Difference between revisions of "CTF Lord of the root: Walkthrough"

From OnnoWiki
Jump to navigation Jump to search
Line 149: Line 149:
 
Source (CRTL-U)
 
Source (CRTL-U)
  
  <html>
+
  '<html>
  <img src="/images/iwilldoit.jpg" align="middle">
+
  '<img src="/images/iwilldoit.jpg" align="middle">
  </html>
+
  '</html>
  
 
coba
 
coba
Line 159: Line 159:
 
Source (CRTL-U)
 
Source (CRTL-U)
  
<html>
+
  '<html>
<img src="/images/hipster.jpg" align="middle">
+
  '<img src="/images/hipster.jpg" align="middle">
<!--THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh>
+
  '<!--THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh>
</html>
+
  '</html>
  
  

Revision as of 14:36, 28 January 2023

Download dari https://download.vulnhub.com/lordoftheroot/LordOfTheRoot_1.0.1.ova Install di VirtualBox

netdiscover

Lakukan,

netdiscover -r 192.168.0.0/24

Hasilnya,

Currently scanning: 192.168.0.0/24   |   Screen View: Unique Hosts                                                                                                                                                               
                                                                                                                                                                                                                                  
 21 Captured ARP Req/Rep packets, from 21 hosts.   Total size: 1260                                                                                                                                                               
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
.....
192.168.0.139   08:00:27:45:35:64      1      60  PCS Systemtechnik GmbH                                                                                                                                                         
.....

port scan

Lakukan,

nmap -sT -p- -A 192.168.0.139

Hasil,

Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-28 02:13 EST
Nmap scan report for 192.168.0.139
Host is up (0.00089s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 3c3de38e35f9da7420efaa494a1deddd (DSA)
|   2048 85946c87c9a8350f2cdbbbc13f2a50c1 (RSA)
|   256 f3cdaa1d05f21e8c618725b6f4344537 (ECDSA)
|_  256 34ec16dda7cf2a8645ec65ea05438921 (ED25519)
MAC Address: 08:00:27:45:35:64 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.16 - 4.6, Linux 3.2 - 4.9, Linux 4.4
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.89 ms 192.168.0.139

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.51 seconds

tampaknya hanya SSH yang terlihat.


coba ssh

Lakukan,

ssh 192.168.0.139

Hasil,

The authenticity of host '192.168.0.139 (192.168.0.139)' can't be established.
ED25519 key fingerprint is SHA256:Rz24fg01xp2jMdwk9c44ijnZAz1uaUlvRXX7QU+ERtI.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.0.139' (ED25519) to the list of known hosts.

                                                  .____    _____________________________
                                                  |    |   \_____  \__    ___/\______   \
                                                  |    |    /   |   \|    |    |       _/
                                                  |    |___/    |    \    |    |    |   \
                                                  |_______ \_______  /____|    |____|_  /
                                                          \/       \/                 \/
 ____  __.                     __     ___________      .__                   .___ ___________      ___________       __
|    |/ _| ____   ____   ____ |  | __ \_   _____/______|__| ____   ____    __| _/ \__    ___/___   \_   _____/ _____/  |_  ___________
|      <  /    \ /  _ \_/ ___\|  |/ /  |    __) \_  __ \  |/ __ \ /    \  / __ |    |    | /  _ \   |    __)_ /    \   __\/ __ \_  __ \
|    |  \|   |  (  <_> )  \___|    <   |     \   |  | \/  \  ___/|   |  \/ /_/ |    |    |(  <_> )  |        \   |  \  | \  ___/|  | \/
|____|__ \___|  /\____/ \___  >__|_ \  \___  /   |__|  |__|\___  >___|  /\____ |    |____| \____/  /_______  /___|  /__|  \___  >__|
        \/    \/            \/     \/      \/                  \/     \/      \/                           \/     \/          \/
Easy as 1,2,3
root@192.168.0.139's password: 

Ada kata-2 "Easy as 1,2,3"

Hmm kita coba knock port 1, 2, 3 ...

port knocking

Lakukan,

nmap -Pn --host-timeout 201 --max-retries 0  -p 1 192.168.0.139
nmap -Pn --host-timeout 201 --max-retries 0  -p 2 192.168.0.139
nmap -Pn --host-timeout 201 --max-retries 0  -p 3 192.168.0.139

Naga-naganya port knocking untuk membuka / menghidupkan web :) ..

lakukan nmap lagi

Lakukan

nmap -sT -p- -A 192.168.0.139

Hasilnya,

Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-28 02:22 EST
Nmap scan report for 192.168.0.139
Host is up (0.00063s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 3c3de38e35f9da7420efaa494a1deddd (DSA)
|   2048 85946c87c9a8350f2cdbbbc13f2a50c1 (RSA)
|   256 f3cdaa1d05f21e8c618725b6f4344537 (ECDSA)
|_  256 34ec16dda7cf2a8645ec65ea05438921 (ED25519)
1337/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.7 (Ubuntu)
MAC Address: 08:00:27:45:35:64 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.16 - 4.6, Linux 3.2 - 4.9, Linux 4.4
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel 

TRACEROUTE
HOP RTT     ADDRESS
1   0.63 ms 192.168.0.139

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 122.69 seconds


Terlihat Ada web Server Apache 2.4.7 di port 1337


Akses Web

URL,

http://192.168.0.139:1337  (ada gambar dengan kata2 "I will do it, I will take the ring into mordor" )

Source (CRTL-U)

'<html>
'<img src="/images/iwilldoit.jpg" align="middle">
'</html>

coba

http://192.168.0.139:1337/mordor/

Source (CRTL-U)

 '<html>
 '<img src="/images/hipster.jpg" align="middle">
 '