CTF Lord of the root: Walkthrough
Download dari https://download.vulnhub.com/lordoftheroot/LordOfTheRoot_1.0.1.ova Install di VirtualBox
netdiscover
Lakukan,
netdiscover -r 192.168.0.0/24
Hasilnya,
Currently scanning: 192.168.0.0/24 | Screen View: Unique Hosts 21 Captured ARP Req/Rep packets, from 21 hosts. Total size: 1260 _____________________________________________________________________________ IP At MAC Address Count Len MAC Vendor / Hostname ----------------------------------------------------------------------------- ..... 192.168.0.139 08:00:27:45:35:64 1 60 PCS Systemtechnik GmbH .....
port scan
Lakukan,
nmap -sT -p- -A 192.168.0.139
Hasil,
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-28 02:13 EST Nmap scan report for 192.168.0.139 Host is up (0.00089s latency). Not shown: 65534 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 1024 3c3de38e35f9da7420efaa494a1deddd (DSA) | 2048 85946c87c9a8350f2cdbbbc13f2a50c1 (RSA) | 256 f3cdaa1d05f21e8c618725b6f4344537 (ECDSA) |_ 256 34ec16dda7cf2a8645ec65ea05438921 (ED25519) MAC Address: 08:00:27:45:35:64 (Oracle VirtualBox virtual NIC) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running: Linux 3.X|4.X OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 OS details: Linux 3.10 - 4.11, Linux 3.16 - 4.6, Linux 3.2 - 4.9, Linux 4.4 Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE HOP RTT ADDRESS 1 0.89 ms 192.168.0.139 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 112.51 seconds
tampaknya hanya SSH yang terlihat.
coba ssh
Lakukan,
ssh 192.168.0.139
Hasil,
The authenticity of host '192.168.0.139 (192.168.0.139)' can't be established. ED25519 key fingerprint is SHA256:Rz24fg01xp2jMdwk9c44ijnZAz1uaUlvRXX7QU+ERtI. This key is not known by any other names Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '192.168.0.139' (ED25519) to the list of known hosts. .____ _____________________________ | | \_____ \__ ___/\______ \ | | / | \| | | _/ | |___/ | \ | | | \ |_______ \_______ /____| |____|_ / \/ \/ \/ ____ __. __ ___________ .__ .___ ___________ ___________ __ | |/ _| ____ ____ ____ | | __ \_ _____/______|__| ____ ____ __| _/ \__ ___/___ \_ _____/ _____/ |_ ___________ | < / \ / _ \_/ ___\| |/ / | __) \_ __ \ |/ __ \ / \ / __ | | | / _ \ | __)_ / \ __\/ __ \_ __ \ | | \| | ( <_> ) \___| < | \ | | \/ \ ___/| | \/ /_/ | | |( <_> ) | \ | \ | \ ___/| | \/ |____|__ \___| /\____/ \___ >__|_ \ \___ / |__| |__|\___ >___| /\____ | |____| \____/ /_______ /___| /__| \___ >__| \/ \/ \/ \/ \/ \/ \/ \/ \/ \/ \/ Easy as 1,2,3 root@192.168.0.139's password:
Ada kata-2 "Easy as 1,2,3"
Hmm kita coba knock port 1, 2, 3 ...
port knocking
Lakukan,
nmap -Pn --host-timeout 201 --max-retries 0 -p 1 192.168.0.139 nmap -Pn --host-timeout 201 --max-retries 0 -p 2 192.168.0.139 nmap -Pn --host-timeout 201 --max-retries 0 -p 3 192.168.0.139
Naga-naganya port knocking untuk membuka / menghidupkan web :) ..
lakukan nmap lagi
Lakukan
nmap -sT -p- -A 192.168.0.139
Hasilnya,
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-28 02:22 EST Nmap scan report for 192.168.0.139 Host is up (0.00063s latency). Not shown: 65533 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 1024 3c3de38e35f9da7420efaa494a1deddd (DSA) | 2048 85946c87c9a8350f2cdbbbc13f2a50c1 (RSA) | 256 f3cdaa1d05f21e8c618725b6f4344537 (ECDSA) |_ 256 34ec16dda7cf2a8645ec65ea05438921 (ED25519) 1337/tcp open http Apache httpd 2.4.7 ((Ubuntu)) |_http-title: Site doesn't have a title (text/html). |_http-server-header: Apache/2.4.7 (Ubuntu) MAC Address: 08:00:27:45:35:64 (Oracle VirtualBox virtual NIC) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running: Linux 3.X|4.X OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 OS details: Linux 3.10 - 4.11, Linux 3.16 - 4.6, Linux 3.2 - 4.9, Linux 4.4 Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE HOP RTT ADDRESS 1 0.63 ms 192.168.0.139 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 122.69 seconds
Terlihat Ada web Server Apache 2.4.7 di port 1337
Akses Web
URL,
http://192.168.0.139:1337 (ada gambar dengan kata2 "I will do it, I will take the ring into mordor" )
Source (CRTL-U)
// <html> // <img src="/images/iwilldoit.jpg" align="middle"> // </html>
coba
http://192.168.0.139:1337/mordor/
Source (CRTL-U)
// <html> // <img src="/images/hipster.jpg" align="middle"> //