AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |
Back to Blog
![]() ![]() You should now check the listening terminal and see the following lines appear: Now browse to to start your reverse shell. The shell is now located at: the following commands on your attacking machine to start a netcat listener to catch the shell: Please note that you have to fill in the IP address of your local attacking machine and port number: 9001 Create a PHP file named: shell.php containing the file found here and upload using the upload functionality on the site: Using the upload function we are able to upload our reverse shell. Mara CMS does allow all files to be uploaded. In the top header, you can see we are allowed to upload files. You should now be logged in as admin and see the following page: Browse to: and provide the default username and password: admin:changeme. A quick search online shows us that we can log in using the ?login GET parameter. By checking the current page we can see the CMS is Mara. One of the most famous examples of a CMS is WordPress. You can now browse to to find the following page:Ĭontent Management Systems (CMS) are computer software used to manage and create content. Now you can answer the first question! Initial footholdīy providing the secret number in the input field we acquire a new URL path: This path is used by the web server running on port 80. After a few minutes you should find the number. Only if the number was found, the number is printed. By adding the parameters to the header, we can bypass the rate limit. Then for each number, a request is sent to find out if the number is the correct one. The script loopts through the possible numbers. Spin the wheel and try again." not in x.text): X = requests.post(url, data=myobj, headers=headers) Also, take note of the new header requests which make sure we can continue brute-forcing and not be limited by a rate limit. Now we will use a Python script to brute-force the secret number. By searching the web, it becomes clear this rate limit can be bypassed. This makes brute-forcing the secret number a bit more difficult. Run the intruder script for a few minutes and you should see numerous responses having the following content: Make sure you create a list containing all these numbers. The payload should be a list of numbers from 1-100000. If all went well you should see the following screen on the intruder tab: ![]() Make sure the only payload is the secret number. Afterwards, click on the Intruder tab and change the payload positions. Now right-click on the white field and click on “Send to Intruder”. To find the secret number, we will intercept the number request using Burp Suite. TryHackMe Madness – Finding the secret number Since the web server on port 80 does not reveal much information, we will try to find the secret number for the web server running on port 8085. The following page can be seen by browsing to : When browsing to the document root we can see the following page for the web server running on port 80: We can see that ports are ports used by Apache and Gunicorn web servers. Service Info: OS: Linux CPE: cpe:/o:linux:linux_kernel |_ Supported Methods: HEAD OPTIONS POST GET |_http-server-header: Apache/2.4.18 (Ubuntu)Ĩ085/tcp open http syn-ack Gunicorn 20.0.4 |_ Supported Methods: OPTIONS GET HEAD POST |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOd1NxUo0xJ3krpRI1Xm8KMCFXziZngofs/wjOkofKKVĨ0/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu)) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBENNM4XJDFEnfvomDQgg0n7ZF+bHK+/x0EYcjrLP2BGgytEp7yg7A36KajE2QYkQKtHGPamSRLzNWmJpwzaV65w= | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7zuGtMGKQdFrh6Y8Dgwdo7815klLm7VzG05KNvT112MyF41Vxz+915iRz9nTSQ583i1cmjHp+q+fMq+QGiO0iwIdYN72jop6oFxqyaO2ZjBE3grWHSP2xMsTZc7qXgPu9ZxzVAfc/4mETA8B00yc6XNApJUwfJOYz/qt/pb0WHDVBQLYesg+rrr3UZDrj9L7KNFlW74mT0nzace0yqtcV//dgOMiG8CeS6TRyUG6clbSUdr+yfgPOrcUwhTCMRKv2e30T5naBZ60e1jSuXYmQfmeZtDZ4hdsBWDfOnGnw89O9Ak+VhULGYq/ZxTh31dnWBULftw/l6saLaUJEaVeb The output of the scan can be seen below:Ģ2/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux protocol 2.0) ![]() The sC and sV flags indicate that basic vulnerability scripts are executed against the target and that the port scan tries to find version information. We start by running a port scan on the host using nmap. echo " sustah.thm" > /etc/hosts TryHackMe Madness – Enumeration Before we start enumerating the box, add the following line to your /etc/hosts file. This writeup will help you solve the Sustah box on TryHackMe. ![]()
0 Comments
Read More
Leave a Reply. |