URL: https://tryhackme.com/room/hfb1thegame Title Rating The Game Easy Description Cipher has gone dark, but intel reveals he’s hiding critical secrets inside Tetris, a popular video game. Hack it and uncover the encrypted data buried in its code. This was easiest boxes I have done. Solution Just download and unzip the Game content. Then use strings utility as below:
URL: https://tryhackme.com/room/creative Title Rating Creative Easy Recon Nmap gets us port 22 and port 80. Note: Remember to add creative.thm to /etc/hosts Lets checkout the webserver: Nothing stands out in particular. I did a directory fuzzing still nothing. Finally vhost scan gives us a beta.creative.thm SSRF via found domain Whenever we see a field requesting a URL, always first test SSRF: And we do get a request confirming SSRF....
URL: https://tryhackme.com/room/rabbitstore Title Rating Rabbit Store Medium Recon Nmap Scan: PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 60 OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0) 80/tcp open http syn-ack ttl 60 Apache httpd 2.4.52 | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-title: Did not follow redirect to http://cloudsite.thm/ |_http-server-header: Apache/2.4.52 (Ubuntu) 4369/tcp open epmd syn-ack ttl 60 Erlang Port Mapper Daemon | epmd-info: | epmd_port: 4369 | nodes: |_ rabbit: 25672 25672/tcp open unknown syn-ack ttl 60 There are some ports open...
URL: https://tryhackme.com/room/publisher Title Rating Publisher Easy Overview The “Publisher” CTF machine is a simulated environment hosting some services. Through a series of enumeration techniques, including directory fuzzing and version identification, a vulnerability is discovered, allowing for Remote Code Execution (RCE). Attempts to escalate privileges using a custom binary are hindered by restricted access to critical system files and directories, necessitating a deeper exploration into the system’s security profile to ultimately exploit a loophole that enables the execution of an unconfined bash shell and achieve privilege escalation....
URL: https://tryhackme.com/room/whiterose Title Rating Whiterose Easy Recon Nmap scan finds a Port 22 and Port 80 open nothing else of interest. Visiting the IP:80 we are redirected to http://cyprusbank.thm/ Lets add this to /etc/hosts file Directory fuzzing didn’t give anything but a Vhost scan gave away a admin s ubdomain ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u "http://10.10.151.242/" -H "Host: FUZZ.cyprusbank.thm" -fw 1 admin So we got to https://admin.cyprusbank.thm and we get a Login!...
URL: https://tryhackme.com/room/lofi Title Rating Lo-Fi Easy Recon Nmap gives 2 Open ports 22(ssh) and 80(http), nothing else of interest. Visiting the webserver, its a Apache webserver with links to youtube vids The Search function does not do anything. But the Links given to the right open certain page depending on the type of music. So we have relax.php, chill.php, vibe.php, etc. We can say the server is just locating and executing these files from the web root....
URL: https://tryhackme.com/room/thestickershop Title Rating The Sticker Shop Easy Box Description Your local sticker shop has finally developed its own webpage. They do not have too much experience regarding web development, so they decided to develop and host everything on the same computer that they use for browsing the internet and looking at customer feedback. Smart move! Can you read the flag at http://10.10.114.205:8080/flag.txt? Lets just go to this URL and see: We dont have access....
URL: https://tryhackme.com/room/lightroom Title Rating Light Easy Overview So the creator asks us to try a database app. The application is running on port 1337. We can connect to it using nc 10.10.123.134 1337 You can use the username smokey in order to get started. Recon Nmap gives use 2 open ports: Open 10.10.123.134:22 SSH Open 10.10.123.134:1337 DB app As per the description, lets try to netcat the database at 1337:...
URL: https://tryhackme.com/room/billing Title Rating BillingV2 Easy BillingV2 is a Easy rated box, where we not allowed to perform any bruteforcing. In recon, we do find a webserver and mysql. Initial Foothold is acquired via a Unauth RCE on the Apache application - MagnusBilling. Later we use the sudo privileges on fail2ban tool to inject command in its functionality which eventually gets us root. Recon We start with Nmap Scan which get us few open ports:...
Recon Nmap Scan # nmap 10.10.22.7 -sV [](<PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 60 OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0) 80/tcp open http syn-ack ttl 60 Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_ Supported Methods: OPTIONS GET HEAD POST 139/tcp open netbios-ssn syn-ack ttl 60 Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn syn-ack ttl 60 Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) 8009/tcp open ajp13?...