Posts

Showing posts from February, 2022

Driver - HackTheBox

Driver Machine (10.10.11.106)

This was an easy Windows machine with a chance to explore the PrintNightmare vulnerability and to abuse a file upload vulnerability to capture the NTLM hash of a user whom we force to authenticate to our server.

Recon

On the port scan we get 4 open ports:

22/tcp filtered ssh
80/tcp open http Microsoft IIS httpd 10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=MFP Firmware Update Center. Please enter password for admin
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:window As...

GoodGames - HackTheBox

GoodGames Machine (10.10.11.130)

This box was an easy box with a chance to explore vulnerabilities like password reuse within an organization, Server Side Template Injection and SQL injection to pwn a gaming website.

Recon

Starting with recon, the port scan shows only 1 port is open.

rustscan -a $IP -u 5000 -- -A

PORT STATE SERVICE REASON VERSION
80/tcp open ssl/http syn-ack Werkzeug/2.0.2 Python/3.9.2
|_http-favicon: Unknown favicon MD5: 61352127DC66484D3736CACCF50E7BEB
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Werkzeug/2.0.2 Python/3.9.2
|_http-title: GoodGames | Community and Store

The website footer reveals the hostname GoodGames.HTB; let's add that to our /etc/hosts file. Other enumeration like directory scanning and vhost fuzzing doesn't reveal much, other than that there is a login panel where we can sign in and sign up.

Foothold: SQL injection and SSTI

Clicking on the account icon gives a login panel and an option to sign up. And any w...

Bolt HackTheBox

Bolt Machine (10.10.11.114)

It was a nice machine with some info leaks in the source code of a downloadable, then exploiting SSTI for the foothold and cracking PGP keys to get root.

Recon

Starting the port scan:

rustscan -a 10.10.11.114 -u 5000 -- -A

We get 3 open ports:

22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack nginx 1.18.0 (Ubuntu)
|_http-favicon: Unknown favicon MD5: 76362BB7970721417C5F484705E5045D
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Starter Website - About
443/tcp open ssl/http syn-ack nginx 1.18.0 (Ubuntu)
|_http-favicon: Unknown favicon MD5: 82C6406C68D91356C9A729ED456EECF4
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-title: Passbolt | Open source password manager for teams
|_Requested resource was /auth/login?redirect=%2F
| ssl-cert: Subject: commonN...