Posts

Showing posts with the label SSTI

GoodGames - HackTheBox

GoodGames machine (10.10.11.130)

This box was an easy box with a chance to explore vulnerabilities like password reuse within an organization, Server-Side Template Injection and SQL injection to pwn a gaming website.

Recon

Starting with recon, a port scan shows only one port open:

rustscan -a $IP -u 5000 -- -A

PORT   STATE SERVICE  REASON  VERSION
80/tcp open  ssl/http syn-ack Werkzeug/2.0.2 Python/3.9.2
|_http-favicon: Unknown favicon MD5: 61352127DC66484D3736CACCF50E7BEB
| http-methods:
|_  Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Werkzeug/2.0.2 Python/3.9.2
|_http-title: GoodGames | Community and Store

The website footer reveals the hostname GoodGames.HTB, so let's add that to our /etc/hosts file. Other enumeration such as directory scanning and vhost fuzzing doesn't reveal much beyond a login panel where we can sign in and sign up.

Foothold: SQL injection and SSTI

Clicking on the account icon gives a login panel and an option to sign up. And any w...

Bolt HackTheBox

Bolt machine (10.10.11.114)

It was a nice machine with some info leaks in the source code of a downloadable, then exploiting SSTI for a foothold and cracking the passphrase of a PGP private key to get root.

Recon:

Starting the port scan

rustscan -a 10.10.11.114 -u 5000 -- -A

we get 3 open ports:

22/tcp  open ssh      syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp  open http     syn-ack nginx 1.18.0 (Ubuntu)
|_http-favicon: Unknown favicon MD5: 76362BB7970721417C5F484705E5045D
| http-methods:
|_  Supported Methods: OPTIONS GET HEAD
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Starter Website - About
443/tcp open ssl/http syn-ack nginx 1.18.0 (Ubuntu)
|_http-favicon: Unknown favicon MD5: 82C6406C68D91356C9A729ED456EECF4
| http-methods:
|_  Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-title: Passbolt | Open source password manager for teams
|_Requested resource was /auth/login?redirect=%2F
| ssl-cert: Subject: commonN...
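Both the GoodGames and the Bolt excerpts above get their foothold through Server-Side Template Injection in a Python (Werkzeug/Flask, Jinja2) application. The block below is an added example, not code from either writeup or from the boxes themselves: it shows the vulnerable pattern (user input concatenated into the template source) beside the fixed one (constant template, input passed as data), the classic {{7*7}} probe used to confirm SSTI, and a small heuristic for spotting such probes in request parameters. The greeting template and the `name` parameter are assumptions made for illustration.

```python
"""Server-Side Template Injection (SSTI) in a Werkzeug/Flask-style Python app.

Added example, not code from the GoodGames or Bolt writeups.  The greeting
template and the `name` parameter are assumptions for illustration.
"""
import re
from jinja2 import Environment

# autoescape=True mirrors Flask's default for HTML templates
env = Environment(autoescape=True)


def render_vulnerable(name: str) -> str:
    """VULNERABLE: user input becomes part of the template *source*, so Jinja2
    parses and evaluates any {{ ... }} / {% ... %} the attacker supplies."""
    return env.from_string("Welcome " + name + "!").render()


def render_safe(name: str) -> str:
    """FIXED: the template is a constant; user input is passed as *data* and is
    only substituted (and HTML-escaped) into the placeholder, never parsed."""
    return env.from_string("Welcome {{ name }}!").render(name=name)


# Expression/statement markers of Jinja2, Twig, Freemarker, JSP/ERB style engines
SSTI_PROBE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\$\{.*?\}|<%.*?%>")


def looks_like_ssti_probe(value: str) -> bool:
    """Cheap request-log / WAF heuristic: does a parameter carry template syntax?"""
    return SSTI_PROBE.search(value) is not None


if __name__ == "__main__":
    # {{7*7}} rendering as 49 confirms SSTI; the __mro__ probe shows the template
    # context reaches real Python objects, which is the road to RCE.
    for payload in ("guest", "{{7*7}}", "{{ ''.__class__.__mro__ }}"):
        print(repr(payload))
        print("  vulnerable:", render_vulnerable(payload))
        print("  safe:      ", render_safe(payload))
        print("  probe?     ", looks_like_ssti_probe(payload))
```

In Flask terms the vulnerable form is `render_template_string(f"Welcome {name}!")` and the fix is `render_template_string("Welcome {{ name }}!", name=name)`; the sandboxed environment from `jinja2.sandbox` is a defence-in-depth option, not a substitute for keeping input out of the template source.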

Epsilon - HackTheBox

Epsilon machine (10.10.11.134)

Recon:

Add epsilon.htb to the hosts file. Running a port scan we get 3 open ports:

22/tcp   open ssh  OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open http Apache httpd 2.4.41
| http-git:
|   10.10.11.134:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: Updating Tracking API # Please enter the commit message for...
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: 403 Forbidden
5000/tcp open http Werkzeug httpd 2.0.2 (Python 3.8.10)
|_http-title: Costume Shop
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 80 is Apache and port 5000 runs a Python application, the costume shop. As the scan shows, port 80 returns 403 Forbidden and its .git directory is 403 as well, but individual files like .git/config and .git/HEAD are accessible: directory listing is blocked, the files themselves are still served. We will use the GitTools tool to dump this g...