Newrouge CTF

  Devzat Machine(10.10.11.118) It was a medium linux machine with a command injection vulnerability and required source code review & exploiting outdated influxdb to escalate privilege on machine. Recon: Starting with the nmap scan using rustscan, rustscan -a 10.10.11.118 -u 5000 -- -A . This will scan for open ports at very high speed and also do nmap scan on them. PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0) 80/tcp open http syn-ack Apache httpd 2.4.41 | http-methods: |_ Supported Methods: GET POST OPTIONS HEAD |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: devzat - where the devs at 8000/tcp open ssh syn-ack (protocol 2.0) | fingerprint-strings: | FourOhFourRequest, GenericLines, GetRequest, NULL, Socks4, Socks5, X11Probe: |_ SSH-2.0-Go | ssh-hostkey: | 3072 6a:ee:db:90:a6:10:30:9f:94:ff:bf:61:95:2a:20:63 (RSA) |_ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQ...

Epsilon Machine(10.10.11.134) Recon: Add epsilon.htb to hosts file. Runing Port Scan we get 3 open ports 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.41 | http-git: | 10.10.11.134:80/.git/ | Git repository found! | Repository description: Unnamed repository; edit this file 'description' to name the... |_ Last commit message: Updating Tracking API # Please enter the commit message for... |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: 403 Forbidden 5000/tcp open http Werkzeug httpd 2.0.2 (Python 3.8.10) |_http-title: Costume Shop Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel Port 80 is apache & port 5000 is running python application i.e costume shop. As shown in scan port 80 is 403 Forbidden & have a .git directory that also is 403. Files like . git/config & .git/HEAD are accessible. We will use GitTools tool to dump this g...