
Showing posts with the label jwt

Secret - HackTheBox

Secret Machine (10.10.11.120)

Info: This machine had a pretty sweet learning curve for newcomers: exploiting command injection to get a foothold and abusing a core dump to get root on the machine.

Recon: Starting with a port scan, we get 3 open ports.

PORT     STATE SERVICE REASON  VERSION
22/tcp   open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    syn-ack nginx 1.18.0 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: DUMB Docs
3000/tcp open  http    syn-ack Node.js (Express middleware)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: DUMB Docs
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

On port 3000 a Node.js application is running, and port 80 hosts the docs for the same application. The source code is also available for download. The docs show how, using the API, we can register a new user and log in; it will then give a JWT token for that u...

Epsilon - HackTheBox

Epsilon Machine (10.10.11.134)

Recon: Add epsilon.htb to the hosts file. Running a port scan, we get 3 open ports.

22/tcp   open  ssh  OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http Apache httpd 2.4.41
| http-git:
|   10.10.11.134:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: Updating Tracking API # Please enter the commit message for...
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: 403 Forbidden
5000/tcp open  http Werkzeug httpd 2.0.2 (Python 3.8.10)
|_http-title: Costume Shop
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 80 is Apache and port 5000 is running a Python application, i.e. the costume shop. As shown in the scan, port 80 returns 403 Forbidden and has a .git directory that is also 403, but files like .git/config and .git/HEAD are accessible. We will use the GitTools tool to dump this g...