Year of the Jellyfish

Date: 10 May 2021

Author: Dhilip Sanjay S


Click Here to go to the TryHackMe room.

Nmap Scan

# Nmap 7.91 scan initiated Thu Apr 29 15:52:55 2021 as: nmap -sV -sC -p- -vv -oN nmap_full 176.34.160.174
Nmap scan report for ec2-176-34-160-174.eu-west-1.compute.amazonaws.com (176.34.160.174)
Host is up, received reset ttl 31 (0.17s latency).
Scanned at 2021-04-29 15:52:55 IST for 468s
Not shown: 65528 filtered ports
Reason: 65527 no-responses and 1 admin-prohibited
PORT      STATE SERVICE  REASON         VERSION
21/tcp    open  ftp      syn-ack ttl 31 vsftpd 3.0.3
22/tcp    open  ssh      syn-ack ttl 31 OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 46:b2:81:be:e0:bc:a7:86:39:39:82:5b:bf:e5:65:58 (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3op12UwFIehC/VLx5tzBbmCUO/IzJlyueCj1/qP7tq3DcrBu9iQbC1gYemElU2FhqHH2KQr9MFrWRJgU4dH0iQOFld1WU9BNjfr6VcLOI+flLQstwWf1mJXEOdDjA98Cx+blYWG62qwXLiW+aq2jLfIZkVjJlp7OueNeocxE0P7ynTqJIadMfeNqNZ1Jc+s7aCBSg0NRSh0FsABAG+BSFhybnKXtApc+RG0QQ3vFpnU0k0PVZvg/qU/Eb6Oimm67d8hjclPbPpQoyvsdyOQG7yVS9eIglTr00ddw2Jn8wrapOa4TcBJGu9cgSgITHR8+htJ1LLj3EtsmJ0pErEv0B
80/tcp    open  http     syn-ack ttl 31 Apache httpd 2.4.29
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Did not follow redirect to https://robyns-petshop.thm/
443/tcp   open  ssl/http syn-ack ttl 32 Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Robyn's Pet Shop
| ssl-cert: Subject: commonName=robyns-petshop.thm/organizationName=Robyns Petshop/stateOrProvinceName=South West/countryName=GB/localityName=Bristol/[email protected]
| Subject Alternative Name: DNS:robyns-petshop.thm, DNS:monitorr.robyns-petshop.thm, DNS:beta.robyns-petshop.thm, DNS:dev.robyns-petshop.thm
| Issuer: commonName=robyns-petshop.thm/organizationName=Robyns Petshop/stateOrProvinceName=South West/countryName=GB/localityName=Bristol/[email protected]
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-04-29T10:15:16
| Not valid after:  2022-04-29T10:15:16
| MD5:   b8e2 3c83 9255 42e2 61bc 37cb 9905 c247
| SHA-1: 462c 9240 9d15 7db5 331b 60ac 168c 780c 6bbb 9e2c
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
8000/tcp  open  http-alt syn-ack ttl 31
| fingerprint-strings: 
|   GenericLines: 
|     HTTP/1.1 400 Bad Request
|     Content-Length: 15
|_    Request
| http-methods: 
|_  Supported Methods: GET
|_http-title: Under Development!
8096/tcp  open  unknown  syn-ack ttl 32
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 Not Found
|     Connection: close
|     Date: Thu, 29 Apr 2021 10:29:37 GMT
|     Server: Kestrel
|     Content-Length: 0
|     X-Response-Time-ms: 168
|   GenericLines: 
|     HTTP/1.1 400 Bad Request
|     Connection: close
|     Date: Thu, 29 Apr 2021 10:29:07 GMT
|     Server: Kestrel
|     Content-Length: 0
|   GetRequest, HTTPOptions: 
|     HTTP/1.1 302 Found
|     Connection: close
|     Date: Thu, 29 Apr 2021 10:29:08 GMT
|     Server: Kestrel
|     Content-Length: 0
|     Location: /web/index.html
|   Help: 
|     HTTP/1.1 400 Bad Request
|     Connection: close
|     Date: Thu, 29 Apr 2021 10:29:24 GMT
|     Server: Kestrel
|     Content-Length: 0
|   Kerberos: 
|     HTTP/1.1 400 Bad Request
|     Connection: close
|     Date: Thu, 29 Apr 2021 10:29:26 GMT
|     Server: Kestrel
|     Content-Length: 0
|   LPDString: 
|     HTTP/1.1 400 Bad Request
|     Connection: close
|     Date: Thu, 29 Apr 2021 10:29:37 GMT
|     Server: Kestrel
|     Content-Length: 0
|   RTSPRequest: 
|     HTTP/1.1 505 HTTP Version Not Supported
|     Connection: close
|     Date: Thu, 29 Apr 2021 10:29:09 GMT
|     Server: Kestrel
|     Content-Length: 0
|   SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Connection: close
|     Date: Thu, 29 Apr 2021 10:29:25 GMT
|     Server: Kestrel
|_    Content-Length: 0
22222/tcp open  ssh      syn-ack ttl 31 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8d:99:92:52:8e:73:ed:91:01:d3:a7:a0:87:37:f0:4f (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpLAsRYbJYyJ+bS8pAi+HpQupaD+Oo76UbITMFLP+pZyxM5ChxwyPbCYKIitboOoa3PWRe6V4UjBcOPtNujmv2tjCcETv/tp2QyuHPW6Go6ZzFDn0V8SUGhWIqwLge79Yp9FwG7y9tUxqnViQCJBfWtY5kJh11Iy/X4Arg1ifiT9FAExpVt3fgZl3HN6bxwyfFIQfxVqySgdQxSgqpVTU4Kc3pkZM1UL+c+kzfCYwiNJL0WHAYNl3u77H+Lp5J371BSJTWpaNS/bkS2KSqG/DPafCg4qhOn/rjDldHtQ3Eukcj0AGg/jBYbrYgAhsBXLJbhHTNTt4zrQe5sRArZ8ab
|   256 5a:c0:cc:a1:a8:79:eb:fd:6f:cf:f8:78:0d:2f:5d:db (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHcGmMvzfmx0EHLv5MLqqn0a4WVxxU7dcNq0F03HIZIY002BsPtaEXkbkcn5FdDsjDGuBWq+1JGB/xDI5py485o=
|   256 0a:ca:b8:39:4e:ca:e3:cf:86:5c:88:b9:2e:25:7a:1b (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFpTk+WaMxq8E5ToT9RI4THsaxdarA4tACYEdoosbPD8
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: Host: robyns-petshop.thm; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Apr 29 16:00:43 2021 -- 1 IP address (1 host up) scanned in 468.47 seconds

Check out all the open ports. Run gobuster against port 8096.

System Info

curl http://robyns-petshop.thm:8096/system/info/public/

Add the alternative names in /etc/hosts
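
The certificate's Subject Alternative Names in the scan above are what give away the extra virtual hosts. As an added example (not part of the original writeup), this Python parses a constructed excerpt of the -oN report, pulls the target IP, the open TCP ports and the SAN DNS names, and builds the one /etc/hosts line needed; the NMAP_REPORT text and function names are mine.

```python
import re

# Constructed excerpt of the -oN report above, trimmed to the lines the parser reads;
# in practice pass the contents of the real nmap_full file instead.
NMAP_REPORT = """\
Nmap scan report for ec2-176-34-160-174.eu-west-1.compute.amazonaws.com (176.34.160.174)
Host is up, received reset ttl 31 (0.17s latency).
PORT      STATE SERVICE  REASON         VERSION
21/tcp    open  ftp      syn-ack ttl 31 vsftpd 3.0.3
443/tcp   open  ssl/http syn-ack ttl 32 Apache httpd 2.4.29 ((Ubuntu))
| ssl-cert: Subject: commonName=robyns-petshop.thm/organizationName=Robyns Petshop
| Subject Alternative Name: DNS:robyns-petshop.thm, DNS:monitorr.robyns-petshop.thm, DNS:beta.robyns-petshop.thm, DNS:dev.robyns-petshop.thm
8096/tcp  open  unknown  syn-ack ttl 32
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def host_ip(report):
    """IP from the 'Nmap scan report for ...' line. The hyphenated EC2 rDNS name
    is not an IPv4 literal, so only the bracketed address matches."""
    m = re.search(r"^Nmap scan report for (.+)$", report, re.M)
    ips = IPV4_RE.findall(m.group(1)) if m else []
    if not ips:
        raise ValueError("no IPv4 address in the host line")
    return ips[-1]

def open_tcp_ports(report):
    """Port numbers of every line reported as open TCP."""
    return [int(p) for p in re.findall(r"^(\d+)/tcp\s+open\b", report, re.M)]

def san_dns_names(report):
    """DNS entries from every ssl-cert 'Subject Alternative Name' line,
    in order of appearance and without duplicates."""
    names = []
    for line in re.findall(r"^\|\s*Subject Alternative Name:\s*(.+)$", report, re.M):
        for entry in line.split(","):
            entry = entry.strip()
            if entry.startswith("DNS:") and entry[4:] not in names:
                names.append(entry[4:])
    return names

def hosts_line(report):
    """A single /etc/hosts line mapping the scanned IP to all certificate names."""
    names = san_dns_names(report)
    if not names:
        raise ValueError("certificate lists no DNS names")
    return host_ip(report) + " " + " ".join(names)

if __name__ == "__main__":
    print(hosts_line(NMAP_REPORT))
```

Append the printed line to /etc/hosts; the same parser works on any -oN report that includes the ssl-cert script output.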

  • We find that robyns-petshop.thm and dev.robyns-petshop.thm serve the same content (Pico CMS).

  • beta.robyns-petshop.thm doesn't seem to be exploitable:


Exploiting Monitorr

  • Search for exploits using searchsploit:

  • We want an RCE to get access to shell, so mirror the RCE Exploit:

  • After making a few modifications to the code, such as setting verify=False and adding print(reqData.text), run the exploit:

Figuring out the bypass filter

  • It seems the .php extension is being blocked, so we try other extensions such as .php.gif and .phtml, but still no luck.

  • On inspecting the request in the browser, there was a cookie isHuman:1.

  • So include this cookie in the Python exploit too.

  • The final exploit:

  • But the extensions .php, .phtml and .gif.php still gave the following error:

  • Finally, .gif.phtml worked. Outbound port 443 is usually not blocked, so use that port.

    • Final exploit with a random-character filename

    • Opening Netcat

    • Running the exploit
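
The extension behaviour observed above (.php, .phtml and .gif.php rejected, .gif.phtml accepted and executed) is the classic failure of an extension blocklist. As an added, defender-side illustration that is not the room's or Monitorr's code, the Python below pairs a hypothetical reconstruction of such a blocklist filter with an allowlist check that rejects every double extension; PHP_EXTENSIONS, IMAGE_EXTENSIONS, the filter logic and the candidate filenames are assumptions of mine, not facts from the page.

```python
import posixpath

# Assumption: the server hands these extensions to the PHP interpreter. With Apache's
# AddHandler directive even inner extensions count ("x.phtml.gif" would run), which is
# why the hardened check below rejects any name with more than one extension.
PHP_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "phps", "phar"}
IMAGE_EXTENSIONS = {"gif", "png", "jpg", "jpeg"}

def executes_as_php(filename):
    """True if the final extension is one the interpreter handles."""
    if "." not in filename:
        return False
    return filename.lower().rsplit(".", 1)[1] in PHP_EXTENSIONS

def weak_filter_accepts(filename):
    """Hypothetical blocklist-style check (not Monitorr's code): the name must
    contain an image extension somewhere and must not end in .php."""
    lowered = filename.lower()
    has_image_ext = any("." + ext in lowered for ext in IMAGE_EXTENSIONS)
    return has_image_ext and not lowered.endswith(".php")

def hardened_filter_accepts(filename):
    """Allowlist check: a bare filename with exactly one extension, and that
    extension must be an image type. Everything else is rejected."""
    if posixpath.basename(filename) != filename:      # path components smuggled in
        return False
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0]:               # "a.b.c", ".gif", "noext"
        return False
    return parts[1] in IMAGE_EXTENSIONS

def unsafe_acceptances(check, candidates):
    """Names the given filter lets through even though the server would execute them."""
    return [c for c in candidates if check(c) and executes_as_php(c)]

# Constructed base name with the extensions tried in the writeup plus a benign upload.
CANDIDATES = ["pic.php", "pic.phtml", "pic.gif.php", "pic.php.gif", "pic.gif.phtml", "kitten.gif"]

if __name__ == "__main__":
    print("weak filter lets through:", unsafe_acceptances(weak_filter_accepts, CANDIDATES))
    print("hardened filter lets through:", unsafe_acceptances(hardened_filter_accepts, CANDIDATES))
```

The allowlist also rejects pic.php.gif, which the weak filter accepts without executing; a safe filter should not depend on knowing how the web server maps extensions.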


Shell access & Flag 1

  • Stabilizing the shell

  • Flag 1


Privilege Escalation & Root flag

  • Permission denied for root directory

  • Download & run linpeas on the target

  • LinPEAS didn't give much info. Check the upgradable packages.

  • snapd seems to be old and exploitable. Search for exploits using searchsploit or Exploit-DB.

Root Access

Reference
