https://tryhackme.com/r/room/creative
nmap -Pn -sS 10.10.153.72 -p- --min-rate 5000 -v
Scanning creative.thm (10.10.153.72) [65535 ports]
Discovered open port 22/tcp on 10.10.153.72
Discovered open port 80/tcp on 10.10.153.72
Completed SYN Stealth Scan at 16:46, 36.09s elapsed (65535 total ports)
Nmap scan report for creative.thm (10.10.153.72)
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63
nmap -Pn -sVC 10.10.153.72 -p 22,80 -A -T4
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 a0:5c:1c:4e:b4:86:cf:58:9f:22:f9:7c:54:3d:7e:7b (RSA)
| 256 47:d5:bb:58:b6:c5:cc:e3:6c:0b:00:bd:95:d2:a0:fb (ECDSA)
|_ 256 cb:7c:ad:31:41:bb:98:af:cf:eb:e4:88:7f:12:5e:89 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Creative Studio | Free Bootstrap 4.3.x template
|_http-server-header: nginx/1.18.0 (Ubuntu)
vi /etc/hosts
127.0.0.1 kali
127.0.0.1 localhost
10.10.153.72 creative.thm
ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -u http://creative.thm/FUZZ
assets [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 421ms]
index.html [Status: 200, Size: 37589, Words: 14867, Lines: 686, Duration: 506ms]
:: Progress: [4713/4713] :: Job [1/1] :: 101 req/sec :: Duration: [0:00:44] :: Errors: 0 ::
ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -u http://creative.thm/assets/FUZZ
css [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 390ms]
imgs [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 332ms]
js [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 335ms]
vendors [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 362ms]
:: Progress: [4713/4713] :: Job [1/1] :: 109 req/sec :: Duration: [0:00:44] :: Errors: 0 ::
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u http://creative.thm -H "Host: FUZZ.creative.thm" -fs 178
beta [Status: 200, Size: 591, Words: 91, Lines: 20, Duration: 407ms]
vi /etc/hosts
127.0.0.1 kali
127.0.0.1 localhost
10.10.153.72 creative.thm
10.10.153.72 beta.creative.thm
This page has an SSRF vulnerability. Using it, I found an open port.
🍜 Username: saad:x:1000:1000:saad:/home/saad:/bin/bash
🍜 I got the SSH key.
🍜 I got saad's password.
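The SSRF noted above was enough to reach an internal port from the web application. As an added defender-side example (not part of this write-up or the room), the following Python check is the guard an application should apply to a user-supplied URL before fetching it: it rejects non-http(s) schemes and any host, literal or resolved, that lands on loopback, private, link-local or IPv4-mapped addresses. The resolver table, hostnames and addresses are constructed so the code runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed resolver table so the example runs offline. A real service would
# resolve once with socket.getaddrinfo() and connect to the address it checked,
# so a DNS-rebinding race cannot swap it between validation and use.
FAKE_DNS = {
    "beta.creative.thm": ["10.10.153.72"],             # lab host in this write-up
    "public.example": ["93.184.216.34"],               # constructed public address
    "rebind.example": ["93.184.216.34", "127.0.0.1"],  # mixed public/internal answers
}
ALLOWED_SCHEMES = {"http", "https"}


def is_blocked_address(addr: str) -> bool:
    """True when addr is something an outbound fetcher must never reach."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 rules apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_fetch_target(url: str, dns=FAKE_DNS):
    """Return (allowed, reason); every resolved address must be public."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        addrs = dns.get(host.lower(), [])         # hostname: look it up
    if not addrs:
        return False, f"cannot resolve {host}"
    # One internal answer (as in rebind.example) is enough to refuse the fetch.
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for u in ("http://public.example/", "http://beta.creative.thm/", "http://127.0.0.1:22/",
              "http://[::ffff:127.0.0.1]/", "http://169.254.169.254/", "file:///etc/passwd"):
        print(u, "->", check_fetch_target(u))
```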
https://www.hackingarticles.in/linux-privilege-escalation-using-ld_preload/
de.sh
#! /bin/bash
set -eu

# find path to liblzma used by sshd
# (|| true keeps set -e from aborting the script when sshd is missing or
# is not linked against liblzma; an empty path is handled below)
sshd_bin="$(command -v sshd || true)"
path="$(ldd "$sshd_bin" 2>/dev/null | grep liblzma | grep -o '/[^ ]*' || true)"

# does it even exist?
if [ -z "$path" ]
then
    echo probably not vulnerable
    exit 0
fi

# check for function signature: dump the library as one continuous hex
# string and search it for the known byte sequence
if hexdump -ve '1/1 "%.2x"' "$path" | grep -q f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410
then
    echo probably vulnerable
else
    echo probably not vulnerable
fi
🍜 Not vulnerable.
Couldn't pull off the two-sword style after all... slurp slurp slurp slurp...
🍜 Thank you for your time. Happy Hacking. Slurp slurp slurp slurp...