Diffstat (limited to 'docs/writeups/Metasploit_Community_CTF_2020/target_scan.txt')
-rw-r--r-- | docs/writeups/Metasploit_Community_CTF_2020/target_scan.txt | 240 |
1 files changed, 240 insertions, 0 deletions
diff --git a/docs/writeups/Metasploit_Community_CTF_2020/target_scan.txt b/docs/writeups/Metasploit_Community_CTF_2020/target_scan.txt new file mode 100644 index 0000000..353c6e3 --- /dev/null +++ b/docs/writeups/Metasploit_Community_CTF_2020/target_scan.txt 
@@ -0,0 +1,240 @@ +Nmap done: 1 IP address (1 host up) scanned in 13.49 seconds +Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-05 05:20 UTC +Nmap scan report for target (172.15.18.117) +Host is up (0.00075s latency). +Not shown: 65505 closed ports +PORT STATE SERVICE VERSION + + +### welcome page (we solved) +80/tcp open http nginx 1.19.5 +|_http-server-header: nginx/1.19.5 +|_http-title: Metasploit CTF + +## proxy. found a flag on a webserver that was only available through localhost (solved) +1080/tcp open socks5 (No authentication; connection failed) +| socks-auth-info: +|_ No authentication + +### basic format string read flag out of memory (solved) +1337/tcp open waste? +| fingerprint-strings: +| GenericLines, GetRequest, HTTPOptions, RTSPRequest: +| Welcome to the '9 of Clubs' service. +| ------------------------------- +| Please choose an option: +| Send contact info +| Greetings +| Send feedback +| Exit +| Unknown option. +| Welcome to the '9 of Clubs' service. +| ------------------------------- +| Please choose an option: +| Send contact info +| Greetings +| Send feedback +| Exit +| NULL: +| Welcome to the '9 of Clubs' service. 
+| ------------------------------- +| Please choose an option: +| Send contact info +| Greetings +| Send feedback +|_ Exit + +### Buffalo RE (we solved) +4545/tcp open http SimpleHTTPServer 0.6 (Python 3.8.5) +|_http-server-header: SimpleHTTP/0.6 Python/3.8.5 +|_http-title: Directory listing for / + +### simple dodge falling rocks game needs a bot (solved) +5555/tcp open telnet +| fingerprint-strings: +| NULL: +| [HSCORE: 0 +| [HSCORE: 1 +| [HSCORE: 2 +| [HSCORE: 3 +|_ [HSCORE: 4 + +### Photos5u flag was just in one of the "other user"'s files which are publically open (solved) +6868/tcp open http WSGIServer 0.2 (Python 3.8.5) +|_http-server-header: WSGIServer/0.2 CPython/3.8.5 +|_http-title: Photos5u + +### comes up and lets you retrieve the flag once you beat 5555 game (solved) +7878/tcp open http SimpleHTTPServer 0.6 (Python 3.8.5) +|_http-server-header: SimpleHTTP/0.6 Python/3.8.5 +|_http-title: Directory listing for / + +### Guest -- guess other username (we solved) +8080/tcp open http Apache httpd 2.4.38 ((Debian)) +|_http-open-proxy: Proxy might be redirecting requests +|_http-server-header: Apache/2.4.38 (Debian) +|_http-title: Site doesn't have a title (text/html). + +### vuln == in php (solved) +8092/tcp open http Apache httpd 2.4.38 ((Debian)) +|_http-server-header: Apache/2.4.38 (Debian) +|_http-title: Site doesn't have a title (text/html; charset=UTF-8). + +### Make metasploit module +8101/tcp open http Apache httpd 2.4.38 ((Debian)) +|_http-server-header: Apache/2.4.38 (Debian) +|_http-title: 5 of Clubs Frontend + +### we have the password hash, salt, and width/alphabet of the rest. hashcat saves the day: ihatesaltalot7 (solved) +8123/tcp open http WSGIServer 0.2 (Python 3.8.5) +|_http-server-header: WSGIServer/0.2 CPython/3.8.5 +|_http-title: Salt Free Hashes + +### Image upload (we solved) +8200/tcp open http Apache httpd 2.4.38 ((Debian)) +|_http-server-header: Apache/2.4.38 (Debian) +|_http-title: Home + +### redirects to vhost. 
says to use other subdomains, but what are they? +8201/tcp open http nginx 1.19.5 +|_http-server-header: nginx/1.19.5 +|_http-title: Did not follow redirect to http://intranet.metasploit.ctf:8201 + +### obfuscated graphql queries. "all posts" query not authenticated and leaks url to flag (solved) +8202/tcp open http nginx 1.19.5 +|_http-server-header: nginx/1.19.5 +|_http-title: Site doesn't have a title (text/html). + +### Metasploit modules looks like something to do with the session cookie +8888/tcp open http Werkzeug httpd 1.0.1 (Python 3.8.5) +|_http-title: Home + +### Game library (we solved) +9000/tcp open http WEBrick httpd 1.6.0 (Ruby 2.7.0 (2019-12-25)) +|_http-server-header: WEBrick/1.6.0 (Ruby/2.7.0/2019-12-25) +|_http-title: Site doesn't have a title (text/html;charset=utf-8). + +### Game reviews (we solved) +9001/tcp open http Thin httpd +|_http-server-header: thin +|_http-title: Site doesn't have a title (text/html;charset=utf-8). + +### Broken zip file (we solved) +9007/tcp open http Apache httpd 2.4.46 ((Unix)) +| http-methods: +|_ Potentially risky methods: TRACE +|_http-server-header: Apache/2.4.46 (Unix) +|_http-title: Index of / + +### QOH(9010) server. if sent a GET from a browser, it returns 4 bytes (ACED0005) (solved) +9008/tcp open java-object Java Object Serialization + +### admin/password /etc/ace_of_clubs.png owned by root setuid /opt/vpn_connect (solved) +9009/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) +| ssh-hostkey: +| 2048 4c:0f:d8:c5:a2:f1:54:f9:92:30:df:62:1f:52:e6:fe (RSA) +| 256 6e:b8:6f:94:e6:c0:2f:15:0c:80:71:32:cb:d0:2a:00 (ECDSA) +|_ 256 8a:55:03:98:8e:87:29:50:66:1a:57:4c:5b:10:a4:01 (ED25519) + +### Jar file - wireshare protocol vuln (solved) +9010/tcp open http Apache httpd 2.4.38 +| http-ls: Volume / +| SIZE TIME FILENAME +| 3.2K 2020-12-01 15:29 QOH_Client.jar +|_ +|_http-server-header: Apache/2.4.38 (Debian) +|_http-title: Index of / +3 services unrecognized despite returning data. 
If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service : +==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== +SF-Port1337-TCP:V=7.80%I=7%D=12/5%Time=5FCB188B%P=x86_64-pc-linux-gnu%r(NU +SF:LL,9B,"\nWelcome\x20to\x20the\x20'9\x20of\x20Clubs'\x20service\.\n----- +SF:--------------------------\nPlease\x20choose\x20an\x20option:\n1\.\x20S +SF:end\x20contact\x20info\n2\.\x20Greetings\n3\.\x20Send\x20feedback\n0\.\ +SF:x20Exit\n\0")%r(GenericLines,146,"\nWelcome\x20to\x20the\x20'9\x20of\x2 +SF:0Clubs'\x20service\.\n-------------------------------\nPlease\x20choose +SF:\x20an\x20option:\n1\.\x20Send\x20contact\x20info\n2\.\x20Greetings\n3\ +SF:.\x20Send\x20feedback\n0\.\x20Exit\n\0Unknown\x20option\.\n\nWelcome\x2 +SF:0to\x20the\x20'9\x20of\x20Clubs'\x20service\.\n------------------------ +SF:-------\nPlease\x20choose\x20an\x20option:\n1\.\x20Send\x20contact\x20i +SF:nfo\n2\.\x20Greetings\n3\.\x20Send\x20feedback\n0\.\x20Exit\n\0")%r(Get +SF:Request,146,"\nWelcome\x20to\x20the\x20'9\x20of\x20Clubs'\x20service\.\ +SF:n-------------------------------\nPlease\x20choose\x20an\x20option:\n1\ +SF:.\x20Send\x20contact\x20info\n2\.\x20Greetings\n3\.\x20Send\x20feedback +SF:\n0\.\x20Exit\n\0Unknown\x20option\.\n\nWelcome\x20to\x20the\x20'9\x20o +SF:f\x20Clubs'\x20service\.\n-------------------------------\nPlease\x20ch +SF:oose\x20an\x20option:\n1\.\x20Send\x20contact\x20info\n2\.\x20Greetings +SF:\n3\.\x20Send\x20feedback\n0\.\x20Exit\n\0")%r(HTTPOptions,146,"\nWelco +SF:me\x20to\x20the\x20'9\x20of\x20Clubs'\x20service\.\n------------------- +SF:------------\nPlease\x20choose\x20an\x20option:\n1\.\x20Send\x20contact +SF:\x20info\n2\.\x20Greetings\n3\.\x20Send\x20feedback\n0\.\x20Exit\n\0Unk +SF:nown\x20option\.\n\nWelcome\x20to\x20the\x20'9\x20of\x20Clubs'\x20servi +SF:ce\.\n-------------------------------\nPlease\x20choose\x20an\x20option 
+SF::\n1\.\x20Send\x20contact\x20info\n2\.\x20Greetings\n3\.\x20Send\x20fee +SF:dback\n0\.\x20Exit\n\0")%r(RTSPRequest,146,"\nWelcome\x20to\x20the\x20' +SF:9\x20of\x20Clubs'\x20service\.\n-------------------------------\nPlease +SF:\x20choose\x20an\x20option:\n1\.\x20Send\x20contact\x20info\n2\.\x20Gre +SF:etings\n3\.\x20Send\x20feedback\n0\.\x20Exit\n\0Unknown\x20option\.\n\n +SF:Welcome\x20to\x20the\x20'9\x20of\x20Clubs'\x20service\.\n-------------- +SF:-----------------\nPlease\x20choose\x20an\x20option:\n1\.\x20Send\x20co +SF:ntact\x20info\n2\.\x20Greetings\n3\.\x20Send\x20feedback\n0\.\x20Exit\n +SF:\0"); +==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== +SF-Port5555-TCP:V=7.80%I=7%D=12/5%Time=5FCB188B%P=x86_64-pc-linux-gnu%r(NU +SF:LL,699,"\xff\xfd\"\xff\xfb\x01\x1b\[2J\x1b\[HSCORE:\x200\r\n\|\x20\x20\ +SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20 +SF:\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x2 +SF:0\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x +SF:20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\ +SF:|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20 +SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x2 +SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x +SF:20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\^\x20\x20\x20\x20\x20\x20\x20\x2 +SF:0\x20\x20\x20\|\r\n\x1b\[2J\x1b\[HSCORE:\x201\r\n\|\x20\x20\x20\x20\x20 +SF:\x200\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x +SF:20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\ +SF:x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r +SF:\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x2 +SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x +SF:20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\ 
+SF:x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20 +SF:\x20\x20\x20\|\r\n\|\x20\^\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\ +SF:|\r\n\x1b\[2J\x1b\[HSCORE:\x202\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x +SF:20\x20\x20\x200\|\r\n\|\x20\x20\x20\x20\x20\x200\x20\x20\x20\x20\x20\x2 +SF:0\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x +SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\ +SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20 +SF:\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x2 +SF:0\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x +SF:20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\ +SF:n\|\x20\^\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\x1b\[2J\x1b +SF:\[HSCORE:\x203\r\n\|\x20\x20\x20\x20\x20\x200\x20\x20\x20\x20\x20\x20\| +SF:\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x200\|\r\n\|\x20\x20 +SF:\x20\x20\x20\x200\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x +SF:20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\ +SF:x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20 +SF:\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\ +SF:r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x +SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\^\x20\x20\x2 +SF:0\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\x1b\[2J\x1b\[HSCORE:\x204\r\n\| +SF:\x20\x20\x200\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x +SF:20\x20\x200\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20 +SF:\x20\x20\x20\x20\x200\|\r\n\|\x20\x20\x20\x20\x20\x200\x20\x20\x20\x20\ +SF:x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r +SF:\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x2 +SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x 
+SF:20\x20\x20\x20\x20"); +==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== +SF-Port9008-TCP:V=7.80%I=7%D=12/5%Time=5FCB188B%P=x86_64-pc-linux-gnu%r(NU +SF:LL,4,"\xac\xed\0\x05"); +MAC Address: 0A:6C:D1:10:33:CD (Unknown) +Aggressive OS guesses: Linux 2.6.32 (96%), Linux 3.2 - 4.9 (96%), Linux 2.6.32 - 3.10 (96%), Linux 3.4 - 3.10 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Synology DiskStation Manager 5.2-5644 (94%), Netgear RAIDiator 4.2.28 (94%), Linux 2.6.32 - 2.6.35 (94%) +No exact OS matches for host (test conditions non-ideal). +Network Distance: 1 hop +Service Info: Host: 172.17.0.15; OS: Linux; CPE: cpe:/o:linux:linux_kernel + +TRACEROUTE +HOP RTT ADDRESS +1 0.75 ms target (172.15.18.117) + +OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +Nmap done: 1 IP address (1 host up) scanned in 245.48 seconds |
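Review bot: The first added line, `+Nmap done: 1 IP address (1 host up) scanned in 13.49 seconds`, sits before `+Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-05 05:20 UTC`, so it is residue from an earlier, shorter run pasted on top of the full scan; drop it (the real summary line at the end of the file already reports 245.48 seconds) so the file reads as a single run. The three `SF-Port...` fingerprint blocks (roughly 100 lines of `SF:` continuation lines for ports 1337, 5555 and 9008) only repeat what the per-port `fingerprint-strings:` sections already show in readable form and are meant for submission to nmap.org, not for a writeup; consider trimming them to keep the annotated port list in focus. Two small text fixes in the inline notes: `publically` should be `publicly`, and `wireshare protocol vuln` on the 9010 entry presumably means `wireshark`. Finally, the notes record working credentials in clear text (`admin/password` on the 9009 ssh entry and the cracked `ihatesaltalot7` on 8123); that is normal for a CTF writeup, but it is worth a one-line header stating the environment is long gone so nobody mistakes them for live secrets.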