docs/writeups/Metasploit_Community_CTF_2020/target_scan.txt


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240

Nmap done: 1 IP address (1 host up) scanned in 13.49 seconds
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-05 05:20 UTC
Nmap scan report for target (172.15.18.117)
Host is up (0.00075s latency).
Not shown: 65505 closed ports
PORT     STATE SERVICE     VERSION


### welcome page (we solved)
80/tcp   open  http        nginx 1.19.5
|_http-server-header: nginx/1.19.5
|_http-title: Metasploit CTF

## proxy. found a flag on a webserver that was only available through localhost (solved)
1080/tcp open  socks5      (No authentication; connection failed)
| socks-auth-info: 
|_  No authentication

### basic format string read flag out of memory (solved)
1337/tcp open  waste?
| fingerprint-strings: 
|   GenericLines, GetRequest, HTTPOptions, RTSPRequest: 
|     Welcome to the '9 of Clubs' service.
|     -------------------------------
|     Please choose an option:
|     Send contact info
|     Greetings
|     Send feedback
|     Exit
|     Unknown option.
|     Welcome to the '9 of Clubs' service.
|     -------------------------------
|     Please choose an option:
|     Send contact info
|     Greetings
|     Send feedback
|     Exit
|   NULL: 
|     Welcome to the '9 of Clubs' service.
|     -------------------------------
|     Please choose an option:
|     Send contact info
|     Greetings
|     Send feedback
|_    Exit

### Buffalo RE (we solved)
4545/tcp open  http        SimpleHTTPServer 0.6 (Python 3.8.5)
|_http-server-header: SimpleHTTP/0.6 Python/3.8.5
|_http-title: Directory listing for /

### simple dodge falling rocks game needs a bot (solved)
5555/tcp open  telnet
| fingerprint-strings: 
|   NULL: 
|     [HSCORE: 0
|     [HSCORE: 1
|     [HSCORE: 2
|     [HSCORE: 3
|_    [HSCORE: 4

### Photos5u flag was just in one of the "other user"'s files which are publically open (solved)
6868/tcp open  http        WSGIServer 0.2 (Python 3.8.5)
|_http-server-header: WSGIServer/0.2 CPython/3.8.5
|_http-title: Photos5u

### comes up and lets you retrieve the flag once you beat 5555 game (solved)
7878/tcp open  http    SimpleHTTPServer 0.6 (Python 3.8.5)
|_http-server-header: SimpleHTTP/0.6 Python/3.8.5
|_http-title: Directory listing for /

### Guest -- guess other username (we solved)
8080/tcp open  http        Apache httpd 2.4.38 ((Debian))
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).

### vuln == in php (solved)
8092/tcp open  http        Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).

### Make metasploit module
8101/tcp open  http        Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: 5 of Clubs Frontend

### we have the password hash, salt, and width/alphabet of the rest. hashcat saves the day: ihatesaltalot7 (solved)
8123/tcp open  http        WSGIServer 0.2 (Python 3.8.5)
|_http-server-header: WSGIServer/0.2 CPython/3.8.5
|_http-title: Salt Free Hashes

### Image upload (we solved)
8200/tcp open  http        Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Home

### redirects to vhost. says to use other subdomains, but what are they?
8201/tcp open  http        nginx 1.19.5
|_http-server-header: nginx/1.19.5
|_http-title: Did not follow redirect to http://intranet.metasploit.ctf:8201

### obfuscated graphql queries. "all posts" query not authenticated and leaks url to flag (solved)
8202/tcp open  http        nginx 1.19.5
|_http-server-header: nginx/1.19.5
|_http-title: Site doesn't have a title (text/html).

### Metasploit modules looks like something to do with the session cookie
8888/tcp open  http        Werkzeug httpd 1.0.1 (Python 3.8.5)
|_http-title: Home

### Game library (we solved)
9000/tcp open  http        WEBrick httpd 1.6.0 (Ruby 2.7.0 (2019-12-25))
|_http-server-header: WEBrick/1.6.0 (Ruby/2.7.0/2019-12-25)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).

### Game reviews (we solved)
9001/tcp open  http        Thin httpd
|_http-server-header: thin
|_http-title: Site doesn't have a title (text/html;charset=utf-8).

### Broken zip file (we solved)
9007/tcp open  http        Apache httpd 2.4.46 ((Unix))
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (Unix)
|_http-title: Index of /

### QOH(9010) server. if sent a GET from a browser, it returns 4 bytes (ACED0005) (solved)
9008/tcp open  java-object Java Object Serialization

### admin/password /etc/ace_of_clubs.png owned by root setuid /opt/vpn_connect (solved)
9009/tcp open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4c:0f:d8:c5:a2:f1:54:f9:92:30:df:62:1f:52:e6:fe (RSA)
|   256 6e:b8:6f:94:e6:c0:2f:15:0c:80:71:32:cb:d0:2a:00 (ECDSA)
|_  256 8a:55:03:98:8e:87:29:50:66:1a:57:4c:5b:10:a4:01 (ED25519)

### Jar file - wireshare protocol vuln (solved)
9010/tcp open  http        Apache httpd 2.4.38
| http-ls: Volume /
| SIZE  TIME              FILENAME
| 3.2K  2020-12-01 15:29  QOH_Client.jar
|_
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Index of /
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port1337-TCP:V=7.80%I=7%D=12/5%Time=5FCB188B%P=x86_64-pc-linux-gnu%r(NU
SF:LL,9B,"\nWelcome\x20to\x20the\x20'9\x20of\x20Clubs'\x20service\.\n-----
SF:--------------------------\nPlease\x20choose\x20an\x20option:\n1\.\x20S
SF:end\x20contact\x20info\n2\.\x20Greetings\n3\.\x20Send\x20feedback\n0\.\
SF:x20Exit\n\0")%r(GenericLines,146,"\nWelcome\x20to\x20the\x20'9\x20of\x2
SF:0Clubs'\x20service\.\n-------------------------------\nPlease\x20choose
SF:\x20an\x20option:\n1\.\x20Send\x20contact\x20info\n2\.\x20Greetings\n3\
SF:.\x20Send\x20feedback\n0\.\x20Exit\n\0Unknown\x20option\.\n\nWelcome\x2
SF:0to\x20the\x20'9\x20of\x20Clubs'\x20service\.\n------------------------
SF:-------\nPlease\x20choose\x20an\x20option:\n1\.\x20Send\x20contact\x20i
SF:nfo\n2\.\x20Greetings\n3\.\x20Send\x20feedback\n0\.\x20Exit\n\0")%r(Get
SF:Request,146,"\nWelcome\x20to\x20the\x20'9\x20of\x20Clubs'\x20service\.\
SF:n-------------------------------\nPlease\x20choose\x20an\x20option:\n1\
SF:.\x20Send\x20contact\x20info\n2\.\x20Greetings\n3\.\x20Send\x20feedback
SF:\n0\.\x20Exit\n\0Unknown\x20option\.\n\nWelcome\x20to\x20the\x20'9\x20o
SF:f\x20Clubs'\x20service\.\n-------------------------------\nPlease\x20ch
SF:oose\x20an\x20option:\n1\.\x20Send\x20contact\x20info\n2\.\x20Greetings
SF:\n3\.\x20Send\x20feedback\n0\.\x20Exit\n\0")%r(HTTPOptions,146,"\nWelco
SF:me\x20to\x20the\x20'9\x20of\x20Clubs'\x20service\.\n-------------------
SF:------------\nPlease\x20choose\x20an\x20option:\n1\.\x20Send\x20contact
SF:\x20info\n2\.\x20Greetings\n3\.\x20Send\x20feedback\n0\.\x20Exit\n\0Unk
SF:nown\x20option\.\n\nWelcome\x20to\x20the\x20'9\x20of\x20Clubs'\x20servi
SF:ce\.\n-------------------------------\nPlease\x20choose\x20an\x20option
SF::\n1\.\x20Send\x20contact\x20info\n2\.\x20Greetings\n3\.\x20Send\x20fee
SF:dback\n0\.\x20Exit\n\0")%r(RTSPRequest,146,"\nWelcome\x20to\x20the\x20'
SF:9\x20of\x20Clubs'\x20service\.\n-------------------------------\nPlease
SF:\x20choose\x20an\x20option:\n1\.\x20Send\x20contact\x20info\n2\.\x20Gre
SF:etings\n3\.\x20Send\x20feedback\n0\.\x20Exit\n\0Unknown\x20option\.\n\n
SF:Welcome\x20to\x20the\x20'9\x20of\x20Clubs'\x20service\.\n--------------
SF:-----------------\nPlease\x20choose\x20an\x20option:\n1\.\x20Send\x20co
SF:ntact\x20info\n2\.\x20Greetings\n3\.\x20Send\x20feedback\n0\.\x20Exit\n
SF:\0");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port5555-TCP:V=7.80%I=7%D=12/5%Time=5FCB188B%P=x86_64-pc-linux-gnu%r(NU
SF:LL,699,"\xff\xfd\"\xff\xfb\x01\x1b\[2J\x1b\[HSCORE:\x200\r\n\|\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\^\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\|\r\n\x1b\[2J\x1b\[HSCORE:\x201\r\n\|\x20\x20\x20\x20\x20
SF:\x200\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r
SF:\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\|\r\n\|\x20\^\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:|\r\n\x1b\[2J\x1b\[HSCORE:\x202\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x200\|\r\n\|\x20\x20\x20\x20\x20\x200\x20\x20\x20\x20\x20\x2
SF:0\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\
SF:n\|\x20\^\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\x1b\[2J\x1b
SF:\[HSCORE:\x203\r\n\|\x20\x20\x20\x20\x20\x200\x20\x20\x20\x20\x20\x20\|
SF:\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x200\|\r\n\|\x20\x20
SF:\x20\x20\x20\x200\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\
SF:r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\^\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\x1b\[2J\x1b\[HSCORE:\x204\r\n\|
SF:\x20\x20\x200\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x
SF:20\x20\x200\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x200\|\r\n\|\x20\x20\x20\x20\x20\x200\x20\x20\x20\x20\
SF:x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r
SF:\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port9008-TCP:V=7.80%I=7%D=12/5%Time=5FCB188B%P=x86_64-pc-linux-gnu%r(NU
SF:LL,4,"\xac\xed\0\x05");
MAC Address: 0A:6C:D1:10:33:CD (Unknown)
Aggressive OS guesses: Linux 2.6.32 (96%), Linux 3.2 - 4.9 (96%), Linux 2.6.32 - 3.10 (96%), Linux 3.4 - 3.10 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Synology DiskStation Manager 5.2-5644 (94%), Netgear RAIDiator 4.2.28 (94%), Linux 2.6.32 - 2.6.35 (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: 172.17.0.15; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.75 ms target (172.15.18.117)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 245.48 seconds