Posts

Showing posts with the label TryHackMe\English

TryHackMe|Blueprint WriteUp\Walkthrough (English)

BluePrint Room Link: https://tryhackme.com/r/room/blueprint ===================================================================== First, start with an Nmap scan. The scan will show many open ports; however, if you try to work with SMB, you will not get anything. So, we will focus on the web servers present on the machine. You have 3 ports running HTTP: 80, 443, and 8080. Port 80 doesn't have anything, even if you try to run gobuster on it. Port 443 is the same as port 8080; however, working with port 8080 is easier, as there is no certificate. On the main page of port 8080, you will find an index of Oscommerce-2.3.4. If you look inside this folder, you will find a bunch of files and a very sad web commerce website. Try searching for "oscommerce-2.3.4" to see if there are any exploits for it. Indeed, there are. I will work with exploit No. 44374 from exploit-db. Copy it to your current directory with searchsploit -m 44374 and change its name to exploit.py. You need to ch...

TryHackMe|h4cked WriteUp\Walkthrough (English)

h4cked Room Link: https://tryhackme.com/r/room/h4cked ============================================================ Once you open the .pcap, the attacker is obviously trying to log in using the FTP service. For the second question, the answer is hydra, found by simply Google searching "Van Hauser brute force". To find the username, right-click on any FTP packet and choose Follow > TCP Stream. The user is jenny. The password is password123. The current working directory is /var/www/html. The backdoor name is shell.php. To get the URL, look at the comments at the top of the shellcode. To locate the packet, filter the .pcap file using 'frame contains "shell.php"'. Right-click on frame 450, then follow the TCP stream for this packet. You will get a stream containing all the commands executed on the target. The first command is whoami. The computer's name is wir3; you can conclude it from the first line. The command used to spawn a tty shell is python3 -c 'import pty; pty.spawn("...

TryHackMe|Brute It WriteUp\Walkthrough (English)

Brute It Room Link: https://tryhackme.com/r/room/bruteit ============================================================= sudo nmap IP -Pn. You have ports 22 and 80 open. Run Nmap with -sV to see the versions of both. To know the version of the Linux distribution, look at the results of Nmap's scan on the target for both the SSH and Apache services: Ubuntu. The page in the browser is just the default page for Apache. To get the hidden folder, run gobuster dir -w /usr/share/dirb/wordlists/common.txt -u http://IP -r; the hidden folder is /admin, which is a login form. As it is an admin panel, it is most likely that the username is admin. To get the password, intercept the login request using Burp Suite so you can easily fill in the blanks of your Hydra brute force; also try logging in with invalid credentials to get the error message so you can put it in your attack. sudo hydra -l admin -P /usr/share/wordlists/rockyou.txt IP http-post-form "/admin/:user=admin&pass=^PASS^:Username or passwo...

TryHackMe|Gallery WriteUp\Walkthrough (English)

Gallery Room Link: https://tryhackme.com/r/room/gallery666 ================================================================ After the Nmap scan, you will see 2 ports open, 80 and 8080. 8080 doesn't have anything interesting. On 80, the main page is the default home page of the nginx server. Use gobuster to find any hidden directories. There is /gallery. In /gallery you have a login page. Try to see if SQLi works on it. Enter ' or '1' = '1' -- - in the username field and see if it lets you in, and it did :). Once you are in, you can answer the second question, which is the CMS: the website uses Simple Image Gallery. Although there is a known vulnerability for this, you don't need it. Go to Albums from the top horizontal menu. Then, click on any of the albums and upload a .php webshell; I used the one from pentestmonkey. Do not forget to change the IP to your IP and set up a netcat listener with the same port number as in the shell. Once you have your webshel...

TryHackMe|CMSpit WriteUp\Walkthrough (English)

CMSpit Room Link: https://tryhackme.com/r/room/cmspit ================================================================ sudo nmap -vv IP; we have 2 open ports, 80 and 22. Visit the website on port 80 and you will immediately know the name of the CMS, which is cockpit. To know the version, view the source code, then search (ctrl+f) for "ver" and you will get the version. Start msfconsole and search for "cockpit". You have an exploit module that will reveal the users and get you a shell: exploit/multi/http/cockpit_cms_rce. First, run the module without specifying any user to make it print the available users' names, then choose any of them and rerun the exploit. Set rhosts and lhost, then run the exploit. Now set the user to admin and rerun the exploit. Take the new password and log in to the webserver through the browser as admin. Go to /finder. From there, upload a php reverse shell. Set up a listener on your device and run the shell by visiting the shell at IP/[she...

TryHackMe|WonderLand WriteUp\Walkthrough (English)

Wonderland Room Link: https://tryhackme.com/r/room/wonderland ================================================================ After an Nmap scan, you will notice that you have 2 open ports, 22 and 80. Go to port 80. There you will find some text and a picture. Run gobuster on the target to see if there are any hidden folders; you get 2 hidden folders, /img and /r. The /img folder has 3 pictures in it; download them for further inspection. Using exiftool, there is nothing. Trying binwalk -e [picture name] also gives nothing, except that alice_door.png has a zlib file in it, which has nothing interesting. Moving on to steghide: with steghide we've found a file called hint.txt embedded in it. Extract this file with steghide extract -sf white_rabbit_1.jpg. The hint is: Which is not clear right now, but it will be :). We have another folder that we need to inspect: the /r folder. If you continue to run gob...