Friday, February 11, 2022

Blizzard CTF - part III - notes

root@kali2:~# tftp 10.0.2.33 69
tftp> get p@5$w0rd.txt
Transfer timed out.
tftp> quit

root@kali2:~# nslookup ctfboard.local
Server:        10.0.7.254
Address:    10.0.7.254#53

** server can't find ctfboard.local: NXDOMAIN

root@kali2:~# nmap 10.0.2.0/24 -p 53

Starting Nmap 7.01 ( https://nmap.org ) at 2017-11-05 15:15 PST
Nmap scan report for scoreboard.local (10.0.2.10)
Host is up (0.00047s latency).
PORT   STATE    SERVICE
53/tcp filtered domain

Nmap scan report for 10.0.2.33
Host is up (0.00045s latency).
PORT   STATE    SERVICE
53/tcp filtered domain

Nmap scan report for 10.0.2.80
Host is up (0.00053s latency).
PORT   STATE    SERVICE
53/tcp filtered domain

Nmap scan report for 10.0.2.81
Host is up (0.00051s latency).
PORT   STATE    SERVICE
53/tcp filtered domain

Nmap scan report for 10.0.2.92
Host is up (0.00052s latency).
PORT   STATE    SERVICE
53/tcp filtered domain

Nmap scan report for 10.0.2.128
Host is up (0.00040s latency).
PORT   STATE    SERVICE
53/tcp filtered domain

Nmap scan report for 10.0.2.163
Host is up (0.00049s latency).
PORT   STATE    SERVICE
53/tcp filtered domain

Nmap scan report for 10.0.2.168
Host is up (0.00056s latency).
PORT   STATE  SERVICE
53/tcp closed domain

Nmap scan report for 10.0.2.203
Host is up (0.00038s latency).
PORT   STATE    SERVICE
53/tcp filtered domain

Nmap scan report for 10.0.2.204
Host is up (0.00034s latency).
PORT   STATE    SERVICE
53/tcp filtered domain

root@kali2:~# cat sombra.txt
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCkAPY0zMTQrcMajJrhMeRbJcCJrHQpyVD+3tTsjM+TsuP/Dzw0Y1I+ZXGefgAVwHXvyMkxXodrFZn66Si/VZLRNN3glm0ByPszEVMMpA7d/isQDODAWK9e/moRI3deJ0yjSCZ4TXT/d67Zmd73Pcr5DGkRXtbCSktjHzCnKPkr1T+gnTAINeMXdBqYKQtURwTsXMJ9y7MlxEuCbmjBIkHP90qUcHoaODKPKU0uAnAYXtRHeWk+z3cPlrjLtFTYhstYvSKqhgg5cc61B7t/Q8+Mt/u+ZP+bz5haC8ipvPrHEKwQ5HiNO/+oAQ/+gCcUG/7ja9z1IrqZV3/jl6DddArN

root@kali2:~# nmap -sT 10.0.2.10

Starting Nmap 7.01 ( https://nmap.org ) at 2017-11-05 15:49 PST
Nmap scan report for scoreboard.local (10.0.2.10)
Host is up (0.00039s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
443/tcp  open  https
8888/tcp open  sun-answerbook


root@kali2:~# nslookup scoreboard.local
Server:        10.0.7.254
Address:    10.0.7.254#53

Non-authoritative answer:
Name:    scoreboard.local
Address: 10.0.2.10


root@kali2:~# ssh ubuntu@10.0.2.163 -p 5555
The authenticity of host '[10.0.2.163]:5555 ([10.0.2.163]:5555)' can't be established.
ECDSA key fingerprint is e1:13:83:84:5f:63:9b:7a:e2:e2:f3:e5:15:b0:7d:85.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[10.0.2.163]:5555' (ECDSA) to the list of known hosts.
ubuntu@10.0.2.163's password:
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 3.13.0-129-generic i686)

ubuntu@ubuntu:~$ ls
ubuntu@ubuntu:~$ pwd
/home/ubuntu
ubuntu@ubuntu:~$ cd ..
ubuntu@ubuntu:/home$ ls
ubuntu
ubuntu@ubuntu:/home$ cd ..
ubuntu@ubuntu:/$ ls
bin  boot  dev  etc  home  initrd.img  lib  lost+found  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var  vmlinuz
ubuntu@ubuntu:/$ cd /root
-bash: cd: /root: Permission denied
ubuntu@ubuntu:/$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
landscape:x:103:109::/var/lib/landscape:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
pollinate:x:105:1::/var/cache/pollinate:/bin/false
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash

ubuntu@ubuntu:/var/tmp$ id
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),102(netdev)
ubuntu@ubuntu:/var/tmp$ whoami
ubuntu
ubuntu@ubuntu:/var/tmp$ nano id
ubuntu@ubuntu:/var/tmp$ chmod +x id
ubuntu@ubuntu:/var/tmp$ id
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),102(netdev)
ubuntu@ubuntu:/var/tmp$ ./id
sudo: unable to resolve host ubuntu
ubuntu@ubuntu:/var/tmp$ id
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),102(netdev)
ubuntu@ubuntu:/var/tmp$ cat id
# Guard: when the effective uid is anything other than 0, replace this
# process with the same script run through sudo, forwarding "$0" exactly as
# invoked (so a relative path is resolved from the current directory) and
# the original arguments. When already root, fall through and do nothing.
# Whether sudo is permitted at all is decided by the host's sudoers policy.
case "$(id -u)" in
  0) ;;
  *) exec sudo "$0" "$@" ;;
esac
ubuntu@ubuntu:/var/tmp$ sudo id
sudo: unable to resolve host ubuntu
uid=0(root) gid=0(root) groups=0(root)
ubuntu@ubuntu:/var/tmp$ whoami
ubuntu

ubuntu@ubuntu:/var/tmp$ sudo id
sudo: unable to resolve host ubuntu
uid=0(root) gid=0(root) groups=0(root)

root@kali2:~# nc -lnvp 80
listening on [any] 80 ...
connect to [10.0.4.3] from (UNKNOWN) [10.0.4.3] 52345
GET / HTTP/1.1
Host: 10.0.4.3
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0

root@kali2:~# nmap -sU -p 53 --script dns-client-subnet-scan 10.0.2.0/24

Starting Nmap 7.01 ( https://nmap.org ) at 2017-11-05 16:53 PST
Nmap scan report for scoreboard.local (10.0.2.10)
Host is up (0.00051s latency).
PORT   STATE         SERVICE
53/udp open|filtered domain

Nmap scan report for 10.0.2.33
Host is up (0.00050s latency).
PORT   STATE SERVICE
53/udp open  domain

Nmap scan report for 10.0.2.80
Host is up (0.00044s latency).
PORT   STATE         SERVICE
53/udp open|filtered domain

Nmap scan report for 10.0.2.81
Host is up (0.00046s latency).
PORT   STATE         SERVICE
53/udp open|filtered domain

Nmap scan report for 10.0.2.92
Host is up (0.00046s latency).
PORT   STATE         SERVICE
53/udp open|filtered domain

Nmap scan report for 10.0.2.128
Host is up (0.00055s latency).
PORT   STATE         SERVICE
53/udp open|filtered domain

Nmap scan report for 10.0.2.163
Host is up (0.00057s latency).
PORT   STATE         SERVICE
53/udp open|filtered domain

Nmap scan report for 10.0.2.168
Host is up (0.00045s latency).
PORT   STATE  SERVICE
53/udp closed domain

Nmap scan report for 10.0.2.203
Host is up (0.00091s latency).
PORT   STATE         SERVICE
53/udp open|filtered domain

Nmap scan report for 10.0.2.204
Host is up (0.00080s latency).
PORT   STATE         SERVICE
53/udp open|filtered domain

Nmap done: 256 IP addresses (10 hosts up) scanned in 4.14 seconds

root@kali2:~# nmap -sV 10.0.2.0-254
Nmap scan report for scoreboard.local (10.0.2.10)
Host is up (0.00035s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      vsftpd 3.0.3
80/tcp   open  http     Apache httpd 2.4.18 ((Ubuntu))
443/tcp  open  ssl/http Microsoft IIS httpd 7.5
8888/tcp open  ssl/http Microsoft IIS httpd 7.5
Service Info: OSs: Unix, Windows; CPE: cpe:/o:microsoft:windows

Nmap scan report for 10.0.2.33
Host is up (0.00037s latency).
Not shown: 997 filtered ports
PORT      STATE SERVICE       VERSION
22/tcp    open  tcpwrapped
4848/tcp  open  appserv-http?
12345/tcp open  netbus?

Nmap scan report for 10.0.2.80
Host is up (0.00042s latency).
Not shown: 998 filtered ports
PORT     STATE  SERVICE    VERSION
3000/tcp closed ppp
3001/tcp open   tcpwrapped

Nmap scan report for 10.0.2.81
Host is up (0.00045s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE VERSION
3000/tcp open  http    Node.js (Express middleware)

Nmap scan report for 10.0.2.92
Host is up (0.00036s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE    VERSION
1052/tcp open  http       Tornado httpd 4.2.1
8080/tcp open  http-proxy

Nmap scan report for 10.0.2.128
Host is up (0.00041s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    lighttpd 1.4.45

Nmap scan report for 10.0.2.163
Host is up (0.00039s latency).
Not shown: 998 filtered ports
PORT     STATE  SERVICE VERSION
22/tcp   closed ssh
5555/tcp open   ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 10.0.2.168
Host is up (0.00053s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE VERSION
6666/tcp open  irc?