TryHackMe — Advent of Christmas 2-2020

Vlad Spades
4 min read · Jan 3, 2021

Task 7 [Day 2] Web Exploitation The Elf Strikes Back!

  • What string of text needs adding to the URL to get access to the upload page?

Using the id = ODIzODI5MTNiYmYw

  • What type of file is accepted by the site?

Try inspecting the source code

Oh! This looks like an “I***E” file

  • In which directory are the uploaded files stored?

Read through the file upload section. Pretty sure you’d find something good there

  • Activate your reverse shell and catch it in a netcat listener!

You can download a PHP reverse shell from pentestmonkey.

Change the IP in the PHP script to your own machine’s address (the tun0 IP from your VPN, or the AttackBox), and the port too if you want a different one.

ifconfig tun0

First, set up a netcat listener on the port you chose.

Now navigate to the uploads directory and click on the PHP file.

We immediately get a shell.

cat /var/www/flag.txt
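The reason this task works is that the upload page trusts the file type the client claims and then stores the file somewhere the web server will execute it. As an added illustration (not code from the room or from TryHackMe), here is the check a defender would put in front of that upload handler: it keys on magic bytes rather than the name, rejects double extensions, looks for a PHP open tag inside an “image”, and stores the file under a random name in a directory assumed to be outside the web root (`/srv/uploads` is a placeholder). The sample filenames and bytes are constructed for the demo.

```python
"""Hardened image-upload check (added example, not the room's code)."""
from __future__ import annotations

import secrets
from pathlib import Path

# Allowed image extensions and the magic bytes each must start with.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
MAX_BYTES = 2 * 1024 * 1024  # 2 MiB cap
# Assumption: this directory is NOT under the web root and is never
# served or executed by the web server, so a bad file is inert there.
UPLOAD_ROOT = Path("/srv/uploads")


def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Decide whether an upload is an acceptable image.

    Returns (accepted, reason). The client-supplied name is used only
    for its extension; it is never used as the stored name.
    """
    if len(data) > MAX_BYTES:
        return False, "too large"
    suffixes = Path(filename).suffixes
    # 'shell.php.png' has two suffixes; 'shell' has none. Reject both.
    if len(suffixes) != 1:
        return False, "double extension or no extension"
    ext = suffixes[0].lower()
    if ext not in IMAGE_MAGIC:
        return False, "extension not allowed"
    # The extension can lie; a file that does not start with the image
    # signature is not that image type, whatever it is called.
    if not data.startswith(IMAGE_MAGIC[ext]):
        return False, "magic bytes do not match " + ext
    # Cheap polyglot check: a PHP open tag inside an 'image' is a red
    # flag. Defence in depth only; the non-executing directory is the
    # control that actually matters.
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP tag"
    return True, "ok"


def stored_path(filename: str) -> Path:
    """Random, non-guessable name; keeps only the vetted extension."""
    ext = Path(filename).suffix.lower()
    return UPLOAD_ROOT / (secrets.token_hex(16) + ext)


# Constructed sample inputs (not real files from the room).
GOOD_PNG = IMAGE_MAGIC[".png"] + b"\x00" * 32
FAKE_PHP = b"<?php echo 'placeholder'; ?>\n"

SAMPLES = {
    "holiday.png": GOOD_PNG,           # genuine image: accepted
    "shell.php": FAKE_PHP,             # plain PHP upload: wrong extension
    "shell.png": FAKE_PHP,             # renamed PHP: magic bytes fail
    "shell.php.png": GOOD_PNG,         # double extension
    "poly.png": GOOD_PNG + FAKE_PHP,   # real image with PHP appended
}


def run_samples() -> dict[str, tuple[bool, str]]:
    """Run every constructed sample through the check."""
    return {name: check_upload(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, why) in run_samples().items():
        print(f"{name:15} {'ACCEPT' if ok else 'REJECT':7} {why}")
```

Only the first sample is accepted; the renamed reverse shell fails on magic bytes, and even a genuine image with PHP appended is refused. Note that the magic-byte check alone would not stop the polyglot case, which is why the stored location must be one the server never executes.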

Task 8 [Day 3] Web Exploitation Christmas Chaos

Firing up the box, we are met with a login page.

  • What is the flag?

We are going to brute-force the login page with Burp Suite.

I use FoxyProxy to manage my Burp proxy so I do not have to change it manually in the browser settings.

Turn on FoxyProxy

Fire up Burp Suite

Then go to the login page and enter some placeholder login info: admin for the username and pass for the password. We just want a request with the form filled in.

Hit Forward until you see the login request in the proxy.

Hit Ctrl-I to send it to Intruder, which is what we use to brute-force the login fields.

Positions tab

Attack type: Cluster Bomb

username=§admin§&password=§pass§

The § markers enclose the fields that will be replaced by values from whatever wordlists we use.

Payloads tab

Start Attack

Don’t be misled by the status codes; look for the response with Length 255.

Login with the creds

Access granted

Task 9 [Day 4] Web Exploitation Santa’s watching

Given the URL “http://shibes.xyz/api.php”, what would the entire wfuzz command look like to query the “breed” parameter using the wordlist “big.txt” (assume that “big.txt” is in your current directory)?

wfuzz -c -z file,big.txt http://shibes.xyz/api.php?breed=FUZZ

Use GoBuster (against the target you deployed — not the shibes.xyz domain) to find the API directory. What file is there?

Run the gobuster command:

gobuster dir -u http://10.10.24.64 -w big.txt -x php

Let’s try the /api directory

Fuzz the date parameter on the file you found in the API directory. What is the flag displayed in the correct post?

Now that we know that site-log.php is the file inside the api directory, we can fuzz its date parameter.

Look for the line whose response differs from all the others.

Put that date in place of the FUZZ placeholder and get your flag.
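Both the Intruder run in Day 3 and the gobuster/wfuzz runs in Day 4 leave a very recognisable trail in the web server’s access log, which is what a blue team would look for. The detector below is an added example (not code from the room or from TryHackMe) that reads combined-format log lines and raises three alerts: a burst of POSTs to the login form from one IP, a burst of 404s from one IP (wordlist walk), and many distinct query strings against one script (parameter fuzzing). The login rule deliberately ignores status codes, because, as the Day 3 note says, the app answers good and bad credentials alike and only the length differs. The log lines, the `/login` path and the thresholds are constructed assumptions for the demo.

```python
"""Access-log detector for login brute force and fuzzing bursts
(added example, not the room's code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format; the constructed samples use it.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumptions about the application; tune per site.
LOGIN_PATH = "/login"
WINDOW = timedelta(minutes=1)
LOGIN_BURST = 10      # POSTs to the login form per IP per window
NOTFOUND_BURST = 20   # 404s per IP per window (gobuster-style)
QUERY_BURST = 20      # distinct query strings to one path (wfuzz-style)


def parse(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["path"], _, rec["query"] = rec["path"].partition("?")
    return rec


def peak_in_window(times, window=WINDOW):
    """Largest number of events that fall inside any window-sized span."""
    times = sorted(times)
    best, j = 0, 0
    for i, t in enumerate(times):
        while times[j] < t - window:
            j += 1
        best = max(best, i - j + 1)
    return best


def detect(lines):
    """Return a list of (rule, subject, count) alerts."""
    logins = defaultdict(list)    # ip -> timestamps of login POSTs
    notfound = defaultdict(list)  # ip -> timestamps of 404s
    queries = defaultdict(set)    # (ip, path) -> distinct query strings
    for rec in filter(None, map(parse, lines)):
        # No status check here on purpose: the login form in the room
        # returns the same code whether or not the credentials work.
        if rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            logins[rec["ip"]].append(rec["ts"])
        if rec["status"] == 404:
            notfound[rec["ip"]].append(rec["ts"])
        if rec["query"]:
            queries[(rec["ip"], rec["path"])].add(rec["query"])
    alerts = []
    for ip, ts in logins.items():
        if (n := peak_in_window(ts)) >= LOGIN_BURST:
            alerts.append(("login-bruteforce", ip, n))
    for ip, ts in notfound.items():
        if (n := peak_in_window(ts)) >= NOTFOUND_BURST:
            alerts.append(("dir-enumeration", ip, n))
    for (ip, path), qs in queries.items():
        if len(qs) >= QUERY_BURST:
            alerts.append(("param-fuzzing", f"{ip} {path}", len(qs)))
    return alerts


def _line(ip, secs, method, path, status, size):
    """Build one constructed combined-format line `secs` after 10:00."""
    ts = datetime(2020, 12, 3, 10, 0, tzinfo=timezone.utc) + timedelta(seconds=secs)
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
            f'{status} {size} "-" "Mozilla/5.0"')


# Constructed sample log: one normal visitor, one Intruder-style burst,
# one wordlist walk, one parameter fuzz. Not real traffic from the room.
SAMPLE_LOG = (
    [_line("10.0.0.5", 0, "GET", "/", 200, 1024),
     _line("10.0.0.5", 30, "POST", "/login", 200, 255)]
    + [_line("10.0.0.9", i // 2, "POST", "/login", 200, 1032) for i in range(40)]
    + [_line("10.0.0.9", 60 + i // 2, "GET", f"/w{i}", 404, 196) for i in range(30)]
    + [_line("10.0.0.7", 120 + i, "GET", f"/api/site-log.php?date=2020120{i:02d}", 200, 80)
       for i in range(25)]
)


if __name__ == "__main__":
    for rule, subject, count in detect(SAMPLE_LOG):
        print(f"{rule:17} {subject:28} {count}")
```

Run as-is it prints three alerts, one per attacker pattern, and nothing for the ordinary visitor. In practice you would feed it the tail of the real access log and pair the login rule with rate limiting on the form, which is the control that would have stopped the Day 3 Intruder run outright.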

Task 10 [Day 5] Web Exploitation Someone stole Santa’s gift list!


Vlad Spades

Cybersecurity Junkie. Constantly finding my self in the middle of malware analysis and technical content writing.