Post

Sws101_ctf6

Posted
By Pema dolker 2 min read

Topic : GREP

alt text

Overview

The “Grep.v.1.7” challenge is part of TryHackMe’s Red Teaming Path, designed to test participants’ reconnaissance and OSINT (Open Source Intelligence) skills. As an ethical hacker, the goal is to exploit a web application developed by SuperSecure Corp. The challenge involves gathering information from public sources and identifying vulnerabilities to exploit.

Challenge Tasks

Participants are required to complete several tasks, including:

  1. Finding the API key for user registration.
  2. Identifying the first flag.
  3. Determining the email of the “admin” user.
  4. Discovering the hostname of the web application for checking password leaks.
  5. Finding the “admin” user’s password.

Steps Taken

Initial Reconnaissance

  1. Nmap Scan:
    • Conducted a scan with nmap -sC -sV -Pn <Machine_IP> to identify open ports and services.
    • Found open ports: 22 (SSH), 80 (HTTP), and 443 (HTTPS).
  2. Accessing the Web Application:
    • Visited the web application at https://grep.thm after adding the hostname to the /etc/hosts file.
    • Explored available options and found a registration page requiring an API key.

API Key Discovery

  1. GitHub Search:
    • Searched GitHub for repositories related to SuperSecure Corp.
    • Found a repository with a commit message indicating the removal of an API key.
    • Extracted the API key: ffe60ecaa8bba2f12b43d1a4b15b8f39.
  2. Using BurpSuite:
    • Intercepted the registration request with BurpSuite.
    • Modified the intercepted request to include the valid API key, successfully creating an account.

Directory and File Enumeration

  1. Directory Scan:
    • Used a directory scanning tool to discover hidden files and directories.
    • Identified important paths such as /public/html/upload.php.
  2. Bypassing File Upload Restrictions:
    • Created a PHP reverse shell and altered its header bytes to resemble an image file.
    • Uploaded the disguised PHP shell through the upload page and accessed it to establish a reverse shell.

Extracting Information from the System

  1. Reverse Shell Access:
    • Navigated the file system through the reverse shell.
    • Found and read the backup file containing user information: /var/www/backup/users.sql.
    • Retrieved the admin email: admin@searchme2023cms.grep.thm.

Discovering the Hostname for Password Leak Check

  1. Comprehensive Nmap Scan:
    • Conducted an exhaustive Nmap scan revealing an additional open port: 51337.
    • Updated the /etc/hosts file to include leakchecker.grep.thm.
    • Accessed the new hostname to discover the password leak checking service.

Final Answer

  1. Password Leak Check:
    • Used the admin email in the leak checking service to retrieve the leaked password.

Summary

The “Grep.v.1.7” OSINT challenge required thorough reconnaissance and strategic exploitation of a web application. Key actions included Nmap scanning, GitHub searching, directory enumeration, bypassing file upload restrictions, and reverse shell exploitation. The room demonstrated the use of OSINT techniques and ethical hacking .

SWS101, CTF journal
SWS101
This post is licensed under CC BY 4.0 by the author.

Trending Tags

SWS101 DBS101