CyberCrafted [THM] (UNFINISHED)

TryHackMe - Cybercrafted - Write-Up

Port scan

Let's start off by performing a port scan against the target system.

# Nmap 7.92 scan initiated Sat Nov 20 23:37:17 2021 as: nmap -A -T4 -p- -vvv -oA initial/nmap_tcp cybercrafted.thm
Nmap scan report for cybercrafted.thm (10.10.236.237)
Host is up, received reset ttl 63 (0.034s latency).
Scanned at 2021-11-20 23:37:17 CET for 39s
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE   REASON         VERSION
22/tcp    open  ssh       syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 37:36:ce:b9:ac:72:8a:d7:a6:b7:8e:45:d0:ce:3c:00 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDk3jETo4Cogly65TvK7OYID0jjr/NbNWJd1TvT3mpDonj9KkxJ1oZ5xSBy+3hOHwDcS0FG7ZpFe8BNwe/ASjD91/TL/a1gH6OPjkZblyc8FM5pROz0Mn1JzzB/oI+rHIaltq8JwTxJMjTt1qjfjf3yqHcEA5zLLrUr+a47vkvhYzbDnrWEMPXJ5w9V2EUxY9LUu0N8eZqjnzr1ppdm3wmC4li/hkKuzkqEsdE4ENGKz322l2xyPNEoaHhEDmC94LTp1FcR4ceeGQ56WzmZe6CxkKA3iPz55xSd5Zk0XTZLTarYTMqxxe+2cRAgqnCtE1QsE7cX4NA/E90EcmBnJh5T
|   256 e9:e7:33:8a:77:28:2c:d4:8c:6d:8a:2c:e7:88:95:30 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLntlbdcO4xygQVgz6dRRx15qwlCojOYACYTiwta7NFXs9M2d2bURHdM1dZJBPh5pS0V69u0snOij/nApGU5AZo=
|   256 76:a2:b1:cf:1b:3d:ce:6c:60:f5:63:24:3e:ef:70:d8 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDbLLQOGt+qbIb4myX/Z/sYQ7cj20+ssISzpZCaMD4/u
80/tcp    open  http      syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Cybercrafted
| http-methods: 
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-favicon: Unknown favicon MD5: 4E1E2DCB46BCB45E53566634707765D9
|_http-server-header: Apache/2.4.29 (Ubuntu)
25565/tcp open  minecraft syn-ack ttl 63 Minecraft 1.7.2 (Protocol: 127, Message: ck00r lcCyberCraftedr ck00rrck00r e-TryHackMe-r  ck00r, Users: 0/1)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Uptime guess: 45.802 days (since Wed Oct  6 05:23:22 2021)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 5900/tcp)
HOP RTT      ADDRESS
1   38.72 ms 10.9.0.1
2   32.71 ms cybercrafted.thm (10.10.236.237)

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Nov 20 23:37:56 2021 -- 1 IP address (1 host up) scanned in 39.73 seconds

Web enumeration

Directory enumeration - http://cybercrafted.thm/

┌──(n㉿kali)-[~/Documents/TryHackMe/CyberCrafted]
└─$ feroxbuster -u http://cybercrafted.thm/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -t 80 -x cgi js zip html txt

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.4.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://cybercrafted.thm/
 🚀  Threads               │ 80
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
 👌  Status Codes          │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
 💥  Timeout (secs)        │ 7
 🦑  User-Agent            │ feroxbuster/2.4.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 💲  Extensions            │ [cgi, js, zip, html, txt]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
200       34l       71w      832c http://cybercrafted.thm/index.html
301        9l       28w      321c http://cybercrafted.thm/assets
301        9l       28w      321c http://cybercrafted.thm/secret
🚨 Caught ctrl+c 🚨 saving scan state to ferox-http_cybercrafted_thm_-1637448210.state ...
[###>----------------] - 3m    579903/3737304 18m     found:3       errors:730    
[###>----------------] - 3m    203538/1245768 987/s   http://cybercrafted.thm/
[###>----------------] - 3m    201906/1245768 999/s   http://cybercrafted.thm/assets
[##>-----------------] - 3m    177012/1245768 952/s   http://cybercrafted.thm/secret

Subdomain enumeration

┌──(n㉿kali)-[~/Documents/TryHackMe/CyberCrafted]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u http://cybercrafted.thm/ -H "Host: FUZZ.cybercrafted.thm"  -fw 1

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://cybercrafted.thm/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt
 :: Header           : Host: FUZZ.cybercrafted.thm
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response words: 1
________________________________________________

www                     [Status: 200, Size: 832, Words: 236, Lines: 35]
store                   [Status: 403, Size: 287, Words: 20, Lines: 10]
www.admin               [Status: 200, Size: 937, Words: 218, Lines: 31]
www.store               [Status: 403, Size: 291, Words: 20, Lines: 10]
admin                   [Status: 200, Size: 937, Words: 218, Lines: 31]
:: Progress: [19966/19966] :: Job [1/1] :: 717 req/sec :: Duration: [0:01:21] :: Errors: 4 ::

Add to /etc/hosts file

Directory enumeration - http://store.cybercrafted.thm/

Directory enumeration - http://admin.cybercrafted.thm/

SQL injection

SELECT item, amount, cost, UNKNOWN FROM store WHERE item LIKE '%Bow%'
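
The guessed query above is the shape a search box produces when the search term is pasted into the SQL text. As an added example (not from the original write-up or the target application), the same LIKE search is shown concatenated and then with a bound parameter and escaped wildcards. The sqlite3 backend, the sample rows and the `extra` column standing in for the UNKNOWN column are assumptions.

```python
import sqlite3

def make_db():
    # Constructed sample data; the real table contents are not on the page.
    # "extra" is a hypothetical stand-in for the UNKNOWN fourth column.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE store (item TEXT, amount INTEGER, cost TEXT, extra TEXT)")
    db.executemany("INSERT INTO store VALUES (?, ?, ?, ?)", [
        ("Bow", 64, "2$", ""),
        ("Crossbow", 16, "5$", ""),
        ("100% Wool", 32, "1$", ""),
        ("Smith's Hammer", 1, "9$", ""),
    ])
    return db

def search_concat(db, term):
    # Unsafe shape: the term becomes part of the SQL text itself, so a quote
    # in the term changes the statement instead of being searched for.
    sql = ("SELECT item, amount, cost, extra FROM store "
           "WHERE item LIKE '%" + term + "%' ORDER BY rowid")
    return [row[0] for row in db.execute(sql)]

def escape_like(term, esc="\\"):
    # Make LIKE metacharacters literal; the escape character goes first so
    # the backslashes added for % and _ are not doubled again.
    for ch in (esc, "%", "_"):
        term = term.replace(ch, esc + ch)
    return term

def search_bound(db, term):
    # Safe shape: the SQL text is constant and the pattern is a bound value.
    sql = ("SELECT item, amount, cost, extra FROM store "
           "WHERE item LIKE ? ESCAPE '\\' ORDER BY rowid")
    return [row[0] for row in db.execute(sql, ("%" + escape_like(term) + "%",))]

if __name__ == "__main__":
    db = make_db()
    for term in ("Bow", "Smith's", "%"):
        print(repr(term), "bound ->", search_bound(db, term))
        try:
            print(repr(term), "concat ->", search_concat(db, term))
        except sqlite3.OperationalError as exc:
            print(repr(term), "concat -> statement broken:", exc)
```

A search term containing an apostrophe is a quick check for this flaw: the bound version returns the matching row, while the concatenated version fails with a syntax error.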

Cracking SHA-1 hash

┌──(n@sa)-[~/Downloads/THM]
└─$ hashcat -a0 -m100 hash.hash /usr/share/wordlists/rockyou.txt

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

88b949dd5cdfbecb9f2ecbbfa24e5974234e7c01:[REDACTED#1]
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Type........: SHA1
Hash.Target......: 88b949dd5cdfbecb9f2ecbbfa24e5974234e7c01
Time.Started.....: Sun Nov 21 17:19:23 2021 (0 secs)
Time.Estimated...: Sun Nov 21 17:19:23 2021 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 24428.5 kH/s (4.54ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 9830400/14344384 (68.53%)
Rejected.........: 0/9830400 (0.00%)
Restore.Point....: 7864320/14344384 (54.83%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: giuli88 -> babypolk07
Hardware.Mon.#1..: Temp: 48c Util:  1% Core:1980MHz Mem:5000MHz Bus:8

Enumeration - www-data

Cracking SSH key

SSH login

Minecraft flag

Enumeration - xxultimatecreeperxx

Privilege escalation

Obtaining the user flag

Obtaining the root flag
