CyberCrafted [THM] (UNFINISHED)

TryHackMe - Cybercrafted - Write-Up

Port scan

Let's start off by performing a port scan against the target system.

# Nmap 7.92 scan initiated Sat Nov 20 23:37:17 2021 as: nmap -A -T4 -p- -vvv -oA initial/nmap_tcp cybercrafted.thm
Nmap scan report for cybercrafted.thm (10.10.236.237)
Host is up, received reset ttl 63 (0.034s latency).
Scanned at 2021-11-20 23:37:17 CET for 39s
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE   REASON         VERSION
22/tcp    open  ssh       syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 37:36:ce:b9:ac:72:8a:d7:a6:b7:8e:45:d0:ce:3c:00 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDk3jETo4Cogly65TvK7OYID0jjr/NbNWJd1TvT3mpDonj9KkxJ1oZ5xSBy+3hOHwDcS0FG7ZpFe8BNwe/ASjD91/TL/a1gH6OPjkZblyc8FM5pROz0Mn1JzzB/oI+rHIaltq8JwTxJMjTt1qjfjf3yqHcEA5zLLrUr+a47vkvhYzbDnrWEMPXJ5w9V2EUxY9LUu0N8eZqjnzr1ppdm3wmC4li/hkKuzkqEsdE4ENGKz322l2xyPNEoaHhEDmC94LTp1FcR4ceeGQ56WzmZe6CxkKA3iPz55xSd5Zk0XTZLTarYTMqxxe+2cRAgqnCtE1QsE7cX4NA/E90EcmBnJh5T
|   256 e9:e7:33:8a:77:28:2c:d4:8c:6d:8a:2c:e7:88:95:30 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLntlbdcO4xygQVgz6dRRx15qwlCojOYACYTiwta7NFXs9M2d2bURHdM1dZJBPh5pS0V69u0snOij/nApGU5AZo=
|   256 76:a2:b1:cf:1b:3d:ce:6c:60:f5:63:24:3e:ef:70:d8 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDbLLQOGt+qbIb4myX/Z/sYQ7cj20+ssISzpZCaMD4/u
80/tcp    open  http      syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Cybercrafted
| http-methods: 
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-favicon: Unknown favicon MD5: 4E1E2DCB46BCB45E53566634707765D9
|_http-server-header: Apache/2.4.29 (Ubuntu)
25565/tcp open  minecraft syn-ack ttl 63 Minecraft 1.7.2 (Protocol: 127, Message: ck00r lcCyberCraftedr ck00rrck00r e-TryHackMe-r  ck00r, Users: 0/1)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=11/20%OT=22%CT=1%CU=30083%PV=Y%DS=2%DC=T%G=Y%TM=619978
OS:C4%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=108%TI=Z%CI=Z%II=I%TS=A)OP
OS:S(O1=M506ST11NW7%O2=M506ST11NW7%O3=M506NNT11NW7%O4=M506ST11NW7%O5=M506ST
OS:11NW7%O6=M506ST11)WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)EC
OS:N(R=Y%DF=Y%T=40%W=F507%O=M506NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N
OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%C
OS:D=S)

Uptime guess: 45.802 days (since Wed Oct  6 05:23:22 2021)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 5900/tcp)
HOP RTT      ADDRESS
1   38.72 ms 10.9.0.1
2   32.71 ms cybercrafted.thm (10.10.236.237)

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Nov 20 23:37:56 2021 -- 1 IP address (1 host up) scanned in 39.73 seconds

Web enumeration

Directory enumeration - http://cybercrafted.thm/

┌──(n㉿kali)-[~/Documents/TryHackMe/CyberCrafted]
└─$ feroxbuster -u http://cybercrafted.thm/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -t 80 -x cgi js zip html txt

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.4.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://cybercrafted.thm/
 🚀  Threads               │ 80
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
 👌  Status Codes          │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.4.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 💲  Extensions            │ [cgi, js, zip, html, txt]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
200       34l       71w      832c http://cybercrafted.thm/index.html
301        9l       28w      321c http://cybercrafted.thm/assets
301        9l       28w      321c http://cybercrafted.thm/secret
🚨 Caught ctrl+c 🚨 saving scan state to ferox-http_cybercrafted_thm_-1637448210.state ...
[###>----------------] - 3m    579903/3737304 18m     found:3       errors:730    
[###>----------------] - 3m    203538/1245768 987/s   http://cybercrafted.thm/
[###>----------------] - 3m    201906/1245768 999/s   http://cybercrafted.thm/assets
[##>-----------------] - 3m    177012/1245768 952/s   http://cybercrafted.thm/secret

Subdomain enumeration

┌──(n㉿kali)-[~/Documents/TryHackMe/CyberCrafted]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u http://cybercrafted.thm/ -H "Host: FUZZ.cybercrafted.thm"  -fw 1

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://cybercrafted.thm/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt
 :: Header           : Host: FUZZ.cybercrafted.thm
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response words: 1
________________________________________________

www                     [Status: 200, Size: 832, Words: 236, Lines: 35]
store                   [Status: 403, Size: 287, Words: 20, Lines: 10]
www.admin               [Status: 200, Size: 937, Words: 218, Lines: 31]
www.store               [Status: 403, Size: 291, Words: 20, Lines: 10]
admin                   [Status: 200, Size: 937, Words: 218, Lines: 31]
:: Progress: [19966/19966] :: Job [1/1] :: 717 req/sec :: Duration: [0:01:21] :: Errors: 4 ::

Add to /etc/hosts file

Directory enumeration - http://store.cybercrafted.thm/

Directory enumeration - http://admin.cybercrafted.thm/

SQL injection

SELECT item, amount, cost, UNKNOWN FROM store WHERE item LIKE '%Bow%'

Cracking SHA-1 hash

┌──(n@sa)-[~/Downloads/THM]
└─$ hashcat -a0 -m100 hash.hash /usr/share/wordlists/rockyou.txt

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

88b949dd5cdfbecb9f2ecbbfa24e5974234e7c01:[REDACTED#1]
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Type........: SHA1
Hash.Target......: 88b949dd5cdfbecb9f2ecbbfa24e5974234e7c01
Time.Started.....: Sun Nov 21 17:19:23 2021 (0 secs)
Time.Estimated...: Sun Nov 21 17:19:23 2021 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 24428.5 kH/s (4.54ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 9830400/14344384 (68.53%)
Rejected.........: 0/9830400 (0.00%)
Restore.Point....: 7864320/14344384 (54.83%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: giuli88 -> babypolk07
Hardware.Mon.#1..: Temp: 48c Util:  1% Core:1980MHz Mem:5000MHz Bus:8

Enumeration - www-data

Cracking SSH key

SSH login

Minecraft flag

Enumeration - xxultimatecreeperxx

Privilege escalation

Obtaining the user flag

Obtaining the root flag