Try Hackme Advent of Cyber Day19 to Day24 Walkthrough

So this is last part of the writup of the 25-day series Hope you learnt something till now!!!

Day19(Task 24)

this is a LFI task just like we have done in previous task so I ran the whoami command and got the response shown below

So we are root so lets find where the user.txt file is located note that we have to url encode the command we are going to execute so I used the find command to find the location

now just simply reading out the user.txt file I know that the task was to spawn a revershell using the lfi but I was lazy enough to not do that and find the other way

Day20(Task 25)

We are given with an IP let’s start with the basic nmap scan

we got the answer to the first question now lets use hydra to bruteforce the user sam password

found the password now logging into the machine using ssh and reading the first flag

the second part was a cronjob escalation which is kind of easy if you understood the previous challenges carefully

so I am not solving the last part

Day21(Task 26)

This is a reversing engineering task I am complete noob in this fields so I read about tons of blogs to get started on this lets begin with analysing the binary with r2 using following command

r2 -d <file-name>

now we start auto-analysing the binary with the command aaaa

Now search for the main function as referred in the helping material using

afl |grep "main"

now to view the disassembled assembly code for main function we use pdf @main

here we can see the disassembled code and I don’t need to explain you in detail all of the things are given in helping material

now lets add breakpoints by using following commands

db <address>

to add a breakpoint

then we use the commands to control the execution flow dc- continue exection ds- go one step ahead into the program flow

you can see the breakpoints i added

now checking the value of var_ch at intialization we see that the value of var_ch is still not initialised so we step one instruction further and view its value by using px @<location>

We got the answer to first question now continuing now we have to check the values of the register so we use dr command

We got the answer to the second question as well so lets continue now we to check the value of var_4h before the eax register has 0 assigned to it

we get the answer to the third question as well That’s all for this task

Day22(Task 27)

This is also a reversing task but this is used to explain the implementation of the conditional statements in the assembly code

lets view the decompiled code of the main function

the C language equivalent code would be something like this

a=8
b=2
if(a<b){
	b+=7
}
else{
	a+=1
}

from the above code we can easily answer the questions asked in the task

Day23(Task 28)

So this a SQL-injection task And I have previously used the sqlmap tool in previous task so I dont need to explain it again

lets take al look at the website,just a basic login form

lets start up burp and capture the request to be supplied to splmap and check for the databases present with sqlmap

so the database name is social and lets check for tables

so looks like the table is users so lets dump the data present in the table

so we got the email for santa claus ie bigman@shefesh.comand the password as md5 hash so lets crack it online

lets login into the website we can easily view the conversation between santa and Mommy Mistletoe

to get a shell we have to upload php revshell to the site so we can post the php file to website but we cant upload it directly as it restricts it so we rename the file as .phtml and it lets us upload it and simultaneously start a listner at the port specified in the file

so we get a shell and access the flag