OFFSEC

https://tryhackme.com/room/introtooffensivesecurity


Last updated 1 year ago

Walkthrough for "Intro to Offensive Security"

Operating System: Linux

Recon

nmap-auto $TARGET all

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-title: FakeBank | Account
|_http-server-header: nginx/1.18.0 (Ubuntu)
3000/tcp open  http    Node.js (Express middleware)
|_http-title: FakeBank | Account
7777/tcp open  cbt?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Enumeration

Enumerating the given IP shows that there is a web page called "Fake Bank". The site is hosted on both port 80 and port 3000, i.e. http://10.10.25.12/ (the same application is served on 3000 by the Node.js/Express instance seen in the scan). The only valuable information so far is the name "Mrs G. Benjamin" and the bank account number 8881. The page doesn't have much else, so it's time to enumerate the directories:

python3 dirsearch.py -e txt,html,php,sh -w /home/z3r0/Resources/wordlists/dir-list.txt -t 10 -u http://10.10.25.12/

The only result is /bank-transfer (http://10.10.142.104/bank-transfer). Navigating to this page shows the bank transfer form used in the next step.

Exploitation

Trying out numbers mostly gave a failure code. Something weird was happening, so I decided to inspect the JavaScript that was running behind the scenes with Ctrl-I. Following the function pay() attached to the submit button, I was led to the script.js file, which showed me the next clue:

The function only executes when the from value is 2276 and the to value is 8881. Entering exactly that pair allows the transfer to go through, and the dashboard, which previously showed a negative balance, now displays a congratulations note and a positive balance.
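As an added example (not code from the room or from this walkthrough), the Node.js script below models the client-side gate in pay() described in the Exploitation section: it pulls the hard-coded account pair out of a script body the way the reader did by hand in the Inspector, reproduces the gate as a function, and contrasts it with a server-side check. SCRIPT_JS is a constructed stand-in for the room's script.js written from the walkthrough's description; the real file is not reproduced on this page. serverTransfer is an assumed hardened design, not the room's backend, and it treats 8881 as the logged-in user's account, following the dashboard balance shown for Mrs G. Benjamin.

```javascript
// Added example for this walkthrough, not the room's real script.js.
// SCRIPT_JS is a CONSTRUCTED stand-in modelled on the walkthrough's
// description: the transfer only proceeds when from == 2276 and to == 8881.
const SCRIPT_JS = `
function pay() {
  var from = document.getElementById("from").value;
  var to = document.getElementById("to").value;
  var amount = document.getElementById("amount").value;
  if (from == 2276 && to == 8881) {
    fetch("/bank-transfer", { method: "POST", body: JSON.stringify({ from, to, amount }) });
  } else {
    alert("failure");
  }
}
`;

// Pull the hard-coded account pair out of a script body. Anything shipped to
// the browser is readable, so a gate like this is a clue, not a control.
function extractAccountGate(src) {
  const m = /from\s*={2,3}\s*["']?(\d+)["']?\s*&&\s*to\s*={2,3}\s*["']?(\d+)["']?/.exec(src);
  if (!m) return null;
  return { from: Number(m[1]), to: Number(m[2]) };
}

// The same gate as a function: this is all the "protection" the client has.
function clientPay(from, to) {
  return Number(from) === 2276 && Number(to) === 8881 ? "success" : "failure";
}

// What the server should do instead (assumed design, not the room's backend):
// authorise against the logged-in user's own accounts and balance, never
// against numbers the browser chose to send.
function serverTransfer(session, ledger, from, to, amount) {
  if (!session.accounts.includes(from)) return { ok: false, reason: "not your account" };
  if (!(amount > 0)) return { ok: false, reason: "bad amount" };
  if (!(to in ledger)) return { ok: false, reason: "unknown destination" };
  if (ledger[from] < amount) return { ok: false, reason: "insufficient funds" };
  ledger[from] -= amount;
  ledger[to] += amount;
  return { ok: true };
}

// Usage: walk the room's sequence with the constructed script.
const gate = extractAccountGate(SCRIPT_JS);
console.log(gate);                           // { from: 2276, to: 8881 }
console.log(clientPay(1234, 8881));          // failure
console.log(clientPay(gate.from, gate.to));  // success
// A session that only owns 8881 is refused when it tries to pull from 2276.
console.log(serverTransfer({ accounts: [8881] }, { 2276: 5000, 8881: -500 }, 2276, 8881, 2000));
```

The regex step is the automated form of reading script.js in the browser: because the check runs client-side, its accepted values are part of the page source and can be satisfied or bypassed at will. The server-side version refuses the same request because the session does not own the source account, which is the check the FakeBank application is missing.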