My hackthebox.eu rank is falling like a rock because I don’t have much time to spend. To remember better days I post my former rank banner which I saved before probably knowing what happens later on 😉
I was in the top 200! If you don’t know hackthebox head over to their website and enjoy hacking server and solving challenges like stego, reversing, forensic and others: https://www.hackthebox.eu/
When doing hackthebox stuff I often use the SimpleHTTPServer module of python to download scripts and tools from my host system to the client.
Recently I needed an IPv6 http server because IPv4 was blocked. Since I didn’t find a simple way to host files via IPv6 I extent the SimpleHTTPServer module with IPv6 support. While I was at it I also implemented file upload via post.
The latest version can be found on my GitHub page https://github.com/wsoltys/tools
The current version as of this writing is listed below:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 |
#!/usr/bin/python import sys import socket from BaseHTTPServer import HTTPServer from SimpleHTTPServer import SimpleHTTPRequestHandler class MyHandler(SimpleHTTPRequestHandler): def do_GET(self): if self.path == '/ip': self.send_response(200) self.send_header('Content-type', 'text/html') self.end_headers() self.wfile.write('Your IP address is %s' % self.client_address[0]) return else: return SimpleHTTPRequestHandler.do_GET(self) def do_POST(self): content_length = int(self.headers['Content-Length']) body = self.rfile.read(content_length) self.send_response(200) self.end_headers() self.wfile.write('ok') filename = self.path[1:] with open(filename, 'w') as f: f.write(body) return def do_PUT(self): MyHandler.do_POST(self) return class HTTPServerV6(HTTPServer): address_family = socket.AF_INET6 def main(): if len(sys.argv) > 1: port = int(sys.argv[1]) else: port = 80 server = HTTPServerV6(('::', port), MyHandler) print('Serving http on '+server.server_name+' port '+str(server.server_port)) print('Upload files with: curl -T <file> <server ip>') server.serve_forever() if __name__ == '__main__': main() |
My first boot2root beginners challenge taken from here: JIS-CTF: VulnUpload from vulnhub.com.
First we start with a nmap scan:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
# Nmap 7.60 scan initiated Sat Mar 10 13:13:04 2018 as: nmap -sV -sC -oN jordan.txt 192.X.X.X Nmap scan report for Jordaninfosec-CTF01.fritz.box (192.X.X.X) Host is up (0.00015s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 af:b9:68:38:77:7c:40:f6:bf:98:09:ff:d9:5f:73:ec (RSA) | 256 b9:df:60:1e:6d:6f:d7:f6:24:fd:ae:f8:e3:cf:16:ac (ECDSA) |_ 256 78:5a:95:bb:d5:bf:ad:cf:b2:f5:0f:c0:0c:af:f7:76 (EdDSA) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) | http-robots.txt: 8 disallowed entries | / /backup /admin /admin_area /r00t /uploads |_/uploaded_files /flag |_http-server-header: Apache/2.4.18 (Ubuntu) | http-title: Sign-Up/Login Form |_Requested resource was login.php MAC Address: 08:00:27:68:18:58 (Oracle VirtualBox virtual NIC) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sat Mar 10 13:13:11 2018 -- 1 IP address (1 host up) scanned in 7.18 seconds |
The nmap scan already reveals a lot of information. The first flag can be found under the url http://[jordan vm]/flag:
The 1st flag is : {8734509128730458630012095}