~$ Advent of Cyber 2022 - Day 9

Posted on Dec. 9th, 2022. | Est. reading time: 2 minutes

Author:
Unknown
Category:
Red Team: Pivoting
Link:

Question 1

Deploy the attached VM, and wait a few minutes. What ports are open?

Run nmap -sV -sS $IP

Screenshot of an 'nmap' output, showing only the port 80 open. Well... that's not a lot to work with...

Answer: 80

Question 2

What framework is the web application developed with?

Browse to the page.

Screenshot of the web page. Thankfully the version info is right *there*

Answer: Laravel

Question 3

What CVE is the application vulnerable to?

We search for laravel and use the info term to get the details of the CVE.

Screenshot of exploit-db results for laravel. Damn, exploitDB is convenient.

Answer: CVE-2021-3129

Question 4

What command can be used to upgrade the last opened session to a Meterpreter session?

From the explanation we find:

Screenshot of meterpreter output.

Answer: sessions -u -1

Question 5

What file indicates a session has been opened within a Docker container?

From the internet: /.dockerenv

Answer: /.dockerenv

Question 6

What file often contains useful credentials for web applications?

See (Question 4)

Answer: .env

Question 7

What database table contains useful credentials?

We find the table schema dump, there is a table called users:

Screenshot of the metasploit output of a postgresql connection. Santa is certainly not the only exec who's security officer cries themselves to sleep at night.

Answer: users

Question 8

What is Santa’s password?

Answer: p4$$w0rd

Question 9

What ports are open on the host machine?

We run proxychains -q nmap -n -sT -Pn -p 22,80,443,5432 172.17.0.1:

Screenshot of a command being chained to the host. Ooops.

Answer: 22,80

Question 10

What is the root flag?

We login with the credentials and get the root flag:

Screenshot of an SSH session. We got 'em.

Answer: THM{47C61A0FA8738BA77308A8A600F88E4B}