Man, I got stuck when trying to achieve initial access. Some of my thoughts were:

Directories found & tree:
/app
/castle
/application
/files
/cache (...)
/concrete # directory indexing
/images
/bin/concrete5 <--- bash file
/config/openapi.json <--- OpenAPI file specifying routes
/index.php
/contact
/blog
/login
/authenticate
/concrete
/forgot_password
/updates
/packages

Services:
concrete5 - 8.5.2
PHP 5.5.9
Apache 2.4.7

Features:
Search over the blog's content
Login into the website
Request for password reset
Send message
File upload (accepting only a few extensions)

Possible found credentials:
admin toad

More details:
It's possible to see directories and files by accessing the /app/castle/concrete path. But a lot of files and directories (in php) return "access denied" or an internal error.

Thoughts:
I think that /app/castle/concrete is a rabbit hole. I tried to find some exposed credential, or available endpoints for requesting system information or file download. But I couldn't find anything yet. Maybe the file upload is what I need to exploit? But I couldn't figure out how yet. I tried a lot of possible extension bypasses, but nothing seems to work. Maybe a bruteforce on the login panel? Well, I hope I do not get banned. Let's try it then, one of the last of my resources. Well, the last one is to run nikto, wpscan or even trying to find a public exploit for the found services.

Initial Access Gain:
- Command Injection (until now I wasn't able to find some place for it.)
- Server-Side Template Injection (same as above)
- File Upload (could not bypass the extension)
- Sensitive Credentials retrieved by exposure (could not find anything)
- Broken authentication in some API (couldn't even find the API! Apparently disabled when doing path traversal in index.php like /app/castle/index.php/%2e%2e)
- Vulnerable services and software (my last resource?)

But everything I needed to try was trying some username/password combination...
I guess I'm very far from being a beginner in CTF. Also, awesome video, thanks so much.
No problem 🙂. Can I know which part you didn't understand? Although it's just practice and a bit of understanding how things work; it was more of a CTF-y than a real-life based challenge.
@hoodietramp thanks man, I think that will help me a lot. But can I request something of you? I need someone who will teach me all of this from scratch. Can you suggest to me what I should do?
@be6t942 there are a lot of Discord communities out there where you can find and connect with people that will help you in the journey. Join TryHackMe's Discord and just keep going bro, hope you the best 🚀
I got the FTP flag just from issuing `ftp user@cctv.thm`. Though there is no FTP running, I figured they had something watching for an FTP connection. This box seemed painful due to SSL issues I was having. I had originally written a Python script to just get all the flags but wasted so much time haha. I wanted to see how others challenged this box. Nice job! Cheers.
Can you tell me why we have to add cctv.thm and the IP into the file /etc/hosts? I don't know why I can't access cctv.thm directly. Please help me understand. 😞😞😘😘
Because the box has configured DNS resolution; to be able to access the site you need to add it to the /etc/hosts file. As the box doesn't have a DNS record set up somewhere globally, it'll look it up in the /etc/hosts file.
Search for "Privilege Escalation with 2 shells and host mount" in this article; you can find the way I got privesc on this box: book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation