| 1 | +--- |
| 2 | +title: 'Include(CTF) - TryHackMe Writeup' |
| 3 | +description: 'This is a writeup about my experience |
| 4 | +for the Include CTF on TryHackMe platform' |
| 5 | +pubDate: 'Oct 27 2024' |
| 6 | +heroImage: '../../assets/TryHackMe.jpg' |
| 7 | +--- |
| 8 | + |
| 9 | +## Include(CTF) - TryHackMe Writeup |
| 10 | +Room Link: https://tryhackme.com/room/include |
| 11 | + |
| 12 | +# Reconnaissance |
| 13 | +No doubt we always start with Reconnaissance. Let'start with |
| 14 | +Port Scanning and see what's the open port on this target host. |
| 15 | + |
| 16 | +Nmaps gives the following results with a quick scan. |
| 17 | +```shell |
| 18 | +Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-19 15:04 CST |
| 19 | +Nmap scan report for 10.201.13.4 |
| 20 | +Host is up (0.29s latency). |
| 21 | +Not shown: 992 closed tcp ports (reset) |
| 22 | +PORT STATE SERVICE |
| 23 | +22/tcp open ssh |
| 24 | +25/tcp open smtp |
| 25 | +110/tcp open pop3 |
| 26 | +143/tcp open imap |
| 27 | +993/tcp open imaps |
| 28 | +995/tcp open pop3s |
| 29 | +4000/tcp open remoteanything |
| 30 | +50000/tcp open ibm-db2 |
| 31 | + |
| 32 | +Nmap done: 1 IP address (1 host up) scanned in 1.87 seconds |
| 33 | +``` |
| 34 | + |
| 35 | +Things worth noting |
| 36 | +1. They have Port 22 open, this may be a chance for brute force |
| 37 | +on weak passwords. |
| 38 | +2. They have the whole smtp, pop3, imap service. That means the |
| 39 | +website supports mail service. |
| 40 | +3. Remonteanything is a service for remote desktop. There are |
| 41 | +some interesting CVEs about it. |
| 42 | +4. ibm-db2 is a database service from IBM. Why is there a database |
| 43 | +service directly open to port scanning? It may be supporting some |
| 44 | +web service. |
| 45 | + |
| 46 | + |
| 47 | +Next thing, let's send a simple get request to all this ports and |
| 48 | +see if anyone of them providing a website UI. |
| 49 | +You will soon find that Port 4000 and Port 50000, each of them has |
| 50 | +a website UI. But I didn't go thru all of them at first. After I found |
| 51 | +out Port 4000 has a frontend interface, I jumped right into that |
| 52 | +rabbithole and completely forgot Port 50000. |
| 53 | + |
| 54 | + |
| 55 | + |
| 56 | +Next step we go to do a little subdomain exploratory. I used |
| 57 | +a very long subdomain list ![here]() along with a self write single |
| 58 | +thread script. The enumerating didn't finish before the machine auto |
| 59 | +shut down after 2 hours. I should have used a shorter payload list with |
| 60 | +more frequently used subdomain as first recon tool. Also, I could have |
| 61 | +used some existing tools with multi-thread - or develolp my own multi-thread |
| 62 | +script. |
| 63 | + |
| 64 | +The subdomain enumeratation with about 1/3 of the whole list gave me the |
| 65 | +following avaialbe subdomains. |
| 66 | +```shell |
| 67 | +/images (Status: 301) [Size: 179] [--> /images/] |
| 68 | +/signup (Status: 500) [Size: 1246] |
| 69 | +/fonts (Status: 301) [Size: 177] [--> /fonts/] |
| 70 | +/signin (Status: 200) [Size: 1295] |
| 71 | +/index (Status: 302) [Size: 29] [--> /signin] |
| 72 | +``` |
| 73 | + |
| 74 | +Seems like nothing out of ordinary, hence I just started looking at the |
| 75 | +actual web pages and their source codes. |
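Review bot: the paragraph starting "Next step we go to do a little subdomain exploratory" (new-file lines 56-65) calls this step subdomain enumeration, but the results block that follows (`/images (Status: 301) [Size: 179] [--> /images/]`, `/signup (Status: 500) [Size: 1246]`, `/signin (Status: 200) [Size: 1295]`) lists URL paths with HTTP status codes and redirects on the port 4000 site, which is directory/file enumeration, not subdomain discovery; "subdomain" should read "directory" (or "path") in that paragraph, in "subdomain list", and in "available subdomains". In the same paragraph the wordlist reference `![here]()` has an empty target and uses image syntax, so it renders as a broken image; make it a plain `[here](URL)` link or drop it. In the "Things worth noting" list, points 3 and 4 treat `remoteanything` and `ibm-db2` as identified services, but with the scan as shown those are only nmap's default names for ports 4000 and 50000 from its services table, not a confirmed identification (the post itself later finds both ports serve a web UI), so the remote-desktop/CVE inference should be qualified as a guess until the service is probed. The scan header `2025-10-19` is also inconsistent with `pubDate: 'Oct 27 2024'` in the front matter. Minor typos to fix before merge: "Let'start", "Nmaps", "Remonteanything", "develolp", "enumeratation", "avaialbe", "thru".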