Lian_Yu — TryHackMe Walkthrough

Javiki
Aug 23, 2020


This room is a weekly challenge vulnerable VM from TryHackMe, created by Deamon. This post walks through solving it.

Let’s start with an nmap scan looking for open ports on the target machine.

-T4 => faster timing template | -p- => all ports, 1 to 65535 | -A => aggressive scan: OS detection, version detection, default NSE scripts and traceroute

Nmap scan report for 10.10.113.202
Host is up (0.087s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
| ssh-hostkey:
| 1024 56:50:bd:11:ef:d4:ac:56:32:c3:ee:73:3e:de:87:f4 (DSA)
| 2048 39:6f:3a:9c:b6:2d:ad:0c:d8:6d:be:77:13:07:25:d6 (RSA)
| 256 a6:69:96:d7:6d:61:27:96:7e:bb:9f:83:60:1b:52:12 (ECDSA)
|_ 256 3f:43:76:75:a8:5a:a6:cd:33:b0:66:42:04:91:fe:a0 (ED25519)
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Purgatory
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 38046/udp6 status
| 100024 1 44174/tcp status
| 100024 1 49265/udp status
|_ 100024 1 53586/tcp6 status
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10-3.13 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Sony Android TV (Android 5.0) (92%), Android 5.0-6.0.1 (Linux 3.4) (92%), Android 5.1 (92%), Android 7.1.1-7.1.2 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 111.16 ms 10.8.0.1
2 112.30 ms 10.10.113.202

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.20 seconds

Port 80 is open, so there is a web server running. FTP (21) and SSH (22) are open too, so the plan is to look for credentials on the website and then try them against FTP or SSH.

At first sight the page itself doesn’t show anything useful, so let’s brute-force directories on the web server. I like to use gobuster with the Kali default wordlists:

gobuster dir -u http://10.10.113.202/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

Let’s take a look and see what we have found.

The code word is written in white text on a white background, so it is invisible in the browser. They are so clever.

You can also right-click on the page and view the page source if you didn’t spot the word.

This is a big finding!! We will need this word later, so keep it. The word is also a directory name, so let’s run gobuster again against that path to see if we can find more directories.

gobuster dir -u http://10.10.27.202/TheNewDirectory -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

The scan returns a new directory under this path.

The video itself doesn’t give us anything useful but, as always, view the page source.

Here we have a hint: it seems there is a file with a certain extension in this directory. We can brute-force the filename with gobuster by passing that extension with the -x option.

This is what the file contained.

We’ve got it!!! It looks like a password that has been base58 encoded (no 0, O, I or l characters and no = padding, which distinguishes it from base64). CyberChef is a very handy tool for decoding it.
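Decoding base58 by hand is also a good way to understand why CyberChef can recognise it. The script below is an added example and not part of the original post: it implements the Bitcoin base58 alphabet (the one CyberChef uses by default), a decoder that rejects characters outside the alphabet, and a quick triage check that separates base58 from base64. The real password from the room is not reproduced; SAMPLE_SECRET is a constructed placeholder.

```python
"""Base58 encoder/decoder (Bitcoin alphabet) plus a base58-vs-base64 triage check.
Added example; SAMPLE_SECRET is a constructed placeholder, not the room's password."""

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_INDEX = {ch: i for i, ch in enumerate(ALPHABET)}


def b58encode(data: bytes) -> str:
    """Encode bytes as base58. Each leading 0x00 byte becomes a leading '1'."""
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    n = int.from_bytes(data, "big")
    digits = []
    while n:
        n, rem = divmod(n, 58)
        digits.append(ALPHABET[rem])
    return "1" * leading_zeros + "".join(reversed(digits))


def b58decode(text: str) -> bytes:
    """Decode a base58 string; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in text:
        if ch not in _INDEX:
            raise ValueError(f"invalid base58 character: {ch!r}")
        n = n * 58 + _INDEX[ch]
    leading_ones = len(text) - len(text.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * leading_ones + body


def looks_like_base58(text: str) -> bool:
    """Quick triage: True when every character is in the base58 alphabet.
    Base64 output normally contains '0', 'O', 'I', 'l', '+', '/' or '=',
    all of which base58 excludes, so this separates the two cheaply."""
    return bool(text) and all(ch in _INDEX for ch in text)


# Constructed placeholder, not the room's real password.
SAMPLE_SECRET = b"Not-the-real-password"
SAMPLE_ENCODED = b58encode(SAMPLE_SECRET)

if __name__ == "__main__":
    print("encoded  :", SAMPLE_ENCODED)
    print("is base58:", looks_like_base58(SAMPLE_ENCODED))
    print("decoded  :", b58decode(SAMPLE_ENCODED).decode())
```

The encoder treats the whole input as one big-endian integer and repeatedly divides by 58, which is why leading zero bytes have to be counted separately (they would otherwise vanish). The known vectors "a" -> "2g" and "bbb" -> "a3gV" are handy to confirm the alphabet is right.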

Now it’s time to use these credentials (the code word as the username and the decoded string as the password). Let’s try to log in to the FTP service.

Yeah! We were able to log in. There are some files, so let’s download them and see if there is anything useful inside. You can type “mget *” to download all of them (turn off per-file confirmation with “prompt” first).

We have three images: two PNGs and one JPG. Trying to open Leave_me_alone.jpg fails as if the file were corrupted, and running the file command on it reports plain “data” rather than an image type, which means its header doesn’t match any known format.

This is the magic number (the first bytes) of Leave_me_alone.jpg.

I found out that the magic number of this file doesn’t match the magic number of a normal PNG file, which looks like this.

Google is our best friend.

I use hexeditor, which is a Kali default tool, to edit the hex values and restore the PNG signature.

Now we can open the image.
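The same check and repair can be done programmatically, which is useful when there are many files to triage. The script below is an added example and not code from the original post: it compares a file’s first bytes with a few well-known signatures, returns None where the file command would print “data”, and rewrites the eight-byte PNG signature when the IHDR chunk that follows shows the body is really a PNG. The sample image is constructed inside the script; it is not the room’s file.

```python
"""File-signature (magic number) check and PNG signature repair.
Added example; the sample PNG is constructed here, not taken from the room."""

import struct
import zlib

# Signatures a practitioner meets most often. The PNG one is the eight bytes
# that a damaged file like the one in the room lacks.
SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "zip": b"PK\x03\x04",
}


def identify(data: bytes):
    """Return the format whose signature matches the start of data, else None
    (roughly what `file` reports as 'data' when nothing matches)."""
    for name, sig in SIGNATURES.items():
        if data.startswith(sig):
            return name
    return None


def repair_png_signature(data: bytes) -> bytes:
    """Overwrite the first 8 bytes with the PNG signature, but only if the
    chunk right after the signature is IHDR, i.e. the rest really is a PNG."""
    if data[12:16] != b"IHDR":
        raise ValueError("no IHDR chunk at offset 12; not a PNG with a damaged signature")
    return SIGNATURES["png"] + data[8:]


def png_dimensions(data: bytes):
    """Width and height from IHDR, a cheap sanity check after the repair."""
    return struct.unpack(">II", data[16:24])


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png(width: int = 1, height: int = 1) -> bytes:
    """Constructed minimal 8-bit grayscale PNG (signature + IHDR + IDAT + IEND)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = (b"\x00" + b"\x00" * width) * height  # filter byte 0, then one byte per pixel
    return (SIGNATURES["png"] + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def corrupt_signature(data: bytes) -> bytes:
    """Simulate the damaged header: zero out the first 8 bytes."""
    return b"\x00" * 8 + data[8:]


if __name__ == "__main__":
    good = build_sample_png()
    broken = corrupt_signature(good)
    print("good  :", identify(good))      # png
    print("broken:", identify(broken))    # None, what `file` calls "data"
    fixed = repair_png_signature(broken)
    print("fixed :", identify(fixed), png_dimensions(fixed))
```

The IHDR check matters: blindly stamping a PNG signature onto a file that is really a JPEG or a ZIP would just produce a different kind of corrupted file, so the repair refuses unless the chunk structure behind the header is consistent with a PNG.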

OK, so now we have a password from the repaired image. Let’s see whether the other files hide anything. I’m going to use a tool called Steghide, which embeds data in, or extracts hidden data from, image and audio files (steghide extract -sf <file>, then enter the passphrase when prompted).

There is an embedded file, cool! It is a zip archive; here is what it contains.

Now, cat the files. One of them contains two usernames and the other contains a password. It’s time to test the combinations by logging in to the system over SSH. Fingers crossed…

Congratulations!! You’re on the machine, and the first flag is in user.txt.

Remember that there are often hidden files (those starting with a dot, visible with ls -la); you should cat them, as they may contain interesting stuff. Here we have a message, so let’s see what is inside.

We type “sudo -l” to check whether there is a program we can execute with root privileges. In this case the user can run /usr/bin/pkexec as root through sudo without entering a password. pkexec runs a command as another user, so we can use it to launch bash as root (sudo pkexec /bin/bash).

Finally, we’ve got it.

Thanks for reading my post, see you in the next one!
