TryHackMe — NerdHerd — Write-up
Hi, guys! In this article, I will discuss the walkthrough of the “NerdHerd” CTF challenge in the TryHackMe platform.
I hope this write-up will be useful for you. As usual, I will describe the overall stages I went through in the CTF.
Happy reading! 🍀
Stage 1. First, I started to scan the victim host to find the open ports.
Command:
export IP_ADDRESS=<IP_ADDRESS>
sudo nmap -sC -sV --top-ports=10000 $IP_ADDRESS --disable-arp-ping -T aggressive
Result:
Port number 21: service — FTP, version — vsftpd 3.0.3; anonymous login allowed.
Port number 22: service — SSH, version — OpenSSH 7.2p2;
Port number 139: service — netbios-ssn, version — Samba smbd 3.x-4.x;
Port number 445: service — netbios-ssn, version — Samba smbd 4.3.11-Ubuntu;
Port number 1337: service — HTTP, version — Apache 2.4.18;
Computer name: nerdherd
I noted down these results and decided to enumerate each port one by one.
Stage 2. After scanning the victim machine, the first service I started to enumerate was FTP. Once I had connected to the service, as it allowed anonymous login, I used directory listing to reveal what was stored. I had two interesting findings:
- A hidden directory called .jokesonyou
- A PNG file called youfoundme.png
Below you can see the overall stages discussed so far:
Initially, I decided to analyze the hidden directory. There I found an interesting file called hellon3rd.txt:
To read the content of this file, I used the more command:
Well, to figure out what this message could say to me, I did some googling and Wikipedia gave me an excellent hint:
I discovered an open port number 1337 and this message referred to it! It meant I would find something useful while enumerating the HTTP service on port 1337. I kept note of this and moved on.
Stage 3. Then I analyzed the other file I got from the FTP server, youfoundme.png. To download this file, I used the get command:
Then I analyzed the metadata of the picture with exiftool:
The owner of the picture was fijbxslz, interesting. I thought it needed some further research because something useful could be obtained from this.
Google was my best friend during the CTF, so again I asked it to give me a hint, and it did!
Vigenère cipher? Well, this was where one of the best tools, CyberChef, came into play.
To decode this string, I needed a key. But how could I find it? I decided to put this aside and continue enumeration in another way, but then I remembered “all you need is in the leet”. The answer might be hidden on the web page, so I visited it:
This was an Apache2 default web page. The prompt I encountered first made me think that it was something like XSS, but clicking on the OK button gave me another hint:
Something to find… but where?
Surely, it might be the page source. There was a message like that:
Yes, I kept digging and at the end of the page there was a link:
A song called “Surfin Bird”?
Analyzing the lyrics might give me an idea to find the key. I was right because the word “bird” was repeated multiple times:
Using this word as a key gave me a hint that I was close to the result but not quite there: I had to use a slightly different key:
Maybe, the key was “birdistheword”?
Success!
The output was “easypass”. I was not sure where I could use it, so I just noted it down and decided to conduct further enumeration.
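The decoding step above was done in CyberChef; as an added example (not part of the original write-up), the following Python script implements Vigenère encryption and decryption directly so the result can be reproduced offline. The ciphertext fijbxslz and the keys bird and birdistheword come from the write-up; non-letter characters are passed through unchanged, which is an assumption about how the page's CyberChef recipe was configured.

```python
import string

ALPHABET = string.ascii_lowercase


def _clean_key(key: str) -> str:
    """Keep only letters from the key, lowercased, because only letters shift."""
    cleaned = "".join(c for c in key.lower() if c in ALPHABET)
    if not cleaned:
        raise ValueError("key must contain at least one letter")
    return cleaned


def _vigenere(text: str, key: str, decrypt: bool) -> str:
    """Shift each letter of text by the matching key letter.

    The key index only advances on letters, so punctuation and digits do not
    consume key material (CyberChef behaves the same way by default).
    """
    key = _clean_key(key)
    out = []
    key_pos = 0
    for ch in text:
        lower = ch.lower()
        if lower not in ALPHABET:
            out.append(ch)
            continue
        shift = ALPHABET.index(key[key_pos % len(key)])
        key_pos += 1
        if decrypt:
            shift = -shift
        new_index = (ALPHABET.index(lower) + shift) % 26
        new_char = ALPHABET[new_index]
        out.append(new_char.upper() if ch.isupper() else new_char)
    return "".join(out)


def vigenere_encrypt(plaintext: str, key: str) -> str:
    return _vigenere(plaintext, key, decrypt=False)


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    return _vigenere(ciphertext, key, decrypt=True)


if __name__ == "__main__":
    # Ciphertext recovered from the PNG metadata in the write-up.
    ciphertext = "fijbxslz"
    # The short key only decodes the first four letters correctly,
    # which is the "close but not quite" result described in the write-up.
    print("bird          ->", vigenere_decrypt(ciphertext, "bird"))
    # The full key recovers the password used later against SMB.
    print("birdistheword ->", vigenere_decrypt(ciphertext, "birdistheword"))
```

Running the script prints easywkuw for the short key and easypass for the full key, which matches the two CyberChef attempts described above. Because the key only repeats after thirteen letters and the ciphertext is eight letters long, the first eight key letters (birdisth) are the only ones that matter here; a key whose first four letters were "bird" would always decode the "easy" prefix correctly, which is why the shorter key looked promising.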
Stage 4. As the next stage, I did directory fuzzing with my favourite tool, ffuf.
Command:
export IP_ADDRESS=<IP_ADDRESS>
ffuf -w /usr/share/dirb/wordlists/common.txt -u http://$IP_ADDRESS:1337/FUZZ
Result:
The first finding that drew my attention was the /admin directory. I immediately navigated to it:
Actually, I did not have any idea of a username or a password. But I analyzed the page source and found these:
The first string was successfully decoded, however, despite multiple tries, I did not figure out what the second string could be.
Again, I kept noting and moved on.
Stage 5. Discovering open ports 139 and 445 was not a coincidence, there had to be something useful as a finding. So, I started to enumerate the SMB service.
The smbclient tool gave me a result like the following:
Unfortunately, I could not access the nerdherd_classified share as my standard user:
It meant that I had to enumerate the service further. For this purpose, I used one of my favourite tools, rpcclient.
export IP_ADDRESS=<IP_ADDRESS>
rpcclient -U '' $IP_ADDRESS
The enumdomusers command of the tool gave me the list of users. I found the user chuck with the RID 0x3e8. The queryuser 0x3e8 command gave me much more information about the user chuck.
I tried to access the nerdherd_classified share by specifying the username this time. Then I realized that I did not know the password.
I returned to my findings: I found something like easypass, cibartowski, etc.
The password was easypass. 😉
I found a secret file called secr3t.txt, where a note from the 0xpr0N3rd was left:
Good, it is time to analyze some secret directories!
Stage 6. I navigated to the /this1sn0tadirect0ry page and found a file called creds.txt:
It really included the SSH credentials of the user chuck:
It is time to connect:
The user flag was located in the home directory of the user:
Stage 7. Finally, I had to escalate my privileges to fully compromise the machine. To enumerate the existing privilege escalation attack vectors, I used the linpeas.sh script.
# Command to fetch the script
curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh > linpeas.sh
I started a Python HTTP server to transfer the script to the victim machine:
With the help of the curl command, I transferred the script to my victim machine successfully and made it executable. Then I ran the script and waited for the result.
I found out that the kernel was outdated and I could use a kernel exploit to escalate my privileges:
The corresponding exploit was like the following:
Again, I downloaded this exploit to my attacking machine and transferred it to the victim host. I also checked whether gcc was available on the machine (command: which gcc). Finally, I compiled the exploit file and ran it:
# Compiling the C file:
gcc <C_FILE> -o <COMPILED_OUTPUT>
# Running it:
./<COMPILED_OUTPUT>
Success!
After spawning a stabilized shell…
# Shell stabilization
python3 -c 'import pty;pty.spawn("/bin/bash")'
… I immediately searched for the root flag. But I was trolled! 🥺
The root.txt file in the /root directory contained a message like the following:
I used the find command to discover the actual flag:
# Command:
find / -type f -name "*root*" 2>/dev/null
It was a hidden file in the /opt/ directory. Its content:
Bonus stage. To find the bonus flag, first I read the hint:
The hint was about memories, so I thought that it could be about a history file. It was right! Reading the .bash_history file gave me the bonus flag:
Thanks for reading!