TryHackMe — NerdHerd — Write-up

aCloverophile
8 min read · May 16, 2024

Hi, guys! In this article, I will discuss the walkthrough of the “NerdHerd” CTF challenge on the TryHackMe platform.

I hope this write-up will be useful for you. As usual, I will describe the overall stages I went through in the CTF.

Happy reading! 🍀

Stage 1. First, I started to scan the victim host to find the open ports.

Command:

export IP_ADDRESS=<IP_ADDRESS>
sudo nmap -sC -sV --top-ports=10000 $IP_ADDRESS --disable-arp-ping -T aggressive

Result:

Figure 1. Nmap scan result

Port number 21: service — FTP, version — vsftpd 3.0.3; anonymous login allowed.

Port number 22: service — SSH, version — OpenSSH 7.2p2;

Port number 139: service — netbios-ssn, version — Samba smbd 3.x-4.x;

Port number 445: service — netbios-ssn, version — Samba smbd 4.3.11-Ubuntu;

Port number 1337: service — HTTP, version — Apache 2.4.18;

Computer name: nerdherd

I noted down these results and decided to enumerate each port one by one.

Stage 2. After scanning the victim machine, the first service I started to enumerate was FTP. Once I had connected to the service, as it allowed anonymous login, I used directory listing to reveal what was stored. I had two interesting findings:

  • A hidden directory called .jokesonyou
  • A PNG file called youfoundme.png

Below you can see the overall stages discussed so far:

Figure 2. FTP connection

Initially, I decided to analyze the hidden directory. There I found an interesting file called hellon3rd.txt:

Figure 3. The .jokesonyou directory

To read the content of this file, I used the more command:

Figure 4. Content of the hellon3rd.txt file

Well, to figure out what this message could say to me, I did some googling and Wikipedia gave me an excellent hint:

Figure 5. Wikipedia search

I discovered an open port number 1337 and this message referred to it! It meant I would find something useful while enumerating the HTTP service on port 1337. I kept note of this and moved on.

Stage 3. Then I analyzed the other file I got from the FTP server, youfoundme.png. To download this file, I used the get command:

Figure 6. Downloading the picture

Then I analyzed the metadata of the picture with exiftool:

Figure 7. Metadata Analysis

The owner of the picture was fijbxslz, interesting. I thought it needed some further research because something feasible could be obtained from this.

Google was my best friend during the CTF, so again I asked it to give me a hint, and it did!

Figure 8. Searching for fijbxslz

Vigenère cipher? Well, this was where one of the best tools, CyberChef, came into play.

Figure 9. CyberChef Analysis

To decode this string, I needed a key. But how could I find it? I decided to put this aside and continue enumeration in another way, but then I remembered “all you need is in the leet”. The answer might be hidden on the web page, so I visited it:

Figure 10. Web page on the port 1337

This was an Apache2 default web page. The prompt I encountered first made me think that it was something like XSS, but clicking on the OK button gave me another hint:

Figure 11. Hint

Something to find… but where?

Surely, it might be the page source. There was a message like that:

Figure 12. Message in the page source

Yes, I kept digging and at the end of the page there was a link:

Figure 13. Link

A song called “Surfin Bird”?

Figure 14. Song

Analyzing the lyrics might give me an idea to find the key. I was right because the word “bird” was repeated multiple times:

Figure 15. Analyzing the lyrics

Using this word as a key gave me a hint that I was close to the result but not completely there: I had to use a slightly different key:

Figure 16. The first try

Maybe, the key was “birdistheword”?

Figure 17. The second try

Success!

The output was “easypass”. I was not sure where I could use it, so I just noted it down and decided to conduct further enumeration.
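To show what CyberChef is doing in Figures 16 and 17, here is a small Vigenère decoder (an added example, not code from the original write-up or from the room). It uses the values from the page: the ciphertext fijbxslz found in the image metadata, the first key guess bird and the working key birdistheword. The letters-only key handling and the pass-through of non-letters are assumptions that match the usual CyberChef Vigenère recipe.

```python
import string

ALPHABET = string.ascii_lowercase


def _clean_key(key: str) -> str:
    """Keep only the letters of the key, lower-cased (assumed convention)."""
    cleaned = "".join(ch for ch in key.lower() if ch in ALPHABET)
    if not cleaned:
        raise ValueError("key must contain at least one letter")
    return cleaned


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Decrypt a classic Vigenère ciphertext.

    Each plaintext letter is (cipher_index - key_index) mod 26. The key is
    repeated for as many letters as the ciphertext has; non-letters are copied
    through unchanged and do not consume a key position.
    """
    key = _clean_key(key)
    out = []
    k = 0  # position in the key; advances only on alphabetic characters
    for ch in ciphertext:
        lower = ch.lower()
        if lower in ALPHABET:
            shift = ALPHABET.index(key[k % len(key)])
            plain = ALPHABET[(ALPHABET.index(lower) - shift) % 26]
            out.append(plain.upper() if ch.isupper() else plain)
            k += 1
        else:
            out.append(ch)
    return "".join(out)


def vigenere_encrypt(plaintext: str, key: str) -> str:
    """Inverse of vigenere_decrypt: (plain_index + key_index) mod 26."""
    key = _clean_key(key)
    out = []
    k = 0
    for ch in plaintext:
        lower = ch.lower()
        if lower in ALPHABET:
            shift = ALPHABET.index(key[k % len(key)])
            cipher = ALPHABET[(ALPHABET.index(lower) + shift) % 26]
            out.append(cipher.upper() if ch.isupper() else cipher)
            k += 1
        else:
            out.append(ch)
    return "".join(out)


def try_keys(ciphertext: str, candidates: list[str]) -> dict[str, str]:
    """Decrypt with every candidate key (e.g. words lifted from the lyrics)
    and return a mapping key -> plaintext so the guesses can be compared."""
    return {key: vigenere_decrypt(ciphertext, key) for key in candidates}


if __name__ == "__main__":
    # Constructed inputs taken from the write-up: ciphertext from the image
    # owner field, candidate keys from the "Surfin Bird" lyrics.
    ciphertext = "fijbxslz"
    for key, plain in try_keys(ciphertext, ["bird", "birdistheword"]).items():
        print(f"{key:>14}: {plain}")
    # bird           -> easywkuw
    # birdistheword  -> easypass
```

Running it reproduces the two attempts from the screenshots: the key bird yields easywkuw, and birdistheword yields easypass. The partial match is not a coincidence: both keys start with the same four letters, so the first four plaintext characters (easy) are identical under either key, and only the remaining positions change when the longer key is used. That is exactly why the first try looked "close but not complete".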

Stage 4. As the next stage, I did directory fuzzing with my favourite tool, ffuf.

# Command:
export IP_ADDRESS=<IP_ADDRESS>
ffuf -w /usr/share/dirb/wordlists/common.txt -u http://$IP_ADDRESS:1337/FUZZ

Result:

Figure 18. Directory enumeration result

The first finding that drew my attention was the /admin directory. I immediately navigated to it:

Figure 19. Login page

Actually, I did not have any idea of a username or a password. But I analyzed the page source and found these:

Figure 20. Analyzing the page source

The first string was successfully decoded, however, despite multiple tries, I did not figure out what the second string could be.

Figure 21. The first string: result
Figure 22. The second string: result

Again, I kept noting and moved on.

Stage 5. Discovering open ports 139 and 445 was not a coincidence; there had to be a useful finding there. So, I started to enumerate the SMB service.

The tool smbclient gave a result like the following:

Figure 23. The smbclient result

Unfortunately, I could not access the nerdherd_classified share as my standard user:

Figure 24. Share access denied

It meant that I had to enumerate the service further. For this purpose, I used one of my favourite tools, rpcclient.

export IP_ADDRESS=<IP_ADDRESS>
rpcclient -U '' $IP_ADDRESS

Figure 25. Connection initiated

The enumdomusers command of the tool gave me the list of users. I found the user chuck with the RID 0x3e8. The queryuser 0x3e8 command gave me much more information about the user chuck.

Figure 26. SMB user enumeration

I tried to access the nerdherd_classified share by mentioning the username this time. Then I realized that I did not know the password.

I returned to my findings: I found something like easypass, cibartowski, etc.

The password was easypass. 😉

I found a secret file called secr3t.txt, where a note from the 0xpr0N3rd was left:

Figure 27. Accessing the intended share

Good, it is time to analyze some secret directories!

Stage 6. I navigated to the /this1sn0tadirect0ry page and found a file called creds.txt:

Figure 28. Finding a file called creds.txt

It really included the SSH credentials of the user chuck:

Figure 29. Credentials

It is time to connect:

Figure 30. SSH connection

The user flag was located in the home directory of the user:

Figure 31. User flag

Stage 7. Finally, I had to escalate my privileges to fully compromise the machine. To enumerate the existing privilege escalation attack vectors, I used the linpeas.sh script.

# Command to take the script
curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh > linpeas.sh

I started a Python HTTP server to transfer the script to the victim machine:

Figure 32. Host machine

With the help of the curl command, I transferred the script to my victim machine successfully and made it executable. Then I ran the script and waited for the result.

Figure 33. Script transfer successful

I found out that the kernel was outdated and I could use a kernel exploit to escalate my privileges:

Figure 34. PrivEsc attack vector found

The corresponding exploit was like the following:

Figure 35. Exploit

Again, I downloaded this exploit to my attacking machine and transferred it to the victim host. I also checked whether gcc was available on the machine (command: which gcc). Finally, I compiled the exploit file and ran it:

# Compiling the C file:
gcc <C_FILE> -o <COMPILED_OUTPUT>

# Running it:
./<COMPILED_OUTPUT>

Figure 36. Privilege escalation

Success!

Figure 37. PrivEsc successful

After spawning a stabilized shell…

# Shell stabilization
python3 -c 'import pty;pty.spawn("/bin/bash")'

… I immediately searched for the root flag. But I was trolled! 🥺

The root.txt file located in the /root directory contained a message like the following:

Figure 38. Message

I used the find command to discover the actual flag:

# Command:
find / -type f -name "*root*" 2>/dev/null

Figure 39. Finding the location of the root flag

It was a hidden file in the /opt/ directory. The content of it:

Figure 40. Root flag

Bonus stage. To find the bonus flag, first I read the hint:

Figure 41. Hint

The hint was about memories, so I thought that it could be about a history file. It was right! Reading the .bash_history file gave me the bonus flag:

Thanks for reading!
