Try Hack Me — Stegosaurus — WriteUp

DariuszGruszka
9 min read, Apr 13, 2024


Stegosaurus is a room I’ve prepared on TryHackMe with a moderate level of difficulty based on Linux. It requires basic skills in cybersecurity.

Below is a screenshot from scanning ports using the nmap tool:

nmap --open <IP_ADDR>

To make further work easier, I added an entry to the /etc/hosts file redirecting the IP address of the tested machine to the name stegosaurus.thm

First, I check port 21 for the possibility of logging in to the ftp service as anonymous. Unfortunately this is not possible.

In the second step, I try to verify the SMB service provided on port 139 and list available resources.

The “dinoland$” share looks interesting, so I check whether it can be accessed without credentials.

There are three files there. After downloading and opening them, the dont_open_prehistory.txt file looks interesting. After decoding it with base64, we get a list of passwords.

Unfortunately, I don’t have any login, so I save this file and leave it for later.

Next, I check what is on port 80. Opening it in the browser, I see a login panel.

Since the panel has the ability to register a new user, I go to this step and create a test user: test:test.123 and log in with the newly created credentials.

The website contains a story about several dinosaurs and does not seem to have any functionality to upload a payload to the server. However, one of the stories contains an interesting sentence: “I’ve got more secrets than you might think! So, next time you see me, remember, there’s more to Stego than meets the eye!” This may suggest that the image file contains hidden data using steganography.

So I decide to download the Stegosaurus image and display its contents using the strings tool.

Since the room’s name hints at steganography, I try to extract the hidden content with the steghide tool.

Unfortunately, a password is required, so I use the previously obtained and decoded password list from the SMB share as a wordlist for stegcracker,

and I succeed.

Verification of the extracted file indicates that we are dealing with a .zip archive.

So I rename the file and try to extract it:

mv stegosaurus.jpeg.out steg.zip

Unfortunately, this archive is password protected as well:

So in the next step, I successfully crack the archive password using John The Ripper and the standard rockyou.txt dictionary.

After unpacking the .zip archive using the obtained password, we receive another file with passwords.

Unfortunately I still don’t have any username. So I go back to the website on port 80 and try to use SQLi in the login panel, hoping to find a vulnerability and extract users from the database.

First, I try an “or true” statement:

and the answer of webpage is:

So I’m guessing that there is some basic SQLi protection and that some valid user’s name starts with “Stego…”. So I try another “and true” statement:

A successful login with an “and true” condition appended in the login field, even with an incorrect password, means that the web application is vulnerable to SQLi, so by modifying the payload appropriately it should be possible to extract information directly from the database.

Let’s look at it more closely using Burp Suite:

As you can see, with a correct payload (existing user and a true statement) I’m redirected to welcome.php; for an incorrect payload I immediately receive code 200 and a message about incorrect login data.

Since this is a boolean-based vulnerability, I won’t be able to read the data directly from the database, but I can recover it by guessing the value I’m looking for one character at a time. Code 200 will mean an error (false), code 302 will mean that the query is correct (true). For this purpose it seems logical to use the LIKE operator, but to be able to use it I first need to know the number of columns and the name of the database.
We can check the number of columns by using ORDER BY and increasing its value until an error is obtained.

I received an error for the value 6, which suggests that the query returns 5 columns. To find the database name, I’ll assume I’m dealing with MySQL and use a query like this:

' UNION SELECT 1,2,3,4,5 WHERE database() LIKE BINARY 'a%' -- -

changing the a% parameter to subsequent alphabetic characters and numbers until I get the first letter of the database name.

I can use Burp Suite Intruder or do it manually and easily find the database name (Dinotopia):

In the next steps, I will want to extract the name of the table with users, username and password. Since manual letter-by-letter verification is time-consuming, I decided to write simple python scripts to extract the table name:

username:

By manipulating the order of letters, we can list all users from the database. The screenshot shows the one I managed to log in as.

password:

The password looks like an MD5 hash, so I try to crack it using hashcat:

Alternatively, instead of cracking the hash, you can use e.g. “hydra” for a bruteforce attack on ftp.
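As an added example (not code from the original write-up), here is the shape of login query that makes the boolean-based injection described above possible, beside the parameterised version that closes it. It runs against an in-memory SQLite table with constructed sample accounts; the table and column names are assumptions, not the room’s real schema.

```python
"""Added example, not code from the original write-up: a login query built the
way that enables the boolean-based SQL injection described above, beside the
parameterised version that closes it. Runs against an in-memory SQLite table
with constructed sample users; table and column names are assumptions."""
import hashlib
import sqlite3

# Constructed sample accounts (not the room's real users). The write-up notes
# the stored passwords looked like MD5 hashes, so the demo mirrors that; a real
# fix would also switch to a salted, slow hash (bcrypt/scrypt/argon2).
SAMPLE_USERS = [
    ("StegoSam", "constructed-password-1"),
    ("AnnExample", "constructed-password-2"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    for name, pw in SAMPLE_USERS:
        conn.execute(
            "INSERT INTO users (username, password) VALUES (?, ?)",
            (name, hashlib.md5(pw.encode()).hexdigest()),
        )
    return conn


def login_vulnerable(conn, username, password):
    """Concatenates user input into the SQL text. Returns the logged-in
    username, or None for both wrong credentials and SQL errors, which is the
    single 'incorrect login data' response (HTTP 200) the write-up observed."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    query = (
        f"SELECT id, username, password FROM users WHERE username = '{username}' "
        f"AND password = '{pw_hash}'"
    )
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error:  # e.g. ORDER BY past the last column
        return None
    return row[1] if row else None


def login_hardened(conn, username, password):
    """Same check with bound parameters: the driver passes the username as a
    value, so quotes, comments and ORDER BY inside it never reach the parser."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT id, username, password FROM users WHERE username = ? AND password = ?",
        (username, pw_hash),
    ).fetchone()
    return row[1] if row else None


if __name__ == "__main__":
    db = make_db()
    # Valid credentials work in both versions.
    print(login_vulnerable(db, "StegoSam", "constructed-password-1"))
    print(login_hardened(db, "StegoSam", "constructed-password-1"))
    # An always-true condition in the username logs the vulnerable version in
    # with a wrong password; the hardened version treats it as a literal name.
    print(login_vulnerable(db, "StegoSam' AND 1=1 -- -", "wrong"))
    print(login_hardened(db, "StegoSam' AND 1=1 -- -", "wrong"))
```

The difference between the two functions is the whole fix: the hardened query has a fixed structure and the input can only ever be compared as a string, so the 200/302 oracle the write-up relies on disappears.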

Now I have a login and password that I can use to log in to the ftp service and find more interesting files:

Analysis of the dump.pcap file found on the FTP server shows that it is possible to connect to the server via SSH even though nmap did not find an open port 22. Before the SSH connection took place, the capture shows hits on three unusual ports, which suggests that the SSH service is hidden behind knockd.

If you are using the AttackBox, unfortunately knockd is not installed on it, but you can hit these ports in many other ways, for example using netcat:

nc -zv -w 1 stegosaurus.thm 7776; nc -zv -w 1 stegosaurus.thm 8887; nc -zv -w 1 stegosaurus.thm 9998

or just:

Of course, if you use your own Linux machine, the easiest way is to use knockd:

After successfully opening port 22, I log in via SSH to the StegosaurusSteve account with the previously obtained password that worked on the FTP service.
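From the defender’s side, the knock sequence that the pcap revealed is just as visible in the server’s own firewall logs. As an added example (not part of the original write-up), the script below reconstructs port-knock sequences from constructed log lines written in the style of an iptables LOG rule for inbound SYNs; the hostname, addresses, timestamps and the set of “known service” ports are assumptions, and the knock ports are the three from the write-up.

```python
"""Added example (not part of the original write-up): recover port-knock
sequences from firewall log lines, so that access to a knockd-hidden SSH
service shows up in monitoring. Log lines are constructed in the style of an
iptables LOG rule; hostname, addresses and timestamps are made up."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one source knocks 7776, 8887, 9998 and then opens
# SSH; another source just browses port 80 and then tries SSH directly.
SAMPLE_LOG = """\
Apr 13 10:00:01 stego kernel: IN=eth0 OUT= SRC=10.10.14.5 DST=10.10.10.20 PROTO=TCP SPT=41000 DPT=7776 SYN
Apr 13 10:00:01 stego kernel: IN=eth0 OUT= SRC=10.10.14.5 DST=10.10.10.20 PROTO=TCP SPT=41001 DPT=8887 SYN
Apr 13 10:00:02 stego kernel: IN=eth0 OUT= SRC=10.10.14.5 DST=10.10.10.20 PROTO=TCP SPT=41002 DPT=9998 SYN
Apr 13 10:00:03 stego kernel: IN=eth0 OUT= SRC=10.10.14.5 DST=10.10.10.20 PROTO=TCP SPT=41003 DPT=22 SYN
Apr 13 10:05:00 stego kernel: IN=eth0 OUT= SRC=10.10.14.9 DST=10.10.10.20 PROTO=TCP SPT=51000 DPT=80 SYN
Apr 13 10:05:01 stego kernel: IN=eth0 OUT= SRC=10.10.14.9 DST=10.10.10.20 PROTO=TCP SPT=51001 DPT=22 SYN
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)
# Ports the nmap scan in the write-up showed as open; SYNs to anything else
# are treated as hits on closed ports (assumption for this demo).
SERVICE_PORTS = {21, 80, 139, 445}
SSH_PORT = 22
WINDOW_SECONDS = 10   # knockd sequences are normally completed within seconds
MIN_KNOCKS = 3


def find_knock_sequences(log_text, window=WINDOW_SECONDS, min_knocks=MIN_KNOCKS):
    """Return {src_ip: [knock ports in order]} for every source whose SYN to
    port 22 was preceded, within `window` seconds, by at least `min_knocks`
    distinct SYNs to ports that are not known services."""
    recent = defaultdict(list)   # src -> [(timestamp, port)] of closed-port hits
    results = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog time
        src, port = m["src"], int(m["dpt"])
        if port == SSH_PORT:
            knocks = [p for (t, p) in recent[src] if (ts - t).total_seconds() <= window]
            distinct = list(dict.fromkeys(knocks))   # keep first-seen order
            if len(distinct) >= min_knocks:
                results[src] = distinct
            continue
        if port not in SERVICE_PORTS:
            recent[src].append((ts, port))
    return results


if __name__ == "__main__":
    for src, ports in find_knock_sequences(SAMPLE_LOG).items():
        print(f"{src} knocked {ports} before connecting to port {SSH_PORT}")
```

The same grouping works on real kernel log output once the regex is adjusted to the exact LOG prefix in use; alerting on the result gives visibility into who is opening the hidden service, which a plain open-port inventory (as the nmap scan above showed) never will.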

After successful login, I go to the directory above and see that there are three other home directories of users in the system, which I had previously extracted from the website’s database, but to which I was unable to log in. Displaying the /etc/passwd file confirms that these users exist on the system.
Using the “groups” command, I check which groups I belong to and see that I am a member of the “AnkylosaurusAnn” group, which allows me to write to this user’s home directory.

Thanks to this, I can try to create a .ssh subdirectory in the “AnkylosaurusAnn” directory and copy my generated public key into it as “authorized_keys”, which should allow me to log in to the “AnkylosaurusAnn” account with my private key.

After a successful login attempt with the key, I view the user.txt file and get the first flag.

In the next step, I check whether I have any additional sudo permissions.

Since I can run the “tee” command with sudo, I can easily abuse it in many ways to escalate to the “root” user. In my opinion, the easiest solution is to modify the /etc/passwd file so that switching to the “root” user with the “su” command requires no password.
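The edit just described leaves a trace that is easy to audit. As an added example (not part of the original write-up), the check below parses /etc/passwd-format content and flags the conditions such an edit produces: an account whose password field has been emptied so that su asks for nothing, a hash kept in /etc/passwd instead of /etc/shadow, and any extra UID 0 account. It runs on constructed sample content by default; the account names are made up.

```python
"""Added example (not part of the original write-up): an integrity check for
/etc/passwd that flags the kind of edit a sudo-able `tee` makes possible.
Runs on constructed sample content; pass a path to audit a real file."""
import sys
from typing import List

# Constructed clean /etc/passwd content (account names are made up).
CLEAN_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001::/home/alice:/bin/bash
"""

# The same content after the edit the write-up describes: root's password
# field emptied, so `su` no longer prompts for a password.
TAMPERED_PASSWD = """\
root::0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001::/home/alice:/bin/bash
"""

# Values that mean "the real hash lives in /etc/shadow" or "no login".
SHADOWED = {"x", "*"}


def audit_passwd(content: str) -> List[str]:
    """Return one finding per suspicious entry; an empty list means clean."""
    findings = []
    uid0_names = []
    for lineno, line in enumerate(content.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"line {lineno}: malformed entry ({len(fields)} fields)")
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if pw == "":
            findings.append(
                f"line {lineno}: '{name}' has an empty password field (no password needed)"
            )
        elif pw not in SHADOWED:
            findings.append(
                f"line {lineno}: '{name}' stores a password hash in /etc/passwd instead of /etc/shadow"
            )
        if uid == "0":
            uid0_names.append(name)
    # Any UID 0 entry other than root is a second superuser account.
    for name in uid0_names:
        if name != "root":
            findings.append(f"extra UID 0 account: '{name}'")
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as f:
            content = f.read()
    else:
        content = TAMPERED_PASSWD   # constructed sample
    problems = audit_passwd(content)
    print("\n".join(problems) if problems else "no findings")
```

Run it as `python3 audit_passwd.py /etc/passwd` (file name assumed) from cron or a configuration-management check; a non-empty result, combined with the sudoers entry for tee that made the edit possible, is the signal a defender wants to see before root.txt is read.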

It is now possible to display the root.txt flag.

Finished :)
