Thursday, December 8, 2022

TryHackMe - Year of the Rabbit - writeup

Year of the Rabbit is a beginner-friendly CTF room on TryHackMe.com. However, I strongly suggest that this isn't your very first CTF room, because it is pretty long and not as straightforward as you would expect from an easy room. Here is my "journey" through the VM we need to hack into and
  Step 1
    As usual I started with an nmap scan (a SYN scan needs raw sockets, so run it as root):
    sudo nmap -sS VM_IP
    The output looks promising: the FTP, SSH and HTTP ports are open.
    I checked whether FTP allows anonymous login, but it doesn't. We will return to FTP later.
  Step 2
    In this step we run our friend gobuster:
    gobuster dir -u http://VM_IP -w /usr/share/wordlists/dirb/common.txt -x php,txt,html
    The output points us to the /assets folder, where we find two files.
  Step 3
    We got some text and a video. The text suggests the hint is in the video, so I went for that, but no luck. I looked around the web for a hint and the suggestion was to use Burp Suite. We use it to intercept the GET request for the page /sup3r_s3cr3t_fl4g.php; in the server's response (which Burp shows us before the browser acts on it) we find the name of the hidden folder.
  Step 4
    Opening the hidden folder from the previous step, we find a picture of a girl. Hmm, what could we do with it? Maybe some metadata, or text hidden inside the file:
    strings hot_babe.png
    Voila, we get a list of possible passwords and a username for FTP access.
  Step 5
    We use hydra (-l is the one known username, -P is the password list, and the target is given as a URL):
    hydra -l ftpuser -P possible_pass.txt ftp://VM_IP
    Hydra runs fast because the list is short, and we can log in to FTP with the username and password it found:
    ftp VM_IP
    We are prompted for credentials. After login we run ls and see Eli's_Creds.txt. I downloaded the file to the AttackBox:
    get Eli's_Creds.txt
  Step 6
    I opened the file on the AttackBox. At first it looks like gibberish, but I thought I had seen this before.
    I looked around the web for the brainfuck language, confirmed that this is brainfuck, and decoded it with a brainfuck decoder.
    This gave us SSH credentials.
    ssh username@VM_IP
    We enter the password we got from the decoder. After login we get a hint about where to look; following it we find another set of credentials.
    su another_username
    After logging in to the new account I checked the user's home folder, where you find the user.txt flag.
  Step 7
    OK, we got the user flag; let's try to escalate privileges. We check whether we can run any command as root:
    sudo -l
    From the output I saw that we can run vi. I headed over to GTFOBins to see which command would help us get root access.
    sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt
    This works because of CVE-2019-14287: sudo before 1.8.28 accepts -u#-1 (uid -1), treats it as uid 0 and runs the command as root even when the sudoers rule forbids root with (ALL, !root). Check sudo --version first; on a patched sudo the trick fails.
    Then press Esc (or Ctrl+C) to make sure vi is in normal mode, type :!/bin/sh, and voila, we have a root shell.
    cd /root
    ls
    cat root.txt
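The two decoding steps of this walkthrough (pulling the hidden text out of the PNG in step 4, and decoding the brainfuck in Eli's_Creds.txt in step 6), as an added Python example that is not part of the original writeup. The PNG below is a constructed 1x1 image with a made-up credential list appended after its IEND chunk, which is where strings typically finds such text; the brainfuck program is the standard Hello World, not the room's actual file; and all function names are my own.

```python
"""Added example: PNG trailer extraction and a brainfuck interpreter.
All sample inputs are constructed for this example, not taken from the room."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_trailer(data: bytes) -> bytes:
    """Return the bytes that follow the IEND chunk (b"" if there are none).

    A chunk is: 4-byte big-endian length, 4-byte type, payload, 4-byte CRC.
    Anything after IEND is never rendered, so it is a common hiding place."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4            # skip header, payload and CRC
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("truncated PNG: no IEND chunk")


def printable_lines(blob: bytes, min_len: int = 4) -> list:
    """Roughly what `strings` does: runs of printable ASCII >= min_len."""
    out, run = [], bytearray()
    for b in blob + b"\x00":             # sentinel flushes the last run
        if 32 <= b < 127:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


# Constructed sample: a 1x1 grayscale PNG with a fake credential list appended.
SAMPLE_TRAILER = b"Ftp user: ftpuser\nPossible passwords:\nhunter2\nletmein\n"
SAMPLE_PNG = (
    PNG_SIGNATURE
    + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))   # filter byte + one pixel
    + _chunk(b"IEND", b"")
    + SAMPLE_TRAILER
)


def brainfuck(program: str, stdin: bytes = b"") -> str:
    """Minimal brainfuck interpreter: 30000 8-bit wrapping cells."""
    jump, stack = {}, []                 # precompute matching brackets
    for i, ch in enumerate(program):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at {i}")
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at {stack[-1]}")

    tape, ptr, pc, inp, out = bytearray(30000), 0, 0, list(stdin), bytearray()
    while pc < len(program):
        ch = program[pc]
        if ch == ">":
            ptr += 1
        elif ch == "<":
            ptr -= 1
            if ptr < 0:
                raise IndexError("tape pointer moved below cell 0")
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":
            tape[ptr] = inp.pop(0) if inp else 0
        elif ch == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif ch == "]" and tape[ptr] != 0:
            pc = jump[pc]
        pc += 1
    return out.decode("latin-1")


# Constructed sample program (the standard brainfuck Hello World).
HELLO_WORLD = ("++++++++[>++++[>++>+++>+++>+<<<<-]>+>+>->>+[<]<-]>>.>---.+++++++.."
               "+++.>>.<-.<.+++.------.--------.>>+.>++.")

if __name__ == "__main__":
    for line in printable_lines(png_trailer(SAMPLE_PNG)):
        print("trailer:", line)
    print("decoded:", brainfuck(HELLO_WORLD), end="")
```

On a real file, compare the length of png_trailer(data) with what strings reports: if the interesting strings all come from the trailer, the image itself is untouched and no steganography tooling is needed.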
I hope anyone who gets stuck finds this helpful.
AudiTTRSi
