[EN] TryHackMe — Year of the Rabbit (Write-Up)

Emirhan Mutlu
Mar 10, 2022

Hello everyone, this is Emirhan. I am a Computer Engineering student who is interested in Cyber Security and trying to improve himself. This is going to be my first write-up so please don’t be too hard on me :)

Let’s Begin!

First, I started with an nmap scan.

“nmap -v -A [ip-address]”

We found that the ftp (21), ssh (22) and http (80) ports are open. So I decided to look at the website served at the IP address. When we enter the IP address, the Apache2 Debian Default Page welcomes us :) Let’s try to find hidden directories. I used gobuster for that.

“gobuster dir -w /usr/share/wordlists/dirb/common.txt -u [url]”

/assets seems interesting. Let’s go there! We have “RickRolled.mp4” and “style.css”. If we look into the “style.css”

We found a secret page. When we enter that page, it says “turn off your javascript”. You can do that by simply asking Google how to do it :) After I disabled JavaScript and entered the website, the song “Never Gonna Give You Up” by Rick Astley was shown. I like this song but unfortunately, it doesn’t help us. So I tried to check the website request. I did this from the developer tools but you can also use BurpSuite.

As you can see, we found a hidden directory. When we go to that page, a picture of a woman stands out. I thought useful information was hidden in the picture. So I decided to use https://aperisolve.fr/ for this job. After we extract that data, we can find the username for ftp and a list of possible passwords. I noted the username and saved the passwords in a .txt file. We can use the Hydra tool for brute-forcing the password (or you can try them one by one :d)

“hydra -l [username] -P [txt file path that we saved] ftp://[IP Address]”

After that, thanks to hydra we can use that username and password to connect with ftp.

“ftp [IP Address]”

Enter the username and password and you should be able to connect. We can use the “ls” command and see there is an “Eli’s_Creds.txt”. You can use the “get Eli’s_Creds.txt” command to download that file to your system. When I looked into that file, I saw some nonsense like this :D

I tried to search for something but I couldn’t find anything. I am not going to lie, I checked other write-ups for this and I noticed no one explained how they knew what this is, but it appeared to be a programming language called “BrainFuck”. When you decode it, you can find the username and password for ssh.

“ssh username@[IP Address]”

When you log in using that command, this page comes along.

s3cr3t seemed a little suspicious. So I tried to search for that file/directory using the “locate s3cr3t” command. After reading that file, we find the password of gwendoline (another user). Using “su gwendoline” and entering the password, here we are. We found the user flag.

After that we need to switch to root. I use the “sudo -l” command. This command shows us the sudo permissions of the user we are currently logged in as.

I always check GTFOBins website first. When I checked for vi,

I saw that command. But when I tried it, the system didn’t allow us to run that command. So after a long search, I found something that works.

If you check that vulnerability, you can see that we can use the “sudo -u#-1” command. After adapting it to our own case, we can use

“sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt”

and there you go :) Now we are root. You can search a little bit in directories and find the root flag.

That was my first write-up. I hope you enjoyed and learned something from my write-up. See you soon in my next write-up.

Peace.
