In today’s post we’re going to solve the Bounty Hunter room in TryHackMe.
Let’s get started.
Going to the room and clicking the deploy/start machine, we see the following:
Your IP address will be different.
Let’s start answering the question.
The first question is to find open ports.
We’re going to enter the command: nmap -sV <deployed IP address> which in my case will be nmap -sV 10.10.126.62
Doing this we see:
We have three ports open. FTP, SSH, and HTTP.
We need to see who wrote the task list.
With FTP depending on the configuration, you can access this server with a username of anonymous and any password.
Let’s see if this works.
Now let’s do a listing to see what is on the server.
We have a locks.txt and a task.txt file
How do we download the files?
We can use the get command – get <file>
Let’s try it.
The files were downloaded successfully.
We can close the ftp server by entering the exit command.
Doing an cat (concatenate) to open the task.txt file we see:
We found the user – lin.
Let’s answer the next question.
What service can we use to brute force the text file?
Looking at the services opened, we already anonymously logged into the FTP server, so that’s not it.
Let’s see if SSH is the answer. It is!
What is the user’s password? The user in this case is lin.
Well to brute force SSH we can use the program – Hydra.
We didn’t open the tasks.txt file.
Let’s open it.
Using the cat command cat locks.txt we see:
Hmm… this file seems like this is a file with passwords.
Going back to Hydra, doing this we can use the command hydra -l lin -P locks.txt <IP address> -t 4 ssh in my case it will be hydra -l lin -P locks.txt 10.10.126.62 -t 4 ssh
Let’s explain the command
Hydra – The program we’re going to use
-l lin – select the user we want to use (lin)
-P tasks.txt – selecting the password file we want
<IP address> – specifying the IP address we want to brute-force
-t 4 – the number of threads we want. In this case we say we want 4 threads. The bigger the threads, the faster hydra will perform
ssh – let’s us know we want to brute-force the ssh server
Doing this we get the following:
We found the password – RedDr4gonSynd1cat3
Now let’s login
Going back to our terminal let’s enter the command ssh email@example.com
Let’s break this down
ssh – invoking we want to access the SSH server
firstname.lastname@example.org – the user at the server
We get the following:
We get the question of are we sure we want to connect – enter yes.
Next we need to enter the password. Copy the password from the Hydra output.
Doing that we see the above screenshot.
We are now in the SSH server!
Let’s answer the next question.
We need to find and open the user.txt file.
Doing a long listing to view everything ls -la we see:
We see the user.txt file!
Using the cat command to open the file it will be – cat user.txt
Now to the final question.
We need to find and open the root.txt file.
Going back to the terminal – we’re going to enter the command: find / -perm -u=s -type f 2>/dev/null
Let’s break it down
find – invoke the find command
/ – specifying we’re starting at the root file system
-perm = look for a specific permission
-u = s – specifies we want to find users (owners) with the sticky bit set. The sticky bit allows a user to execute the program as the owner. In this case we want to find sticky bits that can be executed as root.
-type f = we’re looking for files
2>/dev/null – we’re redirecting error messages from the standard output (the screen) to /dev/null.
Doing this we get the following:
The above files allows us to execute the program as root.
Most of these are standard, but the sudo command should not be there.
Why? The sudo allows to execute root commands for the specific command.
With the sudo command there’s also a file sudoers file that tells the users, and files that can run as root.
To figure this out, let’s enter the command sudo -l
We’re going to be prompted for the password which is: RedDr4gonSynd1cat3
Doing this we see:
We see that one file – /bin/tar can run as root.
Going to Google and typing in privilege escalation tar file
Clicking on the first link we see:
Scrolling down we see:
We see a section on Sudo!
Copying this command into our terminal and entering the whoami command we get:
We have successfully escalated our privileges to root!
Going to the root home directory and doing a long listing we see:
In this post, we’re going to solve the Hemisphere boot2root from Vulnhub.
Let’s get started.
When we start the Hemisphere – Gemini machine we see the following screen:
OK, we’re prompted with a login screen.
For most boot2root’s we need to find user and root.txt on the box.
Next, on our attacker machine (I’m using parrot security), I am going to type the command netdiscover.
Netdiscover will ping your network with active IPs. From there you can figure out which IP is being used for the virtual machine.
After finding the IP address, let’s open a terminal and type nmap -sV <IP address from netdiscover>. In my case, it’s going to be nmap -sV 192.168.1.132. Doing this we have the following output:
We have 5 ports open.
And ports 139 and 445.
What do the above two ports belong to?
Well these two ports are for Samba SMB. SMB allows computers to talk with each other. Most times when SMB is enabled, it’s SMB 1.0 which is extremely insecure. So how do we exploit it?
Well, there’s an application enum4linux which will enumerate all of the SMB shares. To do this we’ll use the command enum4linux -a <IP address from netdiscover>. In my case it will be enum4linux -a <192.168.1.132>
Doing this we have:
As you can see we have A LOT of output from enumerating the different shares from SMB.
Looking through the input we see there’s a username: William. We need to save this as we’ll use it later.
Now reviewing the nmap scan again – we see that port 80 or HTTP is open.
Next step, is to enumerate/brute force to see if we can find hidden directories.
Let’s use our two favorite applications – dirb and gobuster.
We have an assortment of files/directories to review.
robots.txt – a helpful file that tells web crawlers to exclude directories to be crawled/exposed on the internet.
Going to the robots.txt file we see:
There are three directories. Let’s see if we can find any goodies!
Going to the secret folder we see:
Hmm… there’s nothing there.
Let’s try admin.
Nothing there either.
Let’s try the last folder – lol
So the robots.txt was a red herring. It’s a way to knock us off our game as there’s nothing there.
Going back to dirb/gobuster we see there are two folders to review.
Let’s try assets and see what we get.
Going to the assets folder we see:
Hmm – nothing really there. It’s styling for our website.
Let’s try the second folder – images.
Going to this folder we see:
Nothing of importance. This directory is a space for all of the pictures for our site.
Speaking of our site. Let’s go to the index.html file
Going to this page, we see:
Looking through the page we don’t see anything of value.
So now – we’ve enumerated all of the hidden folders and really haven’t found anything. We know we have a user of William, but how do we log in?
We need to enumerate/brute force the directories again.
How do we do this? Change our wordlist.
Going back to gobuster – we’re going to use the dirbuster directory-list-2.3-medium.txt which has more directories to check.
Entering the updated command we see there’s a new folder – portal. Let’s go to that page and see what we get.
Entering this into the URL we see:
Another page. It’s written in Spanish. We see there are three links at the top. Let’s click on the second (Sobre Nosotros) and see what we get.
Nothing to render/view.
But there is something interesting. In the address bar we have a view parameter. Which is pointing to the about-us.html page. Whenever we see a parameter field we should try to do a Local File Inclusion (LFI).
LFI is a vulnerability where you can access the files in the underlying filesystem. Let’s try to access the /etc/passwd file.
In Linux, the /etc/passwd file holds all the users. Let’s try it.
Let’s break this down.
We have five ../. What is this? Well we’re using this (../) to navigate one folder up. Meaning we want to access the parent directory of our current directory. Finally, when we’re at the topmost area of the file system. We’re telling the application to go to /etc/passwd.
Doing this the webpage displays the /etc/passwd file which reveals all of the users!
When you look in the file we see that there is a user named William. That let’s us know our enumeration from the enum4linux command worked correctly.
Now we have the user William, and we can do LFI on this application. What’s our next step.
Well we know that port 22 or SSH is open. We also know there’s a public and private key for all the users to log into the server.
We have a user of William. So we know he’s a valid user. How do we find William’s public and private key?
These keys will be in his home folder.
In Linux, every user has a home folder which allows the user to save files that can only be accessed by them.
With the public and private keys for SSH, we know it’s stored in a hidden directory titled – .ssh and saved in the id_rsa file.
id_rsa is the private key file
id_rsa.pub is the public key file
We don’t want to access the public key file as it’s accessible to EVERYONE. Hence the name.
We want the private key (id_rsa).
Let’s see if we can access this folder through LFI.
Success! We’re able to access the private key. We’re going to need this to log into the SSH server.
First we need to save this key.
To do this, right-click on the file and highlight the text, copy the text.
Open your favorite word browser, and save the contents as id_rsa (the name is important!). Also make sure you know where you saved this file!
After saving the file – let’s do a ls (listing) in the terminal
We see our id_rsa file.
Now let’s try to log in the ssh server.
Enter the command ssh -i id_rsa william@<IP address from netdiscover>. In my case the command will be ssh -i id_rsa email@example.com.
Uh-oh. We can’t log in as the permissions are too permissive or too open.
Press Control-C to get out of the prompt, we’re going to change the permissions of the id_rsa file.
To do this we’re going to enter the command chmod 600 id_rsa.
After entering this command, do a listing (ls) to view the permissions.
For the id_rsa file we see there is rw in the 2nd and 3rd position. These positions belong to the owner. In this case the owner would be parrot (column 4 in the above screenshot).
Now let’s try to log in again.
Success! We’re in the SSH server.
Now let’s do a listing to see what we see
We have the user.txt file. Let’s open it.
Enter the command cat user.txt
We have the user flag. Now to find the root.txt.
How are we going to do this?
Well there’s a few things we can do.
Since this is a Linux system, let’s enter the command sudo -l
This command will see if a user can elevate (or escalate) their privileges without being the root user.
Entering the command we see this program doesn’t exist.
OK, so we can’t use that.
Remember how we had to change the permissions to gain access to the server?
Well I wonder if we can check files that are overly permissive and use one of those files to elevate our privileges.
What command would we use?
The command we enter is find / -perm -u=s -type f 2>/dev/null
Let’s break this down
We’re using the find command
the / specifies we want to start at the top of the file system
-permu=s specifies we want to find users that have the sticky bit on.
What is the sticky bit? Sticky bit in Linux specifies we can run an application as the owner of the file.
We want to access the root.txt, so we know that the superuser root is probably the only user who can access this file.
-type f = specifies we want files
2>/dev/null specifies that any errors go to the /dev/null file.
Entering this command we see:
Most of these files are always there but we have a file that shouldn’t be there /etc/passwd.
Why shouldn’t this file in this list? Well the /etc/passwd file holds all the users in the operating system.
This file is overly permissive. We see we have read, write, and execute.
So what do we do? Add another root user.
How do we do this?
First we need to create a password. We’re going to use the openssl command to create a suitable password for the /etc/passwd file. I’m going to select a password of password. See the screenshot below.
Next, we’re going to add our new user in the /etc/passwd file. How are we going to do this?
We’re going to use the echo command.
Let’s break this line down.
echo is a command in Linux. We’re going to echo what is in quotation marks.
We’re going to create a user of test
Next, we enter the password we created with openssl
Next, we have the numbers of 0 for userid and groupid. 0 represent root.
Next, we have the name of root
Next, we specify the home folder for root which is /root
Next, we have the shell for this user which is the bourne again shell (/bin/bash)
Finally, we’re appending this input to the /etc/passwd
Pressing Enter we are prompt back to the command line
Using the command su (switch user)
and enter our new user of test and password of password
We see that the login was successful.
Entering the whoami command we see that our user is now root. Which means our privilege escalation worked!
Now that we’re root let’s navigate to the /root folder and do a listing
In this post we’re going to solve the Cofveve virtual machine.
Let’s get started
After downloading the virtual machine and starting it we see the following:
Using the netdiscover command we can find the IP that the virtual machine is using
Going back to our attacking machine (I’m using the parrot virtual machine).
Doing an nmap scan with the command – nmap -sV <IP address from netdiscover command>, we see the following
There are three ports that are open – ssh, and two http ports.
When http ports are opened the next step is to try to do a recursive brute force attacks to find hidden directories.
We’re going to use two programs – dirb and gobuster.
Doing the dirb of port 80, we get:
Using gobuster we see:
We see that both of the programs did not return anything.
Let’s try to the following programs with the 31337 port, let’s start
We see five files – a robots.txt, and four hidden files (start with .)
The robots.txt gives information about sites that should not be crawled by the internet. This is useful as it will give us files or directories (folders) to review to get more information.
Going to the robots.txt we see:
Hmm, there are three directories that are disallowed. Let’s try to go to them.
Let’s start with taxes. When navigating there we see:
We found the first flag!
Going to the second directory .bashrc we see
Hmm, it’s a file, let’s save it.
Going to the last directory of .profile we see
Another file to save.
Going back to either dirb or gobuster results we have one more directory, .ssh.
This is strange. The .ssh which is hidden should not be exposed on the internet. This folder has information about how to login into the system. Such information is a private key (which only the user should know) public key (which everyone knows), as well as other things.
Going to this folder we see:
We see three items, which look like additional files.
Let’s see if we can navigate to these files.
Navigating to the first item, id_rsa we see:
Another file, so let’s save it.
Let’s try the second file – authorized_keys. Going there we see:
Another file, let’s save it.
Finally, let’s go to the third item – id_rsa.pub
Now that we saved everything let’s go back to our virtual machine and open the files.
First, let’s open the id_rsa.pub file. This file is the public key that is part of a pair. The other pair is the private key. As the name suggests only the user should know their private key and not expose it to anyone else. The public key can be exposed to everyone.
Opening the file we see:
We see a ssh-rsa. RSA is a cryptographic algorithm. Looking at the end of the file we see a valid user – simon@covfefe. We need to save this user as we will need it later.
Opening the id_rsa file we see:
This file is the private key to log into the SSH server as Simon! This is bad, as I said before this file should NOT be exposed as Simon private key should only be known by him only.
Opening the authorized_keys file it has the same content as the id_pub
How can we use this information?
We know a user (simon@covfefe) and a private key.
Well we can log into the ssh server.
We can use the command ssh -i id_rsa simon@covfefe
Let’s break this down.
We’re logging into the SSH server, specifying a file id_rsa (Simon’s private key) and the user of Simon
We get the following output:
Uh oh – we received an error:
The private key is too open. We need to change the make it less accessible. To do this we’re going to change the permissions from 644 to 600. What this will do is give access to the owner in this case parrot (which is us).
To do this we will use the command chmod 600 id_rsa
Trying to log in again we have the following:
We need a passphrase… which we don’t have. How do we get this?
Doing a good ol’ Google search of cracking passphrase for id_rsa we see the following link
We see there’s a command ssh2john which can be used to crack the passphrase. Let’s do it!
First, we located where the ssh2john command lives in the file system. Next, we’re going to create a hash using ssh2john. We’re going to use this for the next step.
Next, we’re going to send our hash to john which will be used to crack it. We’re going to use the wordlist rockyou.txt which is a common wordlist used to crack passwords. Doing so, we found our passphrase – starwars.
Running our SSH command again, we enter the passphrase of starwars and we’re in the system!
Doing a long listing and showing all of the files (ls -la) we see the files we found before when brute forcing the directories. Let’s look at the .bash_history. This file is good to review as it will let you know commands that were executed on the machine.
Opening this file we see a read_message and then exit. What is read_message? Is this a program?
Executing the read_message we get a prompt. Let’s enter the name Simon. We received a message stating this is is a private messaging system and the source code is in the root directory.
Navigating to the root directory and doing a long listing with all the files (ls -la) we see there’s a read_message.c file, and flag.txt!
Opening the flag.txt file we see a permission denied :-(. Looking at the long listing again this file (flag.txt) can only be accessed the owner, which in this case is root (column 4). I am the user Simon, so I can’t view the file.
Opening the read_message.c file, we see source code, and… the second flag!
And it’s giving us a hint – we need to review the source code.
Looking at the source code we have a buffer (buf) that is holding 20 characters and is executing another file program which is pointing to /usr/local/sbin/message. Whenever we see buf we need to think of buffer overflows.
Buffer overflows are a vulnerability where you overflow the input to access other parts of the computer system. In this case, since we have a holding space of 20 characters – we’re going to overload the buffer with characters OVER 20 characters. Also we’re going to try to change the shell to /bin/sh <— bourne shell. We’re going to change the shell to escalate the user. Changing from Simon to root. We need to be root to open the flag.txt file.
Let’s try it.
Running the commands id and whoami we see we’re root!
Now let’s open the flag.txt and see what’s in the file.