Madness

Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn):

nmap -Pn 10.10.112.81

Detailed Nmap scan:

Command Breakdown:

  • (-sV): Service version detection

  • (-sC): Run the default nmap scripts

  • (-p): Specify ports 22 and 80

  • (-oN nmap): Save the output to a file called nmap

nmap -sV -sC -p 22,80 -oN nmap 10.10.112.81

Enumeration

Let's visit the website.

It's an Apache 2 default page, so let's run gobuster to find hidden directories.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.112.81/

Looking at the page, there is a broken image; let's see what it is in the source code.

We have an image; let's look at it.

It looks like the image has errors and cannot be displayed, so let's download it to our machine using wget.

wget http://10.10.112.81/thm.jpg

Let's look at the image's header, since there is something wrong with the file and the header may tell us what.

That's strange: this is a JPG file, but it has a PNG header. Let's change it using hexeditor.

hexeditor thm.jpg

Looking at the header, it is that of a PNG file (the file signature reference is linked here). The bytes that are supposed to be at the start of a JPG file are these:

Let's change it.

From this:

To this:

Now save it with Ctrl+X and hit Enter, then look at the image again.
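The hex edit above is a manual version of a check that file-type validators and forensic triage tools do automatically: compare the extension a file claims against its magic bytes. The following is an added example for this write-up, not code from the room or its author. It builds a constructed fake JFIF file, corrupts it the same way thm.jpg was (the assumption here is that exactly the first eight bytes, the length of the PNG signature, were overwritten), flags the extension/signature mismatch, and restores the JPEG prefix only if the bytes that follow still complete a plausible "JFIF" header.

```python
"""Detect a mismatch between a file's extension and its magic bytes, and
repair a JPEG whose leading bytes were overwritten with the PNG signature.
Added example for this write-up; the sample file below is constructed."""
import os
import tempfile

# Well-known file signatures (magic bytes) found at offset 0.
PNG_SIGNATURE = bytes.fromhex("89504E470D0A1A0A")   # 8 bytes
JPEG_SOI = b"\xFF\xD8\xFF"                           # JPEG Start Of Image marker
# Canonical start of a JFIF JPEG: SOI, APP0 marker, segment length 0x0010, "JFIF\0"
JFIF_HEADER = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00"

SIGNATURES = {
    "png": PNG_SIGNATURE,
    "jpeg": JPEG_SOI,
    "gif": b"GIF8",
    "pdf": b"%PDF",
    "elf": b"\x7fELF",
}
EXT_TO_TYPE = {".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif", ".pdf": "pdf"}


def sniff_type(data: bytes):
    """Return the file type implied by the magic bytes, or None if unknown."""
    for name, sig in SIGNATURES.items():
        if data.startswith(sig):
            return name
    return None


def check_extension(path: str):
    """Return (claimed, actual) types; a mismatch is the anomaly worth flagging."""
    claimed = EXT_TO_TYPE.get(os.path.splitext(path)[1].lower())
    with open(path, "rb") as f:
        head = f.read(16)
    return claimed, sniff_type(head)


def repair_jpeg_with_png_signature(data: bytes) -> bytes:
    """Undo the specific corruption seen in this room.
    Assumption: exactly the first len(PNG_SIGNATURE) bytes of a JFIF file were
    overwritten with the PNG signature. Refuses to touch anything else."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("file does not start with the PNG signature")
    n = len(PNG_SIGNATURE)
    fixed = JFIF_HEADER[:n] + data[n:]
    # Sanity check: the untouched bytes must complete "JFIF\0", otherwise our
    # assumption about the corruption is wrong and we should not guess further.
    if fixed[: len(JFIF_HEADER)] != JFIF_HEADER:
        raise ValueError("remaining bytes do not look like a JFIF header; not repairing")
    return fixed


def demo():
    """Build a constructed fake JPEG, corrupt it the way thm.jpg was, detect, repair."""
    good = JFIF_HEADER + b"\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\xFF\xD9"
    bad = PNG_SIGNATURE + good[len(PNG_SIGNATURE):]
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "thm.jpg")           # constructed sample, not the room's file
        with open(p, "wb") as f:
            f.write(bad)
        claimed, actual = check_extension(p)
    repaired = repair_jpeg_with_png_signature(bad)
    return claimed, actual, sniff_type(repaired), repaired == good


if __name__ == "__main__":
    print(demo())  # ('jpeg', 'png', 'jpeg', True)
```

The sanity check is the important part: a repair tool that blindly writes `FF D8 FF E0` over any file is just another way to corrupt evidence, so it only proceeds when the bytes it did not touch confirm the expected layout.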

We have a hidden directory; let's go check it out.

Looks like we need to guess the secret; let's look at the source code.

So it is a number between 1 and 100. Let's write a simple Python script that prints all 100 numbers and save the output in a file we can load into Burp Suite, so that Intruder can find the right number. First, the Python script:

Now let's run it and save the output into a file called nums.txt.

Now let's load up Burp, capture the request, and send it to Intruder.

Now let's go to the Positions tab in Intruder and add the parameter: select the number 1 and click this option.

This marks the position we want to attack. Now let's go to the Payloads tab and load the nums.txt file.

Now let's start the attack. Looking through the output, there is one number whose response length is different.

The number is 73; let's now send this number in the secret parameter.
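Seen from the web server, the Intruder run above is one client sending a hundred requests to the same path with a single parameter walking through sequential values, and the "right" value is the one whose response size differs from all the others. The script below is an added example (not from the room or its author) that finds exactly that pattern in Apache combined-format access logs. The log lines are constructed, and the `/hidden/` path is a placeholder; the real directory name is not part of this example.

```python
"""Flag clients that enumerate one query parameter on one path, and report the
value whose response size stood out (the server-side view of the Intruder run).
Added example; log lines are constructed and the path is a placeholder."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache combined log format, up to the response size field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    rec["params"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def find_enumeration(lines, min_distinct=20):
    """Group requests by (client, path, parameter). Report every group where one
    client tried at least `min_distinct` distinct values, together with the
    values whose response size differs from the most common size."""
    groups = defaultdict(dict)  # (ip, path, param) -> {value: response size}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for param, value in rec["params"].items():
            groups[(rec["ip"], rec["path"], param)][value] = rec["size"]

    findings = []
    for (ip, path, param), values in groups.items():
        if len(values) < min_distinct:
            continue
        by_size = defaultdict(list)
        for value, size in values.items():
            by_size[size].append(value)
        common = max(by_size, key=lambda s: len(by_size[s]))
        outliers = sorted(v for s, vs in by_size.items() if s != common for v in vs)
        findings.append({"ip": ip, "path": path, "param": param,
                         "attempts": len(values), "outlier_values": outliers})
    return findings


def sample_log():
    """Constructed log: 10.0.0.5 walks secret=1..100 and only value 73 returns a
    different size; 10.0.0.9 makes a single ordinary request."""
    lines = []
    for i in range(1, 101):
        size = 1337 if i == 73 else 1204
        lines.append(f'10.0.0.5 - - [10/Oct/2023:12:00:{i % 60:02d} +0000] '
                     f'"GET /hidden/?secret={i} HTTP/1.1" 200 {size}')
    lines.append('10.0.0.9 - - [10/Oct/2023:12:05:00 +0000] '
                 '"GET /hidden/?secret=4 HTTP/1.1" 200 1204')
    return lines


if __name__ == "__main__":
    for f in find_enumeration(sample_log()):
        print(f)
```

Grouping on (client, path, parameter) rather than on raw URL is what makes the pattern visible: each individual request looks like ordinary traffic, and only the count of distinct values from one source, plus the single response that differs in size, reveals the guessing run.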

Looks like a cipher; let's decrypt it. Well, I spent time decrypting it but got nowhere, so let's look at the image file and see if it has something else.

steghide --extract -sf thm.jpg

It asked for a password, so I gave it the text we just found.

Let's read this file.

We have a username, but it looks like a cipher; let's crack it with CyberChef.

We have the username.

We still do not have a password, as the one we found before does not work. Since this room is a steganography challenge, let's download the image from the TryHackMe room page.

Now let's look for information using steghide. Just hit Enter for the password.

Now let's read the password.txt file.

We have a password; let's log in through SSH.

We can read the user.txt file.

Privilege Escalation

Let's look at the SUID bits.
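Listing setuid binaries (the usual command is `find / -perm -4000 -type f 2>/dev/null`) is the same check a defender runs, with one extra step: compare the list against a known-good baseline so that an unexpected setuid file, or a changed mode on a known one, stands out. The following is an added example written for this write-up, not the room's or its author's code. It walks a constructed directory tree under a temporary directory so it runs without root, and the baseline is a constructed one-entry list.

```python
"""Audit a directory tree for setuid/setgid regular files and diff the result
against a known-good baseline. Added example; the tree and baseline are
constructed inside a temporary directory so this runs unprivileged."""
import os
import stat
import tempfile


def find_suid(root):
    """Return {relative path: octal mode} for regular files with setuid or setgid set."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)          # lstat: do not follow symlinks
            except OSError:
                continue                  # unreadable entries are skipped, not fatal
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found[os.path.relpath(p, root)] = oct(stat.S_IMODE(st.st_mode))
    return found


def diff_against_baseline(current, baseline):
    """A setuid file not in the baseline is what an attacker or a rogue package
    added; a baseline entry missing from current was removed; a mode change on a
    known binary is also worth a look."""
    cur, base = set(current), set(baseline)
    return {
        "new": sorted(cur - base),
        "removed": sorted(base - cur),
        "mode_changed": sorted(p for p in cur & base if current[p] != baseline[p]),
    }


def demo():
    """Constructed tree: an expected setuid 'passwd', a plain 'ls', and a surprise
    setuid file under tmp/. Returns the audit result and the baseline diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr/bin"))
        os.makedirs(os.path.join(root, "tmp"))
        expected = os.path.join(root, "usr/bin/passwd")   # constructed, not the real binary
        plain = os.path.join(root, "usr/bin/ls")
        surprise = os.path.join(root, "tmp/backup")
        for p in (expected, plain, surprise):
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\n")
        os.chmod(expected, 0o4755)
        os.chmod(plain, 0o755)
        os.chmod(surprise, 0o4755)
        current = find_suid(root)
    baseline = {"usr/bin/passwd": "0o4755"}   # constructed known-good list
    return current, diff_against_baseline(current, baseline)


if __name__ == "__main__":
    current, report = demo()
    print(current)
    print(report)
```

Run against a real host, `find_suid("/")` replaces the scratch tree and the baseline comes from a clean install or the distribution's package manifests; the interesting output is almost always the `new` list.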

These files are interesting; let's look for exploits for them. Searching on Google, I found this.

Let's copy it from searchsploit.

Let's copy the code in that file to a file called exploit.sh on the victim machine.

Once copied, make the file executable and run the exploit.

We are root and can read the root flag.
