Madness
Reconnaissance
Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn).
Detailed nmap scan:
Command Breakdown:
(-sV): Service version
(-sC): Default nmap scripts
(-p): Specifying ports 22,80
(-oN nmap): Saving it into a file called nmap
Enumeration
Let's visit the website.
It's an Apache 2 default page, so let's run gobuster to find hidden directories.
Looking at the page, there is a broken image. Let's see what it is in the source code.
We have an image, so let's look at it.
It looks like the image has errors and we cannot view it, so let's download it to our machine using wget.
Let's look at the header of the image, since something is wrong with the file and the header may tell us what.
Oh, that's strange: this is a jpg file, but it has a PNG header. Let's change it using hexeditor.
Looking at the header, it is that of a PNG file; the reference for this is here. The bytes that are supposed to be at the start of a JPEG are these.
Let's change them.
From this
To this
Now let's save it with Ctrl + x and hit Enter. Now let's look at the image.
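As an added example (not from the original writeup), a small Python check for the header mismatch described above: it classifies a file by its magic bytes rather than by its extension, and repairs a JPEG whose first 8 bytes were overwritten with the PNG signature. It assumes the JFIF layout (FF D8 FF E0 00 10 "JFIF\0") and that only the 8 signature bytes were changed, which it verifies before writing anything.

```python
# Added example, not the writeup's own code: sniff an image by its magic
# bytes and repair a JPEG whose signature was pasted over with a PNG one.
from pathlib import Path

PNG_SIG = b"\x89PNG\r\n\x1a\n"                     # 8-byte PNG signature
JFIF_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"  # SOI + APP0 + "JFIF\0"
JPEG_EOI = b"\xff\xd9"                             # end-of-image marker


def sniff(data: bytes) -> str:
    """Classify by signature, ignoring whatever the file name claims."""
    if data.startswith(PNG_SIG):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    return "unknown"


def claimed_type(name: str) -> str:
    ext = Path(name).suffix.lower().lstrip(".")
    return {"jpg": "jpeg", "jpeg": "jpeg", "png": "png"}.get(ext, "unknown")


def header_mismatch(name: str, data: bytes) -> bool:
    """True when extension and magic bytes disagree (the clue in the writeup)."""
    return claimed_type(name) != sniff(data)


def repair_jpeg_header(data: bytes) -> bytes:
    """Assumption: only the first 8 bytes were overwritten with PNG_SIG, so the
    tail of the JFIF header ("IF\\0") must still be present at offset 8."""
    if not data.startswith(PNG_SIG):
        raise ValueError("no PNG signature to replace")
    if data[8:11] != JFIF_HEADER[8:11]:
        raise ValueError("bytes after the signature are not a JFIF remnant")
    if not data.endswith(JPEG_EOI):
        raise ValueError("no JPEG end-of-image marker; truncated or not a JPEG")
    return JFIF_HEADER[:8] + data[8:]


def check_and_repair(path: str) -> str:
    """Report a clean file, or write <name>.fixed.jpg next to a repaired one."""
    data = Path(path).read_bytes()
    if not header_mismatch(path, data):
        return f"{path}: header matches extension ({sniff(data)})"
    out = Path(path).with_suffix(".fixed.jpg")
    out.write_bytes(repair_jpeg_header(data))
    return f"{path}: wrote repaired JPEG to {out}"


if __name__ == "__main__":
    import sys
    print(check_and_repair(sys.argv[1]))
```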
We have a hidden directory, so let's go check it out.
It looks like we need to guess the secret, so let's look at the source code.
So it is a number between 1 and 100. Let's write a simple Python script to print all 100 numbers and save them to a file we can load into Burp Suite, so that we can use Intruder to find the right number. First, the Python script.
Now let's print the numbers and save them into a file called nums.txt.
Now let's load up Burp, capture the request, and send it to Intruder.
Now let's go to the Positions tab in Intruder and add the parameter. Select the number one and click this option.
This marks the position we want to attack. Now let's go to the Payloads tab and load the nums.txt file.
Now let's start the attack. Looking through the output, there is one response with a different length.
The number is 73, so let's now send this number in the secret parameter.
It looks like a cipher, so let's decrypt it. Well, I spent time decrypting it but got nowhere, so let's look at the image file and see if it has something else.
It asked for a password, so I gave the text we just found.
Let's read this file.
We have a username, but it looks like a cipher, so let's crack it with CyberChef.
We have the username.
Now we do not have a password, as the password we found before does not work. Since this room is a steganography challenge, let's download the image from the TryHackMe room.
Now let's look for information using steghide. Just hit Enter for the password.
Now let's read the password.txt file.
We have a password, so let's log in through SSH.
We can read the user.txt file.
Privilege Escalation
Let's look at the SUID bits.
These files are interesting, so let's look for exploits on them. Looking for it on Google, I found this.
Let's copy it from searchsploit.
Let's copy the code in the file to a file called exploit.sh on the victim machine.
Once copied, make the file executable and run the exploit.
We are root, so we can read the root flag.