Year of the Rabbit

Last updated 3 years ago

Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn) so nmap skips host discovery and scans even if ping is filtered:

nmap -Pn 10.10.165.1

Detailed nmap scan:

Command breakdown:

  • (-sV): Service version detection

  • (-sC): Default nmap scripts

  • (-p): Specifying ports 21,22,80 (the ports the first scan reported open)

  • (-oN nmap): Saving the output into a file called nmap

nmap -sV -sC -p 21,22,80 -oN nmap 10.10.165.1

Enumeration

Let's visit the web server.

It's an Apache2 default page, so let's run gobuster to find hidden directories and pages (gobuster dir needs the target URL passed with -u):

gobuster dir -u http://10.10.165.1 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

We found a directory called /assets, let's go visit it.

There are two files. Let's check the first one, which is an mp4 video file. First we get a message telling us to turn off JavaScript, followed by a redirect to a Rick Astley video. RICK ROLLED!

Let's go turn off JavaScript: navigate to about:config in the browser, search for javascript, and set the javascript.enabled parameter to false.

Looking at the other file, we see something interesting: it points at another page.

Let's visit this page.

Listening to the audio, at second 56 we get the hint: "I'll put you out of your misery... burp... you're looking in the wrong place." They are probably hinting at Burp Suite, so let's use it.

Let's capture the request for this page in Burp with intercept on. After forwarding the request once, the next hop that the browser would have followed silently shows up, and it points somewhere interesting.

It's a directory, so let's go visit it.
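Why Burp shows the directory while the browser does not: the browser follows the redirect on its own, so the intermediate hop never appears in the address bar. The script below is an added example, not part of the original writeup. It starts a throwaway local HTTP server that redirects /start to a hidden directory (the name /WExYY2Cv-qU/ is reused from the wget step later in this writeup; the /start path and the page bodies are made up), then fetches it hop by hop with urllib's redirect following switched off, so every Location header is reported, which is exactly what an intercepting proxy lets you read.

```python
import http.server
import threading
import urllib.error
import urllib.parse
import urllib.request

# Directory name reused from the wget step in this writeup; the /start path
# and the response bodies below are made up for the demo.
HIDDEN_DIR = "/WExYY2Cv-qU/"


class DemoHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for the lab web server: /start answers with a redirect
    that a browser would follow without ever showing you the Location header."""

    def do_GET(self):
        if self.path == "/start":
            self.send_response(302)
            self.send_header("Location", HIDDEN_DIR)
            self.end_headers()
        elif self.path == HIDDEN_DIR:
            body = b"<html><body>(directory listing would be here)</body></html>"
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the demo output clean
        pass


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None here stops urllib from following 3xx responses; the
    redirect then surfaces as an HTTPError that still carries the headers."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def follow_manually(url, max_hops=5):
    """Fetch url one hop at a time. Returns (hops, final_status) where hops
    is the list of (status, Location) pairs an intercepting proxy would show."""
    opener = urllib.request.build_opener(NoRedirect)
    hops = []
    for _ in range(max_hops):
        try:
            with opener.open(url) as resp:
                return hops, resp.status
        except urllib.error.HTTPError as err:
            if err.code in (301, 302, 303, 307, 308) and "Location" in err.headers:
                location = err.headers["Location"]
                hops.append((err.code, location))
                url = urllib.parse.urljoin(url, location)
                continue
            raise
    raise RuntimeError("too many redirects")


def run_demo():
    """Start the throwaway server on an ephemeral port, walk the redirect
    chain from /start, and shut the server down again."""
    server = http.server.HTTPServer(("127.0.0.1", 0), DemoHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return follow_manually(f"http://127.0.0.1:{port}/start")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    hops, status = run_demo()
    for code, location in hops:
        print(f"{code} redirect -> {location}")  # the hop the browser hid from you
    print(f"final response: {status}")
```

Against the real target you would call follow_manually on the page the hint led to instead of run_demo; with urllib's default opener (or a browser) you would land straight on the final page and never see the directory name in between.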

There is one file, let's check it out.

It's a picture. Let's use our steganography skills to see if there is anything hidden in it. First we need to download the file:

wget http://10.10.165.1/WExYY2Cv-qU/Hot_Babe.png

Now let's try steghide and binwalk on the image. Neither found anything, so I just used strings on it:

strings Hot_Babe.png

Scrolling up a bit through the output, I found something interesting.

So we have a username and a password list. Let's copy the password list into a file called password.lst and use hydra to brute-force FTP with the username and the list.
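A check worth running before falling back to strings on a suspicious PNG, added here as an example that is not part of the original writeup: walk the chunk structure, verify each CRC, and pull printable strings from the two places text usually hides in an otherwise valid image, tEXt/zTXt metadata chunks and bytes appended after the IEND chunk. Viewers stop at IEND, which is why a file can look perfectly normal while carrying a credential list. The writeup does not say where in Hot_Babe.png the list sat, so the sample image is constructed in the code; the username ftpuser is from the writeup, but the passwords in the sample trailer are made up.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunks(data):
    """Walk the chunk stream of a PNG.

    Returns (chunks, trailing): chunks is a list of (type, payload) in file
    order, trailing is every byte after the IEND chunk. A viewer stops at
    IEND, so trailing data is invisible to the image but visible to strings.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    chunks = []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError(f"truncated {ctype!r} chunk at offset {pos}")
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        # A CRC mismatch means the chunk itself was edited, not just appended to.
        if zlib.crc32(ctype + payload) != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk at offset {pos}")
        chunks.append((ctype.decode("ascii"), payload))
        pos = end
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def printable_strings(blob, min_len=4):
    """Same idea as the strings command: runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, blob)]


def hidden_text(png_bytes, min_len=4):
    """Collect printable strings from tEXt/zTXt chunks and from any bytes
    after IEND. Returns (chunk_types, strings_found)."""
    chunks, trailing = png_chunks(png_bytes)
    found = []
    for ctype, payload in chunks:
        if ctype == "tEXt":
            keyword, _, text = payload.partition(b"\x00")
            found.extend(printable_strings(keyword + b": " + text, min_len))
        elif ctype == "zTXt":
            keyword, _, rest = payload.partition(b"\x00")
            # rest[0] is the compression method byte (0 = deflate), then the stream
            found.extend(printable_strings(keyword + b": " + zlib.decompress(rest[1:]), min_len))
    found.extend(printable_strings(trailing, min_len))
    return [ctype for ctype, _ in chunks], found


def make_chunk(ctype, payload):
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload)))


def build_sample_png(trailer=b"", text_chunks=()):
    """Constructed 1x1 greyscale PNG, optionally with tEXt chunks, with
    `trailer` appended after IEND. This is not the lab image."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit greyscale
    idat = zlib.compress(b"\x00\x80")                    # filter byte 0 + one pixel
    png = PNG_SIG + make_chunk(b"IHDR", ihdr)
    for keyword, text in text_chunks:
        png += make_chunk(b"tEXt", keyword + b"\x00" + text)
    png += make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b"")
    return png + trailer


# Constructed stand-in for what strings pulled out of Hot_Babe.png: the
# username ftpuser is from the writeup, the passwords are made up.
SAMPLE_TRAILER = b"Dear ftpuser, here are some passwords:\nhunter2\nP@ssw0rd!\nrabbit2020\n"

if __name__ == "__main__":
    sample = build_sample_png(SAMPLE_TRAILER, text_chunks=[(b"Comment", b"made with gimp")])
    types, found = hidden_text(sample)
    print("chunks:", " ".join(types))
    for s in found:
        print("found:", s)
```

Run it against the downloaded image with hidden_text(open("Hot_Babe.png", "rb").read()); the chunk list tells you whether the image is structurally intact, and anything reported from the trailing bytes is data no viewer will ever render.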

Exploitation

hydra -l ftpuser -P password.lst 10.10.165.1 ftp

We found the password, so let's log in through FTP:

ftp 10.10.165.1

We are logged in, let's list the files.

Looks like there is a text file, let's transfer it to our machine (the name is quoted because of the apostrophe):

get "Eli's_Creds.txt"

Let's read the file.

I don't understand this code, so let's put it in a tool that does understand it.

Now we have a password, let's use it to log in through SSH with the username we found too:

ssh eli@10.10.165.1

We are logged in, and there is a message waiting for us. The user flag is here but we are not allowed to read it, so we have to escalate privileges.

The login message mentions a leet s3cr3t hiding place with a hidden message waiting for us. Let's find it with this command:

find / -name s3cr3t 2>/dev/null

It's a directory, so let's change into it:

cd /usr/games/s3cr3t

Let's list the files in the directory and read the file we find there.

Looks like we have the password for the user gwendoline, so let's switch users:

su gwendoline

We can now read the user.txt file.

Privilege Escalation

Let's run sudo -l to see what this user can run through sudo:

sudo -l

Looks like we can run /usr/bin/vi /home/gwendoline/user.txt through sudo, and I found this article that explains very well what to do. The trick relies on a sudo bug fixed in 1.8.28 (CVE-2019-14287): asking for user ID -1 with -u#-1 makes older versions run the command as root, which is the bypass for a rule that allows every user except root. If it fails, check sudo --version first. First we use the command:

sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt

And then, from inside vi, we use this command to drop into a shell:

:!/bin/bash

And you are now root.

We can read the root flag.