Hello. I’m Rahmos. Here is my NerdHerd — TryHackMe — Writeup. Check it out!
First, deploy the machine and scan for open ports with nmap:
nmap -A -T4 -p- -v <ip>
So there are 5 open ports: 21 (FTP), 22 (SSH), 139 and 445 (SMB), 1337 (HTTP).
As FTP allows anonymous login, let’s log in and get the files inside:
I found an image and a txt file inside .jokesonyou. Get all the files using the mget command.
Let’s see the content of the txt file:
Read metadata of the image:
The owner name seems very suspicious. Googling this name, I found this link:
In order to decrypt this Cipher, I need the “key”.
I will find the key later. “leet” is “1337”, which is the HTTP port. So let’s access its website:
Well, it looks like it was hacked by XSS. Press “OK”:
View page source (Ctrl+U):
So it’s not XSS, but just a function. Let’s see the YouTube link:
It’s a song called “Surfin Bird”. Look at its lyrics:
The word “bird” is repeated many times. Maybe it’s the key to decrypt the cipher text above? Let’s try:
YES, it is! But it’s not fully decoded. What about “birdistheworld”?
Finally it’s fully decoded! Now I’ve got another hint.
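To show why “bird” only partially decoded the message while “birdistheworld” decoded it fully, here is an added example (not code from the writeup or the room): a small Vigenère-style decoder run with both keys. It assumes the challenge cipher is a repeating-key letter-shift cipher, which matches the behaviour described above; the plaintext and ciphertext are constructed here, not the room’s.

```python
import string

ALPHA = string.ascii_lowercase

# Keys from the writeup: the short key that half-worked and the full key.
SHORT_KEY = "bird"
FULL_KEY = "birdistheworld"

# Constructed sample plaintext (the real challenge ciphertext is not quoted here).
PLAINTEXT = "the key is the whole phrase not just one word"


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift each letter of text by the matching key letter (Vigenere).

    Non-letters are copied through without consuming a key position, so the
    key index always tracks letters only.
    """
    shifts = [ALPHA.index(k) for k in key.lower() if k in ALPHA]
    out, i = [], 0
    for ch in text:
        if ch.lower() not in ALPHA:
            out.append(ch)
            continue
        shift = shifts[i % len(shifts)]
        if decrypt:
            shift = -shift
        new = ALPHA[(ALPHA.index(ch.lower()) + shift) % 26]
        out.append(new.upper() if ch.isupper() else new)
        i += 1
    return "".join(out)


def letters_correct(candidate: str, plaintext: str) -> tuple:
    """Return (matching_letters, total_letters) between a decryption attempt
    and the true plaintext; spaces and punctuation are ignored."""
    pairs = [(c, p) for c, p in zip(candidate, plaintext) if p.isalpha()]
    return sum(c == p for c, p in pairs), len(pairs)


# Constructed ciphertext: the sample plaintext enciphered under the full key.
CIPHERTEXT = vigenere(PLAINTEXT, FULL_KEY)

if __name__ == "__main__":
    # "bird" is a prefix of the full key, so only letter positions where the
    # two key streams coincide (every 28 letters: 4 in a row, then 1) come out right.
    for key in (SHORT_KEY, FULL_KEY):
        attempt = vigenere(CIPHERTEXT, key, decrypt=True)
        ok, total = letters_correct(attempt, PLAINTEXT)
        print(f"key={key!r:18} {ok:2}/{total} letters right: {attempt}")
```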
Now I’ll scan for hidden dirs using gobuster:
gobuster dir -u http://<ip>:1337 -w /path-to-wordlist
Again, view the page source:
Decode this string from Base64; you can use this link:
Well, I can only decode the username; the password is in an invalid format.
Up to now, the hints I’ve known are:
Now let’s see which folder is shared on SMB:
smbclient -L //<ip>
A folder named “nerdherd_classified” is shared. Let’s try to access it:
smbclient //<ip>/nerdherd_classified
However, I cannot access it right now. Next, I’ll use a script called “enum4linux” to enumerate more on this machine:
I’ve found another username: chuck
Let’s try logging in to SMB as chuck:
smbclient //<ip>/nerdherd_classified -U chuck
So chuck is the real username! Now what I need to find is chuck’s password. Let’s try all the hints above, and I’ve found the password.
Move around to view files:
Get the txt file and view its content:
Access the hidden dir:
Now I’ve got the SSH credentials. Log in to SSH as chuck:
And I’m in! Get the 1st flag:
Now I’ll find a way to own root and get the 2nd flag. First, let’s use the find command to look for SUID binaries:
find / -perm -u=s 2>/dev/null
Well, nothing useful. Next, try sudo -l to see if chuck can run sudo:
Chuck cannot run sudo either.
Check kernel version: uname -a
It’s from 2016, which means it’s really old. Looking on Google for an exploit, I found this link. It’s written in C, and gcc exists on the target machine:
So, let’s transfer this exploit to the machine, compile and run! Start an HTTP server on your machine:
python3 -m http.server 9000
Then from the target machine:
The exploit code has been transferred. Compile using gcc:
gcc exploit.c -o exploit
chmod +x exploit
Now I’m root! Let’s get the 2nd flag:
Wait, it’s not the flag! I will find all .txt files that are owned by root:
find / -name '*.txt' -user root 2>/dev/null
Well it’s in /opt. Get the flag!
Now it’s time for the final flag. Look at the hint: it’s something about “memories”. So maybe it’s about history? Let’s read the .bash_history inside the root folder: