Revenge — TryHackMe — WriteUp

TonyRahmos
4 min read · Nov 25, 2020

Hello. I’m Rahmos. Here is my Revenge — TryHackMe — WriteUp. Check it out!

First, let’s download Billy’s message.

[image: Billy’s message]

Well, it looks like he wants me to deface the website! Next up, deploy the machine and run nmap to find open ports.

nmap -A -T4 -p- -v <ip>

[image: nmap output]

Two ports are open: 22 (SSH) and 80 (HTTP). First, let’s access the website.

[image: website]

I’ve checked the page source (Ctrl + U), but there is nothing valuable there. Next, find hidden directories and files using gobuster:

gobuster dir -u http://<ip>:80/ -w /path-to-wordlist

[image: gobuster output]

Let’s access /login:

[image: /login page]

and /admin:

[image: /admin page]

OK, so there are two login pages: one for customers and one for admins. But I don’t have any credentials yet.

Look at the description:

OK, so I’ll use sqlmap to look for SQLi on this website:

sqlmap -u http://<ip>:80/products/1 --batch --current-db

Why /products/1? Because that is where the website loads a product from the database and displays it on the page.

[image: sqlmap output]

After a while, I’ve got the database name: “duckyinc”. Next, use that database name to enumerate the tables inside it:

sqlmap -u http://<ip>/products/1 --batch -D duckyinc --tables

[image: sqlmap output]

And yes, I’ve found 3 tables inside the “duckyinc” database. Let’s dump everything from those 3 tables:

sqlmap -u http://<ip>/products/1 --batch -D duckyinc --dump

Focus on the “user” table and you will see the 1st flag:

Now for the “system_user” table:

[image: system_user table]

I’ve found the server-admin’s credentials. Let’s crack that password hash using john. It’s a bcrypt hash. I’ll copy the hash to a text file called “server_admin.txt”.

john --wordlist=rockyou.txt server_admin.txt

[image: cracked password]

The password has been cracked! Let’s log in at /admin using the credentials:

server-admin : inuyasha

However, I cannot log in! So what’s this password for? Let’s try SSH:

ssh server-admin@<ip>

Enter the password:

[image: ssh session]

And that’s it! Now I’m on the machine. Find the flag:

[image: flag2.txt]

Now I’ll find a way to get root for the 3rd flag. First, run sudo -l to see what server-admin can run with sudo:

Because server-admin is allowed to edit duckyinc.service with sudo, I’ll modify this service to get root:

sudoedit /etc/systemd/system/duckyinc.service

This is the original duckyinc.service:

[image: original duckyinc.service]

This is the modified duckyinc.service:

[image: modified duckyinc.service]

What the modified service does is set the SUID bit on /bin/bash when it starts. Save the file and then:

sudo systemctl daemon-reload

sudo systemctl restart duckyinc.service

Then:

/bin/bash -p

[image: root shell]
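The escalation above works because systemd runs the commands in a unit file as root, so any command added to a unit an unprivileged user can edit runs with root privileges. As an added defensive check that is not part of this writeup, the Python below parses a unit file’s Exec* directives and flags commands that grant a setuid/setgid bit or start a privileged shell; both unit texts are constructed samples, not the room’s actual duckyinc.service.

```python
import re
from typing import List, Tuple

# Constructed sample of a tampered unit (not the real duckyinc.service).
TAMPERED_UNIT = """[Unit]
Description=DuckyInc web service (constructed example)

[Service]
ExecStartPre=/bin/chmod u+s /bin/bash
ExecStart=/usr/bin/python3 /var/www/duckyinc/app.py
User=root
"""

# Constructed sample of a clean unit for comparison.
CLEAN_UNIT = """[Unit]
Description=DuckyInc web service (constructed example)

[Service]
ExecStart=/usr/bin/python3 /var/www/duckyinc/app.py
User=www-data
"""

EXEC_KEYS = ("ExecStartPre", "ExecStart", "ExecStartPost",
             "ExecReload", "ExecStop", "ExecStopPost")
SHELLS = ("/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/bash")
# chmod with a symbolic +s or an octal mode whose first digit sets setuid/setgid.
SETUID_RE = re.compile(r"chmod\s+(?:[ugoa]*\+[rwx]*s|[2467]\d{3})\b")


def parse_exec_lines(unit_text: str) -> List[Tuple[str, str]]:
    """Return (directive, command) pairs from the [Service] section."""
    section, found = None, []
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip() in EXEC_KEYS:
            # Drop systemd's executable prefix characters (-, +, !, @).
            found.append((key.strip(), value.strip().lstrip("-+!@")))
    return found


def scan_unit(unit_text: str) -> List[str]:
    """Flag Exec* commands that set a setuid/setgid bit or run a shell with -p."""
    findings = []
    for key, cmd in parse_exec_lines(unit_text):
        if SETUID_RE.search(cmd):
            findings.append(f"{key}: sets setuid/setgid bit: {cmd}")
        if any(s in cmd for s in SHELLS) and "-p" in cmd.split():
            findings.append(f"{key}: privileged shell invocation: {cmd}")
    return findings
```

Running scan_unit over every file under /etc/systemd/system that a sudoers rule lets a non-root user edit is a quick way to catch this kind of tampering after the fact.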

Now I’m root! Let’s cd to /root and see what’s inside:

[image: /root listing]

Well, there’s no flag here. So I need to deface the website to get the final flag.

First:

cd /var/www/duckyinc/templates

Then edit the “index.html”:

[image: edited index.html]

After that, cd to /root and you will see flag3:

[image: flag3.txt]

The end.

HAPPY HACKING
