Hello. I’m Rahmos. Here is my Year of the Rabbit — TryHackMe — Writeup. Check it out!
First, deploy the machine and run nmap to find open ports.
nmap -A -T5 -v <ip>
As port 80 (HTTP) is open, let’s access its website. It’s a default Apache page. Press Ctrl+U to view the page source, but there’s nothing valuable for us there.
So let’s use dirbuster to search for hidden dirs.
I found /assets with response code 200. Let’s access it.
Well, there is an mp4 video and a style.css file. Let’s take a look at the style.css.
Here we found another hidden dir. Access it.
So maybe there are other hidden dirs in this subdirectory. Use dirbuster again, but this time start searching from /sup3r_s3cret_fl4g/. However, there are no hidden dirs there. So let’s try another way.
This time, use Burp Suite to intercept the request and see where it redirects us. Note that the URL changed from s3cr3t to s3cret when we hit Enter. So maybe there is a trick here!
Here we go! There is another hidden dir. Let’s now access this dir.
There is an image. Use wget to download it and use some file-forensics tools (binwalk, strings) to look for hidden data inside it.
Use binwalk to check if there is any zip file inside:
Absolutely! There is a zip file inside! Let’s also dump all the printable strings inside this image using strings.
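As an added example (not part of this writeup, and not the output of binwalk or strings themselves), here is a small Python script that does the same two checks from a forensics angle: it scans a file for the ZIP local-file-header signature that binwalk reports as "Zip archive data", dumps printable runs the way strings -n does, and carves the embedded archive out. The "image" it analyses is constructed inline (a fake JPEG prefix with a tiny zip appended), so it runs offline.

```python
import io
import re
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # signature binwalk reports as "Zip archive data"


def find_zip_offsets(data: bytes) -> list[int]:
    """Return every offset at which a ZIP local-file-header signature starts."""
    offsets, start = [], 0
    while (idx := data.find(ZIP_LOCAL_HEADER, start)) != -1:
        offsets.append(idx)
        start = idx + 1
    return offsets


def extract_strings(data: bytes, min_len: int = 8) -> list[str]:
    """Mimic `strings -n min_len`: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def carve_zip(data: bytes, offset: int) -> dict[str, bytes]:
    """Read the archive that starts at `offset` and return {member name: content}."""
    with zipfile.ZipFile(io.BytesIO(data[offset:])) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def build_sample_image() -> bytes:
    """Constructed sample: a fake JPEG prefix (SOI + JFIF marker + padding + EOI)
    followed by a small stored (uncompressed) zip, like the image in the room."""
    fake_jpeg = b"\xff\xd8\xff\xe0" + b"JFIF\x00" + b"\x00" * 64 + b"\xff\xd9"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:   # default ZIP_STORED keeps text visible to strings
        zf.writestr("hint.txt", "Constructed password candidates\nPassw0rd-1\nPassw0rd-2\n")
    return fake_jpeg + buf.getvalue()


def analyse(data: bytes) -> dict:
    """Run all three checks and return the findings in one dict."""
    offsets = find_zip_offsets(data)
    return {
        "zip_offsets": offsets,
        "strings": extract_strings(data),
        "members": carve_zip(data, offsets[0]) if offsets else {},
    }


if __name__ == "__main__":
    report = analyse(build_sample_image())
    print("zip found at offsets:", report["zip_offsets"])
    print("strings:", report["strings"])
    for name, content in report["members"].items():
        print(f"--- {name} ---\n{content.decode()}")
```

The signature scan is the same idea binwalk applies with a much larger magic table; the offset it returns is exactly what you would pass to dd or unzip when carving by hand.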
Finally! We’ve got our FTP credentials. Let’s copy all the candidate passwords to a text file and use Hydra to find the correct one.
hydra -l ftpuser -P ftppass ftp://<ip>
*I named my file ftppass, so remember to change it to your file’s name.
After a while we’ve found the correct password:
Log in to FTP using these credentials.
Success! Run ls to list the files and mget * to download all of them to our machine.
Now let’s see the content of this .txt file.
Wait, what is this? Some kind of ancient language? Just copy a line and paste it into Google search, and we learn that this is the Brainfuck programming language. Let’s decode it and get the content. You can use this website:
Now we have our credentials. Log in to SSH with them.
Now we’re in. I tried to look for user.txt inside /home/eli, but it’s not in it. So let’s use find to look for the flag.
find / -name "*.txt" 2>/dev/null
Scroll down to the bottom and you can see that user.txt is in /home/gwendoline. However, we cannot read its content right now, because only gwendoline has permission to read it.
Look at the message from root to Gwendoline: he said he put something in the s3cr3t folder. So let’s find where this folder is.
find / -name "s3cr3t" 2>/dev/null
We found it. Let’s cd into this dir and get our information.
Now we’ve got Gwendoline’s password: MniVCQVhQHUNI. su to her and get our first flag in her home folder.
Now let’s get root. First run sudo -l to see which commands Gwendoline can run as root on this machine.
Uh-oh!! We cannot run sudo as root on this machine! So let’s find another way. Run sudo -V to see the sudo version.
It’s 1.8.10p3. Let’s search Google for CVEs affecting this version. After a while, I found this link:
Privilege escalation in sudo
This security advisory describes one low risk vulnerability. CVSSv3: 6.3…
Following this advisory, run this command:
sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt
After that, press “:” and type !/bin/sh
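From the defender’s side, the two things worth taking away from this step are a version check and a log check. The script below is an added example, not part of the writeup: it parses the sudo -V output seen above, compares it against 1.8.28 (the release that closed the -u#-1 user-id bypass; that version number is stated here from memory, not from the page), and scans syslog-style sudo entries for a target user of #-1 or its unsigned twin #4294967295. The log lines are constructed for the demo and follow the usual sudo syslog layout, which is assumed here rather than taken from the room.

```python
import re

# Assumption (not stated in the writeup): the "-u#-1" bypass was closed in sudo
# 1.8.28. Older versions that rely on a "!root" exclusion in sudoers are exposed.
FIXED_VERSION = (1, 8, 28, 0)


def parse_sudo_version(text: str) -> tuple[int, int, int, int]:
    """Turn the first line of `sudo -V` (e.g. 'Sudo version 1.8.10p3') into a tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        raise ValueError(f"no sudo version found in: {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_exposed(version_text: str) -> bool:
    """True when the reported sudo is older than the fixed release."""
    return parse_sudo_version(version_text) < FIXED_VERSION


# The target-user field sudo writes to syslog; "#-1" and "#4294967295" are the
# signed and unsigned spellings of the same bypass.
SUSPICIOUS_TARGET = re.compile(r"USER=#(?:-1|4294967295)\b")


def find_uid_bypass_attempts(log_lines):
    """Return (line_number, invoking_user, command) for each suspicious sudo entry."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        if "sudo:" in line and SUSPICIOUS_TARGET.search(line):
            user = re.search(r"sudo:\s+(\S+)\s+:", line)
            cmd = re.search(r"COMMAND=(.*)$", line)
            hits.append((n, user.group(1) if user else "?", cmd.group(1) if cmd else "?"))
    return hits


# Constructed sample log in the usual syslog layout sudo uses (format assumed).
SAMPLE_LOG = [
    "Jan 10 10:01:02 rabbit sudo: gwendoline : TTY=pts/0 ; PWD=/home/gwendoline ; "
    "USER=root ; COMMAND=/usr/bin/vi /home/gwendoline/user.txt",
    "Jan 10 10:02:15 rabbit sudo: gwendoline : TTY=pts/0 ; PWD=/home/gwendoline ; "
    "USER=#-1 ; COMMAND=/usr/bin/vi /home/gwendoline/user.txt",
    "Jan 10 10:02:40 rabbit sudo: gwendoline : TTY=pts/0 ; PWD=/home/gwendoline ; "
    "USER=#4294967295 ; COMMAND=/usr/bin/vi /home/gwendoline/user.txt",
    "Jan 10 10:03:00 rabbit sshd[1234]: Accepted password for eli from 10.0.0.5 port 51000 ssh2",
]

if __name__ == "__main__":
    banner = "Sudo version 1.8.10p3"          # the version seen on the box
    print(banner, "-> exposed" if is_exposed(banner) else "-> fixed")
    for line_no, user, cmd in find_uid_bypass_attempts(SAMPLE_LOG):
        print(f"line {line_no}: {user} requested a #-1 target uid for {cmd}")
```

The version check is what a vulnerability scanner does; the log check is what you would wire into a SIEM rule, since a legitimate user never needs to ask for a negative uid.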
Now I’m root! Let’s get our final flag.