Year of the Rabbit — TryHackMe — Writeup

Hello. I’m Rahmos. Here is my Year of the Rabbit — TryHackMe — Writeup. Check it out!

First, deploy the machine and run nmap to look for open ports.

nmap -A -T5 -v <ip>

As port 80 (HTTP) is open, let’s access its website. It’s a default Apache page. Press Ctrl+U to view the page source, but there’s nothing valuable for us there.

So let’s use dirbuster to search for hidden dirs.

I found /assets with response code 200. Let’s access it.

Well, there is an mp4 video and a style.css file. Let’s take a look at style.css.

Here we found another hidden dir. Access it.

It told us to turn off JavaScript. So if you’re using Firefox like me, type about:config in your search bar, search for javascript, and double-click javascript.enabled to disable JavaScript.

After disabling JavaScript, the site became like this:

So maybe there are other hidden dirs in this subdirectory. Use dirbuster again, but this time start searching from /sup3r_s3cret_fl4g/. However, there are no hidden dirs. So let’s try another way.

This time use Burp Suite to intercept the request and see where it leads us. Note that the URL changed from s3cr3t to s3cret when we hit Enter, so maybe there is a trick here!

Here we go! There is another hidden dir. Let’s now access this dir.

There is an image. wget this image and use some file-analysis tools to get hidden data out of it.

Use binwalk to check if there is any zip file inside:

binwalk Hot_Babe.png

Absolutely! There is a zip file inside! Let’s try to get all the strings inside this image using strings.

strings Hot_Babe.png

Finally! We’ve got our FTP credentials. Let’s copy all the passwords to a txt file and use Hydra to find the correct one.

hydra -l ftpuser -P ftppass ftp://<ip>

*I named my file ftppass. So remember to change it to your file’s name.

After a while we’ve found the correct password:

Log in to FTP using these credentials.

Success! Use ls to list the files and mget * to download all of them to our machine.

Now let’s see the content of this .txt file.

Wait, what is this? Some kind of ancient language? Just copy a line and paste it into Google search, and we learn that this is the Brainfuck programming language. Let’s run it through an interpreter to decode it and get the content. You can use this website:

https://www.dcode.fr/brainfuck-language

Now we have our credentials. Log in to SSH with them.

ssh eli@<ip>

Now we’re in. I tried to look for user.txt inside /home/eli, but it’s not in it. So let’s use find to look for the flag.

find / -name "*.txt" 2>/dev/null

Scroll down to the bottom and you can see that user.txt is in /home/gwendoline. However, we cannot read its content right now, because only gwendoline has permission to read it.

Look at the message from root to Gwendoline: he says he put something in the s3cr3t folder. So let’s find where this folder is.

find / -name "s3cr3t" 2>/dev/null

We found it. Let’s cd to this dir and get our information.

Now we’ve got Gwendoline’s password: MniVCQVhQHUNI. su to her and get our first flag in her home folder.

Now let’s get root. First run sudo -l to see which commands Gwendoline can run as root on this machine.

Uh-oh!! We cannot run sudo as root on this machine! So let’s find another way. Run sudo -V to see the sudo version.

It’s 1.8.10p3. Let’s search Google for CVEs affecting this version. After a while, I found this link:

Following this reference, run this command:

sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt

After that, press “:” and type !/bin/sh

Now I’m root! Let’s get our final flag.
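To spot the `sudo -u#-1` invocation above from the defender's side, here is an added example (not part of the original writeup) that scans sudo log entries for a numeric run-as ID of -1 or 4294967295. The log layout, the host name and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumed layout: sudo's usual syslog entry,
#   "<ts> <host> sudo: <invoker> : TTY=... ; PWD=... ; USER=<runas> ; COMMAND=<cmd>"
SUDO_ENTRY = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<invoker>\S+)\s+:.*?"
    r"USER=(?P<runas>\S+)\s*;\s*COMMAND=(?P<command>.*)$"
)

# -1 and its unsigned 32-bit wrap-around. Depending on the sudo build, the log
# may render the target as "#-1", "#4294967295" or "4294967295", so all are checked.
WATCHED_UIDS = {-1, 4294967295}


def is_watched_runas(runas: str) -> bool:
    """True if the run-as target is a numeric ID equal to -1 or 4294967295."""
    text = runas[1:] if runas.startswith("#") else runas
    try:
        return int(text) in WATCHED_UIDS
    except ValueError:  # ordinary user names such as "root"
        return False


def find_runas_uid_abuse(lines):
    """Return (invoker, runas, command) for each sudo entry with a watched ID."""
    hits = []
    for line in lines:
        m = SUDO_ENTRY.search(line.rstrip("\n"))
        if m and is_watched_runas(m.group("runas")):
            hits.append((m.group("invoker"), m.group("runas"), m.group("command")))
    return hits


# Constructed sample entries (not captured from the target machine).
SAMPLE_LOG = [
    "Jan 23 10:01:12 host sudo:      eli : TTY=pts/0 ; PWD=/home/eli ; USER=root ; COMMAND=/usr/bin/id",
    "Jan 23 10:04:40 host sudo: gwendoline : TTY=pts/1 ; PWD=/home/gwendoline ; USER=#-1 ; COMMAND=/usr/bin/vi /home/gwendoline/user.txt",
    "Jan 23 10:05:02 host sudo: gwendoline : TTY=pts/1 ; PWD=/home/gwendoline ; USER=#4294967295 ; COMMAND=/usr/bin/vi /home/gwendoline/user.txt",
    "Jan 23 10:06:30 host sudo:      eli : TTY=pts/0 ; PWD=/tmp ; USER=#1001 ; COMMAND=/bin/ls",
]

if __name__ == "__main__":
    for invoker, runas, command in find_runas_uid_abuse(SAMPLE_LOG):
        print(f"ALERT invoker={invoker} runas={runas} command={command}")
```

Updating sudo removes the behaviour itself; the log check is useful for hosts that have not been patched yet.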

The end.

HAPPY HACKING

I’m Groot