<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Write Ups - Eric Logan</title>
	<atom:link href="https://eric.cc/category/write-ups/feed/" rel="self" type="application/rss+xml" />
	<link>https://eric.cc/category/write-ups/</link>
	<description>A security and programming blog.</description>
	<lastBuildDate>Wed, 14 Jan 2026 02:53:54 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0</generator>

<image>
	<url>https://i0.wp.com/eric.cc/wp-content/uploads/2021/03/favicon.png?fit=16%2C16&#038;ssl=1</url>
	<title>Write Ups - Eric Logan</title>
	<link>https://eric.cc/category/write-ups/</link>
	<width>32</width>
	<height>32</height>
</image> 
<site xmlns="com-wordpress:feed-additions:1">211060323</site>	<item>
		<title>10 Information Technology Systems Every Company Should Have</title>
		<link>https://eric.cc/it-systems-every-company-should-have/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=it-systems-every-company-should-have</link>
					<comments>https://eric.cc/it-systems-every-company-should-have/#respond</comments>
		
		<dc:creator><![CDATA[eric]]></dc:creator>
		<pubDate>Thu, 15 Jan 2026 15:00:00 +0000</pubDate>
				<category><![CDATA[Write Ups]]></category>
		<category><![CDATA[Information Technology]]></category>
		<category><![CDATA[Infosec]]></category>
		<guid isPermaLink="false">https://eric.cc/?p=1382</guid>

					<description><![CDATA[<p><a href="https://eric.cc/it-systems-every-company-should-have/">10 Information Technology Systems Every Company Should Have</a><br />
<a href="https://eric.cc">Eric Logan</a></p>
<p>Every company invests a percentage of its budget towards technology. Security solutions includes tooling for endpoint security, network security, cloud security, data security, and identity access management. Not every solution will be covered in this post, and I will not go into vendor specifics. In no order of priority, every company should have these 10 [&#8230;]</p>
<p>The post <a href="https://eric.cc/it-systems-every-company-should-have/">10 Information Technology Systems Every Company Should Have</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><a href="https://eric.cc/it-systems-every-company-should-have/">10 Information Technology Systems Every Company Should Have</a><br />
<a href="https://eric.cc">Eric Logan</a></p>

<p class="wp-block-paragraph">Every company invests a percentage of its budget towards technology. Security solutions includes tooling for endpoint security, network security, cloud security, data security, and identity access management. Not every solution will be covered in this post, and I will not go into vendor specifics. In no order of priority, every company should have these 10 IT Systems in place.</p>



<h2 class="wp-block-heading">EDR/AntiVirus</h2>



<p class="wp-block-paragraph">Endpoints are laptops, desktops, servers, and virtual machines. They are often the first to get compromised and all need to be secured from bad actors. This is where AntiVirus and Endpoint Defender Response (EDR) solutions come in. AntiVirus offers real-time malware protection, blocking known threats and alerting analysts of malicious activity. EDR solutions can identify suspicious behavior and enable analysts to respond to a security incident.</p>



<p class="wp-block-paragraph">How many times a month do you read about computers being compromised and spreading ransomware throughout a company? An antivirus solution could have prevented the malware from running in the first place. EDR software could have detected the suspicious behavior and quarantined the device from communicating with the rest of the network, preventing the malware from spreading.</p>



<p class="wp-block-paragraph">It cannot be emphasized enough how crucial it is to deploy software on endpoints that can monitor, protect, and prevent attacks.</p>



<p class="wp-block-paragraph">Although Microsoft has improved its Windows Defender product, it is the first hurdle any attacker is going to clear for creating malware. It is enabled by default on every Windows computer after all. </p>



<h2 class="wp-block-heading">SIEM &#8211; Logging</h2>



<p class="wp-block-paragraph">The Security Information Event Management (SIEM) collects system, application, cloud, and networking logs in a central location. Analysts can investigate alerts, visualize data, and monitor their IT environments. </p>



<p class="wp-block-paragraph">This provides visibility for the Security Operations Center (SOC) to perform their investigations. For example, an employee downloads a malicious file from a website, the malware elevates its privileges to admin and starts connecting to a botnet. A SIEM can log all this information and correlate these events for an analyst to investigate which websites the employee visited, what the malware is doing on the machine, and where its communicating to.</p>



<figure class="wp-block-image size-large is-resized"><img data-recalc-dims="1" fetchpriority="high" decoding="async" width="1024" height="576" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2025/06/image-3-1024x576.png?resize=1024%2C576" alt="IT Systems - SIEM technology" class="wp-image-1458" style="width:754px;height:auto" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2025/06/image-3.png?resize=1024%2C576&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/06/image-3.png?resize=300%2C169&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/06/image-3.png?resize=768%2C432&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/06/image-3.png?resize=800%2C450&amp;ssl=1 800w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/06/image-3.png?w=1280&amp;ssl=1 1280w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>



<h2 class="wp-block-heading">VPN &#8211; Virtual Private Network</h2>



<p class="wp-block-paragraph">No, I am not talking about consumer VPN products you might have heard from your favorite influencer.</p>



<p class="wp-block-paragraph">With the rise of remote working, employees need a Virtual Private Network to securely connect to the office network to work on their projects. An enterprise VPN is going to be a split tunnel VPN that allows internal routing to go through, and external access through the employee&#8217;s own Internet Service Provider. Consumer-based VPNs are full tunnel routing all traffic through the VPN for security and encryption.</p>



<p class="wp-block-paragraph">VPNs are the best way to access resources remotely without having to expose assets to the public internet. VPN gateways, clients, and infrastructure must be protected heavily, as they could allow anyone access to the corporate network.</p>



<h2 class="wp-block-heading">Proxy &#8211; Internet Traffic Inspection</h2>



<p class="wp-block-paragraph">Another key point is once a device or user is connected, anything can happen on a network. It is important to monitor the traffic ingress and egress; and determine if it is malicious/inappropriate usage. This is the best way to block traffic that is not meant to go out of your corporate environment. NSFW or malicious.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" decoding="async" width="1024" height="393" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2025/06/image-2-1024x393.png?resize=1024%2C393" alt="IT Systems - Proxy Technology" class="wp-image-1457" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2025/06/image-2.png?resize=1024%2C393&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/06/image-2.png?resize=300%2C115&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/06/image-2.png?resize=768%2C295&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/06/image-2.png?resize=1536%2C589&amp;ssl=1 1536w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/06/image-2.png?resize=2048%2C786&amp;ssl=1 2048w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/06/image-2.png?w=2400&amp;ssl=1 2400w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>



<h2 class="wp-block-heading"><br>Segmentation &amp; Firewall</h2>



<p class="wp-block-paragraph">Typically home networks are flat, meaning that once a device is connected, it can communicate to every other device on the network. With the spirit of least privilege access, organizations should never have a flat network. If devices do not need it, they should not access different network segments.</p>



<p class="wp-block-paragraph">The best way to segment networks is by using Virtual LANs (VLANs) and Firewalls. VLANs will separate where on the network a device or application will communicate. Firewalls will allow or block cross-network communication when talking to different parts of the network.</p>



<p class="wp-block-paragraph">Generally speaking, networks should be separated by intranet, DMZ, extranet, production separated from development, and BYOD/IoT devices to be their own isolated network. </p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" decoding="async" width="1024" height="668" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2025/06/image-1-1024x668.png?resize=1024%2C668" alt="IT Systems - Firewall technology" class="wp-image-1456" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2025/06/image-1.png?resize=1024%2C668&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/06/image-1.png?resize=300%2C196&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/06/image-1.png?resize=768%2C501&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/06/image-1.png?w=1033&amp;ssl=1 1033w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>



<h2 class="wp-block-heading"><br>Backups</h2>



<p class="wp-block-paragraph">It&#8217;s always good to have backups of systems. Whether it is a system image or an application configuration. Backups should be taken regularly and are essential for dealing with a ransomware incident. Everybody needs a backup, and you will be glad you backed it up before things went wrong. </p>



<p class="wp-block-paragraph">To minimize the risk of data loss, follow the 3-2-1 backup rule. Keep 3 copies of your data, stored on 2 different types of media, with 1 copy kept off-site.</p>



<h2 class="wp-block-heading">Multifactor &#8211; Authentication</h2>



<p class="wp-block-paragraph">Every month, there is a new article about a leak of billions of passwords hitting the internet. Here&#8217;s an <a href="https://www.bleepingcomputer.com/news/security/no-the-16-billion-credentials-leak-is-not-a-new-data-breach/">article</a> about that happening recently.</p>



<p class="wp-block-paragraph">As cybersecurity professionals, we get it, passwords alone are no longer secure enough to protect accounts. Multifactor authentication provides security by checking that the user authenticating has their smartphone or biometrics. In today&#8217;s threat landscape, MFA should not rely on sending a text message to phone numbers due to attacks like SIM swapping. MFA should be done with a mobile authenticator app or a device like a yubikey.</p>



<h2 class="wp-block-heading">Email Security</h2>



<p class="wp-block-paragraph">Email is the lifeblood of professional communication over the last 25 years on the Internet. Everyone online has an email address. </p>



<p class="wp-block-paragraph">Not every emailer has their recipients&#8217; best interests in mind. Any IT security-related exam will tell you all the various Phishing techniques that can be done through email. So it is imperative to have good technologies in place to block suspicious looking emails, including those that contain suspicious attachments.</p>



<p class="wp-block-paragraph">Technology is not the only solution to this problem. The best way to defend against email based attacks is training. Employees should know the signs of a phishing attack and learn the processes of reporting it to the IT department. </p>



<h2 class="wp-block-heading"><strong>Patch Management</strong></h2>



<p class="wp-block-paragraph">What good are securing servers and workstations if they are not up to date on security patching? New exploits come out all the time. For example, a JavaScript framework React had a critical vulnerability named React2Shell, which allowed attackers to remotely execute code on any affected machine with an HTTP request. Updating software is the best way to avoid being vulnerable.</p>



<p class="wp-block-paragraph">Microsoft releases a patch for Microsoft Windows machines on every second Tuesday of the month. Linux does not have a fixed timeline for releaseing patches, they are released whenever they become available.</p>



<h2 class="wp-block-heading">Vulnerability Scanning</h2>



<p class="wp-block-paragraph">Lastly, vulnerability scanners can bring attention to analysts what technologies should be addressed, the priority it should be fixed in, and to catch concerns early before they become an issue. It is too common for organizations to keep old devices around because they run an applciation that stopped receiving updated years ago. Vulnerability scanners can call out these old devices and justify that they reached the end of their lifecycle.</p>



<p class="wp-block-paragraph">As mentioned before, patch management is a good way to knock out the easy wins. However, some applications or software require a more in depth look to remediate the vulnerabilities.</p>
<p>The post <a href="https://eric.cc/it-systems-every-company-should-have/">10 Information Technology Systems Every Company Should Have</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://eric.cc/it-systems-every-company-should-have/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">1382</post-id>	</item>
		<item>
		<title>TryHackMe: Thompson</title>
		<link>https://eric.cc/tryhackme-thompson/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=tryhackme-thompson</link>
					<comments>https://eric.cc/tryhackme-thompson/#respond</comments>
		
		<dc:creator><![CDATA[eric]]></dc:creator>
		<pubDate>Tue, 04 Jul 2023 14:00:00 +0000</pubDate>
				<category><![CDATA[Write Ups]]></category>
		<category><![CDATA[TryHackMe]]></category>
		<guid isPermaLink="false">https://eric.cc/?p=487</guid>

					<description><![CDATA[<p><a href="https://eric.cc/tryhackme-thompson/">TryHackMe: Thompson</a><br />
<a href="https://eric.cc">Eric Logan</a></p>
<p>TryHackMe Thompson is a boot2root machine for FIT and bsides guatemala CTFs. Challenging players to generate payloads and abuse file perms.</p>
<p>The post <a href="https://eric.cc/tryhackme-thompson/">TryHackMe: Thompson</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><a href="https://eric.cc/tryhackme-thompson/">TryHackMe: Thompson</a><br />
<a href="https://eric.cc">Eric Logan</a></p>

<h2 class="wp-block-heading">Introduction</h2>



<p class="wp-block-paragraph">TryHackMe: <a href="https://tryhackme.com/room/bsidesgtthompson">Thompson</a> was first released for the FIT and bsides Guatemala CTF.  To get right into it, Thompson&#8217;s server is running a default installation of Tomcat, with default administrator credentials. We gain initial access to the web server by uploading a malicious war file. Then misuse file permissions to read protected files.</p>



<h2 class="wp-block-heading">Information Gathering</h2>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="309" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2023/05/1.-Task-1-1-1024x309.png?resize=1024%2C309" alt="Thompson Task 1" class="wp-image-1043" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2023/05/1.-Task-1-1.png?resize=1024%2C309&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/05/1.-Task-1-1.png?resize=300%2C90&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/05/1.-Task-1-1.png?resize=768%2C231&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/05/1.-Task-1-1.png?w=1208&amp;ssl=1 1208w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Task 1</figcaption></figure>



<p class="wp-block-paragraph">In a CTF-like fashion, there is no prior information about this engagement. The goal of this room is to find, get access, and read the user.txt and root.txt flags. </p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="769" height="347" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2023/06/2.-nmap-j.png?resize=769%2C347" alt="Thompson nmap scan" class="wp-image-1163" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/2.-nmap-j.png?w=769&amp;ssl=1 769w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/2.-nmap-j.png?resize=300%2C135&amp;ssl=1 300w" sizes="(max-width: 769px) 100vw, 769px" /><figcaption class="wp-element-caption">Nmap scan</figcaption></figure>



<p class="wp-block-paragraph">The Nmap scan indicates that there are three ports open. The services running are SSH, Apache Jserver, and Apache Tomcat.</p>



<p class="wp-block-paragraph">By opening the browser, we navigate the website hosting Tomcat on <strong>port 8080</strong>. This is a default installation of Apache Tomcat version 8.5.5. Tomcat is an open-source Java web application server.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1019" height="726" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2023/06/3.-website-8080-h.png?resize=1019%2C726" alt="Tomcat version 8.5.5" class="wp-image-1165" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/3.-website-8080-h.png?w=1019&amp;ssl=1 1019w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/3.-website-8080-h.png?resize=300%2C214&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/3.-website-8080-h.png?resize=768%2C547&amp;ssl=1 768w" sizes="(max-width: 1019px) 100vw, 1019px" /><figcaption class="wp-element-caption">Tomcat dashboard</figcaption></figure>



<p class="wp-block-paragraph">Have a look around on the Apache Tomcat dashboard. The Server Status displays general server information, system resources, and service status. Manager App provides basic functionality to deploy web apps. The Host Manager&#8217;s purpose is to deploy, configure, and manage virtual hosts. You can access these services by using Tomcat&#8217;s default credentials,  <strong>tomcat</strong>:<strong>s3cret</strong>. </p>



<h2 class="wp-block-heading">Exploitation</h2>



<p class="wp-block-paragraph">Welcome to the Tomcat Web Application Manager for all your web app needs. </p>



<figure class="wp-block-image size-large is-resized"><img data-recalc-dims="1" loading="lazy" decoding="async" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2023/06/7.-uploaded-shell-1024x603.png?resize=840%2C494" alt="" class="wp-image-1153" width="840" height="494" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/7.-uploaded-shell.png?resize=1024%2C603&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/7.-uploaded-shell.png?resize=300%2C177&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/7.-uploaded-shell.png?resize=768%2C452&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/7.-uploaded-shell.png?resize=1536%2C904&amp;ssl=1 1536w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/7.-uploaded-shell.png?w=1881&amp;ssl=1 1881w" sizes="(max-width: 840px) 100vw, 840px" /><figcaption class="wp-element-caption">Tomcat web app manager</figcaption></figure>



<p class="wp-block-paragraph">The file type we use to deploy a web app is a war file. War stands for Web Application Resource and it is <a href="https://www.baeldung.com/java-jar-war-packaging"><strong>used to package web applications</strong> that we can deploy on any Servlet/JSP container.</a> </p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="726" height="75" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2023/05/5.-war-file.png?resize=726%2C75" alt="Thompson msfvenom payload" class="wp-image-1047" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2023/05/5.-war-file.png?w=726&amp;ssl=1 726w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/05/5.-war-file.png?resize=300%2C31&amp;ssl=1 300w" sizes="(max-width: 726px) 100vw, 726px" /><figcaption class="wp-element-caption">msfvenom payload</figcaption></figure>



<p class="wp-block-paragraph">Using the payload above, we can craft a malicious war file named shell3.war. This is a reverse TCP shell, meaning we can upload the file and have it connect back to our attacking machine. msfvenom is a repository of payloads that can be crafted into many extensible files. </p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="813" height="519" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2023/05/8.-msf-handler.png?resize=813%2C519" alt="Thompson metasploit" class="wp-image-1049" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2023/05/8.-msf-handler.png?w=813&amp;ssl=1 813w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/05/8.-msf-handler.png?resize=300%2C192&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/05/8.-msf-handler.png?resize=768%2C490&amp;ssl=1 768w" sizes="(max-width: 813px) 100vw, 813px" /><figcaption class="wp-element-caption">Metasploit handler</figcaption></figure>



<p class="wp-block-paragraph">Run Metasploit&#8217;s multi-handler module and launch the malicious payload by opening it on your web browser. The shell will connect to our machine, and we now have access to the victim server.</p>



<h2 class="wp-block-heading">Post Exploitation</h2>



<p class="wp-block-paragraph">Let&#8217;s get our bearing now that we are on the machine. We can see that we are the <strong>tomcat</strong> user of the system and in the root directory. The user.txt file lives in Jack&#8217;s home directory, and we have permission to read the file.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="490" height="97" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2023/06/Screenshot_2-h.png?resize=490%2C97" alt="Thompson user.txt flag" class="wp-image-1167" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/Screenshot_2-h.png?w=490&amp;ssl=1 490w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/Screenshot_2-h.png?resize=300%2C59&amp;ssl=1 300w" sizes="(max-width: 490px) 100vw, 490px" /><figcaption class="wp-element-caption">user.txt flag</figcaption></figure>



<p class="wp-block-paragraph">Looking at the rest of the contents in Jack&#8217;s home directory, we see a file named <code>id.sh</code>. The purpose of this file is to execute the <code>id </code>command and output it into the test.txt file. </p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="540" height="354" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2023/06/Screenshot_3-h.png?resize=540%2C354" alt="" class="wp-image-1169" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/Screenshot_3-h.png?w=540&amp;ssl=1 540w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/Screenshot_3-h.png?resize=300%2C197&amp;ssl=1 300w" sizes="(max-width: 540px) 100vw, 540px" /></figure>



<p class="wp-block-paragraph">Let&#8217;s take a look closer at the highlight portion above. We can see that the file&#8217;s permissions allow anyone to read, write, and execute this file. Meaning that we can potentially change the contents of the file.</p>



<p class="wp-block-paragraph">With the following bash command, we can change the contents of the <code>id.sh</code> file without changing any of the permissions or ownership of the file.</p>



<p class="wp-block-paragraph"><code>echo "cat /root/root.txt &gt; test.txt" &gt; id.sh</code></p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="565" height="130" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2023/06/Screenshot_4-h-1.png?resize=565%2C130" alt="Thompson root.txt" class="wp-image-1172" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/Screenshot_4-h-1.png?w=565&amp;ssl=1 565w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/Screenshot_4-h-1.png?resize=300%2C69&amp;ssl=1 300w" sizes="(max-width: 565px) 100vw, 565px" /></figure>



<p class="wp-block-paragraph">Finally, we can cat out the test.txt file and find the root.txt file contents inside of it!</p>



<h2 class="wp-block-heading">Conclusion</h2>



<p class="wp-block-paragraph">To conclude, TryHackMe: Thompson presented a nice challenge for FIT and bsides Guatemala CTFs. In my experience, gaining initial access to Tomcat&#8217;s system was trivial but I enjoyed misusing file permissions to read protected files. Running web applications like Tomcat with default credentials is asking for your system to get owned!</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="307" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2023/06/Task-1-Solutions-1024x307.png?resize=1024%2C307" alt="TryHackMe: Thompson Task 1 Solutions" class="wp-image-1148" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/Task-1-Solutions.png?resize=1024%2C307&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/Task-1-Solutions.png?resize=300%2C90&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/Task-1-Solutions.png?resize=768%2C230&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/Task-1-Solutions.png?w=1208&amp;ssl=1 1208w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
<p>The post <a href="https://eric.cc/tryhackme-thompson/">TryHackMe: Thompson</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://eric.cc/tryhackme-thompson/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">487</post-id>	</item>
		<item>
		<title>TryHackMe: tomghost</title>
		<link>https://eric.cc/tryhackme-tomghost/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=tryhackme-tomghost</link>
					<comments>https://eric.cc/tryhackme-tomghost/#respond</comments>
		
		<dc:creator><![CDATA[eric]]></dc:creator>
		<pubDate>Mon, 01 May 2023 00:18:12 +0000</pubDate>
				<category><![CDATA[Write Ups]]></category>
		<category><![CDATA[TryHackMe]]></category>
		<guid isPermaLink="false">https://eric.cc/?p=492</guid>

					<description><![CDATA[<p><a href="https://eric.cc/tryhackme-tomghost/">TryHackMe: tomghost</a><br />
<a href="https://eric.cc">Eric Logan</a></p>
<p>Introduction Apache Tomcat is an open-source web server that can deploy and run Java-based web applications. In 2020 a vulnerability dubbed GhostCat was discovered, allowing attackers to read or include files from the host system. In this room, TryHackMe tomghost, your goal is to use the GhostCat exploit to read files, gain user access, decrypt [&#8230;]</p>
<p>The post <a href="https://eric.cc/tryhackme-tomghost/">TryHackMe: tomghost</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><a href="https://eric.cc/tryhackme-tomghost/">TryHackMe: tomghost</a><br />
<a href="https://eric.cc">Eric Logan</a></p>

<h2 class="wp-block-heading">Introduction</h2>



<p class="wp-block-paragraph">Apache Tomcat is an open-source web server that can deploy and run Java-based web applications. In 2020 a vulnerability dubbed GhostCat was discovered, allowing attackers to read or include files from the host system. In this room, <a href="https://tryhackme.com/room/tomghost">TryHackMe tomghost</a>, your goal is to use the GhostCat exploit to read files, gain user access, decrypt PGP files, and escalate to root privileges.</p>



<h2 class="wp-block-heading">Information Gathering</h2>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="541" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/11/14.-Task-1-1024x541.png?resize=1024%2C541" alt="tomghost tasks" class="wp-image-917" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/14.-Task-1.png?resize=1024%2C541&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/14.-Task-1.png?resize=300%2C158&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/14.-Task-1.png?resize=768%2C406&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/14.-Task-1.png?w=1208&amp;ssl=1 1208w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Tasks</figcaption></figure>



<p class="wp-block-paragraph">As always, we use our trusty Nmap tool to scan the ports to see what services are running on this machine.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="759" height="377" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/11/1.-nmap.png?resize=759%2C377" alt="tomghost nmap results" class="wp-image-916" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/1.-nmap.png?w=759&amp;ssl=1 759w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/1.-nmap.png?resize=300%2C149&amp;ssl=1 300w" sizes="(max-width: 759px) 100vw, 759px" /><figcaption class="wp-element-caption">Nmap results</figcaption></figure>



<p class="wp-block-paragraph">It looks like port 8080 is running the vulnerable Apache Tomcat version 9.0.30.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1000" height="716" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/11/2.-apache-tomcat.png?resize=1000%2C716" alt="Tomcat dashboard" class="wp-image-918" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/2.-apache-tomcat.png?w=1000&amp;ssl=1 1000w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/2.-apache-tomcat.png?resize=300%2C215&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/2.-apache-tomcat.png?resize=768%2C550&amp;ssl=1 768w" sizes="(max-width: 1000px) 100vw, 1000px" /><figcaption class="wp-element-caption">tomcat dashboard</figcaption></figure>



<h2 class="wp-block-heading">Exploitation</h2>



<p class="wp-block-paragraph">Tomcat version 9.0.30 has a vulnerability with Apache JServ Protocol (AJP). <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938">CVE-2020-1938</a> allows attackers the ability to read and include files on the server because &#8220;Tomcat treats AJP connections as having higher trust&#8221;.</p>



<figure class="wp-block-image size-large is-resized"><img data-recalc-dims="1" loading="lazy" decoding="async" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/11/4.-searchsploit-1024x234.png?resize=840%2C191" alt="" class="wp-image-921" width="840" height="191" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/4.-searchsploit.png?resize=1024%2C234&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/4.-searchsploit.png?resize=300%2C69&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/4.-searchsploit.png?resize=768%2C176&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/4.-searchsploit.png?w=1413&amp;ssl=1 1413w" sizes="(max-width: 840px) 100vw, 840px" /><figcaption class="wp-element-caption">tomcat exploit</figcaption></figure>



<p class="wp-block-paragraph">Somebody already wrote an <a href="https://www.exploit-db.com/exploits/48143">exploit</a> for this vulnerability. After downloading this, we can run the Python script and point it to the web server.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="618" height="633" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/11/6.-ghostcat.png?resize=618%2C633" alt="Running ghostcat exploit" class="wp-image-922" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/6.-ghostcat.png?w=618&amp;ssl=1 618w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/6.-ghostcat.png?resize=293%2C300&amp;ssl=1 293w" sizes="(max-width: 618px) 100vw, 618px" /><figcaption class="wp-element-caption">tomcat exploit</figcaption></figure>



<p class="wp-block-paragraph">We can see here that there is something hosted on <code>/asdf</code>. It&#8217;s an XML file with metadata included. There is also something in the description that looks like login credentials.  </p>



<h2 class="wp-block-heading">Post Exploitation</h2>



<p class="wp-block-paragraph">Returning to our Nmap scan, we can see that SSH is open on this machine. Let&#8217;s see if we can log into the skyfuck account.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="648" height="526" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/11/7.-user.txt.png?resize=648%2C526" alt="tomghost user.txt" class="wp-image-923" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/7.-user.txt.png?w=648&amp;ssl=1 648w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/7.-user.txt.png?resize=300%2C244&amp;ssl=1 300w" sizes="(max-width: 648px) 100vw, 648px" /><figcaption class="wp-element-caption">user.txt</figcaption></figure>



<p class="wp-block-paragraph">Changing the directory to Merlin&#8217;s home directory we can find the <code>user.txt</code> flag.</p>



<p class="wp-block-paragraph">Returning to our home directory, we can see a couple of files called <code>credential.pgp</code> and <code>tryhackme.asc</code>. Using a tool like gpg2john we can convert <code>tryhackme.asc</code> into a format that can be interpreted by johntheripper.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="924" height="567" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/11/8.-gpg2john.png?resize=924%2C567" alt="Decrypting PGP " class="wp-image-924" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/8.-gpg2john.png?w=924&amp;ssl=1 924w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/8.-gpg2john.png?resize=300%2C184&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/8.-gpg2john.png?resize=768%2C471&amp;ssl=1 768w" sizes="(max-width: 924px) 100vw, 924px" /><figcaption class="wp-element-caption">cracked .asc and pgp</figcaption></figure>



<p class="wp-block-paragraph">Johntheripper, in combination with the rockyou.txt dictionary file, we can dictionary brute-force the password for the .asc file. </p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="936" height="341" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/11/9.-passphrase.png?resize=936%2C341" alt="Decrypting PGP " class="wp-image-926" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/9.-passphrase.png?w=936&amp;ssl=1 936w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/9.-passphrase.png?resize=300%2C109&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/9.-passphrase.png?resize=768%2C280&amp;ssl=1 768w" sizes="(max-width: 936px) 100vw, 936px" /></figure>



<p class="wp-block-paragraph">Using gpg import the <code>tryhackme.asc</code> file and enter the password <strong>alexandru</strong>. It looks like it is an OpenPGP secret key for stuxnet@tryhackme.com</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="638" height="265" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/11/10.-decrypted.png?resize=638%2C265" alt="PGP contents" class="wp-image-927" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/10.-decrypted.png?w=638&amp;ssl=1 638w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/10.-decrypted.png?resize=300%2C125&amp;ssl=1 300w" sizes="(max-width: 638px) 100vw, 638px" /></figure>



<p class="wp-block-paragraph">We can then decrypt the <code>credential.pgp</code> file and see Merlin&#8217;s login information.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="748" height="151" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/11/11.-sudo-l.png?resize=748%2C151" alt="Privilege escalation tomghost" class="wp-image-928" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/11.-sudo-l.png?w=748&amp;ssl=1 748w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/11.-sudo-l.png?resize=300%2C61&amp;ssl=1 300w" sizes="(max-width: 748px) 100vw, 748px" /><figcaption class="wp-element-caption">privilege escalation</figcaption></figure>



<p class="wp-block-paragraph">After logging into Merlin&#8217;s account we still do not have access to the root system. However, after running sudo -l we can see that Merlin can run root permissions on the command zip.</p>



<p class="wp-block-paragraph">Using gtfobins, we can see the binary allowing us to run superuser and drop escalated privileged access to the system.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="824" height="208" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/11/12.-gtfobins.png?resize=824%2C208" alt="Gtfobins results" class="wp-image-929" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/12.-gtfobins.png?w=824&amp;ssl=1 824w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/12.-gtfobins.png?resize=300%2C76&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/12.-gtfobins.png?resize=768%2C194&amp;ssl=1 768w" sizes="(max-width: 824px) 100vw, 824px" /><figcaption class="wp-element-caption">gtfobins results</figcaption></figure>



<p class="wp-block-paragraph">Finally, we run the command. Allowing us to be root user.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="452" height="229" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/11/13.-root.txt.png?resize=452%2C229" alt="tomghost root.txt" class="wp-image-931" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/13.-root.txt.png?w=452&amp;ssl=1 452w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/13.-root.txt.png?resize=300%2C152&amp;ssl=1 300w" sizes="(max-width: 452px) 100vw, 452px" /><figcaption class="wp-element-caption">root.txt</figcaption></figure>



<p class="wp-block-paragraph">We can finally navigate to the root directory and read out the <code>root.txt</code> flag.</p>



<h2 class="wp-block-heading">Conclusion</h2>



<p class="wp-block-paragraph">In conclusion, these exploits only existed because the software inherently trusted these AJP files. Software developers will have to use caution on when to trust anything involving inputs as they may become compromised. </p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="542" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/11/15.-Task-1-Solutions-1024x542.png?resize=1024%2C542" alt="tomghost Tasks solutions" class="wp-image-925" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/15.-Task-1-Solutions.png?resize=1024%2C542&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/15.-Task-1-Solutions.png?resize=300%2C159&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/15.-Task-1-Solutions.png?resize=768%2C406&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/15.-Task-1-Solutions.png?w=1208&amp;ssl=1 1208w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Task Solutions</figcaption></figure>
<p>The post <a href="https://eric.cc/tryhackme-tomghost/">TryHackMe: tomghost</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://eric.cc/tryhackme-tomghost/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">492</post-id>	</item>
		<item>
		<title>TryHackMe: LazyAdmin</title>
		<link>https://eric.cc/tryhackme-lazyadmin/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=tryhackme-lazyadmin</link>
					<comments>https://eric.cc/tryhackme-lazyadmin/#respond</comments>
		
		<dc:creator><![CDATA[eric]]></dc:creator>
		<pubDate>Thu, 01 Dec 2022 15:00:00 +0000</pubDate>
				<category><![CDATA[Write Ups]]></category>
		<category><![CDATA[TryHackMe]]></category>
		<guid isPermaLink="false">https://eric.cc/?p=436</guid>

					<description><![CDATA[<p><a href="https://eric.cc/tryhackme-lazyadmin/">TryHackMe: LazyAdmin</a><br />
<a href="https://eric.cc">Eric Logan</a></p>
<p>TryHackMe LazyAdmin is a classic story of sysadmins being lazy. Use public exploits and misconfigured settings to your advantage!</p>
<p>The post <a href="https://eric.cc/tryhackme-lazyadmin/">TryHackMe: LazyAdmin</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><a href="https://eric.cc/tryhackme-lazyadmin/">TryHackMe: LazyAdmin</a><br />
<a href="https://eric.cc">Eric Logan</a></p>

<h2 class="wp-block-heading" id="introduction">Introduction</h2>



<p class="wp-block-paragraph"><a href="http://tryhackme.com/room/lazyadmin">TryHackMe: LazyAdmin</a> outlines a story as old as time. Outdated software, exposed MySQL database backups, and easy to crack passwords that spell disaster for our lazy Linux administrator. Learn what could go wrong when these elements are combined below.</p>



<h2 class="wp-block-heading" id="information-gathering">Information Gathering</h2>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="335" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/12/1.-Task-1-1024x335.png?resize=1024%2C335" alt="LazyAdmin Task 1" class="wp-image-731" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/1.-Task-1.png?resize=1024%2C335&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/1.-Task-1.png?resize=300%2C98&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/1.-Task-1.png?resize=768%2C251&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/1.-Task-1.png?w=1209&amp;ssl=1 1209w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Task 1</figcaption></figure>



<p class="wp-block-paragraph">To get started, scan for the open ports and services running on those ports. It looks like SSH and a web server are running on this server. We can use a tool like <a href="https://github.com/OJ/gobuster">gobuster</a>, to brute force if there are any open directories.</p>



<figure class="wp-block-gallery has-nested-images columns-default is-cropped wp-block-gallery-1 is-layout-flex wp-block-gallery-is-layout-flex">
<figure class="wp-block-image size-large is-style-default"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="222" data-id="883" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/11/info-1024x222.png?resize=1024%2C222" alt="LazyAdmin Nmap and GoBuster results" class="wp-image-883" title="" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/info.png?resize=1024%2C222&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/info.png?resize=300%2C65&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/info.png?resize=768%2C166&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/info.png?w=1506&amp;ssl=1 1506w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
<figcaption class="blocks-gallery-caption wp-element-caption">Nmap and GoBuster results</figcaption></figure>



<p class="wp-block-paragraph">Going to <code>http://10.10.222.75/content</code> we were met with SweetRice installed webpage. <a href="https://www.sweetrice.xyz/">SweetRice</a> is an open-source website management system that creates common blogs or websites. </p>



<figure class="wp-block-image size-full is-resized"><img data-recalc-dims="1" loading="lazy" decoding="async" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/12/4.-SweetRice.png?resize=642%2C172" alt="website" class="wp-image-734" style="width:642px;height:172px" width="642" height="172" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/4.-SweetRice.png?w=685&amp;ssl=1 685w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/4.-SweetRice.png?resize=300%2C80&amp;ssl=1 300w" sizes="(max-width: 642px) 100vw, 642px" /><figcaption class="wp-element-caption">website</figcaption></figure>



<p class="wp-block-paragraph">I could not find what version of SweetRice this website was running by inspecting the website&#8217;s source code.</p>



<h2 class="wp-block-heading" id="exploitation">Exploitation</h2>



<p class="wp-block-paragraph">Sometimes it is best to take a shot in the dark when trying to exploit a machine. SweetRice version 1.5.1 has a vulnerability that exposes their MySQL <a href="https://www.exploit-db.com/exploits/40718">backup file</a> for anyone to come in and download it.</p>



<figure class="wp-block-image size-full is-resized"><img data-recalc-dims="1" loading="lazy" decoding="async" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/12/7.-mysql_backup.png?resize=676%2C216" alt="mysql backup file" class="wp-image-737" style="width:676px;height:216px" width="676" height="216" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/7.-mysql_backup.png?w=676&amp;ssl=1 676w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/7.-mysql_backup.png?resize=300%2C96&amp;ssl=1 300w" sizes="(max-width: 676px) 100vw, 676px" /><figcaption class="wp-element-caption">exposed MySQL backup</figcaption></figure>



<p class="wp-block-paragraph">Going to the URL, we can find a MySQL backup file from October 29, 2019. </p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="778" height="467" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/11/8.-mysql-highlighted.png?resize=778%2C467" alt="sweetrice mysql leak" class="wp-image-905" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/8.-mysql-highlighted.png?w=778&amp;ssl=1 778w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/8.-mysql-highlighted.png?resize=300%2C180&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/8.-mysql-highlighted.png?resize=768%2C461&amp;ssl=1 768w" sizes="(max-width: 778px) 100vw, 778px" /><figcaption class="wp-element-caption">exposed user database</figcaption></figure>



<p class="wp-block-paragraph">Going through the MySQL file we can see the users of the website. There is a user <code>manager</code> with a convenient MD5 password hash value. We can run this hash through hashcat and crack the password to enter it into SweetRice&#8217;s admin portal.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="773" height="123" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/12/9.-sql-pass.png?resize=773%2C123" alt="password cracked" class="wp-image-739" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/9.-sql-pass.png?w=773&amp;ssl=1 773w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/9.-sql-pass.png?resize=300%2C48&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/9.-sql-pass.png?resize=768%2C122&amp;ssl=1 768w" sizes="(max-width: 773px) 100vw, 773px" /><figcaption class="wp-element-caption">cracked admin password</figcaption></figure>



<p class="wp-block-paragraph">Easy peasy, the administrator chose a weak password!</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="738" height="158" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/12/10-a.-as-directory.png?resize=738%2C158" alt="sweetrice" class="wp-image-740" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/10-a.-as-directory.png?w=738&amp;ssl=1 738w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/10-a.-as-directory.png?resize=300%2C64&amp;ssl=1 300w" sizes="(max-width: 738px) 100vw, 738px" /><figcaption class="wp-element-caption">admin dashboard url</figcaption></figure>



<p class="wp-block-paragraph">There are several ways to find the SweetRice admin portal. I found it on exploit-db when looking at SweetRice&#8217;s <a href="https://www.exploit-db.com/exploits/40716">arbitrary file upload exploit</a>. Alternatively, it could be found by recursively brute-forcing all the directories with dirbuster or looking through SweetRice&#8217;s documentation. All in all, the admin login page is located at <code>/as/</code>.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="423" height="579" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/12/10.-login-panel.png?resize=423%2C579" alt="LazyAdmin Sweetrice login" class="wp-image-741" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/10.-login-panel.png?w=423&amp;ssl=1 423w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/10.-login-panel.png?resize=219%2C300&amp;ssl=1 219w" sizes="(max-width: 423px) 100vw, 423px" /><figcaption class="wp-element-caption">admin dashboard login</figcaption></figure>



<p class="wp-block-paragraph">Using the username and password we just cracked, we can log into the SweetRice admin portal. Admins can Post, Change settings, and upload files.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="618" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/12/11.-SweetRice-manager-1024x618.png?resize=1024%2C618" alt="SweetRice dashboard" class="wp-image-742" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/11.-SweetRice-manager.png?resize=1024%2C618&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/11.-SweetRice-manager.png?resize=300%2C181&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/11.-SweetRice-manager.png?resize=768%2C463&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/11.-SweetRice-manager.png?w=1363&amp;ssl=1 1363w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">SweetRice admin dashboard</figcaption></figure>



<p class="wp-block-paragraph">We are interested in uploading files. Instead of using the arbitrary file upload exploit, I decided to use the reverse PHP shell from <a href="https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php">pentestmonkey</a>. They&#8217;ll both get a shell on the web server. </p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="345" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/12/13.-file-upload-1024x345.png?resize=1024%2C345" alt="File upload" class="wp-image-744" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/13.-file-upload.png?resize=1024%2C345&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/13.-file-upload.png?resize=300%2C101&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/13.-file-upload.png?resize=768%2C259&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/13.-file-upload.png?resize=1536%2C518&amp;ssl=1 1536w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/13.-file-upload.png?w=1890&amp;ssl=1 1890w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">SweetRice media center</figcaption></figure>



<h2 class="wp-block-heading" id="post-exploitation">Post Exploitation</h2>



<p class="wp-block-paragraph">After connecting to the web server. Head to the home directory and find a user named itguy and read the user.txt flag. </p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="771" height="229" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/11/14.-user-highlighted.png?resize=771%2C229" alt="LazyAdmin user.txt" class="wp-image-906" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/14.-user-highlighted.png?w=771&amp;ssl=1 771w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/14.-user-highlighted.png?resize=300%2C89&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/14.-user-highlighted.png?resize=768%2C228&amp;ssl=1 768w" sizes="(max-width: 771px) 100vw, 771px" /><figcaption class="wp-element-caption">SweetRice user.txt</figcaption></figure>



<p class="wp-block-paragraph">Finally, to escalate our privileges to the root user run the command <code>sudo -l</code>. It will display which commands can run as a super user that does not need a password.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="774" height="136" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/12/15.-sudo-l.png?resize=774%2C136" alt="sudo -l" class="wp-image-749" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/15.-sudo-l.png?w=774&amp;ssl=1 774w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/15.-sudo-l.png?resize=300%2C53&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/15.-sudo-l.png?resize=768%2C135&amp;ssl=1 768w" sizes="(max-width: 774px) 100vw, 774px" /><figcaption class="wp-element-caption">sudo -l output</figcaption></figure>



<p class="wp-block-paragraph">It looks like we can run Perl as root on the itguy&#8217;s backup.pl file.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="808" height="157" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/12/16.-gtfobin.png?resize=808%2C157" alt="gtfobins result" class="wp-image-750" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/16.-gtfobin.png?w=808&amp;ssl=1 808w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/16.-gtfobin.png?resize=300%2C58&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/16.-gtfobin.png?resize=768%2C149&amp;ssl=1 768w" sizes="(max-width: 808px) 100vw, 808px" /><figcaption class="wp-element-caption">Perl command</figcaption></figure>



<p class="wp-block-paragraph">This is pretty straightforward. According to <a href="https://gtfobins.github.io/gtfobins/perl/#sudo">gtfobins</a>, all we will need to run the superuser do Perl command using the backup.pl file and it will run as root. Unfortunately, we only have read and execute privileges on the backup.pl file. So let&#8217;s read the file and see what backup.pl even does.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="238" height="82" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/12/17.-perl-priv.png?resize=238%2C82" alt="LazyAdmin perl script" class="wp-image-751"/><figcaption class="wp-element-caption">backup.pl</figcaption></figure>



<p class="wp-block-paragraph">It looks like <code>backup.pl</code> runs the script of <code>copy.sh</code>. When going over to the /etc/ directory it looks like we have read, write, and execute permissions on the <code>copy.sh</code> file. The plan is to overwrite the file with a reverse shell, run the <code>backup.pl</code> as root, and connect the server to our client as root.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="770" height="82" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/11/18.-copy-highlighted.png?resize=770%2C82" alt="LazyAdmin copy.sh" class="wp-image-908" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/18.-copy-highlighted.png?w=770&amp;ssl=1 770w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/18.-copy-highlighted.png?resize=300%2C32&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/18.-copy-highlighted.png?resize=768%2C82&amp;ssl=1 768w" sizes="(max-width: 770px) 100vw, 770px" /><figcaption class="wp-element-caption">copy.sh</figcaption></figure>



<p class="wp-block-paragraph"><a href="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#netcat-openbsd">Payload all the things</a> is an open-source resource with hundreds of ways to create a reverse shell. I first tried the netcat traditional commands. However, after running them it said that the version of netcat the server was using was netcat-openbsd package.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="490" height="46" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/12/22.-sudo-perl.png?resize=490%2C46" alt="" class="wp-image-752" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/22.-sudo-perl.png?w=490&amp;ssl=1 490w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/22.-sudo-perl.png?resize=300%2C28&amp;ssl=1 300w" sizes="(max-width: 490px) 100vw, 490px" /><figcaption class="wp-element-caption">running backup.pl</figcaption></figure>



<p class="wp-block-paragraph">Running the command exactly how it is written out in the <code>sudo -l</code> output is the only way for the terminal not to prompt with password input.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="490" height="195" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/11/24.-root-highlighted.png?resize=490%2C195" alt="LazyAdmin root.txt" class="wp-image-909" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/24.-root-highlighted.png?w=490&amp;ssl=1 490w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/24.-root-highlighted.png?resize=300%2C119&amp;ssl=1 300w" sizes="(max-width: 490px) 100vw, 490px" /><figcaption class="wp-element-caption">SweetRice root.txt</figcaption></figure>



<p class="wp-block-paragraph">Lastly, launching another shell on my attacker machine and running the Perl command, I became root. It&#8217;s now as easy as going to the root directory and reading the root.txt flag.</p>



<h2 class="wp-block-heading" id="conclusion">Conclusion</h2>



<p class="wp-block-paragraph">This is a scenario that would most certainly happen in the real world. It doesn&#8217;t necessarily have to come down to laziness, projects come and go. IT staff need to be aware when this happens and take the necessary steps to avoid running vulnerable software on their systems.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="311" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/12/25.-Task-1-Solutions-1024x311.png?resize=1024%2C311" alt="LazyAdmin Task 1 Solutions" class="wp-image-747" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/25.-Task-1-Solutions.png?resize=1024%2C311&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/25.-Task-1-Solutions.png?resize=300%2C91&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/25.-Task-1-Solutions.png?resize=768%2C233&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/25.-Task-1-Solutions.png?w=1212&amp;ssl=1 1212w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Task 1 Solution</figcaption></figure>
<p>The post <a href="https://eric.cc/tryhackme-lazyadmin/">TryHackMe: LazyAdmin</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://eric.cc/tryhackme-lazyadmin/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">436</post-id>	</item>
		<item>
		<title>TryHackMe: Bounty Hacker</title>
		<link>https://eric.cc/tryhackme-bounty-hacker/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=tryhackme-bounty-hacker</link>
					<comments>https://eric.cc/tryhackme-bounty-hacker/#respond</comments>
		
		<dc:creator><![CDATA[eric]]></dc:creator>
		<pubDate>Wed, 28 Sep 2022 14:00:00 +0000</pubDate>
				<category><![CDATA[Write Ups]]></category>
		<category><![CDATA[TryHackMe]]></category>
		<guid isPermaLink="false">https://eric.cc/?p=493</guid>

					<description><![CDATA[<p><a href="https://eric.cc/tryhackme-bounty-hacker/">TryHackMe: Bounty Hacker</a><br />
<a href="https://eric.cc">Eric Logan</a></p>
<p>TryHackMe Bounty Hacker is an easily guided challenge. It involves enumeration, cracking passwords, and Linux privilege escalation!</p>
<p>The post <a href="https://eric.cc/tryhackme-bounty-hacker/">TryHackMe: Bounty Hacker</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><a href="https://eric.cc/tryhackme-bounty-hacker/">TryHackMe: Bounty Hacker</a><br />
<a href="https://eric.cc">Eric Logan</a></p>

<h2 class="wp-block-heading">Introduction</h2>



<p class="wp-block-paragraph">It looks like our bragging brought the attention of Spike Spiegal and his crew, the TryHackMe: Bounty Hacker. They need us to <a href="https://tryhackme.com/room/cowboyhacker">hack and gain root in this system</a> no questions asked.  With some enumeration and an anonymous FTP account, we can crack the SSH passphrase to become a user on the system and exploit tar to escalate our privileges to root. </p>



<h2 class="wp-block-heading">Information Gathering</h2>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="681" src="//i0.wp.com/eric.cc/wp-content/uploads/2022/06/Task-1-1024x681.png" alt="Bounty Hacker Task 1 " class="wp-image-838" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/Task-1.png?resize=1024%2C681&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/Task-1.png?resize=300%2C200&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/Task-1.png?resize=768%2C511&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/Task-1.png?w=1209&amp;ssl=1 1209w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Task 1</figcaption></figure>



<p class="wp-block-paragraph">Like any other challenge, I want to get the lay of the land.  We are looking for any open ports and what kind of services they are running. </p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="768" height="586" src="//i0.wp.com/eric.cc/wp-content/uploads/2022/06/nmap.png" alt="Bounty Hacker nmap results" class="wp-image-839" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/nmap.png?w=768&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/nmap.png?resize=300%2C229&amp;ssl=1 300w" sizes="(max-width: 768px) 100vw, 768px" /><figcaption class="wp-element-caption">Nmap results</figcaption></figure>



<p class="wp-block-paragraph">Nice! It looks like they left an anonymous account enabled on their FTP server. </p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="547" height="436" src="//i0.wp.com/eric.cc/wp-content/uploads/2022/06/ftp.png" alt="anonymous ftp" class="wp-image-841" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/ftp.png?w=547&amp;ssl=1 547w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/ftp.png?resize=300%2C239&amp;ssl=1 300w" sizes="(max-width: 547px) 100vw, 547px" /><figcaption class="wp-element-caption">ftp</figcaption></figure>



<p class="wp-block-paragraph">These files look interesting: <code>locks.txt</code> and <code>task.txt</code>. I will just go ahead and download that onto my system and give them a read.</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="267" height="452" src="//i0.wp.com/eric.cc/wp-content/uploads/2022/07/locks.txt.png" alt="Bounty Hacker locks.txt" class="wp-image-862" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/07/locks.txt.png?w=267&amp;ssl=1 267w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/07/locks.txt.png?resize=177%2C300&amp;ssl=1 177w" sizes="(max-width: 267px) 100vw, 267px" /><figcaption class="wp-element-caption">locks.txt</figcaption></figure>



<p class="wp-block-paragraph">Score! This file looks like it contains passwords. Not sure which is the right one but let us check out the <code>task.txt</code> for further clues.</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="324" height="119" src="//i0.wp.com/eric.cc/wp-content/uploads/2022/06/task.txt.png" alt="Bounty Hacker task.txt" class="wp-image-842" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/task.txt.png?w=324&amp;ssl=1 324w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/task.txt.png?resize=300%2C110&amp;ssl=1 300w" sizes="(max-width: 324px) 100vw, 324px" /><figcaption class="wp-element-caption">task.txt</figcaption></figure>



<p class="wp-block-paragraph">Now, if you have never seen the show there is some context to the message. Vicious, the main antagonist in Cowboy Bebop and Red Eye, is an illegal performance-enhancing drug.  Lin is one of Vicious&#8217;s henchmen and I would be willing to bet that he was the one that set up this server.</p>



<p class="wp-block-paragraph">Going back to our Nmap scan, we can see that SSH is running on the machine. Using a tool like <a href="https://www.kali.org/tools/hydra/">Hydra</a>, we can use the passwords found in <code>locks.txt</code> and brute force our way into Lin&#8217;s account.</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="781" height="315" src="//i0.wp.com/eric.cc/wp-content/uploads/2022/06/hydra.png" alt="Bounty Hacker hydra results - cracked user password" class="wp-image-843" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/hydra.png?w=781&amp;ssl=1 781w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/hydra.png?resize=300%2C121&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/hydra.png?resize=768%2C310&amp;ssl=1 768w" sizes="(max-width: 781px) 100vw, 781px" /><figcaption class="wp-element-caption">hydra results</figcaption></figure>



<p class="wp-block-paragraph">And just like that, we have Lin&#8217;s login information! </p>



<h2 class="wp-block-heading">Exploitation</h2>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="615" height="328" src="//i0.wp.com/eric.cc/wp-content/uploads/2022/06/user.txt.png" alt="Bounty Hacker user.txt flag" class="wp-image-844" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/user.txt.png?w=615&amp;ssl=1 615w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/user.txt.png?resize=300%2C160&amp;ssl=1 300w" sizes="(max-width: 615px) 100vw, 615px" /><figcaption class="wp-element-caption">user.txt</figcaption></figure>



<p class="wp-block-paragraph">The <code>user.txt</code> flag is found immediately in lin&#8217;s home directory. The last thing we need to do is escalate our privileges and read the <code>root.txt</code> flag.</p>



<h2 class="wp-block-heading">Post Exploitation</h2>



<p class="wp-block-paragraph"><code>Sudo -l</code> allows us to list the allowed commands the user can invoke with root privileges.</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="747" height="148" src="//i0.wp.com/eric.cc/wp-content/uploads/2022/06/sudo-l.png" alt="linux privilege escalation" class="wp-image-845" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/sudo-l.png?w=747&amp;ssl=1 747w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/sudo-l.png?resize=300%2C59&amp;ssl=1 300w" sizes="(max-width: 747px) 100vw, 747px" /><figcaption class="wp-element-caption">sudo -l</figcaption></figure>



<p class="wp-block-paragraph">The <code>tar</code> command is used to compress a group of files into an archive. Let&#8217;s check out GTFObins to see if there are any commands we can leverage to our advantage.</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="818" height="168" src="//i0.wp.com/eric.cc/wp-content/uploads/2022/06/gtfobins.png" alt="ghostbin - sudo command for (root) /bin/tar" class="wp-image-846" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/gtfobins.png?w=818&amp;ssl=1 818w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/gtfobins.png?resize=300%2C62&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/gtfobins.png?resize=768%2C158&amp;ssl=1 768w" sizes="(max-width: 818px) 100vw, 818px" /><figcaption class="wp-element-caption">ghostbins</figcaption></figure>



<p class="wp-block-paragraph">There is a couple of things going on in this command. First, tar is creating an archived file at /dev/null. Since it is running in super user do, spawning a bash shell at checkpoint 1 makes it possible to escalate our privileges to root.</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="776" height="133" src="//i0.wp.com/eric.cc/wp-content/uploads/2022/06/root.txt.png" alt="Bounty Hacker root.txt flag" class="wp-image-848" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/root.txt.png?w=776&amp;ssl=1 776w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/root.txt.png?resize=300%2C51&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/root.txt.png?resize=768%2C132&amp;ssl=1 768w" sizes="(max-width: 776px) 100vw, 776px" /><figcaption class="wp-element-caption">root.txt</figcaption></figure>



<p class="wp-block-paragraph">And there you have it! The <code>root.txt</code> flag file is easy to find in the root directory.</p>



<h2 class="wp-block-heading">Conclusion</h2>



<p class="wp-block-paragraph">In conclusion, this TryHackMe room earns its easy badge. Enumeration and privilege escalation was pretty straightforward and a piece of cake for this braggadocious hacker.</p>



<figure class="wp-block-image size-large is-resized"><img loading="lazy" decoding="async" src="//i0.wp.com/eric.cc/wp-content/uploads/2022/06/Task-1-Solutions-1024x681.png" alt="Bounty Hacker Task 1 Solutions" class="wp-image-849" style="width:840px;height:558px" width="840" height="558" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/Task-1-Solutions.png?resize=1024%2C681&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/Task-1-Solutions.png?resize=300%2C199&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/Task-1-Solutions.png?resize=768%2C511&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/Task-1-Solutions.png?w=1211&amp;ssl=1 1211w" sizes="(max-width: 840px) 100vw, 840px" /><figcaption class="wp-element-caption">Task 1 Solutions</figcaption></figure>
<p>The post <a href="https://eric.cc/tryhackme-bounty-hacker/">TryHackMe: Bounty Hacker</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://eric.cc/tryhackme-bounty-hacker/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">493</post-id>	</item>
		<item>
		<title>TryHackMe: RootMe</title>
		<link>https://eric.cc/tryhackme-rootme/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=tryhackme-rootme</link>
					<comments>https://eric.cc/tryhackme-rootme/#respond</comments>
		
		<dc:creator><![CDATA[eric]]></dc:creator>
		<pubDate>Wed, 23 Feb 2022 15:00:00 +0000</pubDate>
				<category><![CDATA[Write Ups]]></category>
		<category><![CDATA[TryHackMe]]></category>
		<guid isPermaLink="false">https://eric.cc/?p=438</guid>

					<description><![CDATA[<p><a href="https://eric.cc/tryhackme-rootme/">TryHackMe: RootMe</a><br />
<a href="https://eric.cc">Eric Logan</a></p>
<p>TryHackMe RootMe is arranged to help newcomers hack this box. Enumerate, bypass restrictions, and abuse SUID perms to escalate to root.</p>
<p>The post <a href="https://eric.cc/tryhackme-rootme/">TryHackMe: RootMe</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><a href="https://eric.cc/tryhackme-rootme/">TryHackMe: RootMe</a><br />
<a href="https://eric.cc">Eric Logan</a></p>

<h2 class="wp-block-heading" id="introduction">Introduction</h2>



<p class="wp-block-paragraph"><a href="https://tryhackme.com/room/rrootme">RootMe</a> is a beginner-level capture-the-flag challenge from TryHackMe. The tasks are arranged to help newcomers through the processes of hacking this machine. It starts with enumerating the system by scanning for open ports and directories. Next, we will bypass the website&#8217;s upload restrictions and gain a reverse shell on the webserver. Finally, we will abuse SUID permissions to escalate user privileges to root.</p>



<h2 class="wp-block-heading" id="information-gathering">Information Gathering</h2>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="521" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/01/1.-Task-2-1024x521.png?resize=1024%2C521" alt="Task 2" class="wp-image-757" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/1.-Task-2.png?resize=1024%2C521&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/1.-Task-2.png?resize=300%2C153&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/1.-Task-2.png?resize=768%2C391&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/1.-Task-2.png?w=1209&amp;ssl=1 1209w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption>Task 2</figcaption></figure>



<p class="wp-block-paragraph">There is not a lot of information to be gathered during the information-gathering phase. Almost all of the reconnaissance task questions can be answered through Nmap.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="757" height="388" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/01/2.-nmap-h.png?resize=757%2C388" alt="RootMe Nmap results" class="wp-image-790" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/2.-nmap-h.png?w=757&amp;ssl=1 757w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/2.-nmap-h.png?resize=300%2C154&amp;ssl=1 300w" sizes="(max-width: 757px) 100vw, 757px" /><figcaption>Nmap</figcaption></figure>



<p class="wp-block-paragraph">There are <code>2</code> open ports on this machine. This Ubuntu server is using Apache version <code>2.4.29</code> and is running <code>SSH</code> on port 22.</p>



<p class="wp-block-paragraph">The last thing to find is if there are any hidden directories on the Apache webserver.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="779" height="400" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/01/3.-gobuster-h.png?resize=779%2C400" alt="GoBuster results" class="wp-image-791" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/3.-gobuster-h.png?w=779&amp;ssl=1 779w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/3.-gobuster-h.png?resize=300%2C154&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/3.-gobuster-h.png?resize=768%2C394&amp;ssl=1 768w" sizes="(max-width: 779px) 100vw, 779px" /><figcaption>directories</figcaption></figure>



<p class="wp-block-paragraph">Gobuster found a couple of directories, but the ones of importance are <code>/panel</code> and <code>/uploads</code>.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="520" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/01/5.-Task-2-Solutions-1024x520.png?resize=1024%2C520" alt="RootMe Task 2 Solutions" class="wp-image-762" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/5.-Task-2-Solutions.png?resize=1024%2C520&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/5.-Task-2-Solutions.png?resize=300%2C152&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/5.-Task-2-Solutions.png?resize=768%2C390&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/5.-Task-2-Solutions.png?w=1210&amp;ssl=1 1210w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption>Task 2 Solutions</figcaption></figure>



<h2 class="wp-block-heading" id="exploitation">Exploitation</h2>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="208" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/01/6.-Task-3-1024x208.png?resize=1024%2C208" alt="Task 3" class="wp-image-763" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/6.-Task-3.png?resize=1024%2C208&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/6.-Task-3.png?resize=300%2C61&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/6.-Task-3.png?resize=768%2C156&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/6.-Task-3.png?w=1210&amp;ssl=1 1210w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption>Task 3</figcaption></figure>



<p class="wp-block-paragraph">Let&#8217;s check out the <code>/panel/</code> directory. </p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="669" height="707" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/01/4.-panel.png?resize=669%2C707" alt="panel directory" class="wp-image-761" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/4.-panel.png?w=669&amp;ssl=1 669w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/4.-panel.png?resize=284%2C300&amp;ssl=1 284w" sizes="(max-width: 669px) 100vw, 669px" /><figcaption>/panel</figcaption></figure>



<p class="wp-block-paragraph">It looks like we can upload any file we want to it. Let&#8217;s try uploading a <a href="https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php">PHP reverse shell</a>. <a href="https://www.netsparker.com/blog/web-security/understanding-reverse-shells/">&#8220;A reverse shell is a shell session established on a connection that is initiated from a remote machine, not from the attacker’s host.&#8221;</a></p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="669" height="696" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/01/7.-php-denied.png?resize=669%2C696" alt="failed php upload" class="wp-image-764" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/7.-php-denied.png?w=669&amp;ssl=1 669w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/7.-php-denied.png?resize=288%2C300&amp;ssl=1 288w" sizes="(max-width: 669px) 100vw, 669px" /><figcaption>PHP failed upload</figcaption></figure>



<p class="wp-block-paragraph">It looks like the webserver does not allow PHP files to be uploaded to it. <a href="https://vulp3cula.gitbook.io/hackers-grimoire/exploitation/web-application/file-upload-bypass">&#8220;Developers may blacklist specific file extensions and prevent users from uploading files with extensions that are considered dangerous.&#8221;</a></p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="302" height="111" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/01/8.-php2php5.png?resize=302%2C111" alt="php to php5 file" class="wp-image-765" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/8.-php2php5.png?w=302&amp;ssl=1 302w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/8.-php2php5.png?resize=300%2C110&amp;ssl=1 300w" sizes="(max-width: 302px) 100vw, 302px" /><figcaption>changing the file to php5</figcaption></figure>



<p class="wp-block-paragraph">We can try to bypass the file upload blacklist by changing the extension of the file. For example, I have changed the file from <code>reverse.php</code> to <code>reverse.php.php5.</code></p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="670" height="694" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/01/9.-php5-accepted.png?resize=670%2C694" alt="successful php5 file upload" class="wp-image-766" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/9.-php5-accepted.png?w=670&amp;ssl=1 670w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/9.-php5-accepted.png?resize=290%2C300&amp;ssl=1 290w" sizes="(max-width: 670px) 100vw, 670px" /><figcaption>php5 successful upload</figcaption></figure>



<p class="wp-block-paragraph">The file has been successfully uploaded! We can even check out the <code>/uploads/</code> directory to confirm that the file has been uploaded.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="495" height="222" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/01/10.-uploads.png?resize=495%2C222" alt="uploads directory" class="wp-image-767" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/10.-uploads.png?w=495&amp;ssl=1 495w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/10.-uploads.png?resize=300%2C135&amp;ssl=1 300w" sizes="(max-width: 495px) 100vw, 495px" /><figcaption>/uploads directory</figcaption></figure>



<p class="wp-block-paragraph">We can use the <code>netcat</code> tool to listen for incoming IP connections to port 4444. After opening the <code>/uploads/reverse.php.php5</code> file on the web browser it makes the connection.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="774" height="277" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/01/13.-user-h.png?resize=774%2C277" alt="RootMe user.txt" class="wp-image-795" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/13.-user-h.png?w=774&amp;ssl=1 774w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/13.-user-h.png?resize=300%2C107&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/13.-user-h.png?resize=768%2C275&amp;ssl=1 768w" sizes="(max-width: 774px) 100vw, 774px" /><figcaption>user.txt</figcaption></figure>



<p class="wp-block-paragraph">We can use the <code>find</code> command to search for files on the system. Since we know the file we are searching for is named user.txt we can use the <code>-name</code> flag to search for it. The <code>2&gt; /dev/null</code> at the end of the command make sure that nothing else is outputted to the command line.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="209" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/01/14.-Task-3-Solutions-1024x209.png?resize=1024%2C209" alt="RootMe Task 3 solutions" class="wp-image-771" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/14.-Task-3-Solutions.png?resize=1024%2C209&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/14.-Task-3-Solutions.png?resize=300%2C61&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/14.-Task-3-Solutions.png?resize=768%2C157&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/14.-Task-3-Solutions.png?w=1209&amp;ssl=1 1209w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption>Task 3 Solutions</figcaption></figure>



<h2 class="wp-block-heading" id="post-exploitation">Post Exploitation</h2>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="357" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/01/15.-Task-4-1024x357.png?resize=1024%2C357" alt="Task 4" class="wp-image-772" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/15.-Task-4.png?resize=1024%2C357&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/15.-Task-4.png?resize=300%2C104&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/15.-Task-4.png?resize=768%2C267&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/15.-Task-4.png?w=1209&amp;ssl=1 1209w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption>Task 4</figcaption></figure>



<p class="wp-block-paragraph">Before this challenge, I had no idea what SUID permissions were. <a href="https://www.geeksforgeeks.org/finding-files-with-suid-and-sgid-permissions-in-linux/">&#8220;It is special file permission for executable files. This enables other users to run the file with the effective permissions of the file owner.&#8221;</a></p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="500" height="106" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/01/16.-question-hint.png?resize=500%2C106" alt="" class="wp-image-773" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/16.-question-hint.png?w=500&amp;ssl=1 500w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/16.-question-hint.png?resize=300%2C64&amp;ssl=1 300w" sizes="(max-width: 500px) 100vw, 500px" /><figcaption>SUID permission question hint</figcaption></figure>



<p class="wp-block-paragraph">The question hint gives the command <code>find / -user root -perm /4000</code>.  This command finds files and directories, starting at directory /,  displays files owned by root, and with permissions set to 4000. With permissions set to 4000, a user can set the setuid bit and if the file is owned by root, they can escalate their privileges to root.  <a href="https://www.liquidweb.com/kb/how-do-i-set-up-setuid-setgid-and-sticky-bits-on-linux/">If a user executes that program it will do so as if they are the user root instead of themselves.</a></p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="455" height="595" src="//i0.wp.com/eric.cc/wp-content/uploads/2022/02/17.-suid-h.png" alt="" class="wp-image-816" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/02/17.-suid-h.png?w=455&amp;ssl=1 455w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/02/17.-suid-h.png?resize=229%2C300&amp;ssl=1 229w" sizes="(max-width: 455px) 100vw, 455px" /></figure>



<p class="wp-block-paragraph">One that sticks out to us is the <code>/usr/bin/python</code> file. We might be able to execute python code that will set the SUID bit and escalate our privileges to root.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="814" height="312" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/01/18.-gtfobin.png?resize=814%2C312" alt="GTFObin" class="wp-image-775" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/18.-gtfobin.png?w=814&amp;ssl=1 814w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/18.-gtfobin.png?resize=300%2C115&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/18.-gtfobin.png?resize=768%2C294&amp;ssl=1 768w" sizes="(max-width: 814px) 100vw, 814px" /><figcaption>GTFObin</figcaption></figure>



<p class="wp-block-paragraph">This <a href="https://gtfobins.github.io/gtfobins/python/#suid">python code</a> should spawn an interactive bash shell as root.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="471" height="115" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/01/19.-root-h.png?resize=471%2C115" alt="RootMe root.txt" class="wp-image-797" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/19.-root-h.png?w=471&amp;ssl=1 471w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/19.-root-h.png?resize=300%2C73&amp;ssl=1 300w" sizes="(max-width: 471px) 100vw, 471px" /><figcaption>root.txt</figcaption></figure>



<p class="wp-block-paragraph">Just like that, after changing our directory to the /usr/bin and executing the python code we are root. The root.txt file is found in the root directory.</p>



<h2 class="wp-block-heading" id="conclusion">Conclusion</h2>



<p class="wp-block-paragraph">In conclusion, RootMe was a fun challenge with a lot to learn from. We enumerated the services running on the machine, bypassed file upload restrictions, and escalated our privileges through setting SUID permissions. File permissions can cause unauthorized users to have access to resources that they were not intended to have. </p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="358" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/01/20.-Task-4-Solutions-1024x358.png?resize=1024%2C358" alt="RootMe Task 4 Solutions" class="wp-image-777" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/20.-Task-4-Solutions.png?resize=1024%2C358&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/20.-Task-4-Solutions.png?resize=300%2C105&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/20.-Task-4-Solutions.png?resize=768%2C269&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/20.-Task-4-Solutions.png?w=1209&amp;ssl=1 1209w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption>Task 4 Solutions</figcaption></figure>
<p>The post <a href="https://eric.cc/tryhackme-rootme/">TryHackMe: RootMe</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://eric.cc/tryhackme-rootme/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">438</post-id>	</item>
		<item>
		<title>TryHackMe: Kiba</title>
		<link>https://eric.cc/tryhackme-kiba/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=tryhackme-kiba</link>
					<comments>https://eric.cc/tryhackme-kiba/#comments</comments>
		
		<dc:creator><![CDATA[eric]]></dc:creator>
		<pubDate>Wed, 01 Dec 2021 15:00:00 +0000</pubDate>
				<category><![CDATA[Write Ups]]></category>
		<category><![CDATA[TryHackMe]]></category>
		<guid isPermaLink="false">https://eric.cc/?p=335</guid>

					<description><![CDATA[<p><a href="https://eric.cc/tryhackme-kiba/">TryHackMe: Kiba</a><br />
<a href="https://eric.cc">Eric Logan</a></p>
<p>TryHackMe Kiba is a beginner-level challenges that focuses on enumeration and exploitation of the open source software Kibana.</p>
<p>The post <a href="https://eric.cc/tryhackme-kiba/">TryHackMe: Kiba</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><a href="https://eric.cc/tryhackme-kiba/">TryHackMe: Kiba</a><br />
<a href="https://eric.cc">Eric Logan</a></p>

<h2 class="wp-block-heading">Introduction</h2>



<p class="wp-block-paragraph"><a href="https://tryhackme.com/room/kiba">Kiba</a> is a beginner-level challenge from TryHackMe. The point of this challenge is to &#8220;Identify the critical security flaw in the data visualization dashboard, that allows execute remote code execution.&#8221; By identifying the vulnerable service, and their public CVE&#8217;s, we can find an exploit that will give us a foothold onto the server and abuse Linux capabilities to escalate privileges to root.</p>



<h2 class="wp-block-heading">Information Gathering</h2>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="662" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/06/Task-1-1024x662.png?resize=1024%2C662" alt="Kiba tasks" class="wp-image-485" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/06/Task-1.png?resize=1024%2C662&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/06/Task-1.png?resize=300%2C194&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/06/Task-1.png?resize=768%2C496&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/06/Task-1.png?w=1210&amp;ssl=1 1210w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption>Task 1</figcaption></figure>



<p class="wp-block-paragraph">The first question of this challenge: <strong>What is the vulnerability that is specific to programming languages with prototype-based inheritance?</strong> I did not know the answer, but I did know where to find it.  After a quick Google search, we got the answer. It is <code>Prototype pollution</code>.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="691" height="152" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/09/prototype-pollution.png?resize=691%2C152" alt="" class="wp-image-537" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/09/prototype-pollution.png?w=691&amp;ssl=1 691w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/09/prototype-pollution.png?resize=300%2C66&amp;ssl=1 300w" sizes="(max-width: 691px) 100vw, 691px" /><figcaption>Prototype pollution</figcaption></figure>



<p class="wp-block-paragraph">To start this challenge, we will use Nmap to scan the server for its open ports. </p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="560" height="1024" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/11/nmap-h-560x1024.png?resize=560%2C1024" alt="Kiba Nmap results" class="wp-image-722" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/11/nmap-h.png?resize=560%2C1024&amp;ssl=1 560w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/11/nmap-h.png?resize=164%2C300&amp;ssl=1 164w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/11/nmap-h.png?resize=768%2C1404&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/11/nmap-h.png?w=773&amp;ssl=1 773w" sizes="(max-width: 560px) 100vw, 560px" /><figcaption>Nmap</figcaption></figure>



<p class="wp-block-paragraph">On Port 5601, we can see that an application named Kibana is running on the server. Kibana provides &#8220;<a href="https://www.elastic.co/what-is/kibana">search and data visualization capabilities for data indexed in Elasticsearch… It also acts as the user interface for monitoring, managing, and securing an Elastic Stack cluster</a>&#8220;. </p>



<figure class="wp-block-image size-large is-resized"><img data-recalc-dims="1" loading="lazy" decoding="async" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/09/app-1024x493.png?resize=840%2C404" alt="Kibana dashboard" class="wp-image-538" width="840" height="404" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/09/app.png?resize=1024%2C493&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/09/app.png?resize=300%2C145&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/09/app.png?resize=768%2C370&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/09/app.png?resize=1536%2C740&amp;ssl=1 1536w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/09/app.png?w=1918&amp;ssl=1 1918w" sizes="(max-width: 840px) 100vw, 840px" /><figcaption>Kibana Dashboard</figcaption></figure>



<p class="wp-block-paragraph">The answer to the second question can be found hidden within the website&#8217;s source code.  The version of Kibana they are running is version number 6.5.4.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="237" height="30" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/09/version.png?resize=237%2C30" alt="" class="wp-image-539"/><figcaption>Kibana version</figcaption></figure>



<p class="wp-block-paragraph">Now that we know the server is running Kibana version 6.5.4 it&#8217;s time to do some research and find if there are any public CVEs related to it.  </p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="869" height="218" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/09/CVE-number.png?resize=869%2C218" alt="" class="wp-image-540" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/09/CVE-number.png?w=869&amp;ssl=1 869w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/09/CVE-number.png?resize=300%2C75&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/09/CVE-number.png?resize=768%2C193&amp;ssl=1 768w" sizes="(max-width: 869px) 100vw, 869px" /></figure>



<p class="wp-block-paragraph">Published on several large cybersecurity blogs,  CVE-2019-7609 is a vulnerability that allows for remote code to be executed on servers running Kibana version 6.5.4. Luckily, one of the <a href="https://www.tenable.com/blog/cve-2019-7609-exploit-script-available-for-kibana-remote-code-execution-vulnerability">articles</a> that posted about it links to a GitHub repository containing an exploit script.</p>



<h2 class="wp-block-heading">Exploitation</h2>



<p class="wp-block-paragraph">All I had to do was download the <a href="https://github.com/LandGrey/CVE-2019-7609/">GitHub repository</a>, set up a netcat listener on port 4444, and run the script.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="775" height="414" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/07/exploit.png?resize=775%2C414" alt="CVE-2019-7609" class="wp-image-511" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/07/exploit.png?w=775&amp;ssl=1 775w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/07/exploit.png?resize=300%2C160&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/07/exploit.png?resize=768%2C410&amp;ssl=1 768w" sizes="(max-width: 775px) 100vw, 775px" /><figcaption>Kiba Exploit</figcaption></figure>



<h2 class="wp-block-heading">Post Exploitation</h2>



<p class="wp-block-paragraph">Finding the user.txt flag was trivial, all I had to do was change my directory to /home/Kiba and use the command <code>cat user.txt</code>.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="625" height="646" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/11/user-h.png?resize=625%2C646" alt="Kiba user.txt flag" class="wp-image-723" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/11/user-h.png?w=625&amp;ssl=1 625w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/11/user-h.png?resize=290%2C300&amp;ssl=1 290w" sizes="(max-width: 625px) 100vw, 625px" /><figcaption>user.txt</figcaption></figure>



<p class="wp-block-paragraph">Questions 5 and 6 give us a direction we can take to gain root privileges. Question 5 does not need to be answered, but it should be noted. Question 6: <strong>How would you recursively list all of these capabilities?</strong> The <code>getcap -r /</code> command will recursively <a href="https://man7.org/linux/man-pages/man8/getcap.8.html">examine file capabilities</a> within the directory. </p>



<p class="wp-block-paragraph">When running this command in the Kiba home directory, we can see that <code>python3 = cap_setuid+ep</code>. This means that I manipulate my user identifier to <a href="https://medium.com/@gggauravgandhi/uid-user-identifier-and-gid-group-identifier-in-linux-121ea68bf510">any number used to identify the user to the system and to determine which system resources</a> I have access to. </p>



<p class="wp-block-paragraph">This <a href="https://gtfobins.github.io/gtfobins/python/#capabilities">snippet</a> from GTFObins allows me to use python to escalate my privileges to root by setting my uid to 0.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="786" height="226" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/11/root-h.png?resize=786%2C226" alt="privilege escalation" class="wp-image-724" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/11/root-h.png?w=786&amp;ssl=1 786w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/11/root-h.png?resize=300%2C86&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/11/root-h.png?resize=768%2C221&amp;ssl=1 768w" sizes="(max-width: 786px) 100vw, 786px" /></figure>



<p class="wp-block-paragraph">Now that we have rooted the box, we can change to the root directory and read the root.txt flag.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="432" height="195" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/11/root-txt-h.png?resize=432%2C195" alt="Kiba root.txt flag" class="wp-image-725" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/11/root-txt-h.png?w=432&amp;ssl=1 432w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/11/root-txt-h.png?resize=300%2C135&amp;ssl=1 300w" sizes="(max-width: 432px) 100vw, 432px" /><figcaption>root.txt</figcaption></figure>



<h2 class="wp-block-heading">Conclusion</h2>



<p class="wp-block-paragraph">In conclusion, this was a really fun and straightforward challenge to complete. The questions were able to guide me in the right direction without giving too much away. Through this, I learned about Linux capabilities and how to exploit its privileges.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="681" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/07/Task-1-Solutions-1024x681.png?resize=1024%2C681" alt="Kiba Solutions" class="wp-image-515" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/07/Task-1-Solutions.png?resize=1024%2C681&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/07/Task-1-Solutions.png?resize=300%2C199&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/07/Task-1-Solutions.png?resize=768%2C511&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/07/Task-1-Solutions.png?w=1211&amp;ssl=1 1211w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption>Task 1 Solutions</figcaption></figure>
<p>The post <a href="https://eric.cc/tryhackme-kiba/">TryHackMe: Kiba</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://eric.cc/tryhackme-kiba/feed/</wfw:commentRss>
			<slash:comments>1</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">335</post-id>	</item>
		<item>
		<title>TryHackMe: GamingServer</title>
		<link>https://eric.cc/tryhackme-gamingserver/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=tryhackme-gamingserver</link>
					<comments>https://eric.cc/tryhackme-gamingserver/#respond</comments>
		
		<dc:creator><![CDATA[eric]]></dc:creator>
		<pubDate>Wed, 01 Sep 2021 14:00:00 +0000</pubDate>
				<category><![CDATA[Write Ups]]></category>
		<category><![CDATA[TryHackMe]]></category>
		<guid isPermaLink="false">http://eric.cc/?p=92</guid>

					<description><![CDATA[<p><a href="https://eric.cc/tryhackme-gamingserver/">TryHackMe: GamingServer</a><br />
<a href="https://eric.cc">Eric Logan</a></p>
<p>TryHackMe: GamingServer is an easy boot2root challenge on TryHackMe. This challenge simulates a &#8220;gaming server built by amateurs with no experience in web development.&#8221; With an exposed RSA Private Key, we can gain a foothold onto the server and take advantage of lxd, a development system, to escalate privileges to root. Information Gathering As always, [&#8230;]</p>
<p>The post <a href="https://eric.cc/tryhackme-gamingserver/">TryHackMe: GamingServer</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><a href="https://eric.cc/tryhackme-gamingserver/">TryHackMe: GamingServer</a><br />
<a href="https://eric.cc">Eric Logan</a></p>

<p class="wp-block-paragraph">TryHackMe: <a href="https://tryhackme.com/room/gamingserver">GamingServer</a> is an easy boot2root challenge on TryHackMe. This challenge simulates a &#8220;gaming server built by amateurs with no experience in web development.&#8221; With an exposed RSA Private Key, we can gain a foothold onto the server and take advantage of lxd, a development system, to escalate privileges to root.</p>



<h2 class="wp-block-heading">Information Gathering</h2>



<p class="wp-block-paragraph">As always, to start the information gathering phase of this challenge, we will use Nmap to scan all ports at the GamingServer&#8217;s IP address. </p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="758" height="326" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/05/nmap.png?resize=758%2C326" alt="GamingServer Nmap results" class="wp-image-447" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/nmap.png?w=758&amp;ssl=1 758w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/nmap.png?resize=300%2C129&amp;ssl=1 300w" sizes="(max-width: 758px) 100vw, 758px" /><figcaption class="wp-element-caption">Nmap results</figcaption></figure>



<p class="wp-block-paragraph">On this Ubuntu Linux machine, 2 out of the 65535 ports are open. Port 22 is running SSH version OpenSSH 7.6p1 and port 80 is running Apache 2.4.29. By going to this IP address in our browser, we can see that the apache web server is hosting a website called Draagan. </p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="698" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/05/website-1-1024x698.png?resize=1024%2C698" alt="GamingServer Draagan website" class="wp-image-450" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/website-1.png?resize=1024%2C698&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/website-1.png?resize=300%2C204&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/website-1.png?resize=768%2C523&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/website-1.png?w=1199&amp;ssl=1 1199w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">GamingServer website</figcaption></figure>



<p class="wp-block-paragraph">It looks like the gaming server&#8217;s website is still under construction.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="695" height="19" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/05/view-source-username-john.png?resize=695%2C19" alt="Draagan source code." class="wp-image-451" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/view-source-username-john.png?w=695&amp;ssl=1 695w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/view-source-username-john.png?resize=300%2C8&amp;ssl=1 300w" sizes="(max-width: 695px) 100vw, 695px" /><figcaption class="wp-element-caption">HTML source code</figcaption></figure>



<p class="wp-block-paragraph">Going to the browser&#8217;s source code, we can see that the developers left a comment for John. We can conclude that John is the user account we should be targeting during this assessment. </p>



<p class="wp-block-paragraph">The overall functionality of this website is limited and does not give us an ample foothold onto the server. Therefore, another directory will give us the information we need to gain access to this machine.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="778" height="345" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/05/gobuster.png?resize=778%2C345" alt="GamingServer Gobuster results" class="wp-image-452" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/gobuster.png?w=778&amp;ssl=1 778w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/gobuster.png?resize=300%2C133&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/gobuster.png?resize=768%2C341&amp;ssl=1 768w" sizes="(max-width: 778px) 100vw, 778px" /><figcaption class="wp-element-caption">Gobuster results</figcaption></figure>



<p class="wp-block-paragraph">Using a tool like Gobuster, we can enumerate the directories and files on the webserver. The results above show that the /uploads and /secret directories could hold valuable information. </p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="490" height="275" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/05/uploads.png?resize=490%2C275" alt="GamingServer uploads directory" class="wp-image-453" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/uploads.png?w=490&amp;ssl=1 490w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/uploads.png?resize=300%2C168&amp;ssl=1 300w" sizes="(max-width: 490px) 100vw, 490px" /><figcaption class="wp-element-caption">/uploads directory</figcaption></figure>



<p class="wp-block-paragraph">Unless you want to read <a href="http://phrack.org/issues/7/3.html">the hacker manifesto</a> by The Mentor or look at a picture of a shocked Beaker from the Muppets, there isn&#8217;t any particular value from the manifesto.txt or meme.jpg files. However, the file of interest is the dict.lst file a dictionary list that contains common passwords.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="345" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/06/secrets-1024x345.png?resize=1024%2C345" alt="GamingServer secret directory" class="wp-image-503" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/06/secrets.png?resize=1024%2C345&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/06/secrets.png?resize=300%2C101&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/06/secrets.png?resize=768%2C259&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/06/secrets.png?w=1364&amp;ssl=1 1364w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">/secret directory</figcaption></figure>



<p class="wp-block-paragraph">The /secret directory only has one file named secretKey. The secretKey refers to an RSA Private Key which can be used to authenticate SSH access. </p>



<h2 class="wp-block-heading">Exploitation</h2>



<p class="wp-block-paragraph">To start, we will copy the RSA private key into a file called id_rsa and permit it 600. Then will use the tool ssh2john.py to convert the id_rsa file into a format that John the Ripper will be able to crack. Finally, using the dict.lst we copied from the /uploads directory, we can then crack the RSA Private Key passphrase. </p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="667" height="443" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/06/john.png?resize=667%2C443" alt="GamingServer Cracked RSA passphrase" class="wp-image-481" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/06/john.png?w=667&amp;ssl=1 667w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/06/john.png?resize=300%2C199&amp;ssl=1 300w" sizes="(max-width: 667px) 100vw, 667px" /><figcaption class="wp-element-caption">RSA passphrase cracked</figcaption></figure>



<p class="wp-block-paragraph">After a couple of minutes, the RSA Private Key passphrase has been cracked, and the passphrase is <code>letmein</code>.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="653" height="484" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/05/user.txt.png?resize=653%2C484" alt="GamingServer user.txt" class="wp-image-459" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/user.txt.png?w=653&amp;ssl=1 653w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/user.txt.png?resize=300%2C222&amp;ssl=1 300w" sizes="(max-width: 653px) 100vw, 653px" /><figcaption class="wp-element-caption">user.txt</figcaption></figure>



<p class="wp-block-paragraph">Using the private key file, id_rsa, we can then use the id_rsa file to ssh into the machine as John. That&#8217;s where we can find the user.txt flag <code>a5c2ff8b9c2e3d4fe9d4ff2f1a5a6e7e</code>.</p>



<h2 class="wp-block-heading">Post Exploitation</h2>



<p class="wp-block-paragraph">The last thing we need to do to complete this challenge is escalating our privileges to root and find the root.txt flag. </p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="344" height="82" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/05/sudo-l.png?resize=344%2C82" alt="sudo -l (fail)" class="wp-image-460" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/sudo-l.png?w=344&amp;ssl=1 344w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/sudo-l.png?resize=300%2C72&amp;ssl=1 300w" sizes="(max-width: 344px) 100vw, 344px" /><figcaption class="wp-element-caption">sudo -l</figcaption></figure>



<p class="wp-block-paragraph">Unlike other privilege escalation challenges, the sudo -l command does not bear much information because we do not have john&#8217;s password.  </p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="734" height="171" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/05/transfer-linpeas.png?resize=734%2C171" alt="uploading linpeas.sh to the server" class="wp-image-463" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/transfer-linpeas.png?w=734&amp;ssl=1 734w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/transfer-linpeas.png?resize=300%2C70&amp;ssl=1 300w" sizes="(max-width: 734px) 100vw, 734px" /><figcaption class="wp-element-caption">uploading linpeas.sh</figcaption></figure>



<p class="wp-block-paragraph">However, we can upload a tool called linpeas.sh onto the server to <a href="https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS">search for possible paths to escalate privileges on Linux/Unix*/MacOS hosts.</a>  LinPEAS, Linux Privilege Escalation Awesome Script, is a great tool to automate the privilege escalation process. </p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="779" height="328" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/05/linpeas.png?resize=779%2C328" alt="GamingServer linpeas.sh results" class="wp-image-461" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/linpeas.png?w=779&amp;ssl=1 779w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/linpeas.png?resize=300%2C126&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/linpeas.png?resize=768%2C323&amp;ssl=1 768w" sizes="(max-width: 779px) 100vw, 779px" /><figcaption class="wp-element-caption">linpeas.sh results</figcaption></figure>



<p class="wp-block-paragraph">As the legend states, anything with a highlighted RED/YELLOW text indicates it is 95% a Privilege escalation vector.  LXD, highlighted above, <a href="https://searchitoperations.techtarget.com/definition/LXD-Linux-container-hypervisor">is an open-source container management extension for Linux Containers (LXC)</a>. </p>



<p class="wp-block-paragraph">The LinPeas README file states that all of LinPeas&#8217; checks are explained in book.hacktricks.xyz. This <a href="https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation">website</a> has instructions on how to escalate our privileges to root because we are a part of lxd/lxc group.  </p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="476" height="705" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/05/lxd-priv.png?resize=476%2C705" alt="lxd privilege escalation" class="wp-image-462" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/lxd-priv.png?w=476&amp;ssl=1 476w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/lxd-priv.png?resize=203%2C300&amp;ssl=1 203w" sizes="(max-width: 476px) 100vw, 476px" /><figcaption class="wp-element-caption">lxd privilege escalation</figcaption></figure>



<p class="wp-block-paragraph">Run the first block of commands on your host machine and then upload it to the victim server.  </p>



<figure class="wp-block-image size-large is-resized"><img data-recalc-dims="1" loading="lazy" decoding="async" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/05/uploaded.png?resize=747%2C346" alt="uploading lxd.tar.xz and rootfs.squashfs files" class="wp-image-465" style="width:747px;height:346px" width="747" height="346" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/uploaded.png?w=747&amp;ssl=1 747w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/uploaded.png?resize=300%2C139&amp;ssl=1 300w" sizes="(max-width: 747px) 100vw, 747px" /><figcaption class="wp-element-caption">uploading lxd privilege escalation</figcaption></figure>



<p class="wp-block-paragraph">After uploading the lxd.tar.xz and rootfs.squashfs file, we add the image, create a container and add root path, and finally execute the container to become root.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="775" height="175" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/05/root.png?resize=775%2C175" alt="Privilege escalation" class="wp-image-466" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/root.png?w=775&amp;ssl=1 775w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/root.png?resize=300%2C68&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/root.png?resize=768%2C173&amp;ssl=1 768w" sizes="(max-width: 775px) 100vw, 775px" /><figcaption class="wp-element-caption">becoming root</figcaption></figure>



<p class="wp-block-paragraph">The last thing to do is to find the root.txt flag. </p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="604" height="260" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/05/root.txt.png?resize=604%2C260" alt="GamingServer root.txt" class="wp-image-467" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/root.txt.png?w=604&amp;ssl=1 604w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/root.txt.png?resize=300%2C129&amp;ssl=1 300w" sizes="(max-width: 604px) 100vw, 604px" /><figcaption class="wp-element-caption">root.txt</figcaption></figure>



<p class="wp-block-paragraph">It took some time but the root directory was accessible in the /mnt directory. Revealing that the root.txt flag is <code>2e337b8c9f3aff0c2b3e8d4e6a7c88fc</code>. </p>



<h2 class="wp-block-heading">Conclusion</h2>



<p class="wp-block-paragraph">In conclusion, this challenge was really fun and seemed more realistic than previous challenges. People upload their RSA private keys in directories they think people won&#8217;t find all the time. Like I said above, it took some time to find the root flag but it was better than just rushing over to the /root directory and finding it there.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="297" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/05/Task-1-1024x297.png?resize=1024%2C297" alt="GamingServer solutions" class="wp-image-446" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/Task-1.png?resize=1024%2C297&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/Task-1.png?resize=300%2C87&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/Task-1.png?resize=768%2C223&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/Task-1.png?w=1211&amp;ssl=1 1211w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Task 1 Solution</figcaption></figure>
<p>The post <a href="https://eric.cc/tryhackme-gamingserver/">TryHackMe: GamingServer</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://eric.cc/tryhackme-gamingserver/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">92</post-id>	</item>
		<item>
		<title>TryHackMe: Brute It</title>
		<link>https://eric.cc/tryhackme-brute-it/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=tryhackme-brute-it</link>
					<comments>https://eric.cc/tryhackme-brute-it/#comments</comments>
		
		<dc:creator><![CDATA[eric]]></dc:creator>
		<pubDate>Thu, 10 Jun 2021 11:00:00 +0000</pubDate>
				<category><![CDATA[Write Ups]]></category>
		<category><![CDATA[TryHackMe]]></category>
		<guid isPermaLink="false">http://eric.cc/?p=91</guid>

					<description><![CDATA[<p><a href="https://eric.cc/tryhackme-brute-it/">TryHackMe: Brute It</a><br />
<a href="https://eric.cc">Eric Logan</a></p>
<p>Brute It is a beginner-friendly challenge by TryHackMe. It is separated into three tasks reconnaissance, getting a shell, and privilege escalation with questions along the way to guide you throughout the engagement. It is a bit more hand-holding but was a fun challenge nonetheless. This box requires you to brute force, crack hashes, and escalate [&#8230;]</p>
<p>The post <a href="https://eric.cc/tryhackme-brute-it/">TryHackMe: Brute It</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><a href="https://eric.cc/tryhackme-brute-it/">TryHackMe: Brute It</a><br />
<a href="https://eric.cc">Eric Logan</a></p>

<p class="wp-block-paragraph"><a href="https://tryhackme.com/room/bruteit">Brute It</a> is a beginner-friendly challenge by TryHackMe. It is separated into three tasks reconnaissance, getting a shell, and privilege escalation with questions along the way to guide you throughout the engagement. It is a bit more hand-holding but was a fun challenge nonetheless. This box requires you to brute force, crack hashes, and escalate privileges to root.</p>



<h2 class="wp-block-heading">Task 2 &#8211; Reconnaissance </h2>



<div class="wp-block-group"><div class="wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow">
<p class="wp-block-paragraph">The reconnaissance phase of this challenge is equivalent to gathering information on an assessment. Information such as how many ports are open, what services they are running, and what operating system it uses is important to determine how to attack this system. Other than discovering the web server&#8217;s hidden directories, most of the information can be gathered through Nmap. </p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="526" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/04/task-2-incomplete-1024x526.png?resize=1024%2C526" alt="Brute It Reconnaissance" class="wp-image-384" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/task-2-incomplete.png?resize=1024%2C526&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/task-2-incomplete.png?resize=300%2C154&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/task-2-incomplete.png?resize=768%2C394&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/task-2-incomplete.png?w=1209&amp;ssl=1 1209w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption>Task 2</figcaption></figure>



<p class="wp-block-paragraph">To start off the reconnaissance phase, we run Nmap to scan against all the ports, 1-65535. Nmap, short for network mapper, &#8220;<a href="https://en.wikipedia.org/wiki/Nmap">is used to discover hosts and services on a computer network by sending packets and analyzing the responses.</a>&#8220;</p>
</div></div>



<div class="wp-block-group"><div class="wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow">
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="765" height="325" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/04/nmap-h.png?resize=765%2C325" alt="Brute It Nmap results" class="wp-image-385" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/nmap-h.png?w=765&amp;ssl=1 765w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/nmap-h.png?resize=300%2C127&amp;ssl=1 300w" sizes="(max-width: 765px) 100vw, 765px" /><figcaption>Nmap results</figcaption></figure>



<p class="wp-block-paragraph">The highlighted sections of the scan will be used to answer the questions. This Ubuntu Linux machine has 2 open ports. Port 22 is running SSH version OpenSSH 7.6p1 and port 80 is running HTTP Apache web server version 2.4.29.</p>



<p class="wp-block-paragraph">All there is left to do is to find the hidden directory running on the server&#8217;s website. </p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="773" height="294" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/04/gobuster-h.png?resize=773%2C294" alt="Brute It Gobuster results" class="wp-image-386" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/gobuster-h.png?w=773&amp;ssl=1 773w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/gobuster-h.png?resize=300%2C114&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/gobuster-h.png?resize=768%2C292&amp;ssl=1 768w" sizes="(max-width: 773px) 100vw, 773px" /><figcaption>gobuster results</figcaption></figure>



<p class="wp-block-paragraph">Tools like Gobuster and Dirbuster use wordlists to enumerate directories and files. The /admin directory gives us a response status code of 301, meaning it has moved permanently, which will redirect us to another page. As one can guess, by going to this page we are greeted with an admin login panel.</p>
</div></div>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="525" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/03/Task-2-1024x525.png?resize=1024%2C525" alt="" class="wp-image-98" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/03/Task-2.png?resize=1024%2C525&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/03/Task-2.png?resize=300%2C154&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/03/Task-2.png?resize=768%2C394&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/03/Task-2.png?resize=1200%2C615&amp;ssl=1 1200w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/03/Task-2.png?w=1210&amp;ssl=1 1210w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption>Task 2 Solutions</figcaption></figure>



<h2 class="wp-block-heading">Task 3 &#8211; Getting a shell</h2>



<p class="wp-block-paragraph">Now that the necessary information has been gathered, it is time to get a shell on this system. To start, we will need to brute force the username and password of the admin panel. As well as crack John&#8217;s RSA Private Key phrase. Finally, we will enumerate the system for the challenge&#8217;s Web and <em>user.txt</em> flags.</p>



<div class="wp-block-group"><div class="wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow">
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="445" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/04/task-3-imcomplete-1024x445.png?resize=1024%2C445" alt="" class="wp-image-387" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/task-3-imcomplete.png?resize=1024%2C445&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/task-3-imcomplete.png?resize=300%2C130&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/task-3-imcomplete.png?resize=768%2C334&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/task-3-imcomplete.png?w=1208&amp;ssl=1 1208w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption>Task 3</figcaption></figure>



<p class="wp-block-paragraph">When going to the /admin/ directory, there is a login screen needing a username and password. </p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="493" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/04/admin-portal-1024x493.png?resize=1024%2C493" alt="" class="wp-image-388" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/admin-portal.png?resize=1024%2C493&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/admin-portal.png?resize=300%2C145&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/admin-portal.png?resize=768%2C370&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/admin-portal.png?resize=1536%2C740&amp;ssl=1 1536w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/admin-portal.png?w=1918&amp;ssl=1 1918w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption>admin panel</figcaption></figure>



<p class="wp-block-paragraph">By using a tool like Hydra, we can brute force the login credentials to the admin account. The web browser&#8217;s built-in dev tools can analyze the traffic being sent to and from the server. Every time we log in we send a post request to /admin/index.php with the user and pass in the body parameters. We add <code>Username or password invalid</code> at the end of the command to know if a login has been successful.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="774" height="248" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/04/hydra.png?resize=774%2C248" alt="" class="wp-image-389" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/hydra.png?w=774&amp;ssl=1 774w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/hydra.png?resize=300%2C96&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/hydra.png?resize=768%2C246&amp;ssl=1 768w" sizes="(max-width: 774px) 100vw, 774px" /><figcaption>admin panel credentials</figcaption></figure>



<p class="wp-block-paragraph">After going through thousands of common passwords, we can see that the admin uses the password <code>xavier</code> to log in. The /admin/panel directory has the web flag <code>THM{brut3_f0rce_is_e4sy}</code> as well as a link to John&#8217;s RSA Private Key.</p>



<figure class="wp-block-image size-large is-resized"><img data-recalc-dims="1" loading="lazy" decoding="async" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/06/web-and-rsa-1024x330.png?resize=1045%2C336" alt="" class="wp-image-476" width="1045" height="336" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/06/web-and-rsa.png?resize=1024%2C330&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/06/web-and-rsa.png?resize=300%2C97&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/06/web-and-rsa.png?resize=768%2C247&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/06/web-and-rsa.png?w=1426&amp;ssl=1 1426w" sizes="(max-width: 1045px) 100vw, 1045px" /><figcaption>Web flag and RSA Private Key</figcaption></figure>



<p class="wp-block-paragraph">The admin of this system has set up SSH key-based authentication. Key-based authentication &#8220;<a href="https://null-byte.wonderhowto.com/how-to/crack-ssh-private-key-passwords-with-john-ripper-0302810/">uses cryptography to ensure secure connections… The private key should be kept secret and is used to connect to machines that have the matching public key</a>&#8220;. By cracking the private key&#8217;s passphrase, we will be able to SSH into the system as John.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="675" height="249" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/04/id_rsa-hash-cracked-1.png?resize=675%2C249" alt="" class="wp-image-393" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/id_rsa-hash-cracked-1.png?w=675&amp;ssl=1 675w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/id_rsa-hash-cracked-1.png?resize=300%2C111&amp;ssl=1 300w" sizes="(max-width: 675px) 100vw, 675px" /><figcaption>RSA passphrase cracked</figcaption></figure>



<p class="wp-block-paragraph"><em>ssh2john.py</em> is a program that will convert the <em>id_rsa</em> file into a format that John the Ripper will be able to crack. With a file like <em>rockyou.txt</em>, filled with millions of common passwords, we can find the password by performing a dictionary attack against the <em>id_rsa.hash</em> file. The password associated with the SSH Private Key is <code>rockinroll</code>. </p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="564" height="500" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/04/user.txt-2.png?resize=564%2C500" alt="Brute It user.txt" class="wp-image-395" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/user.txt-2.png?w=564&amp;ssl=1 564w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/user.txt-2.png?resize=300%2C266&amp;ssl=1 300w" sizes="(max-width: 564px) 100vw, 564px" /><figcaption>user.txt</figcaption></figure>



<p class="wp-block-paragraph">After changing the <em>id_rsa&#8217;s</em> file permissions to 600, we can use SSH&#8217;s identity option to log in as John. Found in John&#8217;s home directory is the <em>user.txt</em> file containing the flag <code>THM{a_password_is_not_a_barrier}</code>.</p>
</div></div>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="432" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/03/Task-3-1024x432.png?resize=1024%2C432" alt="" class="wp-image-99" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/03/Task-3.png?resize=1024%2C432&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/03/Task-3.png?resize=300%2C127&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/03/Task-3.png?resize=768%2C324&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/03/Task-3.png?resize=1200%2C506&amp;ssl=1 1200w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/03/Task-3.png?w=1209&amp;ssl=1 1209w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption>Task 3 Solutions</figcaption></figure>



<h2 class="wp-block-heading">Task 4 &#8211; Privilege Escalation</h2>



<p class="wp-block-paragraph">The last thing we need to do on this system is to escalate our privileges to root. By becoming root, we have effectively taken over this system and owned it.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="284" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/04/task-4-imcomplete-1024x284.png?resize=1024%2C284" alt="" class="wp-image-396" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/task-4-imcomplete.png?resize=1024%2C284&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/task-4-imcomplete.png?resize=300%2C83&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/task-4-imcomplete.png?resize=768%2C213&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/task-4-imcomplete.png?w=1210&amp;ssl=1 1210w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption>Task 4</figcaption></figure>



<p class="wp-block-paragraph"><code>Sudo -l</code> lists commands John can use with root privileges without being root. The <code>cat</code> command can read data from files but because John can run it as root <a href="https://gtfobins.github.io/gtfobins/cat/#sudo">&#8220;it may be used to do privileged reads or disclose files outside a restricted file system&#8221;</a>.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="746" height="147" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/04/root.txt-1.png?resize=746%2C147" alt="Brute It root.txt" class="wp-image-397" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/root.txt-1.png?w=746&amp;ssl=1 746w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/root.txt-1.png?resize=300%2C59&amp;ssl=1 300w" sizes="(max-width: 746px) 100vw, 746px" /><figcaption>root.txt</figcaption></figure>



<p class="wp-block-paragraph">This means that our user John has the ability to read the <em>root.txt</em> flag. All we need to do is navigate to the root directory to read it. The <em>root.txt</em> flag is <code>THM{pr1v1l3g3_3sc4l4t10n}</code>.</p>



<p class="wp-block-paragraph">Reading any file on the system is nice, but it does not mean we owned this system entirely. I collected the <em>/etc/passwd</em> and <em>/etc/shadow</em> files off the system to get the root&#8217;s password. These files are the operating system&#8217;s authentication schemes and store the operating system&#8217;s login information.</p>



<figure class="wp-block-image size-large is-resized"><img data-recalc-dims="1" loading="lazy" decoding="async" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/04/etc-passwd-shadow-1024x344.png?resize=1049%2C352" alt="" class="wp-image-398" width="1049" height="352" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/etc-passwd-shadow.png?resize=1024%2C344&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/etc-passwd-shadow.png?resize=300%2C101&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/etc-passwd-shadow.png?resize=768%2C258&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/etc-passwd-shadow.png?w=1527&amp;ssl=1 1527w" sizes="(max-width: 1049px) 100vw, 1049px" /><figcaption>/etc/passwd and /etc/shadow files</figcaption></figure>



<p class="wp-block-paragraph">Before we use John the Ripper to find out the root&#8217;s password we need to put it in a format that john will understand. To do this we will use the unshadow command. <code>unshadow passwd.txt shadow.txt &gt; pass.txt</code></p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="766" height="278" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/04/root-password.png?resize=766%2C278" alt="" class="wp-image-401" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/root-password.png?w=766&amp;ssl=1 766w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/root-password.png?resize=300%2C109&amp;ssl=1 300w" sizes="(max-width: 766px) 100vw, 766px" /><figcaption>root password</figcaption></figure>



<p class="wp-block-paragraph">Having John the Ripper work its magic for a couple of minutes, we can see that the root&#8217;s password is <code>football</code>. We will then be able to switch users and become root.</p>



<figure class="wp-block-image size-large is-resized"><img data-recalc-dims="1" decoding="async" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/04/root-1.png?w=1200" alt="" class="wp-image-400"  /><figcaption>root</figcaption></figure>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="281" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/03/Task-4-1024x281.png?resize=1024%2C281" alt="Brute It solutions" class="wp-image-100" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/03/Task-4.png?resize=1024%2C281&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/03/Task-4.png?resize=300%2C82&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/03/Task-4.png?resize=768%2C211&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/03/Task-4.png?resize=1200%2C329&amp;ssl=1 1200w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/03/Task-4.png?w=1210&amp;ssl=1 1210w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption>Task 4 Solutions</figcaption></figure>



<h2 class="wp-block-heading">Conclusion</h2>



<p class="wp-block-paragraph">In conclusion, this is a nice follow-up to the <a href="http://vps-1a659a37.vps.ovh.us/thm-brooklyn-nine-nine/">Brooklyn Nine Nine</a>. This box required various types of brute force attacks. The admin panel credentials, the RSA key, and the root password all had to be brute forced to complete this challenge. It just goes to show that passwords are not the end all be all to security.</p>
<p>The post <a href="https://eric.cc/tryhackme-brute-it/">TryHackMe: Brute It</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://eric.cc/tryhackme-brute-it/feed/</wfw:commentRss>
			<slash:comments>1</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">91</post-id>	</item>
		<item>
		<title>TryHackMe: Brooklyn Nine Nine</title>
		<link>https://eric.cc/tryhackme-brooklyn-nine-nine/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=tryhackme-brooklyn-nine-nine</link>
					<comments>https://eric.cc/tryhackme-brooklyn-nine-nine/#respond</comments>
		
		<dc:creator><![CDATA[eric]]></dc:creator>
		<pubDate>Wed, 12 May 2021 20:22:31 +0000</pubDate>
				<category><![CDATA[Write Ups]]></category>
		<category><![CDATA[TryHackMe]]></category>
		<guid isPermaLink="false">http://eric.cc/?p=77</guid>

					<description><![CDATA[<p><a href="https://eric.cc/tryhackme-brooklyn-nine-nine/">TryHackMe: Brooklyn Nine Nine</a><br />
<a href="https://eric.cc">Eric Logan</a></p>
<p>TryHackMe: Brooklyn Nine Nine is a beginner-level boot2root style challenge. The goal of the challenge is to find and read the contents of the user.txt and root.txt files located on the machine. Brooklyn Nine Nine shows the importance of information gathering and how to use it to gain access to a system. It also highlights [&#8230;]</p>
<p>The post <a href="https://eric.cc/tryhackme-brooklyn-nine-nine/">TryHackMe: Brooklyn Nine Nine</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><a href="https://eric.cc/tryhackme-brooklyn-nine-nine/">TryHackMe: Brooklyn Nine Nine</a><br />
<a href="https://eric.cc">Eric Logan</a></p>

<p class="wp-block-paragraph">TryHackMe: <a href="https://tryhackme.com/room/brooklynninenine" target="_blank" rel="noreferrer noopener">Brooklyn Nine Nine</a> is a beginner-level boot2root style challenge.  The goal of the challenge is to find and read the contents of the user.txt and root.txt files located on the machine. Brooklyn Nine Nine shows the importance of information gathering and how to use it to gain access to a system. It also highlights the importance of avoiding weak passwords. As noted by the challenge&#8217;s author, there are two main intended ways to complete this room.  This write-up goes through one of the solutions. </p>



<h2 class="wp-block-heading"><strong>Information Gathering</strong></h2>



<p class="wp-block-paragraph">After booting the machine up, I use Nmap to scan every port at the IP address. </p>



<div class="wp-block-group"><div class="wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow">
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="762" height="578" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/04/nmap-1.png?resize=762%2C578" alt="Brooklyn Nine Nine nmap scan" class="wp-image-377" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/nmap-1.png?w=762&amp;ssl=1 762w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/nmap-1.png?resize=300%2C228&amp;ssl=1 300w" sizes="(max-width: 762px) 100vw, 762px" /><figcaption class="wp-element-caption">nmap results</figcaption></figure>



<p class="wp-block-paragraph">Looking at these results, we see that the ftp port is open and allows anonymous ftp login. Highlighted above, the user anonymous has read write privileges to the file <em>note_to_jake.txt</em>.</p>
</div></div>



<h2 class="wp-block-heading"><strong>Exploitation</strong></h2>



<div class="wp-block-group"><div class="wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow">
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="589" height="269" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/04/ftp.png?resize=589%2C269" alt="Brooklyn Nine Nine ftp access" class="wp-image-366" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/ftp.png?w=589&amp;ssl=1 589w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/ftp.png?resize=300%2C137&amp;ssl=1 300w" sizes="(max-width: 589px) 100vw, 589px" /><figcaption class="wp-element-caption">anonymous ftp</figcaption></figure>



<p class="wp-block-paragraph">Using the command <code>ftp 10.10.207.118</code> and putting anonymous as our username, any password is valid and can log me in. After logging in, we can see that there is a <em>note_to_jake.txt</em> file waiting for us. The command <code>get note_to_jake.txt</code><em> </em>will then download the file to our client.</p>



<figure class="wp-block-image size-large is-resized"><img data-recalc-dims="1" loading="lazy" decoding="async" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/04/note_to_jake.png?resize=772%2C103" alt="Brooklyn Nine Nine note_to_jake.txt" class="wp-image-367" style="width:772px;height:103px" width="772" height="103" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/note_to_jake.png?w=772&amp;ssl=1 772w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/note_to_jake.png?resize=300%2C40&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/note_to_jake.png?resize=768%2C102&amp;ssl=1 768w" sizes="(max-width: 772px) 100vw, 772px" /><figcaption class="wp-element-caption">note_to_jake.txt</figcaption></figure>



<p class="wp-block-paragraph">Amy is letting us know that Jake has a weak password. We can then use a tool called Hydra to brute force Jake&#8217;s ssh password.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="778" height="282" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/04/hydra-jake.png?resize=778%2C282" alt="Brooklyn Nine Nine Jake's password" class="wp-image-368" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/hydra-jake.png?w=778&amp;ssl=1 778w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/hydra-jake.png?resize=300%2C109&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/hydra-jake.png?resize=768%2C278&amp;ssl=1 768w" sizes="(max-width: 778px) 100vw, 778px" /><figcaption class="wp-element-caption">hydra results</figcaption></figure>



<p class="wp-block-paragraph">By setting the username and using the <em>rockyou.txt</em> password list we can launch a dictionary attack against the server&#8217;s ssh protocol. The results show that Jake&#8217;s password is 987654321.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="631" height="214" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/04/ssh-jake.png?resize=631%2C214" alt="ssh access" class="wp-image-369" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/ssh-jake.png?w=631&amp;ssl=1 631w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/ssh-jake.png?resize=300%2C102&amp;ssl=1 300w" sizes="(max-width: 631px) 100vw, 631px" /><figcaption class="wp-element-caption">connecting to the server as jake</figcaption></figure>



<p class="wp-block-paragraph">We can ssh to the server by using Jake&#8217;s credentials. </p>
</div></div>



<h2 class="wp-block-heading"><strong>Post Exploitation</strong></h2>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="393" height="162" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/04/user.txt.png?resize=393%2C162" alt="Brooklyn Nine Nine user.txt" class="wp-image-370" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/user.txt.png?w=393&amp;ssl=1 393w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/user.txt.png?resize=300%2C124&amp;ssl=1 300w" sizes="(max-width: 393px) 100vw, 393px" /><figcaption class="wp-element-caption">user.txt</figcaption></figure>



<p class="wp-block-paragraph">By knowing which directory we are in on the system, we can start having a look around. By changing to Holt&#8217;s directory we can locate and read the<em> user.txt</em> document which hold&#8217;s the user flag of this challenge.</p>



<p class="wp-block-paragraph">Now it is time to use privilege leverage escalation techniques to become root on the system. The <code>sudo -l</code> command lists the allowed (and forbidden) commands for the invoking user.</p>



<figure class="wp-block-image size-large is-resized"><img data-recalc-dims="1" loading="lazy" decoding="async" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/04/sudo-l.png?resize=746%2C136" alt="privilege escalation" class="wp-image-371" style="width:746px;height:136px" width="746" height="136" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/sudo-l.png?w=746&amp;ssl=1 746w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/sudo-l.png?resize=300%2C55&amp;ssl=1 300w" sizes="(max-width: 746px) 100vw, 746px" /><figcaption class="wp-element-caption">linux privilege escalation</figcaption></figure>



<p class="wp-block-paragraph">As we can see, the user Jake can invoke sudo commands by using the <code>less</code> command. Going to <a href="https://gtfobins.github.io/gtfobins/less/" target="_blank" rel="noreferrer noopener">gtfobins</a> we can find a section that tells us how we can use this command to become root.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="868" height="208" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/04/gtfobin-priv-esc.png?resize=868%2C208" alt="gtfobin results" class="wp-image-372" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/gtfobin-priv-esc.png?w=868&amp;ssl=1 868w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/gtfobin-priv-esc.png?resize=300%2C72&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/gtfobin-priv-esc.png?resize=768%2C184&amp;ssl=1 768w" sizes="(max-width: 868px) 100vw, 868px" /><figcaption class="wp-element-caption">gtfobin results</figcaption></figure>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="580" height="455" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/04/bin-sh.png?resize=580%2C455" alt="sudo less" class="wp-image-373" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/bin-sh.png?w=580&amp;ssl=1 580w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/bin-sh.png?resize=300%2C235&amp;ssl=1 300w" sizes="(max-width: 580px) 100vw, 580px" /><figcaption class="wp-element-caption">becoming root</figcaption></figure>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="621" height="341" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/04/root.txt.png?resize=621%2C341" alt="Brooklyn Nine Nine root.txt" class="wp-image-375" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/root.txt.png?w=621&amp;ssl=1 621w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/04/root.txt.png?resize=300%2C165&amp;ssl=1 300w" sizes="(max-width: 621px) 100vw, 621px" /><figcaption class="wp-element-caption">root.txt</figcaption></figure>



<p class="wp-block-paragraph">And there you have it. We now have root access over this machine and can change the root directory to read the <em>root.txt</em> flag.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="288" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/03/Task-1-1-1024x288.png?resize=1024%2C288" alt="Brooklyn Nine Nine flags" class="wp-image-102" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/03/Task-1-1.png?resize=1024%2C288&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/03/Task-1-1.png?resize=300%2C84&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/03/Task-1-1.png?resize=768%2C216&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/03/Task-1-1.png?resize=1200%2C337&amp;ssl=1 1200w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/03/Task-1-1.png?w=1209&amp;ssl=1 1209w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">flags</figcaption></figure>



<h2 class="wp-block-heading"><strong>Conclusion</strong></h2>



<p class="wp-block-paragraph">Overall, this was a pretty straightforward challenge. I would recommend it to new hackers as their first challenge on TryHackMe. Doing this challenge has taught me about network mapping, brute force, and Linux privilege escalation.</p>
<p>The post <a href="https://eric.cc/tryhackme-brooklyn-nine-nine/">TryHackMe: Brooklyn Nine Nine</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://eric.cc/tryhackme-brooklyn-nine-nine/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">77</post-id>	</item>
	</channel>
</rss>
