DEV Community: qwezii

Walkthrough - Bounty Hacker - TryHackMe

qwezii — Sat, 01 Aug 2020 16:43:53 +0000

This is a walkthrough on the Bounty Hacker room in TryHackMe

This is a beginner room.

I think this could be helpful for CEH preparation, this is not too complex.

These are the steps I followed to get all the answers in the room.

I used nmap to do a port scan on the system.
nmap -sS <IP-address>

I found three open ports:
-- 21 ftp
-- 22 ssh
-- 80 http

We see a website and we have some information on the website.
Then I tried to do a sub-directory scan using Gobuster, available in Kali Linux.

gobuster dir -u HTTP://<IP-address>/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100

Here the option
dir is for directory scan
-u is for URL
-w is for wordlist
-t is for number of threads to run the scan

The scan does not show much either.

And with this information, we can't do much. So, I went through an aggressive scan:
nmap -A <IP-address>

We can see that the ftp is vulnerable with anonymous login.

Found this useful for this step

ftp <IP-address>
And type Name as anonymous and then no need for a password.

When in FTP can use ? to display a help menu.

To list all the files in your FTP session use ls
We see two files available. task.txt and locks.txt

We can set the local directory using lcd command.

Then we can use the get command to get the files from the system to our system to analyze them.

Check the files using cat command.
First I checked the task.txt file I see that the author is named lin. I assumed that must be the user of the system.

Now I checked the lock.txt this file looks like a password list for the user.

Now we have to brute-force the login for ssh, assuming the username is lin and passwords must be from this list (lock.txt).

I then used the hydra password cracking tool.

hydra -l lin -P locks.txt 10.10.234.166 -t 4 -e nsr ssh

Cracked the password.
Logged in as the user lin with the cracked password.
And at this point, we can exit the FTP connection.

Checked the files in the user directory using ls.

We see the user.txt file containing the user flag.
cat user.txt

Then I tried to pivot to the root directory, to see that we do not have sufficient permissions.

So can we do when we do not have enough permissions?
We can check what else we can do as the user lin using the command sudo -l.

We can see that the user lin can run tar as root.
Then I tried to check that in gtfobins. Found the exploit for that.

Ran the mentioned command and could pivot to root.

Then cd into the root user directory to find the root flag.

There were some dead ends but I could go around them.
Found this room a fun one.

Walkthrough - OWASP Top 10 - TryHackMe

qwezii — Fri, 17 Jul 2020 18:17:30 +0000

Hi Guys!
This is my very first Walkthrough/Write-Up.
This is a Walkthrough on the OWASP Top 10 room in TryHackMe.
This is a beginner room - as in

The challenges are designed for beginners and assume no previous knowledge of security.

I am going to walk you through the steps I followed to find the answers.

Day 1 Injection
1. Strange Text
2. Number Of Users
3. User
4. User shell as
5. Ubuntu Version
6. MOTD
Day 2 Broken Authentication
1. Darren's Account
2. Arthur's Account
Day 3 Sensitive Data Exposure
1. Sensitive Directory
2. DB File
3. Sensitive Data
4. Admin Password
5. Admin Flag

Day 1 Injection

Strange Text:

A strange text file in the website root directory:
I used ls. We see the output something like this:

ls command lists all the available files and folders in the current directory. And with that output, we understand that drpepper.txt is a strange text file.
Take me to Top

Number Of Users

The number of non-root/non-service/non-daemon users:
We can use the command: cat /etc/passwd | cut -d: -f1
I found this command here: LinuxHandBook

And the output from the command shows there are no users that are non-root/non-service/non-daemon. And therefore the number is 0. The cat command prints all the contents of a file mentioned and we are using pipe - | to send the output of the cat to the following command i.e, cut -d: -f1 which cuts(or only prints) a repeating part of an output. In our case - we mention the delimiter as : and the -f1 would print the first part of the delimited string.
Take me to Top

User:

The user of the app:

whoami is a command that shows the current user of the application through which the shell/bash is running. So the user is www-data
Take me to Top

User Shell As:

I used id to find the user id. Which is 33. id prints the current user-id and group-id.

And then I used cat /etc/passwd/ to print all the list of user information.

With the command, we see a lot of information here, and we need to find the one with the id 33, or the one with the user as www-data as we found in question 3. And we see that the user is set as /usr/sbin/nologin.
Take me to Top

Ubuntu Version

The version of Ubuntu:
I found this command cat /etc/os-release, can print comprehensive information on the Operating System.

Here we see the version as 18.04.4.
Take me to Top

MOTD:

I first could not find the motd as I first thought its at /etc/motd. Then I found that it's a different directory.

With the command ls /etc/update-motd.d/ I could see the files and one of them is 00-header and this is mentioned in the hint. So I used the command cat /etc/update-motd.d/00-header

Now we can see in the last line of the output talks about "Dr Pepper" and that is the favorite beverage.

Take me to Top

Day 2 Broken Authentication

I found this type of attack cool. Now, if we just follow the instructions we can find the answers to the given questions.

Darren's Account:

We try to register a new account using the name "darren" but we see a message saying user already exists. But the problem with this is in the backend of the application, with this step we now have overridden the password for darren with what we have used for the registration. Now we just have to login using the same password but add a space to the username: " darren".

Now we are logged in as darren and we see the flag.

Take me to Top

Arthur's Account:

We follow the same steps that we followed for darren's account.
We try to register using username "arthur" and some password.
Then we see the message that user already exists.
Then we login as " arthur" and the same password we used to register. We are taken to arthur's account.

Take me to Top

Day 3 Sensitive Data Exposure

Sensitive Directory:

For this task, I used a subdirectory enumerator software called DirBuster that is available in Kali Linux by default.

I used the following settings:

I used the wordlist file that is available by default here:
/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

Then I let it run for a while and found.

But it will be a lot simpler if we use the hint. We see that there is something in the login page source code.

We see that the developer has stored something in the /assets directory.

Take me to Top

DB File:

When you open the directory you will see the .db file. Click on it to download.

Or you could directly go to http://MACHINE_IP/assets/webapp.db to download.

Take me to Top

Sensitive Data:

Then I used the mentioned commands in the given Material. And found the following:

We see the Admin, Bob, Alice users and their password hash.

Admin Password:

I used the website Crackstation mentioned in the given material to crack the password hash.

Take me to Top

Admin Flag:

I used the login page to login as admin and found the flag.

Take me to Top

The current room is a progressive room and releases one task per day. I will try to update this page as and when I find the answers.