So this is the Brains room on TryHackMe. It's a two-part challenge: you hack into a box (red team) and then you investigate what happened (blue team). Pretty cool combo actually.
Here's my video walkthrough if you wanna follow along:
Part 1: Hacking the Box
First thing, start the machine and grab the IP address. Then open a terminal and run nmap to see what's available:
nmap <target-ip>
You'll see three things open:
- Port 22 (SSH)
- Port 80 (HTTP)
- Port 50000 (something weird, looks like a database but it's not)
If you go to port 80 in the browser it's just a blank page, nothing there. You can run gobuster to discover hidden folders and files on it but trust me, waste of time, there's nothing.
The interesting one is port 50000. Try connecting with telnet:
telnet <target-ip> 50000
Hit enter a few times and you'll see it returns HTML. So it's actually a web server, not a database. Open it in Firefox:
<target-ip>:50000
You'll see TeamCity running. Note the version number, in this case 2023.11.3.
Finding the Exploit
Go to exploit-db.com and search for "TeamCity". You'll find a bunch of vulnerabilities, the one we want is the authentication bypass / remote code execution one. Note the CVE number and search for it on GitHub.
I used the exploit from wolf hacker. Copy the code, save it as a .py file. When you run it you might get a missing module error; if so, install the missing module:
pip install faker
Then run the exploit pointing at your target:
python exploit.py -t <target-ip>
If it works you'll get a shell. Test it:
whoami
You should see something like "ubuntu". Then check the home folder:
ls /home/ubuntu
You'll find a flag.txt, cat it out:
cat /home/ubuntu/flag.txt
That's your first flag, machine hacked.
Privilege Escalation
While you're in there, check what you can run as sudo:
sudo -l
In this case everything is allowed, which means you can just do:
sudo whoami
And you'll see root. That's it, full privilege escalation. Pretty easy one but good to practice the concept.
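The reason that step was so easy is a sudoers rule granting the ubuntu user ALL commands as any user. From the defender's side, the check is to audit /etc/sudoers for exactly that pattern. The script below is an added example (not code from the room or the walkthrough author); the sudoers lines it parses are constructed for illustration, and the ROUTINE-vs-unrestricted logic is a simple heuristic I chose, not a TryHackMe tool.

```python
import re
from typing import List, Tuple

# Constructed sudoers content for the example (not the room's real file).
# The "ubuntu" line reproduces the kind of rule that makes `sudo -l` report
# everything as allowed; the other rules are what least privilege looks like.
SAMPLE_SUDOERS = """
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
ubuntu  ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
backup  ALL=(root) /usr/bin/rsync
"""

# user_or_group  hosts=(runas) [NOPASSWD:|PASSWD:] command list
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)=\((?P<runas>[^)]*)\)\s*(?P<spec>.+)$"
)


def audit_sudoers(text: str) -> List[Tuple[str, str]]:
    """Return (principal, reason) pairs for rules that grant unrestricted sudo.

    A rule is unrestricted when its command list is the literal ALL for any
    principal other than root. NOPASSWD on such a rule is reported too, since
    it removes the last friction a captured shell would otherwise hit.
    """
    findings: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and Defaults directives; only user specs matter here.
        if not line or line.startswith(("#", "Defaults")):
            continue
        match = RULE_RE.match(line)
        if not match:
            continue  # aliases and other syntax are out of scope for this check
        who = match.group("who")
        spec = match.group("spec")
        nopasswd = "NOPASSWD:" in spec
        commands = spec.replace("NOPASSWD:", "").replace("PASSWD:", "").strip()
        if commands == "ALL" and who != "root":
            reason = "unrestricted sudo"
            if nopasswd:
                reason += ", no password required"
            findings.append((who, reason))
    return findings


if __name__ == "__main__":
    for principal, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{principal}: {reason}")
```

On a real host you would read /etc/sudoers and the files under /etc/sudoers.d with root privileges and feed their contents to audit_sudoers; the deploy and backup rules pass because they name specific binaries, which is the shape the ubuntu rule should have had.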
Part 2: Investigation with Splunk
Now close that machine and start the second one (the blue team box). Put the new IP in your browser and you'll see the Splunk interface.
Go to Search and Reporting. Start with a broad search to see everything:
index=*
Set the time range to "All Time" and search. You'll see around 4000 events.
Question 1: What plugin was installed after exploitation?
Just search:
index=* plugin
You'll see an event about a plugin being uploaded. The full name is right there in the log, copy it.
Question 2: What malicious package was installed?
Search for:
dpkg
Then narrow the results to the package-install entries. You'll see loads of normal Linux stuff, lib this, lib that. Keep going through the pages and you'll spot one called "data-collector". That's the dodgy one, nothing legit should be called that.
Question 3: What is the backdoor user?
Search for:
useradd
You'll find an entry where useradd was run with the username "evil-user" and a home folder to match. Yeah, not subtle lol. That's your answer.
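The three Splunk searches above (plugin, dpkg, useradd) are each a keyword hunt followed by eyeballing the results. The script below is an added example, not part of the walkthrough or the room, that does the same triage programmatically over a handful of constructed log lines: it pulls out plugin uploads, freshly installed packages that don't look like routine system packages, and newly created interactive accounts. The log line formats, the plugin name "build-cleanup", the ROUTINE_PREFIXES allowlist and the "<none>" old-version convention are assumptions I made for the example; only "data-collector" and "evil-user" come from the room.

```python
import re
from typing import Dict, List

# Constructed sample events loosely modelled on the three searches in the
# walkthrough. They are NOT real TeamCity, dpkg or auth.log output from the room.
SAMPLE_EVENTS = [
    "2024-01-01T10:00:01 teamcity-server.log: Plugin 'build-cleanup' uploaded by user 'admin'",
    "2024-01-01T10:05:12 dpkg.log: install libc6:amd64 <none> 2.35-0ubuntu3",
    "2024-01-01T10:05:13 dpkg.log: install data-collector:all <none> 1.0",
    "2024-01-01T10:06:00 auth.log: useradd[1234]: new user: name=evil-user, UID=1001, "
    "GID=1001, home=/home/evil-user, shell=/bin/bash",
    "2024-01-01T10:06:30 auth.log: sshd[1300]: Accepted publickey for ubuntu from 10.0.0.5",
]

PLUGIN_RE = re.compile(r"Plugin '(?P<plugin>[^']+)' uploaded by user '(?P<user>[^']+)'")
# dpkg.log install lines: package[:arch] old-version new-version ("<none>" = fresh install)
DPKG_INSTALL_RE = re.compile(
    r"dpkg\.log: install (?P<pkg>[^:\s]+)(?::\S+)? (?P<old>\S+) (?P<new>\S+)"
)
USERADD_RE = re.compile(
    r"useradd\[\d+\]: new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+), GID=\d+, "
    r"home=(?P<home>[^,]+), shell=(?P<shell>\S+)"
)

# Heuristic allowlist (assumption): packages with these prefixes are treated as
# routine, so the reviewer only has to look at what is left over.
ROUTINE_PREFIXES = ("lib", "python3-", "linux-", "ubuntu-")
NON_LOGIN_SHELLS = ("/usr/sbin/nologin", "/bin/false")


def triage(events: List[str]) -> Dict[str, List[str]]:
    """Bucket the notable events from the three searches in the walkthrough."""
    findings: Dict[str, List[str]] = {"plugins": [], "packages": [], "users": []}
    for line in events:
        m = PLUGIN_RE.search(line)
        if m:
            # Any plugin upload after the exploitation window is worth a look.
            findings["plugins"].append(m.group("plugin"))
            continue
        m = DPKG_INSTALL_RE.search(line)
        if m:
            fresh_install = m.group("old") == "<none>"
            pkg = m.group("pkg")
            if fresh_install and not pkg.startswith(ROUTINE_PREFIXES):
                findings["packages"].append(pkg)
            continue
        m = USERADD_RE.search(line)
        if m:
            # Flag new accounts that can actually log in (regular UID, real shell).
            if int(m.group("uid")) >= 1000 and m.group("shell") not in NON_LOGIN_SHELLS:
                findings["users"].append(m.group("name"))
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_EVENTS).items():
        print(f"{category}: {items}")
```

Against real data you would export the Splunk results (or read the raw log files) and pass the lines to triage; the allowlist is deliberately short so that anything unusual, like "data-collector", surfaces instead of being buried in pages of lib-something entries.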
Done
That's the full Brains room. On the red team side you exploited a TeamCity auth bypass to get a shell and escalated to root. On the blue team side you used Splunk to find the plugin, the malicious package and the backdoor user that the attacker left behind.
If you want to practice the Linux commands used in this walkthrough check out https://practicelinux.com