Wiz Lee

AoC 2 [2020] TryHackMe CTF 🐱‍💻Day 13 & 14

Day 1️⃣3️⃣ - Linux Enumeration, Discovering and Priv Escalation

👣Steps

  • Initial access
    • The first few questions can be answered just by following the info provided in the questions themselves
    • After running nmap {machine IP}, out of the 3 open ports, telnet stands out as the old, deprecated service.
    • To get the password, just run telnet {machine IP} {telnet port number}. The username and password are shown in the login welcome message.
  • Enumeration
    • Run the 3 commands recommended by the questions to learn more about the machine
      • cat /etc/*release
      • uname -a
      • cat /etc/issue
    • The answer for the first question is shown in the output of the first command above
    • Running cat cookies_and_milk.txt will show the answer for the question of Who got here first?
  • Privilege Escalation via DirtyC0w 🐮
    • The question provides a link that contains more info about this exploit.
    • That link points to a page with a lot of proof-of-concept (PoC) programs for this exploit.
      • However, none of them is the one this question intends us to use.
    • I ended up using grep.app to search code online to find the original code.
      • The search string used is struct Userinfo user;
    • All the top search results are the original dirtyc0w C source code
    • I chose the C file in exploitdb even though its filename is not correct, because exploitdb is a repo I already know
    • The answer to the question on how to compile the code is found in line 17.
    • The subsequent question asks what new user is created when the original source is run
      • The answer can be found by reading the original source
      • The answer is in line 131
    • Lastly, to obtain the flag ⛳
      • first create a file named dirty.c, then copy all the content of 40839.c into it
        • This can be done in various ways; what I did was the following:
          • touch dirty.c
          • nano dirty.c
          • Paste all the content by right click / Shift+Insert / any other paste shortcut of your terminal
          • Ctrl+o to save the file
          • Followed by Ctrl+x to exit the Nano text editor
      • run gcc -pthread dirty.c -o dirty -lcrypt to compile the exploit
      • run the exploit: ./dirty
        • enter any new password for the firefart user
      • Either background the current process, or open another telnet connection
      • su firefart to attempt to switch user to firefart
        • enter your new password
      • read the message left by the perpetrator as mentioned in the question
        • cat message_from_the_grinch.txt
        • inside, it explains what it means to "leave behind the coal"
          • perform the action explained
        • finally run tree | md5sum as explained in the text file and the question
        • flag obtained == profit 💰

Day 1️⃣4️⃣ - OSINT (Open Source Intelligence)

🧠 Info

👣Steps

  • Task #1
    • To begin, search for reddit IGuidetheClaus2020 in DuckDuckGo
    • Go to the first result and click on the comments tab; the URL is the answer for the first question
    • For the second question, the answer is in the overview tab
    • Googling IGuidetheClaus2020 creator robert reveals the last name of IGuidetheClaus2020's creator
    • Alongside IGuidetheClaus2020's creator, among the search results is IGuidetheClaus2020's Twitter account. This is the answer for the fourth question
  • Task #2
    • In a few of the retweets, IGuidetheClaus2020 mentioned a TV show.
    • Two of the tweets mention a parade, with the first one explicitly hinting about going to a parade
      • Performing a reverse image search on the image reveals in which city the parade is held.
    • The question about where exactly the parade image was taken is the most technical so far
      • First, find an image metadata viewer, AKA EXIF viewer. Search for online exif data viewer and use the first result. For me it was https://onlineexifviewer.com/
      • Using this avoids the need to download and install software
      • Using the URLs of the 2 parade images, we found that they don't contain any EXIF data.
      • However, another post shared a high-quality version of one of the parade photos.
      • Using that URL in https://onlineexifviewer.com/ reveals the exact GPS coordinates.
      • Rounding the coordinates to 6 decimal places yields the answer.
      • In the same EXIF data, there's a flag in the copyright field
    • The question about whether Rudolph has been pwned and which password of his appeared in a breach is more open-ended
      • There are hints in the Task #2 description, which mentions that questions #6-11 can be solved using info on his Twitter account
      • The steps to answer this question are as follows
        • Follow the steps in this site to use Scylla
        • However, I found out that the tools are outdated and don't work on the current Twitter
        • Visit the Twitter user page and notice that the email is listed in the user description
        • Use Have I Been Pwned to search for it; it only mentions that the password was breached in LiveJournal
        • Search online for more data breach sites and come across Breach Directory
        • It shows two SHA-1 hashes that hint at what the passwords are
          • live************: 7ae929950f2d937538eee064371ceb612ed9c59e
          • spyg***: 6e3f262dccc80924be40aa96554ce5df182e939a
        • Then, use a site called md5decrypt to look up the plaintext password. Usually the SHA-1 of a common password is easily searchable without the need to crack 🦀 it ourselves
          • Another alternative site manages to recover the first SHA-1 where md5decrypt fails.
          • Try it for yourself and get the excitement of figuring out a password!
    • For the question of the street number of the hotel Rudolph is staying at
      • Originally I couldn't figure out where to start.
      • However, after some pondering and failed online searches, I realized that this question is probably asking about Rudolph while he is at the parade, as those Twitter posts would still be considered new during the time this CTF was ongoing
      • Check the EXIF data of the high-res parade photo using https://onlineexifviewer.com/
      • Open the GPS coordinates in Google Maps and search for the closest hotel.
      • The street number of the hotel's address is the answer to the final question
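As an added, defender-side illustration of the EXIF step in Task #2 (this is example code of my own, not part of the original walkthrough, TryHackMe, or any tool the post mentions): a Python parser using only the standard library that pulls the GPS coordinates and the Copyright field out of a JPEG's Exif segment, rounds the coordinates to 6 decimal places as the question expects, and a strip_app1 helper that removes the metadata before an image is published. The JPEG it parses is constructed inline with made-up coordinates and copyright text; all function names are my own.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}  # BYTE, ASCII, SHORT, LONG, RATIONAL, UNDEFINED
TAG_COPYRIGHT, TAG_GPS_IFD = 0x8298, 0x8825       # IFD0 tags
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4  # GPS IFD tags


def _find_exif_tiff(jpeg):
    """Walk the JPEG marker segments; return the TIFF blob inside the APP1/Exif segment, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt marker segment")
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):               # EOI or SOS: no more metadata segments follow
            return None
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        payload = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and payload.startswith(EXIF_HEADER):
            return payload[len(EXIF_HEADER):]
        pos += 2 + seg_len
    return None


def _read_ifd(tiff, offset, endian):
    """Return {tag: (type, count, raw 4-byte value/offset field)} for one IFD."""
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, cnt = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, cnt, tiff[e + 8:e + 12])
    return entries


def _entry_bytes(tiff, entry, endian):
    """Values of 4 bytes or less are stored inline; larger ones are reached via an offset."""
    typ, cnt, field = entry
    size = TYPE_SIZES[typ] * cnt
    if size <= 4:
        return field[:size]
    return tiff[struct.unpack(endian + "I", field)[0]:][:size]


def _ascii(tiff, entry, endian):
    return _entry_bytes(tiff, entry, endian).split(b"\x00", 1)[0].decode("ascii", "replace")


def extract_exif_metadata(jpeg):
    """Return the Copyright text and decimal GPS coordinates (rounded to 6 places) if present."""
    tiff = _find_exif_tiff(jpeg)
    if tiff is None:
        return {}
    endian = "<" if tiff[:2] == b"II" else ">"
    ifd0 = _read_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
    result = {}
    if TAG_COPYRIGHT in ifd0:
        result["copyright"] = _ascii(tiff, ifd0[TAG_COPYRIGHT], endian)
    if TAG_GPS_IFD in ifd0:
        gps = _read_ifd(tiff, struct.unpack(endian + "I", ifd0[TAG_GPS_IFD][2])[0], endian)
        if all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            coords = []
            for ref_tag, val_tag in ((GPS_LAT_REF, GPS_LAT), (GPS_LON_REF, GPS_LON)):
                raw = _entry_bytes(tiff, gps[val_tag], endian)          # three RATIONALs: deg, min, sec
                d, m, s = [n / den if den else 0.0 for n, den in struct.iter_unpack(endian + "II", raw)]
                value = d + m / 60 + s / 3600
                ref = _ascii(tiff, gps[ref_tag], endian)
                coords.append(round(-value if ref in ("S", "W") else value, 6))
            result["gps"] = tuple(coords)
    return result


def has_location_leak(jpeg):
    """Pre-publication check: True if the image still carries GPS coordinates."""
    return "gps" in extract_exif_metadata(jpeg)


def strip_app1(jpeg):
    """Mitigation: return a copy of the JPEG with every APP1 (Exif/XMP) segment removed."""
    out, pos = bytearray(jpeg[:2]), 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if jpeg[pos + 1] != 0xE1:
            out += jpeg[pos:pos + 2 + seg_len]
        pos += 2 + seg_len
    return bytes(out + jpeg[pos:])


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref, copyright_text):
    """Constructed sample for the demo (not a real photo): SOI + APP1/Exif + EOI with GPS and Copyright tags."""
    e = "<"                                                   # little-endian ("II") TIFF
    text = copyright_text.encode("ascii") + b"\x00"
    text += b"\x00" * (len(text) % 2)                         # keep later offsets word-aligned
    ifd0_off = 8
    text_off = ifd0_off + 2 + 2 * 12 + 4                      # IFD0 has 2 entries
    gps_off = text_off + len(text)
    lat_off = gps_off + 2 + 4 * 12 + 4                        # GPS IFD has 4 entries
    lon_off = lat_off + 24
    entry = lambda tag, typ, cnt, field: struct.pack(e + "HHI", tag, typ, cnt) + field
    rationals = lambda dms: b"".join(struct.pack(e + "II", n, d) for n, d in dms)
    tiff = b"II" + struct.pack(e + "HI", 0x2A, ifd0_off) + struct.pack(e + "H", 2)
    tiff += entry(TAG_COPYRIGHT, 2, len(text), struct.pack(e + "I", text_off))
    tiff += entry(TAG_GPS_IFD, 4, 1, struct.pack(e + "I", gps_off)) + struct.pack(e + "I", 0)
    tiff += text + struct.pack(e + "H", 4)
    tiff += entry(GPS_LAT_REF, 2, 2, lat_ref.encode() + b"\x00\x00\x00")
    tiff += entry(GPS_LAT, 5, 3, struct.pack(e + "I", lat_off))
    tiff += entry(GPS_LON_REF, 2, 2, lon_ref.encode() + b"\x00\x00\x00")
    tiff += entry(GPS_LON, 5, 3, struct.pack(e + "I", lon_off)) + struct.pack(e + "I", 0)
    tiff += rationals(lat_dms) + rationals(lon_dms)
    app1 = EXIF_HEADER + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


# Constructed sample coordinates: 40 deg 46' 29.52" N, 73 deg 58' 16.7" W
SAMPLE = build_sample_jpeg([(40, 1), (46, 1), (2952, 100)], "N",
                           [(73, 1), (58, 1), (167, 10)], "W", "Sample copyright text")

if __name__ == "__main__":
    print(extract_exif_metadata(SAMPLE))   # {'copyright': 'Sample copyright text', 'gps': (40.774867, -73.971306)}
    print(has_location_leak(strip_app1(SAMPLE)))   # False
```

Run it as a script on the constructed sample, or call extract_exif_metadata on real JPEG bytes read from disk. The parser handles both byte orders and ignores JPEGs with no Exif segment, and strip_app1 is the check-before-publish counterpart to the online viewer used in the walkthrough: anything the viewer would show is dropped from the copy it returns.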
