tryhackme &mdash; drsh0's llog https://drsh0.writeas.com/tag:tryhackme my learning log; notes on cybersec activities, ctfs, and ill-equipped cyber adventures. Consume responsibly. Sun, 26 Apr 2026 19:20:43 +0000 https://i.snap.as/v7Oo2ci6.png tryhackme &mdash; drsh0's llog https://drsh0.writeas.com/tag:tryhackme Jack - TryHackMe https://drsh0.writeas.com/jack-tryhackme?pk_campaign=rss-feed <![CDATA[https://tryhackme.com/room/jack Summary exploit Wordpress web server gain user shell use Python to escalate to root Tools Used nmap, wpscan, python, pspy !--more-- Enum Nmap sudo nmap -A jack.thm -oN jack nmap tells us we have a host running ssh and serving a wordpress application. details Nmap 7.80 scan initiated Sun Aug 30 03:57:41 2020 as: nmap -A -oN jack -v jack.thm Nmap scan report for jack.thm (10.10.126.131) Host is up (0.30s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 3e:79:78:08:93:31:d0:83:7f:e2:bc:b6:14:bf:5d:9b (RSA) | 256 3a:67:9f:af:7e:66:fa:e3:f8:c7:54:49:63:38:a2:93 (ECDSA) | 256 8c:ef:55:b0:23:73:2c:14:09:45:22:ac:84:cb:40:d2 (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E |http-generator: WordPress 5.3.2 | http-methods: | Supported Methods: GET HEAD POST OPTIONS | http-robots.txt: 1 disallowed entry |/wp-admin/ |http-server-header: Apache/2.4.18 (Ubuntu) |http-title: Jack&#039;s Personal Site &#8211; Blog for Jacks writing adven... No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.80%E=4%D=8/30%OT=22%CT=1%CU=42716%PV=Y%DS=4%DC=T%G=Y%TM=5F4B15C OS:E%P=x8664-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10A%TI=Z%CI=I%II=I%TS=8)SEQ OS:(SP=106%GCD=1%ISR=10A%TI=Z%CI=I%TS=8)OPS(O1=M509ST11NW7%O2=M509ST11NW7%O OS:3=M509NNT11NW7%O4=M509ST11NW7%O5=M509ST11NW7%O6=M509ST11)WIN(W1=68DF%W2= OS:68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M509NNSN OS:W7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S) Uptime guess: 0.014 days (since Sun Aug 30 03:38:38 2020) Network Distance: 4 hops TCP Sequence Prediction: Difficulty=262 (Good luck!) IP ID Sequence Generation: All zeros Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE (using port 587/tcp) HOP RTT ADDRESS 1 167.61 ms 10.13.0.1 2 ... 3 4 304.95 ms jack.thm (10.10.126.131) Read data files from: /usr/bin/../share/nmap OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done at Sun Aug 30 03:58:22 2020 -- 1 IP address (1 host up) scanned in 41.89 seconds /details WPScan wpscan --url jack.thm XML-RPC seems to be enabled We can use this to enumerate usernames. Let's try: http://jack.thm/wp-json/wp/v2/users/1 - 200 - we are able to see the jack user (that we already know about) http://jack.thm/wp-json/wp/v2/users/2 - 401 - not allowed to view this user http://jack.thm/wp-json/wp/v2/users/99 - 404 - user not found WPScan to the rescue as it provides user enumerition AND bruteforcing which may allow us into the wp-admin panel. We find 2 additional users. wpscan --wpscan --url jack.thm --enumerate u Put all three users into a users.txt file and use a wordlist of your choice to brute force. We are able to sucesfully obtain a password for a user. Use that to login to wp-admin. wpscan --url jack.thm --passwords rockyou.txt --usernames users.txt Unfortunately, once logged in, the user does not have any administrative rights. Time to move onto exploitation. Exploit User https://www.exploit-db.com/exploits/44595 edit plugin php insert php reverse shell gain access to www-data user shell obtain user flag Priv Esc Our next aim is to move from www-data to jack. Fortunately, according to reminder.txt in jack's home directory, this user has an issue setting permissions on backups. Doing a quick check we find /var/backups that contains some goodies that www-data is able to read. Using this, we can SSH to the host. find / -name backup* 2 /dev/null Root linPEAS (or any other privesc script of choice) nothing of interest can be found apart from various interesting file access rights. hint reveals that python is being used. use pspy to monitor for any strange cronjobs by root 👀 2020/08/30 00:26:01 CMD: UID=0 PID=3036 | /usr/bin/python /opt/statuscheck/checker.py python exploitation checker.py: import os os.system("/usr/bin/curl -s -I http://127.0.0.1 /opt/statuscheck/output.log") From previous linenum scripts jack is a part of family which has write access to /usr/lib/python2.7/ Since we know os.system is being used in the script we have a lot of options to gain root access such as: modify os.py to facilitate a reverse shell. change permissions of other files and folders within the system (as root). change ssh configs to allow for password-less root access via ssh. obtain the root flag and write it to a file that is world readable. #tryhackme #wordpress #python]]> https://tryhackme.com/room/jack

Summary

  • exploit Wordpress web server
  • gain user shell
  • use Python to escalate to root

Tools Used

  • nmap, wpscan, python, pspy

Enum

Nmap

sudo nmap -A jack.thm -oN jack

nmap tells us we have a host running ssh and serving a wordpress application.

# Nmap 7.80 scan initiated Sun Aug 30 03:57:41 2020 as: nmap -A -oN jack -v jack.thm
Nmap scan report for jack.thm (10.10.126.131)
Host is up (0.30s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 3e:79:78:08:93:31:d0:83:7f:e2:bc:b6:14:bf:5d:9b (RSA)
|   256 3a:67:9f:af:7e:66:fa:e3:f8:c7:54:49:63:38:a2:93 (ECDSA)
|_  256 8c:ef:55:b0:23:73:2c:14:09:45:22:ac:84:cb:40:d2 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
|_http-generator: WordPress 5.3.2
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Jack&#039;s Personal Site &#8211; Blog for Jacks writing adven...
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=8/30%OT=22%CT=1%CU=42716%PV=Y%DS=4%DC=T%G=Y%TM=5F4B15C
OS:E%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10A%TI=Z%CI=I%II=I%TS=8)SEQ
OS:(SP=106%GCD=1%ISR=10A%TI=Z%CI=I%TS=8)OPS(O1=M509ST11NW7%O2=M509ST11NW7%O
OS:3=M509NNT11NW7%O4=M509ST11NW7%O5=M509ST11NW7%O6=M509ST11)WIN(W1=68DF%W2=
OS:68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M509NNSN
OS:W7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D
OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R
OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Uptime guess: 0.014 days (since Sun Aug 30 03:38:38 2020)
Network Distance: 4 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 587/tcp)
HOP RTT       ADDRESS
1   167.61 ms 10.13.0.1
2   ... 3
4   304.95 ms jack.thm (10.10.126.131)

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Aug 30 03:58:22 2020 -- 1 IP address (1 host up) scanned in 41.89 seconds

WPScan

wpscan --url jack.thm

XML-RPC seems to be enabled

We can use this to enumerate usernames. Let's try: * http://jack.thm/wp-json/wp/v2/users/1 – 200 – we are able to see the jack user (that we already know about) * http://jack.thm/wp-json/wp/v2/users/2 – 401 – not allowed to view this user * http://jack.thm/wp-json/wp/v2/users/99 – 404 – user not found

WPScan to the rescue as it provides user enumerition AND bruteforcing which may allow us into the wp-admin panel. We find 2 additional users.

wpscan --wpscan --url jack.thm --enumerate u

Put all three users into a users.txt file and use a wordlist of your choice to brute force. We are able to sucesfully obtain a password for a user. Use that to login to wp-admin.

wpscan --url jack.thm --passwords rockyou.txt --usernames users.txt

Unfortunately, once logged in, the user does not have any administrative rights. Time to move onto exploitation.

Exploit

User

Priv Esc

Our next aim is to move from www-data to jack. Fortunately, according to reminder.txt in jack's home directory, this user has an issue setting permissions on backups. Doing a quick check we find /var/backups that contains some goodies that www-data is able to read. Using this, we can SSH to the host.

find / -name backup* 2>/dev/null

Root

  • linPEAS (or any other privesc script of choice)
  • nothing of interest can be found apart from various interesting file access rights.
  • hint reveals that python is being used.
  • use pspy to monitor for any strange cronjobs by root

  • 👀

    • 2020/08/30 00:26:01 CMD: UID=0 PID=3036 | /usr/bin/python /opt/statuscheck/checker.py

      python exploitation

checker.py:

import os

os.system("/usr/bin/curl -s -I http://127.0.0.1 >> /opt/statuscheck/output.log")

From previous linenum scripts jack is a part of family which has write access to /usr/lib/python2.7/

Since we know os.system is being used in the script we have a lot of options to gain root access such as:

  • modify os.py to facilitate a reverse shell.
  • change permissions of other files and folders within the system (as root).
  • change ssh configs to allow for password-less root access via ssh.
  • obtain the root flag and write it to a file that is world readable.

#tryhackme #wordpress #python

]]> https://drsh0.writeas.com/jack-tryhackme Tue, 01 Dec 2020 06:04:31 +0000 TryHackMe | Advent of Cyber 2019 https://drsh0.writeas.com/tryhackme-advent-of-cyber-2019?pk_campaign=rss-feed <![CDATA[Link: https://tryhackme.com/room/25daysofchristmas Get started with Cyber Security in 25 Days - Learn the basics by doing a new, beginner friendly security challenge every day leading up to Christmas Day 1 cookies that have fixed values are bad as it allows attackers to guess the pattern and values. a new cookie can be created from Firefox dev tools storage cookies add new Day 2 check source pages dir searching github search for website Day 3 for pcaps, the best thing to do is search for interesting activities e.g. telnet and ssh follow stream to export to txt johntheripper can work on /etc/shadow without needeing /etc/passwd. Day 4 to find text within all files: grep -Ril "text" to grep for all IP addresses: grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" file.txt It's wise to search for .bak files in case some world readable backups exist : find / -name .bak 2 /dev/null Day 5 OSINT required creative google searches, social media, and the use of waybackmachine. Day 6 Tools used: wireshark-gtk fcrackzip steghide Day 7 strange protocols running on weird ports are worth trying out via http. Day 8 if binaries such as find are running as another user you can usually use exec to execute something with that binary e.g.: find /home/igor -name flag1.txt -exec cat /home/igor/flag1.txt \; commonly used command to list all suid binaries: find / -user root -perm -4000 -exec ls -ldb {} \; 2 /dev/null Day 10: Metasploit After a quick nmap scan, there seems to be a tomcat server running on port 80. Version enumeration reveals that it may be prone to the struts2 vuln. Let's use the struts2contenttypeognl exploit via MSF and configure hosts, ports, and path (path = ""). exploit successful! Use meterpreter shell to exploit further and find a way to break out of the docker container. SSH creds are available -- this is how we break out. Day 11: Network Exploitation nmap -A $IP -oA filename We can see the following services open: ftp, nfs, mysql Anonymous login is allowed on FTP. Use ftp to login and retrieve file and credentials. NFS showmount -e $IP to check if NFS is present and directory path. cd /tmp && mkdir thm-nfs-11 sudo mount $IP:/opt/files thm-nfs-11 thm-nfs-11 contains a file with the flag. MySQL I'll be using mycli to connect to the msql database. mycli -h $IP -P 3306 -u root show databases use data show tables SELECT * FROM 'USERS' Creds are now retrieved from the table. Day 12 1) md5sum 2) gpg --decrypt note1.txt.gpg with supplied passphrase 3a) Decrypt private RSA key first with supplied passphrase openssl rsa -in private.key -out test.key 3b) Then use openssl rsautl -decrypt -inkey test.key -in note2encrypted.txt -out note2_decrypted.txt to obtain decrypted note. Day 14: AWS S3 Buckets Buckets can be accessed via bucketname.s3.amazonaws.com or bucketname.region-name.amazonaws.com Bucket contents can be accessed via bucketname.region-name.amazonaws.com/file-name Day 15: Local File Inclusion Webservers will often pull files from local locations to display on a webpage. It's best to have a look at the HTTP requests and start crafting potential LFI that way. Be sure to encode the / using %2F. Example payload: http://host/get-file/%2fetc%2fpasswd #writeups #ctf #tryhackme ]]> Link: https://tryhackme.com/room/25daysofchristmas

Get started with Cyber Security in 25 Days – Learn the basics by doing a new, beginner friendly security challenge every day leading up to Christmas

Day 1

  • cookies that have fixed values are bad as it allows attackers to guess the pattern and values.
  • a new cookie can be created from Firefox dev tools > storage > cookies > add new

Day 2

  • check source pages
  • dir searching
  • github search for website

Day 3

  • for pcaps, the best thing to do is search for interesting activities e.g. telnet and ssh
  • follow stream to export to txt
  • johntheripper can work on /etc/shadow without needeing /etc/passwd.

Day 4

  • to find text within all files: grep -Ril "text"
    • to grep for all IP addresses: grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" file.txt
  • It's wise to search for *.bak files in case some world readable backups exist : find / -name *.bak 2>/dev/null

Day 5

  • OSINT required creative google searches, social media, and the use of waybackmachine.

Day 6

  • Tools used:
    • wireshark-gtk
    • fcrackzip
    • steghide

Day 7

  • strange protocols running on weird ports are worth trying out via http.

Day 8

  • if binaries such as find are running as another user you can usually use exec to execute something with that binary e.g.:
find /home/igor -name flag1.txt  -exec cat /home/igor/flag1.txt \;
  • commonly used command to list all suid binaries:
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null

Day 10: Metasploit

  • After a quick nmap scan, there seems to be a tomcat server running on port 80.
  • Version enumeration reveals that it may be prone to the struts2 vuln.
  • Let's use the struts2_content_type_ognl exploit via MSF and configure hosts, ports, and path (path = “”).
  • exploit successful! Use meterpreter shell to exploit further and find a way to break out of the docker container.
  • SSH creds are available —> this is how we break out.

Day 11: Network Exploitation

  • nmap -A $IP -oA <filename>
  • We can see the following services open: ftp, nfs, mysql
  • Anonymous login is allowed on FTP. Use ftp to login and retrieve file and credentials.

NFS

  • showmount -e $IP to check if NFS is present and directory path.
  • cd /tmp && mkdir thm-nfs-11
  • sudo mount $IP:/opt/files thm-nfs-11
  • thm-nfs-11 contains a file with the flag.

MySQL

  • I'll be using mycli to connect to the msql database.
  • mycli -h $IP -P 3306 -u root
  • show databases
  • use data
  • show tables
  • SELECT * FROM 'USERS'
  • Creds are now retrieved from the table.

Day 12

1) md5sum 2) gpg --decrypt note1.txt.gpg with supplied passphrase 3a) Decrypt private RSA key first with supplied passphrase openssl rsa -in private.key -out test.key 3b) Then use openssl rsautl -decrypt -inkey test.key -in note2_encrypted.txt -out note2_decrypted.txt to obtain decrypted note.

Day 14: AWS S3 Buckets

  • Buckets can be accessed via bucketname.s3.amazonaws.com or bucketname.region-name.amazonaws.com
  • Bucket contents can be accessed via bucketname.region-name.amazonaws.com/file-name

Day 15: Local File Inclusion

  • Webservers will often pull files from local locations to display on a webpage.
  • It's best to have a look at the HTTP requests and start crafting potential LFI that way.
  • Be sure to encode the / using %2F.
  • Example payload: http://host/get-file/%2fetc%2fpasswd

#writeups #ctf #tryhackme

]]> https://drsh0.writeas.com/tryhackme-advent-of-cyber-2019 Sun, 08 Dec 2019 23:40:33 +0000