Room link : https://tryhackme.com/room/adana
Excellent room. Spend plenty of time on recon and enumeration. The room developer has also planted a tempting rabbit hole: the WordPress site.
Stegbrute gives an output file, and its contents are encoded. Base64-decode it and there they are: the FTP credentials.
Decode using icyberchef.
Now that we have the FTP creds, let's try them.
Well, the directory structure looks like the web root. We could upload a PHP reverse shell and trigger it directly from the browser to get a shell. Right? That was my thought too.
I uploaded the PHP reverse shell file, changed its permissions (777), opened a netcat listener and accessed the URL from the browser. Ummm. Nothing happened. No reverse shell.
Something is not right. Let's browse the FTP directories. Saw the wp-admin.php file that contains the configuration, downloaded it to my machine and examined it. Yay yay, got another set of credentials. This time for phpmyadmin. Okay, let's check that.
After logging in to the phpmyadmin page, we can see the databases associated with the WordPress sites. Examine the pages for important information.
Wow. There is another identical website on a subdomain, so the reverse shell file we uploaded has probably gone to that other site. After adding the subdomain to the /etc/hosts file, access the website. Looks the same, right? Yes, same same. Try to access the reverse shell file from the new website [subdomain.adana.thm]. There you go, we got the reverse shell. The web flag is right in the folder. That was easy. Now hunt for the user flag.
After examining the home folder and the /etc/passwd file, we identified the user "hakanbey". Tried sudo -l, no permission, and linpeas, not much help.
Actually got stuck. Went to the room page seeking some hints. Yes, they have mentioned sucrack in the poster. sucrack is used to crack a user's password by brute-forcing su. Downloaded sucrack from GitHub, tarred it and transferred it to the target machine. Follow the installation details of sucrack regarding installation and usage. Also, here is a reference guide on sucrack.
I used the same wordlist and tried to crack the user hakanbey. Nope, didn't help. Some thoughts on password reuse and patterns: the FTP password of hakan begins with 123adana, so the user might be using a password in that pattern. Prepend 123adana to every word in the wordlist.
sed 's/^/123adana/' /var/www/html/announcements/wordlist.txt > newlist.txt
Use that new wordlist to crack the password. And that works. We got the user credentials.
Switch user, and get the user flag from the home directory of hakanbey. Well done so far.
Now the root flag. Let's hunt for SUID binaries, and there is one unusual candidate: /usr/bin/binary.
Upon examining the binary using ltrace, we get some hints: a key for executing the binary.
Execute it, give the correct key and we get an output file, root.jpg. The hint says to use hexeditor at an offset location and icyberchef for Base85 conversion. Transfer the file to your machine using netcat or any other desired method.
Use hexeditor, look at the mentioned offset and copy it. Convert it using icyberchef and we get the root credentials. Go back to the target machine, switch user with the root creds and grab the root flag.
Spent a lot of time, especially exploring the rabbit hole, losing the DB connections and doing multiple resets. However, that was fun. Kudos to the developer.
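To show what the hexeditor-plus-icyberchef step is actually doing, here is an added Python example (not from the room or this writeup) that decodes an ASCII85 run at a known offset and, going slightly beyond the writeup, scans a file for such runs when no offset hint is available, which is the same check you would run when triaging a file suspected of carrying an embedded secret. The sample bytes, the offset 0x40 and the placeholder secret are constructed for this example, and the decoder assumes the standard '!'..'u' alphabet that icyberchef's From Base85 uses by default.

```python
import base64

# Constructed sample file: a JPEG-like header, zero padding up to a known
# offset, an ASCII85-encoded string at that offset, then the JPEG end marker.
# The bytes and the placeholder secret are made up for this example; they are
# not the room's root.jpg or its real credentials.
PLACEHOLDER_SECRET = b"root:PLACEHOLDER-NOT-THE-REAL-PASSWORD"
OFFSET = 0x40
ENCODED = base64.a85encode(PLACEHOLDER_SECRET)
SAMPLE = (
    b"\xff\xd8\xff\xe0" + b"\x00" * (OFFSET - 4)  # SOI marker + filler
    + ENCODED                                     # hidden payload
    + b"\xff\xd9"                                 # EOI marker
)

# Standard ASCII85 alphabet ('!' .. 'u') plus 'z', the all-zero group shorthand.
ASCII85_BYTES = frozenset(range(ord("!"), ord("u") + 1)) | {ord("z")}


def decode_at_offset(data: bytes, offset: int, length: int) -> bytes:
    """Decode a known-length ASCII85 run at a known offset (the hexeditor + CyberChef step)."""
    return base64.a85decode(data[offset:offset + length])


def find_ascii85_runs(data: bytes, min_len: int = 16):
    """Return (offset, length) of every run of ASCII85-alphabet bytes at least min_len long."""
    runs = []
    start = None
    for i, b in enumerate(data):
        if b in ASCII85_BYTES:
            if start is None:
                start = i
            continue
        if start is not None and i - start >= min_len:
            runs.append((start, i - start))
        start = None
    if start is not None and len(data) - start >= min_len:
        runs.append((start, len(data) - start))
    return runs


def decode_candidates(data: bytes, min_len: int = 16):
    """Try to ASCII85-decode every candidate run and keep those that yield printable ASCII."""
    found = []
    for offset, length in find_ascii85_runs(data, min_len):
        try:
            decoded = base64.a85decode(data[offset:offset + length])
        except ValueError:
            continue  # not valid ASCII85 (e.g. group overflow)
        if decoded and all(0x20 <= c < 0x7F for c in decoded):
            found.append((offset, decoded))
    return found


if __name__ == "__main__":
    # Known-offset path, as in the writeup, then the blind scan.
    print(decode_at_offset(SAMPLE, OFFSET, len(ENCODED)))
    for off, text in decode_candidates(SAMPLE):
        print(f"offset 0x{off:x}: {text!r}")
```

Run it against a real file by replacing SAMPLE with open(path, "rb").read(); the blind scan will also report false positives from any long stretch of printable bytes, which is why the printable-output filter and a sensible min_len matter.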