Skip to main content

Different CTF a.k.a Adana Room from TryHackMe [THM] Writeup

Room link : https://tryhackme.com/room/adana

Excellent room. Spend much time on Recon and Enum. The room developer has also put a sweet spot rabbit hole. The WordPress.

Different CTF Adana Room from TryHackMe [THM] Writeup

I am not making this write-up in detail. You perform the initial nmap scan, get couple of open ports and services. Then perform a dirbuster or gobuster scan. You get the secret directory. Announcement. In the Announcement directory, you can see an image and a word-list. As common with THM, we can easily assume that there might be some kind of stenography involved. And yes, but with a point. I used steghide and exif tools at first but you need to use brute-force method to crack the hidden data. Also the hint is given on the room poster. Anyway.

Different CTF Adana Room from TryHackMe [THM] Writeup
Use Stegbrute to crack the image.
Stegbrute gives an output file and its encrypted. Do a Base64 conversion to decode and here it is, the FTP credentials.
Different CTF Adana Room from TryHackMe [THM] Writeup

Decode using icyberchef. 

Different CTF Adana Room from TryHackMe [THM] Writeup

Now we have the FTP creds and let's try it.
Well, the directory structe looks like the web folder. We can upload a reverse php shell and execute from the browser directly, so that we can get the shell. Right? Well, same thoughts.

Different CTF Adana Room from TryHackMe [THM] Writeup

I uploaded the reverse shell (php) file, changed the permissions (777). Opened up the netcat listener and accessed the URL from the browser. Ummm. Nothing happens. No reverse shell.

Different CTF Adana Room from TryHackMe [THM] Writeup
Different CTF Adana Room from TryHackMe [THM] Writeup

Something is not right. Let's browse the FTP directories. Saw the wp-admin.php file that contains the configurations, downloaded to my machine and examined. Yay Yay, got another set of credentials. This time the phpadmin. okay, lets check that.

Different CTF Adana Room from TryHackMe [THM] Writeup

After we logged in to the phpmyadmin page, we can see the databases associated with the Wordpress sites. Examine the pages for important information.

Different CTF Adana Room from TryHackMe [THM] Writeup

Different CTF Adana Room from TryHackMe [THM] Writeup

Different CTF Adana Room from TryHackMe [THM] Writeup

Wow. There is an another identical website with a subdomain. So the reverse shell file that we have uploaded might be gone to the other website. After adding the subdomain to the etc/hosts file, access the website. Same right? Yes same same. Try to access the reverse shell file from the new website [subdomain.adana.thm]. There you go. We got the reverse shell. The web-flag is right in the folder. That was easy. Now hunt for the user flag.

Different CTF Adana Room from TryHackMe [THM] Writeup

After examining the home folder and the etc/passwd file, we identified the user "hakanbey". Tried the sudo -l , no permission and linpeas, not much help.
Actually got stuck. Went to the room page seeking some hints. Yes. They have mentioned sucrack in the poster. sucrack is used to crack the user password. Downloaded Sucrack from Github , tar it and transferred to the target machine. Follow the installation details of sucrack regarding the installation and usage. Also here is a reference guide on sucrack 

I used the same wordlist and tried to crack the user hakanbey. Nope. Didn't help. Some thoughts on password reuse and patterns. The FTP password of hakan begins with 123adana. So the user might be having a password in that pattern. Append 123adana to the all words in the wordfile.

sed 's/^/123adana/' /var/www/html/announcements/wordlist.txt > newlist.txt

Use that new wordlist to crack the password. And that works. We got the user credentials.

Different CTF Adana Room from TryHackMe [THM] Writeup

Switch user, and get the user flag from the home directory of hakanbey. Well done so far.

Different CTF Adana Room from TryHackMe [THM] Writeup

Now the root flag. Lets hunt for the SUIDs and there is one unusual candidate. /usr/bin/binary.
Upon examining the binary using ltrace , we got some hints. A key for executing the binary. 

Different CTF Adana Room from TryHackMe [THM] WriteupDifferent CTF Adana Room from TryHackMe [THM] Writeup

Execute, give the correct key and there we get an output. root.jpg. The hint says to use hexeditor, an offset location and use icyberchef for base85 conversion. Transfer the file to your machine using netcat or any other desired methods.

Different CTF Adana Room from TryHackMe [THM] Writeup

Use the hexeditor, look for the mentioned offset. Copy it. Convert it using icyberchef. And we get the root credentials. Go back to the target machine, switch user with the root creds and grab the root flag.

Different CTF Adana Room from TryHackMe [THM] Writeup

Spend a lot of time , especially exploring the rabbit hole. Losing the DB connections and multiple resets. However, that was funny. Kudos to the developer.

Popular Posts

RUST error: linker `link.exe` not found

While compiling Rust program in a windows environment, you may encounter the error : linker `link.exe` not found. This is because of the absence of the C++ build tools in your machine. For compiling Rust programs successfully, one of the prerequisites is the installation of the Build Tools for Visual Studio 2019.   Download the Visual Studio 2019 Build tools from the Microsoft website. After the download, while installing the Build tools, make sure that you install the required components (highlighted in Yellow) This will download around 1.2GB of required files. Once everything is successfully installed, reboot and re-run your rust program and it will compile successfully.   Read More on RUST Hello World Rust Program : Code explained RUST Cargo Package Manager Explained Data Representation in Rust.

Download Microsoft Office 2019 offline installer.

When you do malware analysis of documents or office files, it is important to have Microsoft Office installed in your Lab machine. I am using flare VM and it doesn't comes with MS Office. Since Microsoft is promoting Microsoft 365 over the offline version, finding the offline installer is not that easy. Here is the list of genuine Microsoft links to download the office .img files.  Download Microsoft Office 2019 Professional Plus : https://officecdn.microsoft.com/db/492350F6-3A01-4F97-B9C0-C7C6DDF67D60/media/en-US/ProPlus2019Retail.img Download Microsoft Office 2019 Professional : https://officecdn.microsoft.com/db/492350F6-3A01-4F97-B9C0-C7C6DDF67D60/media/en-US/Professional2019Retail.img Download Microsoft Office 2019 Home and Business : https://officecdn.microsoft.com/db/492350F6-3A01-4F97-B9C0-C7C6DDF67D60/media/en-US/HomeBusiness2019Retail.img Download Microsoft Office 2019 Home and Student : https://officecdn.microsoft.com/db/492350F6-3A01-4F97-B9C0-C7C6DDF67D60/media/en-U...

Cisco ASA: Disable SSLv3 and configure TLSv1.2.

For configuring TLS v1.2, the ASA should run software version 9.3(2) or later. In earlier versions of ASA, TLS 1.2 is not supported.If you are running the old version, it's time to upgrade. But before that i will show you the config prior to the change. I am running ASA version 9.6.1 Now ,set the server-version to tlsv1.2, though ASA supports version tlsv1.1, its always better to configure the connection to more secure. Server here in the sense, the ASA will be act as the server and the client will connect to the ASA.     #ssl server-version tlsv1.2 set the client-version to tlsv1.2, if required.     #ssl client-version tlsv1.2 ssl cipher command in ASA offers 5 predefined security levels and an additional custom level.     #ssl cipher tlsv1.2 high we can see the setting of each cipher levels using #show ssl cipher command. Now set the DH group to 24, which is the strongest offered as of now in the AS...

How to Install Netmiko on Windows?

Netmiko, developed by kirk Byers is an open source python library  based on Paramiko which simplifies SSH management to network devices and is primarily used for network automation tasks. Installing Netmiko in linux is a matter o f one single command but if you need to use Netmiko in your Windows PC, follow this process. 1) Install the latest version of Python. 2) Install Anaconda, which is an opensource distribution platform that you can install in Windows and other OS's (https://www.anaconda.com/download/) 3) From the Anaconda Shell, run “ conda install paramiko ”. 4) From the Anaconda Shell, run “ pip install scp ”. 5) Now Install the Git for Windows. (https://www.git-scm.com/downloads) . Git is required for downloading and cloning all the Netmiko library files from Github. 6) From Git Bash window, Clone Netmiko using the following command git clone https://github.com/ktbyers/netmiko&#8221         7) Onc...

PrintNightmare (CVE-2021-1675) PoC exploit Walkthrough

I am not an exploit developer but was interested to see how this vulnerability can be exploited. So i tried to replicate the infamous PrintNightmare vulnerability using the following PoCs ( https://github.com/cube0x0/CVE-2021-1675 ) and ( https://github.com/rapid7/metasploit-framework/pull/15385 ) However i had trouble with the new metasploit module (auxiliary/admin/dcerpc/cve_2021_1675_printnightmare) and i couldn't able to exploit the machine successfully. So i tried the second PoC from cube0x0. This one has done the magic. I just followed the guidelines with couple of tweaks. First of all, i installed the impacket (cube0x0 version) which will install the required modules and files. After that i set up a samba share with an anonymous login. This is required for hosting the dll file. I edited the smb.conf with the following settings. [global]     map to guest = Bad User     server role = standalone server     usershare allow guests = yes ...

Unable to locate package linux-headers / E: Unable to locate package linux-headers-5.10.0-kali5-amd64

While compiling programs, you may encounter this particular error. E: Unable to locate package linux-headers-5.10.0-kali5-amd64 I encountered this while compiling a C code. To fix this, i first updated my Kali machine (v2020.2a).  sudo apt update -y && apt upgrade -y && apt dist-upgrade   Rebooted. Then installed the headers.   sudo apt install linux-headers-$(uname -r)  

Google Cloud : Basic Cloud Shell commands

Google Cloud resources can be managed in multiple ways. It can be done using Cloud Console, SDK or by using Cloud Shell. A few basic Google Cloud shell commands are listed below. 1)    List the active account name gcloud auth list 2)    List the project ID gcloud config list project 3)    Create a new instance using Gcloud shell gcloud compute instances create [INSTANCE_NAME] --machine-type n1-standard-2 --zone [ZONE_NAME] Use gcloud compute machine-types list to view a list of machine types available in particular zone. If the additional parameters, such as a zone is not specified, Google Cloud will use the information from your default project. To view the default project information, use gcloud compute project-info describe 4)    SSH in to the machine gcloud compute ssh [INSTANCE_NAME] --zone [YOUR_ZONE] 5)    RDP a windows server gcloud compute instances get-serial-port-output [INSTANCE_NAME...