BadByte | TryHackMe

Octothorp
4 min read · Mar 15, 2021


TryHackMe writeup for Badbyte room

TryHackMe | badbyte by electronforce

Task 1 | Deploy the machine

Click the deploy button and wait a few extra minutes for this machine.

Task 2 | Reconnaissance

Q1: How many ports are open?

Answer: 2 (rustscan took 3 seconds)

rustscan

The suggested command below will perform an nmap scan of all ports, but will likely take about 10–30 minutes to run.

nmap -p- -vv 10.10.206.236 -oA 10.10.206.236

Q2: What service is running on the lowest open port?

Answer: ssh

Q3: What non-standard port is open?

Answer: 30024

Q4: What service is running on the non-standard port?

Answer: ftp

Task 3 | Foothold

ftp to host

Convert the private key into a john hash and then crack it with john (two separate commands):

python /opt/john/ssh2john.py id_rsa > id_rsa.hash

john id_rsa.hash -w=$(locate rockyou.txt)

Q5: What username do we find during the enumeration process?

note.txt

Q6: What is the passphrase for the RSA private key?

john the ripper

Now to ssh into the host and look around

root:~# chmod 600 id_rsa

root:~# ssh -i id_rsa username@$ip

After changing the permissions on the id_rsa file and then ssh’ing in as the correct username, you will find a note at the root of the filesystem.

Note.txt

Task 4 | Port Forwarding

Q7: What main TCP ports are listening on localhost?

Answer: 80,3306

First we need to set up a dynamic port forward (SSH tunnel):

ssh -ND 9050 -i id_rsa username@$ip
ssh dynamic port forward

Now we can run our nmap scan via proxychains and scan the localhost of the remote machine.

Q8: What protocols are used for these ports?

Answer: http,mysql

Task 5 | Web Exploitation

Q9: What CMS is running on the machine?

First we need to be able to access the website from our machine, so let’s set up a local port forward as a proxy.

ssh local port forward

With the local port forward set up we can now browse using Firefox.

Q10: Can you find any vulnerable plugins?

nmap http-wordpress-enum

Q11: What is the CVE number for directory traversal vulnerability?

Answer: search the plugin and its version

Q12: What is the CVE number for remote code execution vulnerability?

Answer: search the plugin and its version

Q13: There is a metasploit module for the exploit. You can use it to get the reverse shell. If you are feeling lucky you can follow any POC( Proof of Concept).

First: get a PHP reverse shell ready to upload

cp /usr/share/webshells/php/php-reverse-shell.php /tmp/s.php

Make sure to put your attack machine IP and port number in the shell.

Second: Download the exploit script from mansoorr123

download exploit

run exploit and upload php reverse shell

manually used script by

Start netcat listener

Catching the shell
curl http://127.0.0.1:8080/wp-content/plugins/wp-file-manager/lib/php/../files/s.php
boom user.txt
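Added example, not part of the writeup: a defender-side check over constructed web-server log lines that flags the kind of request shown in the curl above, either a dot-dot segment in the path (plain or percent-encoded) or a PHP file being served from wp-file-manager’s upload directory after the path is resolved. The UPLOAD_DIR prefix, the combined-log regex and the sample lines are assumptions made for this example.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Apache/nginx combined-log request lines: client, timestamp, "METHOD path proto", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Where the writeup's uploaded s.php ends up once lib/php/../files is resolved (assumed prefix).
UPLOAD_DIR = "/wp-content/plugins/wp-file-manager/lib/files/"

def classify_request(path):
    """Return (resolved_path, reasons): one reason per suspicious property of the path."""
    raw = unquote(path.split("?", 1)[0])   # drop query string, decode %2e%2e and friends
    reasons = []
    if ".." in raw.split("/"):
        reasons.append("dot-dot segment in request path")
    resolved = normpath(raw)               # collapse ../ to the path the server actually serves
    if resolved.startswith(UPLOAD_DIR) and resolved.lower().endswith(".php"):
        reasons.append("PHP file requested from wp-file-manager upload dir")
    return resolved, reasons

def scan_log(text):
    """Return [(ip, status, resolved_path, reasons)] for every suspicious request line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # not a request line in the expected format
        resolved, reasons = classify_request(m.group("path"))
        if reasons:
            hits.append((m.group("ip"), int(m.group("status")), resolved, reasons))
    return hits

# Constructed sample log (not captured from the room); IPs and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Mar/2021:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.5 - - [15/Mar/2021:10:01:15 +0000] "GET /wp-content/plugins/wp-file-manager/lib/php/../files/s.php HTTP/1.1" 200 0 "-" "curl/7.68.0"
10.0.0.9 - - [15/Mar/2021:10:02:00 +0000] "GET /wp-content/plugins/wp-file-manager/css/elfinder.min.css HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.5 - - [15/Mar/2021:10:02:30 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/s.php HTTP/1.1" 200 0 "-" "curl/7.68.0"
10.0.0.7 - - [15/Mar/2021:10:03:00 +0000] "GET /images/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 196 "-" "curl/7.68.0"
"""

if __name__ == "__main__":
    for ip, status, resolved, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {resolved}: {'; '.join(reasons)}")
```

A 200 on a .php under the plugin’s upload directory is the line worth alerting on; the 404 traversal attempt still shows who is probing.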

Q14: What is the name of user that was running CMS?

Answer: This can be found either by running ls /home/ or by executing id

Q15: What is the user flag?

Task 6 | Privilege Escalation

Q16: What is the user’s old password?

.viminfo in home directory

.viminfo will show information regarding recent file edits

.viminfo contents

As we can see, the file /var/log/bash.log was recently edited.

Now that we have the old password, the new password is a small guess away.

Q17: What is the root flag?

SSH in with your password guess

ssh cth@ipaddress

w00t root.txt

Great room electronforce, Thank you!
