TryHackMe writeup for Badbyte room
Task 1 | Deploy the machine
Click the deploy button and wait a few extra minutes for this machine.
Task 2 | Reconnaissance
Q1: How many ports are open?
Answer: 2 (rustscan took 3 seconds)
The suggested command below will perform a nmap scan of all ports, but will likely take about 10–30 minutes to run.
nmap -p- -vv 10.10.206.236 -oA 10.10.206.236
Q2: What service is running on the lowest open port?
Q3:What non-standard port is open?
Q4: What service is running on the non-standard port?
Task 3 | Foothold
Convert the hash and then crack with john
python /opt/john/ssh2john.py id_rsa > id_rsa.hashjohn id_rsa.hash -w=$(locate rockyou.txt)
Q5: What username do we find during the enumeration process?
Q6: What is the passphrase for the RSA private key?
Now to ssh into the host and look around
root:~# chmod 600 id_rsa
root:~# ssh -i id_rsa username@$ip
After changing the permissions on the id_rsa file and then ssh’ing in as the correct username you will find a not at the root of the filesystem
Task 4 | Port Forwarding
Q7: What main TCP ports are listening on localhost?
first we need to set up a dynamic port forward (ssh tunnel)
ssh -ND 9050 -i id_rsa username@$ip
Now we can run our nmap scan via proxychains and scan the localhost of the remote machine.
Q8: What protocols are used for these ports?
Task 5 | Web Exploitation
Q9: What CMS is running on the machine?
First we need to be able to access the website from our machine, lets set up a local port forward as a proxy.
With the local port forward setup we can now browse using firefox.
Q10: Can you find any vulnerable plugins?
Q11: What is the CVE number for directory traversal vulnerability?
Q12: What is the CVE number for remote code execution vulnerability?
Q13: There is a metasploit module for the exploit. You can use it to get the reverse shell. If you are feeling lucky you can follow any POC( Proof of Concept).
First: get get a php reverse shell ready to upload
cp /usr/share/webshells/php/php-reverse-shell.php /tmp/s.php
Make sure to put your attack machine IP and port number in the shell.
Second: Download the exploit script from mansoorr123
run exploit and upload php reverse shell
Start netcat listener
Q14: What is the name of user that was running CMS?
Answer: This can be found from either doing a
ls /home/ or by executing
Q15: What is the user flag?
Task 6 | Privilege Escalation
Q16:What is the user’s old password?
.viminfo will show information regarding recent file edits
As we can see the file /var/log/bash.log was recently edited
Now that we have the old password, the new password is a small guess away.
Q17: What is the root flag?
SSH in with your password guess
Great room electronforce, Thank you!