TryHackMe is an online platform that teaches cybersecurity through hands-on virtual labs. Whether you are an expert or a beginner, you learn through a virtual room structure that covers both theoretical and practical security elements.
You first have to sign up to join the room. There are a few simple steps to follow on the Signup page. Next, follow the steps in the Welcome room to configure VPN connectivity.
I have connected to the TryHackMe network using OpenVPN on Kali Linux. Once you connect, the access page confirms the connection by showing your IP address and status.
Click on Deploy to start the target machine.
Once the machine has started, allow a few minutes for all the services to start. Begin by enumerating with nmap. The -sV option tells nmap to fingerprint the services.
The nmap scan revealed that there are 3 ports open: 22, 80 and 443. Explore ports 80 and 443 using a web browser.
A hint is available on TryHackMe. It says Robots, which may refer to the robots.txt page. Check robots.txt.
There are two things mentioned in robots.txt.
The website is just playing mind games with you. There is nothing to find there, so don't waste your time answering those questions. Visit the two pages mentioned in robots.txt.
The fsocity.dic file might be a wordlist that we may need later.
The key-1-of-3.txt file has a flag. Validate it on TryHackMe.
Run gobuster for directory enumeration.
Found a couple of interesting pages: admin and blog.
There are a few more interesting pages to consider, including WordPress pages. Explore these pages.
We reached the WordPress login page. We may have to brute-force it to log in. Use the fsocity.dic wordlist that we downloaded. Also make sure to sort it so that it contains only unique words, which saves time.
Once the wordlist has been sorted, use wpscan to brute-force the login page.
The wpscan has found the password. Having watched the series Mr Robot, I just used elliot as the username and fsocity-u.dic as the password list.
Now that we are able to log in using elliot's credentials, explore WordPress and the theme.
It has an editor section that allows customization of pages. Use the 404 Template to get a reverse shell.
Locate the reverse shell on the Kali VM. The Kali VM already has some web shells available. Use the PHP reverse shell.
Copy the contents of php-reverse-shell.php and paste it into 404.php using the editor in the WordPress portal.
Save the changes.
Open a netcat session on Kali or the attacker machine, then access any random page to generate a 404 error. The 404.php will run and we will receive a reverse shell.
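From the defender's side, the login brute force and the 404.php edit described above both leave traces in the web server access log. The following is an added example, not part of the original write-up: it scans Apache combined-format lines for bursts of failed wp-login.php POSTs and for theme editor writes. The log lines, the threshold, the window and the /wp-admin/theme-editor.php path (the classic WordPress theme editor endpoint) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
WINDOW, THRESHOLD = timedelta(seconds=60), 5  # assumed tuning values

def analyze(log_text):
    """Return {ip: [finding, ...]} from Apache combined-format access logs."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failed logins
    flagged = set()              # IPs that crossed the brute-force threshold
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m.group(3) != "POST":
            continue
        ip, ts, _, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        path = path.split("?", 1)[0]
        if path == "/wp-login.php" and status == "200":
            # WordPress re-renders the form (200) when a login fails.
            q = recent[ip]
            q.append(when)
            while when - q[0] > WINDOW:
                q.popleft()
            if len(q) >= THRESHOLD and ip not in flagged:
                flagged.add(ip)
                findings[ip].append("login brute force")
        elif path == "/wp-login.php" and status == "302" and ip in flagged:
            # A redirect (302) after the burst means one guess worked.
            findings[ip].append("successful login after brute force")
        elif path == "/wp-admin/theme-editor.php":
            # Legitimate admins also do this; review who changed which file.
            findings[ip].append("theme file edited")
    return dict(findings)

def make_line(ip, sec, req, status):
    return f'{ip} - - [01/Jan/2024:10:00:{sec:02d} +0000] "{req} HTTP/1.1" {status} 512'

# Constructed sample log, not taken from the room or the original post.
SAMPLE = "\n".join(
    [make_line("10.9.0.5", s, "POST /wp-login.php", 200) for s in range(6)]
    + [make_line("10.9.0.5", 7, "POST /wp-login.php", 302),
       make_line("10.9.0.5", 30, "POST /wp-admin/theme-editor.php", 200),
       make_line("10.9.0.8", 40, "POST /wp-login.php", 200),
       make_line("10.9.0.8", 45, "POST /wp-login.php", 302)]
)

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Setting DISALLOW_FILE_EDIT to true in wp-config.php disables the built-in theme editor, which closes the route used in this step.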
Once the reverse shell has been obtained, explore the home directory and try to find the other flags.
The user daemon doesn't have permission to read the files of user robot. But there is a file named password.raw-md5, which might hold the password for user robot. Use the hashcat tool to extract the password from it.
Hashcat was able to extract the password from the MD5 hash.
Switch user to robot. Access the second flag and validate on TryHackMe.
The third flag is in root's home directory. We need to check for weak links that allow privilege escalation.
nmap can be used to spawn a root shell. Launch an nmap interactive session and type !sh at the prompt.
Once root shell is obtained, access the 3rd flag.
Validate the flag on TryHackMe.
I hope this write-up was informative for you. Please leave feedback. Thank you.
-Srivathsa Dhanvantri