[EN] TryHackMe — NerdHerd Write-Up

Anıl Çelik
6 min read · Nov 5, 2020

What’s up guys it’s 0xpr0N3rd and in this write-up I will be sharing the walkthrough of the room named NerdHerd, which is made by me.

This is the very first vulnerable machine that I’ve created so feel free to share your opinions/reviews with me either from here or on discord.

Alright let’s start with nmap scan:

As we can see, we have a couple of ports open: 21 for FTP, 22 for SSH, 139&445 for SMB and lastly 1337 for HTTP.

One of the questions I’ve been asked on here was: “Wait, is there an HTTP port?????” Yes, enumerate carefully.

We can see that the anonymous FTP login is allowed so let’s check it first:

When we login to the FTP service, we see there is a directory named “pub”. Let’s see what it has inside when we navigate on it:

There is an image named “youfoundme.png”. On a second check including hidden files, we can see there is a hidden directory named “.jokesonyou” (btw, always check for hidden files directly with the “-a” parameter):

Let’s first get the “youfoundme.png” and navigate on the hidden folder:

Lastly, get the “hellon3rd.txt” and exit from the FTP service and move on to HTTP service:

When we get to the HTTP service, we first see a little JavaScript joke (I saw that some people really got scared, honest).

Then, we can see that there is something we need to find in this page. Maybe we can navigate to the bottom of the page and see the BIG hint:

When we click on the link, it redirects us to the cool song “Surfin’ Bird” made by Trashmen. Before going any further on this, let’s first check out the files that we previously got from the FTP service:

The message in “hellon3rd.txt” tells us that everything we need is in “leet”, which means “1337”, which in turn means the HTTP service and Surfin’ Bird itself. Let’s check out the “.png” file before we go:

When we run exif on it, we see something encrypted in the Owner Name section. Now, when we go to Surfin’ Bird’s lyrics, we see that the bird is the word:

I really don’t know how to make it more obvious and hide it at the same time, but here it is. The text is encrypted with the Vigenère cipher (you can check it with some tools if you need to while solving) and the encryption key is “birdistheword”:
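As an added illustration (not part of the original write-up), here is a small Vigenère encrypt/decrypt routine using the key from the room; the ciphertext is a constructed sample, not the actual Owner Name value from the image.

```python
import string

ALPHABET = string.ascii_lowercase
KEY = "birdistheword"  # the key given in the write-up


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Classic Vigenère: shift each letter by the matching key letter.

    Non-letters pass through unchanged and do not consume a key position;
    the case of each plaintext letter is preserved.
    """
    shifts = [ALPHABET.index(c) for c in key.lower() if c in ALPHABET]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    out = []
    ki = 0
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            k = shifts[ki % len(shifts)]
            if decrypt:
                k = -k
            out.append(chr((ord(ch) - base + k) % 26 + base))
            ki += 1
        else:
            out.append(ch)
    return "".join(out)


def decrypt_owner_name(ciphertext: str) -> str:
    """Recover the plaintext hidden in the EXIF Owner Name field."""
    return vigenere(ciphertext, KEY, decrypt=True)


if __name__ == "__main__":
    # Constructed sample standing in for the EXIF field; not the room's value.
    sample_plain = "Hello, N3rd!"
    sample_cipher = vigenere(sample_plain, KEY)
    print("ciphertext:", sample_cipher)
    print("recovered: ", decrypt_owner_name(sample_cipher))
```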

We got a password. Oh wait, we haven’t checked the SMB service yet!

When we try to check out the SMB shares anonymously, we see there is a share named “nerdherd_classified”, but it’s not open for public access (don’t directly brute-force it like many of the guys did):

At this point, I guess we can all understand that the “********” we found previously is for SMB. But what about the username? I guess we can run a simple enum4linux scan for that one:

Now that we found our username, let’s login to SMB service:

Let’s get that “secr3t.txt”:

Looks like we found ourselves another hidden directory:

We have some credentials!

Let’s SSH into the machine:

Get the “user.txt” first:

Now we can check our sudo privileges for user “Chuck”:

Unfortunately, user “Chuck” can’t run any sudo commands on this box. Next, we can do a quick linPEAS scan:

In our linPEAS output, we can see that there is a 99% P.E. (privilege escalation) vector related to our kernel version. From here, we can either go for a quick Google search or we can use Linux Exploit Suggester:

From the results, we can use CVE-2017-16995 for the privilege escalation step. Note that using DirtyCow may crash the machine, as is stated in the exploit’s comments:

So, we can use CVE-2017-16995 as our privilege escalation vector:

Let’s compile the exploit and run it on the system:

We are root! But, the root flag is not in the place where it’s supposed to be:

After a little bit of looking around, we can find that the real root.txt is under the “/opt” directory:

Now, it’s time to find the BONUS flag. When we check out the hint given on the task page, we can see that it brings back so many memories, and memories are related to history:

History takes us to “.bash_history”:

That was all I wanted to share for this box. I enjoyed developing this box and I hope you enjoyed it while solving this. Hope you learned something.

PS: My aim in developing this box was to force people to be more careful about the little details they generally don’t care about, such as getting the Vigenère key from Surfin’ Bird. In most CTFs with a similar scenario, a redirect to an external link such as YouTube is most likely a rabbit hole, but here it is not. So I hope you’ll be more careful next time :)

Thank you for reading my write-up.

See you on another one.
