Skip to content

Latest commit

 

History

History
101 lines (63 loc) · 3.91 KB

readme.md

File metadata and controls

101 lines (63 loc) · 3.91 KB
Raw

Time Eater

Category: Linux Description: This room requires account on Try Hack Me tryhackme.com/jr/darkctflo

User

Regular enumeration with nmap and gobuster:

# Nmap 7.80 scan initiated Sun Sep 27 22:20:56 2020 as: nmap -sC -sV -oN nmapInitial 10.10.202.112
Nmap scan report for 10.10.202.112
Host is up (0.27s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 64:60:d1:e5:39:96:90:b9:3c:72:b0:35:c2:2a:e4:f9 (RSA)
|   256 3c:07:fb:86:de:65:9b:52:59:70:de:06:2e:58:21:48 (ECDSA)
|_  256 b7:ed:d9:dd:40:46:b4:dc:c8:c3:5c:a1:28:78:73:f7 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Dimension by HTML5 UP
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Sep 27 22:21:42 2020 -- 1 IP address (1 host up) scanned in 45.62 seconds

Exploring the site while gobuster runs and gong through the paths found turns out to be a major rabbit hole hunt, quite literally indeed:

/images (Status: 301)
/info (Status: 301)
/assets (Status: 301)
/test (Status: 301)
/cd (Status: 301)
/git (Status: 301)
/rabbit (Status: 301)
/uniqueroot (Status: 301)

At this point, I was starting to be a bit lost as I was not finding much to proceed, until magically gobuster found /uniqueroot and this was the game changer I was waiting for. (note to self never stop gobuster before it finishes)

image

image

And finally:

image

So the way to gain initial access is to hydra ssh using rockyou, now the way the text is written is a bit confusing and indeed I ended up trying both wolfie and elliot as users.

hydra -l elliot -P /opt/rockyou.txt ssh://10.10.202.112 -t 60

Found password godisgood

image

SSH to the box ssh elliot@10.10.202.112:

image

sudo -l showed somthing pretty usefull:

image

And we have user flag:

image

flag{user_flag_for_this_challenge}

Root

After we gained access as dark we now need to find a privesc way to root.

At this point I was going for linpeas.sh but something caught my attention on dark user, he's on group docker, that is 99% a priesc vector.

This was probably not supposed to be on the machine but it proved my theory:

image

So can I just resume this and get done with it?

Yep !!!

image

image

And I am root in a docker container with the filesystem of /root mounted on /mnt, so I can just go and fetch the flag right? Wrong ... apparently there is no flag at the /root/root.flag, well nothing that a find cannot solve and it found the flag at /mnt/root/.rootflag/root.txt

image

darkCTF{Escalation_using_D0cker_1ss_c00l}