Tryhackme Writeups || Valley
Initial Recon
We start with an nmap scan. Nmap shows us two open ports, SSH and HTTP. Since we don't have credentials for SSH, we focus on HTTP.
Visiting the website shows us this:
When I click on View Gallery:
We can see multiple images. If we click on one of them, we can see that the path to these images is http://10.10.99.157/static/1, so I decided to fuzz this directory to see if there are any interesting files.
During the scan, one result stands out: 00. Its size is small compared to the other pages. When I visit 00, I see this:
dev notes from valleyDev:
-add wedding photo examples
-redo the editing on #4
-remove /dev1243224123123
-check for SIEM alerts
I visited http://10.10.99.157/dev1243224123123/ and saw a login screen. At this point we don't have any usernames yet, so we can't brute-force. I looked at the source code and saw an interesting JS file named dev.js.
The bottom of the JS file contains hard-coded credentials:
// loginButton, loginForm and loginErrorMsg are defined earlier in dev.js;
// the check below runs entirely client-side, so the credentials ship to every visitor
loginButton.addEventListener("click", (e) => {
    e.preventDefault();
    const username = loginForm.username.value;
    const password = loginForm.password.value;
    if (username === "siemDev" && password === "california") {
        window.location.href = "/dev1243224123123/devNotes37370.txt";
    } else {
        loginErrorMsg.style.opacity = 1;
    }
})
So I logged in with the found credentials and we got redirected to /dev1243224123123/devNotes37370.txt:
dev notes for ftp server:
-stop reusing credentials
-check for any vulnerabilies
-stay up to date on patching
-change ftp port to normal port
The "-stop reusing credentials" note made me keep the previously found credentials in mind, as they might prove useful later. The "-change ftp port to normal port" note indicates an FTP server running on some non-standard port, so I scanned with nmap again and found FTP running on port 37370.
I connected to the FTP port. It doesn't seem to allow anonymous access, but fortunately the credentials we found earlier worked. The FTP server has three pcap files, and I went through each of them in Wireshark.
Out of the three pcap files, the third one is the most interesting.
In Wireshark, I right-clicked a random TCP packet and followed the TCP stream. On stream 31, I saw this:
A POST request with a username and password. Remembering the "-stop reusing credentials" note, I tried these credentials on SSH to see if we could get a shell, and it worked. We also got our first flag.
Next, for privilege escalation, I ran linpeas on the target.
There is a cron job running a Python script as root. This might be a good target for privilege escalation.
This file imports base64, so if we can overwrite the base64 module, we can get RCE.
However, base64.py is writable only by root and by the valleyAdmin group, so we first need access to a user in valleyAdmin.
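The privilege escalation above works because a root cron job imports a module from a file that a non-root group can write to. As an added example that is not part of the original writeup, here is a small Python audit that parses a cron-run script for its imports, resolves each one on a given search path, and flags module files (or their directories) with the group or world write bit set; the sample tree it builds (backup.py, base64.py and json.py in a temporary directory) is constructed for the demonstration and the paths are hypothetical.

```python
import ast
import os
import stat
import tempfile
def imported_modules(script_path: str) -> list[str]:
    """Top-level module names the script imports, found by parsing it (no execution)."""
    with open(script_path, encoding="utf-8") as fh:
        tree = ast.parse(fh.read(), filename=script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)

def resolve_module_file(name: str, search_path: list[str]) -> "str | None":
    """Find name.py or name/__init__.py in search-path order, as the import system would."""
    for entry in search_path:
        for cand in (os.path.join(entry, name + ".py"), os.path.join(entry, name, "__init__.py")):
            if os.path.isfile(cand):
                return cand
    return None

def writable_by_others(path: str) -> bool:
    """Group or world write bit on the file or its directory (a writable dir lets the file be swapped)."""
    mask = stat.S_IWGRP | stat.S_IWOTH
    return bool(os.stat(path).st_mode & mask or os.stat(os.path.dirname(path)).st_mode & mask)

def audit_script(script_path: str, search_path: list[str]) -> dict[str, str]:
    """Return {module: file} for each import whose file a non-owner could modify."""
    findings = {}
    for name in imported_modules(script_path):
        module_file = resolve_module_file(name, search_path)
        if module_file and writable_by_others(module_file):
            findings[name] = module_file
    return findings

def build_sample_tree() -> tuple[str, list[str]]:
    """Constructed sample (hypothetical paths): a script beside a group-writable base64.py."""
    root = tempfile.mkdtemp()  # created 0700, so the directory itself is not the problem
    script = os.path.join(root, "backup.py")
    with open(script, "w") as fh:
        fh.write("import base64\nimport json\nprint(base64.b64encode(b'x'))\n")
    for mod, mode in (("base64", 0o664), ("json", 0o644)):  # 0o664 is the finding
        path = os.path.join(root, mod + ".py")
        with open(path, "w") as fh:
            fh.write("# stub\n")
        os.chmod(path, mode)
    return script, [root]
```

On a real host you would pass the cron script's path and the interpreter's sys.path (with the script's own directory first) and run the audit as the user the cron job executes as.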
Looking through the filesystem, I saw a file named valleyAuthenticator in the /home directory. It simply asks for a username and a password. I transferred it to my machine to reverse engineer it. When I opened it in IDA, I saw only 6 functions, which is strange. I checked the Strings tab and saw this:
This indicates that the binary is packed, but it can easily be unpacked with upx -d valleyAuthenticator.
I loaded it into IDA again and inspected the main function:
The program is simple: it hashes our inputs and compares them with these two hashes:
These hashes can easily be cracked with CrackStation:
These look like the credentials for the user valley, so I SSH'd in again as valley with the found credentials, and it worked. Now we can edit base64.py.
After a while, we got a reverse shell as root and the root flag.
Thanks for reading.
Follow me on Twitter: @tomorrowisnew_