Tryhackme Writeups || Valley

Brandon Roldan
4 min read · Aug 21, 2023

Initial Recon

We start with an nmap scan. Nmap shows us two open ports, SSH and HTTP. Since we don't have credentials for SSH, we focus on HTTP.

Visiting the website shows us this

When I click on View Gallery

We can see multiple images. If we click on one of them, we can see that the path to these images is http://10.10.99.157/static/1 . So I decided to fuzz this directory to see if there are any interesting files.

During the scan, one result stands out:

00. Its size is small compared to the other pages. When I visited 00, I saw this:

dev notes from valleyDev:
-add wedding photo examples
-redo the editing on #4
-remove /dev1243224123123
-check for SIEM alerts

I visited http://10.10.99.157/dev1243224123123/ and saw a login screen. At this point we don't have any usernames yet, so we can't brute-force it. I looked at the source code and saw an interesting JS file named dev.js.

The bottom of the JS file contains hard-coded credentials:

// loginButton, loginForm and loginErrorMsg are defined earlier in the file
loginButton.addEventListener("click", (e) => {
  e.preventDefault();
  const username = loginForm.username.value;
  const password = loginForm.password.value;

  // The "login check" is a client-side comparison against string literals,
  // so anyone who reads the script gets both the credentials and the hidden path.
  if (username === "siemDev" && password === "california") {
    window.location.href = "/dev1243224123123/devNotes37370.txt";
  } else {
    loginErrorMsg.style.opacity = 1;
  }
})

So I logged in with the found credentials and we got redirected to /dev1243224123123/devNotes37370.txt:
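The weakness above is a credential embedded in client-side code. As an added example (not part of the original writeup), here is a small Python secret scanner that flags credential-like identifiers compared or assigned to a string literal in JavaScript sources, the kind of check a CI pipeline or pre-commit hook would run before a file like dev.js ever ships. It is a line-oriented regex heuristic, not a JavaScript parser, and the identifier patterns in CRED_NAME are my own assumptions; the sample input is the dev.js snippet from the box.

```python
import re

# Identifier names that suggest a credential is being compared or assigned.
# Assumed heuristic list; extend it for the naming used in your own code base.
CRED_NAME = re.compile(r"(?i)(user(name)?|pass(word|wd)?|secret|token|api[_-]?key)")

# `name === "literal"`, `name == 'literal'` or `name = "literal"` where the
# right-hand side is a non-empty quoted string (double, single or backtick).
LITERAL_COMPARE = re.compile(
    r"""(?P<name>[A-Za-z_$][\w$.]*)\s*(?:===|==|=)\s*(?P<q>["'`])(?P<value>[^"'`]+)(?P=q)"""
)


def find_hardcoded_credentials(source):
    """Return (line_number, identifier, literal) for every credential-like
    identifier that is compared or assigned to a string literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in LITERAL_COMPARE.finditer(line):
            if CRED_NAME.search(m.group("name")):
                findings.append((lineno, m.group("name"), m.group("value")))
    return findings


def report(findings):
    """Render findings with the secret masked, so the scanner's own output
    does not leak the value into build logs or CI artefacts."""
    return [
        f"line {lineno}: {name} compared to literal {value[0]}{'*' * (len(value) - 1)}"
        for lineno, name, value in findings
    ]


# Constructed sample input: the dev.js fragment shown in the writeup.
SAMPLE_JS = """\
loginButton.addEventListener("click", (e) => {
  e.preventDefault();
  const username = loginForm.username.value;
  const password = loginForm.password.value;

  if (username === "siemDev" && password === "california") {
    window.location.href = "/dev1243224123123/devNotes37370.txt";
  } else {
    loginErrorMsg.style.opacity = 1;
  }
})
"""

if __name__ == "__main__":
    for line in report(find_hardcoded_credentials(SAMPLE_JS)):
        print(line)
```

Lines such as `const username = loginForm.username.value` are not reported because the right-hand side is not a literal; only the two comparisons on the `if` line are flagged, and the report masks all but the first character of each value.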

dev notes for ftp server:
-stop reusing credentials
-check for any vulnerabilies
-stay up to date on patching
-change ftp port to normal port

"-stop reusing credentials": with this note in mind, I kept the credentials we had already found, since they might prove useful later. "-change ftp port to normal port" indicates that FTP is running on some other port number. So I scanned with nmap again and found FTP running on port 37370.

I connected to the FTP port. It doesn't seem to allow anonymous access, but fortunately the credentials we found earlier worked. The FTP server holds three pcap files, and I went through each of them in Wireshark.

Out of the three pcap files, the third one is the most interesting.

In Wireshark, I right-clicked a random TCP packet and followed the TCP stream. On stream 31, I saw this:

A POST request with a username and password. Remembering the "-stop reusing credentials" note, I tried these credentials on SSH to see if we could get a shell. It worked, and we also got our first flag.

Next, for privilege escalation, I ran linpeas on the target server.

There is a cron job running a Python script as root. This might be a good target for privilege escalation.

This file imports base64, so if we can overwrite the base64 module, we may get code execution as root.

However, base64.py is only writable by the root user and the valleyAdmin group, so we need to get access to valleyAdmin first.
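The underlying misconfiguration is a root cron job whose import chain includes a file that non-root accounts can write. As an added example (my own code, not from the box or from linpeas), the Python audit below takes a cron script, statically lists the modules it imports, resolves each one the way the interpreter would (the script's own directory first, then sys.path) and reports any module file, or parent directory, that is group- or world-writable. It runs against a constructed fixture: a temporary script importing base64 and a local helper whose file has been left mode 0664.

```python
import ast
import importlib.machinery
import os
import stat
import sys
import tempfile
from pathlib import Path


def imported_modules(source):
    """Top-level module names a Python source file imports, found statically."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)


def weak_permissions(path):
    """Reasons a file or directory could be modified by someone other than its owner."""
    mode = os.stat(path).st_mode
    reasons = []
    if mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def resolve(name, search_path):
    """Path the interpreter would load `name` from, given this search path."""
    spec = importlib.machinery.PathFinder.find_spec(name, search_path)
    if spec is None or not spec.has_location or not spec.origin:
        return None  # builtin or frozen module, or not found on the path
    return spec.origin


def audit_script(script_path):
    """Check the script and every module it imports for non-owner write access.
    Returns (module_name, resolved_path, reasons) for each weak item."""
    script_path = Path(script_path).resolve()
    # cron runs `python script.py`, so the script's own directory heads sys.path
    # and a writable file there would shadow the real stdlib module of the same name.
    search_path = [str(script_path.parent)] + [p for p in sys.path if p]
    items = [("<script>", str(script_path))]
    for name in imported_modules(script_path.read_text()):
        origin = resolve(name, search_path)
        if origin:
            items.append((name, origin))
    findings = []
    for name, origin in items:
        reasons = weak_permissions(origin)
        # A writable parent directory is as bad as a writable file: anyone
        # could drop a replacement module (or .pyc) beside the real one.
        reasons += [f"parent dir {r}" for r in weak_permissions(os.path.dirname(origin))]
        if reasons:
            findings.append((name, origin, reasons))
    return findings


def audit_demo():
    """Constructed fixture: a cron-style script importing base64 and a local
    helper module whose file has been left group-writable."""
    with tempfile.TemporaryDirectory() as tmp:
        helper = Path(tmp) / "helper.py"
        helper.write_text("def run():\n    return 1\n")
        helper.chmod(0o664)  # the misconfiguration under test
        script = Path(tmp) / "job.py"
        script.write_text("import base64\nimport helper\n")
        return audit_script(script)


if __name__ == "__main__":
    for name, origin, reasons in audit_demo():
        print(f"{name}: {origin} ({', '.join(reasons)})")
```

On a correctly installed system the stdlib entry for base64 comes back clean and only the helper is reported; on the box described above, the same audit pointed at the real base64.py would report it as group-writable for valleyAdmin. Running this over every script referenced from root's crontab is a cheap way to catch the pattern before someone else does.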

Looking at files on the system, I saw a file named valleyAuthenticator in the /home directory. It simply asks for a username and a password. I transferred it to my machine to reverse engineer it. When I opened it in IDA, I only saw six functions, which was strange. I checked the strings tab and saw this:

This indicates that the binary is packed. It can easily be unpacked with upx -d valleyAuthenticator. I loaded it again in IDA and inspected the main function.

The program is simple: it hashes our inputs and compares them with these two hashes.

These hashes can easily be cracked using CrackStation.
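The reason a lookup service can recover these is that the binary stores a plain, unsalted hash of each secret, so the same password always yields the same digest. As an added example (my own code, not from the box), the Python below contrasts that with a salted, iterated KDF: the toy table stands in for a public lookup service, and MD5 is assumed as the stand-in algorithm since the writeup does not name the hash type. The wordlist is constructed.

```python
import hashlib
import hmac
import os

# Constructed toy wordlist standing in for a public lookup service's table.
WORDLIST = ["123456", "password", "letmein", "summer2023"]

PBKDF2_ITERATIONS = 200_000


def lookup_table(hash_name):
    """Precomputed digest -> password table for an unsalted hash function."""
    return {hashlib.new(hash_name, p.encode()).hexdigest(): p for p in WORDLIST}


def recover_unsalted(digest_hex, table):
    """Unsalted digests are a pure dictionary lookup: no work per target."""
    return table.get(digest_hex)


def store_password(password, salt=None):
    """Return (salt, key) using PBKDF2-HMAC-SHA256 with a random per-user salt."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password, salt, key):
    """Constant-time comparison of a recomputed key against the stored one."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, key)


def hashing_demo():
    table = lookup_table("md5")  # assumption: unsalted MD5 as the stand-in
    unsalted = hashlib.md5(b"letmein").hexdigest()
    salt1, key1 = store_password("letmein")
    salt2, key2 = store_password("letmein")
    return {
        # same password, no salt: instantly matched by the precomputed table
        "recovered": recover_unsalted(unsalted, table),
        # same password, two random salts: two unrelated stored values,
        # so a table built in advance cannot match either of them
        "salted_keys_differ": key1 != key2,
        "verify_ok": verify_password("letmein", salt1, key1),
        "verify_wrong": verify_password("password", salt1, key1),
    }


if __name__ == "__main__":
    for k, v in hashing_demo().items():
        print(f"{k}: {v}")
```

The salt is stored alongside the key, not kept secret; its job is to make every stored value unique so that precomputation cannot be amortised across users, while the iteration count makes each guess cost real CPU time.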

These look like the credentials for the user valley. So I SSH'd in again as valley with the found credentials, and it worked. Now we can edit base64.py.

After a while, we got a reverse shell as root and the root flag.

Thanks for reading

Follow me on Twitter: @tomorrowisnew_
