In this challenge, an image is given that is wrongly encoded; after fixing it, a secret directory is obtained, and within it a clue for a password.
With that password, a key is obtained to extract data from an image; the extracted data is a username given in ROT13.
Finally, you have to download the image of the challenge, since it holds the user's password (2 hours looking around…)
After gaining access to the machine, privileges are escalated thanks to an outdated command.
[Task 1] Flag submission
fntkg@kali:~/fuzzy-octo-guacamole/pentest/tryhackme/madness$ nmap -sC -sV -T4 10.10.248.109
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-23 21:51 CEST
Nmap scan report for 10.10.248.109
Host is up (0.055s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| 2048 ac:f9:85:10:52:65:6e:17:f5:1c:34:e7:d8:64:67:b1 (RSA)
| 256 dd:8e:5a:ec:b1:95:cd:dc:4d:01:b3:fe:5f:4e:12:c1 (ECDSA)
|_ 256 e9:ed:e3:eb:58:77:3b:00:5e:3a:f5:24:d8:58:34:8e (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.37 seconds
The port scan shows me only two ports: ssh and an Apache web server.
In the source code of the main page I find an image that seems to have something hidden, since it is not displayed correctly.
The file is a .jpg but the header carries the signature of a .png. I correct it with hexeditor, simply overwriting the header with the following bytes (which correspond to a
FF D8 FF E0 00 10 4A 46 49 46 00 01
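The same check and repair can be done without a hex editor. The following is an added example, not code from the writeup: it compares a file's leading bytes (its signature) with what the extension claims, and if a .jpg actually starts with a PNG signature it overwrites the first 12 bytes with the JFIF header quoted above, leaving the rest of the file untouched. The sample input is constructed here and is not a real image; it assumes, as in this room, that only the first 12 bytes were corrupted.

```python
"""Check a file's magic bytes against its extension and repair a JPEG header.

Added example (not the author's code). Assumes the corrupted image has had
only its first 12 bytes overwritten with a PNG signature, as in the challenge.
"""
import os
import sys

# Standard file signatures (magic bytes).
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8\xff"

# The 12-byte JPEG/JFIF header quoted in the writeup:
# SOI (FF D8), APP0 marker (FF E0), segment length 0x0010, "JFIF\0", version major 1.
JFIF_HEADER = bytes.fromhex("FF D8 FF E0 00 10 4A 46 49 46 00 01")


def detect_format(data: bytes) -> str:
    """Return 'png', 'jpeg' or 'unknown' based on the leading bytes only."""
    if data.startswith(PNG_SIGNATURE):
        return "png"
    if data.startswith(JPEG_SOI):
        return "jpeg"
    return "unknown"


def extension_matches(path: str, data: bytes) -> bool:
    """True if the file extension agrees with the detected signature."""
    ext = os.path.splitext(path)[1].lower().lstrip(".")
    detected = detect_format(data)
    return {"jpg": "jpeg", "jpeg": "jpeg", "png": "png"}.get(ext) == detected


def fix_jpeg_header(data: bytes) -> bytes:
    """Overwrite the first 12 bytes with a JFIF header, leaving the rest intact."""
    if len(data) < len(JFIF_HEADER):
        raise ValueError("file too short to carry a JFIF header")
    return JFIF_HEADER + data[len(JFIF_HEADER):]


def repair_file(path: str) -> bool:
    """Patch `path` in place if its signature disagrees with its extension.

    Returns True if the file was rewritten, False if it was left alone.
    """
    with open(path, "rb") as fh:
        data = fh.read()
    if extension_matches(path, data):
        return False
    with open(path, "wb") as fh:
        fh.write(fix_jpeg_header(data))
    return True


# Constructed sample (not a real image): 12 bytes of junk starting with a PNG
# signature, followed by what would be the remainder of a JFIF APP0 segment.
SAMPLE_TAIL = b"\x01\x00\x00\x01\x00\x01\x00\x00" + b"\x00" * 24
SAMPLE_BROKEN = PNG_SIGNATURE + b"\x00\x00\x00\x00" + SAMPLE_TAIL

if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(p, "patched" if repair_file(p) else "left alone")
```

Run it as `python3 fixhdr.py thm.jpg`; it only rewrites a file whose extension and signature disagree, so running it twice is safe.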
Once the image is displayed correctly, it indicates a hidden directory on the server.
The web page seems to ask for a password; after spending a long time with Burp Suite I realize that the password can be passed through a parameter in the URL, such as:
In the source code of that page there is a comment saying that the password is a number between 0–99,
so I write a script that launches 100 requests to the web page, one per possible password.
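From the defender's side, a hundred guesses against one URL parameter from one client is exactly what a review of the web server's access log should catch. The following is an added example, not part of this writeup: it parses Apache combined-format access log lines (the sample lines are constructed here), groups requests by client and path, and flags any client that tries more than a threshold of distinct values for the password parameter inside a short window. The parameter name `secret` and the path `/hidden_dir/` are placeholders, since the page does not give the room's real names.

```python
"""Flag a client trying many values of a URL password parameter in a short window.

Added detection example, not part of the writeup. The parameter name
`secret` and the path `/hidden_dir/` are placeholders: the room's real
names are not given on the page.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format, only the fields this check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

PARAM = "secret"          # hypothetical parameter name
WINDOW = timedelta(minutes=5)
THRESHOLD = 20            # distinct guesses per (ip, path) inside WINDOW


def parse_line(line):
    """Return (ip, timestamp, path, param_value, status), or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    value = parse_qs(url.query).get(PARAM, [None])[0]
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), url.path, value, int(m["status"])


def find_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {(ip, path): max distinct guesses seen inside one window} for offenders."""
    events = defaultdict(list)   # (ip, path) -> [(timestamp, guessed value)]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] is None:   # unparsable, or no password parameter
            continue
        ip, ts, path, value, _status = rec
        events[(ip, path)].append((ts, value))

    alerts = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        # Sliding window over timestamps; count distinct guesses inside it.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({v for _, v in evs[start:end + 1]})
            if distinct >= threshold:
                alerts[key] = max(alerts.get(key, 0), distinct)
    return alerts


# Constructed sample log: one client walks secret=0..99 in 100 seconds,
# another client makes two ordinary requests.
def _sample_lines():
    base = datetime(2020, 9, 23, 21, 55, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(100):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f'10.0.0.5 - - [{ts}] "GET /hidden_dir/?secret={i} HTTP/1.1" 200 512 "-" "python-requests/2.24"')
    ts = base.strftime(TS_FMT)
    lines.append(f'10.0.0.9 - - [{ts}] "GET /hidden_dir/?secret=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    lines.append(f'10.0.0.9 - - [{ts}] "GET /index.html HTTP/1.1" 200 11321 "-" "Mozilla/5.0"')
    return lines


SAMPLE_LOG = _sample_lines()

if __name__ == "__main__":
    for (ip, path), n in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip} tried {n} distinct '{PARAM}' values against {path}")
```

The threshold counts distinct values rather than raw hits, so a user who reloads the same page with one password does not trip it; against a keyspace of 0–99, as here, a complete walk shows up as 100 distinct values from one client in under two minutes.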
Once inside, I find a password:
Now I can extract data from the image downloaded at the start:
fntkg@kali:~/fuzzy-octo-guacamole/pentest/tryhackme/madness$ steghide extract -sf thm.jpg
wrote extracted data to "hidden.txt".
fntkg@kali:~/fuzzy-octo-guacamole/pentest/tryhackme/madness$ cat hidden.txt
Fine you found the password!
Here's a username
wbxre
I did't say I would make it easy for you!
I read the clue given in the room, which says the username is ROTten, so I pass the name through ROT13 and the real user comes out:
From here on I was banging my head against a wall for a long time because I needed a password, until I was told to look at the image shown in the room, so I downloaded it and extracted a password from it!
fntkg@kali:~/fuzzy-octo-guacamole/pentest/tryhackme/madness$ steghide extract -sf 5iW7kC8.jpg
wrote extracted data to "password.txt".
fntkg@kali:~/fuzzy-octo-guacamole/pentest/tryhackme/madness$ cat password.txt
I didn't think you'd find me! Congratulations!
Here take my password
*axA&GF8dP
With this I can already ssh into the remote machine.
Once inside the machine, I do some manual enumeration and notice that the binary screen-4.5.0 has the SUID bit set with root as its owner, and that it is a command I had not seen much before,
so I search the internet a bit and find the following bash script that allows a very simple privilege escalation.
I download the code, run it, and that's it: I'm root.
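A stray setuid-root binary that the distribution did not ship, like the screen-4.5.0 found here, is what a periodic SUID inventory is meant to surface before anyone else finds it. The following is an added example from the defender's side, not part of this writeup: it walks a filesystem root, collects every regular file with the setuid bit set, and diffs that set against a known-good baseline. The sample tree, the placeholder binaries in it, and the baseline are all constructed inside the block.

```python
"""Inventory setuid binaries under a root and diff them against a known-good baseline.

Added example from the defender's side, not part of the writeup. The sample
tree and baseline below are constructed; the files are not real binaries.
"""
import os
import stat
import tempfile


def is_suid(mode: int) -> bool:
    """True for regular files (not links or directories) with the setuid bit set."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def find_suid(root: str):
    """Walk `root` and return the set of setuid regular files, as paths relative to root."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)      # lstat: never follow symlinks
            except OSError:
                continue
            if is_suid(st.st_mode):
                found.add(os.path.relpath(full, root))
    return found


def unexpected_suid(found, baseline):
    """Return SUID files that are not in the baseline: candidates for review."""
    return set(found) - set(baseline)


# Constructed sample tree: a distro-style passwd that is in the baseline,
# a stray screen-4.5.0 that is not, and an ordinary non-SUID file.
def make_sample_tree() -> str:
    root = tempfile.mkdtemp(prefix="suid-audit-")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("passwd", 0o4755), ("screen-4.5.0", 0o4755), ("ls", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "wb") as fh:
            fh.write(b"placeholder, not a real binary\n")
        os.chmod(path, mode)
    return root


# Constructed baseline: what the distribution is expected to ship with setuid.
SAMPLE_BASELINE = {"usr/bin/passwd"}

if __name__ == "__main__":
    root = make_sample_tree()
    for path in sorted(unexpected_suid(find_suid(root), SAMPLE_BASELINE)):
        print("unexpected setuid file:", path)
```

On a real host the baseline would be captured once from a freshly built system (or from the package manager's file lists) and the diff run from cron; anything new in the output, especially a version-named copy of a binary the package manager does not own, gets reviewed.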