TryHackMe | CTF | MyBox

Kapish Kuchroo
5 min read · Dec 21, 2021

Spin up your Kali machine and check out the box at https://tryhackme.com/room/box20mybox . If the link mentioned in the walkthrough does not take you there, go to TryHackMe → Rooms and enter box20mybox in the room entry field.

1. Information Gathering:
Using nmap to enumerate the open ports shows that the conventional port 80 is not in use; the web service is on port 8082 instead, and that is the port to inspect.

After that I browsed to the website on port 8082 and made sure to check the page source. Penetration testers should always do that on a website; it will usually give you some useful information.

2. Flag Number One:

Wooop!! Wooop!! Flag1 found.

3. Flag Number Two:
I did not find any information for the second flag at first. After hours of frustration (literally 5 hours), I copied the information present next to the first flag, decoded it from base64, and got a username and password for SSH on port 22. Damn!!!!

Logging in with the ssh command as toby, I found out that there is no flag present. I was disappointed, since I was expecting a flag right after logging in, on the desktop. What I did find was an image in the funny things directory.

I ran a Python HTTP server on the remote machine to copy the contents from the remote machine to my machine.

I then opened Firefox on my machine and downloaded the image from the remote machine.

Check out stegseek on GitHub here: https://github.com/RickdeJager/stegseek
Kudos to the author for building this amazing tool; it's got some serious speed. I used the wordlist darkweb2017-top1000 from SecLists.

Alternatively, you can also use the command stegseek index.jpeg.out and it will give you the same results. That is how I found the jpeg.out image.

Woop!!!Woop!!! Second flag found.

4. Flag Number Three:
Again, I found additional information next to the flag. This time I was ready for a base64 decode 😂😭😭. User credentials found.

Works like a charm. Switched to user arun.

I found the sudoers file but I couldn't read it from that directory, so I decided to cat the contents of /etc/sudoers.

I realised that there was something in the file I was overlooking, so I decided to give everything in it a try on Google. I searched for every one of the Defaults options to find anything that could help me elevate privileges.

I found something: pwfeedback. We can exploit this vulnerability, but we will need the exploit code to do so.
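From the defender's side, the thing to check before an attacker does is whether pwfeedback is actually enabled once all the Defaults lines are applied. The following Python audit is an added example, not part of the original walkthrough: it parses a sudoers file the way sudo evaluates Defaults (per-scope, last line wins, comments and quoted values respected) and reports the scopes where pwfeedback ends up on. The sample sudoers text is constructed; the user name arun is reused from this box.

```python
import re

# Constructed sample sudoers (not the box's real file); the Defaults lines
# mirror what `cat /etc/sudoers` showed the author, plus a per-user override.
SAMPLE_SUDOERS = """\
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin"
Defaults        pwfeedback,timestamp_timeout=5   # asterisks while typing
Defaults:arun   !pwfeedback
root    ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d
"""

# Optional scope suffix (':user', '@host', '>runas', '!cmnd'), then options.
DEFAULTS_RE = re.compile(r"^\s*Defaults([:@>!]\S+)?\s+(.+)$")

def _split_outside_quotes(text, sep):
    """Split on `sep` only where it is outside double quotes."""
    parts, cur, quoted = [], "", False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return parts

def pwfeedback_state(sudoers_text):
    """Return {scope: final pwfeedback value}; '' is the global scope.
    As in sudo, a later Defaults line overrides an earlier one in the same scope."""
    state = {}
    for raw in sudoers_text.splitlines():
        line = _split_outside_quotes(raw, "#")[0]  # drop trailing comment
        m = DEFAULTS_RE.match(line)
        if not m:
            continue  # user specs, aliases, #include lines, blanks
        scope = m.group(1) or ""
        for opt in _split_outside_quotes(m.group(2), ","):
            opt = opt.strip()
            if opt == "pwfeedback":
                state[scope] = True
            elif opt == "!pwfeedback":
                state[scope] = False
    return state

def pwfeedback_enabled_scopes(sudoers_text):
    """Scopes where pwfeedback ends up on: each one is an audit finding."""
    return [s for s, on in pwfeedback_state(sudoers_text).items() if on]
```

Run it against the real file (and anything under /etc/sudoers.d) on a host you administer; a non-empty result means the option is live and the installed sudo version should be checked.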

I googled for exploits relating to pwfeedback, which led me to GitHub. I downloaded the code from the GitHub repository onto my Kali machine.

After downloading the exploit on Kali, I started a Python HTTP server to transfer it from my machine to the remote machine.

On the remote machine I used wget to fetch the exploit from the Kali machine.

The C code needs to be compiled with gcc. Using gcc -o <new name> <previous name>, I got the exploit binary.

Ran the exploit and got the root shell.

I then went looking for the root flag, but there was no obvious root flag on this machine. I went to the root directory and found the .Finish file.

Woop!!Woop!! Final flag found.

Follow me on Medium to catch walkthroughs of CTFs.
Peace✌🏽