Room: Advent of Cyber
“McSysadmin has been super excited with their new security role, but wants to learn even more. In an attempt to show their l33t skills, they have found a new box to play with.
This challenge accumulates all the things you’ve learnt from the previous challenges (that being said, it may be a little more difficult than the previous challenges). Here’s the general way to attempt exploitation when just given an IP address:
- Start out with an NMAP scan to see what services are running
- Enumerate these services and try to exploit them
- Use these exploited services to get an initial access to the host machine
- Enumerate the host machine to elevate privileges”
For this challenge you will have to deploy the VM from the question and then use either OpenVPN or the THM virtual Kali Machine (if you are a subscriber) to connect to it. If you need instructions for how to do that, click HERE.
Question #1 A web server is running on the target. What is the hidden directory which the website lives on?
Let’s start by using Nmap to scan our target system. Open up your attacking machine (OpenVPN or THM Kali VM) and get to a command line.
nmap -sV -O <target ip>
We can see an ms-wbt-server (remote desktop) running on port 3389 and a standard HTTP web server on port 80. Go to a browser and type the IP address of your deployed machine into the navigation bar:
There is talk of a hidden directory. In the past I have used DirSearch and DirBuster for situations like this. I generally prefer DirBuster for its simplicity, however, the THM Kali VM has GoBuster installed (and it is mentioned in the hint), so I will try that today.
You will need to know the path to the “directory-list-lowercase-2.3-medium.txt” word-list on your system. It is generally in the directory shown in the image below, but if you don’t have it, download it HERE.
gobuster dir -u <browser path> -w <path to word-list>
And here we can see that it dug up one hidden directory!
Question #2 Gain initial access and read the contents of user.txt
Append that hidden directory onto the end of the IP in your browser navigation bar and let’s see what we have!
http://<tryhackme target machine ip>/<hiddendirectory>
I love all the nostalgia I’m feeling!
Anyways, back to business. We are looking for the contents of a file. If you click on the author’s name in one of the posts, you will be brought to a different page:
If you click on his “Recent Comments” we see something curious:
So what is parzival? It could potentially be some sort of login name or password?
On Wikipedia we can see that it is a medieval story. “Parzival is a medieval romance by the knight-poet Wolfram von Eschenbach in Middle High German. The poem, commonly dated to the first quarter of the 13th century, centers on the Arthurian hero Parzival and his long quest for the Holy Grail following his initial failure to achieve it.”
Additionally, it is the username selected by the main character Wade in Ready Player One, which is a pretty good book/movie if you haven’t seen/read it (I prefer the book because the movie tries to condense too much into a short period of time).
There IS a login button on the right side of the page…let’s use wade:parzival and see what happens:
Nice! We hacked into his WordPress dashboard. I looked around a bit and didn’t really find anything useful here.
But, recall our Nmap scan:
We still have a remote desktop to try to get into, and that is more likely to have our file on it anyways. A lot of people use the same logins for everything, so it’s worth a shot.
In order to access it, we can use another tool already conveniently located on our THM desktop, Remmina (I kept getting errors when I tried the rdesktop command).
If you get an error message talking about your color depth, hit the + sign at the top left and change it to something like “True Color 32 bpp”, then try to connect again.
Here we have Wade’s desktop, with the file we need just sitting out in the open unprotected:
Open it up for your flag.
Question #3 [Optional] Elevate privileges and read the content of root.txt
The only other thing on the desktop is an executable called “hhupd”. When you open it up you see this:
After doing a Google search, I was able to see that this could be used for privilege escalation:
After watching some of the videos and reading through some stuff, I was able to figure out how to use the exploit (which is very old).
Open it up and click on the “Show more details” link, and then “Show information about the publisher’s certificate”:
Now, where it says “Issued By”, click on “VeriSign Commercial Software Publishers CA”.
It may take a little bit to get it open. I had to wait a few minutes and then exit out of the certificate details by hitting “OK”. Then Internet Explorer popped up with 6 tabs because I was repeatedly hitting the link. You should now see something like this:
Click on the little cogwheel in the upper right of your IE Browser to save the page:
You might get an error message here, just click OK.
We now need to navigate to the System32 folder. Use the following search terms to get there quickly:
Hit enter. Now we need to look for an executable called “cmd.exe”
When you find it, right-click on it and open it. You should now see a shell you can use to traverse the system as an administrator! You can verify this by running the whoami command.
We can look around a while until we find the file we are looking for:
Use type root.txt to view the contents and retrieve your flag!
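From the defender's side, the chain above leaves a distinctive trail in process-creation logs: a browser started as SYSTEM out of the elevated certificate dialog, then a command shell spawned from that browser. The detector below is an added example and not part of the original write-up; the log lines are constructed in a simplified key=value form loosely modelled on Sysmon process-creation fields, and the consent.exe parent of Internet Explorer is an assumption.

```python
"""Flag the process chain behind the hhupd certificate-dialog privilege
escalation (added example). Fields are simplified; real Sysmon/EDR
telemetry would need its own parser, but the two rules carry over."""
import re

# Constructed sample events. Assumption: iexplore.exe is launched by the
# UAC/certificate dialog host (consent.exe) running as SYSTEM.
SAMPLE_LOG = r"""
Image=C:\Windows\System32\consent.exe ParentImage=C:\Windows\System32\svchost.exe User="NT AUTHORITY\SYSTEM" IntegrityLevel=System
Image="C:\Program Files\Internet Explorer\iexplore.exe" ParentImage=C:\Windows\System32\consent.exe User="NT AUTHORITY\SYSTEM" IntegrityLevel=System
Image=C:\Windows\System32\cmd.exe ParentImage="C:\Program Files\Internet Explorer\iexplore.exe" User="NT AUTHORITY\SYSTEM" IntegrityLevel=System
Image="C:\Program Files\Internet Explorer\iexplore.exe" ParentImage=C:\Windows\explorer.exe User=WADE-PC\wade IntegrityLevel=Medium
Image=C:\Windows\System32\cmd.exe ParentImage=C:\Windows\explorer.exe User=WADE-PC\wade IntegrityLevel=Medium
"""

# key=value pairs; values containing spaces are double-quoted
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

ELEVATED = {"High", "System"}          # integrity levels that imply admin/SYSTEM
BROWSERS = {"iexplore.exe"}            # hypothetical list; extend for other browsers
SHELLS = {"cmd.exe", "powershell.exe"}


def parse_event(line):
    """Turn one log line into a dict of its fields (empty dict if none)."""
    return {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(line)}


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(lines):
    """Return (rule, image, parent, user) tuples for suspicious events."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if not ev:
            continue
        img, parent = basename(ev["Image"]), basename(ev["ParentImage"])
        level = ev.get("IntegrityLevel")
        # Rule 1: a web browser should never run at High/System integrity.
        if img in BROWSERS and level in ELEVATED:
            alerts.append(("browser_elevated", img, parent, ev["User"]))
        # Rule 2: an elevated shell whose parent is a browser is the
        # "Save As -> open cmd.exe" step of the escalation.
        if img in SHELLS and parent in BROWSERS and level in ELEVATED:
            alerts.append(("shell_from_elevated_browser", img, parent, ev["User"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.strip().splitlines()):
        print(alert)
```

Only the two SYSTEM-level events trip the rules; Wade's ordinary medium-integrity browser and shell are left alone, which keeps the logic usable as a scheduled hunt rather than a noisy alert.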
This was a good one. I really enjoyed exploring Wade’s retro blog and brushing up on my Windows command line skills, which I always forget since I’m mostly using the Linux command line.
These past couple days I was busy doing an Escalate CTF for H@TH. Come to find out, they do not allow write-ups for their challenges, which I am kinda sad about because some of them were CRAZY.
Tomorrow I will be participating in the BsidesBOS CTF and will be posting my write-ups shortly after!
Happy Hacking! ❤