Harder - TryHackMe Walkthrough
Last updated
Harder - “Real pentest findings combined. The machine is completely inspired by real world pentest findings. Perhaps you will consider them very challenging but without any rabbit holes. Once you have a shell it is very important to know which underlying Linux distribution is used and where certain configurations are located. Hints to the initial foothold: Look closely at every request. Re-scan all newly found web services/folders and may use some wordlists from seclists (https://tools.kali.org/password-attacks/seclists). Read the source with care.”
We are given the IP 10.10.16.92. Add this to the /etc/hosts file. Let’s scan the open ports with the following command:
We see that two SSH services are running on the machine, as well as a web server on port 80 running nginx 1.18.0.
I run a directory scan but the results aren’t helpful:
It looks like everything is being redirected to an error page, no matter what.
Let’s take a look at the request for this page. I open the browser’s inspector and look at the Network tab to analyse the headers:
Let’s change our /etc/hosts file to use the domain we saw in the Set-Cookie field of our web request.
Let’s revisit the page:
Now we are prompted with a login page.
Any time you are asked for credentials, it’s always worth trying admin:admin. It works 1 in 100 times, like in this CTF.
We’re then sent to a page which says:
There is nothing else on the page. I tried another directory scan, since we now know about pwd.harder.local, but nothing came from that either.
I don’t see any more leads, so let’s rerun a directory scan with a better wordlist. I didn’t see this when I first started, but there is a hint on the TryHackMe page about using a good wordlist.
Also, “the source code will be reviewed soon” hints at something git related?
Here is my new wfuzz command which ignores 404 and 400:
I picked fuzz-Bo0oM.txt because I saw a load of ‘hidden’ directory names in it, including .git. Here are the results:
Great, they have left their git repo on the webserver :)
Now we can try and download all of their git files using the following script:
Git Repository Downloader - GitHub
For some reason, this script used backslashes as path separators, so I edited it to use / instead of \, otherwise it wasn’t downloading the files properly. I’m pretty sure there are better scripts to use, but I chose this one.
Now that we have all the git files, we can enumerate to find some more info.
I found some information about a previous commit:
I tried reverting the commits but didn’t get anywhere. Maybe a rabbit hole.
Take a look at hmac.php:
Researching some ways for bypassing an HMAC check, I came across this article:
Spot The Bug challenge 2018 warm-up
To make hash_hmac return false, we need to supply an array for the nonce value.
We need to generate a new HMAC like the following:
So, according to the article, we can use this new generated HMAC:
This is an example of a payload, taken from the website:
Let’s change the variable names, since the code here differs slightly from the article’s: nonce becomes n, hostname becomes host, and hmac becomes h. This is our final payload:
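The bug class above from the defender’s side, as an added example rather than the room’s hmac.php (which this page does not reproduce); it assumes the three fields n, host and h named above and the nonce-then-hostname key derivation described in the linked write-up:

```php
<?php
// Added example, not the room's own hmac.php. Assumption: the check takes the
// fields n (nonce), host and h (hmac), derives a per-request key as
// hmac(nonce, SECRET) and then hmacs the hostname with that key, as in the
// linked Spot The Bug write-up.
//
// Root cause of the bypass: on PHP 7, hash_hmac() given an array instead of a
// string emits a warning and returns a non-string (null/false). That value
// then feeds the second hash_hmac() as an empty key, so the tag no longer
// depends on SECRET at all. On PHP 8 the same call throws a TypeError.
declare(strict_types=1);

function verify_request(array $req, string $secret): bool
{
    // 1. Every field must be a plain string. Arrays (n[]=x) are rejected
    //    before any hashing, so the key can never collapse to "".
    foreach (['n', 'host', 'h'] as $field) {
        if (!isset($req[$field]) || !is_string($req[$field])) {
            return false;
        }
    }

    // 2. Derive the key as before, now with guaranteed string input, and
    //    refuse to continue if it is ever not a usable string.
    $derived = hash_hmac('sha256', $req['n'], $secret);
    if (!is_string($derived) || $derived === '') {
        return false;
    }
    $expected = hash_hmac('sha256', $req['host'], $derived);

    // 3. Constant-time comparison; hash_equals also rejects non-strings.
    return hash_equals($expected, $req['h']);
}

// Constructed demo values (not from the room).
$secret = 'placeholder-secret';
$nonce  = bin2hex(random_bytes(16));
$key    = hash_hmac('sha256', $nonce, $secret);
$good   = ['n' => $nonce, 'host' => 'harder.local',
           'h' => hash_hmac('sha256', 'harder.local', $key)];
$forged = ['n' => ['x'], 'host' => 'harder.local', 'h' => str_repeat('0', 64)];

var_dump(verify_request($good, $secret));   // legitimate request
var_dump(verify_request($forged, $secret)); // array nonce is rejected
```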
We have some new credentials:
I also added this domain to my /etc/hosts file: shell.harder.local
Logging in with the new credentials, we see this:
This could be a simple WAF, where we can forge our IP by intercepting and modifying the web request. Here is what I captured with Burp Suite:
I sent this to Repeater so I could try adding some new headers, which could be one of the following: X-Originating-IP, X-Forwarded-For, X-Remote-IP, X-Remote-Addr.
Adding the following line did the trick:
Here is the rendered HTML:
Looks like we can execute commands. Let’s get the request for this new page by forwarding our modified request and intercepting again:
I’ll send this to Repeater again so we can test out some commands, making sure my forged IP is still 10.10.10.10. This is the rendered page in Burp Suite:
I couldn’t upload my own payload or add a .ssh directory (since SSH was open?), so I did some more enumeration.
I had a look at /etc/periodic and found an interesting file with some info about using ssh:
While enumerating, I looked for any interesting SUID binaries with the following command:
And found this binary:
Running this binary gave the following result:
Cool, so let’s do that?
And we get the root flag. Pretty easy. However, I’m not satisfied, as I am not actually root. Since SSH is open, maybe we can add our own key for root? Generate a key:
Now we want to add this to /root/.ssh. Assuming .ssh isn’t there, we can create the directory and echo our key into a file called authorized_keys:
Our key should now be in root’s authorized_keys, so connect over SSH:
We are root: