TryHackMe Cat Pictures 2 Walkthrough: Complete CTF Solution.

Tryhackme Cat Pictures 2: Writeup Step by Step

 

Tryhackme Cat Pictures 2: Writeup - DP1h3R0X

 

 Problems :-


1. Find the flag1

2. Find the flag2

3. Find the flag3

 

Solutions :-

 

Step 1 :- 


Enumerate the target IP using Nmap: [nmap -Pn -sV {target_ip}].

 


 

I found 5 open ports: 22 and 222 are OpenSSH, and 80, 8080, and 3000 are web servers.

 

 

Step 2 :-  


Let's visit the website running on port 80 and see what's important. Enumerate the website.

 


 

I found the photo album; there are seven images of a cat. I tried to brute-force the directories, but found nothing important. I also checked the version of the photo management framework 'Lychee' used on this website, but didn't find any vulnerabilities.


Step 3 :-  


Download all the pictures, ensuring the image extensions are [.jpg].

 


 

View each image full screen and download it, then use 'exiftool' to extract hidden data from the images. I found a hidden path in one of the pictures.
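The exiftool step above reads the JPEG metadata segments where such hidden text lives. As an added example (not part of the original writeup), the script below does the same without external tools: it walks the JPEG marker segments and pulls printable strings out of the COM and APP1 (Exif) segments; the sample JPEG and the text inside it are constructed here for illustration.

```python
import re
import struct

# Marker codes of the metadata segments we inspect (standard JPEG values)
SEGMENT_NAMES = {0xFFE1: "APP1", 0xFFFE: "COM"}

def jpeg_segments(data: bytes):
    """Yield (marker, payload) for each marker segment before Start-of-Scan.

    Each segment is 0xFFxx followed by a two-byte big-endian length that
    includes the two length bytes themselves but not the marker.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker == 0xFFDA:  # SOS: entropy-coded image data follows, stop here
            break
        if marker >> 8 != 0xFF or length < 2:
            raise ValueError(f"malformed segment at offset {pos}")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def hidden_strings(data: bytes, min_len: int = 6):
    """Return (segment, text) pairs for printable runs in COM/APP1 segments."""
    found = []
    for marker, payload in jpeg_segments(data):
        if marker in SEGMENT_NAMES:
            for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, payload):
                found.append((SEGMENT_NAMES[marker], s.decode("ascii")))
    return found

def build_sample_jpeg(comment: bytes, exif_note: bytes) -> bytes:
    """Construct a minimal JPEG header carrying a COM and an APP1 (Exif) segment."""
    def seg(marker, payload):
        return struct.pack(">HH", marker, len(payload) + 2) + payload
    exif = b"Exif\x00\x00" + exif_note  # simplified APP1 body, not a full TIFF IFD
    return b"\xff\xd8" + seg(0xFFE1, exif) + seg(0xFFFE, comment) + b"\xff\xda\x00\x02"

if __name__ == "__main__":
    # Constructed sample: a path hidden in the comment segment, a note in APP1
    sample = build_sample_jpeg(b"/constructed/hidden/path.txt", b"ImageDescription: example-note")
    for segment, text in hidden_strings(sample):
        print(f"{segment}: {text}")
```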

 

 


 

You can see on port 8080 (nginx server), there is a text file. Let's navigate to the file.

 

 

I found a credential for 'Gitea', which is running on port 3000. Let's navigate to it.

 

What is Gitea?


Gitea is a forge software package for hosting software development version control using Git as well as other collaborative features like bug tracking, code review, continuous integration, kanban boards, tickets, and wikis. It supports self-hosting but also provides a free public first-party instance. (Wikipedia)

 

 
I used the credentials to log into 'Gitea', where I found flag1 in the 'ansible' repository.

 

 

 

Step 4 :-  


In the repository, there is a [playbook.yaml] file.

 





 

This seems to run the 'whoami' command as the user 'bismuth'. Let's run the Ansible playbook runner on port 1337 and check the logs.

 





 

 

The command ran successfully.

 


 

 

Step 5 :- 


Replace 'whoami' with a reverse shell.

 


 






Set up a netcat listener, then run the playbook and wait for the reverse connection.





I found the flag2.



Step 6 :- 


Privilege escalation: let's run the very useful linpeas script to check for vulnerabilities.





The sudo version is vulnerable. I looked for an exploit and found a GitHub repo.

 


 

Upload the exploit to the victim machine, compile it, and run it.

 

 


After running the exploit, we got a root shell and I found flag3.








Thank you for reading this writeup.

