TryHackMe IDE Writeup: Full CTF Challenge Solution.


TryHackme: IDE Writeup Step by Step - DP1H3R0X


Problem :-


1. Find the user flag

2. Find the root flag


Solutions :-


Step 1 :-

Enumerate the target using Nmap to see which ports are open and which services are running on them.

[Screenshot: Nmap scan of the target]

I have discovered 4 open ports: port 21 for FTP, port 22 for SSH, port 80 for HTTP, and port 62337 running an unknown service.

 

 

Step 2 :-

Let's check the web server running on port 80. However, it's just the default Apache page, nothing else. Then I tried brute-forcing, but found nothing.

[Screenshot: default Apache page on port 80]
 

Step 3 :-

So, let's check port 62337 over TCP, and it turns out it's running an HTTP web server.

[Screenshot: web server found on port 62337]

When I checked the source code of this page, I found a vulnerable web-based IDE framework running: Codiad 2.8.4.

[Screenshot: page source revealing Codiad 2.8.4]



Step 4 :-

Wow, I found 4 RCE exploits for this version.

[Screenshot: search results listing 4 RCE exploits for Codiad 2.8.4]

I used exploit number 2. However, before using this exploit, you'll need a valid username and password. So, I decided to go looking for the credentials.

 

 

Step 5 :-

I tried logging in as the anonymous user over FTP, and it worked. Then I found a hidden directory and a suspicious file. Wow, I found the username in the file.

[Screenshot: anonymous FTP login and the hidden file]

But I didn't find the password. Let's try some common passwords. And yes, I found the password!
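The foothold in this step exists because the FTP server accepts anonymous logins. The following audit script is an added example (not part of the writeup, and not the target's real configuration): it parses a vsftpd.conf and flags the anonymous-access exposure, with a constructed weak configuration beside a hardened one. The sample configurations and the function names are assumptions made for the example.

```python
"""Added example (not from the writeup): audit a vsftpd.conf for the
anonymous-login exposure that the FTP step relies on. Inputs are constructed."""

# Constructed weak configuration, modelled on what a successful anonymous login implies.
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=NO
"""

# Constructed hardened counterpart: anonymous access switched off explicitly.
HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
"""


def parse_vsftpd_conf(text: str) -> dict:
    """Parse key=value lines of a vsftpd.conf, skipping comments and blank lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip().upper()
    return settings


def audit_vsftpd_conf(text: str) -> list:
    """Return findings about anonymous access; an empty list means none were found."""
    s = parse_vsftpd_conf(text)
    findings = []
    # vsftpd's compiled-in default for anonymous_enable is YES, so an absent
    # directive is just as exposed as an explicit YES.
    if s.get("anonymous_enable", "YES") == "YES":
        findings.append("anonymous_enable is YES (or unset, which defaults to YES): "
                        "anyone can log in as 'anonymous' and read the served tree")
        # Anonymous *write* access needs write_enable plus one of the anon_* switches.
        if s.get("write_enable") == "YES" and (
            s.get("anon_upload_enable") == "YES" or s.get("anon_mkdir_write_enable") == "YES"
        ):
            findings.append("anonymous users can also write: write_enable=YES together with "
                            "anon_upload_enable=YES or anon_mkdir_write_enable=YES")
    return findings


if __name__ == "__main__":
    print("weak config:", audit_vsftpd_conf(WEAK_CONF))
    print("hardened config:", audit_vsftpd_conf(HARDENED_CONF))
```

Run against a real file with `audit_vsftpd_conf(open("/etc/vsftpd.conf").read())`. The check treats a missing `anonymous_enable` as enabled on purpose: a config that never mentions the directive still serves anonymous logins.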

 

 

Step 6 :-

Using the credentials, I executed the exploit.

[Screenshot: running the exploit with the recovered credentials]

Following the instructions, I gained a shell.

[Screenshot: shell obtained on the target]

Then I went to the /home/drac directory and found a user.txt file, but permission was denied. User 'drac' can view the content, so I tried to log in as user 'drac'. I checked the .bash_history file and found the credentials for 'drac'.

[Screenshot: credentials for 'drac' found in .bash_history]

 

 

Step 7 :-

Using these credentials, I logged in as user 'drac' via SSH and obtained the user flag.

[Screenshot: SSH login as 'drac' and the user flag]

 

  

Step 8 :-

Let's try privilege escalation. I checked 'sudo -l' to list the commands this user is allowed to execute as root.

[Screenshot: output of 'sudo -l']

I see that ‘drac’ has the ability to execute the ‘/usr/sbin/service vsftpd restart’ command.

Then I found a way to exploit this command. Before doing this, we need to find the ‘/lib/systemd/system/vsftpd.service’ file and edit “ExecStartPre”.

[Screenshot: editing ExecStartPre in vsftpd.service]

I injected a reverse shell and saved the changes to the file, following these steps:

1. systemctl daemon-reload

2. sudo /usr/sbin/service vsftpd restart

After doing this, voila, I got the root flag.

[Screenshot: root flag]
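The escalation in this step needs two things at once: a sudo rule that restarts a service, and a unit file the unprivileged user can edit, because every Exec* line in that unit runs as root on the next restart. The following audit is an added example, not part of the writeup: it parses `sudo -l` output, pairs each start/restart rule with the unit file's ownership and mode, and reports the combination. The `sudo -l` text, the unit-file metadata (including the writable mode on vsftpd.service, which is the assumption that makes the edit above possible) and the function names are all constructed for the example.

```python
"""Added example (not from the writeup): check whether a sudo rule that permits
restarting a service can be paired with a systemd unit file the user can modify,
which is the condition the privilege escalation above depends on. Inputs are constructed."""

import re
import stat

# Constructed 'sudo -l' output modelled on the rule shown in the writeup.
SUDO_L_OUTPUT = """\
Matching Defaults entries for drac on ide:
    env_reset, mail_badpass

User drac may run the following commands on ide:
    (ALL) /usr/sbin/service vsftpd restart
"""

# Constructed stat() results for unit files. The world-writable mode on
# vsftpd.service is the assumed weakness; ssh.service has the normal
# root-owned 0644 and serves as the safe control case.
UNIT_FILES = {
    "vsftpd": {"path": "/lib/systemd/system/vsftpd.service", "mode": 0o100666, "uid": 0, "gid": 0},
    "ssh":    {"path": "/lib/systemd/system/ssh.service",    "mode": 0o100644, "uid": 0, "gid": 0},
}

# One sudoers entry line: "(runas) [NOPASSWD:] /path/to/service|systemctl args..."
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?:NOPASSWD:\s*)?"
    r"(?P<cmd>(?:/usr/sbin/service|/sbin/service|/usr/bin/systemctl|/bin/systemctl)\s+.*)$"
)


def service_rules(sudo_l_text: str) -> list:
    """Return (runas, service, action) for rules that start or restart a unit.

    Only start/restart matter here: they run ExecStartPre/ExecStart, which is
    where a root-executed line can be placed in a writable unit file.
    """
    rules = []
    for line in sudo_l_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        parts = m.group("cmd").split()
        if len(parts) < 3:
            continue
        if parts[0].endswith("/service"):   # service NAME ACTION
            name, action = parts[1], parts[2]
        else:                                # systemctl ACTION NAME
            action, name = parts[1], parts[2]
        if name.endswith(".service"):
            name = name[:-len(".service")]
        if action in ("start", "restart"):
            rules.append((m.group("runas"), name, action))
    return rules


def writable_by(mode: int, uid: int, gid: int, user_uid: int, user_gids: set) -> bool:
    """True if a file with this mode and ownership is writable by a non-root user."""
    if uid == user_uid and mode & stat.S_IWUSR:
        return True
    if gid in user_gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def audit(sudo_l_text: str, unit_files: dict, user_uid: int, user_gids: set) -> list:
    """Findings where a start/restart sudo rule meets a unit file the user can modify."""
    findings = []
    for runas, name, action in service_rules(sudo_l_text):
        meta = unit_files.get(name)
        if meta is None:
            continue
        if writable_by(meta["mode"], meta["uid"], meta["gid"], user_uid, user_gids):
            findings.append(
                f"sudo permits '{action}' of {name} as ({runas}) and {meta['path']} "
                f"is writable by uid {user_uid}: Exec* lines in it run as root on the next restart"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SUDO_L_OUTPUT, UNIT_FILES, user_uid=1000, user_gids={1000}):
        print("FINDING:", finding)
```

On a live host, populate `unit_files` from `os.stat()` of each `*.service` under `/lib/systemd/system` and `/etc/systemd/system`. The fix on the defending side is the absence of either half of the pair: unit files stay root-owned and mode 0644, and a sudo rule that restarts a service is only safe when the unit and every program it executes are equally unwritable by the user the rule is granted to.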

 

 

Thank You For Reading This Writeup




