TryHackMe Red vs Blue Writeup: Complete Guide to Offensive and Defensive Techniques
Problems :-
1. Find the flag1
2. Find the flag2
3. Find the flag3
Solutions :-
Step 1 :-
Enumerate the open ports using nmap. [nmap -Pn -sV {target_ip}]
You can see that only two ports are open: port '22' and port '80'. Let's check the website.
In the website URL, I found a 'page' parameter. Let's check it for common vulnerabilities, specifically Local File Inclusion (LFI). By modifying this parameter, we can attempt to retrieve arbitrary files from the server. I tried changing the URL to [.php?page=/etc/passwd], but this didn't work. So, I used a PHP wrapper, and this time it worked.
But, as you can see, the output is Base64-encoded, so we need to decode it.
In the '/etc/passwd' file, you can see two users: 'red' and 'blue'. Let's check the bash history of the user 'blue'.
You can see that 'blue' was generating a wordlist. I replicated this by running the same command on my own machine, but first I needed to understand what 'reminder' referred to, so I could find the base password that Hashcat was applying the rule to. So, I used the LFI vulnerability to view the '.reminder' file and obtain the base password.
After running the same command, I generated a password list. I used this list to brute-force the SSH login and successfully found the password for the user 'blue'. However, it's important to note that if your connection gets closed, you'll need to brute-force again and use the new password to log back in.
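From the defender's side, both techniques used in Step 1 (probing the 'page' parameter for file inclusion and brute-forcing the SSH password for 'blue') leave clear traces in logs. The Python below is an added example, not part of this writeup, that runs simple detection logic over constructed sample web-server and sshd log lines. The 'index.php' script name, IP addresses, timestamps and the 'redvsblue' hostname in the samples are made up; only the 'page' parameter and the 'blue' account come from the writeup.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample access log (common log format). Script name, IPs and
# timestamps are invented; the 'page' parameter mirrors the writeup.
ACCESS_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /index.php?page=/etc/passwd HTTP/1.1" 200 0
10.0.0.9 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?page=php://filter/resource=/etc/passwd HTTP/1.1" 200 2048
10.0.0.5 - - [01/Jan/2024:10:00:20 +0000] "GET /index.php?page=about HTTP/1.1" 200 498
"""

# Constructed sample sshd lines (syslog format): six failures and then a
# success from the same source, followed by a normal login from another host.
AUTH_LOG = """\
Jan  1 10:05:01 redvsblue sshd[1201]: Failed password for blue from 10.0.0.9 port 50111 ssh2
Jan  1 10:05:02 redvsblue sshd[1202]: Failed password for blue from 10.0.0.9 port 50112 ssh2
Jan  1 10:05:03 redvsblue sshd[1203]: Failed password for blue from 10.0.0.9 port 50113 ssh2
Jan  1 10:05:04 redvsblue sshd[1204]: Failed password for blue from 10.0.0.9 port 50114 ssh2
Jan  1 10:05:05 redvsblue sshd[1205]: Failed password for blue from 10.0.0.9 port 50115 ssh2
Jan  1 10:05:06 redvsblue sshd[1206]: Failed password for blue from 10.0.0.9 port 50116 ssh2
Jan  1 10:05:09 redvsblue sshd[1209]: Accepted password for blue from 10.0.0.9 port 50118 ssh2
Jan  1 10:06:00 redvsblue sshd[1300]: Accepted password for blue from 10.0.0.5 port 40001 ssh2
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# A legitimate value for an include parameter is a bare page name. A traversal
# sequence, an absolute path or a URL/stream-wrapper scheme marks a probe.
LFI_INDICATORS = (
    re.compile(r"\.\.[/\\]"),                   # ../ or ..\ traversal
    re.compile(r"^[/\\]"),                      # absolute path
    re.compile(r"^[a-z][a-z0-9+.-]*:", re.I),   # scheme prefix such as php:
)


def find_lfi_attempts(log_text, param="page"):
    """Return (client_ip, parameter_value) for each request whose include
    parameter carries a file-inclusion indicator."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        query = urlparse(m["target"]).query
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            value = unquote(value)  # second decode catches double-encoded values
            if any(rx.search(value) for rx in LFI_INDICATORS):
                hits.append((m["ip"], value))
    return hits


FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+)")


def find_ssh_bruteforce(log_text, threshold=5):
    """Count failed logins per (source, account). Return the pairs at or above
    the threshold and, separately, those pairs that also have a successful
    login, which is the strongest sign that the guessing worked."""
    failures = Counter()
    accepted = []
    for line in log_text.splitlines():
        if (m := FAILED_RE.search(line)):
            failures[(m["ip"], m["user"])] += 1
        elif (m := ACCEPTED_RE.search(line)):
            accepted.append((m["ip"], m["user"]))
    suspicious = {key: n for key, n in failures.items() if n >= threshold}
    compromised = [key for key in accepted if key in suspicious]
    return suspicious, compromised


if __name__ == "__main__":
    for ip, value in find_lfi_attempts(ACCESS_LOG):
        print(f"LFI probe from {ip}: page={value}")
    suspicious, compromised = find_ssh_bruteforce(AUTH_LOG)
    for (ip, user), n in suspicious.items():
        print(f"{n} failed SSH logins for {user} from {ip}")
    for ip, user in compromised:
        print(f"ALERT: {user} logged in from {ip} after repeated failures")
```

On the sample input the web check flags both requests from 10.0.0.9 (the absolute path and the wrapper scheme) and the SSH check reports six failures for 'blue' from that host followed by a success. The threshold is deliberately low for the sample; on a real host it should be tuned against normal failure rates, and the password-rotation behaviour the writeup describes would show up as a recurring pattern of this shape.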
Step 2 :-
Using the password, I logged into 'blue' via SSH and found the flag1.
Step 3 :-
Let's find flag2. I discovered that flag2 is located in '/home/red', but I don't have permission to read it. So, I need to switch to the user 'red'. To achieve this, I transferred the 'pspy' tool to the victim machine to monitor the running processes and identify the relevant 'PID'.
You can see an interesting process running, which is essentially a reverse shell to the domain 'redrules.thm' on port '9001'. So, I checked the '/etc/hosts' file and changed the IP address of that domain to my own machine's IP.
After doing this, I set up a listener using 'netcat' and successfully received the reverse shell as the user 'red'. This time, I was able to read flag2.
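The pivot in Step 3 works because a low-privileged user could change where 'redrules.thm' resolves, and the scheduled job trusted that name. As an added example (not part of the writeup), the Python below audits an /etc/hosts file for the two conditions a defender cares about here: write permission for non-root users, and a name mapping that no longer matches the expected address. The sample file contents, the 10.10.10.10 address and the expected-mapping table are constructed assumptions.

```python
import os
import stat

# Constructed sample /etc/hosts. The redrules.thm address is an assumed
# baseline, not a value from the challenge.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.1.1   redvsblue
# callback host used by the scheduled job
10.10.10.10 redrules.thm
"""

# Assumed baseline of names whose resolution must not change.
EXPECTED_MAPPINGS = {"redrules.thm": "10.10.10.10"}


def parse_hosts(text):
    """Map each hostname to the address of its first entry, which is the one
    the files-based resolver returns."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping.setdefault(name, addr)
    return mapping


def audit_hosts(text, mode, expected=EXPECTED_MAPPINGS):
    """Return a list of findings for the given file contents and st_mode."""
    findings = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("hosts file is writable by group or others")
    mapping = parse_hosts(text)
    for name, addr in expected.items():
        actual = mapping.get(name)
        if actual != addr:
            findings.append(f"{name} resolves to {actual!r}, expected {addr}")
    return findings


def audit_hosts_file(path="/etc/hosts", expected=EXPECTED_MAPPINGS):
    """Run the audit against a real file on this system."""
    st = os.stat(path)
    with open(path, encoding="utf-8") as fh:
        return audit_hosts(fh.read(), st.st_mode, expected)


if __name__ == "__main__":
    print("clean:", audit_hosts(SAMPLE_HOSTS, 0o100644))
    tampered = SAMPLE_HOSTS.replace("10.10.10.10", "10.0.0.9")
    print("tampered:", audit_hosts(tampered, 0o100666))
```

The clean sample produces no findings; the tampered copy reports both the loose permissions and the changed mapping. The underlying design problem is that a root-level job calls out by a name it cannot verify, so beyond fixing the file mode, such a job should pin the address or authenticate the peer.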
Step 4 :-
Let's find the final flag (flag3). I uploaded a 'linpeas' script to the victim machine and executed it.
You can see the SUID binary 'pkexec', which is vulnerable in this version. I tried to exploit it. After some research, I found a C exploit on GitHub, but the victim machine didn't have 'gcc' installed, so I couldn't compile the code. Then I found a Python script on GitHub that automates the exploitation, though some modifications to the code were necessary.
Just change '/usr/bin/pkexec' to '/home/red/.git/pkexec' and upload the exploit to the victim machine.
Then I ran the code and, voilà, I got a root shell. Finally, I found flag3.
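Step 4 turns on a setuid-root 'pkexec' and a copy of it living under '/home/red/.git/'. The check a defender wants is an inventory of setuid files compared against where they are allowed to live and against a reviewed baseline. The Python below is an added example, not from the writeup or from linpeas; the snapshot tuples, the baseline set and the '/usr/bin/newtool' and '/home/blue/tool' paths are constructed, and the trusted-directory list is an assumption to adapt per distribution.

```python
import os
import stat

# Directories where setuid-root binaries are expected to live (assumed list).
TRUSTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")

# Assumed baseline of setuid-root binaries already reviewed on this host.
BASELINE = {"/usr/bin/passwd", "/usr/bin/pkexec"}

# Constructed filesystem snapshot as (path, st_mode, st_uid); not the target.
SNAPSHOT = [
    ("/usr/bin/passwd", 0o104755, 0),
    ("/usr/bin/pkexec", 0o104755, 0),
    ("/usr/bin/newtool", 0o104755, 0),        # setuid root, not in baseline
    ("/home/red/.git/pkexec", 0o104755, 0),   # setuid copy outside trusted dirs
    ("/usr/bin/python3", 0o100755, 0),        # no setuid bit, ignored
    ("/home/blue/tool", 0o104755, 1001),      # setuid but owned by a normal user
]


def classify_setuid(entries, trusted_dirs=TRUSTED_DIRS, baseline=BASELINE):
    """Return (category, path) findings for every setuid regular file."""
    findings = []
    for path, mode, uid in entries:
        # Symlinks and non-regular files never grant privileges via setuid.
        if not (stat.S_ISREG(mode) and mode & stat.S_ISUID):
            continue
        if uid != 0:
            findings.append(("setuid non-root", path))
        elif not path.startswith(trusted_dirs):
            findings.append(("setuid-root outside trusted dirs", path))
        elif path not in baseline:
            findings.append(("setuid-root not in baseline", path))
    return findings


def snapshot_filesystem(root="/"):
    """Collect (path, mode, uid) for every file under root, using lstat so
    symlinks are recorded as such, and skipping anything unreadable."""
    entries = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            entries.append((path, st.st_mode, st.st_uid))
    return entries


if __name__ == "__main__":
    # Replace SNAPSHOT with snapshot_filesystem() to audit a live host.
    for category, path in classify_setuid(SNAPSHOT):
        print(f"{category}: {path}")
```

On the sample snapshot the copy under '/home/red/.git/' is reported as setuid-root outside the trusted directories regardless of any baseline, which is the finding that matters most in this box. The baseline comparison only tells you whether the set of trusted setuid binaries changed; it says nothing about whether 'pkexec' itself is patched, so pair this with the package manager's version check.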