-->

  • TryHackMe PyLon walkthrough

     

     


     

     

     

    The platform develops virtual classrooms that not only allow users to deploy training environments with the click of a button, but also reinforce learning by adding a question-answer approach. Its a comfortable experience to learn using pre-designed courses which include virtual machines (VM) hosted in the cloud.

    TryHackMe PyLon walkthrough


    While using a question-answer model does make learning easier, TryHackMe allows users to create their own virtual classrooms to teach particular topics enabling them to become teachers. This not only provides other users with rich and varied content, but also helps creators reinforce their understanding of fundamental concepts.
      

     

    Good day hacker, Spend more time in the CLI as much as you can, For that’s where we belong. Can you penetrate the defenses and become root?TryHackMe PyLon walkthrough


    In Task 1 first of all we will download the file provieded, and the name is pepper.jpg  ( JPG ) ( Yaa MaN we will download the photo of this doggie!!! )





    Are we going to use NMAP tool, maybe nops, we use a exiftool because we already steghide tool but doesn't have any clue. so, A command-line interface to Image::ExifTool, used for reading and writing meta information in a variety of file types.



    For More Info steghide, zsteg, exiftool, stegoveritas, sonic-visualiser -- CLICK HERE

     


    exiftool jpg

     

     


     

     

    https://gchq.github.io/CyberChef/#recipe=To_Hex('None',0)To_Base85('!-u',false)

     

    so, as you can see we have some clue (link) which we will use later.

     

     


     

     

    so as i told you, we must have a password for use steghide tool, (maybe i am saying right now hahahahh whats matter!!! )

     

    Let's move forward

     

     


     

    For take a password, we will use stegbrute tool.

     

    Crack Password

     

     
    sudo wget https://github.com/R4yGM/stegbrute/releases/download/0.1.1/stegbrute

    sudo chmod +x stegbrute

    sudo mv stegbrute /usr/local/bin/

     



    Yaa man!! tool successfully installed, as you can see...lets naacho!!!






    Cracking Time


    stegbrute -f jpg -w /home/hackerboy/Documents/rockyou.txt

    and the password is: pepper

     

     

     


     

     

    Now we will use steghide tool to extract a file and check what is the things that inside the file...

     

    steghide extract -sf jpg

     

    Oh! wrote extracted data to "lone"

     

     

     


     

    lets check whats inside the data...

     

    cat lone   🐈🐯🐱😸🐈🐯🐱😸

     

     
    This SSH key is unencrypted and will allow us to connect to the machine.





    Next, we will convert lone(ASCII Text) into tzip


    ls

    file lone (check a file type)

    base64 -d lone > lone.decoded

    sudo cp lone.decoded lone.tgz (for copy into new file)

    file lone.tgz

    sudo tar -xcf lone.tgz (for extract)


    Finally we got a lone_id, which we will use later with SSH






     

     

     

    Next step is port mapping, using nmap, rustscan, whatever, reveals the following TCP ports open


    sudo nmap -A -T4 -Pn -sV  $IP


     


     

     

     

    Now, we access SSH with using lone_id and port number 222 because its doesn't work with port 22

     

    ssh lone@10.10.60.44 -i lone_id -p222

     

     

     


     

     

    We are presented with this screen.

    This is where the CyberChefrecipe will probably come in to play.

    If you are good at guessing, it will be the same password as the stegfile, so let’s try that



    https://gchq.github.io/CyberChef/#recipe=To_Hex('None',0)To_Base85('!-u',false)



     

     

     
     
     
     



     

     

     


    Selecting 1 we are given 2 options


     

     


     

     

     


     

     

     We now have flag1 and a password, so let’s try those on port 22.



     


     

     

    ssh lone@10.10.106.221

     

     

     


     

     

     
    We also have a couple more interesting file’s / folders to look at, one being a file encrypted with gpg the other being a folder with the sources for the password manager and a .git folder.



     

     


     



     
    let's check history  



    git log 








    Nothing immediately obvious pops up in the pylon folder, so let’s see if there are any files in a previous commit that may help us.






     

    We can see some files have changed here and an interesting .db file appears.


    Running the pyLon_pwMan.py with python3, the program informs us that the database file exists and prompts us for the encryption key, now if you are a good guess, you will try the same encryption key as before.






    We can see some files have changed here and an interesting .db file appears.-Running the 

     

    pyLon_pwMan.py with python3

     

    The program informs us that the database file exists and prompts us for the encryption key, now if you are a good guess, you will try the same encryption key as before.






    select option 2






    and then 1







    we got a another password









    Decrypting the ‘note_from_pood.gpg’ file gives us the password to shift horizontally to another user, but first let’s see what lone can do with sudo.



    gpg -d note_from_pood.gpg


    and now we got another(another) password







    sudo -l



    Interesting we can run openvpn as root, but only using a specific config file, poodhas asked us to fix the config and has given us access to his account, so let’s switch to him





    su pood 

    and the password is -



     


      

     

    sudo -l

     




    Now we have user2 flag, and we can see that pood can edit the openvpn config file that lone was allowed to run, so what now?


     

     







    Reading the man page for openvpn we see that we can run a script on successful connection to a VPN server, so lets write a script to take control of the machine.



    man openvpn





    This one...








    There are many ways to do this, butthe usual trick of copying /bin/bash to /tmp and setting the binary SUID should do the job, I knock up a quick shell script.



    vi /tmp/up.sh


    For add a word type -i

    for exit and save escape and then :wq and enter. thats it.


     

    then, we give some permission


    chmod 777 /tmp/up.sh

     

    Don’t forget to make it executable, now we must edit the config file.


    sudoedit /opt/openvpn/client.ovpn



















    Add a couple of lines to the config and save, now exit out of the su shell and go back to lone, connect to the openvpn server and our script should run as root on successful connection.











    The connection was successful so let’s disconnect and check out /tmp/bash



    cd /tmp

     





    As expected, the binary was created, we can now escalate to root.

     

     








    Great another gpgencrypted file, I can see a lot of people tearing their hair out over this one, since we are only effectively root we cannot decrypt his message, so we will need a proper shell.

    gpg -d root.txt.gpg






    The way I dealt with that was to edit /etc/shadow, I copied a known hash into root’s position and then all we can su to root, in this case I just copy pasted pood’s hash as it is already known and easy to grab











    $6$ivWUkR1k$XnYAc7OJJ63P/lgYzNWLiFMydrOFP/qrARMNcjHX1H4sIGFEyVQKAOedWLDY2nHU8rxx7hABmr4JT3uM74Bm5.


    you can go this way too because pylon is in the sudo group





    su


    yn0ouE9JLR3h)`=I

     




    FINALLY, we got a flag (root flag)







    Disclaimer

     

    This was written for educational purpose and pentest only.
    The author will not be responsible for any damage ..!
    The author of this tool is not responsible for any misuse of the information.
    You will not misuse the information to gain unauthorized access.
    This information shall only be used to expand knowledge and not for causing  malicious or damaging attacks. Performing any hacks without written permission is illegal ..!


    All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


    All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.



    - Hacking Truth by Kumar Atul Jaiswal



    I hope you liked this post, then you should not forget to share this post at all.
    Thank you so much :-)

     

    • 0 comments:

    Post a Comment

    For Any Tech Updates, Hacking News, Internet, Computer, Technology and related to IT Field Articles Follow Our Blog.