The platform develops virtual classrooms that not only allow users to deploy training environments with the click of a button, but also reinforce learning by adding a question-answer approach. Its a comfortable experience to learn using pre-designed courses which include virtual machines (VM) hosted in the cloud.

TryHackMe PyLon walkthrough


While using a question-answer model does make learning easier, TryHackMe allows users to create their own virtual classrooms to teach particular topics enabling them to become teachers. This not only provides other users with rich and varied content, but also helps creators reinforce their understanding of fundamental concepts.
  

Good day hacker, Spend more time in the CLI as much as you can, For that’s where we belong. Can you penetrate the defenses and become root?TryHackMe PyLon walkthrough

In Task 1 first of all we will download the file provieded, and the name is pepper.jpg  ( JPG ) ( Yaa MaN we will download the photo of this doggie!!! )

Are we going to use NMAP tool, maybe nops, we use a exiftool because we already steghide tool but doesn't have any clue. so, A command-line interface to Image::ExifTool, used for reading and writing meta information in a variety of file types.

For More Info steghide, zsteg, exiftool, stegoveritas, sonic-visualiser -- CLICK HERE

exiftool jpg

https://gchq.github.io/CyberChef/#recipe=To_Hex('None',0)To_Base85('!-u',false)

so, as you can see we have some clue (link) which we will use later.

so as i told you, we must have a password for use steghide tool, (maybe i am saying right now hahahahh whats matter!!! )

Let's move forward

For take a password, we will use stegbrute tool.

Crack Password

 
sudo wget https://github.com/R4yGM/stegbrute/releases/download/0.1.1/stegbrute

sudo chmod +x stegbrute

sudo mv stegbrute /usr/local/bin/

Yaa man!! tool successfully installed, as you can see...lets naacho!!!

Cracking Time

stegbrute -f jpg -w /home/hackerboy/Documents/rockyou.txt

and the password is: pepper

Now we will use steghide tool to extract a file and check what is the things that inside the file...

steghide extract -sf jpg

Oh! wrote extracted data to "lone"

lets check whats inside the data...

cat lone   🐈🐯🐱😸🐈🐯🐱😸

 
This SSH key is unencrypted and will allow us to connect to the machine.

Next, we will convert lone(ASCII Text) into tzip

ls

file lone (check a file type)

base64 -d lone > lone.decoded

sudo cp lone.decoded lone.tgz (for copy into new file)

file lone.tgz

sudo tar -xcf lone.tgz (for extract)

Finally we got a lone_id, which we will use later with SSH

Next step is port mapping, using nmap, rustscan, whatever, reveals the following TCP ports open

sudo nmap -A -T4 -Pn -sV  $IP

Now, we access SSH with using lone_id and port number 222 because its doesn't work with port 22

ssh lone@10.10.60.44 -i lone_id -p222

We are presented with this screen.

This is where the CyberChefrecipe will probably come in to play.

If you are good at guessing, it will be the same password as the stegfile, so let’s try that

https://gchq.github.io/CyberChef/#recipe=To_Hex('None',0)To_Base85('!-u',false)

Selecting 1 we are given 2 options


 

 We now have flag1 and a password, so let’s try those on port 22.

ssh lone@10.10.106.221

 
We also have a couple more interesting file’s / folders to look at, one being a file encrypted with gpg the other being a folder with the sources for the password manager and a .git folder.

git log 

Nothing immediately obvious pops up in the pylon folder, so let’s see if there are any files in a previous commit that may help us.

We can see some files have changed here and an interesting .db file appears.


Running the pyLon_pwMan.py with python3, the program informs us that the database file exists and prompts us for the encryption key, now if you are a good guess, you will try the same encryption key as before.

We can see some files have changed here and an interesting .db file appears.-Running the 

pyLon_pwMan.py with python3

The program informs us that the database file exists and prompts us for the encryption key, now if you are a good guess, you will try the same encryption key as before.

select option 2

and then 1

we got a another password

Decrypting the ‘note_from_pood.gpg’ file gives us the password to shift horizontally to another user, but first let’s see what lone can do with sudo.

gpg -d note_from_pood.gpg

and now we got another(another) password

sudo -l

Interesting we can run openvpn as root, but only using a specific config file, poodhas asked us to fix the config and has given us access to his account, so let’s switch to him

su pood 

and the password is -

sudo -l

Now we have user2 flag, and we can see that pood can edit the openvpn config file that lone was allowed to run, so what now?


 

Reading the man page for openvpn we see that we can run a script on successful connection to a VPN server, so lets write a script to take control of the machine.



man openvpn

This one...

There are many ways to do this, butthe usual trick of copying /bin/bash to /tmp and setting the binary SUID should do the job, I knock up a quick shell script.



vi /tmp/up.sh

For add a word type -i

for exit and save escape and then :wq and enter. thats it.

then, we give some permission

chmod 777 /tmp/up.sh

 

Don’t forget to make it executable, now we must edit the config file.

sudoedit /opt/openvpn/client.ovpn

Add a couple of lines to the config and save, now exit out of the su shell and go back to lone, connect to the openvpn server and our script should run as root on successful connection.

The connection was successful so let’s disconnect and check out /tmp/bash

cd /tmp

As expected, the binary was created, we can now escalate to root.

 

Great another gpgencrypted file, I can see a lot of people tearing their hair out over this one, since we are only effectively root we cannot decrypt his message, so we will need a proper shell.

gpg -d root.txt.gpg

The way I dealt with that was to edit /etc/shadow, I copied a known hash into root’s position and then all we can su to root, in this case I just copy pasted pood’s hash as it is already known and easy to grab

$6$ivWUkR1k$XnYAc7OJJ63P/lgYzNWLiFMydrOFP/qrARMNcjHX1H4sIGFEyVQKAOedWLDY2nHU8rxx7hABmr4JT3uM74Bm5.

you can go this way too because pylon is in the sudo group

su

yn0ouE9JLR3h)`=I

FINALLY, we got a flag (root flag)

Disclaimer

This was written for educational purpose and pentest only.
The author will not be responsible for any damage ..!
The author of this tool is not responsible for any misuse of the information.
You will not misuse the information to gain unauthorized access.
This information shall only be used to expand knowledge and not for causing  malicious or damaging attacks. Performing any hacks without written permission is illegal ..!


All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.



- Hacking Truth by Kumar Atul Jaiswal



I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)

 

TryHackMe CC Steganography 

Steganography is the art of concealing data within some other data. A common example of this is embedding hidden text in an image file.
This blog serves as an introduction to steganography and some of the tools you can use to embed and extract data within other data. TryHackMe CC Steganography

To complete this every task you will need the following tools available to you:

    steghide
    zsteg
    exiftool
    stegoveritas
    sonic-visualiser

Make sure you download the files needed to complete these tasks. You cannot answer some of the questions without them. Unzip spect.zip and you should have the files below.

Note: Basic linux knowledge required.


TryHackMe Website :- Cilck Here

Steghide

Steghide is one of the most famous steganography tools, and for good reason. It's a classic method, hiding a message inside an image, and steghide does it effectively and efficiently. A downside of steghide is that it only works on jpgs; however, that means that if you believe there is a hidden message inside a jpg, then steghide is a probable option.


One of the greatest benefits of stegohide, is that it can encrypt data with a passphrase. Meaning that if they don't have the password then they can't extract any data.



steghide can be installed with the command sudo apt install steghide


You can find the answers to questions 1-6 by reading the man page or by running steghide –help.

steghide includes 7 commands;

    embed
    extract
    info
    encinfo
    version
    license
    help




encinfo, version, license, and help do not require arguments and are informational. embed, extract and info are the functional commands within steghide. Each has their own     set of arguments. These arguments can be found in the documentation.

steghide command [ arguments ]

 

To find the hidden message in jpeg1.jpeg, we need to use steghide’s extract command with the -sf argument. We can optionally specify the -p argument to skip the passphrase prompt, and the -xf argument to specify an output filename (default: a.txt).


steghide extract -sf jpeg1.jpeg -p password123




1. What argument allows you to embed data(such as files) into other files?

Ans :- embed


2. What flag let's you set the file to embed?

Ans :- -ef

3. What flag allows you to set the "cover file"?(i.e  the jpg)

Ans :- -cf


4. How do you set the password to use for the cover file?

Ans :- -p


5. What argument allows you to extract data from files?

Ans :- extract


6. How do you select the file that you want to extract data from?

Ans :- -sf


7. Given the passphrase "password123", what is the hidden message in the included "jpeg1" file.

Ans :- pinguftw

zsteg

zsteg works much in the same way as steghide, except it is used for png and bmp files. You can find the answers to questions 1-4 by running zsteg -h.


zsteg can work with a single argument; the filename. You can iterate over all known extraction methods with the -a flag. You can also specify parameters to constrain zsteg. There are many ways you can run a file through zsteg, but just specifying the filename is a good place to start.



zsteg can be installed by using ruby with the command gem install zsteg


To find png1.png’s hidden message, and the payload used to encrypt it,  you do not need to use any arguments with zsteg.


zsteg png1.png



1. How do you specify that the least significant bit comes first

Ans :- --lsb

2. What about the most significant bit?

Ans :- --msb


3. How do you specify verbose mode?

Ans :- -v


4. How do you extract the data from a specific payload?

Ans :- -E


5. In the included file "png1" what is the hidden message?

Ans :- nootnoot$


6. What about the payload used to encrypt it.

Ans :- b1,bgr,lsb,xy

exiftool

exiftool is a great tool for working with metadata in image, audio, and video files. exiftool enables you to read, write, copy, and edit the metadata. It is interesting to note that exiftool can write to read-only files if the user has write permission in the directory.


For more information about exiftool, including a full list of options, please see the man page, github page or author’s website.



Exiftool can be installed with sudo apt install exiftool


Using exiftool to extract metadata from jpeg3.jpeg is as simple as running the command with the filename as an argument.


exiftool jpeg3.jpeg




1. In the included jpeg3 file, what is the document name

Ans :- Hello :)

stegoveritas

stegoveritas is a very diverse steganography tool that can extract all types of data from nearly every image, audio, or video file types. stegoveritas has default actions for most image types and will attempt to run on any file. It can extract metadata like exiftool, perform color corrections and adjustments, extract frames from animated gifs, and it also includes an option for steghide. For more actions (and to answer questions 1-3), run stegoveritas -h.



Stegoveritas can be installed by running these two commands:

• sudo apt-get install python3-pip
• pip3 install stegoveritas
• stegoveritas_install_deps

To find jpeg2.jpeg’s hidden message we run the file as an argument into stegoveritas with no options specified.



stegoveritas jpeg2.jpeg


You will see that stegoveritas found something with steghide and placed it a newly created directory, results. This file contains our hidden message.





1. How do you check the file for metadata?

Ans :- -meta

 
2. How do you check for steghide hidden information

Ans :- -steghide

3. What flag allows you to extract LSB data from the image?

Ans :- extractls

 
4 . In the included image jpeg2 what is the hidden message?

Ans :- kekekekek

Spectrograms

Spectrogram stegonography is the art of hiding hidden an image inside in an audio file's spectogram. Therefore when ever dealing with audio stego it is always worth analyzing the spectrogram of the audio. To do this task we will be using Sonic Visualizer.

Download :- Sonic Visualizer

Note: This introduction will be done using the included wav1 file.


When you open Sonic Visualizer you should see this screen:

From there click File->Open and then select the included wav1 file and you should see a screen similar to this:

 

From there click Layer->Add Spectrogram and you should see this:

And that's it!

1. What is the hidden text in the included wav2 file?

Ans :- google

Final Task

Good luck and have fun!

# Key 1

Deploy your target machine and let's dig in. I did a port scan with nmap against the target and found port 80, a webserver running.

 

Here's a preview of it

I grabed the image file shown about to my local machine with wget. I found out that the image document name looks interesting.

It specified a password. Maybe that would be the password needed for steghide to extract the hidden data that is existing in the image. Now to steghide.
 

1. What is key 1?

Ans :- superkeykey

# Key 2

I entered the key 1 in the input field and proceed to the next stage. Here's a quick look at it.

 

 
There is a exam2.wav audio file to download. I downloaded the .wav file and open it with sonic-visualiser and added the spectrogram layer.

Looks like a link to an imgur image. I downloaded the imgur image to my local machine to do further computations. Since this is a png image file I used zsteg to extract any hidden data.

2. What is key 2?

Ans :- fatality

# Key 3

Submitted the Key 2 and I was redirected to a new page where I should get the key 3

This is a qrcode. Here is a veiw of it

I got a screen shot of this and uploaded it to an online QR Decoder which worked.

Finally found the key 3 Hooray !!!.

3. What is key 3?

Ans :-  killshot
 

Disclaimer