The platform develops virtual
classrooms that not only allow users to deploy training environments with the
click of a button, but also reinforce learning by adding a question-answer
approach. Its a comfortable experience to learn using pre-designed courses which include virtual machines (VM) hosted in the cloud.
TryHackMe PyLon walkthrough
While using a question-answer model
does make learning easier, TryHackMe allows users to create their own virtual
classrooms to teach particular topics enabling them to become teachers. This
not only provides other users with rich and varied content, but also helps creators reinforce their understanding of fundamental concepts.
Good day hacker, Spend more time in the CLI as much as you can, For that’s where we belong. Can you penetrate the defenses and become root?TryHackMe PyLon walkthrough
In Task 1 first of all we will download the file provieded, and the name is
pepper.jpg ( JPG ) ( Yaa MaN we will download the photo of this
doggie!!! )
Are we going to use NMAP tool, maybe nops, we use a
exiftool because we already steghide tool but doesn't have any clue. so,
A command-line interface to Image::ExifTool, used for reading and writing
meta information in a variety of file types.
For More Info steghide, zsteg, exiftool, stegoveritas, sonic-visualiser -- CLICK HERE
exiftool jpg
https://gchq.github.io/CyberChef/#recipe=To_Hex('None',0)To_Base85('!-u',false)
so, as you can see we have some clue (link) which we will use later.
so as i told you, we must have a password for use steghide tool, (maybe i am
saying right now hahahahh whats matter!!! )
Let's move forward
For take a password, we will use stegbrute tool.
Crack Password
sudo wget
https://github.com/R4yGM/stegbrute/releases/download/0.1.1/stegbrute
sudo
chmod +x stegbrute
sudo mv stegbrute /usr/local/bin/
Yaa man!! tool successfully installed, as you can see...lets naacho!!!
Cracking Time
stegbrute -f jpg -w /home/hackerboy/Documents/rockyou.txt
and the password is: pepper
Now we will use steghide tool to extract a file and check what is the things that inside the file...
steghide extract -sf jpg
Oh! wrote extracted data to "lone"
lets check whats inside the data...
cat lone 🐈🐯🐱😸🐈🐯🐱😸
This SSH key is unencrypted and will allow us to connect to the
machine.
Next, we will convert lone(ASCII Text) into tzip
ls
file lone (check a file type)
base64 -d lone > lone.decoded
sudo cp lone.decoded lone.tgz (for copy into new file)
file lone.tgz
sudo tar -xcf lone.tgz (for extract)
Finally we got a lone_id, which we will use later with SSH
Next step is port mapping, using nmap, rustscan, whatever, reveals the
following TCP ports open
sudo nmap -A -T4 -Pn -sV $IP
Now, we access SSH with using lone_id and port number 222 because its doesn't
work with port 22
ssh lone@10.10.60.44 -i lone_id -p222
We are presented with this screen.
This is where the
CyberChefrecipe will probably come in to play.
If you are good at
guessing, it will be the same password as the stegfile, so let’s try that
https://gchq.github.io/CyberChef/#recipe=To_Hex('None',0)To_Base85('!-u',false)
Selecting 1 we are given 2 options
We now have flag1 and a password, so let’s try those on port 22.
ssh lone@10.10.106.221
We also have a couple more interesting file’s / folders to look
at, one being a file encrypted with gpg the other being a folder with the
sources for the password manager and a .git folder.
git log
Nothing immediately obvious pops up in the pylon folder, so let’s
see if there are any files in a previous commit that may help us.
We can see some files have changed here and an interesting .db file
appears.
Running the pyLon_pwMan.py with
python3, the program informs us that the database file exists and prompts us
for the encryption key, now if you are a good guess, you will try the same
encryption key as before.
We can see some files have changed here and an interesting .db file appears.-Running the
pyLon_pwMan.py with python3
The program informs us that the database file exists and prompts us for the
encryption key, now if you are a good guess, you will try the same encryption
key as before.
select option 2
and then 1
we got a another password
Decrypting the ‘note_from_pood.gpg’ file gives us the
password to shift horizontally to another user, but first let’s see what lone
can do with sudo.
gpg -d note_from_pood.gpg
and now we got another(another) password
sudo -l
Interesting we can run openvpn as root, but only using a specific
config file, poodhas asked us to fix the config and has given us access to his
account, so let’s switch to him
su pood
and the password is -
sudo -l
Now we have user2 flag, and we can see that pood can edit
the openvpn config file that lone was allowed to run, so what now?
Reading the man page for openvpn we see that we can
run a script on successful connection to a VPN server, so lets write a script
to take control of the machine.
man openvpn
This one...
There are many ways to do this, butthe usual trick of
copying /bin/bash to /tmp and setting the binary SUID should do the job, I
knock up a quick shell script.
vi /tmp/up.sh
For add a word type -i
for exit and save escape and then :wq and enter. thats
it.
then, we give some permission
chmod 777 /tmp/up.sh
Don’t forget to make it executable, now we must edit the
config file.
sudoedit /opt/openvpn/client.ovpn
Add a couple of lines to the config and save,
now exit out of the su shell and go back to lone, connect to the openvpn
server and our script should run as root on successful connection.
The connection was successful so let’s disconnect and
check out /tmp/bash
cd /tmp
As expected, the binary was created, we can now escalate to root.
Great another gpgencrypted file, I can see a lot of
people tearing their hair out over this one, since we are only effectively
root we cannot decrypt his message, so we will need a proper shell.
gpg -d root.txt.gpg
The way I dealt with that was to edit /etc/shadow, I copied a known hash
into root’s position and then all we can su to root, in this case I just copy
pasted pood’s hash as it is already known and easy to grab
$6$ivWUkR1k$XnYAc7OJJ63P/lgYzNWLiFMydrOFP/qrARMNcjHX1H4sIGFEyVQKAOedWLDY2nHU8rxx7hABmr4JT3uM74Bm5.
you can go this way too because pylon is in the sudo group
su
yn0ouE9JLR3h)`=I
FINALLY, we got a flag (root flag)
Disclaimer
This was written for educational purpose and pentest only.
The author
will not be responsible for any damage ..!
The author of this tool is not
responsible for any misuse of the information.
You will not misuse the
information to gain unauthorized access.
This information shall only be
used to expand knowledge and not for causing malicious or damaging
attacks. Performing any hacks without written permission is illegal ..!
All
video’s and tutorials are for informational and educational purposes only. We
believe that ethical hacking, information security and cyber security should
be familiar subjects to anyone using digital information and computers. We
believe that it is impossible to defend yourself from hackers without knowing
how hacking is done. The tutorials and videos provided on www.hackingtruth.in
is only for those who are interested to learn about Ethical Hacking, Security,
Penetration Testing and malware analysis. Hacking tutorials is against misuse
of the information and we strongly suggest against it. Please regard the word
hacking as ethical hacking or penetration testing every time this word is
used.
All tutorials and videos have been made using our own
routers, servers, websites and other resources, they do not contain any
illegal activity. We do not promote, encourage, support or excite any illegal
activity or hacking without written permission in general. We want to raise
security awareness and inform our readers on how to prevent themselves from
being a victim of hackers. If you plan to use the information for illegal
purposes, please leave this website now. We cannot be held responsible for any
misuse of the given information.
- Hacking Truth by
Kumar Atul Jaiswal
I hope you liked this post, then you
should not forget to share this post at all.
Thank you so much :-)