This is the official writeup for the biteme room on TryHackMe, it is the first challenge I created and also my first writeup, feedback is appreciated.

Let's start with an nmap scan to see what ports are open...

Ok so we have HTTP and SSH access. Let's start with HTTP... put the IP address into your browser and you will see the 'Apache2 Ubuntu Default Page'.

Scanning the source code it doesn't look like there are any clues here, so let's use gobuster to find any hidden files or directories.

Results show we get a 200 response for /console/, so let's open that URL in our browser.

Trying a few random passwords it looks like it takes a few seconds for the form response, so this will make brute force very slow. Perhaps there are other clues in the source code of the page.

I noticed a Javascript function "handleSubmit" which executes when the form has been submitted, it appears this function has been obfuscated.

A quick Google search for "javascript deobfuscator" and we find https://lelinhtinh.github.io/de4js/, let's paste in the eval code and see what it does.

Interesting... it set's a hidden field "clicked" to the value of "yes" and also leaves a note in the console to fred from someone called jason.

@fred I turned on php file syntax highlighting for you to review... jason

So php file syntax highlighting... another Google search reveals the PHP manual with the following note:

Many servers are configured to automatically highlight files with a phps extension. For example, example.phps when viewed will show the syntax highlighted source of the file.

So let's try something here, we know the page is called index.php so what happens if we try index.phps?

Boom.. we have the PHP source code for the page. Let's find the part that logs us in...

$hash = md5($_POST['pwd']);

if (substr($hash, -3) === '001') {
    ...
}

This creates an MD5 hash of the password and then checks the last 3 characters of that hash match the string "001". Ok so we need to figure out a password that would produce a correct hash.

We can write a script to figure this out. I am going to use an existing wordlist and hash each entry to check if the last 3 characters match "001". I will write this in PHP and use the rockyou wordlist as my input file.

<?php

$file = fopen('/usr/share/wordlists/rockyou.txt', 'r');

while (($line = fgets($file)) !== false) {
    $pass = trim($line);
    $hash = md5($pass);
    
    if (substr($hash, -3) === '001') {
        echo $pass . "\n";
        break;
    }
}

fclose($file);

Very quickly we find a suitable password... "violet" which has an MD5 hash of d1d813a48d99f0e102f7d0a1b9068001.

Using violet as the password we now get onto the next page, which asks for a 4 digit code.

Again, there appears to be some obfuscated Javascript so let's see what this one does...

This time it is just a note to fred and it sounds like jason forgot to put any brute force protection on, so let's brute force this form to get the 4 digit code.

For this I am going to use a tool called patator to cycle through the numbers 1000 - 9999.

patator http_fuzz \
url="http://10.x.x.x/console/mfa.php" \
method=POST \
body="code=RANGE0" \
0=int:1000-9999 \
header="Cookie: pwd=violet; hash=d1d813a48d99f0e102f7d0a1b9068001" \
-x ignore:fgrep="Incorrect code"

Looks like we found our MFA code (2425). Note: this code is random and will be different on your machine.

Finally we reach the admin dashboard which allows us to browse files on the server.

Using the file browser we can see 2 folders inside /home - fred and jason. Inside jason's home folder we can see a user.txt file so let's view this through the file viewer to get our user flag.

Now onto the root flag... this is presumably stored in /root which cannot be viewed through the file viewer. We will need to elevate privileges somehow. Probing more into jason's home directory it looks like there is a .ssh folder which contains his private and public SSH key.

Let's view the private key file (id_rsa) and save a copy of this locally.

Now we can use this private key to SSH into the server...

chmod 600 id_rsa
ssh -i id_rsa jason@10.x.x.x

Except it's not that easy because the private key is password protected! Time to brute force again, this time we are going to use a different tool, john the ripper to crack the password with the rockyou wordlist.

python ssh2john.py id_rsa > id_rsa.hash
john --wordlist=/path/to/rockyou.txt id_rsa.hash

If you don't have the ssh2john.py script you can download it here.

Once you have the password cracked you can finally SSH onto the machine.

Running sudo -l on the machine shows that we can switch to the fred account without a password.

Let's do this and cd into his home folder...

sudo -u fred bash
cd /home/fred

In his folder we find a todo.txt file and a backup_db.php script.

Running sudo -l again, we can see that root is allowed to execute the backup_db.php script which contains the following:.

<?php

if (file_exists('backup.sh')) {
    system('bash backup.sh');
}

echo 'Done';

It's simply making a system call to execute a file called backup.sh. As we can execute the PHP script as root, let's create the backup.sh file in the same directory:

cat /root/root.txt

Finally execute the PHP script with sudo...

sudo /usr/bin/php /home/fred/backup_db.php

And we have our root flag!

Thank you for playing and I hope you enjoyed the room.