This is the official writeup for the biteme room on TryHackMe, it is the first challenge I created and also my first writeup, feedback is appreciated.
Let's start with an nmap scan to see what ports are open...
Ok so we have HTTP and SSH access. Let's start with HTTP... put the IP address into your browser and you will see the 'Apache2 Ubuntu Default Page'.
Scanning the source code it doesn't look like there are any clues here, so let's use gobuster to find any hidden files or directories.
Results show we get a 200 response for
/console/, so let's open that URL in our browser.
Interesting... it set's a hidden field "clicked" to the value of "yes" and also leaves a note in the console to fred from someone called jason.
So php file syntax highlighting... another Google search reveals the PHP manual with the following note:
So let's try something here, we know the page is called
index.php so what happens if we try
Boom.. we have the PHP source code for the page. Let's find the part that logs us in...
Looks like we have some custom functions here. Let's take a look at
functions.phps and see if that source code is also visible to see.
is_valid_user function uses bin2hex to compare the submitted username against a constant defined as
LOGIN_USER. Let's check
config.phps to see if we can extract that constant.
Now let's reverse this hex string using
hex2bin to get the correct value.
Now let's take a look at the
is_valid_pwd function. This creates an MD5 hash of the password and then checks the last 3 characters of that hash match the string "001". Ok so we need to figure out a password that would produce a correct hash.
We can write a script to figure this out. I am going to use an existing wordlist and hash each entry to check if the last 3 characters match "001". I will write this in PHP and use the rockyou wordlist as my input file.
Very quickly we find a suitable password...
violet which has an MD5 hash of
We can now get onto the next page, which asks for a 4 digit code.
This time it is just a note to fred and it sounds like jason forgot to put any brute force protection on, so let's brute force this form to get the 4 digit code.
For this I am going to use a tool called patator to cycle through the numbers 1000 - 9999.
Looks like we found our MFA code. Note: this code is random and will be different on your machine.
Finally we reach the admin dashboard which allows us to browse files on the server.
Using the file browser we can see 2 folders inside
/home - fred and jason. Inside jason's home folder we can see a
user.txt file so let's view this through the file viewer to get our user flag.
Now onto the root flag... this is presumably stored in
/root which cannot be viewed through the file viewer. We will need to elevate privileges somehow. Probing more into jason's home directory it looks like there is a
.ssh folder which contains his private and public SSH key.
Let's view the private key file (
id_rsa) and save a copy of this locally.
Now we can use this private key to SSH into the server...
Except it's not that easy because the private key is password protected! Time to brute force again, this time we are going to use a different tool, john the ripper to crack the password with the rockyou wordlist.
If you don't have the ssh2john.py script you can download it here.
Once you have the password cracked you can finally SSH onto the machine.
sudo -l to list the allowed sudo commands on the machine shows that we can switch to the fred account without a password.
Let's do this and then run the list command again...
Now we can see a different command that can be run as root:
It looks like fred has permissions to restart the fail2ban service as root. There must be something exploitable here.
Looking at the fail2ban config file we can see it is setup to monitor failed SSH attempts and then block the IP address for 2 minutes.
A quick Google search for fail2ban privilege escalation leads us to this article which talks about making sure
/etc/fail2ban/action.d is not writable. Ooops...
Let's take a look at the
action.d folder. You will notice that it is writable and the
iptables-multiport.conf file is owned by user fred, which means we can modify it. Fail2ban runs as root and executes the commands in the action file, so let's change this to view the root flag instead of blocking our IP when the ban is triggered (note: you could also put in a reverse shell here).
/etc/fail2ban/action.d/iptables-multiport.conf change the actionban line to:
Save this and then reload the fail2ban service as root using the command we saw in the sudo list.
Now we just have to trigger the ban. SSH onto the box without a key and enter any password incorrectly. Repeat this 3 times and we should trigger the ban, which will instead copy the root flag file into
Thank you for playing and I hope you enjoyed the room.