The first thing that I do is run nmap on the new server. The command that I need to run to enumerate the site is nmap -oA nmap/server IP_ADDRESS. The -oA outputs all formats to a folder with a name called server. I typically break these into two scans, the one above for a fast scan and then use the -sC -sV -p PORT_NUMBERS to get more specific information. That works for a big portion of the rooms in THM. If I need to scan all ports then the -p- flag will be added, but that takes a significant amount of time. I saw a quick program that Joe Helle has a program called Threader3000 that will make scanning addresses faster.

The next question that is asked is to find a secret page. So, let's go and visit the site to see what it looks like. We are greated with the following sentence, "Use your own codename as user-agent to access the site." I am guessing that I need to create my own custom user-agent with codename in it.

I couldn't figure this out at first and then I created a wordlist with all the letters from upper and lower case and then wrote them into a file. Then I used burp suite to send the user agents to the site.

import string

def letters_file_line(n):
	with open("letters.txt","w") as f:
		alphabetUpper=string.ascii_uppercase
		alphabetLower=string.ascii_lowercase
		lettersUpper=[alphabetUpper[i:i +n] + "\n" for i in range(0,len(alphabetUpper),n)]
		lettersLower=[alphabetLower[i:i +n] + "\n" for i in range(0,len(alphabetLower),n)]
		f.writelines(lettersUpper)
		f.writelines(lettersLower)

letters_file_line(1)

Use the code to create your text file and then use it in the intruder window in burp suite to get to the next step. You will see that the size of the request will be different from the others in the list.

Once you get that step the next questions in the room are related to brute forcing passwords and hiding items in plain sight.

To brute force the FTP password I will use hydra. hydra -l USERNAME -P PASSWORD_LIST IP_ADDRESS ftp. Give that some time to run and it will eventually find the password that I need.

Once I got the password it is now time to login to the ftp server and see what is there.

Now it's time to download all the files in the server to my computer. Once they are on the machine I used the cat command to view the contents of the To_agentJ.txt file.

That letter is telling me that there is some steganography going on. That is the practice of hiding items with in pictures in order to hide in plain sight. Luckily there are some tools in Kali to help in finding that. The one that I like to use is Binwalk, so I will binwalk the cutie.jpg and see what is there first. There is some stuff that is hidden with in, so I will use the -e flag to extract the items from the file.

When the files are extracted into the directory, I see that there is a zip file that is password protected. We now have to use John to try and brute force the password for this file. Since this is a zip file I need to convert it to a file that john can use, I used the command in the picture below. /usr/sbin/zip2john 8702.zip > 8702.hash

Once the file is converted john now knows how to work with the file. So the command that I used is john 8702.hash PASSWORD_LIST and then this will find the password.

Now I have the password to extract the information from the other file I downloaded, cute-alien.jpg. The program that I will use to extract this information is steghide extract -sf cute-alien.jpg. That will then extract the information with in the file and I can move onto the next step.

Using cat to view the information in the message.txt file, there is another message and this one needs to be decoded.

I now have all the information that I need to login to the server using ssh. Once on the machine the first thing I typically do is view the content of the home folder of this user. I can see that there is a user flag sitting there, so let's submit that. The next command that I want to run is sudo -l to see what this user can do and while doing that I notice something strange listed, (All, !root) /bin/bash. Using that information I went to google and looked around to see if there is something that can be used to elevate.

That brought up a page that talked about a certain CVE that can be used to elevate to root. Once you are the root user the root flag is located within the /root folder.

And that is the last flag that the room needs.  As with all other closing sentences, if you have any question, comments or suggestions please email feedback@markschindel.com.