TryHack3M Subscribe
Last updated
TryHack3M Subscribe is a wonderful room prepared by the following creators: , , , and on site. It's a room that incorporates both "Red teaming" and "Blue teaming" aspects.
We'll start with an Nmap scan of all ports using the command:
Next, we'll scan the found ports, which are 22, 80, 8089, and 8000.
On ports 8000 and 8089, there is Splunk, which will be needed only in the second part of the room.
We'll start enumeration using Gobuster. As shown, the program found several interesting entries that we can check. An important aspect is to examine the active JS files on the server.
And there, we find detailed instructions under one of them on the condition under which an invite code will be returned to us.
As we can see, it uses the function window.location.hostname to check where the request is heading. To receive the file inviteCode1337HM.php, we will need to add a new record to the /etc/hosts file on our system. However, first, we will modify the code on the page to point to the file we need.
Here we add a new file location that is downloaded from the server. We'll change it to inviteCode1337HM.php.
Then, in the /etc/hosts file, we'll add a new record pointing to the server's IP address.
Then we'll try entering any code. It doesn't really matter because, with our host set up correctly, the server will return us an invite code.
In exchange for entering the code on the website, we'll receive guest account credentials.
After entering the correct code, a page suspiciously resembling another well-known site will appear.
We have two options to choose from: either the free one or the VIP one. Of course, since we're not VIPs, we only have access to the free one.
As it turns out, we can obtain VIP status by changing "true" to "false" in Burp Suite.
Now we have access to the VIP subpage; however, there isn't much to see here. The buttons redirect us back to the initial page.
The real gem lies in the code of the page, specifically in one of the links. By entering this link, we gain access to the "AttackBox" simulation on tryhackme.com.
Now we can execute commands on the server B).
By intercepting requests with Burp Suite, we can send commands conveniently. It's important to note that VIP status is required for every command execution, which is why flipping the flag in Burp Suite on each request is a convenient and practical solution.
We got RCE B)
Well, not exactly. There's a filter on the system that prevents us from executing most commands. The list of available commands can be found in the code of the page.
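Two things on this page decide who may run what: the VIP flag that Burp Suite can flip, and the command filter. As an added example that is not the room's own code, here is the server-side check behind such a VIP-only command endpoint in two versions: the vulnerable one takes the VIP flag from the request body (which is exactly why editing "false" to "true" in the proxy works), and the hardened one takes the role from a server-side session and compares the command against a fixed allowlist. Requests and sessions are plain dicts, and the allowlist is constructed for illustration rather than the room's actual list.

```python
"""
Added example (not the room's own code): authorization for a VIP-only
command endpoint. authorize_vulnerable trusts a client-controlled field;
authorize_hardened trusts only the server-side session and an allowlist.
Requests/sessions are plain dicts; the allowlist is constructed.
"""
import shlex

# Constructed allowlist of bare program names (not the room's real filter list).
ALLOWED_COMMANDS = {"ls", "whoami", "id", "pwd"}


def authorize_vulnerable(request: dict) -> bool:
    """Trusts a client-controlled field: anything in the request body can be edited in a proxy."""
    return request.get("vip") == "true"


def command_allowed(cmd: str) -> bool:
    """Accept a single allowlisted program name with no arguments and no shell metacharacters."""
    try:
        parts = shlex.split(cmd)
    except ValueError:  # unbalanced quotes
        return False
    if len(parts) != 1:  # 'cat config.php' or 'id; ls' have more than one token
        return False
    # Reject characters that could chain or redirect another command.
    if any(ch in cmd for ch in ";|&$`<>()\n"):
        return False
    return parts[0] in ALLOWED_COMMANDS


def authorize_hardened(request: dict, session: dict) -> bool:
    """Role comes from the server-side session, never from the request; command must be allowlisted."""
    if session.get("role") != "vip":
        return False
    return command_allowed(request.get("cmd", ""))


if __name__ == "__main__":
    guest_session = {"role": "guest"}
    edited_request = {"vip": "true", "cmd": "id"}  # a guest who flipped the flag in the proxy
    print("vulnerable grants access:", authorize_vulnerable(edited_request))
    print("hardened grants access:", authorize_hardened(edited_request, guest_session))
    print("vip running 'id':", authorize_hardened({"cmd": "id"}, {"role": "vip"}))
    print("vip running 'id; cat config.php':",
          authorize_hardened({"cmd": "id; cat config.php"}, {"role": "vip"}))
```

The difference between the two functions is where the trust boundary sits: in the vulnerable version the client owns the authorization input, so a proxy edit is all it takes; in the hardened version the only client input is the command string, and that is reduced to a single allowlisted token before anything runs.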
We see that the machine allows the execution of the cat command, which allows displaying the contents of the config.php file.
During the attempt to open the page referenced in the found file, we received a 403 error, and in fact, we can't do anything else with it. At this stage, I had a really big problem: I had a secure admin token but no place to use it. I decided to start over, from enumeration. So, I ran Gobuster with the command below:
Fortunately, Gobuster didn't let me down and detected an interesting location: /login
That's it! That's what I was looking for! Now we have the opportunity to use our token.
But now another problem has appeared: we got a login panel with no hints in the form of a username or password. I tried popular combinations like admin:admin, but it didn't work. I decided to check if there was room for SQLi here, and sure enough, an error popped up after entering the well-known and beloved ' character.
First, we need to copy the request intercepted by Burp Suite to a file. This can be done by right-clicking and then selecting save to file. This way, SQLmap will include the secure_token, which would otherwise need to be provided by hand. The command is:
And now we leave SQLmap to do its thing. The option "--batch" makes SQLmap accept the default answer to every prompt it would otherwise display.
And voila, SQLmap dumped the database, giving us access to the admin panel.
Returning to the main page, we'll receive a message and a flag.
We'll start by logging in using the provided credentials on port 8000.
Username: admin Password: splunklab
Once logged in, select the option Search your data, which will present us with a search field to filter our logs. To display all logs, change the time range to All time from the dropdown menu on the left side of the search bar. Then, enter the query index=* to display all entries. As you can see, there are 10,530 of them.
We can only answer the next question once we gather sufficient information about the attack itself. On the left side, we can see predefined filters. By searching through them one by one, we will find the user agent tab, within which there is an entry containing sqlmap. Additionally, we also have the count of entries corresponding to this filter, which is the answer to the next question.
Clicking on the filter with sqlmap will present us with individual entries, clearly showing the source IP of the attacker.
To check the number of entries with this IP address, we will enter the query: index=* source_ip="83.45.212.17"
We can answer this question by clicking on the first entry, and then clicking the arrow next to the URL field. This will show us all the URIs to which the attacker sent requests. As we can see, one very suspicious entry was sent only once and contains the entire SQL injection query used by the hacker. After the 'from' clause, there is the table name.
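The Splunk steps above (filter on the sqlmap user agent, read off the source IP, count that IP's requests, list its URIs, find the table name after the FROM clause) can be reproduced over raw web-server logs. The following is an added example, not part of the original post, that runs the same analysis over a handful of constructed access-log lines in Apache "combined" format. The log lines, the timestamps and the table name in the injected query are constructed for illustration; only the attacker IP is taken from the room.

```python
"""
Added example (not part of the original post): the Splunk analysis above,
done by hand over constructed Apache combined-format log lines.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log. Only the attacker IP (83.45.212.17) comes from the room;
# the timestamps, URIs and the table name in the injected query are made up.
SAMPLE_LOG = """\
10.10.1.5 - - [12/Mar/2024:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
83.45.212.17 - - [12/Mar/2024:10:00:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
83.45.212.17 - - [12/Mar/2024:10:00:03 +0000] "POST /login HTTP/1.1" 200 1024 "-" "sqlmap/1.7 (https://sqlmap.org)"
83.45.212.17 - - [12/Mar/2024:10:00:04 +0000] "POST /login HTTP/1.1" 500 210 "-" "sqlmap/1.7 (https://sqlmap.org)"
83.45.212.17 - - [12/Mar/2024:10:00:05 +0000] "GET /login?username=admin'+UNION+SELECT+username,password+FROM+users--+- HTTP/1.1" 200 2048 "-" "sqlmap/1.7 (https://sqlmap.org)"
10.10.1.9 - - [12/Mar/2024:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "method uri proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that don't match are skipped, not crashed on."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def sqlmap_entries(entries):
    """Equivalent of clicking the 'sqlmap' value under the user agent field in Splunk."""
    return [e for e in entries if "sqlmap" in e["ua"].lower()]


def attacker_ip(entries):
    """Most common source IP among sqlmap-tagged requests (None if there are none)."""
    ips = Counter(e["ip"] for e in sqlmap_entries(entries))
    return ips.most_common(1)[0][0] if ips else None


def count_by_ip(entries, ip):
    """Equivalent of: index=* source_ip="<ip>" and reading the event count."""
    return sum(1 for e in entries if e["ip"] == ip)


def uris_for_ip(entries, ip):
    """Counter of URIs requested by one IP; the rare ones are the suspicious ones."""
    return Counter(e["uri"] for e in entries if e["ip"] == ip)


def table_after_from(uri):
    """Decode the URI and return the identifier following the first FROM clause, if any."""
    decoded = unquote_plus(uri)
    m = re.search(r"\bfrom\s+([A-Za-z_][A-Za-z0-9_]*)", decoded, re.IGNORECASE)
    return m.group(1) if m else None


def injected_tables(entries, ip):
    """Sorted table names referenced by FROM clauses in the given IP's request URIs."""
    return sorted({t for uri in uris_for_ip(entries, ip) if (t := table_after_from(uri))})


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    ip = attacker_ip(entries)
    print("sqlmap requests:", len(sqlmap_entries(entries)))
    print("attacker ip:", ip, "total requests from it:", count_by_ip(entries, ip))
    for uri, n in uris_for_ip(entries, ip).most_common():
        print(f"{n:3d}  {uri}")
    print("tables named in injected queries:", injected_tables(entries, ip))
```

Decoding the URI before searching it matters: in the raw log the injected query arrives URL-encoded (spaces as `+` or `%20`), so a pattern written against the decoded form is what finds the FROM clause, the same way the Splunk URL field shows the decoded request.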
A really pleasant room that emphasized various aspects of web exploitation. The additional module with Splunk was also an interesting addition.
Thanks for reading and see you soon!