Writeups

biteme - A THM Room

Link to the room : https://tryhackme.com/room/biteme

IP_ADDR: 10.10.103.195

nmap scan here

Subdirectory enumeration here

/console => found an interesting subdirectory which redirects to:

/console/index.php. Had a look into:

/console/index.phps => Got the PHP source and found /console/functions.phps and /console/config.phps

Found:

`jason_test_account` username
The password is MD5-hashed, and the hash should have `001` as its last three characters
Found `violet`, whose MD5 hash has `001` as its last 3 characters
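The suffix-only check described above, as an added Python example (this is not the room's PHP code; the constructed candidate strings and the PBKDF2 replacement are my assumptions). It quantifies how many arbitrary strings the 3-hex-digit suffix check accepts and shows a hardened check beside it:

```python
import hashlib
import hmac
import os

# Modelled on the page's description: only the last 3 of 32 hex digits of
# MD5 are compared, so roughly 1 in 16**3 = 4096 arbitrary strings pass.
REQUIRED_SUFFIX = "001"
PBKDF2_ROUNDS = 600_000


def weak_check(password: str) -> bool:
    """Vulnerable suffix-only comparison, as described for /console/index.php."""
    return hashlib.md5(password.encode()).hexdigest().endswith(REQUIRED_SUFFIX)


def colliding_candidates(limit: int, prefix: str = "cand") -> list[str]:
    """Constructed candidates 'cand0'..'cand{limit-1}' that the weak check accepts."""
    return [f"{prefix}{i}" for i in range(limit) if weak_check(f"{prefix}{i}")]


def make_record(password: str) -> tuple[bytes, bytes]:
    """Hardened form (assumed fix): random salt + PBKDF2-HMAC-SHA256 over the whole password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def strong_check(record: tuple[bytes, bytes], password: str) -> bool:
    """Recompute the full digest and compare it in constant time."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    accepted = colliding_candidates(100_000)
    print(f"weak check accepts {len(accepted)} of 100000 constructed candidates")
    real = accepted[0]            # treat the first match as the "legitimate" password
    record = make_record(real)
    print("strong check, real password:       ", strong_check(record, real))
    print("strong check, another weak-accepted:", strong_check(record, accepted[1]))
```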

Logged into /console/index.php and found a 2FA page asking for a 4-digit code.

Bruteforced the code using patator.

Got into the server to find out that there were 2 inputs which would display the directories and file contents on the server. Got the RSA private key. Changed the permissions to 777 and tried SSHing into the server as the user jason. The key was protected.

Used the script to convert the key into John format and cracked it using rockyou.txt.

SSHed into the server and tried sudo -l but was unsuccessful. Tried finding exploitable SUID/SGID binaries but none of them were exploitable. Got the name of the other user from the /home/ directory, tried sudo -u fred bash and got a bash shell as the other user.

Now tried sudo -l and found that the user could execute NOPASSWD: /bin/systemctl restart fail2ban. Looked on the internet for a fail2ban exploit and found that the /bin/fail2ban/action.d/ dir should be writable for the user to exploit it, and it was. I was on the right track. Tried changing iptables-multiport.conf, actionban, to give a bash shell in /tmp. The file was created but could not be executed. So I copied just the flag from /root/root.txt into the /tmp directory with read permissions for all users.

BOX COMPLETED