Welcome to another writeup, this time we’ll be trying to hack a newly released room on TryHackMe called Poster, created by stuxnet! This is gonna be a really quick writeup (compared to my previous ones), since I’m supposed to make dinner in 1 hour 😂 so that’s the time we have for this one, just an hour. Let’s try to hack this, shall we?
Let’s once again use rustscan to get a very fast lay of the land.
A short explanation of that command:
--ulimit is to avoid any kind of performance issues by setting the recommended value of 5000.
-- lets us pass the next switches to nmap instead of sending them to rustscan, this way we can customize which type of scan we want to run.
-sV we pass this to nmap so we can try to get the versions of the services running on each open port.
-sC we pass this to nmap so it automatically tries the different scripts that are available within nmap.
If instead we want to use plain nmap to get the version of the RDBMS running (first room question), we can do it like this (port number discovered by rustscan):
Now we need to leverage metasploit to enumerate user credentials. Let’s fire up metasploit with the command msfconsole -q (-q is optional, it just starts msfconsole quietly):
Once we have identified the module we need, we select it by running use # where # is the actual number listed to the left of the module name.
Once selected, we run show options to see which required values we need to set before the module can be executed. In this case it seems we just need to set RHOSTS to the IP of the target machine: set RHOSTS {Target_IP}. Once that is set, we simply run the script:
Once it runs we get a successful login back, with that we answer another room question.
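Seen from the database side, a login sweep like this one leaves a recognizable pattern in the PostgreSQL log. The following is an added example, not part of the original writeup: it flags client hosts with repeated failed password logins and records whether one of them finally got in. The log lines are constructed, and the format assumes log_connections = on and log_line_prefix = '%t [%p] %h '.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the room). Assumes log_connections = on
# and log_line_prefix = '%t [%p] %h ' (timestamp, pid, client host).
SAMPLE_LOG = """\
2020-07-29 10:00:01 UTC [2101] 10.0.0.5 FATAL:  password authentication failed for user "admin"
2020-07-29 10:00:01 UTC [2102] 10.0.0.5 FATAL:  password authentication failed for user "root"
2020-07-29 10:00:02 UTC [2103] 10.0.0.5 FATAL:  password authentication failed for user "postgres"
2020-07-29 10:00:02 UTC [2104] 10.0.0.5 FATAL:  password authentication failed for user "postgres"
2020-07-29 10:00:03 UTC [2105] 10.0.0.5 LOG:  connection authorized: user=postgres database=template1
2020-07-29 10:05:10 UTC [2110] 10.0.0.9 FATAL:  password authentication failed for user "app"
2020-07-29 10:05:20 UTC [2111] 10.0.0.9 LOG:  connection authorized: user=app database=appdb
"""

FAIL_RE = re.compile(r'\] (\S+) FATAL:\s+password authentication failed for user "([^"]+)"')
OK_RE = re.compile(r'\] (\S+) LOG:\s+connection authorized: user=(\S+)')

def find_login_sweeps(log_text, min_failures=3):
    """Report client hosts with at least min_failures failed password logins.

    For each such host, also record the first account that authenticated
    after the failures started (None if no login succeeded).
    """
    failed_users = defaultdict(list)   # host -> usernames that failed
    success_as = {}                    # host -> first account that got in
    for line in log_text.splitlines():
        fail = FAIL_RE.search(line)
        if fail:
            failed_users[fail.group(1)].append(fail.group(2))
            continue
        ok = OK_RE.search(line)
        if ok and ok.group(1) in failed_users:
            success_as.setdefault(ok.group(1), ok.group(2))
    return {
        host: {
            "failures": len(users),
            "users_tried": sorted(set(users)),
            "success_as": success_as.get(host),
        }
        for host, users in failed_users.items()
        if len(users) >= min_failures
    }

if __name__ == "__main__":
    for host, info in find_login_sweeps(SAMPLE_LOG).items():
        print(host, info)
```

A host that shows a failure streak followed by a successful login is the entry worth alerting on, since it means a guessed credential worked.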
Again, we run show options and set the required values. Remember that we found a set of credentials before, so let’s set those too before running the module. In this case I’ve set PASSWORD and RHOSTS, since USERNAME was already set correctly:
With that we get another answer for the room’s questions. Let’s now move to the other one:
Again, we locate the right module, set its options and then run it:
With the results we can answer the room question.
For the next one we simply run search postgre and by just looking at the module names you’ll get the answer:
From the same search we get the next module name to answer the room’s question. Now we need to exploit this machine and get the flags.
Once we set all required options and the password we found, we can run the module:
We managed to get initial access to the machine. If we look around we see where the user.txt flag is located, but we lack permissions to read it:
Since we know there is a module that would allow us to read files from the system, let’s use that to read the contents of the /etc/passwd file:
Remember to set RHOSTS and PASSWORD before running the module.
Ok, the interesting part of that file is the mention of another file called credentials.txt. Let’s use the same module to read that file, we need to set RFILE to the file path we found:
Now we’ve got dark’s credentials, and if we recall the results from rustscan we know there is a port 22 open. Let’s try to log in there: dark:qwerty1234#!hackme
Even though we are logged in as another user now, we still don’t have access to that flag.
Let’s fire up a local Python HTTP server where we have the linpeas.sh file ready and let’s upload it to the remote machine using wget:
If we start checking the results from linpeas, there are a couple of interesting things. However, there is one that seems particularly simple to check:
Let’s check that file:
It seems we got the password for the Alison account, which means we can get that user flag:
If we switch user to alison we get access to the first flag:
If we run sudo -l for the current user we see that we can run all commands as sudo. Nice, we can get the root flag now:
That’s it, a very quick and entertaining room. We went a bit over the hour mark, but we also produced another writeup that could help a fellow hacker solve this room in the future. Totally worth it! I hope you enjoyed it!
Happy hacking!