TryHackMe: DX1: Liberty Island

A hint in robots.txt leads to path enumeration, which yields another hint for deriving the VNC password; sniffing an executable's traffic with Wireshark then leads to root permission.

Reconnaissance

The Nmap scan shows 4 open ports.

  • 22/SSH
  • 80/HTTP
  • 5901/VNC
  • 23023/HTTP

The Nmap result for port 80 shows that there is a robots.txt, so let's check the web first and read the robots.txt. Exploring the site through its available links gives no useful information, but robots.txt reveals another path named /datacubes and a user named Alex.

Accessing /datacubes, I got redirected to /datacubes/0000.

Notice the path named /0000. In CTFs we usually enumerate paths like this because there is a chance of other paths named 0075, 0731, etc. We can create a word list of the numbers 0000 to 9999 using the seq command.

Then let's enumerate this using ffuf.

See, we got another path! The interesting part is at 0451: it says the password used to log in to VNC is 'smashthestate' HMAC'ed with a username, using the MD5 hashing algorithm.
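
A defender-side view of the enumeration above, as an added example that is not part of the original write-up: it flags clients in a web access log that request many distinct /datacubes/NNNN IDs and mostly get misses back. The log lines, IP addresses, function names and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Combined-log-format line: client IP, request path and status are all we need.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# The numeric ID layout from the write-up: /datacubes/0000 ... /datacubes/9999
ID_RE = re.compile(r'^/datacubes/(\d{4})/?$')

def find_id_sweeps(log_text, min_ids=50, min_miss_ratio=0.9):
    """Return {client_ip: (distinct_ids, miss_ratio)} for clients that walk the
    /datacubes/NNNN ID space and mostly get 403/404 back. Thresholds are assumptions."""
    ids = defaultdict(set)
    counts = defaultdict(lambda: [0, 0])          # ip -> [requests, misses]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                               # skip lines we cannot parse
        id_m = ID_RE.match(m["path"].split("?", 1)[0])
        if not id_m:
            continue                               # not a datacube ID request
        ip = m["ip"]
        ids[ip].add(id_m.group(1))
        counts[ip][0] += 1
        counts[ip][1] += m["status"] in ("403", "404")
    flagged = {}
    for ip, seen in ids.items():
        total, misses = counts[ip]
        ratio = misses / total
        if len(seen) >= min_ids and ratio >= min_miss_ratio:
            flagged[ip] = (len(seen), round(ratio, 3))
    return flagged

def constructed_sample():
    """Constructed log: one client sweeps 600 IDs, another browses normally."""
    sweep = [f'10.9.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /datacubes/{i:04d} HTTP/1.1" '
             f'{200 if i in (0, 451) else 404} 153 "-" "-"' for i in range(600)]
    normal = ['10.9.0.77 - - [01/Jan/2026:10:01:00 +0000] "GET /robots.txt HTTP/1.1" 200 40 "-" "-"',
              '10.9.0.77 - - [01/Jan/2026:10:01:05 +0000] "GET /datacubes/0000 HTTP/1.1" 200 900 "-" "-"']
    return "\n".join(sweep + normal)

if __name__ == "__main__":
    for ip, (n, ratio) in find_id_sweeps(constructed_sample()).items():
        print(f"{ip}: {n} distinct datacube IDs requested, {ratio:.1%} misses")
```

Counting distinct IDs per client rather than raw request volume keeps a single user reloading one page from being flagged.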

Logging in to VNC

Since the note ended with the initials of the author's name, -JL, I searched for names in the list of bad actors that contained J and L. Then I found the name jlebedev and decided to try it first.

We got in! Our flag is in a file named user.txt, so let's read it.

Shell as ajacobson

Since the VNC viewer is so laggy, let's connect to it from our terminal. First we need to set up our netcat listener and then run the payload below from VNC.

In the Desktop folder there is an executable file named badactors-list; let's download it to our local machine.

Running the file, we get the pop-up below.

It tries to connect to UNATCO on port 23023, so let's add this domain to our hosts file and then look at the request using Wireshark.

Select the tun0 interface, filter with tcp.port == 23023 && http, then re-run the file.

Following the request, I found some interesting things. There is a header field called clearance-code, and I think it's like a token or key. Another interesting field, in the body, is called directive, and I think it receives a command: in the request, directive carries the command cat /var/www/html/badactors.txt, and the contents are printed out below.

Root flag

So I tried making a request with Clearance-Code and a directive body and got this:

We are root!
