
Valley Writeup - TryHackMe

Linux Web Easy
Author: $sudo (0x7375646F)
Security Researcher | Penetration Tester | Exploit Enthusiast
Link: https://tryhackme.com/r/room/valleype
Difficulty: Easy
Machine: Linux

This is an easy THM challenge, rated at 120 minutes.

Enumeration

After starting the box, I first scanned it with Nmap.

Nmap


Found two services running on the most common default ports.

On the website, this was the interface I was greeted with:


Then I started enumerating directories.


Found an unusual directory, so I checked it!


Hmm, seems like a hint: remove /dev123.... Let's check it out.


Woah! A login page with client-side authentication. Let's see where it redirects to.


Hmm, an interesting note.

  • stop reusing credentials, hmm… remember that client-side authenticated user and pass?
  • hm, and it says to change the FTP port back to normal

Scanning All Ports

Let's scan all the possible ports using Nmap. We can use the -p- option to check all the possible ports, which is 0 to 65535.


Hmm~ This must be the FTP server the note mentioned, on an abnormal port.

Let's try to log in with the creds we got from the JS file.


:) Logged In!

Analysing PCAP File

Let's download those files and see what they contain!


So after digging through the PCAP files one by one, I found another interesting set of creds.


I am using a website called apacket.com, which nicely shows the HTTP connections and other connections in a friendly UI.

So let's try those creds over SSH!


OK, we logged in and got our user flag. Yay!!! Noice ~

Now let's see what else this machine has. Let's enumerate so we can get privileged access. I found a strange file named valleyAuthentication.


Let's pull that bad boy onto our machine and analyse it.

Scan it up!

Reversing The Binary


Hmm, a UPX-compressed ELF binary, huh! Let's decompress it :D


OK, now it's ready to be analysed!


Found a hash; it's an MD5 hash (I know because the binary contained the md5 string).

Let's crack it.


So now we know: username: valley, password: liberty123

Privilege Escalation

Let's log in via SSH!

Logged in! I tried sudo -l, but the user had no sudo permissions, so I started basic enumeration looking for cron jobs. Found one! Let's check the crontab.

Interesting file, photosEncrypt, hmm! Let's see what it does!

Oh, a b64encode "encryption", wow :) (actually it's an encoding scheme :nerdemoji: )

Let's try modifying the Python package and injecting our own code, shall we :)

We can find the base64.py package in that directory. Now let's modify it to get a root shell! Let's start listening for a connection on port 1337 using ncat.
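As an added example (my own code, not from the writeup or the room): a small audit that catches exactly this weakness, a root cron job importing a module such as base64 from a file or directory that an unprivileged user can write to. It reports both a writable module file and a writable search-path directory (where a shadow module could be planted); the function names and the photosEncrypt.py sample path are assumptions.

```python
import ast
import os
import stat
import sys
from pathlib import Path

def tamperable(path, trusted_uid=0):
    """True if a user other than trusted_uid could change this path: it is
    group- or world-writable, or owned by someone else (symlinks not followed)."""
    st = os.lstat(path)
    return st.st_uid != trusted_uid or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def imported_modules(script_path):
    """Top-level package names the script imports, read from its AST."""
    names = set()
    for node in ast.walk(ast.parse(Path(script_path).read_text())):
        if isinstance(node, ast.Import):
            names.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)

def audit_script(script_path, trusted_uid=0, search_path=None):
    """Return [(module, reason), ...] for imports that a user other than
    trusted_uid could hijack when the script runs as trusted_uid (e.g. from
    root's crontab). The script's own directory is searched first, just as
    the interpreter does, so a writable directory there shadows even base64."""
    script = Path(script_path).resolve()
    extra = sys.path if search_path is None else search_path
    dirs = [script.parent] + [Path(p) for p in extra if p and os.path.isdir(p)]
    findings = []
    for name in imported_modules(script):
        for d in dirs:
            if tamperable(d, trusted_uid):
                findings.append((name, f"{d}: directory writable, module can be shadowed"))
                break
            for candidate in (d / f"{name}.py", d / name / "__init__.py"):
                if candidate.exists():
                    if tamperable(candidate, trusted_uid):
                        findings.append((name, f"{candidate}: module file writable"))
                    break
            else:
                continue  # not found in this directory, try the next one
            break  # first match wins; later search-path entries are never consulted
    return findings

if __name__ == "__main__":
    # usage: python3 audit_imports.py /path/to/photosEncrypt.py   (run as root)
    for module, reason in audit_script(sys.argv[1]):
        print(f"[!] {module}: {reason}")
```

Run it as the user the cron job executes as (root here) against the scheduled script; anything it prints is a module that a lower-privileged account could replace before the next run.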


Bomb has been planted

Lets wait :D!


Well well well now that was easy ( jk )

THE END!


HEHE
