NanoCherryCTF
Explore a double-sided site and escalate to root! - by dsneddon00
The following post by 0xb0b is licensed under CC BY 4.0
We start with a Nmap scan and find only two open ports. Port 22 with SSH and port 80 with a web server.
We adapt our /etc/hosts file to the room description and find an ice cream online shop.
The first interesting page we discover is the content.php page. Here, we can retrieve facts for a specific user.
The subsequent directory scan yielded no further useful findings.
Since the room description requires a specific hostname, additional subdomains may be present. We scan for additional subdomains / vhosts and find nano.cherryontop.thm.
We don't discover anything conspicuous here for the time being, except for a login for the admin portal.
Here, the question about the room description led me astray, as I was asked about molly's dashboard. I thought a certain user had to be related to molly. I used cewl, cupp and usernameanarchy to create word lists, but got no positive results. Let's continue for now.
This time the directory scan returns something interesting, command.php, which is probably located behind the login. The first thought was command injection, but we can only check that later.
According to the history of the room, there is already a backdoor that should be used as the start of the challenge. A user notsus exists, with which we can log in via SSH.
We use the credentials for login via SSH.
We get the hint that from this user we can escalate to bob-boba.
We upgrade the shell and enumerate the machine. We find a cron job that downloads and executes a script from cherryontop.tld as bob-boba. Nice: if we can edit /etc/hosts, we can serve the script ourselves, for example one that executes a reverse shell and lets us connect as bob-boba.
/etc/hosts is writable for us, so we add an entry that points cherryontop.tld to our IP.
Then we set up the folder structure and a script that executes an nc mkfifo reverse shell, which we have generated on revshells.com. We start the HTTP server on port 8000 and a listener on 4445 to catch the reverse shell.
We get a connection back as bob-boba.
Here we find a message and the third piece of chad's password.
From /etc/passwd we can see that there are three other users, two of whom will probably have the remaining parts of chad's password.
As already described, we find the third part of the password here.
When enumerating the machine as user bob-boba, nothing else was found. I must have focused too much here and ignored the other findings from before. My focus was entirely on lateral movement from bob-boba, which was not possible. It turns out that each user can be accessed individually. At least we now know the username of molly.
I should have noticed that bob-boba has the third password part, and the description explicitly states that the challenge can be solved independently.
We go back to the login page of nano.cherryontop.thm and see that we can enumerate usernames. As mentioned at the beginning, I was initially too focused on generating and checking users in the context of the username molly-milk. Using the xato username list or top-usernames-shortlist.txt from SecLists, however, we can enumerate a user, since if we enter a wrong username, we get the message "This user doesn't exist".
We can use ffuf, hydra or any other fuzzer to enumerate the user by matching on the message "This user doesn't exist".
We find the user puppet; now we just need to brute force the password. If the password is entered incorrectly, we receive the message "Bad password", which we only have to match on.
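The enumeration above is possible only because the login handler answers differently for an unknown user and for a wrong password. The Python below is an added example, not code from the write-up or from the room: a minimal handler with exactly that flaw next to a hardened one that returns a single generic message and does the same password-hash work on both paths, so neither the text nor the timing separates "no such user" from "wrong password". The user store, the password, the PBKDF2 parameters and the generic message are constructed; only the two error strings come from the write-up.

```python
"""
Added example (not the room's code): a login handler that leaks user
existence through distinct error messages, beside a hardened variant.
Credentials and hashing parameters below are constructed for the demo.
"""
import hashlib
import hmac
import os
import secrets

def _hash_password(password, salt):
    # PBKDF2-HMAC-SHA256 stands in for whatever the real application uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

# Constructed user store: username -> (salt, hash). The password is fictional.
_SALT = os.urandom(16)
USERS = {
    "puppet": (_SALT, _hash_password("correct horse battery staple", _SALT)),
}

# Fixed dummy record so an unknown user costs the same hashing work as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)

def login_vulnerable(username, password):
    """Two distinct failure messages: a fuzzer confirms usernames without any
    password, then brute-forces the password by matching on the second text."""
    if username not in USERS:
        return "This user doesn't exist"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return "Bad password"
    return "OK"

def login_hardened(username, password):
    """One generic failure message, and the hash is always computed, so the
    response neither says nor (by timing) hints whether the user exists."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    if username in USERS and hmac.compare_digest(candidate, stored):
        return "OK"
    return "Invalid username or password"

def responses_distinguish_users(login_fn, known_user, unknown_user):
    """What the fuzzer relies on: does a wrong password for a real user produce
    a different message than a wrong password for a non-existent user?"""
    return login_fn(known_user, "definitely-wrong") != login_fn(unknown_user, "definitely-wrong")

if __name__ == "__main__":
    print("vulnerable handler leaks users:", responses_distinguish_users(login_vulnerable, "puppet", "nobody"))
    print("hardened handler leaks users:  ", responses_distinguish_users(login_hardened, "puppet", "nobody"))
```

Rate limiting and lockout on top of this still matter, but without a uniform response they only slow the sweep down rather than remove the oracle.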
With the credentials found, puppet:<REDACTED>, we can log in to the dashboard and find the molly dashboard flag.
If we scroll down a little further, we find the password for molly.
Since we already know the username of molly through notsus / bob-boba, we can log in to the machine via SSH as molly-milk. Here we find the first part of chad-cherry's password.
As molly-milk, too, we can't find a way to extend our rights, so we go back and take a look at what we've found so far. We still have the content.php page on cherryontop.thm. Here we can see that facts can be viewed for a specific user and ID. The username is Base32 encoded. Using CyberChef we can see that it is the user guest. We can see four facts, but maybe there are more!
We create a list of 10000 IDs.
Next, we use ffuf to enumerate all possible IDs for the user guest.
We find more valid IDs outside the selectable ones, but none of them give us a hint to extend our privileges. We may have to change the user. Since we have already escalated to molly-milk and bob-boba, we are left with chad-cherry and sam-sprinkles. We encode the username sam-sprinkles to Base32 and use it this time to query the 10000 IDs.
We find the same IDs again, but maybe they have a different entry this time.
For the ID 43 we find the credentials for sam-sprinkles.
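content.php accepts a Base32-encoded username and a numeric ID, and the two sweeps above show that nothing stops one user from reading another user's facts. The Python below is an added example, not the room's code: it decodes the user parameter the way CyberChef did, shows the lookup with encoding as the only "protection", and the same lookup with an ownership check that also gives identical answers for "not yours" and "does not exist". The fact store and its texts are constructed placeholders; IDs 1 to 4 for guest and 43 for sam-sprinkles follow the write-up's numbers, and the sweep is capped at 100 instead of 10000.

```python
"""
Added example (not the room's code): the content.php lookup pattern with
Base32-encoded usernames, once with encoding as the only barrier and once
with an ownership check. The fact store below is constructed.
"""
import base64
import binascii

# Constructed fact store: (username, fact_id) -> text. Four public facts for
# guest and one record at ID 43 for sam-sprinkles, mirroring the write-up's IDs.
FACTS = {
    ("guest", 1): "constructed public fact 1",
    ("guest", 2): "constructed public fact 2",
    ("guest", 3): "constructed public fact 3",
    ("guest", 4): "constructed public fact 4",
    ("sam-sprinkles", 43): "<credentials placeholder; the real record is redacted>",
}

def encode_user(username):
    """Produce the Base32 form the page sends in its user parameter."""
    return base64.b32encode(username.encode("utf-8")).decode("ascii")

def decode_user(encoded):
    """Decode the Base32 username (what CyberChef did by hand) and reject
    malformed input instead of passing it on to the lookup."""
    try:
        return base64.b32decode(encoded, casefold=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed user parameter") from exc

def get_fact_vulnerable(encoded_user, fact_id):
    """Encoding is the only barrier: any caller can name any user and sweep
    the ID space, which is how the write-up reached ID 43."""
    user = decode_user(encoded_user)
    return FACTS.get((user, fact_id))

def get_fact_hardened(session_user, encoded_user, fact_id):
    """Ownership check: the requested user must be the authenticated caller.
    'Not yours' and 'does not exist' both return None, so the response cannot
    be used to map which IDs exist for other users."""
    user = decode_user(encoded_user)
    if user != session_user:
        return None
    return FACTS.get((user, fact_id))

def sweep_ids(fetch, upper=100):
    """Enumerate IDs 1..upper through `fetch` (the write-up used a 10000-entry
    list with ffuf) and return the IDs that returned a record."""
    return [i for i in range(1, upper + 1) if fetch(i) is not None]

if __name__ == "__main__":
    target = encode_user("sam-sprinkles")
    print("encoded user parameter:", target)
    print("vulnerable sweep as anyone:", sweep_ids(lambda i: get_fact_vulnerable(target, i)))
    print("hardened sweep as guest:   ", sweep_ids(lambda i: get_fact_hardened("guest", target, i)))
    print("hardened sweep as owner:   ", sweep_ids(lambda i: get_fact_hardened("sam-sprinkles", target, i)))
```

The point of the hardened variant is that the user identity comes from the session, not from a parameter the client encodes; Base32 here is transport formatting, not access control.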
We use the found credentials of sam-sprinkles to log in via SSH. Here we find the second password part of chad-cherry.
We just have to merge the password parts of molly-milk + sam-sprinkles + bob-boba. This way, we can log in as chad-cherry via SSH. Here we find the flag of chad-cherry and a WAV file with the ominous name rootPassword.wav. There is also a note in Hello.txt that rootPassword.wav contains the root password.
We download the rootPassword.wav file for further analysis. This seems to be a stego challenge at the end.
When viewing the audio file in Audacity, we discover a pattern in the spectrogram view that resembles a digital signal. There may be another file, text or image embedded here.
After a search we find the following article, which is a continuation of a series on audio steganography techniques.
It could be SSTV used to add other data to the audio file. We find a script to decode it at the following link:
After we have set up the prerequisites, we can run the script and get an image out of the WAV file.
This shows us a picture of two cherries with a string underneath. Possibly the root password.
We use it to switch from user chad-cherry to root and are successful. As root we read the final flag in /root/root-flag.txt.