# NanoCherryCTF

{% embed url="<https://tryhackme.com/r/room/nanocherryctf>" %}

The following post by 0xb0b is licensed under [CC BY 4.0<img src="https://mirrors.creativecommons.org/presskit/icons/cc.svg?ref=chooser-v1" alt="" data-size="line"><img src="https://mirrors.creativecommons.org/presskit/icons/by.svg?ref=chooser-v1" alt="" data-size="line">](http://creativecommons.org/licenses/by/4.0/?ref=chooser-v1)

***

## Recon

We start with an Nmap scan and find only two open ports: 22 (SSH) and 80 (a web server).

<figure><img src="/files/TmzxdgSIkWspMiLDZ2rh" alt=""><figcaption></figcaption></figure>

We add the hostname from the room description to our `/etc/hosts` file and find an ice cream online shop.

<figure><img src="/files/Lih0H7TaOsc1hvkRlJR8" alt=""><figcaption></figcaption></figure>

The first interesting page we discover is `content.php`. Here, we can retrieve facts for a specific user.

<figure><img src="/files/DR8qCwDBEfY6IEduJsMJ" alt=""><figcaption></figcaption></figure>

The subsequent directory scan yielded no further useful findings.

<figure><img src="/files/tLNKHZ9UrPKmKazPpNLc" alt=""><figcaption></figcaption></figure>

Since the room description requires a specific hostname, additional subdomains may be present. We scan for additional subdomains / virtual hosts and find `nano.cherryontop.thm`.

<figure><img src="/files/qc6oXPAb50l4nXSqejAb" alt=""><figcaption></figcaption></figure>

For the time being, we don't discover anything conspicuous here...

<figure><img src="/files/Or17818J83gTXa2O7f7a" alt=""><figcaption></figcaption></figure>

except for a login page for the admin portal. \
Here, the room's question about molly's dashboard led me astray: I assumed the login had to belong to a user related to molly and used `cewl`, `cupp` and `username-anarchy` to build wordlists, without success. Let's continue for now.

<figure><img src="/files/BMMcLdofpkHEQyFWafuo" alt=""><figcaption></figcaption></figure>

This time the directory scan returns something interesting, `command.php`, which is probably located behind the login. The first thought is command injection, but we can only check that later.

<figure><img src="/files/Y42UfIy5wzOvJxgG8SXm" alt=""><figcaption></figcaption></figure>

## Shell As notsus

According to the room's backstory, a backdoor already exists and is meant to be the starting point of the challenge: a user `notsus` with which we can log in via SSH.

<figure><img src="/files/xVbMS7WU1TiXathzv0wo" alt=""><figcaption></figcaption></figure>

We use the credentials for login via SSH.

<figure><img src="/files/NstzwUBCWXgdtoobPiLM" alt=""><figcaption></figcaption></figure>

We get the hint that we can escalate from this user to `bob-boba`.

<figure><img src="/files/mDUGXYxpsNYvr6aWnZv0" alt=""><figcaption></figcaption></figure>

## Shell As bob-boba

We upgrade the shell and enumerate the machine. We find a cronjob that downloads and executes a script from `cherryontop.tld` as `bob-boba`. Nice: if we can edit `/etc/hosts`, we can point that hostname at ourselves and serve the script, for example one that executes a reverse shell and gives us a connection as `bob-boba`.

<figure><img src="/files/6sISqQfuFDqimiLi3N0M" alt=""><figcaption></figcaption></figure>

`/etc/hosts` is writable for us, so we add an entry that maps `cherryontop.tld` to our IP.

```bash
echo '10.8.211.1 cherryontop.tld' >> /etc/hosts
```

<figure><img src="/files/D91swyzlmM3Uy9tBxJ2I" alt=""><figcaption></figcaption></figure>

Then we set up the folder structure and a script that executes an `nc mkfifo` reverse shell generated on `revshells.com`. We start an HTTP server on port `8000` to serve the script and a listener on port `4445` to catch the reverse shell.

<figure><img src="/files/lqPnpPt9kekEFFkH1UNz" alt=""><figcaption></figcaption></figure>
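From the defender's side, the chain above rests on two findings that are easy to audit: a cron entry that pipes a download straight into a shell, and an `/etc/hosts` that an unprivileged user may modify. The following audit helper is an added example, not code from the write-up or from the room; the crontab lines and the script path in them are constructed, and `hosts_file_risky()` takes stat values as arguments so the logic can be checked offline.

```python
"""Audit helper, added here as an example; it is not part of the original
write-up or of the room. It flags cron entries that download a script and pipe
it straight into a shell, and checks whether /etc/hosts can be modified by an
unprivileged user: together these are what the write-up abuses on this box."""
import os
import re
import stat

# Constructed system-crontab lines for offline use. The real job on the box is
# only shown in the write-up's screenshot; the script paths below are made up.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
*/1 * * * * bob-boba curl -s http://cherryontop.tld/constructed/path.sh | bash
0 3 * * * root /usr/bin/apt-get update
*/5 * * * * www-data wget -qO- http://cherryontop.tld/constructed/other.sh | sh
30 2 * * * root tar czf /backup/etc.tgz /etc
"""

# A downloader (curl/wget) whose output is piped into sh/bash/zsh/dash.
FETCH_EXEC = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba|z|da)?sh\b")


def find_fetch_exec_jobs(crontab_text):
    """Return (user, command) for each system-crontab entry that pipes a download into a shell."""
    flagged = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)  # m h dom mon dow user command
        if len(fields) < 7:
            continue
        user, command = fields[5], fields[6]
        if FETCH_EXEC.search(command):
            flagged.append((user, command))
    return flagged


def hosts_file_risky(mode, uid, gid, caller_uid=1000, caller_groups=()):
    """True if a file with this stat mode/owner is writable by the given non-root caller.

    The values are passed in rather than read from disk so the logic can be
    checked offline; stat_hosts() applies it to the live /etc/hosts."""
    if caller_uid == 0:
        return False  # root can always write; that is not the finding we are after
    if mode & stat.S_IWOTH:
        return True   # world-writable, as on the box
    if uid == caller_uid and mode & stat.S_IWUSR:
        return True   # owned by the unprivileged caller
    if gid in caller_groups and mode & stat.S_IWGRP:
        return True   # group-writable by one of the caller's groups
    return False


def stat_hosts(path="/etc/hosts"):
    """Apply hosts_file_risky() to the real file, using the current process's identity."""
    st = os.stat(path)
    return hosts_file_risky(st.st_mode, st.st_uid, st.st_gid, os.getuid(), os.getgroups())


if __name__ == "__main__":
    for user, cmd in find_fetch_exec_jobs(SAMPLE_CRONTAB):
        print(f"[!] cron runs downloaded code as {user}: {cmd}")
    print("world-writable /etc/hosts (mode 0666, root-owned):", hosts_file_risky(0o100666, 0, 0))
    print("local /etc/hosts writable by this user:", stat_hosts())
```

Run as a script it reports the two constructed fetch-and-execute jobs and then checks the real `/etc/hosts` of the host it runs on. The fix on the box is the same in both places: cron jobs should execute a script that lives on local disk with root-owned, non-writable permissions, and `/etc/hosts` should be `0644 root:root`.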

We get a connection back as `bob-boba`.

<figure><img src="/files/sJ6l7fZeZ8v3bPBM2dNY" alt=""><figcaption></figcaption></figure>

Here we find a message and the third piece of `chad`'s password.

<figure><img src="/files/lJlBUFLBOSbR3Lkkt9sV" alt=""><figcaption></figcaption></figure>

From `/etc/passwd` we can see that there are three other users, two of whom will probably hold the remaining parts of `chad`'s password.

<figure><img src="/files/10L7C3yAcSwurp9MVePM" alt=""><figcaption></figcaption></figure>

As already described, we find the third part of the password here.

<figure><img src="/files/XuTxBY7HctS60vawueR0" alt=""><figcaption></figcaption></figure>

Enumerating the machine as `bob-boba` turned up nothing else. I had focused too much here and ignored the earlier findings: my attention was entirely on lateral movement from `bob-boba`, which is not possible. It turns out that each user is reached independently. At least we now know molly's username.

I should have noticed that `bob-boba` has the third password part, and the description explicitly states that the challenge can be solved independently.

## Shell As molly-milk

We go back to the login page of `nano.cherryontop.thm` and see that we can enumerate usernames. As mentioned at the beginning, I was initially too focused on generating and checking users related to the username `molly-milk`. Using the `xato-net-10-million-usernames.txt` or `top-usernames-shortlist.txt` lists from `SecLists`, however, we can enumerate a user, because a wrong username produces the message `"This user doesn't exist"`.

<figure><img src="/files/mom7oyUylLEsG7RSSJiB" alt=""><figcaption></figcaption></figure>

We can use `ffuf`, `hydra` or any other fuzzer to enumerate the user by matching on the message `"This user doesn't exist"`.

```bash
hydra -L /usr/share/wordlists/SecLists/Usernames/xato-net-10-million-usernames.txt -p asdf nano.cherryontop.thm http-post-form "/login.php:username=^USER^&password=^PASS^&submit=:F=This user doesn't exist"
```

<figure><img src="/files/PQsLCMHc8EOv8AvIQaoB" alt=""><figcaption></figcaption></figure>

We find the user `puppet`; now we just need to brute-force the password. A wrong password produces the message `"Bad password"`, which is all we need to match on.

```bash
hydra -l puppet -P /usr/share/wordlists/rockyou.txt nano.cherryontop.thm http-post-form "/login.php:username=^USER^&password=^PASS^&submit=:Bad password"
```

<figure><img src="/files/4DRlk9qOoMgUNGinD326" alt=""><figcaption></figcaption></figure>
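Both hydra runs work only because the portal answers with two different failure strings, so a client can tell "unknown user" from "wrong password". The block below is an added example, not the portal's code: it reproduces that behaviour next to a handler that removes the oracle (one message, same hashing work for unknown and known users), and adds a minimal access-log check of the kind that would have flagged the spray. The user store, the `puppet` placeholder password and the log lines are constructed.

```python
"""Added example; this is not the admin portal's code. It reproduces the
behaviour the hydra runs rely on (two different failure messages) next to a
handler that removes the oracle, plus a minimal log check that would have
flagged the password spray. The user store and log lines are constructed."""
import hashlib
import hmac
from collections import Counter


def _hash(password, salt):
    # PBKDF2 with a modest iteration count so the example runs quickly; raise it in real code.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed store: the user 'puppet' exists as in the room, but this password is a placeholder.
_PUPPET_SALT = b"constructed-salt-1"
USERS = {"puppet": (_PUPPET_SALT, _hash("placeholder-password", _PUPPET_SALT))}
# Dummy record so a lookup for an unknown user costs the same hashing work as a known one.
_DUMMY_SALT = b"constructed-salt-0"
_DUMMY = (_DUMMY_SALT, _hash("dummy", _DUMMY_SALT))


def login_vulnerable(username, password):
    """Mirrors the portal: the response reveals which half of the credential was wrong."""
    if username not in USERS:
        return "This user doesn't exist"   # oracle: username invalid
    salt, stored = USERS[username]
    if not hmac.compare_digest(stored, _hash(password, salt)):
        return "Bad password"              # oracle: username valid
    return "OK"


GENERIC = "Invalid username or password"


def login_hardened(username, password):
    """One failure message, and the same hashing work whether or not the user exists."""
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(stored, _hash(password, salt))
    if username not in USERS or not ok:
        return GENERIC
    return "OK"


def distinct_failure_messages(login, usernames, password="definitely-wrong"):
    """Number of different failure strings a client can provoke; more than one is an oracle."""
    return len({login(u, password) for u in usernames})


# Constructed access-log lines in the shape a spray against /login.php leaves behind.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "POST /login.php HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "POST /login.php HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "POST /login.php HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "POST /login.php HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "POST /login.php HTTP/1.1" 200 512
"""


def sources_over_threshold(log_text, max_attempts=3):
    """Source IPs with more POSTs to /login.php than max_attempts: a rate-limit or alert trigger."""
    hits = Counter(line.split()[0] for line in log_text.splitlines() if "POST /login.php" in line)
    return sorted(src for src, n in hits.items() if n > max_attempts)


if __name__ == "__main__":
    probes = ["nobody", "puppet"]
    print("vulnerable handler, distinct failure messages:", distinct_failure_messages(login_vulnerable, probes))
    print("hardened handler, distinct failure messages:  ", distinct_failure_messages(login_hardened, probes))
    print("sources over threshold:", sources_over_threshold(SAMPLE_LOG))
```

The dummy hash in `login_hardened()` matters as much as the single message: without it, an unknown user returns immediately while a known one costs a PBKDF2 computation, and the timing difference becomes the next oracle.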

With the credentials found `puppet:<REDACTED>`, we can log in to the dashboard and find the molly dashboard flag.

<figure><img src="/files/HXRwj9DkhWlwdfdNkUuG" alt=""><figcaption></figcaption></figure>

If we scroll down a little further, we find the password for `molly`.

<figure><img src="/files/kzseowI6xFITx6QvfvBr" alt=""><figcaption></figcaption></figure>

Since we already know molly's username from `notsus`/`bob-boba`, we can log in to the machine via SSH as `molly-milk`. Here we find the first part of `chad-cherry`'s password.

<figure><img src="/files/AD1uNxaZ4qcdz8zXw4WH" alt=""><figcaption></figcaption></figure>

## Shell As sam-sprinkles

As `molly-milk`, too, we find no way to escalate privileges, so we go back over what we have found so far. We still have the `content.php` page on `cherryontop.thm`. Facts are viewed there for a specific user and ID, and the username is Base32-encoded; decoding it in CyberChef shows it is the user `guest`. Four facts are selectable, but maybe there are more!

<figure><img src="/files/dbe1tZVqzt722ak68Cif" alt=""><figcaption></figcaption></figure>

We create a list of 10000 IDs as `ids.txt`.

<figure><img src="/files/VcIawEF31eeJQloYIBa7" alt=""><figcaption></figcaption></figure>

Next, we use `ffuf` to enumerate all possible IDs for the user `guest`.

```bash
ffuf -u "http://cherryontop.thm/content.php?facts=FUZZ&user=I52WK43U" -w ids.txt -mc all -fr "Error"
```

<figure><img src="/files/YjcEDEtEBooWVhq4XYL6" alt=""><figcaption></figcaption></figure>

We find more valid IDs outside the selectable range, but none of them hints at a way to extend our privileges. Perhaps we have to change the user. Since we have already escalated to `molly-milk` and `bob-boba`, we are left with `chad-cherry` and `sam-sprinkles`. We Base32-encode the username `sam-sprinkles` and use it this time to query the 10000 IDs.

<figure><img src="/files/FMAsH1ZzfCokQejwvZtI" alt=""><figcaption></figcaption></figure>

We find the same IDs again, but maybe they hold different entries this time.

```bash
ffuf -u "http://cherryontop.thm/content.php?facts=FUZZ&user=ONQW2LLTOBZGS3TLNRSXG===" -w ids.txt -mc all -fr "Error"
```

<figure><img src="/files/yuQWtU0t5kOvgygcLkdR" alt=""><figcaption></figcaption></figure>

For the ID `43` we find the credentials for `sam-sprinkles`.

<figure><img src="/files/cBnv0Xe2ThGCjAdiIasT" alt=""><figcaption></figcaption></figure>
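What makes this step work is that `content.php` takes the identity from the `user=` parameter, and Base32 is an encoding, not a secret: anyone can produce the value for another username. The following block is an added example, not the site's code. It decodes the two parameter values used in the ffuf commands (the `guest` value `I52WK43U` decodes to `Guest` with a capital G, which the constructed lookup table therefore uses), and shows a lookup keyed on the client-supplied user next to one keyed on the server-side session. The facts table and the placeholder text at ID 43 are constructed.

```python
"""Added example; this is not content.php. It shows what the user= parameter
on the facts page really is (Base32 of the username) and why decoding it is
not authorisation. The facts table below is constructed."""
import base64

# Constructed facts store keyed by (username, id). The real entries are only
# visible in the write-up's screenshots; ID 43 is included because the write-up
# reports a sensitive entry there for sam-sprinkles.
FACTS = {
    ("Guest", 1): "Cherries are drupes.",
    ("Guest", 2): "Nano-sized scoops are a thing.",
    ("sam-sprinkles", 43): "[sensitive: placeholder for the entry the write-up found]",
}


def encode_user(username):
    """The page's encoding of the user parameter: plain Base32, padding included."""
    return base64.b32encode(username.encode()).decode()


def decode_user(param):
    """Reverse the page's encoding; returns None for malformed input instead of raising."""
    try:
        return base64.b32decode(param, casefold=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None


def _fact_id(params):
    try:
        return int(params.get("facts", ""))
    except ValueError:
        return None


def lookup_vulnerable(params):
    """Mirrors content.php: whoever the client claims to be via user= is who gets served."""
    user = decode_user(params.get("user", ""))
    fact_id = _fact_id(params)
    if user is None or fact_id is None:
        return None
    return FACTS.get((user, fact_id))


def lookup_hardened(session_user, params):
    """Identity comes from the server-side session; a user= parameter is simply ignored."""
    fact_id = _fact_id(params)
    if fact_id is None:
        return None
    return FACTS.get((session_user, fact_id))


if __name__ == "__main__":
    for value in ("I52WK43U", "ONQW2LLTOBZGS3TLNRSXG==="):
        print(f"{value} -> {decode_user(value)!r}")
    forged = {"user": encode_user("sam-sprinkles"), "facts": "43"}
    print("vulnerable, session Guest, forged user param:", lookup_vulnerable(forged))
    print("hardened,   session Guest, forged user param:", lookup_hardened("Guest", forged))
```

The hardened lookup still has to handle the case where the requested ID exists but belongs to someone else; here it returns `None` for that, exactly as it does for an unknown ID, so the response does not leak which IDs exist for other users.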

We use the found credentials of `sam-sprinkles` to log in via SSH. Here we find the second password part of `chad-cherry`.

<figure><img src="/files/iLYrLPycAjpmavzIAikR" alt=""><figcaption></figcaption></figure>

## Shell As chad-cherry

We just have to combine the password parts from `molly-milk` + `sam-sprinkles` + `bob-boba` (first, second and third part). This way, we can log in as `chad-cherry` via SSH. Here we find the flag of `chad-cherry` and a WAV file with the ominous name `rootPassword.wav`. There is also a note in `Hello.txt` that `rootPassword.wav` contains the root password.

<figure><img src="/files/umJV0qjwfK1SiGYDZ1xt" alt=""><figcaption></figcaption></figure>

## Shell As root

We download the `rootPassword.wav` file for further analysis. The final step seems to be a steganography challenge.

<figure><img src="/files/FlEvjpLayJGYVhUNHFaD" alt=""><figcaption></figcaption></figure>

When viewing the audio file in Audacity, we discover a pattern in the spectrogram view that resembles a digital signal. Another file, text or an image may be embedded here.

<figure><img src="/files/fEK5s8dPBRkcBNcS53CL" alt=""><figcaption></figcaption></figure>

After a search we find the following article, the second part of a series on audio steganography techniques.

{% embed url="<https://sumit-arora.medium.com/audio-steganography-the-art-of-hiding-secrets-within-earshot-part-2-of-2-c76b1be719b3>" %}

The data may have been embedded using SSTV (slow-scan television), which transmits an image as audio. We find a decoder at the following link:

{% embed url="<https://github.com/colaclanth/sstv>" %}

After setting up the prerequisites, we can run the script and extract an image from the WAV file.

```bash
┌──(0xb0b㉿kali)-[~/Documents/tryhackme/nanocherry]
└─$ git clone https://github.com/colaclanth/sstv.git

┌──(0xb0b㉿kali)-[~/Documents/tryhackme/nanocherry]
└─$ cd sstv

┌──(0xb0b㉿kali)-[~/Documents/tryhackme/nanocherry/sstv]
└─$ python -m venv sstv_venv

┌──(0xb0b㉿kali)-[~/Documents/tryhackme/nanocherry/sstv]
└─$ . ./sstv_venv/bin/activate

┌──(sstv_venv)─(0xb0b㉿kali)-[~/Documents/tryhackme/nanocherry/sstv]
└─$ python setup.py install
```

<figure><img src="/files/w2edLQPHCIaiZUqgEkVN" alt=""><figcaption></figcaption></figure>

The decoded image shows two cherries with a string underneath, possibly the root password.

<figure><img src="/files/Pjbf59aJcU7RnqjahQTn" alt=""><figcaption></figcaption></figure>

We use it to switch from `chad-cherry` to `root`, which succeeds, and read the final flag in `/root/root-flag.txt`.

<figure><img src="/files/7aA35PJssby3KTZYfLrE" alt=""><figcaption></figcaption></figure>
