Nov. 17, 2020

Post Cover Gif animation

Poster - THM Room

Welcome to another writeup, this time we’ll be trying to hack a newly released room on TryHackMe called Poster created by stuxnet! This is gonna be a really quick writeup (compared to my previous ones), since I’m supposed to make dinner in 1 hour 😂 so that’s the timne we have for this one, just an hour. Let’s try to hack this, shall we?

Getting initial access

Let’s use once again, rustscan to get a very-fast lay of the land.

A short explanation on that command:

If instead we want to use plain nmap to get the version of the RDBMS running (first room question), we can do it like this (port number discovered by rustscan):

Metasploiting away!

Now we need to leverage metasploit to enumerate user credentials. Let’s fire up metasploit with the command msfconsole -q (-q is optional, just starts msfconsole quietly):

Once we have the module we need identified, we select it by running use # where # is the actual number listed to the left of the module name.

Once selected we run show options to see which required values we need to set before the module can be executed. In this case it seems we just need to set RHOSTS to the ip of the target machine. set RHOSTS {Target_IP}, once that is set. We simply run the script:

Once it runs we get a successful login back, with that we answer another room question.

Again, we run show options and set the required values, remember that we found a set of credentials before, let’s set those too before running the module. In this case I’ve set PASSWORD and RHOSTS since USERNAME was already set correctly:

With that we get another answer for the room’s questions. Let’s now move to the other one:

Again, we locate the right module, set its options and then run it:

With the results we can answer the room question.

For the next one we just simply run search postgre and by just looking at the module names you’ll get the answer:

From the same search we get the next module name to answer the room’s question. Now we need to exploit this machine and get the flags.

Getting the user flag

Once we set all required options and the password we found, we can run the module:

We managed to get the initial access to the machine, if we look around we see where the user.txt flag is located, but we lack permissions to read it:

Since we know there is a module that would allow us to read files from the system. Let’s use that to read the contents of the /etc/passwd file:

Remember to set RHOSTS, PASSWORD before running the module.

Ok, the interesting part of that file is the mention to another file called credentials.txt. Let’s use the same module to read that file, we need to set RFILE to that file path we found:

Now we got dark’s credentials, and if we recall the results from rustscan we now there is a port 22 open. Let’s try to login there: dark:qwerty1234#!hackme

Even though we are logged in as another user now, we still don’t have access to that flag.

Let’s fire up a local HTTP python server where we have the file ready and let’s upload it to the remote machine using wget:

If we start checking the results from linpeas, there are a couple of interesting things. However, there is one that seems particularly simple to check:

Let’s check that file:

It seems we got the password for Alison account, which means we can get that user flag:

If we switch user to alison we get access to the first flag:

Getting the root flag

If we run sudo -l for the current user we see that we can run all commands as sudo. Nice, we can get the root flag now:

That’s it, a very quick and entertaining room, we went a bit over the hour mark but we also produced another writeup that could help back a fellow hacker solve this room in the future. Totally worth it! I hope you enjoyed it!

Happy hacking!

comments powered by Disqus