
MyBox

Jul 11, 2021

Hi folks,

In this article, we are going to learn new topics and crack the MyBox machine.

Deploy the machine

Deploy

After connecting to the VPN, check connectivity.

Connectivity

Enumeration

As always, the first step is to scan for open ports using nmap.

Here, we can see ports 22, 111, 2049 and 8082.

Enumeration

As port 8082 is open, we will check the web server.

Web-server

Here, we don't get any information, so we will check the page source.

We got flag1.

Page-source (Flag-1)

Since there is no other information to proceed with, we will decode flag1 using “CyberChef”.

By decoding it, we got the username and password.

CyberChef

Since port 22 is open, we will try to log in over SSH with the credentials we got.

We got a user shell.

User-shell (toby)

After logging in as the user, we got 1 file and 1 directory. We will check them one by one.

In the examples.desktop file, we don't find any useful information.

So, let's check the directory.

Files of user toby

In the FunnyThing directory, we got a JPEG file.

Folder of user toby

Let's download it to our Kali machine using Python.

python

Open the THM machine IP in the browser along with the port.

File

Download the file and check it for a password using the stegseek tool.

It shows that there is no password on the file, so we will extract the content of the JPEG file using the steghide tool.

We can see the extracted file is saved as secret1.txt.

Steganography tool

We will look at the content of the extracted file.

We got flag2.

Flag-2

Again, we will decode it using “CyberChef”.

We got another username and password.

CyberChef

We will log in again over SSH with the credentials we got from flag2.

We got a user shell.

Another user shell (arun)

We will check the directories of user “arun”.

Here, we can see a folder called sudoers.

Directories of arun

We will check it

#cat /etc/sudoers

We found pwfeedback, which has a known buffer overflow exploit.

sudoers
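
A defender can look for the same setting the write-up spots in /etc/sudoers. The following is an added example, not part of the original article: the function name pwfeedback_state and the sample sudoers text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original write-up): report whether sudoers text
# turns on pwfeedback. Assumptions: one setting per physical line (no "\"
# continuations) and include directives are not followed.

# pwfeedback_state FILE -> prints "enabled", "disabled" or "unset"
pwfeedback_state() {
    awk '
    /^[ \t]*#/ { next }                  # comments (and #include lines)
    /^[ \t]*Defaults/ {
        line = $0
        sub(/^[ \t]*Defaults/, "", line)
        # Scoped forms: Defaults:user, Defaults@host, Defaults>runas, Defaults!cmnd
        scope = "global"
        if (match(line, /^[@:>!][^ \t]+/)) {
            scope = substr(line, 1, RLENGTH)
            line = substr(line, RLENGTH + 1)
        }
        n = split(line, opts, ",")
        for (i = 1; i <= n; i++) {
            o = opts[i]
            gsub(/[ \t]/, "", o)
            # Later entries override earlier ones within the same scope.
            if (o == "pwfeedback")       st[scope] = "enabled"
            else if (o == "!pwfeedback") st[scope] = "disabled"
        }
    }
    END {
        result = "unset"
        for (s in st) {
            if (st[s] == "enabled") { result = "enabled"; break }
            result = "disabled"
        }
        print result                     # enabled in any scope counts as enabled
    }' "$1"
}

# Constructed sample input, not the real file from the box.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sudoers excerpt
Defaults env_reset
Defaults mail_badpass, pwfeedback
%sudo ALL=(ALL:ALL) ALL
EOF
echo "pwfeedback: $(pwfeedback_state "$sample")"
rm -f "$sample"
```

On a real host, run it as root against /etc/sudoers and each file under /etc/sudoers.d; if it reports enabled, set `Defaults !pwfeedback` and update sudo.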

Search for it on Google.

We found a GitHub repository for this exploit.

pwfeedback exploit

We will clone it on our Kali machine.

git-clone

We got an exploit.c from the cloned repository.

We will transfer it to user arun by using Python.

python

By using the “wget” command, we can get the file from Kali to user arun.

After downloading, compile the file using gcc.

#gcc -o exploit exploit.c

We got root access.

Downloading exploit

As we didn’t find anything in the root directory, we will check outside it.

root shell

We will check all the hidden files.

Here, we can see the .Finish file.

hidden files

We will check the content of the file.

We got Flag3.

Flag-3

I believe you guys have learned new things from this article. I will see you in the next article.

Happy Learning!!!!


Written by Pavithra Santhosh

This is Pavithra Santhosh, who is an aspiring cyber security professional, currently part of the Red Team certification programme from Hacker U.
