Another day, another quick tryhackme CTF walkthrough. You hear me, quick walkthrough, the shortest tryhackme CTF walkthrough. I guess this box is initially hard but somehow the creator of the box, user darkstar reduces the difficulty. To be honest, you can solve this challenge without the need for a walkthrough. I’m able to solve this within 3 mins excluding SSH brute-forcing time. You are welcome to refer to this walkthrough if you are stuck.
Task 1: Capture the flag
You capture the flag, you win. That is the rule.
Task 1-1: Capture user flag
Launch your Nmap scanner with the following command.
$ nmap -Pn -p- -A -v <Machine IP>
There are three open ports available on the machine which is Port 21 (FTP), Port 22 (SSH) and Port 80 (HTTP). Both FTP and SSH required username and password. Guess port 80 is the only way in.
Oh yea, my favorite game, Minecraft. I used to create a lot of stuff inside that server, haha. Oops, I got it too far away, let’s come back to the task :). Alright, nothing is interesting in the main page, how about the source code?
We have something in the page source code. It is a message for Zach. There are 3 major points made me wanted to brute-force the SSH login.
- Username steve (SSH username obtained)
- FTP not working (We can ignore FTP, which left with SSH only)
- Weak FTP password. (Somehow, FTP login credential connected to SSH)
That’s it, let’s fire up our hydra using the following command.
$ hydra -l steve -p rockyou.txt ssh://<Machine IP>
After 8 or 9 mins, we are able to obtain steve’s login credential. Time to capture steve’s flag.
Task 1-2: Capture the root flag
You don’t need any privilege escalation for this task, the root flag is inside notch’s directory.
Easy huh. By referring to sp00ky’s write up, we can gain root privilege using the cronjob on the backup.sh. Check that out!
That’s it, what a short walkthrough. This is all about the weak credential and miss-configuration. Until next time 🙂