October 16, 2023

TryHackMe - Valley Writeup

"Can you find your way into the Valley?"

Before completing this machine, I recommend you get familiar with:-

  • Basic web application testing
  • Privilege escalation
  • Nmap and network services

Nmap

Starting off with the Nmap scan, we see 3 open ports:-

  • 22 - ssh
  • 80 - http
  • 37370 - running FTP

Getting the first flag

When we visit the machine's IP, we see a pretty old looking website which has a bunch of images on it, as well as a pricing page.

The first thing that came to mind was enumerating the directories.

Using ffuf, we discover:-

  • /gallery
  • /static
  • /pricing

It's always a good step to re-enumerate any directories you find, so I ran ffuf on /static again..

As you can see, we get all the images stored in /static, however, "00" is not present in the /gallery webpage, as the first image is "1".

Checking /static/00, we find this odd note, that also reveals a hidden directory.

The hidden webpage is a login portal for the site's developers, after digging around some more, I found hard-coded credentials in an attached JavaScript file.

Using those credentials, we get redirected to another helpful note on the site.

"Stop reusing credentials".. hmm.

Initial access is gained by using the same credentials over an FTP connection.

From there, we can use "mget" to download all the PCAP files.

After checking each PCAP file with Wireshark, we stumble upon credentials passed in a POST request.

Now, using those credentials, we can connect to the machine via SSH, and get the first flag.

Getting the root flag

Checking sudo privs yields nothing, but there is an interesting executable file in "/home".

By setting up a simple HTTP server using Python on the machine, we can use "wget" to download the executable.

If you've ever done any reverse engineering or cryptography CTFs before, you know that checking files with "strings" can sometimes be useful.

So, I used "strings" to make a new file, and then checked for any mentions of "user" or "password", and I saw what looks like a hash.

You can use CrackStation to crack this MD5 hash, which will give us the password for the other user on the machine, "valley".

After switching to the user "valley", using find we can see which files are owned by the "valleyAdmin" group.

The base64.py file is owned by "valleyAdmin", and it's used in the cronjob that runs every 1 minute.

So, all we've got to do is modify the base64.py file to escalate our privileges.

And just like that, we're root (because we have the effective user-id of root).

Copy link

Get in touch

Email
LinkedIn
Disclaimer

© Karam Chatra

Karam Chatra
Blog
/
Resume