DEV Community

Cover image for AoC 2 [2020] TryHackMe CTF 🐱‍💻Day 13 & 14
Wiz Lee
Wiz Lee

Posted on

AoC 2 [2020] TryHackMe CTF 🐱‍💻Day 13 & 14

Table Of Contents


Day 1️⃣3️⃣ - Linux Enumeration, Discovering and Priv Escalation

👣Steps

  • Initial access
    • The first few questions only need to follow the info provided in the questions
    • After running nmap {machine IP}, out of the 3 open ports telnet is the old, deprecated service that stands out.
    • To get the password, just run telnet {machine IP} {telnet port number}. The username and password are shown in the login welcome messages.
  • Enumeration
    • Run the 3 commands recommended by the questions to learn more about the machine
      • cat /etc/*release
      • uname -a
      • cat /etc/issue
    • The answer for the first question is shown in the output of the first command above
    • Running cat cookies_and_milk.txt will show the answer for the question of Who got here first?
  • Privilege Escalation via DirtyC0w 🐮
    • The question provided a link that contains more info about this exploit.
    • That link contains this page where it has a lot of proof of concepts (POCs) for this exploit.
      • However, non of them is the one that this question intend us to use.
    • Ended up using grep.app to search code online to find the original code.
      • The search string used is struct Userinfo user;
    • All the top search results are the correct original dirtyc0w C source code
    • Choose the C file in exploitdb even though it's filename is not correct because exploitdb is a known repo to me
    • The answer to the question on how to compile the code is found in line 17.
    • The subsequent question is what is the new user that is created when ran using the original source
      • The answer can be found by reading the original source
      • The answer is in line 131
    • Lastly, to obtained the flag ⛳
      • first create a file named dirty.c, then copy all the content of 40839.c into in
        • This can be done in various ways, what I did were the following:
          • touch dirty.c
          • nano dirty.c
          • Paste all the content by right click / shirt-insert / any other paste shortcut of your terminal
          • Ctrl+o to save to file
          • Followed by Ctrl+x to exit the Nano text editor
      • run gcc -pthread dirty.c -o dirty -lcrypt to compile the exploit
      • run the exploit -> ./dirty
        • enter any new password for firefart user
      • Either background the current process, or open another telnet connection
      • su firefart to attempt to switch user to firefart
        • enter your new password
      • read the message left by prepertrator as mentioned in the question
        • cat message_from_the_grinch.txt
        • inside it explains what it means to "leave behind the coal"
          • perform the action explained
        • finally run tree | md5sum as explain in the text file and the question
        • flag obtained == profit 💰

Day 1️⃣4️⃣ - OSINT (Open Source Intelligence)

🧠 Info

👣Steps

  • Task #1
    • To begin, search for reddit IGuidetheClaus2020 in DuckDuckGo
    • Go to the first result, clicked on the comment tab and the URL is the answer for the first question
    • For the second question, the answer is in the overview tab
    • Google'd IGuidetheClaus2020 creator robert will reveals IGuidetheClaus2020's creator last name
    • Along side IGuidetheClaus2020's creator, among the search results is IGuidetheClaus2020 twitter account. This is the answer for the fourth question
  • Task #2
    • In a few of the retweets, IGuideClaus2020 mentioned a TV show.
    • Two of the tweets mentioned about parade, with the first one explicitly giving hint about going to a parade
      • Performing a visual search of the image will reveal in which city the parade is held.
    • The question about where exactly the parade image is taken is the most technical so far
      • First, find an image metadata viewer AKA EXIF viewer. Search for online exif data viewer and use the first result. For me it is https://onlineexifviewer.com/
      • Using this we can avoid the need to download and install a software
      • Using the 2 URLs of the 2 images of the parade, we found that they don't contain any EXIF data.
      • However, another post shared a high quality photo of one of the parade image.
      • Using that URL in https://onlineexifviewer.com/ reveals the exact GPS location coordinate.
      • Round down the precision to 6 decimal will yields the answer.
      • In the same EXIF data, there's a flag in the copyright field
    • The question about has Rudolph been pawned and what password of his appeared in a breach is a more open ended question
      • There is hints in the task#2 description where it mentioned questions #6 -11 can be solved by using info on his twitter account
      • Steps to answer this question is as follows
        • Follow the steps in this site to use Scylla
        • However, found out that the tools are outdated and don't work on the current Twitter
        • Visit the twitter user page and noticed the email is listed in the user description
        • Use haveibeenpwn to search and it only mentioned about the password is being breached in LiveJournal
        • Search online for more data breached site and came across breach directory
        • Here it shows two sha1 which hints of what are the password
          • live************: 7ae929950f2d937538eee064371ceb612ed9c59e
          • spyg***: 6e3f262dccc80924be40aa96554ce5df182e939a
        • Then, use a site called md5decrypt to search for the decryted password. Usually the sha1 of common password are easily searchable without the need to crack 🦀 them ourself
          • Another alternative is where it manages to find decrypt the first sha1 while md5decrypt fails.
          • Try it for yourself and get the excitement of figuring out a password!
    • For the question of what is the street number of the hotel Rudolph is staying
      • Originally can't figure out where to start.
      • However, after some pondering and failed online search got a relization that this question probably is asking about Rudolph when he is in Parade as those twitter post will still be consider new during the time this CTF is on-going
      • Check the EXIF data of the parade high-res photo using https://onlineexifviewer.com/ screenshot of EXIF data of parade image
      • Opening the GPS coordinate using google map, and search for the closest hotel.
      • The street number of the hotel address is the answer to the final question

Top comments (0)