AoC 2 [2020] TryHackMe CTF 🐱‍💻Day 13 & 14

Table Of Contents

• Day 1️⃣3️⃣
  • 👣Steps
• Day 1️⃣4️⃣
  • 🧠Info
  • 👣Steps

Day 1️⃣3️⃣ - Linux Enumeration, Discovering and Priv Escalation

👣Steps

• Initial access
  • The first few questions only need to follow the info provided in the questions
  • After running nmap {machine IP}, out of the 3 open ports telnet is the old, deprecated service that stands out.
  • To get the password, just run telnet {machine IP} {telnet port number}. The username and password are shown in the login welcome messages.
• Enumeration
  • Run the 3 commands recommended by the questions to learn more about the machine
    • cat /etc/*release
    • uname -a
    • cat /etc/issue
  • The answer for the first question is shown in the output of the first command above
  • Running cat cookies_and_milk.txt will show the answer for the question of Who got here first?
• Privilege Escalation via DirtyC0w 🐮
  • The question provided a link that contains more info about this exploit.
  • That link contains this page where it has a lot of proof of concepts (POCs) for this exploit.
    • However, non of them is the one that this question intend us to use.
  • Ended up using grep.app to search code online to find the original code.
    • The search string used is struct Userinfo user;
  • All the top search results are the correct original dirtyc0w C source code
  • Choose the C file in exploitdb even though it's filename is not correct because exploitdb is a known repo to me
  • The answer to the question on how to compile the code is found in line 17.
  • The subsequent question is what is the new user that is created when ran using the original source
    • The answer can be found by reading the original source
    • The answer is in line 131
  • Lastly, to obtained the flag ⛳
    • first create a file named dirty.c, then copy all the content of 40839.c into in
      • This can be done in various ways, what I did were the following:
        • touch dirty.c
        • nano dirty.c
        • Paste all the content by right click / shirt-insert / any other paste shortcut of your terminal
        • Ctrl+o to save to file
        • Followed by Ctrl+x to exit the Nano text editor
    • run gcc -pthread dirty.c -o dirty -lcrypt to compile the exploit
    • run the exploit -> ./dirty
      • enter any new password for firefart user
    • Either background the current process, or open another telnet connection
    • su firefart to attempt to switch user to firefart
      • enter your new password
    • read the message left by prepertrator as mentioned in the question
      • cat message_from_the_grinch.txt
      • inside it explains what it means to "leave behind the coal"
        • perform the action explained
      • finally run tree | md5sum as explain in the text file and the question
      • flag obtained == profit 💰

Day 1️⃣4️⃣ - OSINT (Open Source Intelligence)

🧠 Info

• Tips & tricks
  • Use search engine query as a precusory scan through the internet
  • The use of special symbols such as quotes, negative sign etc goes a long way reveal just the results that we wanted
  • Directly search the site itself rather than using search engine might reveals desirable results
    • Example, reddit & twitter
  • Uses different search engines or niche search engine for a specific search type
    • For example, use SymbolHound to search for query that contains special characters.
  • Use image searches to search for visually similar images
    • Google image search
    • https://yandex.com/images/
    • https://tineye.com/
    • https://www.bing.com/visualsearch?FORM=ILPVIS
  • Use breached data
    • https://haveibeenpwned.com/
    • http://scylla.so/
    • https://dehashed.com/
• Tools to search for user accounts across social media platforms.
  • https://namechk.com/
  • https://whatsmyname.app/
  • https://namecheckup.com/
  • Github source
    • https://github.com/WebBreacher/WhatsMyName
    • https://github.com/sherlock-project/sherlock

👣Steps

• Task #1
  • To begin, search for reddit IGuidetheClaus2020 in DuckDuckGo
  • Go to the first result, clicked on the comment tab and the URL is the answer for the first question
  • For the second question, the answer is in the overview tab
  • Google'd IGuidetheClaus2020 creator robert will reveals IGuidetheClaus2020's creator last name
  • Along side IGuidetheClaus2020's creator, among the search results is IGuidetheClaus2020 twitter account. This is the answer for the fourth question
• Task #2
  • In a few of the retweets, IGuideClaus2020 mentioned a TV show.
  • Two of the tweets mentioned about parade, with the first one explicitly giving hint about going to a parade
    • Performing a visual search of the image will reveal in which city the parade is held.
  • The question about where exactly the parade image is taken is the most technical so far
    • First, find an image metadata viewer AKA EXIF viewer. Search for online exif data viewer and use the first result. For me it is https://onlineexifviewer.com/
    • Using this we can avoid the need to download and install a software
    • Using the 2 URLs of the 2 images of the parade, we found that they don't contain any EXIF data.
    • However, another post shared a high quality photo of one of the parade image.
    • Using that URL in https://onlineexifviewer.com/ reveals the exact GPS location coordinate.
    • Round down the precision to 6 decimal will yields the answer.
    • In the same EXIF data, there's a flag in the copyright field
  • The question about has Rudolph been pawned and what password of his appeared in a breach is a more open ended question
    • There is hints in the task#2 description where it mentioned questions #6 -11 can be solved by using info on his twitter account
    • Steps to answer this question is as follows
      • Follow the steps in this site to use Scylla
      • However, found out that the tools are outdated and don't work on the current Twitter
      • Visit the twitter user page and noticed the email is listed in the user description
      • Use haveibeenpwn to search and it only mentioned about the password is being breached in LiveJournal
      • Search online for more data breached site and came across breach directory
      • Here it shows two sha1 which hints of what are the password
        • live************: 7ae929950f2d937538eee064371ceb612ed9c59e
        • spyg***: 6e3f262dccc80924be40aa96554ce5df182e939a
      • Then, use a site called md5decrypt to search for the decryted password. Usually the sha1 of common password are easily searchable without the need to crack 🦀 them ourself
        • Another alternative is where it manages to find decrypt the first sha1 while md5decrypt fails.
        • Try it for yourself and get the excitement of figuring out a password!
  • For the question of what is the street number of the hotel Rudolph is staying
    • Originally can't figure out where to start.
    • However, after some pondering and failed online search got a relization that this question probably is asking about Rudolph when he is in Parade as those twitter post will still be consider new during the time this CTF is on-going
    • Check the EXIF data of the parade high-res photo using https://onlineexifviewer.com/
    • Opening the GPS coordinate using google map, and search for the closest hotel.
    • The street number of the hotel address is the answer to the final question