Closed LSD00 closed 3 weeks ago
Thanks for helping me!
I thought I'd help you with https://github.com/jesusgavancho/TryHackMe_and_HackTheBox/blob/master/Theseus.md. I managed to find two more flags; perhaps I did something wrong, but the fact is:
After getting the shell, you need to scan the subnet. Example from my machine:
$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.71.XXX.X  netmask 255.255.255.255.0  broadcast 10.71.23X.XX
Then scan the subnet with Nmap using the command:
$ nmap -sn 10.71.23X.X/24
Starting Nmap 7.60 ( https://nmap.org ) at 2024-05-03 17:24 UTC
WARNING: Running Nmap setuid, as you are doing, is a major security risk.
Nmap scan report for ip-10-71-2XX-X.eu-west-1.compute.internal (10.71.2XX.X)
Host is up (-0.20s latency).
MAC Address: FE:44:02:E4:B4:BA (Unknown)
Nmap scan report for Athens.lxd (10.71.23X.XX)
Host is up (0.000018s latency).
MAC Address: 00:16:3E:9E:36:DA (Xensource)
Nmap scan report for Labyrinth.lxd (10.71.23X.XXX)
Host is up (0.000013s latency).
MAC Address: 00:16:3E:65:94:47 (Xensource)
Nmap scan report for Minos.lxd (10.71.23X.X)
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 5.63 seconds
So we get the login and password for SSH to Labyrinth.lxd. Further privilege escalation I did, to be honest, with CVE-2021-4034 to root, and there are two users in the system, so we get two more flags. After that I failed; I am bad at binary exploitation :D
So the Athens flag is missing now?
Well, yes, it didn't work for me. It's probably related to the binary files on Labyrinth, and maybe all exploitation should go through them.
After logging in with ssh ariadne@Labyrinth.lxd
you see a file called
ariadne
That is an image file. If you use
$ file ariadne
you will see: ariadne: data
So it was broken somewhere.
Use this command to see where it was broken:
head ariadne | xxd
You see:
00000000: 0000 0000 0000 0000 0000 0001 0101 0048  ...............H
00000010: 0048 0000 ffdb 0043 0003 0202 0302 0203  .H.....C........
00000020: 0303 0304 0303 0405 0805 0504 0405 0a07  ................
00000030: 0706 080c 0a0c 0c0b 0a0b 0b0d 0e12 100d  ................
00000040: 0e11 0e0b 0b10 1610 1113 1415 1515 0c0f  ................
00000050: 1718 1614 1812 1415 14ff db00 4301 0304  ............C...
00000060: 0405 0405 0905 0509 140d 0b0d 1414 1414  ................
00000070: 1414 1414 1414 1414 1414 1414 1414 1414  ................
00000080: 1414 1414 1414 1414 1414 1414 1414 1414  ................
It is a little bit unusual when a file starts with zeros. No signature at all. It looks like someone intentionally deleted the leading 10 bytes.
If we examine closely the file signatures at
https://en.wikipedia.org/wiki/List_of_file_signatures
we can observe that the JPG signature could be a match.
This is the broken code, according to the wiki:
FF D8 FF E0 00 10 4A 46 49 46 00 01
We are going to replace the first 10 bytes in the file ariadne with FF D8 FF E0 00 10 4A 46 49 46. I've used this command:
echo -ne '\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46' | dd of=ariadne bs=1 count=10 conv=notrunc
Now it will replace them.
To confirm, type this command:
xxd ariadne
You see:
00000000: ffd8 ffe0 0010 4a46 4946 0001 0101 0048  ......JFIF.....H
00000010: 0048 0000 ffdb 0043 0003 0202 0302 0203  .H.....C........
00000020: 0303 0304 0303 0405 0805 0504 0405 0a07  ................
00000030: 0706 080c 0a0c 0c0b 0a0b 0b0d 0e12 100d  ................
00000040: 0e11 0e0b 0b10 1610 1113 1415 1515 0c0f  ................
00000050: 1718 1614 1812 1415 14ff db00 4301 0304  ............C...
00000060: 0405 0405 0905 0509 140d 0b0d 1414 1414  ................
00000070: 1414 1414 1414 1414 1414 1414 1414 1414  ................
00000080: 1414 1414 1414 1414 1414 1414 1414 1414  ................
00000090: 1414 1414 1414 1414 1414 1414 1414 ffc2  ................
000000a0: 0011 0801 c201 6803 0111 0002 1101 0311  ......h.........
000000b0: 01ff c400 1c00 0002 0203 0101 0000 0000  ................
000000c0: 0000 0000 0000 0203 0104 0005 0607 08ff  ................
Now copy all this code and paste it into CyberChef; you will see some credentials in CyberChef.
Now simply log in over SSH:
ssh shore@Athens.lxd
and enter the password.
Done, you will get the flag (thank you :))
THM{bb2af471e0aea04e982c2e5d0a6fa404} Athens flag
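The header repair described in the post above, as an added example that is not code from the thread: a small POSIX shell script that first checks the file really does begin with ten zero bytes (and still carries the JFIF version bytes at offset 10, as the dump shows) before patching the JFIF magic in with dd, so the same trick is not run blindly over an intact file. The sample input is constructed here from the first bytes of the dump; it is not the real ariadne file.

```shell
#!/bin/sh
# Added example, not from the thread. Restores a JFIF header whose first
# 10 bytes (FF D8 FF E0 00 10 4A 46 49 46) were zeroed, as with "ariadne".
set -eu

# Print the first N bytes of a file as lowercase hex with no separators.
# usage: hexhead FILE N
hexhead() {
    od -An -v -tx1 -N "$2" "$1" | tr -d ' \n'
}

# Succeed only if bytes 0-9 are all zero and bytes 10-11 hold a JFIF
# APP0 version (00 01 or 00 02), i.e. the rest of the header survived.
looks_like_stripped_jfif() {
    [ "$(hexhead "$1" 10)" = "00000000000000000000" ] || return 1
    case "$(od -An -v -tx1 -j 10 -N 2 "$1" | tr -d ' \n')" in
        0001|0002) return 0 ;;
        *) return 1 ;;
    esac
}

# Overwrite bytes 0-9 in place; conv=notrunc keeps the rest of the file.
# Returns 2 and leaves the file untouched if the header is not zeroed.
restore_jfif_header() {
    if ! looks_like_stripped_jfif "$1"; then
        echo "$1: header does not look zeroed; refusing to patch" >&2
        return 2
    fi
    # \377\330\377\340\000\020 = FF D8 FF E0 00 10, then the ASCII "JFIF".
    printf '\377\330\377\340\000\020JFIF' |
        dd of="$1" bs=1 count=10 conv=notrunc 2>/dev/null
    # Verify the SOI/APP0 markers are now in place.
    [ "$(hexhead "$1" 4)" = "ffd8ffe0" ]
}

# Constructed sample (not the real file): 10 zero bytes followed by the
# bytes the dump shows from offset 10 on (version 1.01, 72x72, then FF DB).
make_stripped_sample() {
    printf '\000\000\000\000\000\000\000\000\000\000\000\001\001\001\000H\000H\000\000\377\333' > "$1"
}
```

Run it with `. ./restore.sh; restore_jfif_header ariadne` and then `file ariadne` should report a JPEG rather than "data". The check on offset 10 is deliberately strict: if those bytes are not a JFIF version, the damage is not the simple ten-byte strip the dump suggests and writing the APP0 header would only corrupt the file further.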