jesusgavancho / TryHackMe_and_HackTheBox

MIT License

Help with Theseus.md #1

Closed LSD00 closed 3 weeks ago

LSD00 commented 5 months ago

I thought I'd help you with https://github.com/jesusgavancho/TryHackMe_and_HackTheBox/blob/master/Theseus.md. I managed to find two more flags; perhaps I did something wrong, but the fact is:

After getting the shell, you need to scan the subnet. Example from my machine:

```
$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 10.71.XXX.X netmask 255.255.255.255.0 broadcast 10.71.23X.XX
```

Then scan the subnet with Nmap using the command:

```
$ nmap -sn 10.71.23X.X/24

Starting Nmap 7.60 ( https://nmap.org ) at 2024-05-03 17:24 UTC
WARNING: Running Nmap setuid, as you are doing, is a major security risk.

Nmap scan report for ip-10-71-2XX-X.eu-west-1.compute.internal (10.71.2XX.X)
Host is up (-0.20s latency).
MAC Address: FE:44:02:E4:B4:BA (Unknown)
Nmap scan report for Athens.lxd (10.71.23X.XX)
Host is up (0.000018s latency).
MAC Address: 00:16:3E:9E:36:DA (Xensource)
Nmap scan report for Labyrinth.lxd (10.71.23X.XXX)
Host is up (0.000013s latency).
MAC Address: 00:16:3E:65:94:47 (Xensource)
Nmap scan report for Minos.lxd (10.71.23X.X)
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 5.63 seconds
```

So we get a login and password for SSH on Labyrinth.lxd. Further privilege escalation I did, to be honest, with CVE-2021-4034 to root, and there are two users on the system, so we get two more flags. After that I failed; I am bad at binary exploitation :D

jesusgavancho commented 4 months ago

Thx for helping me!

jesusgavancho commented 4 months ago

So the Athens flag is missing now?

LSD00 commented 4 months ago

Well, yes, it didn't work for me. It's probably related to the binary files on Labyrinth, and maybe all exploitation should go through them.

Dhanush2468 commented 3 weeks ago

After logging in with `ssh ariadne@Labyrinth.lxd`, you see a file called `ariadne`.

That is an image file, but if you use

```
$ file ariadne
```

you will see `ariadne: data`.

So it was broken somewhere. Use this command to see where it was broken:

```
head ariadne | xxd
```

You see:

```
00000000: 0000 0000 0000 0000 0000 0001 0101 0048  ...............H
00000010: 0048 0000 ffdb 0043 0003 0202 0302 0203  .H.....C........
00000020: 0303 0304 0303 0405 0805 0504 0405 0a07  ................
00000030: 0706 080c 0a0c 0c0b 0a0b 0b0d 0e12 100d  ................
00000040: 0e11 0e0b 0b10 1610 1113 1415 1515 0c0f  ................
00000050: 1718 1614 1812 1415 14ff db00 4301 0304  ............C...
00000060: 0405 0405 0905 0509 140d 0b0d 1414 1414  ................
00000070: 1414 1414 1414 1414 1414 1414 1414 1414  ................
00000080: 1414 1414 1414 1414 1414 1414 1414 1414  ................
```

It is a little bit unusual when a file starts with zeros. No signature at all. It looks like someone intentionally deleted the leading 10 bytes.

If we examine the file signatures at

https://en.wikipedia.org/wiki/List_of_file_signatures

closely, we can observe that the JPG signature could be a match. This is the signature according to the wiki:

```
FF D8 FF E0 00 10 4A 46 49 46 00 01
```

We are going to replace the first 10 bytes in the file `ariadne` with `FF D8 FF E0 00 10 4A 46 49 46`. I've used this command:

```
echo -ne '\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46' | dd of=ariadne bs=1 count=10 conv=notrunc
```

Now it will replace them. To confirm, type this command again:

```
xxd ariadne
```

You see:

```
00000000: ffd8 ffe0 0010 4a46 4946 0001 0101 0048  ......JFIF.....H
00000010: 0048 0000 ffdb 0043 0003 0202 0302 0203  .H.....C........
00000020: 0303 0304 0303 0405 0805 0504 0405 0a07  ................
00000030: 0706 080c 0a0c 0c0b 0a0b 0b0d 0e12 100d  ................
00000040: 0e11 0e0b 0b10 1610 1113 1415 1515 0c0f  ................
00000050: 1718 1614 1812 1415 14ff db00 4301 0304  ............C...
00000060: 0405 0405 0905 0509 140d 0b0d 1414 1414  ................
00000070: 1414 1414 1414 1414 1414 1414 1414 1414  ................
00000080: 1414 1414 1414 1414 1414 1414 1414 1414  ................
00000090: 1414 1414 1414 1414 1414 1414 1414 ffc2  ................
000000a0: 0011 0801 c201 6803 0111 0002 1101 0311  ......h.........
000000b0: 01ff c400 1c00 0002 0203 0101 0000 0000  ................
000000c0: 0000 0000 0000 0203 0104 0005 0607 08ff  ................
```

Now copy all this code and paste it into CyberChef; you will see some credentials in CyberChef.

Now simply log in to SSH:

```
ssh shore@Athens.lxd
```

and enter the password.

Done, you will get the flag (thank you :))

THM{bb2af471e0aea04e982c2e5d0a6fa404} Athens flag
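Added example (not code from the issue thread or the repository): a Python version of the header repair described in the comment above, plus a check the comment does not show, namely walking the JPEG marker chain to confirm that the restored `FF D8 FF E0 00 10 "JFIF"` bytes line up with the segments that follow. The sample bytes are constructed here to mirror the dump (an APP0 with 72x72 density, then DQT, SOF2, DHT and SOS); they are not the real `ariadne` file, and the detection heuristic and function names are this example's own.

```python
"""Repair a JFIF header whose first 10 bytes were zeroed, then validate the result
by walking the JPEG marker segments. Added example; the sample data is constructed."""
import struct

# Bytes 0..9 of every JFIF file: SOI (FF D8), APP0 marker (FF E0), length 16, "JFIF".
JFIF_SOI_APP0 = bytes.fromhex("FFD8FFE000104A464946")

MARKER_NAMES = {
    0xC0: "SOF0", 0xC2: "SOF2", 0xC4: "DHT", 0xDA: "SOS",
    0xDB: "DQT", 0xDD: "DRI", 0xE0: "APP0", 0xE1: "APP1", 0xFE: "COM",
}


def detect_zeroed_jfif_header(data: bytes) -> bool:
    """Heuristic (this example's own) for the damage seen in the dump: bytes 0..9 are
    zero, but the APP0 tail survives: NUL of "JFIF\\0" at 10, version major 1 at 11,
    density units 0..2 at 13, and the next marker's 0xFF at offset 20 where APP0 ends."""
    if len(data) < 22 or data[:10] != b"\x00" * 10:
        return False
    return data[10] == 0 and data[11] == 1 and data[13] in (0, 1, 2) and data[20] == 0xFF


def repair_jfif_header(data: bytes) -> bytes:
    """Same effect as `echo -ne ... | dd of=ariadne bs=1 count=10 conv=notrunc`:
    overwrite bytes 0..9 in place; the file length does not change."""
    if not detect_zeroed_jfif_header(data):
        raise ValueError("does not look like a JFIF file with zeroed leading bytes")
    return JFIF_SOI_APP0 + data[10:]


def walk_markers(data: bytes) -> list:
    """Return [(name, offset, length)] for each marker segment up to and including SOS.
    Raises ValueError if a segment does not start with 0xFF or its length runs off
    the end, which is how a misaligned header repair would show up."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker FF D8")
    segments, pos = [], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF at offset {pos:#x}, got {data[pos]:#04x}")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                      # EOI has no segment body
            segments.append(("EOI", pos, 0))
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn have no length field
            segments.append(("TEM" if marker == 0x01 else f"RST{marker & 7}", pos, 0))
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment header at offset {pos:#x}")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length {length} at offset {pos:#x}")
        segments.append((MARKER_NAMES.get(marker, f"0x{marker:02X}"), pos, length))
        pos += 2 + length
        if marker == 0xDA:                      # SOS: entropy-coded data follows, stop here
            break
    return segments


def is_valid_jfif(data: bytes) -> bool:
    """True when SOI/APP0/"JFIF\\0" are intact and the segment chain is consistent."""
    try:
        segments = walk_markers(data)
    except ValueError:
        return False
    return data[6:11] == b"JFIF\x00" and bool(segments) and segments[0][0] == "APP0"


def build_sample_jpeg() -> bytes:
    """Constructed sample (not the real file): APP0 as in the dump, then minimal
    DQT, SOF2, DHT and SOS segments, a few entropy bytes and EOI."""
    app0 = JFIF_SOI_APP0 + bytes([0x00, 0x01, 0x01, 0x01, 0x00, 0x48, 0x00, 0x48, 0x00, 0x00])
    dqt = b"\xff\xdb" + struct.pack(">H", 67) + b"\x00" + bytes(range(1, 65))
    sof2 = (b"\xff\xc2" + struct.pack(">H", 17) + b"\x08" + struct.pack(">HH", 450, 360)
            + b"\x03" + b"\x01\x11\x00" + b"\x02\x11\x01" + b"\x03\x11\x01")
    counts = bytes([0, 2, 2, 3, 1, 1] + [0] * 10)           # 16 code-length counts, sum 9
    symbols = bytes([2, 3, 1, 4, 0, 5, 6, 7, 8])             # 9 Huffman symbols
    dht = b"\xff\xc4" + struct.pack(">H", 3 + len(counts) + len(symbols)) + b"\x00" + counts + symbols
    sos = b"\xff\xda" + struct.pack(">H", 12) + b"\x03" + b"\x01\x00\x02\x11\x03\x11" + b"\x00\x00\x00"
    return app0 + dqt + sof2 + dht + sos + b"\x12\x34\x56\x78" + b"\xff\xd9"


GOOD = build_sample_jpeg()
DAMAGED = b"\x00" * 10 + GOOD[10:]   # the damage pattern from the thread: bytes 0..9 zeroed

if __name__ == "__main__":
    print("damaged detected:", detect_zeroed_jfif_header(DAMAGED), "valid:", is_valid_jfif(DAMAGED))
    fixed = repair_jfif_header(DAMAGED)
    print("repaired valid:", is_valid_jfif(fixed), "segments:", walk_markers(fixed))
```

The marker walk is the check worth keeping: the APP0 length field `00 10` must land exactly on the `FF DB` at offset 20, which it does in the dump, so overwriting ten bytes in place with `conv=notrunc` is enough and nothing needs to be inserted or removed. If the walk raised on a real file, the damage would extend beyond the first ten bytes and a different repair would be needed.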

jesusgavancho commented 3 weeks ago

Thx so much for helping me!