WriteUp - Dodge - TryHackMe [THM] - Medium - RED Team

Discovery >>

nmap >>

And there we can found some subdomains >

So we can add it to /etc/hosts and inspect >

DNS:dodge.thm , DNS:blog.dodge.thm, DNS:touch-me-not.dodge.thm, DNS:ball.dodge.thm

There is this page >

DNS:dev.dodge.thm >

There is phpinfo page , but nothing special...

DNS:www.dodge.thm >

We can found this >

But nothing so interesting...

Last one is DNS:netops-dev.dodge.thm >

That looks blank , but title is set to "Firewall - Uploads Logs. So we can look on source code, maybe there is something special >

And there are two scripts, cf.js there is nothing special, but in firewall.js there I found this >

So we found new entry point https://netops-dev.dodge.thm/firewall10110.php

So we can try some commands >

First what I try was "sudo ufw status" but no luck "Invalid command" get back... So we can try to allow port ftp maybe there is something spice.

And success, so let's look on FTP >

We need switch to passive mode. It look like home direcory. We can look if there is id_rsa >

And success we can download id_rsa_backup and authorized_keys.

In authorized_keys we can found username >

So let's try SSH >

We are in ! USER flag is DONE !

By user challanger we don't have many options to get root access. After little research we can found those users >

Maybe one of this users have way to get root access >

-- Pivoting --

After research we can found this in .bash_history >

So we can try to find this files and look on it >

Let's look on crypt message >

And we can found password of cobra user >

-- ROOT PATH --

So we can try sudo -l command >

And that is easy :-) , GTFOBins >>

https://gtfobins.github.io/gtfobins/apt/

Let's try >

So we are ROOT and completely PWNed this machine !

Happy hacking and see you next time ! ;-)