TryHackMe Super-Spam Writeup
In this post, We will solve the room Super-Spam from TryHackMe.
Let’s do a scan with Nmap.
Here we can see, 4 ports are open. The services running on those port that are useful are ssh, ftp, vnc. Let’s see if there is something on port 80. Visit the ip we got from the room.
Ok. we found a website. Now let’s go to ftp port. In that scan result, we have seen that anonymous login is allowed. We should see what’s in that service we might need.
$ftp 10.10.17.217 4019
We can see there is a .cap and IDS_logs folder and a text file. What do we have in .cap?
We have another text file. and a packet capture of a network. What’s in IDS_logs?
It’s a log folder. Ok, let’s get both text files and .cap file.
$get .quicknote.txt
$get note.txt
$get SamsNetwork.cap
What’s in .quicknote.txt?
note.txt …..
Let’s see our Last hope.
It has a three way handshake. We can use aircrack-ng to crack the key.
$aircrack-ng SamsNetwork.cap -w ……/rockyou.txt
Ok, then. We found a key from ftp. Let’s search the website for something. There is a blog. Wait, there is login page. Nice job hiding it.
After searching the blog page and blogs, we got some usernames. See if can log into the site.
We are in but there is no hope here. But this is a concrete5 cms, right? See if we can find any exploits or vulnerabilities.
We got one in CVE Details. And it’s a high score. After reading through the reference, there is strong possibility of reverse shell execution. Doing what was in the hackerone report, we found a reverse shell. We are in.
Let’s see what do we have here?
Five folders are here like the usernames in the blog. Let’s see what’s in them?
Found something in lucy_loser folder. What’s in that weired big name folder?We can’t see in that machine what’s about those pics. We have to download them. We should open python server as we know the machine has python3.
$python3 -m http.server
Now we can download from there with wget.
$wget — recursive — no-parent http://ip/folder
— recursive is used if we have more than one file.
— no-parent is used if you don’t want to download the parent folder.
We got all the pics. And the pics are also weird. Whatever! After look into the pics sometime, we have one interesting pic. And we have a password from that pic.
After that lucy_loser folder, we have another two interesting folders. Let’s see. Attention! We have something we are looking for.
We have got user flag. Now we have to look for root flag. We have no permission to see donalddump. But we got a password from a pic in a weird big name folder. As there is a ssh in the machine, maybe we can connect to ssh with that key.
$ssh donalddumb@ip -p 4012
After giving the password we are in as donalddumb. Still we can’t get into the folder. We can try to change permission of the folder.
$chmod 777 donalddumb
We’re in. There are many things in here including glory of Super-spam and a passwd file. We need it to see with vncviwer. The vnc port 5901. If you google for port 5901, you will find how to interact with it.
$vncviewer -passwd passwd ip::5901
We’re in as root user. Now We can find root flag. Now, Let’s end this with a question. How do you get that root flag from that machine?
Now is the time of the questions of the super-spam room.
1. What CMS and version is being used?(format: wordpress x.x.x)
Answer: If you have wappalyzer installed, you can get it easily.
2. What is the user flag?
Answer: Where did we find it?
3. What type of encryption did super-spam use to send his encrypted messages?
Answer: Remember that one pic from a weird big name folder?
4. What key information was embedded in one of super-spam’s encrypted messages?
Answer: Again that one pic.
5. What is the root flag?
Answer: vnc, port 5901 is something new we learned today!!!
