TryHackMe — TEAM

5 min readMar 21, 2021

Hello all this is my first ctf writeup to publish.
The name of the box is Team and it’s beginner friedly ctf rated easy.
Please allow 3–5 minutes for the box to boot
Created by: dalemazza

Link to the room: https://tryhackme.com/room/teamcw

Enumeration

We start by scanning networks from the ip obtained using nmap to find open ports,services,versions etc.

nmap -v -sC -sV -p- -O -T4 -On nmap.txt [ip]

Results from nmap showed 3 open ports

First we tried to login ftp port but anonymous login was disabled so went on to check http port 80.

Http page revealed just an apache default page. We also did a directory scan on this page using gobuster but unfortunately gobuster didn’t reveal much information. From the web source page i found an interesting comment which was mentioning to add domain to /etc/hosts.

I then added it to the /etc/hosts file

After adding it to hosts file went to check the webpage and found another webpage which seems to be blog website.

Now i ran two gobuster scan to get full path to the directory. Gobuster is a Directory/file & DNS busting tool written in Go Gobuster is a tool used to brute-force URI’s including directories and files as well as DNS subdomains.

From the above screenshot we got a many directories. From robots.txt We got a username named dale. It could be useful to login ssh. Then we checked the /scripts/script.txt. After browsing to the page. The page was mentioning of ftp credentials but the creds wasn’t there to get the creds changed the directory to script.old as it mentioned.

We saved the script.old

When we checked the script it gave the proper ftp creds to login. Let’s now login ftp using this credentials.

There was another .txt file let’s grab it using get command to our local directory.

The .txt file was mentioning about a .dev webpage and also about ssh id_rsa config file. Let’s first add .dev.team.thm to the /etc/hosts and navigate it in the webpage.

On visiting the website, it was evident that the website is still in development. Clicking on the only link on the website, we see that it is a PHP script, probably using the include function.

Testing the variable ‘page’, we see that it is vulnerable to LFI.

Now from the .txt file we got from ftp it mentioned about ssh config files so i thought to check all ssh files and it seems that dale ssh private key was actually visible we got it using injecting a simple lfi command.

../../../../etc/ssh/sshd_config

To get the ssh private key in a proper way i did curl,grep and cut to just specifically get the id_rsa key.

curl http://dev.team.thm/script.php?page=../../../../etc/ssh/sshd_config | grep -A 100 ‘AllowUsers dale gyles’ cut -c “2-”

And we saved the id_rsa key then changed the permission to chmod 600 to execute the ssh key. And finally we logged in using dale private key.

After getting in the machine, we see that there is another user ‘gyles’ in the machine. As Gyles was instructing dale, it is safe to assume that the user Gyles has more privileges than our current user. On, running sudo -l as the user dale, we see that we can run a script ‘admin_checks’ as user gyles with elevated privileges and NOPASSWD. Reading the script ‘admin_check’, it asks for the users name and date, and then passes the ‘date variable’ to the ‘date command’ to be executed. This was very easy to exploit, just pass ‘/bin/bash’ as date, and we have a shell.

Now we are logged in as the gyles’ user. Looking at the user’s home directory we see that the author left the .bash_history meaning we can trace what the author did while he was creating the box. Looking through the file we see a file in /opt/admin_stuff . We then navigated to that directory.