TryHackMe Avengers Blog Writeup
Avengers Blog (https://tryhackme.com/room/avengers) is a new room by TryHackMe. The room is all about cookie stealing, SQL injection and command injection: the task is to enumerate the machine, bypass the login page through SQL injection and gain root access by command injection.
Let us get started.
[Task 2] Cookies
Task 2 is to find flag #1 from the cookie value. As we know from the nmap scan, there is a website running on port 80, so let us browse the website and find the flag.
To find the cookie as per the task, I just used Inspect Element in the Firefox browser, and I found flag #1.
[Task 3] HTTP Headers
So flag #1 is done, let us move forward. The second task is to find flag #2 in the HTTP response headers. You can complete this task as well using Inspect Element: the header information is always found in the Network tab of the inspector. If the tab is blank, reload the page while Inspect Element is open.
[Task 4] Enumeration and FTP
# root @ nav1n in ~/thm/avengers [22:04:43] $ nmap -sS -sU -T4 -A -v 10.10.65.30
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-12 22:05 +03
Scanning 10.10.65.30 [1000 ports]
Discovered open port 21/tcp on 10.10.65.30
Discovered open port 22/tcp on 10.10.65.30
Discovered open port 80/tcp on 10.10.65.30
Nmap scan report for 10.10.65.30
Host is up (0.20s latency).
Not shown: 1976 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c5:ba:85:9e:13:88:4d:c6:6c:99:0a:06:ac:7b:66:df (RSA)
|   256 15:e8:9d:19:e6:18:4b:8b:16:34:65:7c:9a:c5:fe:9d (ECDSA)
|_  256 be:d6:1b:74:70:9a:77:2a:b9:30:5f:d6:9b:c0:f1:88 (ED25519)
80/tcp open  http    Node.js Express framework
|_http-favicon: Unknown favicon MD5: E084507EB6547A72F9CEC12E0A9B7A36
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Avengers! Assemble!
In task #2, we use nmap to scan the target machine and gather information about the open ports and the services running on them. To find the flag, we need to access the FTP server first, so let us do it. We have been provided with the credentials groot:iamgroot.
# root @ nav1n in ~/thm/avengers [22:45:44] $ ftp 10.10.65.30
Connected to 10.10.65.30.
220 (vsFTPd 3.0.3)
Name (10.10.65.30:root): groot
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 1001     1001         4096 Oct 04  2019 files
226 Directory send OK.
ftp> cd files
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0              33 Oct 04  2019 flag3.txt
226 Directory send OK.
ftp> get flag3.txt
local: flag3.txt remote: flag3.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for flag3.txt (33 bytes).
226 Transfer complete.
33 bytes received in 0.00 secs (77.8419 kB/s)
ftp> ^Z
 + 2578 suspended  ftp 10.10.65.30
# root @ nav1n in ~/thm/avengers [22:47:18] C:148 $ cat flag3.txt
8f*********2e
[Task 5] GoBuster
With 3 flags in our bucket, let's move on to task #5 – GoBuster.
$ gobuster dir -u http://10.10.65.30 -w /usr/share/wordlists/rockyou.txt
The portal page is vulnerable to SQLi. I logged in to the portal using the simple SQLi payload “' or 1=1--”. After login we can see the portal has a utility, using which we can directly interact with Jarvis.
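To show why the login bypass above works, here is an added example (not code from the room or from TryHackMe) that builds a constructed in-memory SQLite users table and compares a string-concatenated login query against a parameterized one, using the page's “' or 1=1--” payload as the username; the table contents and function names are assumptions.

```python
import sqlite3

# Constructed stand-in for the portal's users table (the room does not
# expose the real schema); one legitimate account for comparison.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('jarvis', 'correct-horse')")
    conn.commit()
    return conn

def build_vulnerable_query(username, password):
    # Input is pasted straight into the SQL text, so quotes and '--'
    # in the username change the meaning of the WHERE clause.
    return (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )

def login_vulnerable(conn, username, password):
    # ' or 1=1-- turns the WHERE clause into: username = '' or 1=1
    # and comments out the password check entirely.
    query = build_vulnerable_query(username, password)
    return conn.execute(query).fetchone() is not None

def login_parameterized(conn, username, password):
    # Placeholders keep the values separate from the SQL text: the
    # payload is compared literally against the username column.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None

def demo():
    payload = "' or 1=1--"
    conn = make_db()
    return {
        "vulnerable_bypassed": login_vulnerable(conn, payload, "anything"),
        "parameterized_bypassed": login_parameterized(conn, payload, "anything"),
        "parameterized_valid_login": login_parameterized(conn, "jarvis", "correct-horse"),
    }

if __name__ == "__main__":
    print(build_vulnerable_query("' or 1=1--", "anything"))
    print(demo())
```

The vulnerable query logs in with no valid credentials, while the parameterized version rejects the payload and still accepts the real account; in an Express app the same distinction is the difference between template-string queries and driver placeholders.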
We can see the flag here:
When we try to read the flag, we get the message “The cat command is disallowed!”. So let us use the TAC command instead of CAT.
The TAC Command:
TAC is part of Linux and Unix systems. The TAC command is also known as the reverse of the CAT command: it prints each line of a file starting from the bottom line and ending at the top line. So if you have 10000 lines in a text file, CAT lists line 1 through line 10000, whereas TAC lists them from 10000, 9999, 9998, 9997 … down to 1.