TryHackMe Avengers Blog Writeup

Avengers Blog (https://tryhackme.com/room/avengers) is a new room by TryHackMe. The room covers cookie stealing, SQL injection and command injection: the tasks are to enumerate the machine, bypass the login page through SQL injection, and reach root through command injection.


Let us get started.

[Task 2] Cookies

Task 2 is to find flag 1 in a cookie value. The nmap scan (shown under Task 4 below) reports a website running on port 80, so let us browse the site and find the flag there.

The Website:

To find the cookie as the task asks, I just used Inspect Element in Firefox (the developer tools list the site's cookies) and found flag 1.

[Task 3] HTTP Headers

So flag 1 is down, let us move forward. Task 3 is to find flag 2 in the HTTP response headers. You can complete this one with Inspect Element as well: the Network tab of the developer tools shows the request and response headers for every resource the page loads. If the tab is blank, reload the page while the developer tools are open so the request is captured.

[Task 4] Enumeration and FTP

# root @ nav1n in ~/thm/avengers [22:04:43] 
$ nmap -sS -sU -T4 -A -v 10.10.65.30                                                                                                                                                                                   
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-12 22:05 +03
Scanning 10.10.65.30 [1000 ports]
Discovered open port 21/tcp on 10.10.65.30
Discovered open port 22/tcp on 10.10.65.30
Discovered open port 80/tcp on 10.10.65.30
Nmap scan report for 10.10.65.30
Host is up (0.20s latency).
Not shown: 1976 closed ports
PORT      STATE         SERVICE     VERSION
21/tcp    open          ftp         vsftpd 3.0.3
22/tcp    open          ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c5:ba:85:9e:13:88:4d:c6:6c:99:0a:06:ac:7b:66:df (RSA)
|   256 15:e8:9d:19:e6:18:4b:8b:16:34:65:7c:9a:c5:fe:9d (ECDSA)
|_  256 be:d6:1b:74:70:9a:77:2a:b9:30:5f:d6:9b:c0:f1:88 (ED25519)
80/tcp    open          http        Node.js Express framework
|_http-favicon: Unknown favicon MD5: E084507EB6547A72F9CEC12E0A9B7A36
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Avengers! Assemble!

In Task 4 we use nmap to scan the target machine and gather information about the open ports and services. Three services are up: FTP (vsftpd 3.0.3), SSH (OpenSSH 7.6p1) and a Node.js Express web server on port 80. To find the flag we need to get into the FTP server first, so let us do that. We have been provided with credentials, groot:iamgroot


# root @ nav1n in ~/thm/avengers [22:45:44] 
$ ftp 10.10.65.30
Connected to 10.10.65.30.
220 (vsFTPd 3.0.3)
Name (10.10.65.30:root): groot
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 1001     1001         4096 Oct 04  2019 files
226 Directory send OK.
ftp> cd files
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0              33 Oct 04  2019 flag3.txt
226 Directory send OK.
ftp> get flag3.txt
local: flag3.txt remote: flag3.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for flag3.txt (33 bytes).
226 Transfer complete.
33 bytes received in 0.00 secs (77.8419 kB/s)
ftp> ^Z
[2]  + 2578 suspended  ftp 10.10.65.30

# root @ nav1n in ~/thm/avengers [22:47:18] C:148
$ cat flag3.txt 
8f*********2e

[Task 5] GoBuster

With 3 flags in our bucket, let us move on to Task 5, GoBuster. Note that rockyou.txt is a password list; a directory wordlist such as /usr/share/wordlists/dirb/common.txt is the usual choice for gobuster and finds the interesting path much faster. Either way, the scan turns up a /portal directory.

$ gobuster dir -u http://10.10.65.30 -w /usr/share/wordlists/rockyou.txt

The /portal page:

The portal login page is vulnerable to SQL injection. I logged in to the portal using the simple payload "' or 1=1--" as the username. After login we can see the portal has a utility that lets us run commands directly on Jarvis.

We can see the flag here:

When we try to read the flag with cat, we get the message "The cat command is disallowed!". The portal is only blocking the word cat, so let us use the tac command instead.

The tac command:

tac is part of GNU coreutils, so it is present on practically every Linux system. It is the reverse of cat: it prints each line of a file starting from the last line and working back to the first. If a text file has 10000 lines, cat lists line 1 through line 10000, whereas tac lists 10000, 9999, 9998, 9997 ... down to 1. For a one-line flag file the output is identical, which is exactly why a filter that only blocks the string "cat" is no protection at all.

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug bounty. If you are an HTB user and like my articles, please respect here: Profile: https://www.hackthebox.eu/nav1n
