Post

THM: Red

Posted Updated
Preview Image
By Diogo Lages
3 min read
THM: Red

Walkthrough

CTF Platform: TryHackMe

Level: Easy

Tools Used:

  • Nmap
  • Hydra
  • CyberChef
  • Pspy
  • Netcat
  • Python Exploit Script

Resources Used::

  • Tryhackme
  • CyberChef
  • GitHub (for exploit code)
  • TryHackMe documentation

Steps for the CTF

1. Scanning for Ports

The first step in any CTF is reconnaissance. I started by scanning the target machine for open ports using nmap, a popular port scanning tool.

1

nmap <TARGET_IP>

Note: Replace <TARGET_IP> with the actual IP address provided on the TryHackMe platform.

The scan revealed two open ports:

  • SSH on port 22
  • HTTP on port 80

I also performed a full port scan using the -p- flag to ensure no other ports were open. However, only these two were accessible.

Since I didn’t have any credentials for SSH, I focused on the HTTP service running on port 80.

2. Checking the Web

When accessing the web server through the browser, I noticed something unusual in the URL:

1

http://<TARGET_IP>?page=home.html

The page parameter seemed to be loading home.html. This raised suspicions about potential vulnerabilities like Local File Inclusion (LFI). LFI allows attackers to manipulate the page parameter to access sensitive files on the server.

Exploiting LFI

I attempted to exploit the LFI vulnerability by modifying the page parameter to include /etc/passwd. Unfortunately, this didn’t work directly. After trying several payloads, I used a PHP wrapper to bypass restrictions:

1

php://filter/convert.base64-encode/resource=/etc/passwd

This successfully returned the file but encoded in Base64. Using CyberChef, I decoded the file and discovered two users: blue and red.

Further Enumeration

I tried accessing other sensitive files such as:

  • /etc/shadow
  • /home/blue/.ssh/id_rsa
  • /home/red/.ssh/id_rsa

However, none of these attempts yielded useful results. Eventually, I stumbled upon /home/blue/.bash_history, which contained valuable information.

3. Getting Access

In the .bash_history file, I found a command that indicated blue was generating a wordlist using hashcat. The command referenced a “reminder” file, which likely contained the base password.

Recreating the Wordlist

Using the same hashcat command from the .bash_history, I recreated the wordlist on my local machine. To retrieve the contents of the “reminder” file, I again exploited the LFI vulnerability.

Once I had the wordlist, I used Hydra, a brute-forcing tool, to crack the SSH password for the blue user. Hydra can be configured with a graphical interface or via the command line.

1

hydra -l blue -P wordlist.txt ssh://<TARGET_IP>

After some time, Hydra successfully cracked the password. I then logged into the machine via SSH:

1

ssh blue@<TARGET_IP>

Inside, I found the first flag!

4. Privilege Escalation

With initial access as blue, I moved on to escalate privileges. I uploaded Pspy, a tool for monitoring processes on Linux systems, to identify any suspicious activity.

Monitoring Processes

Using Pspy, I discovered a recurring command that attempted to establish a reverse shell to redrules.thm on port 9001. To intercept this connection, I added an entry to my /etc/hosts file:

1

<TARGET_IP> redrules.thm

Then, I set up a netcat listener on port 9001:

1

nc -lvnp 9001

After waiting patiently, I intercepted the reverse shell and gained access as the red user. This gave me the second flag.

5. Rooting the Machine

Finally, it was time to escalate privileges to root. I began by stabilizing my shell to ensure better functionality:

1
2

python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm

Investigating SUID Binaries

During enumeration, I discovered a custom version of pkexec located in /home/red/.git/. This binary had a known vulnerability that could be exploited to gain root access.

Exploiting the Vulnerability

I downloaded an exploit script written in Python and modified it to target the custom pkexec binary. Specifically, I updated the path to /home/red/.git/pkexec.

Running the exploit granted me a root shell:

1

./exploit.py

From there, I retrieved the final flag!

Conclusion

This CTF taught me valuable lessons about:

  • Identifying and exploiting Local File Inclusion (LFI) vulnerabilities
  • Brute-forcing credentials using tools like Hydra
  • Monitoring processes with Pspy
  • Leveraging known exploits for privilege escalation

If you have any questions or need further clarification, feel free to leave a comment. Happy hacking! 🔥

Tips for Solvers

  • Always start with thorough reconnaissance using tools like nmap.
  • Pay attention to unusual parameters in URLs—they might indicate vulnerabilities.
  • Use enumeration tools like Pspy to uncover hidden processes or scripts.
  • Research known exploits for outdated binaries or services.
  • Practice patience and persistence—CTFs often require multiple attempts to succeed.
CTF, Red Team
CTF Red Team
This post is licensed under CC BY 4.0 by the author.