In this blog post, I'll share my experience tackling the "Year of the Rabbit" challenge on TryHackMe. This Capture The Flag (CTF) exercise focuses on exploiting web application vulnerabilities and leveraging misconfigurations to gain root access.
The primary vulnerabilities exploited in this challenge include:
Directory Traversal: Improper validation of user input allowed access to sensitive files outside the intended directories.
Weak Credentials: The use of easily guessable passwords permitted unauthorized access to services.
Sudo Misconfiguration: Incorrect sudo permissions enabled privilege escalation to the root user.
These vulnerabilities highlight the importance of validating user inputs, enforcing strong password policies, and correctly configuring user permissions to prevent unauthorized access.
I began by deploying the target machine and identifying its IP address. Using Nmap, I scanned for open ports and services. The scan revealed the following open ports:
Port 22 (SSH): OpenSSH 7.6p1
Port 80 (HTTP): Apache httpd 2.4.29
With HTTP service running on port 80, I navigated to the web server in my browser and discovered a simple webpage with a "Rabbithole" theme.
Inspecting the page's source code, I found a comment hinting at a directory traversal vulnerability. To test it, I used Burp Suite to intercept the request and modified the file parameter to point at /etc/passwd:
http://<target_ip>/?file=../../../../etc/passwd
The response contained the contents of /etc/passwd, confirming the directory traversal vulnerability.
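To make the bug concrete, here is an added example (my own illustrative code, not the challenge's web application, whose language the room does not reveal): the lookup pattern behind a ?file= parameter that lets ../../../../etc/passwd through, beside a hardened version that canonicalises the path and checks it still sits under the web root. The directory layout in demo() is constructed in a temp dir and stands in for the target.

```python
"""Added example (not the challenge's own web code): the pattern behind a
?file= parameter that lets ../../../../etc/passwd through, beside a hardened
version that canonicalises the path and checks it stays under the web root."""
import os
import tempfile


def serve_file_vulnerable(base_dir: str, requested: str) -> str:
    """Joins user input straight onto the web root, so "../" walks out of it."""
    with open(os.path.join(base_dir, requested), "r", encoding="utf-8") as fh:
        return fh.read()


def is_within(base_dir: str, requested: str) -> bool:
    """True if base_dir/requested resolves to a path inside base_dir.

    Resolve symlinks and ".." first, then compare with commonpath: a plain
    startswith() test would wrongly accept /var/www/html-evil for /var/www/html.
    An absolute `requested` is handled too, because os.path.join discards the
    base and realpath/commonpath then reject it.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    return os.path.commonpath([base, target]) == base


def serve_file_hardened(base_dir: str, requested: str) -> str:
    """Same lookup, but refuses anything that escapes the web root."""
    if not is_within(base_dir, requested):
        raise PermissionError(f"traversal blocked: {requested!r}")
    target = os.path.realpath(os.path.join(os.path.realpath(base_dir), requested))
    with open(target, "r", encoding="utf-8") as fh:
        return fh.read()


def demo() -> dict:
    """Constructed stand-in for the target: a web root plus a sensitive file one
    level above it (playing the role of /etc/passwd)."""
    root = tempfile.mkdtemp()
    webroot = os.path.join(root, "html")
    os.mkdir(webroot)
    with open(os.path.join(webroot, "index.html"), "w", encoding="utf-8") as fh:
        fh.write("rabbithole")
    with open(os.path.join(root, "passwd"), "w", encoding="utf-8") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")

    # One level up in this layout; against the real box it was ../../../../etc/passwd.
    payload = "../passwd"
    leaked = serve_file_vulnerable(webroot, payload)
    try:
        serve_file_hardened(webroot, payload)
        blocked = False
    except PermissionError:
        blocked = True
    return {
        "leaked": leaked.startswith("root:x:0:0"),
        "blocked": blocked,
        "legit": serve_file_hardened(webroot, "index.html"),
    }


if __name__ == "__main__":
    print(demo())
```

The order matters: canonicalise first, then check containment. Checking the raw string for "../" is bypassable with URL encoding, and a prefix comparison on the canonical path still accepts sibling directories that merely share a prefix, which is why the check uses os.path.commonpath.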
I used Gobuster to discover hidden directories and files:
gobuster dir -u http://<target_ip>/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.txt
The scan revealed a /secret directory. Accessing http://<target_ip>/secret, I found a file named passwords.txt containing a list of potential passwords.
With the list of passwords from passwords.txt, I used Hydra to perform a brute-force attack on the SSH service:
hydra -l rabbit -P passwords.txt ssh://<target_ip>
After a short while, Hydra successfully found the correct password for the user rabbit.
Using the obtained credentials, I connected to the machine via SSH. Upon logging in, I navigated to the home directory and found a file named user.txt containing the user flag.
Privilege Escalation
To escalate privileges, I checked which commands rabbit could run with sudo (sudo -l). The output showed that rabbit could run /usr/bin/vi as root without a password (NOPASSWD). Since vi can spawn a shell from command mode, I executed:
sudo /usr/bin/vi
Within vi, I entered command mode and spawned a root shell:
:set shell=/bin/sh
:shell
This provided me with a root shell. Navigating to the /root directory, I found the root.txt file containing the root flag.
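The same misconfiguration is easy to catch before an attacker does. Here is an added example (my own audit script, not something from the target or the room) that parses sudo -l output and flags rules granting binaries with well-known shell escapes, such as the vi rule above. SAMPLE_SUDO_L is constructed to resemble sudo's output; only the NOPASSWD vi line mirrors what the writeup found.

```python
"""Added example (not from the target machine): parse `sudo -l` output and
flag rules for binaries with well-known shell escapes, such as the vi rule
exploited above. SAMPLE_SUDO_L is constructed to resemble that output."""
import re

# Editors, pagers and interpreters that can spawn a shell once run as root.
SHELL_ESCAPE_BINARIES = {
    "vi", "vim", "nano", "less", "more", "man",
    "find", "awk", "python", "python3", "perl", "bash", "sh",
}

# Constructed sample; the NOPASSWD vi line mirrors the misconfiguration in the room.
SAMPLE_SUDO_L = """\
Matching Defaults entries for rabbit on target:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User rabbit may run the following commands on target:
    (root) NOPASSWD: /usr/bin/vi
    (root) /usr/bin/apt-get update
    (ALL : ALL) NOPASSWD: /bin/cat /var/log/syslog
"""

# "(runas) TAG: TAG: /path/to/cmd args" as printed by sudo -l
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>/\S+)(?P<args>.*)$"
)


def parse_sudo_l(output: str) -> list:
    """Return one dict per command rule; Defaults and header lines are skipped."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        rules.append({
            "runas": m.group("runas").strip(),
            "nopasswd": "NOPASSWD" in tags,
            "noexec": "NOEXEC" in tags,
            "cmd": m.group("cmd"),
            "args": m.group("args").strip(),
        })
    return rules


def risky_rules(rules: list) -> list:
    """Rules that hand out a shell-escape binary without the NOEXEC tag.

    A password prompt does not help here: an attacker who logged in as the
    user already knows that password, so NOPASSWD only removes a speed bump.
    """
    flagged = []
    for r in rules:
        binary = r["cmd"].rsplit("/", 1)[-1]
        if binary in SHELL_ESCAPE_BINARIES and not r["noexec"]:
            flagged.append(r["cmd"])
    return flagged


def audit(output: str = SAMPLE_SUDO_L) -> list:
    return risky_rules(parse_sudo_l(output))


if __name__ == "__main__":
    for cmd in audit():
        print(f"shell escape possible via: sudo {cmd}")
```

Two practical caveats: if the real requirement is "edit a file as root", grant sudoedit on that file instead of an editor binary, and if an interactive program really must run as root, the NOEXEC tag in sudoers stops it from executing further programs (which is what :shell and :!sh rely on). Neither is a substitute for reviewing the rule itself.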