TryHackMe - Probe
This is a write-up of the Probe room on TryHackme. I will run through my attack methodology, trying to keep it spoiler-free and simply mentioning where an answer was found. All answers will be in their own segment following the write-up.
Scenario
Sometimes all you know against a target is an IP address. Can you complete the challenge and conduct an in-depth probe on the target?
Attack
Port and Service Scanning
I begin by starting the target machine, and then running a scan on it with nmap:
$ nmap -sV -p- <TARGET IP>
The results of this scan reveal:
PORT | STATE | SERVICE | VERSION |
---|---|---|---|
22/tcp | open | ssh | OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0) |
80/tcp | open | http | lighttpd 1.4.55 |
443/tcp | open | ssl/http | Apache httpd 2.4.41 |
1338/tcp | open | ftp | vsftpd 2.0.8 or later |
1443/tcp | open | ssl/http | Apache httpd 2.4.41 ((Ubuntu)) |
1883/tcp | open | | mosquitto version 1.6.9 |
8000/tcp | open | http | Apache httpd 2.4.41 ((Ubuntu)) |
9007/tcp | open | http | Apache httpd 2.4.41 |
Also:
Service Info: Host: ip-10-10-248-20.eu-west-1.compute.internal; OS: Linux; CPE: cpe:/o:linux:linux_kernel
From this scan we can answer questions 1, 2 and 12.
Walking Through Web Sites
As there are multiple web services running, I next looked to see what could be found by accessing the target with a web browser.
- over port 80:
  - http://<TARGET IP> - 403 Forbidden
  - http://<TARGET IP>:8000 - Blank page
- over port 443:
  - https://<TARGET IP> - “Warning: Potential Security Risk Ahead”. Click Advanced to reveal the Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT. Click View Certificate to answer questions 3 and 4.
  - https://<TARGET IP>:1443 - Again I received the warning about the self-signed certificate. Clicking Advanced > Continue will reveal a page showing all information about the PHP version. This information will answer question 5.
  - https://<TARGET IP>:9007 - This also issues a certificate error, but this one has the Error code: SSL_ERROR_BAD_CERT_DOMAIN. This certificate doesn’t reveal anything pertinent to the tasks at hand. Continue to the site to view an auto-generated blog page. I used Burp Suite to catch my request and the response, which reveals the answer to questions 8 and 9.
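The two browser error codes above come down to two checks on the served certificate: whether it is self-signed (subject equals issuer) and whether it covers the name that was requested. The following Python helper is an added example of my own, not part of the original write-up, that fetches a certificate and reports both; the hostnames and email address in the embedded sample are constructed, assumed values, not the room's real certificate.

```python
import socket
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert()
# (assumed values, not the room's real certificate). subject == issuer, so it is self-signed.
SAMPLE_CERT = {
    "subject": ((("commonName", "dev.example.thm"),), (("emailAddress", "admin@example.thm"),)),
    "issuer": ((("commonName", "dev.example.thm"),), (("emailAddress", "admin@example.thm"),)),
    "subjectAltName": (("DNS", "dev.example.thm"), ("DNS", "*.example.thm")),
}

def _rdn_to_dict(rdn_seq):
    """Flatten getpeercert()'s nested ((('commonName', 'x'),), ...) into a plain dict."""
    return {k: v for rdn in rdn_seq for (k, v) in rdn}

def _name_matches(pattern, host):
    """RFC 6125-style match: exact, or a single wildcard in the leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host

def assess_cert(cert, requested_host):
    """Summarise a getpeercert() dict: who it names, whether it is self-signed
    (the MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT case) and whether it covers the
    requested host (SSL_ERROR_BAD_CERT_DOMAIN when it does not)."""
    subject = _rdn_to_dict(cert.get("subject", ()))
    issuer = _rdn_to_dict(cert.get("issuer", ()))
    sans = [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]
    names = sans or [subject.get("commonName", "")]
    return {
        "subject_cn": subject.get("commonName", ""),
        "email": subject.get("emailAddress", ""),
        "names": names,
        "self_signed": subject == issuer,
        "host_matches": any(_name_matches(n, requested_host) for n in names),
    }

def fetch_cert(host, port, timeout=5):
    """Fetch a live server's certificate as a getpeercert() dict even when it is
    self-signed: grab the PEM first, then reconnect trusting exactly that cert,
    because getpeercert() returns {} unless verification actually ran.
    Requires Python 3.10+ (VERIFY_X509_PARTIAL_CHAIN); an expired cert still fails here."""
    pem = ssl.get_server_certificate((host, port), timeout=timeout)
    ctx = ssl.create_default_context(cadata=pem)
    ctx.check_hostname = False  # we report the mismatch ourselves instead of aborting
    ctx.verify_flags |= ssl.VERIFY_X509_PARTIAL_CHAIN  # accept the leaf as its own anchor
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    import sys
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    print(assess_cert(fetch_cert(target_host, target_port), target_host))
```

Run it as `python3 certcheck.py <TARGET IP> 443` against each HTTPS port to get the same subject, email, self-signed and name-mismatch facts the browser dialogs showed, in one place.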
FTP Testing
Next, I pivoted to the FTP service on port 1338 and attempted Anonymous login:
$ ftp <TARGET IP> -P 1338
Anonymous login was not permitted, however, the answer to question 6 was revealed.
Enumerating Web Directories
Next I used feroxbuster to enumerate the web server’s directories. I ran this against all the relevant ports, but only got results from the following:
$ feroxbuster -u http://<TARGET IP>:8000 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
- This scan returned http://<TARGET IP>:8000/phpmyadmin/ which is the answer to question 7.
- I also checked the page at /contactus which reveals the answer to question 13.
$ feroxbuster -u https://<TARGET IP>:9007 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/WebTechnologyPaths-Trickest-Wordlists/wordpress.txt -k
- Lots of /wp-content results, but nothing sticks out.
SQLi Testing
I tried sending a login request with username “test” and password “test” to http://<TARGET IP>:8000/phpmyadmin and it returned an error indicating that it is using MySQL. I also found /phpmyadmin/doc/html/index.html on this port, which has a section called “A word about users.” This section confirms the use of MySQL. I attempted to inject a single quote (') with no password, but got an error that the password field is empty. I tried this simple payload again with the password “test”, but the error did not change. This suggests that there is some type of input validation in place to prevent SQLi.
I decided to also run sqlmap against the target, as I am no expert in SQLi, and this is a pretty handy tool.
First I entered username “test” and password “test,” then caught the POST request with Burp Suite and copied it to a file called “request.” Then I ran the following:
$ sqlmap -r request http://<TARGET IP>:8000/phpmyadmin
This confirmed the page is most likely not vulnerable to SQLi.
Wordpress Enumeration
At this point I pivoted to the Wordpress site on port 9007. I decided to check for anything interesting using:
$ wpscan --url https://10.10.125.31:9007 -e --disable-tls-checks
This revealed the answer to question 10.
Vulnerability Scanning
Question 11 mentions vulnerability scanning and OSVDB-3092. Kali comes with nikto installed. So, let’s do that:
$ nikto -host https://<TARGET IP>:9007
After quite some time, the scan finishes, and amongst the results it shows OSVDB-3092: /license.txt which is the answer to question 11.
Conclusion
This was a fun exercise. I find that many CTFs are more focused on simply finding flags or getting root. This room, on the other hand, was not focused on “pwning” the box. Even with some of the questions being hints in and of themselves, this felt like a more realistic engagement.
Answers
- Question 1:
  - What is the version of Apache server?
  - 2.4.41
- Question 2:
  - What is the port number of the FTP service?
  - 1338
- Question 3:
  - What is the FQDN for the website hosted using a self-signed certificate and contains critical server information as the homepage?
  - dev.probe.thm
- Question 4:
  - What is the email address associated with the SSL certificate used to sign the website mentioned in Q3?
  - probe@probe.thm
- Question 5:
  - What is the value of the PHP Extension Build on the server?
  - API20190902,NTS
- Question 6:
  - What is the banner for the FTP service?
  - THM{WELCOME_101113}
- Question 7:
  - What software is used for managing the database on the server?
  - phpmyadmin
- Question 8:
  - What is the Content Management System (CMS) hosted on the server?
  - wordpress
- Question 9:
  - What is the version number of the CMS hosted on the server?
  - 6.2.2
- Question 10:
  - What is the username for the admin panel of the CMS?
  - joomla
- Question 11:
  - During vulnerability scanning, OSVDB-3092 detects a file that may be used to identify the blogging site software. What is the name of the file?
  - license.txt
- Question 12:
  - What is the name of the software being used on the standard HTTP port?
  - lighttpd
- Question 13:
  - What is the flag value associated with the web page hosted on port 8000?
  - THM{CONTACT_US_1100}