In this video walk-through, we have covered various security concepts such as extracting NTLM hashes from SMB traffic and recovering Wi-Fi credentials from Wireshark network captures. We also covered remote code execution (RCE) through the CMS blog page.

Good Morning! Our intel tells us that he has returned. Super-spam, the evil alien villain from the planet Alpha Solaris IV from the outer reaches of the Andromeda Galaxy. He is a most wanted notorious cosmos hacker who has made it his lifetime mission to attack every Linux server possible on his journey to a Linux-free galaxy. As an avid Windows proponent, Super-spam has now arrived on Earth and has managed to hack into OUR Linux machine in pursuit of his ultimate goal. We must regain control of our server before it’s too late! Find a way to hack back in to discover his next evil plan for total Windows domination! Beware, super-spam’s evil powers are to confuse and deter his victims.

Initial Scans and FTP Fun

I started with an Nmap scan, which showed me a few open ports, including an FTP server that allowed anonymous access. I logged in and found a couple of note files and a directory full of network capture files. One of the notes mentioned an “evil plan” and something about a “Linux free galaxy,” which was a fun little clue.

Web Server and Wireshark

The website was running on Concrete5 CMS, and I found a known vulnerability that would let me upload a PHP file once I was authenticated.

To get credentials, I started digging through the network capture files with Wireshark. In one of the files, I found an NTLM hash from an SMB session. I used Hashcat to crack it, but the password I got wasn’t useful for this challenge.

In another capture file, I found some Wi-Fi traffic. I used Aircrack-ng to crack the Wi-Fi password and got “sandiego.”

Getting a Foothold and the User Flag

I then went back to the Concrete5 website and found a blog post by a user named “donald dump.” I tried the credentials “donald dump” and “sandiego,” and they worked! I was in.

I went to the settings, allowed PHP file uploads, and then uploaded a PHP reverse shell. I set up a Netcat listener, clicked the link to my uploaded file, and got my first shell. From there, I was able to find the user.txt file and grab the first flag.

XOR Encryption and VNC

I found some encrypted files and a note that said they were encrypted with XOR and that the same key was used eight times. I also found a Python script that would XOR two images together. By XORing two of the encrypted images, I was able to get a new password.
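The weakness that makes the XOR step above work is key reuse: XORing two ciphertexts encrypted under the same key cancels the key and leaves the XOR of the two plaintexts. The Python below is an added example, not code from the walkthrough or the room; the key, messages and file contents are constructed.

```python
# Added example (not from the original walkthrough): why reusing one XOR key
# across several messages is fatal. Key and messages below are constructed.

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` against `key`, cycling the key to cover the whole input."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def xor_equal_length(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings position by position, truncating to the shorter."""
    return bytes(x ^ y for x, y in zip(a, b))

def recover_with_known_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Given two ciphertexts under the same key and the plaintext of the first,
    return the plaintext of the second. The key is never needed:
        c1 ^ c2 = (p1 ^ k) ^ (p2 ^ k) = p1 ^ p2, and (p1 ^ p2) ^ p1 = p2."""
    return xor_equal_length(xor_equal_length(c1, c2), known_p1)

def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """With one fully known message the repeating key itself is exposed,
    and it then decrypts every other file encrypted with it."""
    stream = xor_equal_length(ciphertext, known_plaintext)
    if len(stream) < key_len:
        raise ValueError("known plaintext shorter than the key")
    return stream[:key_len]

# Constructed sample data (not values from the room).
SAMPLE_KEY = b"alphasolaris"
MESSAGE_A = b"Phase one: land on Earth and scan for Linux hosts."
MESSAGE_B = b"Phase two: the vault password is kept in image 7. "
CIPHER_A = xor_bytes(MESSAGE_A, SAMPLE_KEY)
CIPHER_B = xor_bytes(MESSAGE_B, SAMPLE_KEY)

if __name__ == "__main__":
    # With message A known, message B and the key both fall out of the
    # ciphertexts alone; this is the risk a per-file or one-time key avoids.
    print(recover_with_known_plaintext(CIPHER_A, CIPHER_B, MESSAGE_A).decode())
    print(recover_key(CIPHER_A, MESSAGE_A, len(SAMPLE_KEY)))
```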

I used this new password to SSH into the machine as “donald dump.” In his home directory, I found a VNC password file. I downloaded a VNC password decryption tool, and it gave me the password “vnc_privilege.”

Root Flag and Final Secrets 🚩

I used a VNC viewer to connect to the machine and found that I was logged in as root. The root flag wasn’t in the usual place, so I generated some SSH keys, added my public key to the authorized_keys file, and then downloaded the private key to my machine.

I logged in as root via SSH and still couldn’t find the flag. I found a file with some base64 encoded strings, and after decoding them with CyberChef, I finally had the root flag.

Technical Commands Used

Here are the technical commands I used in the terminal during the demonstration:

ssh-keygen
ftp
ls
get note
cd
ls -la
exit
clear
cat quick note
wireshark
aircrack-ng
ifconfig
nc -lvnp
ls
cd
cat
python http server
python
ssh
chmod
ps aox
vncpasswd
gcc
python3 -m http.server

TryHackMe Super Spam Answers

What CMS and version is being used? (format: wordpress x.x.x)

What is the user flag?

What type of encryption did super-spam use to send his encrypted messages?

What key information was embedded in one of super-spam’s encrypted messages?

What is the root flag?

Video Walk-through

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
