Chronicle

https://tryhackme.com/room/chronicle

User Flag

Let's start with an nmap scan.

We see there are just three open ports (22, 80, 8081). Let's head to port 80.

Nothing interesting at first sight. Let's use dirsearch and see if there's something hidden.

We see there's an /old/ folder. Let's check it.

Apparently there's a new app and everything has been moved there. But before moving on to port 8081 we used dirsearch again to see if we missed something.

There's a .git folder. That means we can download it and search for older commits and see if we find something useful.

Using gitdumper.sh from GitTools we can download .git on our computer.

With extractor.sh we can extract the commits in a way we can easily read them.

Checking the commits, we find there's an app.py file that gives us the user and password of a given username.

In one of the commits we find an API key.
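The API key above came out of the commit history, which is the part of a repository that is easy to forget when reviewing it for secrets. As an added example (not part of the original write-up), this sketch scans `git log -p` output for hard-coded credentials and flags the ones a newer commit deleted; the regex, the sample log, its hashes and the key value are constructed for illustration.

```python
import re

# Heuristic for hard-coded credentials such as API_KEY = "..." or "token": "...".
SECRET_RE = re.compile(
    r"""\b(api[_-]?key|secret|token|passw(?:or)?d)\b["']?\s*[:=]\s*["']([^"']{8,})["']""",
    re.IGNORECASE)

# Constructed `git log -p` output, newest commit first; hashes and key are made up.
SAMPLE_LOG = '''\
commit 2222222222222222222222222222222222222222
    Read the key from the environment
--- a/app.py
+++ b/app.py
@@ -1,2 +1,2 @@
 import os
-API_KEY = "EXAMPLEKEY0123456789"
+API_KEY = os.environ["API_KEY"]
commit 1111111111111111111111111111111111111111
    Initial commit
--- /dev/null
+++ b/app.py
@@ -0,0 +1,2 @@
+import os
+API_KEY = "EXAMPLEKEY0123456789"
'''

def scan_history(log_text):
    """Find secrets added in any commit; values are truncated in the report."""
    findings, removed, pending = [], set(), set()
    commit = path = None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:8]
            removed |= pending  # deletions seen in newer commits
            pending = set()
        elif line.startswith("+++ "):
            path = line[6:] if line.startswith("+++ b/") else line[4:]
        elif line.startswith(("+", "-")) and not line.startswith("--- "):
            m = SECRET_RE.search(line[1:])
            if m and line[0] == "-":
                pending.add(m.group(2))  # removed here, but older commits keep it
            elif m:
                findings.append({"commit": commit, "file": path, "value": m.group(2)[:4] + "...",
                                 "removed_later": m.group(2) in removed})
    return findings

if __name__ == "__main__":
    for finding in scan_history(SAMPLE_LOG):
        print(finding)
```

A finding with `removed_later` set still needs the key rotated, since deleting it in a newer commit leaves it readable in the history.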

In the static files we find something interesting. We can use the API key we found to see if we can get some credentials.

Let's head to port 8081 and let's see if we find a login panel.

With Burp Suite let's intercept the request and change the API key.

We tried to SSH into the machine with those credentials, but it didn't work. The next step is to fuzz usernames and see if we get something juicy. We'll use Turbo Intruder and the names.txt SecLists file.

After a few minutes we find a username and a password.

Let's ssh into the machine with the found credentials and grab the flag.

Root Flag

We see there's another user folder in /home/. Let's take a look at it.

Interesting. There's a .mozilla folder. Let's see if the user has saved credentials.

The credentials are encrypted. We can use a tool called "firefox decrypt" to get the password in clear text. We downloaded the .mozilla folder to our machine and used the tool:

We got a password. Let's change users.

We see there's a binary in the mailing directory. After a while trying to see how it works and see if we could get a rev shell out of it, we saw it broke, so it's probably vulnerable to a buffer overflow.

I don't know much about BOs so I just googled about it and copy pasted the following code:

Let's run it and grab the root flag.
