Cold VVars
https://tryhackme.com/room/coldvvars
Note: If you see that the victim IP is not the same, it is because I had to restart the machine.
User Flag
Let's start with enumeration as always.

We see there are a few open ports. Let's enumerate SMB.

We tried to access the SECURED share but we don't have permissions for it, so let's move on to the HTTP ports.
Let's start with port 8080.

A plain Apache2 default page. We can run gobuster and see if we find something interesting.

The /dev folder looked promising, but we can't access it, so let's move on to port 8082.

After looking around we found a login portal.

The HINT says "The PATH may sometimes make a cross". We guess it's all about XPath injection. We can try the following list to see if we get anything:

Trying that list was a failure, but after a while we saw that if we swapped the single quotes for double quotes we got what we wanted.


Now we can try to access the SECURED SMB share with one of those credentials.

Bingo. Let's grab the note and see what's inside.

Nothing obviously useful. We can check the /dev folder we discovered earlier and see if it is hosted there.

Nice. Now we can upload a reverse shell and execute it from the website.


Don't forget to start a listener.

And we're in. Switch to the ArthurMorgan user with the credentials we found.

Let's grab the flag.

Root Flag
Now we have to go after the root flag. Before using any automated tool we can check the open ports.


Nothing.
Going by the name of the room, we can check "env" next:

We see there's an open port. What if we try to connect to it?

Press 4

We can try to escalate privileges using the GTFOBins steps for Vim.

Nice, we're now Marston. Let's upgrade the shell and keep looking.
Using ps aux we can see there's a tmux session running.

We can use the last command to attach to the last session.

With the tmux session open, we can now move between windows (Ctrl + b) and grab the flag from the root one.
