Super-Spam

https://tryhackme.com/room/superspamr

User Flag

We start with an nmap scan.

We see there are a few open ports. Let's head to port 80 and see if Wappalyzer can tell us which CMS the website is running.

We got the CMS and the version. The next step is to log in to the FTP service and see if we find anything interesting.

We see there are two folders (one of them hidden) and a note. Let's download everything to our machine so we can take a better look.

Let's read the notes we found.

Well, apparently the website has been hacked by Super-Spam, and they left us a clue on how they did it. Let's open the SamsNetwork.cap file to find out how Super-Spam got in.

The file looks like the capture generated when we grab a handshake during Wi-Fi hacking, so we can try to crack the password with aircrack-ng.

aircrack-ng -w /usr/share/wordlists/rockyou.txt -b d2:f8:8c:31:9f:17 SamsNetwork.cap

After a few minutes we get the password.

We got a password but we need a username. Let's take a look around the website and see if we find any username we can use.

Blog posts show us different users. We can write down the users and fuzz the login page.

We took a wild guess and found that Donald Dump is the user to go with, but we could also have used Hydra or Burp Suite to fuzz the username.

We got in, though apparently there's a problem, since it shows us a TimeoutException.

It doesn't matter. Go to http://IP://concrete5/index.php and you'll see you have admin rights on the website.

We can try to get a reverse shell by editing one of the pages and adding our malicious PHP file.

We got an error saying the extension is not valid. After a quick search on Google I found the following blog post explaining how to change the allowed file types:

Go to System & Settings > Allowed File Types and add the php extension.

Let's try to upload the shell again.

Nice. It worked. The website gives us a link; now we just have to start a listener and click on the link to get a shell.

We are in. Taking a look around the machine we find a flag inside the /personal/work folder.

Root Flag

To get root access we have to keep enumerating the machine. We found a note containing the next evil plan, but it doesn't look like it has anything useful inside, so we have to move on.

Inside the Lucy Loser folder we found a hidden folder containing encrypted messages, a script, and a note.

Let's read the note.

Let's take a look at the script.

We can download everything to our machine.

Let's take a look at the pictures.

The d.png is the clearest one. We can see a password.

Now we can use the password to log in as Donald Dump.

We find the user flag again inside the home folder (we had to change the permissions on the folder to get inside).

There's an interesting file called passwd.

After a while spent trying to decrypt or decode the password with no luck, and trying to use it to log in as root or other users, we remembered we had another open port running the VNC service.

Let's download the passwd file to our machine.

Now let's see if we can log in to the service.

vncviewer -passwd passwd 10.10.58.158::5901

It worked. Let's grab the flag.

Sadly, the flag is encoded and we can't copy and paste it from this shell. We saw there's a .ssh directory in the root folder, so we can generate an SSH key, add the public key to the authorized_keys file, and download the private key to our machine to log in as root over SSH.

Let's see if it works.

We're in as root. Grab the encoded flag and decode it using CyberChef.
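The root login above works because nothing on the box notices a new public key appearing in root's authorized_keys. As an added example (not part of the room or this writeup), here is a small defender-side audit that parses an authorized_keys file, computes the same SHA256 fingerprints ssh-keygen -lf prints, and reports any key not on an approved list; the file contents and key blobs are constructed for the demo, not real keys.

```python
import base64
import hashlib


def fingerprint(key_blob_b64: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (unpadded base64)."""
    raw = base64.b64decode(key_blob_b64)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (key_type, fingerprint, comment) per key line.

    Blank lines and comments are skipped. A leading options field such as
    command="..." is tolerated by locating the key-type token first.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        idx = next((i for i, p in enumerate(parts)
                    if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(parts):
            continue  # malformed line, nothing to fingerprint
        comment = " ".join(parts[idx + 2:])
        yield parts[idx], fingerprint(parts[idx + 1]), comment


def unknown_keys(text: str, approved: set) -> list:
    """Return entries whose fingerprint is not on the approved allowlist."""
    return [(t, fp, c) for t, fp, c in parse_authorized_keys(text) if fp not in approved]


# Constructed sample: fake base64 blobs standing in for real keys. One entry is on
# the allowlist; the other is an unexpected key appended by someone with shell access.
APPROVED_BLOB = base64.b64encode(b"constructed-approved-key").decode()
ROGUE_BLOB = base64.b64encode(b"constructed-rogue-key").decode()
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# root's keys",
    f"ssh-ed25519 {APPROVED_BLOB} admin@workstation",
    f'command="/usr/bin/backup" ssh-rsa {ROGUE_BLOB} user@unknown-host',
])
APPROVED_FINGERPRINTS = {fingerprint(APPROVED_BLOB)}  # assumed operator allowlist

if __name__ == "__main__":
    for key_type, fp, comment in unknown_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED_FINGERPRINTS):
        print(f"UNKNOWN {key_type} {fp} {comment!r}")
```

Run against a real file by reading it into the text argument; pairing the check with a file-integrity monitor on /root/.ssh/authorized_keys catches the change at write time rather than at the next audit.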
