#3.TryHackMe Series writeups: Valley
Hello guys 👋 I’m back with another walkthrough, this time tackling the Valley lab from TryHackMe.
This lab involves deep enumeration, FTP interaction, network packet analysis, binary analysis, hash cracking, and Python library hijacking, all of which lead to privilege escalation!
So let’s start!
First we need to enumerate the box. We will use nmap to find the open ports and the services behind them.
Command: nmap -sV -sC <IP>
The scan shows the open ports and the services running on them: SSH and HTTP.
Let’s try to access the HTTP service running on it.
After viewing the page, there was nothing interesting to check. So, let’s look for other endpoints on the website. For that, we will use a directory brute-forcing tool, “dirsearch”.
Command: dirsearch -u http://<IP> -r -w /usr/share/wordlists/dirb/common.txt
We can see a lot of directories; let’s pick “/pricing”, which contains a note.txt file. Reading it, we learn that the developer of the website has left notes scattered around the site.
Another directory, “/static/00”, is where the developer left those notes.
Here, we can see the endpoint /dev124xxxxx3, let’s access it.
Oops!! We got a login page, but how do we log in😨?
Let’s check the source of the login page. The username and password are hardcoded right there.
There are also .txt notes in the directory. In them, the developer advises changing the FTP port.
The note warns against reusing credentials, so let’s try exactly that: connect to FTP on the new port and log in with the discovered credentials.
On the FTP server we find .pcapng files. Let’s copy them to the local machine.
These files can be opened with the packet analyzer Wireshark. After analyzing the captures, we find a set of credentials.
So far we have covered the FTP and HTTP ports.
Let’s try the SSH port with the credentials.
Command: ssh valleyDev@<IP>
Hurray!! We got our first flag.
Now it’s time to escalate our privileges.
As usual, we check the user’s permissions, but this time it’s not as simple as we anticipated.
After searching through all of the directories, we find a file belonging to the user valley called “valleyAuthenticator” in the /home directory.
So the path is now clear: before we can reach root, we must first become the “valley” user.
Checking the file type shows it is an ELF executable. Let’s copy it to the local machine.
Command: scp valleyDev@<IP>:/home/valleyAuthenticator .
Let’s check which strings are present in the file.
Command: strings valleyAuthenticator > strings.txt
Among the strings is one that looks like a hash. For now we can look it up on CrackStation; a hash cracker like hashcat or john would also work.
The result looks like a password. Let’s try to log in with it.
Command: ssh valley@<IP>
Note that we are now also a member of the valleyAdmin group. Let’s check which files that group has access to:
The cron jobs may hold the answer: one of them runs a photosEncrypt.py script, which we can analyze.
The script imports Python’s base64 library, which is among the files we found earlier for the valleyAdmin group.
Because the b64encode method is always executed, we can insert a Python reverse shell into it that connects back to our attacker IP.
Start a listener on our attacker IP address and wait for a connection.
BOOM!!! 💥💥 We got the flag.
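The root cause of this privilege escalation is a Python module file that a non-root group can edit while root’s cron job imports it. The following audit script is an added example, not part of this writeup or of the lab; it statically lists a script’s imports, resolves each to the file the interpreter would actually load (with the script’s own directory first on sys.path, as `python3 script.py` does), and flags any module file that is not root-owned or is group- or world-writable. Run it with the same interpreter cron uses, e.g. `python3 audit_imports.py /path/to/photosEncrypt.py` (the audit file name and script path are assumptions).

```python
import ast
import importlib.util
import os
import stat
import sys

def imported_names(source: str) -> list:
    """Top-level module names the script imports, found statically via ast."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)

def mode_issues(mode: int, uid: int, gid: int) -> list:
    """Why a file with this mode/owner could be edited by someone other than root."""
    issues = []
    if uid != 0:
        issues.append(f"owned by uid {uid}, not root")
    if mode & stat.S_IWGRP and gid != 0:  # e.g. a group like valleyAdmin owning base64.py
        issues.append(f"group-writable (gid {gid})")
    if mode & stat.S_IWOTH:
        issues.append("world-writable")
    return issues

def resolve(name: str):
    """File the interpreter would load for this module; None if built in or frozen."""
    spec = importlib.util.find_spec(name)
    return spec.origin if spec and spec.has_location and spec.origin else None

def audit_script(path: str) -> dict:
    """Map each resolved import to its permission issues (empty list = fine)."""
    script_dir = os.path.dirname(os.path.abspath(path))
    if script_dir not in sys.path:
        sys.path.insert(0, script_dir)  # 'python3 script.py' searches its dir first
    with open(path) as f:
        names = imported_names(f.read())
    report = {}
    for name in names:
        origin = resolve(name)
        if origin is not None:
            st = os.stat(origin)
            report[origin] = mode_issues(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return report

if __name__ == "__main__":
    for origin, issues in audit_script(sys.argv[1]).items():
        print("WRITABLE" if issues else "ok      ", origin, "; ".join(issues))
```

Any line marked WRITABLE is a file root will execute that a lower-privileged user can rewrite; the fix is `chown root:root` plus `chmod 644` on the module, and the same check applies to the script file and its directory.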
I appreciate you taking the time to read. For other such writeups, do visit the TryHackMe Series writeups.
If you found it useful, please click the 👏 button and share it with others who have similar interests! Feedback is always appreciated!!😊