Vulnhub-Walkthrough: Thoth-Tech: 1
Hi everyone!!! As promised in my last CTF walkthrough, I have tried something different by challenging myself with a different machine. Today, we are gonna look at how to take down the Thoth machine. Lesssgoo🔥🔥🔥…enjoy!
Download Link: https://download.vulnhub.com/thothtech/Thoth-Tech.ova
Machine creator: Pwnlab.me
Write-up Author: Nitunga Baptiste Billy
Difficulty: Easy…with a little twist
Step 1: Enumeration
We start it off with a network scan, using netdiscover, to identify the IP address of our vulnerable machine in our internal network.
netdiscover -r 192.168.4.0/24
In my case, the IP address is: 192.168.4.33
We continue the enumeration with an nmap scan to see which ports are open (-sC runs the default scripts, -sV detects service versions) using the following command:
nmap -sC -sV 192.168.4.33
We have 3 open ports. I decided to go with the FTP server first, since the scan shows there is a note.txt for us.
ftp 192.168.4.33
username: anonymous
password:
After logging in, I downloaded the note.txt file using:
get note.txt
This downloads the file to our attacker machine. We then cat out the file.
It seems like a hint giving us a possible username, pwnlab, and telling us that the password is very weak. If the password is weak, it is probably in the rockyou wordlist.
Step 2: Foothold
I decided to use hydra to brute-force the SSH login.
hydra -l pwnlab -P /usr/share/wordlists/rockyou.txt ssh://192.168.4.33
That was quick and easy.
Step 4: Gaining Access
Let’s SSH into the machine using the credentials (pwnlab / babygirl1).
After getting the user.txt, let’s see if we can escalate our privileges.
Step 5: Privilege Escalation
Let’s see if we are in the sudoers list.
sudo -l
Bingo! We can run the find binary as root with no password required.
There is a great website called GTFOBins that lists payloads for different binaries.
I copy the payload and paste it into the machine.
We have a root shell. The last step is to get the root flag in the root directory.
That’s it.
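From the defender's side, the misconfiguration used in Step 5 is easy to audit for. The script below is an added example, not part of the original walkthrough: it parses `sudo -l` output and flags rules that let a user run a shell-capable binary as root. The sample output, the hostname thoth and the short SHELL_CAPABLE list are constructed assumptions for illustration.

```python
import re

# Illustrative subset of binaries that can spawn a shell or run arbitrary
# commands (an assumption for this example; GTFOBins documents many more).
SHELL_CAPABLE = {"find", "vim", "vi", "less", "more", "awk", "nmap", "perl",
                 "python", "python3", "tar", "env", "bash", "sh", "man"}

# Rule lines in `sudo -l` output look like "    (root) NOPASSWD: /usr/bin/find"
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")  # NOPASSWD:, PASSWD:, SETENV:, ...

def audit_sudo_l(output):
    """Return findings for root-level rules on shell-capable binaries."""
    findings = []
    for line in output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header or Defaults line, not a rule
        runas_user = m.group("runas").split(":")[0].strip()
        as_root = runas_user in ("root", "ALL")
        nopasswd = False
        for item in m.group("cmds").split(","):
            item = item.strip()
            # A tag prefixes a command and carries forward to later ones.
            while (t := TAG.match(item)):
                if t.group(1) == "NOPASSWD":
                    nopasswd = True
                elif t.group(1) == "PASSWD":
                    nopasswd = False
                item = item[t.end():]
            if not item:
                continue
            binary = item.split()[0]
            name = binary.rsplit("/", 1)[-1]
            if as_root and (binary == "ALL" or name in SHELL_CAPABLE):
                findings.append({"command": binary, "nopasswd": nopasswd,
                                 "severity": "high" if nopasswd else "medium"})
    return findings

# Constructed sample output (hostname and the extra rules are made up).
SAMPLE = """\
Matching Defaults entries for pwnlab on thoth:
    env_reset, mail_badpass

User pwnlab may run the following commands on thoth:
    (root) NOPASSWD: /usr/bin/find
    (root) /usr/bin/uptime, /usr/bin/less /var/log/syslog
    (backup) NOPASSWD: /usr/bin/tar
"""

if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE):
        print(f"[{f['severity']}] {f['command']} (NOPASSWD={f['nopasswd']})")
```

Any rule it flags should be removed from sudoers or replaced with a narrow wrapper script that takes no user-controlled arguments.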
Conclusion
This machine wasn’t too hard, but it did make me think a bit to figure out what the hint in note.txt was all about. Luckily, I didn’t start with port 80 enumeration, or I would’ve struggled a lot more. Thanks for checking out the walkthrough! Maybe the next machine will be more challenging for us. CIAO!!