Tweety CTF – Try Hack Me

Hello guys! It’s been a while since my last post, but I’m currently studying for my eCPPT (Professional Penetration Tester). I’ve had a few ups and downs with it and had to look for additional learning resources so I could understand some topics better.

Enumeration and gaining access

So… Tweety CTF was designed by me, and I chose to rank it as hard on the Try Hack Me platform. Let’s start with a full-range TCP port scan as follows:

Trying to access SMB led nowhere, so let’s see what else we can do.

My next move was to check the web server and see if I could find anything interesting. I ran gobuster and the admin folder popped up, but when I accessed it, it looked like it had been hacked.

I downloaded the image and ran steghide and binwalk with no luck. Then I used exiftool to check it out, and something interesting popped up:

As the description said, the only hint was in the title. Analyzing the image and the title, I concluded that it was worth searching Twitter (the blue bird, the name of the challenge) for that user name, and I came across this:

Access the link and download the pcapng file, then open it with Wireshark. I started looking for connections to the open ports on the target system. After a while I found a connection with clear-text credentials on port 2121:

Connecting to the FTP server on port 2121, I retrieved a file named help.txt and found a new system user called zach.

I brute-forced the newly found user with hydra and cracked his password:

Access SMB with the found user and password and explore its shares:

I connected to SSH as the kevin user with the password he mentioned in the files.

I got user access to the system, so now I can get the user flag. The user flag is located in a hidden directory.

Privilege Escalation

After enumerating the system I found nothing… but doing a folder listing of / I found a folder named backup which contained the following bash script:

With that information, and the fact that there was a cron job running every 5 minutes, I created a symlink to the root directory.

Linking the root folder into the tmp directory from kevin’s home directory, I was able to read the root flag.
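The root flag is readable only because a root cron job copies a user-writable directory without caring what the entries in it point to. The box’s own backup script is not reproduced on this page, so the following is an added example of my own (not the box’s script) showing how such a job should be written: it audits the tree for symlinks and hard links before copying and never dereferences links when it does. The helper names (audit_tree, safe_backup, demo) and the demonstration tree are made up for the example.

```sh
#!/bin/sh
# Hardened backup helper: an added example, not the CTF box's own script.
# A root cron job that archives a user-writable tree while dereferencing
# links (cp -rL, tar -h, cat on each file, ...) copies whatever a planted
# symlink points at, which is exactly how the root flag was read above.

# audit_tree SRC
#   Prints every symlink and every multiply hard-linked regular file under
#   SRC to stderr and returns 1 if any exist (a hard link to a root-owned
#   file leaks just like a symlink when copied). Returns 0 otherwise.
audit_tree() {
  src="$1"
  # find does not follow symlinks by default, so a link to / is not descended
  links=$(find "$src" -type l)
  hardlinks=$(find "$src" -type f -links +1)
  [ -z "$links" ] && [ -z "$hardlinks" ] && return 0
  [ -n "$links" ] && printf 'refused symlinks:\n%s\n' "$links" >&2
  [ -n "$hardlinks" ] && printf 'refused hard links:\n%s\n' "$hardlinks" >&2
  return 1
}

# safe_backup SRC DST
#   Copies SRC to DST only if SRC is a real directory (not itself a symlink)
#   and audit_tree passes. Returns 0 on success, 1 if the audit failed,
#   2 if SRC is not a plain directory.
safe_backup() {
  src="$1"; dst="$2"
  if [ -L "$src" ] || [ ! -d "$src" ]; then
    printf 'refused: %s is not a plain directory\n' "$src" >&2
    return 2
  fi
  audit_tree "$src" || return 1
  # -P: copy links as links even if one appears between audit and copy,
  # so a last-moment race still cannot make the backup dereference it
  cp -RP -- "$src" "$dst"
}

# Constructed demonstration (not from the box): one real file plus a
# planted link to /, which the helper must refuse.
demo() {
  tmp=$(mktemp -d)
  mkdir "$tmp/src" && echo "legit notes" > "$tmp/src/notes.txt"
  safe_backup "$tmp/src" "$tmp/backup1" && echo "clean tree: copied"
  ln -s / "$tmp/src/root"
  safe_backup "$tmp/src" "$tmp/backup2" || echo "planted link: refused (rc=$?)"
  rm -rf "$tmp"
}
demo
```

Pairing this with a cron entry that runs the job as an unprivileged service account instead of root removes the payoff even if the audit is ever bypassed.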