VulnNet:Endgame — TryHackMe Writeup
This box is rated as medium difficulty on TryHackMe. I feel the VulnNet series is one of the best room series on TryHackMe.
Introduction
“ VulnNet series is back with a new challenge.
It’s the final challenge in this series, compromise the system. Enumeration is the key.
Deploy the vulnerable machine by clicking the “Start Machine” button. Access the system at http://10.10.216.175 and http://vulnnet.thm domain. Answer the task questions to complete the challenge.”
Initial Scan
I started with the normal nmap scan and got the following results
Now we can add “vulnnet.thm” to the /etc/hosts file and visit the webpage
I ran gobuster against the server and got the following results but there was nothing in those directories.
After this, I started subdomain enumeration with ffuf and got the following results.
Note: I filtered the size because I was getting errors for that size
I added all the subdomains and visited every domain one-by-one.
1. api.vulnnet.thm
2. admin1.vulnnet.thm
3. blog.vulnnet.thm
4. shop.vulnnet.thm
After a lot of enumeration, I found that when we select posts it makes an API call to “api.vulnnet.thm”
Visiting the api link
I tried sql injection using sqlmap and found some creds
I tried the other database, filtered out columns and got this
This is an argon2 hash. I tried using John to crack the hash but the wordlist doesn’t seem to have the password. Then I used the list of passwords gathered above to crack it. First I cleaned the file
This is probably not the best way to do it but it worked for me.
Now I tried finding a login page, there is only one subdomain left that I didn’t enumerate and that was “admin.vulnnet.thm”. I tried running gobuster and found the following
I went to the “typo3” page and got the login panel, Phewww.
I tried logging in and uploading a file, but the PHP file was blocked
I tried PHP file bypasses but they didn’t work for me. Then I found out you can allow file types, as I had admin rights on the CMS.
Go to Settings -> Configure Installation-Wide Options -> Type Filedeny -> and remove the php line.
And now I can upload php files.
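The setting edited above is TYPO3's `$GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern']`, so a configuration audit can catch this kind of weakening. The following is an added example, not part of the original writeup or of TYPO3: it tests a configured pattern against constructed upload names. The default pattern shown, the case-insensitive matching and the weakened pattern are assumptions to compare against your installed version.

```python
import re

# Assumed stock value of BE/fileDenyPattern; verify against your TYPO3 release.
ASSUMED_DEFAULT = (r"\.(php[3-8]?|phpsh|phtml|pht|phar|shtml|cgi)(\..*)?$"
                   r"|\.pl$|^\.htaccess$")

# Constructed example of the pattern after the PHP alternative has been removed.
WEAKENED = r"\.(phpsh|phtml|pht|phar|shtml|cgi)(\..*)?$|\.pl$|^\.htaccess$"

# Constructed upload names that a web-served upload folder should never accept.
PROBES = ["shell.php", "shell.PHP", "shell.php5", "shell.phtml", "shell.phar",
          "shell.php.jpg", "run.cgi", "run.pl", ".htaccess"]


def allowed_uploads(deny_pattern, names=PROBES):
    """Return the probe names the deny pattern would let through."""
    if not deny_pattern:
        # An emptied setting denies nothing at all.
        return list(names)
    # Assumption: the CMS applies the pattern case-insensitively.
    rx = re.compile(deny_pattern, re.IGNORECASE)
    return [n for n in names if not rx.search(n)]


def audit(deny_pattern):
    """Summarise whether the configured pattern still blocks every probe."""
    leaks = allowed_uploads(deny_pattern)
    return {"ok": not leaks, "allowed": leaks}


if __name__ == "__main__":
    for label, pattern in (("default", ASSUMED_DEFAULT),
                           ("weakened", WEAKENED),
                           ("empty", "")):
        print(label, audit(pattern))
```

Running the same check from a scheduled job against the live configuration turns a silent admin-panel change into an alert.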
Finally after clicking the view file button I got the revshell
Now I ran linpeas to see the PE vectors.
I found the .mozilla directory by looking at hints in Discord and transferred it to my VM.
I tried firefox decrypter but it didn’t work, so I changed the profile.ini file with this to see if it contains any password
We got the system password and now I logged in to ssh
Now for privesc I again ran linpeas and saw the capabilities
I googled and found a link for privesc
I ran the same steps as mentioned and got the shell
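From the defender's side, the same file-capability listing that linpeas surfaces can be audited directly. The following is an added example, not part of the original writeup: it parses `getcap -r /` style output and reports binaries holding capabilities that allow changing identity or bypassing file permissions. The sample output, its paths and the risky-capability list are constructed for illustration and do not describe this box.

```python
import re

# Capabilities that let a process change identity or bypass file permissions.
RISKY = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
         "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown",
         "cap_fowner"}

# Constructed getcap output mixing the older "path = caps+flags" layout
# with the newer "path caps=flags" layout.
SAMPLE = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet cap_net_raw=ep
/opt/tools/interp = cap_setuid+ep
/opt/tools/backup cap_dac_read_search,cap_chown=eip
/usr/lib/example/helper cap_net_bind_service,cap_net_admin=ep
"""

# Handles a single capability clause per line, which covers typical output.
LINE = re.compile(
    r"^(?P<path>\S.*?)\s+(?:=\s+)?(?P<caps>[a-z_,0-9]+)[+=](?P<flags>[eip]+)$")


def risky_file_caps(getcap_output):
    """Return [(path, [risky capabilities])] for binaries worth reviewing."""
    findings = []
    for raw in getcap_output.splitlines():
        match = LINE.match(raw.strip())
        if not match:
            continue  # blank line or a layout this parser does not know
        if "p" not in match.group("flags"):
            continue  # not in the permitted set, so not usable on exec
        hits = sorted(set(match.group("caps").split(",")) & RISKY)
        if hits:
            findings.append((match.group("path"), hits))
    return findings


if __name__ == "__main__":
    for path, caps in risky_file_caps(SAMPLE):
        print(f"REVIEW {path}: {', '.join(caps)}")
```

Any interpreter or general-purpose tool in the findings should have the capability removed with `setcap -r <path>` unless there is a documented need for it.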
Finally get the root flag from the root’s home directory
This was all about the Endgame room. I really enjoyed the room; it had a hell of a lot of enumeration, which took me a lot of time to solve. The techniques for privesc to system and root were something I didn’t expect, but with that I learned something new.
Hope you guys also learned something from the box.
Happy Hacking!!!