*Nerdherd (THM)

TryHackMeNerdherd Write-Up

topics: Web application security, Linux Privilege Escalation

  1. Enumeration

  2. Local Privilege Escalation

  3. Root Privilege Escalation

new tools:

this room involves a technique that ive not yet learned (or is on the OSCP exam) so i'll have to revist

Enumeration

initial nmap scan .././autonmap.sh $ip Basic

w

w

FTP

ftp $ip

w

explore .jokesonyou and youfoundme.png

w

SMB

smbclient -L //$ip/ -N

w

have two unique shares but no printers were found

want to guess that because the room is themed around the "Chuck" TV show that one of the usernames will be of the titular character.

enum4linux $ip

w we see a user chuck is confirmed to have an account. from the scan we also see users nobody (local SMB account) and ftpuser (noted as local UNIX account) as well as some password information

w

reset chucks or nobody password?

might have to create a custom wordlist or just bruteforce in general.

Waste (1337)

w

www we also get a popup stating that the "hacker" left us something, hinting at a clue in the source code

w

w

this info was found from the "jokesonyou" directory so could be another rabbit hole

youtube page for song surfin bird

w

Enumeration Results

Service

Result

FTP

found rabbit hole & file directing us to port 1337

SMB

found unique shares, 3 usernames, need creds

Waste (1337)

pop up with link to song Surfin Bird with message "maybe what you need is here"

w

Local Privilege Escalation

Root Privilege Escalation

sudo -l

w

w

Last updated