This is my walkthrough of how I did the CherryBlossom box on tryhackme.com. It was an amazing box and fair play to the creator for this one, a very smart guy known only as MuirlandOracle.
This box consists of multiple layers of steganography which eventually lead you to a journal/diary, from which you find information that leads you to a shell on the box, then lateral movement to another user and finally rooting the box. It was painstaking work and not for the faint-hearted 🙂 Enjoy the read.
Warning: most filenames have been either changed in the screenshots or blurred to encourage you to go find these things yourself 😉
L3t’s G3t A $h3ll
First things first, we need to do an nmap scan of the box.
Nmap shows us that we have ports 22 (SSH), 139 and 445 (Samba) open. Let's start enumerating the Samba services using enum4linux.
enum4linux -a <ipaddress>
Cool, we found an open share. Now let's flick over to another tool for further SMB enumeration called smbmap, which will try to list shares and their contents if readable.
smbmap -H <ipaddress>
Great, within that share we found a .txt file, so let's use smbmap to download it.
smbmap -H <ipaddress> --download '<sharename>/<filename>'
Okay, so let's take a look into this file and see what it is and whether there's anything juicy within.
By the looks of it, it just seems to be base64, so let's decode it and see what we get.
cat <file> | base64 -d > decoded.b64
Now we have something that looks like a PNG file, so let's take a look.
Hmmm, just a picture of cherry blossom, so let's do a little more digging into the picture and see what's going on. For this I'm going to start using a toolkit called stego-toolkit, which can be found here.
I'm not going to give a full walkthrough of how this tool works, as there are quite a few online, but you can run either check_png.sh <filename> or check_jpg.sh <filename> and it will run a series of checks against your file. Here I used check_png.sh decoded.b64.
The thing that raised my suspicions about this picture having something to hide was that the file was 2.5MB in size and another tool called zsteg kept finding “Secret” stuff within. Don't believe everything you see from one tool; make sure to use 2 or 3 different ones.
Let's try using another tool within this toolkit to extract anything from the picture; here we use stegpy <filename>.
Great, so we have extracted a zip file, so let's take a look at this now (the name of the file was changed).
Hmm, that's odd, this zip is telling us it's another picture. Let's try and unzip it.
This time we get an error about the file's header signature, so let's take a closer look at the hex and see what's going on. For this I used an awesome online tool called HexEd.it. Great little tool.
Okay, we have a .ctz (CherryTree file) within a zip file that is using JPEG magic byte numbers. This sounds confusing, and it is, but basically magic byte numbers, or file signatures, are a unique set of bytes at the start of a file that identifies what type of file it is. For a list of signature numbers go here: File Signatures.
Let's change these JPEG signatures to those of a ZIP file; I'll let you hunt out the signatures for that 😉.
Now let's export this and try to unzip it again and see if it works.
Okay, great, we get asked for a password to extract this new mystery .ctz file.
Let's use another tool in stego-toolkit called fcrackzip, a password cracker for ZIP files, and see if we can get a password for our zipped file.
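To make the magic-byte idea concrete, here is a small Python checker I have added for this writeup (it is my own example, not code from the original post, from stego-toolkit or from HexEd.it). It identifies a blob by its leading bytes, flags a mismatch between extension and signature, and, for exactly the situation above, notices that a file whose header claims JPEG still carries the ZIP central-directory records near its end, then restores the local-header signature and verifies the archive reads cleanly. All sample inputs are constructed inside the script; the .ctz-to-7-Zip mapping follows this walkthrough's later note that the .ctz is a 7-Zip archive.

```python
"""Identify a file's real type from its magic bytes and compare it with its extension.

Added example for this walkthrough (not from the original post). Signature values
are the published ones for each format; sample inputs are constructed inline,
mirroring the base64-wrapped PNG and the ZIP carrying JPEG magic bytes described
in the text.
"""
import base64
import io
import os
import zipfile

# (type name, signature at offset 0)
SIGNATURES = [
    ("PNG", bytes.fromhex("89504E470D0A1A0A")),
    ("JPEG", bytes.fromhex("FFD8FF")),
    ("ZIP", b"PK\x03\x04"),
    ("7Z", bytes.fromhex("377ABCAF271C")),
    ("PDF", b"%PDF-"),
    ("GZIP", bytes.fromhex("1F8B")),
]

# What each extension claims to be. Assumption per the walkthrough: a CherryTree
# .ctz is a password-protected 7-Zip archive.
EXTENSION_TYPES = {
    ".png": "PNG", ".jpg": "JPEG", ".jpeg": "JPEG", ".zip": "ZIP",
    ".ctz": "7Z", ".7z": "7Z", ".pdf": "PDF", ".gz": "GZIP",
}

ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_CENTRAL_DIR = b"PK\x01\x02"
ZIP_END_OF_CENTRAL_DIR = b"PK\x05\x06"


def identify(data: bytes) -> str:
    """Return the type name whose signature matches the leading bytes, else UNKNOWN."""
    for name, sig in SIGNATURES:
        if data[: len(sig)] == sig:
            return name
    return "UNKNOWN"


def looks_like_zip_inside(data: bytes) -> bool:
    """A ZIP whose first bytes were overwritten still carries its central directory
    and end-of-central-directory records, which live at the end of the file."""
    return ZIP_CENTRAL_DIR in data and ZIP_END_OF_CENTRAL_DIR in data


def analyse(filename: str, data: bytes) -> dict:
    """Compare what the extension claims with what the bytes say."""
    claimed = EXTENSION_TYPES.get(os.path.splitext(filename)[1].lower(), "UNKNOWN")
    header = identify(data)
    hidden_zip = header != "ZIP" and looks_like_zip_inside(data)
    return {
        "claimed": claimed,
        "header": header,
        "hidden_zip": hidden_zip,
        "mismatch": claimed != header or hidden_zip,
    }


def decode_base64_blob(text: str) -> bytes:
    """Decode a base64 text blob (whitespace/newlines tolerated) to raw bytes."""
    return base64.b64decode("".join(text.split()), validate=True)


def restore_zip_header(data: bytes) -> bytes:
    """Put the ZIP local-file-header signature back over a spoofed first 4 bytes."""
    return ZIP_LOCAL_HEADER + data[len(ZIP_LOCAL_HEADER):]


def zip_is_readable(data: bytes) -> bool:
    """True when every member of the archive can be read without a header error."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None
    except zipfile.BadZipFile:
        return False


def make_sample_zip_with_jpeg_magic() -> bytes:
    """Constructed sample: a real one-member ZIP whose first 4 bytes are replaced
    with a JFIF-style JPEG start, like the archive described in the walkthrough."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("diary.ctz", b"constructed placeholder archive body")
    data = bytearray(buf.getvalue())
    data[:4] = bytes.fromhex("FFD8FFE0")
    return bytes(data)


# Constructed sample: base64 of a PNG signature plus padding, like the share's .txt.
SAMPLE_B64 = base64.b64encode(bytes.fromhex("89504E470D0A1A0A") + b"\x00" * 16).decode()

if __name__ == "__main__":
    print("decoded .txt is:", identify(decode_base64_blob(SAMPLE_B64)))
    spoofed = make_sample_zip_with_jpeg_magic()
    print("spoofed zip:", analyse("extracted.zip", spoofed), "readable:", zip_is_readable(spoofed))
    print("after header restore readable:", zip_is_readable(restore_zip_header(spoofed)))
```

The two-stage check matters because a signature table alone would happily report the spoofed archive as a JPEG; it is the end-of-file structure that gives the game away, which is the same reason a hex editor view of the whole file helped here.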
fcrackzip -v -b -D -u -p rockyou.txt extracted-zip-sigchange.zip
Amazing, we have a password, so now let's unzip this password-protected file and see what comes out.
Great, we have ourselves a .ctz file, which is a CherryTree file that has been zipped and password protected (I renamed the file to diary.ctz).
So, with it being a 7-Zip file, we can use JTR (John the Ripper) to convert this into a hash for us, for a bit of a hash-cracking session 😀 like we haven't done enough at this stage!
That's a little small to see, but I'm running 7z2john against our diary.ctz and it's throwing us an error saying we're missing a module, so let's see if we can find this module and install it. *Skipping 15 mins of searching for the module here*.
Okay, great, so running that again with our new module installed, we get a great big dirty SHA256 hash that we will store in a file called “hash” (original, I know). Time to crack the hash; we are going to use john for this with the rockyou.txt wordlist.
Password retrieved! Let's see if we can now open this password-protected file using CherryTree.
Cool, so we have a diary with a few entries. I won't spoil anything here for anyone, but I'll let you read through it. In one of the entries we find the journal flag.
The important part here is that we get a few potential usernames, including the author's girlfriend. He later talks in his diary about how he has a list of unique passwords he created, and how he has chosen one and his girlfriend has chosen one, so that's 2 passwords from the list that are now in use. Password lists were in the diary as well as in an attached file. I won't tell you which one I used.
With that information, let's see if we can hydra our way into his girlfriend's account, as we see her username in the diary entries, while we don't know the other person's name yet because he refers to himself only by his initial.
hydra -l **** -P supersecret-wordlist.txt ssh://10.10.217.72 -V -f -e ns
Hydra is a great tool for brute-forcing a range of logins and more! Here we are using it with the girlfriend as the username (-l), a password list (-P), -V for verbosity so we see every login attempt, -f to stop the attack upon the first successful login, and -e ns to also try a null (blank) password and the username itself as the password.
Let's try to SSH in and see what we get.
Great, we have our initial shell on the target machine 😀 BUT not user, as there's no user flag yet 😦 more digging…
Now our next step is going to be a lateral move across to the boyfriend, who is the owner of the diary and a user on the box.
Let's upload our favourite tool, LinPEAS, using another tool I have grown to love that has replaced the good old “python SimpleHTTPServer” module, called updog. Kick that off and see what we find. updog is amazing! I highly suggest checking it out!
With that running, we can now wget our LinPEAS script from the SSH shell we have.
After some very deep looking, we find an interesting file in our LinPEAS results.
Let's go take a look at that and see what we find.
Great, we found some hashes, including the boyfriend's hash. Let's see if we can crack that one, as we already have the password for the other account, the girlfriend's.
Using hashcat, we can start cracking our hash with the following:
hashcat -m 1800 hash.txt <passwordlist> -o found.txt -O
-m specifies the hash type we are cracking
-o is the output file to write the password to if cracked
-O enables the optimized kernels, which speeds up the cracking (at the cost of limiting the maximum password length)
If you find it taking a while to crack, try to remember something from the diary.
Eventually the password cracks, and now we can try logging in via SSH as this user.
That failed; maybe it's because SSH login is not permitted for this user, so let's go back to the girlfriend's shell and try switching user.
A simple “su <username>” seemed to work just fine, and we get the user flag.
L3t’s G3t R00t
Okay, now let's copy the LinPEAS script over to this user and run it as him, and see if he has anything cool to find.
After some more digging we find we should try “sudo -l” and see what we can run as the root user. This is one of the first things you should try when you get access; it's always nice to find easy wins.
That's strange, we shouldn't be getting the password echoed back to us. This is an option called pwfeedback that's enabled in the /etc/sudoers config; more about it here: CVE-2019-18634. Basically, with pwfeedback enabled, this version of sudo has a stack-based buffer overflow.
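As a defender's counterpart to this finding, here is an added Python audit script (my own example, not from the post, the box or the sudo project) that parses sudoers text for the pwfeedback option and compares the installed sudo version against 1.8.26, the first release that fixed CVE-2019-18634. The sudoers content and the version strings in it are constructed placeholders, and it reads only the text it is given: anything pulled in by #include or #includedir is reported but not followed.

```python
"""Audit sudoers text for the pwfeedback option behind CVE-2019-18634.

Added example for this walkthrough (not from the original post). It does what a
host review would do: find Defaults entries that turn pwfeedback on or off (sudo
applies Defaults in order, so the last one wins) and check the 'sudo -V' version
against 1.8.26, the first fixed release. All inputs are constructed placeholders.
"""
import re

FIXED_VERSION = (1, 8, 26, 0)

# Matches 'Defaults' with an optional scope (Defaults:user, Defaults@host,
# Defaults!cmnd, Defaults>runas) followed by the option list.
DEFAULTS_RE = re.compile(r"^Defaults(?:[:@!>]\S+)?\s+(.+)$")


def parse_version(sudo_v_output: str) -> tuple:
    """Turn the first line of 'sudo -V' into a comparable tuple, e.g. 1.8.25p1 -> (1, 8, 25, 1)."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?", sudo_v_output)
    if not m:
        raise ValueError("no 'Sudo version' line found")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def _logical_lines(text: str):
    """Join backslash-continued lines into one logical line each."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def pwfeedback_state(sudoers_text: str):
    """Return (enabled, evidence, includes).

    enabled  - final pwfeedback state after applying Defaults lines in order
    evidence - the Defaults lines that mention pwfeedback at all
    includes - #include/#includedir/@include directives this function does not follow
    """
    enabled = False
    evidence, includes = [], []
    for line in _logical_lines(sudoers_text):
        if not line:
            continue
        if line.startswith(("#include", "@include")):
            includes.append(line)
            continue
        if line.startswith("#"):
            continue
        m = DEFAULTS_RE.match(line)
        if not m:
            continue
        for opt in re.split(r"\s*,\s*", m.group(1).strip()):
            name = opt.split("=", 1)[0].strip()
            if name == "pwfeedback":
                enabled, _ = True, evidence.append(line)
            elif name == "!pwfeedback":
                enabled, _ = False, evidence.append(line)
    return enabled, evidence, includes


def audit(sudoers_text: str, sudo_v_output: str) -> dict:
    """Combine the option state and version check into one finding with remediation advice."""
    version = parse_version(sudo_v_output)
    enabled, evidence, includes = pwfeedback_state(sudoers_text)
    advice = []
    if enabled:
        advice.append("remove 'pwfeedback' (or add 'Defaults !pwfeedback') with visudo")
    if version < FIXED_VERSION:
        advice.append("upgrade sudo to 1.8.26 or later")
    if includes:
        advice.append("also review files pulled in by: " + "; ".join(includes))
    return {
        "version": version,
        "pwfeedback": enabled,
        "vulnerable": enabled and version < FIXED_VERSION,
        "evidence": evidence,
        "includes": includes,
        "advice": advice,
    }


# Constructed sample sudoers content, not the box's real /etc/sudoers.
WEAK_SUDOERS = """\
# constructed sample
Defaults        env_reset, pwfeedback
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d
"""
HARDENED_SUDOERS = WEAK_SUDOERS + "Defaults        !pwfeedback\n"

# Placeholder 'sudo -V' output: one pre-fix build, one post-fix build.
OLD_SUDO = "Sudo version 1.8.21p2\nSudoers policy plugin version 1.8.21p2\n"
NEW_SUDO = "Sudo version 1.9.5p2\n"

if __name__ == "__main__":
    for label, conf, ver in (("weak/old", WEAK_SUDOERS, OLD_SUDO),
                             ("hardened/old", HARDENED_SUDOERS, OLD_SUDO),
                             ("weak/new", WEAK_SUDOERS, NEW_SUDO)):
        print(label, audit(conf, ver))
```

Even on a patched sudo the script still reports pwfeedback as enabled, since echoing password length is a weaker setting regardless of the overflow; the vulnerable flag is only raised when the option and an unfixed version coincide.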
After some Google-fu we find an exploit.
Git clone the repo, and then compile the code with gcc by running the following:
gcc exploit.c -o exploit
Now updog this exploit over to the box and run it.
Hope you enjoyed it as much as I did. Very frustrating, but fun and rewarding, and I learnt loads! Thanks again MuirlandOracle for the box, it was truly a great experience!