Grep writeup | TryHackme
This grep challenge will tests your reconnaissance and OSINT skills
Start this room by hitting the “deploy” button on the right!Once you have deployed machine you have assigned a Vulnerable machine IP.
Below image shows some nmap flags that we are going to used in the nmap scan.
The nmap result shows that there are three ports open.
Nmap command use:
sudo nmap -n -A -Pn --min-parallelism 100 -T5 -p- ip
Firstly ,we go to port 80 and we saw there default apache pages ,we have also done directory busting but didn't find anything.
Now when we come to port 443 ,we saw there certification error then we click one the view certificate.
This room tests our OSINT skills ,So we have found a hint SearchME grep.thm.
Then we add our tryhackme deploy machine ip in etc/hosts correspondence to grep.thm ,because grep.thm is private page in a network.
pinging the grep.thm to ensure that it is correctly configure.
Now we enter https://grep.thm in our browser the below website comes in our browser.
Then we try to register ourself.
When we click on Register button it is giving us error Invalid or expired API key.
Then we go to github and search for SearcME!.
Now we come to api directory file register.php ,we saw there one key is remove.
On the fix remove key we get the api key which is remove.
1 What is the API key that allows a user to register on the website?
Ans: ffe60ecaa8bba2f12b43d1a4b15b8f39.
Now we again try to register and intercept register request in burp, and change the api key to the api key we have found.
So when we forward request we saw successfully register message.
We login to our account and gets the first flag.
2 What is the first flag?
Ans: THM{4e****************************bb}.
Now if we look at api directory we have found on github we saw there is also a file name upload.php ,and it allows three extension correspond to there hexadecimal value.
Then we navigate to upload.php, we have find a upload page.
Then we used a php reverse shell ,so it will give us shell access in our machine
REVERSE SHELL LINK:
We have change ip and port on the php reverseshell .
And then we change file name.
In the github code we have notice that extension which are allowed in upload.php correspondence to hexadecimal value ,so now we used jpg extension ,and we also edit hexdecimal value of jpg.php to correspondance hexadecimal value.
Now will change value to correspond hexadecimal value.
Uploading file.
Click Upload ,then successfully upload message will come.
Then we will navigate to upload folder and click the file which we have uploaded ,while listing on the port which we have enter in our php reverseshell.
Note: If you don’t get reverse shell change <?php postion to after comment in the reverses_shell which have downloaded from github because when your changing value from hexaeditor it is make changes on first line's , so that why you are not getting reverse shell
Now we have get a reverse shell.While searching on machine ,we saw a file name users.sql which have admin email.
3 What is the email of the “admin” user?
Ans :admin@searchme2023cms.grep.thm.
Now when we navigate to leakchecker folder ,we have saw there is two file one of them is email checker.
4 What is the host name of the web application that allows a user to check an email for a possible password leak?
Ans: leakchecker.grep.thm
Then we add a subdomain of leakchecker.grep.thm with same ip as grep.thm.
Now we navigate to our subdomian of leakchecker.grep.thm ,and enter admin email we will get a leakpassword.
5 What is the password of the “admin” user?
Ans: a**************!.
We are done! Great job everyone.
