InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/

TryHackMe writeup: Atlas

Aleksey
Published in InfoSec Write-ups
15 min read, May 6, 2022

“MurilandOracle” (2021) published a TryHackMe tutorial room discussing a simple ThinVNC vulnerability, a bit of exploit development and testing, and the PrintNightmare vulnerability. In my never-ending quest to “break the rules,” this room took about a week longer for me to complete than MurilandOracle intended. Nonetheless, doing the room was a fun experience. This article will detail how I completed the room.

Base image: Cunningham and Goodwin (2015)

Procedure

Before I started, I edited the /etc/hosts file on my AttackBox and added the following line:

<target ip> atlas.thm

I did this because I know that I will not finish the room in one sitting and that the IP address of a TryHackMe boot2root machine will change for each new session. It would be better to record a pseudo-domain name as opposed to a dynamic IP address, so that every time I boot up the target VM, I can just edit the /etc/hosts file with the new target IP address.

I then clicked on the green-coloured “start machine” button that is on the top-right corner of the first task and proceeded to probe the machine.

Reconnaissance

To “get the ball rolling,” I started with an nmap (n.d.) scan of the target machine:

┌──(dna@deniers)-[~/atlas]
└─$ sudo nmap -sT -A -v -Pn -p- -O -sC -oX tcp_scan.1.xml atlas.thm

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.92 (https://nmap.org) at [redacted] EDT
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at [redacted]

The room notes that the target machine is running Windows, so the -Pn flag is needed to skip host discovery, since Windows hosts typically do not answer ICMP echo requests, and to launch the port scan regardless. The -oX tcp_scan.1.xml flag instructs nmap to store its results in XML format.

I have taken the liberty of converting the raw XML output into a readable HTML format with the xsltproc utility:

┌──(dna@deniers)-[~/atlas]
└─$ xsltproc tcp_scan.1.xml -o tcp_scan.html

Fig. 1 shows an excerpt of the xsltproc output — specifically the open ports on the target system:
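As an added example that is not part of the write-up, the following Python script pulls the same open-port summary straight out of the -oX XML without the xsltproc step, and also records whether -Pn marked a host "up" without any host discovery (nmap writes reason="user-set" in that case). The embedded XML is a constructed sample in nmap's output format, not the room's actual scan results.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -oX` output; not the room's real scan results.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sT -A -v -Pn -p- -oX tcp_scan.1.xml atlas.thm" version="7.92">
  <host>
    <status state="up" reason="user-set"/>
    <address addr="10.10.10.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445">
        <state state="filtered" reason="no-response"/>
        <service name="microsoft-ds"/>
      </port>
      <port protocol="tcp" portid="3389">
        <state state="open" reason="syn-ack"/>
        <service name="ms-wbt-server" product="Microsoft Terminal Services"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="ThinVNC"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

def parse_scan(xml_text):
    """Return one dict per host: address, whether -Pn forced it 'up', and its open ports."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status, address = host.find("status"), host.find("address")
        entry = {
            "addr": address.get("addr") if address is not None else None,
            # With -Pn nmap skips host discovery and writes reason="user-set", so
            # "up" says nothing about whether the host actually answered a probe.
            "forced_up": status is not None and status.get("reason") == "user-set",
            "open_ports": [],
        }
        for port in host.iter("port"):
            state, svc = port.find("state"), port.find("service")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not listed
            entry["open_ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": None if svc is None else svc.get("name"),
                "product": None if svc is None else svc.get("product"),
            })
        hosts.append(entry)
    return hosts
```

To use it on a real scan, read tcp_scan.1.xml into a string and pass it to parse_scan.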
