Uranium CTF [TryHackMe]

Vinayak Agrawal
5 min read · Aug 31, 2021

Room Link:- https://tryhackme.com/room/uranium
My profile:-
https://tryhackme.com/p/DrAnonymous95

Hello everyone, this blog is a writeup of the TryHackMe room “Uranium CTF”.
It is a hard-level machine created by hakanbey01. In this room you will learn about a particular phishing method: getting a user to run a malicious mail attachment, then working up to root through the chat application, a packet capture and a couple of SUID binaries.

Reconnaissance

Nmap

From the Nmap result we can see that three ports are open: 22, 25 and 80, the standard SSH, SMTP and HTTP ports. SMTP in particular matters here, because it means the box accepts mail.

In the description of the room a twitter account is given.
hakanbey (given account)

Let’s check the given twitter account.

From the account we discover the domain name “uranium.thm”, so we add it to /etc/hosts. We also learn that hakanbey will open the mail content on the terminal if the attached file is named ‘application’, which is the phishing hook we will use.

Foothold

Let's create a reverse-shell script and save it under the file name “application”.

SMTP is open on port 25, so we will deliver the mail with sendEmail, a command-line SMTP delivery program, after starting a netcat listener on our own machine. In the command below -s is the SMTP server (the target machine), -u the subject, -m the body and -a the attachment.

sendEmail -t hakanbey@uranium.thm -f cheems@mail.com -s <Mac> -u "Hemlo" -m "Surprise for you" -o tls=no -a application

Once hakanbey processes the mail, the attachment is executed and you get a shell on your netcat listener.

The first flag can be found in hakanbey's home directory.

Privilege Escalation

kral4

We find a binary named chat_with_kral4. On executing it, it asks for a password, which we do not know yet. It looks like a chat system for talking to kral4.

Enumerating the machine further, I found a pcap file in /var/log. I downloaded it to my local machine and analysed it with Wireshark.

Open the pcap file and follow the TCP stream; the password for chat_with_kral4 is visible in plain text in the conversation. This is also the answer to question 1.
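What “Follow TCP Stream” does under the hood, as an added example that is not part of the original writeup: a minimal classic-pcap reader that groups packets by endpoint pair, concatenates each direction's payload in sequence order, and greps the result for password-like lines. The capture it parses is constructed inline and the chat text in it is invented; nothing here is taken from the room's real pcap.

```python
"""Added example, not part of the original writeup: a minimal pcap reader that
does by hand what Wireshark's "Follow TCP Stream" does, then greps the
reassembled stream for password-like lines. The capture is constructed
inline and the chat text is invented (not the room's real pcap)."""
import socket
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4


def _frame(src, sport, dst, dport, seq, payload):
    """Ethernet/IPv4/TCP frame for the sample capture (checksums left at zero)."""
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0x4000,
                     64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp + payload


def build_sample_pcap():
    """Constructed two-way chat in which one side leaks a password."""
    a, b = ("10.10.10.5", 40000), ("10.10.10.10", 9001)
    convo = [
        (a, b, b"hello kral4, what was the login for the chat again?\n"),
        (b, a, b"the password is: sample-not-the-real-one\n"),
        (a, b, b"thanks\n"),
    ]
    seq = {a: 1000, b: 5000}
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, (s, d, data) in enumerate(convo):
        f = _frame(s[0], s[1], d[0], d[1], seq[s], data)
        seq[s] += len(data)
        out += struct.pack("<IIII", 1600000000 + i, 0, len(f), len(f)) + f
    return out


def tcp_streams(pcap):
    """{stream_key: {(src, sport, dst, dport): reassembled bytes}} ordered by seq."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet link type is handled")
    segs = defaultdict(lambda: defaultdict(list))
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # IPv4 only
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:                                        # TCP only
            continue
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        tcp = ip[ihl:total]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            # Wireshark keys a stream by the unordered endpoint pair
            key = tuple(sorted([(src, sport), (dst, dport)]))
            segs[key][(src, sport, dst, dport)].append((seq, payload))
    # order by sequence number (no wraparound handling; fine for a short chat)
    return {k: {d: b"".join(p for _, p in sorted(v)) for d, v in dirs.items()}
            for k, dirs in segs.items()}


def find_secrets(pcap, needles=(b"password", b"passwd", b"pass:")):
    """Lines from any reassembled direction that mention a password."""
    hits = []
    for dirs in tcp_streams(pcap).values():
        for direction, data in dirs.items():
            for line in data.splitlines():
                if any(n in line.lower() for n in needles):
                    hits.append((direction, line.decode(errors="replace")))
    return hits


if __name__ == "__main__":
    for direction, line in find_secrets(build_sample_pcap()):
        print(f"{direction[0]}:{direction[1]} -> {direction[2]}:{direction[3]}  {line}")
```

To run it against a real capture, pass open(path, "rb").read() to find_secrets(); the reader only understands classic little- or big-endian pcap with Ethernet framing, so convert pcapng with editcap first. The endpoint-pair key is what makes both directions land in one stream, which is why the password shows up in the follow view even though it was sent by the other side.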

Ok, let's have a chat with kral4. Through the chat we obtain the password for the hakanbey user.

Now we can log in over SSH as well. Let's check the sudo rights with sudo -l.

We can see that user hakanbey is allowed to run /bin/bash as user kral4, so first let's escalate to kral4 with sudo -u kral4 /bin/bash.

We find our 2nd flag at /home/kral4.

Escalating to Root

We can find mail for kral4 in the /var/mail directory.

Here root is writing to kral4: if kral4 repairs the defaced index.html, root will set the SUID bit on a copy of nano placed in kral4's home folder. So first we copy nano into kral4's home directory.

In /var/www/html we find index.html and the web flag, but we do not have permission to read or write either file.

Let's check for SUID binaries with find / -perm -4000 -type f 2>/dev/null.

We can see an interesting SUID binary, /bin/dd. Let's look it up on GTFOBins.

Amazing: a SUID dd lets us write to files as its owner (GTFOBins: echo "DATA" | dd of=file_to_write), so now let's overwrite index.html with clean content.

We get a new mail for kral4 from the root user.

The mail says that authorization has been given and the SUID bit has been set on the nano binary. Since SUID nano runs as root, we can now edit /etc/sudoers with it and add the hakanbey user there (a line such as hakanbey ALL=(ALL:ALL) ALL).

SUID privilege to nano binary

Now we can escalate to root with sudo su from the hakanbey account.

Now we can read our root flag and web flag.

Web Flag

Root Flag

Thanks for reading. Happy Hacking.

My socials
LinkedIn:-
https://www.linkedin.com/in/vinayak-agrawal-2aa5a61ab/
Twitter:-
https://twitter.com/Dr_Anonymous95
