Unlocking Secrets: A Comprehensive Guide to the Dreaming Room
Chapter 1: Introduction to the Dreaming Walkthrough
In this walkthrough, we will explore the TryHackMe Dreaming room, uncovering the mysteries woven within its challenges.
We begin by running nmap and nikto scans against the target system. The results indicate that both the HTTP and SSH ports are accessible. Notably, there is a directory named 'app'.
What is the Lucien Flag?
Navigating to the website, we click on "pluck-4.7.13," which directs us to another page. By selecting 'admin,' we access a login interface where we can see that the pluck version is 4.7.13. Entering "password" as the password allows us to log in successfully.
Next, we conduct a Google search for potential exploits targeting pluck 4.7.13. We discover an applicable exploit, which we save as exploit.py and execute as follows. Upon navigating to the webshell directory, we gain access to a shell.
At this point, we find ourselves unable to read the flags. However, examining the /etc/passwd file reveals that 'lucien' is a user. We then investigate the files associated with this user and come across 'test.py', which contains lucien's password.
Afterward, we log in as lucien via SSH using the discovered password, enabling us to read the flag.
What is the Death Flag?
We next check the sudo privileges assigned to lucien. Opening a new command line, we initiate netcat. From the webshell, we execute a command that establishes a connection back as the user www-data.
We switch to user lucien and inspect lucien’s bash history, where we encounter a mysql command alongside a password. Executing this command allows us to access the database's details, where we identify a table labeled 'dreams.'
Referring back to the bash history, we find a command concerning getDreams.py. Running this command displays the contents of the dreams table. We also check the details of the file located at /opt/getDreams.py, where we find a crucial command.
Reviewing the mysql history reveals several commands relating to data insertion into the table. Using the earlier mysql connection, we can insert a new row of data into the table. Executing the command again reveals the password for the death user.
We then switch to user death with the newly discovered password, enabling us to read the death flag.
What is the Morpheus Flag?
To locate the Morpheus flag, we navigate to Morpheus's home directory and open the restore.py file. Searching for 'shutil' within the program leads us to read and edit the file.
We add a new line of code: "os.system('chmod 777 /home/morpheus/morpheus_flag.txt')" and save our changes. This adjustment grants us access to read the Morpheus flag.
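The Morpheus step works only because a file that runs under another account can be edited by a lower-privileged user. The following audit is an added example, not code from the room or the original walkthrough: it lists a script and the module files it imports that group or other users can write to. It assumes loose file permissions are what made the edit possible; the function names are hypothetical.

```python
import ast
import os
import stat
import sys
from importlib.machinery import PathFinder


def imported_modules(source):
    """Return the top-level module names a Python source text imports."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names


def loosely_writable(path):
    """True if group or others may write the file or its parent directory."""
    loose = stat.S_IWGRP | stat.S_IWOTH
    parent = os.path.dirname(path)
    return any(os.stat(p).st_mode & loose for p in (path, parent))


def audit(script_path):
    """Return the script and imported module files that group/others can modify."""
    script_path = os.path.realpath(script_path)
    with open(script_path, encoding="utf-8") as fh:
        modules = imported_modules(fh.read())
    # Python searches the script's own directory first, then sys.path.
    search = [os.path.dirname(script_path)] + sys.path
    candidates = {script_path}
    for name in sorted(modules):
        spec = PathFinder.find_spec(name, search)
        # Built-in modules and namespace packages have no file to tamper with.
        if spec and spec.origin and os.path.isfile(spec.origin):
            candidates.add(os.path.realpath(spec.origin))
    return sorted(p for p in candidates if loosely_writable(p))


if __name__ == "__main__" and len(sys.argv) == 2:
    for finding in audit(sys.argv[1]):
        print("writable by group/other:", finding)
```

Run it as the account that executes the script, so that module resolution matches what that account's interpreter would load.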
In conclusion, we have successfully navigated through the challenges of the Dreaming room. Until next time, happy hacking!