Try Hack Me: Valley

Ryan Yager
4 min readMay 28, 2023

--

Today we are going to look at valley, there is a lot of different things going on here so lets start off with a rustscan:

What is running on 37370:

Going to the website we see this:

Looking at the gallery we find the following:

Lets look at the 2 and see if there is anything we can find, we can make a quick wordlist of just numbers using bash scripting:

Now that we saved everything into num.txt lets use ffuf to see if we can find other files:

Alright 00 is new, lets take a look at that:

We see a dev.js. If you were doing your proper enumeration before you would have also seen this and it would not work. However, now it does and we can see that a username and password are left in the file:

Lets try to login to FTP with those creds:

Alright, so this next part may seem very time consuming, however it is not. We first need to get all the files back to us and start to look at everything. One thing to realize is that we are looking for insecure connections, such as HTTP, or FTP, not SSH or HTTPS. Lets mget everything and then look at siemHTTP2.pcapng with wireshark:

Now that we are looking at HTTP, the x-www-form-urlencoded is probably our best bet to find a username and password:

Sure enough we do. Lets login through SSH with that user:

We have an executable file, start up a python web server we can download the file:

Notice, I already have the file that is why it is saving it as .1

Now we can strings the file:

For a quick win I always like to look up user or password:

Now that we have a hash we can use crackstation, for some reason John did not like that hash when put into a file, however crackstation did not seem to mind:

Now that we have a password we can try and ssh in as the other user on the machine:

Notice we also have this valleyAdmin group that we belong to now. Lets see if anything falls under that group:

That is strange, why do we have base64…

Looking at cronjobs and we may have found our answer

Now we know we can mess with base64, so lets add in something to become root and wait for the cronjob to run it:

And after a minute we get the following:

This box had a lot of different steps in it and it was a lot of fun to exploit. Hopefully you learned something along the way. Until next time have a good one.

--

--