Motunui is a hard-rated TryHackMe room by JakeDoesSec. This writeup covers analyzing a network capture file using Wireshark, brute-forcing a login using wfuzz, using Cisco Packet Tracer to read the running configuration of a switch to obtain a login credential for a user on the box, and a denial-of-service attack to get a root shell on the box.
Here we get another hostname and a base URL for the API service, api.motunui.thm:3000/v2/, along with the different routes that we can use. So, I have added this file to /etc/hosts and started playing with different endpoints.
This file talks about credential reuse by user moana and a new network design in Packet Tracer. Since Cisco Packet Tracer files have the extension .pkt, let's search for files with that extension.
And we get a file which is world-readable. I downloaded this file to analyse in Cisco Packet Tracer. I have Cisco Packet Tracer already installed on my box as I had recently finished studying Computer Networks, but you can download Packet Tracer from here. You may have to sign up to get the download link.
We can edit this file, and when the program restarts, the command /usr/bin/node /var/www/api.motunui.thm/server.js is executed. But even though we can change the content of the file, we do not have permission to reload the systemd daemon, which means we cannot get code execution as root until we find a way to reload the daemon.
We cannot edit this file, but the web server is already running as root, and the file that is executed when the service restarts is /var/www/tls-html/server.js, which can be edited by user www-data. The problem here is that the process is running as root, so we cannot kill it like we did with the previous one.
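Both findings above come down to the same misconfiguration: a unit file, or a script named on its Exec line, that an unprivileged account can modify. The audit below is an added example, not part of the original writeup or the room, and flags exactly that condition for each service unit. Assumptions: units live in /etc/systemd/system, only root (uid 0) is trusted by default, and the helper names are hypothetical; it does not inspect parent directories or the unit's User= setting.

```python
import os
import shlex
import stat

def risky(path, trusted_uids=(0,)):
    """Return why `path` is modifiable by an untrusted account, or None."""
    try:
        st = os.stat(path)
    except OSError:
        return None  # missing or unreadable: nothing to report
    if st.st_uid not in trusted_uids:
        return f"owned by uid {st.st_uid}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return f"group/world writable (mode {stat.S_IMODE(st.st_mode):o})"
    return None

def exec_paths(unit_text):
    """Yield every absolute path named on an Exec*= line of a unit file."""
    for line in unit_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep or not key.strip().startswith("Exec"):
            continue
        try:
            # drop systemd's executable prefixes (-, @, :, +, !) first
            tokens = shlex.split(value.lstrip("-@:+! "))
        except ValueError:
            continue  # unbalanced quotes: skip rather than guess
        for tok in tokens:
            if tok.startswith("/"):
                yield tok

def audit_unit(unit_path, trusted_uids=(0,)):
    """Check the unit file itself, then each path its Exec* lines run."""
    with open(unit_path) as fh:
        candidates = [unit_path, *exec_paths(fh.read())]
    findings = []
    for path in candidates:
        reason = risky(path, trusted_uids)
        if reason:
            findings.append((path, reason))
    return findings

if __name__ == "__main__":
    unit_dir = "/etc/systemd/system"  # assumed location of local units
    for name in sorted(os.listdir(unit_dir)):
        full = os.path.join(unit_dir, name)
        if name.endswith(".service") and os.path.isfile(full):
            for path, why in audit_unit(full):
                print(f"{name}: {path} is {why}")
```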