[{"data":1,"prerenderedAt":696},["ShallowReactive",2],{"\u002F2025\u002Ftryhackme-year-of-the-rabbit-writeup":3,"surround-\u002F2025\u002Ftryhackme-year-of-the-rabbit-writeup":687},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":9,"date":10,"updated":10,"image":11,"categories":12,"recommend":6,"draft":6,"readingTime":14,"body":19,"_type":680,"_id":681,"_source":682,"_file":683,"_stem":684,"_extension":685,"_original_dir":686},"\u002F2025\u002Ftryhackme-year-of-the-rabbit-writeup","2025",false,"","TryHackMe - Year of the Rabbit","This article provides a detailed walkthrough for the 'Year of the Rabbit' room on TryHackMe. We'll start by uncovering hidden web pages and using BurpSuite to intercept traffic, leading us to credentials hidden within an image. From there, we'll gain initial access via FTP and finally escalate our privileges to root by exploiting a specific sudo vulnerability.","2025-09-03T15:56:06.000Z","https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-Year-of-the-Rabbit-writeup\u002Fthumbnail.jpg",[13],"CTF",{"text":15,"minutes":16,"time":17,"words":18},"3 min read",2.935,176100,587,{"type":20,"children":21,"toc":673},"root",[22,28,44,51,55,85,89,94,98,114,118,132,136,149,153,166,170,212,225,229,234,295,308,312,317,322,326,347,353,366,370,383,387,416,441,453,457,478,482,486,499,503,516,520,531,537,542,546,567,571,601,621,656,660,664,669],{"type":23,"tag":24,"props":25,"children":27},"element","pic",{"src":26},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-Year-of-the-Rabbit-writeup\u002F1.jpg",[],{"type":23,"tag":29,"props":30,"children":31},"p",{},[32,35],{"type":33,"value":34},"text","Target IP: 
",{"type":23,"tag":36,"props":37,"children":41},"a",{"href":38,"rel":39},"https:\u002F\u002Ftryhackme.com\u002Froom\u002Fyearoftherabbit",[40],"nofollow",[42],{"type":33,"value":43},"10.10.132.203",{"type":23,"tag":45,"props":46,"children":48},"h2",{"id":47},"reconnaissance",[49],{"type":33,"value":50},"Reconnaissance",{"type":23,"tag":24,"props":52,"children":54},{"src":53},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-Year-of-the-Rabbit-writeup\u002F2.jpg",[],{"type":23,"tag":29,"props":56,"children":57},{},[58,60,67,69,75,77,83],{"type":33,"value":59},"As you can see, our ",{"type":23,"tag":61,"props":62,"children":64},"code",{"className":63},[],[65],{"type":33,"value":66},"ssh",{"type":33,"value":68},", ",{"type":23,"tag":61,"props":70,"children":72},{"className":71},[],[73],{"type":33,"value":74},"ftp",{"type":33,"value":76}," and ",{"type":23,"tag":61,"props":78,"children":80},{"className":79},[],[81],{"type":33,"value":82},"http",{"type":33,"value":84}," services are active. Now, let's check our web server.",{"type":23,"tag":24,"props":86,"children":88},{"src":87},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-Year-of-the-Rabbit-writeup\u002F3.jpg",[],{"type":23,"tag":29,"props":90,"children":91},{},[92],{"type":33,"value":93},"We have the default Apache page. 
Let's run a directory scan on this site.",{"type":23,"tag":24,"props":95,"children":97},{"src":96},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-Year-of-the-Rabbit-writeup\u002F4.jpg",[],{"type":23,"tag":29,"props":99,"children":100},{},[101,103,112],{"type":33,"value":102},"As a result of our scan, we find the ",{"type":23,"tag":61,"props":104,"children":109},{"className":105,"id":107,"style":108},[106],"example-info","just-like-this","color: #4DFFBE",[110],{"type":33,"value":111},"\u002Fassets",{"type":33,"value":113}," directory.",{"type":23,"tag":24,"props":115,"children":117},{"src":116},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-Year-of-the-Rabbit-writeup\u002F5.jpg",[],{"type":23,"tag":29,"props":119,"children":120},{},[121,123,130],{"type":33,"value":122},"We have two files here. When we check the ",{"type":23,"tag":61,"props":124,"children":127},{"className":125,"id":107,"style":126},[106],"color: #efb11d",[128],{"type":33,"value":129},"style.css",{"type":33,"value":131}," file, it gives us a hidden page.",{"type":23,"tag":24,"props":133,"children":135},{"src":134},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-Year-of-the-Rabbit-writeup\u002F6.jpg",[],{"type":23,"tag":29,"props":137,"children":138},{},[139,141,147],{"type":33,"value":140},"Let's check this ",{"type":23,"tag":61,"props":142,"children":144},{"className":143,"id":107,"style":108},[106],[145],{"type":33,"value":146},"\u002Fsup3r_s3cr3t_fl4g.php",{"type":33,"value":148}," page.",{"type":23,"tag":24,"props":150,"children":152},{"src":151},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-Year-of-the-Rabbit-writeup\u002F7.jpg",[],{"type":23,"tag":29,"props":154,"children":155},{},[156,158,164],{"type":33,"value":157},"Here, it advises us to disable 
",{"type":23,"tag":61,"props":159,"children":161},{"className":160,"id":107,"style":126},[106],[162],{"type":33,"value":163},"javascript",{"type":33,"value":165},". Let's do that.",{"type":23,"tag":24,"props":167,"children":169},{"src":168},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-Year-of-the-Rabbit-writeup\u002F8.jpg",[],{"type":23,"tag":171,"props":172,"children":173},"ol",{},[174,188,200],{"type":23,"tag":175,"props":176,"children":177},"li",{},[178,180,186],{"type":33,"value":179},"First, let's open a new tab in our browser and type ",{"type":23,"tag":61,"props":181,"children":183},{"className":182},[],[184],{"type":33,"value":185},"about:config",{"type":33,"value":187},".",{"type":23,"tag":175,"props":189,"children":190},{},[191,193,199],{"type":33,"value":192},"In the search bar, type ",{"type":23,"tag":61,"props":194,"children":196},{"className":195},[],[197],{"type":33,"value":198},"javascript.enabled",{"type":33,"value":187},{"type":23,"tag":175,"props":201,"children":202},{},[203,205,211],{"type":33,"value":204},"Double-click on the resulting option and set it to ",{"type":23,"tag":61,"props":206,"children":208},{"className":207},[],[209],{"type":33,"value":210},"false",{"type":33,"value":187},{"type":23,"tag":29,"props":213,"children":214},{},[215,217,223],{"type":33,"value":216},"Our page opens, but we can't get anything from it. The video from our regular ",{"type":23,"tag":61,"props":218,"children":220},{"className":219},[],[221],{"type":33,"value":222},"assets",{"type":33,"value":224}," directory is also here.",{"type":23,"tag":24,"props":226,"children":228},{"src":227},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-Year-of-the-Rabbit-writeup\u002F9.jpg",[],{"type":23,"tag":29,"props":230,"children":231},{},[232],{"type":33,"value":233},"Let's open BurpSuite and try to capture the outgoing requests. 
Since it told us to disable JavaScript, we might be able to get something from the requests.",{"type":23,"tag":171,"props":235,"children":236},{},[237,257,286],{"type":23,"tag":175,"props":238,"children":239},{},[240,242,248,250,256],{"type":33,"value":241},"Let's open our browser with the BurpSuite proxy configured and go to the ",{"type":23,"tag":61,"props":243,"children":245},{"className":244},[],[246],{"type":33,"value":247},"Proxy",{"type":33,"value":249}," tab. Then, turn on ",{"type":23,"tag":61,"props":251,"children":253},{"className":252},[],[254],{"type":33,"value":255},"Intercept",{"type":33,"value":187},{"type":23,"tag":175,"props":258,"children":259},{},[260,262,268,272],{"type":33,"value":261},"Now, let's make a request to this URL from our browser: ",{"type":23,"tag":61,"props":263,"children":265},{"className":264},[],[266],{"type":33,"value":267},"10.10.132.203\u002Fsup3r_s3cr3t_fl4g.php",{"type":23,"tag":24,"props":269,"children":271},{"src":270},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-Year-of-the-Rabbit-writeup\u002F10.jpg",[],{"type":23,"tag":273,"props":274,"children":275},"ul",{},[276,281],{"type":23,"tag":175,"props":277,"children":278},{},[279],{"type":33,"value":280},"Our request was captured, but after examining it, we couldn't get anything from it.",{"type":23,"tag":175,"props":282,"children":283},{},[284],{"type":33,"value":285},"Now, let's forward the request and let the page load.",{"type":23,"tag":175,"props":287,"children":288},{},[289,291],{"type":33,"value":290},"Something unusual happened, and BurpSuite captured another request. 
This time, the request contains hidden directories.",{"type":23,"tag":24,"props":292,"children":294},{"src":293},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-Year-of-the-Rabbit-writeup\u002F11.jpg",[],{"type":23,"tag":29,"props":296,"children":297},{},[298,300,306],{"type":33,"value":299},"From this hidden request, we understand that we have a hidden directory. Let's check this ",{"type":23,"tag":61,"props":301,"children":303},{"className":302,"id":107,"style":108},[106],[304],{"type":33,"value":305},"\u002FWExYY2Cv-qU",{"type":33,"value":307}," directory and see what we find.",{"type":23,"tag":24,"props":309,"children":311},{"src":310},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-Year-of-the-Rabbit-writeup\u002F12.jpg",[],{"type":23,"tag":29,"props":313,"children":314},{},[315],{"type":33,"value":316},"We get an image from here. Let's examine this image and see if there is anything hidden inside.",{"type":23,"tag":318,"props":319,"children":321},"copy",{"code":320},"strings image.png",[],{"type":23,"tag":24,"props":323,"children":325},{"src":324},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-Year-of-the-Rabbit-writeup\u002F13.jpg",[],{"type":23,"tag":29,"props":327,"children":328},{},[329,331,337,339,345],{"type":33,"value":330},"And we get an FTP username ",{"type":23,"tag":61,"props":332,"children":334},{"className":333,"id":107,"style":108},[106],[335],{"type":33,"value":336},"ftpuser",{"type":33,"value":338}," and a password list. 
Now, let's create a ",{"type":23,"tag":61,"props":340,"children":342},{"className":341,"id":107,"style":108},[106],[343],{"type":33,"value":344},"passwd.txt",{"type":33,"value":346}," file and add the passwords to this file.",{"type":23,"tag":45,"props":348,"children":350},{"id":349},"initial-access",[351],{"type":33,"value":352},"Initial Access",{"type":23,"tag":29,"props":354,"children":355},{},[356,358,364],{"type":33,"value":357},"Now, let's use ",{"type":23,"tag":61,"props":359,"children":361},{"className":360},[],[362],{"type":33,"value":363},"hydra",{"type":33,"value":365}," to check this information for the FTP server. (Note: The machine's IP changed at this point due to an issue on my end. 10.10.132.203 => 10.10.127.2)",{"type":23,"tag":24,"props":367,"children":369},{"src":368},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-Year-of-the-Rabbit-writeup\u002F14.jpg",[],{"type":23,"tag":29,"props":371,"children":372},{},[373,375,381],{"type":33,"value":374},"From here, we get the pair ",{"type":23,"tag":61,"props":376,"children":378},{"className":377,"id":107,"style":108},[106],[379],{"type":33,"value":380},"ftpuser:5iez1wGXKfPKQ",{"type":33,"value":382},". Now, let's log in to FTP with this information.",{"type":23,"tag":24,"props":384,"children":386},{"src":385},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-Year-of-the-Rabbit-writeup\u002F15.jpg",[],{"type":23,"tag":29,"props":388,"children":389},{},[390,392,398,400,406,408,414],{"type":33,"value":391},"When we look at the shared files here, we find the ",{"type":23,"tag":61,"props":393,"children":395},{"className":394},[],[396],{"type":33,"value":397},"Eli's_Creds.txt",{"type":33,"value":399}," file and a string encoded in ",{"type":23,"tag":61,"props":401,"children":403},{"className":402},[],[404],{"type":33,"value":405},"BrainF*ck",{"type":33,"value":407}," inside. 
Now, let's copy this string and decode it on ",{"type":23,"tag":36,"props":409,"children":412},{"href":410,"rel":411},"https:\u002F\u002Fwww.dcode.fr\u002Fbrainfuck-language",[40],[413],{"type":33,"value":410},{"type":33,"value":415},". As a result, we get:",{"type":23,"tag":273,"props":417,"children":418},{},[419,430],{"type":23,"tag":175,"props":420,"children":421},{},[422,424],{"type":33,"value":423},"User: ",{"type":23,"tag":61,"props":425,"children":427},{"className":426,"id":107,"style":108},[106],[428],{"type":33,"value":429},"eli",{"type":23,"tag":175,"props":431,"children":432},{},[433,435],{"type":33,"value":434},"Password: ",{"type":23,"tag":61,"props":436,"children":438},{"className":437,"id":107,"style":108},[106],[439],{"type":33,"value":440},"DSpDiM1wAEwid",{"type":23,"tag":29,"props":442,"children":443},{},[444,446,451],{"type":33,"value":445},"Now, let's log in via ",{"type":23,"tag":61,"props":447,"children":449},{"className":448},[],[450],{"type":33,"value":66},{"type":33,"value":452}," with this information.",{"type":23,"tag":24,"props":454,"children":456},{"src":455},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-Year-of-the-Rabbit-writeup\u002F16.jpg",[],{"type":23,"tag":29,"props":458,"children":459},{},[460,462,468,470,476],{"type":33,"value":461},"From here, we learn about the user ",{"type":23,"tag":61,"props":463,"children":465},{"className":464},[],[466],{"type":33,"value":467},"gwendoline",{"type":33,"value":469}," and that a secret message was left for them by the administrator. So, let's do a simple scan with ",{"type":23,"tag":61,"props":471,"children":473},{"className":472},[],[474],{"type":33,"value":475},"find",{"type":33,"value":477}," to find the secret hiding places. 
(You can also run linpeas.sh, etc.)",{"type":23,"tag":24,"props":479,"children":481},{"src":480},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-Year-of-the-Rabbit-writeup\u002F17.jpg",[],{"type":23,"tag":24,"props":483,"children":485},{"src":484},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-Year-of-the-Rabbit-writeup\u002F18.jpg",[],{"type":23,"tag":29,"props":487,"children":488},{},[489,491,497],{"type":33,"value":490},"And yes, when we check, we get the ",{"type":23,"tag":61,"props":492,"children":494},{"className":493,"id":107,"style":108},[106],[495],{"type":33,"value":496},"\u002Fusr\u002Fgames\u002Fs3cr3t",{"type":33,"value":498}," directory and a hidden file in this directory. Now, let's check this file.",{"type":23,"tag":24,"props":500,"children":502},{"src":501},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-Year-of-the-Rabbit-writeup\u002F19.jpg",[],{"type":23,"tag":29,"props":504,"children":505},{},[506,508,514],{"type":33,"value":507},"And from here, we get the pair ",{"type":23,"tag":61,"props":509,"children":511},{"className":510,"id":107,"style":108},[106],[512],{"type":33,"value":513},"gwendoline:MniVCQVhQHUNI",{"type":33,"value":515},". 
Now, let's try to log in via SSH with this information.",{"type":23,"tag":24,"props":517,"children":519},{"src":518},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-Year-of-the-Rabbit-writeup\u002F20.jpg",[],{"type":23,"tag":29,"props":521,"children":522},{},[523,525,530],{"type":33,"value":524},"And we've logged in as ",{"type":23,"tag":61,"props":526,"children":528},{"className":527},[],[529],{"type":33,"value":467},{"type":33,"value":187},{"type":23,"tag":45,"props":532,"children":534},{"id":533},"privilege-escalation",[535],{"type":33,"value":536},"Privilege Escalation",{"type":23,"tag":29,"props":538,"children":539},{},[540],{"type":33,"value":541},"Now, let's manually check a few things to escalate our privileges.",{"type":23,"tag":24,"props":543,"children":545},{"src":544},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-Year-of-the-Rabbit-writeup\u002F21.jpg",[],{"type":23,"tag":29,"props":547,"children":548},{},[549,551,557,559,565],{"type":33,"value":550},"With ",{"type":23,"tag":61,"props":552,"children":554},{"className":553},[],[555],{"type":33,"value":556},"sudo -l",{"type":33,"value":558},", we saw which commands we can run with sudo. The ",{"type":23,"tag":61,"props":560,"children":562},{"className":561,"id":107,"style":126},[106],[563],{"type":33,"value":564},"(ALL, !root)",{"type":33,"value":566}," part catches our attention. We know that if such a situation exists—that is, if the rule is set for everyone except root—there might be a vulnerability in sudo. 
Now, let's check the sudo version.",{"type":23,"tag":24,"props":568,"children":570},{"src":569},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-Year-of-the-Rabbit-writeup\u002F22.jpg",[],{"type":23,"tag":29,"props":572,"children":573},{},[574,576,582,584,591,593,600],{"type":33,"value":575},"And yes, our sudo version is ",{"type":23,"tag":61,"props":577,"children":579},{"className":578},[],[580],{"type":33,"value":581},"1.8.10p3",{"type":33,"value":583},". This version is affected by ",{"type":23,"tag":36,"props":585,"children":588},{"href":586,"rel":587},"https:\u002F\u002Fwww.exploit-db.com\u002Fexploits\u002F47502",[40],[589],{"type":33,"value":590},"this vulnerability",{"type":33,"value":592},". This is a well-known vulnerability, and all versions of sudo before 1.8.28 were affected by it. It only becomes exploitable when there is a special sudoers configuration (\"ALL, !root\"): affected versions do not match the user ID -1 against the !root exclusion, yet the command still runs as UID 0. For a detailed explanation, see ",{"type":23,"tag":36,"props":594,"children":597},{"href":595,"rel":596},"http:\u002F\u002Fhackpaper.com\u002F2025\u002Ftryhackme-agentsudo-writeup#privilege-escalation",[40],[598],{"type":33,"value":599},"here",{"type":33,"value":187},{"type":23,"tag":29,"props":602,"children":603},{},[604,606,612,614,620],{"type":33,"value":605},"When we examine the vulnerability, we can run a program with root privileges using ",{"type":23,"tag":61,"props":607,"children":609},{"className":608},[],[610],{"type":33,"value":611},"sudo -u#-1",{"type":33,"value":613},". 
In our case, we are allowed to use ",{"type":23,"tag":61,"props":615,"children":617},{"className":616},[],[618],{"type":33,"value":619},"\u002Fusr\u002Fbin\u002Fvi \u002Fhome\u002Fgwendoline\u002Fuser.txt",{"type":33,"value":187},{"type":23,"tag":29,"props":622,"children":623},{},[624,626,632,634,639,641,647,649,655],{"type":33,"value":625},"So, we can open the ",{"type":23,"tag":61,"props":627,"children":629},{"className":628},[],[630],{"type":33,"value":631},"user.txt",{"type":33,"value":633}," file with root privileges using ",{"type":23,"tag":61,"props":635,"children":637},{"className":636},[],[638],{"type":33,"value":611},{"type":33,"value":640},". In the vi screen that opens, we can press the ",{"type":23,"tag":61,"props":642,"children":644},{"className":643},[],[645],{"type":33,"value":646},":",{"type":33,"value":648}," key to switch to command mode and request a shell by typing ",{"type":23,"tag":61,"props":650,"children":652},{"className":651},[],[653],{"type":33,"value":654},"!\u002Fbin\u002Fbash",{"type":33,"value":187},{"type":23,"tag":318,"props":657,"children":659},{"code":658},"sudo -u#-1 \u002Fusr\u002Fbin\u002Fvi \u002Fhome\u002Fgwendoline\u002Fuser.txt",[],{"type":23,"tag":24,"props":661,"children":663},{"src":662},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-Year-of-the-Rabbit-writeup\u002F23.jpg",[],{"type":23,"tag":29,"props":665,"children":666},{},[667],{"type":33,"value":668},"And we are 
root...",{"type":23,"tag":24,"props":670,"children":672},{"src":671},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-Year-of-the-Rabbit-writeup\u002F24.jpg",[],{"title":7,"searchDepth":674,"depth":674,"links":675},4,[676,678,679],{"id":47,"depth":677,"text":50},2,{"id":349,"depth":677,"text":352},{"id":533,"depth":677,"text":536},"markdown","content:posts:2025:tryhackme-Year-of-the-Rabbit-writeup.md","content","posts\u002F2025\u002Ftryhackme-Year-of-the-Rabbit-writeup.md","posts\u002F2025\u002Ftryhackme-Year-of-the-Rabbit-writeup","md","\u002Fposts",[688,692],{"_path":689,"title":690,"date":691},"\u002F2025\u002Ftryhackme-fowsniff-writeup","TryHackMe - Fowsniff CTF","2025-09-02T07:57:20.000Z",{"_path":693,"title":694,"date":695},"\u002F2025\u002Ftryhackme-b3dr0ck-writeup","TryHackMe - b3dr0ck","2025-09-04T15:20:00.000Z",1777022958953]