YouTube walkthrough:
Scanning
First we run an Nmap scan.
I personally tag on -sV and -sC to scan for service versions and to run the default script scan as well, to see if anything is obviously vulnerable. I also use -oN to output to a text file in case I need the scan information again; it saves me from having to re-scan if I close the window or clear the terminal.
As we can see from Nmap there are 3 ports open: 21 (FTP), 22 (SSH) and 80 (HTTP).
Enumeration
First we will try to enumerate the FTP server. The first thing we notice when we look at it is that anonymous login is allowed.
Once logged in, the first thing we see is a file called test.txt, so let's get that first and then keep looking around.
If you look carefully there is another directory we can look in. After going into it you find a file called yougotgoodeyes.txt, so let's get that as well.
If we cat both files we see that test.txt is just a test file and contains no useful information; yougotgoodeyes.txt, however, contains what looks like a website directory.
Going to the website we see an Apache default page.
If we add the recently discovered directory to the end of the URL we find a secret login page, but we have no usernames or passwords.
Next we will scan the website with Nikto to see if there's anything of interest on there.
From the results we can see that there is a robots.txt we should view; upon viewing it, it seems we have found yet another hidden directory.
Here we find 2 files, credentials and userid. It seems we've found our username and password lists, so let's download them and get ready to brute force our way in.
Access
First of all, let's find the username. If you play with the login form you'll find it says "Incorrect username"; with that in mind, let's see if we can brute force the username with Hydra. To do that we need the POST request details from Burp Suite (if you're unfamiliar with Burp, I recommend doing the TryHackMe lab on it here). With the information we got from Burp we get the following Hydra command:
hydra -L userid -P credentials.txt 10.10.126.160 http-post-form "/sUp3r-s3cr3t/authenticate.php:username=^USER^&password=^PASS^:Incorrect username"
Running that command we discover that the username enox works.
Now onto the password. The Hydra command for the password is pretty much the same: we change -L to a lowercase -l, because we are no longer using a list of usernames, just a single one, and we change the string Hydra looks for to the incorrect-password message instead of the username one. It now looks like this:
hydra -l enox -P credentials.txt 10.10.126.160 http-post-form "/sUp3r-s3cr3t/authenticate.php:username=^USER^&password=^PASS^:Incorrect password!"
Now we have the username enox and the password P@ssword1234, so let's try those and see if we can log in. Once logged in we are greeted with a file uploader.
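The two different error strings are what made the Hydra runs above work: the first run keys on "Incorrect username", the second on "Incorrect password!". As an added illustration (not code from the box or from the original post), here is a minimal Python login check in that leaky form beside a hardened one that returns a single message, does the same hashing work whether or not the user exists, and locks a source out after a few failures. The user store, client IPs and attempt limit are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed user store for the demo; the one account mirrors what the walkthrough found.
_SALT = os.urandom(16)
USERS = {"enox": (_SALT, _hash("P@ssword1234", _SALT))}

def login_leaky(username: str, password: str) -> str:
    """Behaves like the box's authenticate.php: the error text reveals whether
    the username exists, which is exactly the string Hydra keyed on."""
    if username not in USERS:
        return "Incorrect username"
    salt, digest = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), digest):
        return "Incorrect password!"
    return "OK"

# Throwaway credential so unknown users cost the same hashing work as real ones.
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, _hash(secrets.token_hex(16), _DUMMY_SALT))
FAILURES: dict = {}   # (client_ip, username) -> consecutive failures (constructed, in-memory)
MAX_FAILURES = 5

def login_hardened(client_ip: str, username: str, password: str) -> str:
    """One message for both failure cases, constant-time compare, and a
    per-source lockout so a wordlist run stalls after a handful of guesses."""
    key = (client_ip, username)
    if FAILURES.get(key, 0) >= MAX_FAILURES:
        return "Too many attempts; try again later"
    salt, digest = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), digest) and username in USERS
    if ok:
        FAILURES.pop(key, None)
        return "OK"
    FAILURES[key] = FAILURES.get(key, 0) + 1
    return "Invalid credentials"
```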
This is good: with it we can easily upload a PHP reverse shell to gain access.
You can download a PHP reverse shell from here:
Don't forget to edit it with your TryHackMe VPN connection's IP and a port of your choosing where indicated (this is really simple to do; it's lines 49 and 50 in the code).
Once edited, upload the file to the site. Now we have to find it; to do this we need to run Gobuster.
Here we find a directory called /images. If we browse to it we find an /uploads directory, and in there we find our uploaded reverse shell. Before we click it we need to get a listener set up.
Jump back into your terminal and set up the listener with netcat; the command below will help:
nc -lvnp <whatever port you put in the php file>
Now the listener is set up, feel free to click the file in the browser.
As you can see, the listener has caught the reverse shell.
From here we just need to navigate to /home and then d4rckh, where we find the user.txt file, which is the answer to the 1st question.
Privilege Escalation
From here the first thing we want to do is shore up the shell and upgrade it to a TTY shell (they are much more reliable and far more interactive). To do that we run the following Python one-liner:
python -c 'import pty; pty.spawn("/bin/bash")'
Now let's start with the first user.
Let's first see what sudo privileges the user has; to do that we use sudo -l.
Here we can see that we can run the /var/www/gdb binary as user thirtytwo without a password. With that information let's check GTFOBins and see what we can find for gdb; there we find an exploit we can use:
sudo -u thirtytwo /var/www/gdb -nx -ex '!sh' -ex quit
Running the above and we can confirm we are now thirtytwo (we can check this with whoami).
Another quick check of this user's sudo privileges shows that we can run /usr/bin/git as user d4rckh with no password. A quick check on GTFOBins again and we find another exploit to run.
Now you'll notice there are two options, (a) and (b). Option (a) won't work for us because of the pager environment, so we need to use the second option:
sudo -u d4rckh git -p help config
!/bin/sh
Doing this gets us in as d4rckh. The first thing we need to do here is navigate to his home directory, where the flag was. We see a cleanup.py file; a quick check of the file shows that it cleans up the home/cleanup directory. With that in mind, maybe it's a scheduled root task, i.e. a cron job.
So let's cat /etc/crontab, and there we see it:
cleanup.py is run by the root user, with weak permissions set on the file.
We can exploit this by replacing the file with a Python reverse shell (much like what we did earlier, but in Python and running as root this time).
Before we do that, let's once again run our pty one-liner to shore up the shell and make it more interactive:
python -c 'import pty; pty.spawn("/bin/bash")'
We should also create a backup of cleanup.py, just in case, with this command:
mv cleanup.py cleanup.py.bak
We can now grab a Python reverse shell script from Pentest Monkey by navigating here.
Scroll down to the Python code section and copy and paste it into the editor of your choice. The s.connect() call needs to be changed to your IP and a port of your choosing, as above. We also need to create this file on the target system and call it cleanup.py; the simplest way is to use an echo command to write the code into a file named cleanup.py.
From here we need to start a new netcat listener, this time on the new port, and wait for the cron job to run cleanup.py again. After a few moments... bam, you've now got root access. From here you can cat root.txt to get the final flag and complete the box.
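The cron job above is the classic root-runs-a-user-writable-script misconfiguration: root executes a file that a low-privileged user owns and can simply move aside and replace. As an added example (not from the walkthrough or the box), here is a Python audit that parses /etc/crontab-style lines and flags root jobs whose script a non-root user could create, replace or edit. The sample crontab and the file ownership table are constructed, with the cleanup.py entry modelled on what the walkthrough describes.

```python
INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "perl"}

def script_of(command: str) -> str:
    """Path a cron command executes: the first token, or the first non-flag
    argument after an interpreter ('python /home/x/cleanup.py')."""
    tokens = command.split()
    if not tokens:
        return ""
    if tokens[0].rsplit("/", 1)[-1] in INTERPRETERS:
        for tok in tokens[1:]:
            if not tok.startswith("-"):
                return tok
    return tokens[0]

def audit_crontab(text: str, stat_of) -> list:
    """stat_of(path) -> (owner, mode) or None when the file is missing.
    Returns (script, reason) for root jobs whose script a non-root user
    could create, replace or edit. @reboot-style lines are skipped."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or SHELL=/PATH= assignment
        fields = line.split(None, 6)  # min hour dom mon dow user command
        if len(fields) < 7 or fields[5] != "root":
            continue
        script = script_of(fields[6])
        info = stat_of(script)
        if info is None:
            findings.append((script, "missing: whoever creates it runs as root"))
        elif info[0] != "root":
            findings.append((script, f"owned by {info[0]}, who can rewrite it"))
        elif info[1] & 0o022:
            findings.append((script, f"group/world writable ({oct(info[1])})"))
    return findings

# Constructed sample, modelled on the box's cleanup.py job (not copied from it).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root /usr/bin/backup.sh
* * * * * root python /home/d4rckh/cleanup.py
0 2 * * * root /opt/report.sh
*/5 * * * * www-data /var/www/tidy.sh
"""
SAMPLE_STAT = {
    "/usr/bin/backup.sh": ("root", 0o755),         # fine: root-owned, 755
    "/home/d4rckh/cleanup.py": ("d4rckh", 0o755),  # bad: user-owned, run by root
    "/opt/report.sh": ("root", 0o777),             # bad: world writable
}
```

On a real host, pass a stat_of that wraps os.stat and pwd.getpwuid so ownership and mode come from the filesystem instead of the constructed table.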