IDE - TryHackMe

go back / p4p1


Created on Sat. 16 oct 2021



I'm back at it! Did a quick room last night to just stay active on my host assessment skills. I was looking at my Hack The Box profile and realized I could sit down for most of the easy rooms to practice a bit more. So I decided in 2022 to get the same level on Hack The Box that I have on TryHackMe. After that I opened tryhackme and saw this box and figured it would be cool to give it a shot. I didn't think I was going to do a blog post about it but I enjoyed it enough to showcase it here!

Reconnaissance

This room is very focused on Recon and after doing the OSCP exam which is a great way to test your recon tactics by the way I figured I should refresh my knowledge on recon on this box. For those that are thinking of doing the OSCP and are stressed for the exam I think this box puts a lot in perspective for the exam. This is exactly the kind of machine inside of the exam!

          
          Starting Nmap 7.92 ( https://nmap.org ) at 2021-10-16 03:47 BST
          NSE: Loaded 155 scripts for scanning.
          NSE: Script Pre-scanning.
          NSE: Starting runlevel 1 (of 3) scan.
          Initiating NSE at 03:47
          Completed NSE at 03:47, 0.00s elapsed
          NSE: Starting runlevel 2 (of 3) scan.
          Initiating NSE at 03:47
          Completed NSE at 03:47, 0.00s elapsed
          NSE: Starting runlevel 3 (of 3) scan.
          Initiating NSE at 03:47
          Completed NSE at 03:47, 0.00s elapsed
          Initiating Ping Scan at 03:47
          Scanning 10.10.59.69 [2 ports]
          Completed Ping Scan at 03:47, 0.07s elapsed (1 total hosts)
          Initiating Parallel DNS resolution of 1 host. at 03:47
          Completed Parallel DNS resolution of 1 host. at 03:47, 0.02s elapsed
          DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
          Initiating Connect Scan at 03:47
          Scanning 10.10.59.69 [65535 ports]
          Discovered open port 22/tcp on 10.10.59.69
          Discovered open port 80/tcp on 10.10.59.69
          Discovered open port 21/tcp on 10.10.59.69
          Connect Scan Timing: About 44.51% done; ETC: 03:48 (0:00:39 remaining)
          Discovered open port 62337/tcp on 10.10.59.69
          Completed Connect Scan at 03:48, 46.21s elapsed (65535 total ports)
          Initiating Service scan at 03:48
          Scanning 4 services on 10.10.59.69
          Completed Service scan at 03:48, 11.37s elapsed (4 services on 1 host)
          NSE: Script scanning 10.10.59.69.
          NSE: Starting runlevel 1 (of 3) scan.
          Initiating NSE at 03:48
          NSE: [ftp-bounce 10.10.59.69:21] PORT response: 500 Illegal PORT command.
          Completed NSE at 03:48, 3.08s elapsed
          NSE: Starting runlevel 2 (of 3) scan.
          Initiating NSE at 03:48
          Completed NSE at 03:48, 0.17s elapsed
          NSE: Starting runlevel 3 (of 3) scan.
          Initiating NSE at 03:48
          Completed NSE at 03:48, 0.00s elapsed
          Nmap scan report for 10.10.59.69
          Host is up, received syn-ack (0.022s latency).
          Scanned at 2021-10-16 03:47:34 BST for 60s
          Not shown: 65531 closed tcp ports (conn-refused)
          PORT      STATE SERVICE REASON  VERSION
          21/tcp    open  ftp     syn-ack vsftpd 3.0.3
          |_ftp-anon: Anonymous FTP login allowed (FTP code 230)
          | ftp-syst: 
          |   STAT: 
          | FTP server status:
          |      Connected to ::ffff:10.14.8.145
          |      Logged in as ftp
          |      TYPE: ASCII
          |      No session bandwidth limit
          |      Session timeout in seconds is 300
          |      Control connection is plain text
          |      Data connections will be plain text
          |      At session startup, client count was 3
          |      vsFTPd 3.0.3 - secure, fast, stable
          |_End of status
          22/tcp    open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
          | ssh-hostkey: 
          |   2048 e2:be:d3:3c:e8:76:81:ef:47:7e:d0:43:d4:28:14:28 (RSA)
          | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC94RvPaQ09Xx+jMj32opOMbghuvx4OeBVLc+/4Hascmrtsa+SMtQGSY7b+eyW8Zymxi94rGBIN2ydPxy3XXGtkaCdQluOEw5CqSdb/qyeH+L/1PwIhLrr+jzUoUzmQil+oUOpVMOkcW7a00BMSxMCij0HdhlVDNkWvPdGxKBviBDEKZAH0hJEfexz3Tm65cmBpMe7WCPiJGTvoU9weXUnO3+41Ig8qF7kNNfbHjTgS0+XTnDXk03nZwIIwdvP8dZ8lZHdooM8J9u0Zecu4OvPiC4XBzPYNs+6ntLziKlRMgQls0e3yMOaAuKfGYHJKwu4AcluJ/+g90Hr0UqmYLHEV
          |   256 a8:82:e9:61:e4:bb:61:af:9f:3a:19:3b:64:bc:de:87 (ECDSA)
          | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBzKTu7YDGKubQ4ADeCztKu0LL5RtBXnjgjE07e3Go/GbZB2vAP2J9OEQH/PwlssyImSnS3myib+gPdQx54lqZU=
          |   256 24:46:75:a7:63:39:b6:3c:e9:f1:fc:a4:13:51:63:20 (ED25519)
          |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ+oGPm8ZVYNUtX4r3Fpmcj9T9F2SjcRg4ansmeGR3cP
          80/tcp    open  http    syn-ack Apache httpd 2.4.29 ((Ubuntu))
          |_http-title: Apache2 Ubuntu Default Page: It works
          | http-methods: 
          |_  Supported Methods: GET POST OPTIONS HEAD
          |_http-server-header: Apache/2.4.29 (Ubuntu)
          62337/tcp open  http    syn-ack Apache httpd 2.4.29 ((Ubuntu))
          |_http-favicon: Unknown favicon MD5: B4A327D2242C42CF2EE89C623279665F
          |_http-title: Codiad 2.8.4
          | http-methods: 
          |_  Supported Methods: GET HEAD POST OPTIONS
          |_http-server-header: Apache/2.4.29 (Ubuntu)
          Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

          NSE: Script Post-scanning.
          NSE: Starting runlevel 1 (of 3) scan.
          Initiating NSE at 03:48
          Completed NSE at 03:48, 0.00s elapsed
          NSE: Starting runlevel 2 (of 3) scan.
          Initiating NSE at 03:48
          Completed NSE at 03:48, 0.00s elapsed
          NSE: Starting runlevel 3 (of 3) scan.
          Initiating NSE at 03:48
          Completed NSE at 03:48, 0.00s elapsed
          Read data files from: /usr/bin/../share/nmap
          Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
          Nmap done: 1 IP address (1 host up) scanned in 61.31 seconds
          
        

After running the nmap I sat down and ran a few more scans on the 2 Web Apps on port 80 and 62337.

Port 80
          
          ===============================================================
          Gobuster v3.0.1
          by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
          ===============================================================
          [+] Url:            http://10.10.59.69/
          [+] Threads:        10
          [+] Wordlist:       /opt/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt
          [+] Status codes:   200,204,301,302,307,401,403
          [+] User Agent:     gobuster/3.0.1
          [+] Extensions:     html,php,asp
          [+] Timeout:        10s
          ===============================================================
          2021/10/16 03:51:52 Starting gobuster
          ===============================================================
          /index.html (Status: 200)
          
        
Port 62337
          
          ===============================================================
          Gobuster v3.0.1
          by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
          ===============================================================
          [+] Url:            http://10.10.59.69:62337/
          [+] Threads:        10
          [+] Wordlist:       /opt/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt
          [+] Status codes:   200,204,301,302,307,401,403
          [+] User Agent:     gobuster/3.0.1
          [+] Extensions:     html,php,asp
          [+] Timeout:        10s
          ===============================================================
          2021/10/16 03:53:44 Starting gobuster
          ===============================================================
          /index.php (Status: 200)
          /themes (Status: 301)
          /common.php (Status: 200)
          /data (Status: 301)
          /plugins (Status: 301)
          /lib (Status: 301)
          /languages (Status: 301)
          /js (Status: 301)
          /components (Status: 301)
          /config.php (Status: 200)
          /workspace (Status: 301)
          
        

Nothing was interesting on port 80 but a lot more on port 62337. After going through a bit more of the web app I found the service running on port 62447 and it's version. After searching through exploit-db I found a vulnerability with remote code execution with creds needed so I figured I could find that somewhere.

Port 21
          
          @ftp> ls -la
          200 PORT command successful. Consider using PASV.
          150 Here comes the directory listing.
          drwxr-xr-x    3 0        114          4096 Jun 18 06:10 .
          drwxr-xr-x    3 0        114          4096 Jun 18 06:10 ..
          drwxr-xr-x    2 0        0            4096 Jun 18 06:11 ...
          226 Directory send OK.
          @ftp> cd ...
          250 Directory successfully changed.
          @ftp> ls -la
          200 PORT command successful. Consider using PASV.
          150 Here comes the directory listing.
          -rw-r--r--    1 0        0             151 Jun 18 06:11 -
          drwxr-xr-x    2 0        0            4096 Jun 18 06:11 .
          drwxr-xr-x    3 0        114          4096 Jun 18 06:10 ..
          226 Directory send OK.
          @ftp> cat -
          ?Invalid command
          @ftp> get -
          200 PORT command successful. Consider using PASV.
          150 Opening BINARY mode data connection for - (151 bytes).
          Hey john,
          I have reset the password as you have asked. Please use the default password to login.
          Also, please take care of the image file ;)
          - drac.
          -
          - 226 Transfer complete.
          - 151 bytes received in 0.00103 seconds (143 kbytes/s)
          -
          
        

Exploitation

Enumerating got me thinking I have two usernames and no passwords so I figured I was going to brute force the login with Burp but BurpSuite crashed when I loaded rockyou.txt inside of intruder so I just guessed the login to the web service! So I then used the exploit from exploit-db to get a foot hold on the machine!

With that done I wanted to pivot inside of the machine to gain access to the drac user (to find it I used the w command which shows you who is currently logged in the machine). I ran a few scans such as linpeas and checked what I could use to either get to root or something else. After looking around for a few minutes I then looked through the content of /home/drac and what I could read there. I found that I was able to read .bash_history so I run cat against it and jackpot!

Using that I got to ssh into the machine!

Privilege Escalation

Inside of the machine as drac I was then able to run sudo -l and see that I could restart the vsftpd service as root and that I was able to edit the service file. I never done a privesc like that surprisingly and I wanted to give it a shot without looking at a tutorial to see if I could figure it out. So I edited the service file and tried refreshing the service but it didn't work I got an error saying that I needed to run systemctl daemon-reload. I decided to run that and I didn't need root privileges to do so. After editing the file a bit more I got to this:

I then could just run /bin/bash -p and was root! Pretty cool to see that I was able to do that without researching it more in depth!


Thank you for reading if you are coming from TryHackMe check out my other posts I write about a wide variety of Cyber Security Topics and I have a few open source projects on github which are decently active with me contributing and if you are into bug bounty you can check out my app xss_bomb on google play :D It's free on github btw.

My tryhackme account