From 6e454ed160b3b15f0f334c1d5de2babf67dd2d59 Mon Sep 17 00:00:00 2001
From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com>
Date: Tue, 5 Oct 2021 06:21:33 +0500
Subject: [PATCH] Add files via upload
---
TryHackMe/Lockdown.md | 198 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 198 insertions(+)
create mode 100644 TryHackMe/Lockdown.md
diff --git a/TryHackMe/Lockdown.md b/TryHackMe/Lockdown.md
new file mode 100644
index 0000000..bc64245
--- /dev/null
+++ b/TryHackMe/Lockdown.md
@@ -0,0 +1,198 @@
+# TryHackMe-Lockdown
+
+## NMAP
+
+```bash
+
+22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey:
+| 2048 27:1d:c5:8a:0b:bc:02:c0:f0:f1:f5:5a:d1:ff:a4:63 (RSA)
+| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDA1Xdw3dCrCjetmQieza7pYcBp1ceBvVB6g1A/OU+bqoRSEfnKTHP0k5P2U1BbeciJTqflslP3IHh+py4jkWTkzbU80Mxokn2Kr5Qa5GKgrm
+e4Q6GfQsQeeFpbLlIHs+eEBnCLY/J03iddkt6eukd3VwZuRXHnEHl7G6Y1f0IEEzProg15iAtUTbS8OwPx+ZwdvXfJTWujUS+OzLLjQw5wPewCEK+TJHVM02H+5sO+dYBMC9rgiEnPe5ayP+nupA
+XMNYB9/p/gO3nj5h33SokY3RkXMFsijUJpoBnsDHNgo2Q41j9AB4txabzUQVFql30WO8l8azO4y/fWYYtU8YCn
+| 256 ce:f7:60:29:52:4f:65:b1:20:02:0a:2d:07:40:fd:bf (ECDSA)
+| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGjTYytQsU83icaN6V9H1Kotl0nKVpR35o6PtyrWy9WjljhWaNr3cnGDUnd7RSIUOiZco3UL5+
+YC31sBdVy6b6o=
+| 256 a5:b5:5a:40:13:b0:0f:b6:5a:5f:21:60:71:6f:45:2e (ED25519)
+|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOHVz0M8zYIXcw2caiAlNCr01ycEatz/QPx1PpgMZqZN
+80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
+| http-cookie-flags:
+| /:
+| PHPSESSID:
+|_ httponly flag not set
+| http-methods:
+|_ Supported Methods: POST OPTIONS
+|_http-server-header: Apache/2.4.29 (Ubuntu)
+|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
+Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+```
+
+## PORT 80 (HTTP)
+
+When we visit to the web server it's going to redirect us to a domain name `contacttracer.thm/` so let's add this to `/etc/hosts` file
+
+
+
+After adding the domain name in the file , we can see a login portal
+
+
+
+
+
+
+
+Let's try some default credentials for admin, I tired `admin:admin` , `admin:password` , `admin:admin123` but they didn't worked so I ran `gobuster` to fuzz for files and directories
+
+
+
+So most of the directories were forbidden , so on the admin panel I tried a simple sqli to login `admin' or 1=1 -- ` and I got access
+
+
+
+
+
+## Foothold
+
+To get a shell there are two ways , on going to settings we can change the login page's image to a php rev shell file
+
+
+
+
+
+Another way ,we can also dump the database on login page that way we can find the name of whatever file we upload but I didn't dump the whole database becuase it was time-based sqli so it was taking some time so I stopped doing this
+
+
+
+Anyway contining with stabilizing the shell
+
+
+
+Let's do some basic enumeration , first I checked `sudo -l`
+
+
+
+We don't have a password so let's move on , next I checked crontabs but those were empty as well
+
+
+
+Checked if there are any SUID's we can abuse but there weren't any
+
+
+
+
+
+## Privilege Escalation (Cyrus)
+
+We can see there are two users `cyrus` and `maxine` also if we remeber we saw `config.php` from gobuster's result so let's visit that file also this what the uploaded files look like
+
+
+
+On reading config.php file we'll get a username and password
+
+
+
+I tried cracking this hash but was not successful , I read `DBConnection.php` file and found some creds
+
+
+
+
+
+But there wasn't anything in the database that was interesting to us but this `admin` hash , on cracking it we get the password `sweetpandemonium`
+
+
+
+
+
+
+
+## Privilege Escalation (root)
+
+On running `sudo -l` , this user can run a script as a root user
+
+
+
+```bash
+#!/bin/bash
+read -p "Enter path: " TARGET
+
+if [[ -e "$TARGET" && -r "$TARGET" ]]
+ then
+ /usr/bin/clamscan "$TARGET" --copy=/home/cyrus/quarantine
+ /bin/chown -R cyrus:cyrus /home/cyrus/quarantine
+ else
+ echo "Invalid or inaccessible path."
+fi
+```
+
+This is the bash script , it's going to read the file name and it's going to check in the if condition with `-e` that if that file exists and with `-r` if that files is readable then it's going to run `clamscan` which is an AV tool , if there's a virus found it's going to copy that file to `/home/cyrus/quarantine` so let's run this tool with the provided sample in cyrus's home directory
+
+
+
+So it copied that file in that `quarantine` directory
+
+
+
+I looked up on clamscan's documentation and it seems that we can write our own rules (YARA rules) to identifiy which file maybe contain a virus
+
+https://docs.clamav.net/manual/Signatures/YaraRules.html
+
+We need to find where `clamscan` loads the rules from ,so I used `find` command to search for `clam*` and found the directory where it had rule to flag a file it has a virus or not
+
+
+
+
+
+
+
+This is the rule file
+
+
+
+But it's more of a signature based rule file `hdb` , we can't do that as we are not able to `root.txt` flag so we won't be able to do this instead we can write a yara rule for `/etc/shadow` file , as we can flag that file as malicious by creating rule which would look for `root` string and if that exists it's going to flag that file has a virus and will copy that file to quaranitne folder
+
+```bash
+rule root
+{
+ strings:
+ $string = "root"
+
+
+ condition:
+ $string
+}
+```
+
+This is a simple YARA rule which holds the string value "root" in `string` variable and in condition section it's going to check for the `string` variable that if it's found in any of the file when it's passed to `clamscan` it's going to flag it as a malicious file
+
+
+
+
+
+
+
+In the shadow file we don't see any root hash but we do have hashes for the two users
+
+
+
+We already have passsword for cyrus , so let's crack the hash for `maxine` user
+
+
+
+
+
+
+
+
+## References
+
+- https://docs.clamav.net/manual/Signatures/YaraRules.html
+- https://blog.nviso.eu/2017/02/14/hunting-with-yara-rules-and-clamav/
+
+
+```
+dev_oretnom : 5da283a2d990e8d8512cf967df5bc0d0
+cts : YOUMKtIXoRjFgMqDJ3WR799tvq2UdNWE
+ sweetpandemonium
+
+```
\ No newline at end of file