This is an easy Linux box and it contains 2 flags. Our aim is to find a user flag and root flag in the vulnerable machine.
STEP 1: Connect VPN.
Download the VPN file from TryHackMe-> Access -> Download My Configuration File.
Open a terminal in your attack machine backtrack machine (kali Linux).
Command: sudo openvpn <filename.ovpn>
If the Initializing sequence completed messages shows on your terminal, then you are good to go.
After connecting it to the VPN, start the machine. You will get the IP address of the target machine in less than 1 minute.
STEP 2: Scanning and Enumeration.
Command: nmap -sC -sV <IP>
The output shows that the ports 22 and 80 are open and port 80 is running an Apache server.
So open the browser and paste the IP address here. A default Apache page will flash.
There is nothing that pokes my curiosity here. So let’s do some directory brute forcing now and see what we will find.
Command: dirb <target URL> -R
- R is for Interactive Recursion. (Ask in which directories you want to scan)
The first round is done using the common.txt wordlist and we found a directory called “content”.
Now we can proceed with the result or continue brute-forcing on the newly found directory.
I have given “yes” as the input and I came back to the browser to see check the directory called “/content/”.
We did a new discovery of the Content Management System used is SweetRice. it is another CMS Just like WordPress, Drupal, Joomla, etc.
Now we know the CSM, let’s try to find the publicly available vulnerabilities of this CMS system.
Command: searchsploit sweet rice
STEP 4: Exploitation
After noticing the backup disclosure vulnerability in SweetRice 1.5.1, I searched for the details and exploitation techniques from exploit-db.
Let’s look for the login page at <ip>/content/inc/mysql_backup/
I downloaded the file and opened it and realized it was a PHP file after seeing the first line as “<?php….”. After some analysis, I was able to find out an admin username and password in the file.
I copied the hashed password and tried to crack it with CrackStation and it was successful.
After this, I tried to find a login page where I can use these credentials. And later found a directory that I found in the initial recon.
After logging into the admin panel,I was able to find a arbitary file upload vulnerable page in the media section of the panel.Now let’s try to get a back door from the server by uploading a shell code and running it on the server.
I choose a reverse shell from PentestMonkey and edited the file with my IP where I need the reverse connection.
Save it as a .phtml inorder to make it work for you. Save the file and upload it to the media section.
Before you click on the file after uploading, Start a listener in your local machine.
Command: nc -lvnp 4444
Now click on the uploaded file and we shall get a reverse connection instantly. Make sure you listen on the same port mentioned in the uploaded vulnerable file.
After getting the connection I tried a few commands like “whoami” which will show your privillage in the machine and “sudo-i” command to check if I have any sort of NOPASSWORD sudo usage. Since the admin was super lazy, We can execute perl program as an admin without any password.
You can CAT the backup.pl file which is located under home user and the output was as given below.I changed directory to that location to see what are the contents there and I found something interesting.
Perl backup file executes a copy.sh file which is located under /etc folder.
I went into the /etc folder and found this.
You have read,write and execution privileges for the file and the command in the copy.sh is nothing but a reverse shell.
From there I went into the home directory and found our first flag.
STEP 3: Privilege Escalation.
There are multiple ways to do privillage escallation. We are going to do a simple meathod here.
echo ‘cp /bin/bash /tmp/bash; chmod +s /tmp/bash’ > /etc/copy.sh
From the above command a copy of the bash file is moved to /tmp folder and then root SUID (Set owner User ID up on execution) (-rwS) is set to the bash file. Since this file is now owned by the root when you execute the bash it would execute as a root. Once you execute the backup.pl script with sudo privilege you can confirm if the “bash” is copied to /tmp folder, then you can run /tmp/bash -p command to spawn a shell.
Start anotherterminal and a netcat listener on another port 4445 before hitting enter.
We got the root access now.
Now we can find the root flag easily here with a “ls” and “cat” command.
Summary
Enumeration is the key here. There were lot of times I was stuck because of less attention I gave to enumeration phase.
- Port 80 and 22 were open
- In directory bruteforcing we used dirbuster tool in Recursive mode.
- SweetRice was vulnerable to backup file disclosure.
- Using credentials from backup file we logged in to admin panel.
- With help of arbitary file inclusion vulnerability we gained reverse shell.
- Due to less securitry we were able to get Root privillage easily.
Connect with me on Linkedin. Happy Hacking✌🏻.
