En-pass — TryHackMe
This is the write-up for TryHackMe’s room named En-pass: Get what you can’t. This room can be found at this URL:
# Identify the list of services running on the target machine
⇒ sudo nmap -sS -Pn -T4 -p- 10.10.248.167
# Perform further information gathering on the open ports identified above
⇒ sudo nmap -O -A -Pn -T4 -p22,8001 10.10.248.167
So we have SSH on port 22 and a website on port 8001. First, let’s explore the website. Open it up in your favorite browser and we see some images with some text printed on them. We can view all of this text by viewing the source of the web page:
Ehvw ri Oxfn!! is a Caesar cipher of Best of Luck!! with a shift of 3
U2FkCg== is base64 for Sad
Well, it looks like we were trolled.
Time for directory brute forcing. Let’s use gobuster:
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt -u http://10.10.240.162:8001 -t 40
Explore /reg.php found above:
If we input something, e.g. 1234, the response from the server contains the following PHP code:
So we need to bypass the filter in the above code to move forward. Reading the code, the following conditions must be met for the input to pass the filters:
- Lowercase/uppercase letters and digits are not allowed.
- The input is split into chunks with ‘,’ as the delimiter, and the individual chunks must have the lengths specified in the code. A sum variable is incremented for each condition that matches and is compared with the value 9; when it equals 9 we get the result, which is the way forward.
I used an online PHP compiler to debug the code and finally figured out the input which gives us the result. The input can contain symbols, so I used ‘$’ and made the individual chunks of the required lengths.
Submitting this input gives us a password:
Also, exploring the /web directory found above with gobuster, we find one more directory named resources:
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt -u http://10.10.240.162:8001/web -t 40
Keep exploring these directories further with gobuster and we find our first answer, the Path. Browsing to this path gives us an encrypted private key, which we download using wget:
We have a password and an encrypted private key; let’s use both of them and see if we can get a private key which we can use:
openssl rsa -in key -out id_rsa
Using this private key with the password as the passphrase, I tried a few usernames like sadman, sau and cimihan which we found earlier, but it didn’t work. Maybe there is a different username which we need to find. During directory brute forcing we saw another page, /403.php, and the hint given is “The path you get will forbid to see but you can bypass it.”. So to move forward we somehow need to bypass 403.php. Searching around, I found this tool which can “Fuzz 403ing endpoints for bypasses”:
This tool can also send the requests via a proxy, so we start Burp Suite with intercept off and analyse the requests and responses. Let’s run the tool as:
Sorting the output in the Proxy tab of Burp Suite by status code, I found one request/response pair which gave a different response. That response contained a new username.
Let’s use this username to SSH in with the private key:
ssh -i id_rsa USERNAME@10.10.141.184
So we were able to log in using this new username and also got the user flag.
Upgrade the shell using the following command so that it is more usable:
/usr/bin/script -qc /bin/bash /dev/null
Ran both linPEAS and lse privilege escalation scripts, but nothing jumped out. Manually browsing the file system, I found one interesting script located at /opt/scripts/file.py:
imsau@enpass:/opt/scripts$ cat file.py
import yaml

class Execute():
    def __init__(self, file_name="/tmp/file.yml"):
        self.file_name = file_name
        self.read_file = open(file_name, "r")

    def run(self):
        return self.read_file.read()

# yaml.load() without a safe Loader: the content of /tmp/file.yml is deserialized with full object construction
data = yaml.load(Execute().run())
This looks to be our way to get root. The file is owned by root, but there is no cron job that is executing this Python file. Looking closely, /tmp/file.yml is in the constructor, but I couldn’t find that file in /tmp. Maybe the root user is deleting it. Let’s confirm this by making a file with the same name in /tmp:
And sure enough, file.yml is getting deleted every minute. This link points to an issue which we can exploit:
python -c 'import yaml; yaml.load("!!python/object/new:os.system [echo EXPLOIT!]")'
We will create a file /tmp/file.yml with the following content:
!!python/object/new:os.system ["cp /bin/bash /tmp; chmod +s /tmp/bash"]
And after a minute or so we will have a SUID bash binary which we can run with the -p option to get a root shell and the root flag:
That’s all. Thanks for reading. Have a nice one.
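As an added defender-side example (not part of the original write-up or the room’s files): a pre-load scan that flags PyYAML’s Python-object tags, such as the !!python/object/new tag used above, paired with the fix the script needed, yaml.safe_load instead of yaml.load. It assumes PyYAML is installed for the safe_load call; the regex, the helper names and the benign sample document are my own.

```python
import re
from typing import List

# Tag prefixes that PyYAML's unsafe loaders (yaml.load with the default
# Loader / UnsafeLoader) resolve to Python constructors; yaml.safe_load()
# rejects every one of them (object/new, object/apply, name, module, ...).
UNSAFE_TAG_PREFIXES = ("!!python/", "!python/")

# A YAML tag token: '!' or '!!' followed by a handle/suffix. The lookbehind
# skips a '!' glued to a preceding word or quote (e.g. a trailing '!' in text).
TAG_RE = re.compile(r"(?<![\w\"'])(!!?[A-Za-z0-9_./:-]+)")

# The document the write-up drops into /tmp/file.yml for the root job.
MALICIOUS_DOC = '!!python/object/new:os.system ["cp /bin/bash /tmp; chmod +s /tmp/bash"]\n'

# A constructed, harmless document carrying only a built-in tag.
BENIGN_DOC = "name: !!str 1234\nowner: root\n"


def find_unsafe_tags(document: str) -> List[str]:
    """Return every Python-specific YAML tag present in the document text."""
    return [t for t in TAG_RE.findall(document) if t.startswith(UNSAFE_TAG_PREFIXES)]


def load_untrusted(document: str):
    """Refuse documents carrying Python object tags, then parse with safe_load.
    safe_load alone would also raise on these tags; scanning first gives a
    clear, loggable reason before any parser touches the input."""
    tags = find_unsafe_tags(document)
    if tags:
        raise ValueError(f"refusing YAML with Python object tags: {tags}")
    import yaml  # PyYAML; only needed once the document has passed the scan
    return yaml.safe_load(document)


def is_refused(document: str) -> bool:
    """True when load_untrusted() rejects the document before parsing it."""
    try:
        load_untrusted(document)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe tags:", find_unsafe_tags(MALICIOUS_DOC))  # ['!!python/object/new:os.system']
    print("refused:", is_refused(MALICIOUS_DOC))            # True
    print("benign tags flagged:", find_unsafe_tags(BENIGN_DOC))  # []
```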