Takedown
https://tryhackme.com/room/takedown
Last updated
By Jacvbtaylor
SITUATION
Cyber Criminal operations cell RISOTTO GROUP is suspected to be active in Area of Operations (AO). 501st operators are tasked with intercepting RISOTTO GROUP, regaining control of a target webserver, and removing opposing force from target infrastructure.
MISSION
Identify indicators of compromise of the INFINITY webserver
Regain positive control of the INFINITY webserver
Prosecute and deny RISOTTO GROUP operators
Produce proof of positive control of the target webserver (user.txt and root.txt)
Using my nmap script, I located 2 open ports:
I pulled up the webpage and started an enumeration scan to look for interesting files and folders, using gobuster dir -u http://takedown.thm.local/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
Almost immediately I was able to locate what may be an interesting file:
This led me to http://takedown.thm.local/js/main.js, which referenced Mailchimp. This won't be useful to me unless I discover a database set up for the site, or possibly an email address hiding inside some of the code, which could point me in a better direction.
With some help from local file inclusion in the /images directory, I was able to find an ELF file called shutterbug.jpg.bak on the server. This is one of the malware samples from the debriefing PDF we were given before starting the CTF.
I uploaded the file to VirusTotal and analyze.intezer.com and got confirmation that the file was malicious.
I ran the file in my VM and some emojis spewed out.
I chose to examine the file a little further and found some human-readable text inside referencing exe files on Windows and Kali, which left me a little curious as to what else this may be used for.
I started gathering more information on the file to see if I could figure out what its purpose was.
Looking at the strings I noticed something interesting:
The URL http://takedown.thm.local/api is referenced, but the server doesn't respond with that directory when I request it. The 5th line in the screenshot above references /api/ag[*], which didn't mean much to me at first, but later I noticed more strings: user-agent, agent source/destination, and the /agents/ directory. The robots.txt file wasn't disallowing certain user agents, but that doesn't mean some other form of code isn't set up to do so.
My current user agent references my Linux VM, and the remote server responds with a 404 error.
If I edit this to the UA I found in the ELF file and send that packet to the server, I get status code 200.
When I forward my packet with the modified UA, I am now able to see the receive/register page, or at least some form of it.
The source code doesn't reveal anything, so I intercepted the web traffic with Wireshark, but nothing seemed helpful there. Instead of going back and forth with Burp Suite to edit my user agent, I installed a Firefox extension to spoof it for me and started playing around with my URL from the browser. I really wanted to fuzz for files and directories but wasn't sure how to go about this while needing the custom UA, so manually changing the URL was my only current option.
When treating agents like an endpoint or file inside the api folder, the server responds with more information: a UID and hostname.
I wasn't sure where to move from here, so I stepped back and thought about what else I was possibly missing. I found the user agent from the shutterbug file, but that isn't granting me as much access as I would like. The user agent wasn't disallowed in the robots.txt file, but favicon.ico was, and the PDF debriefing mentioned the favicon file as Gunrunner malware. Can I get that file as well? I ran wget http://takedown.thm.local/favicon.ico and it downloaded successfully.
The favicon file appears to be a Windows executable. I may be able to get all of the information I need from it, similar to how I extracted information from the shutterbug file.
So far it seemed to behave very similarly, if not identically, to the shutterbug file, giving me seemingly the same information. Both of these files appear to work as some sort of proxy. This file was easier to read, though, and seemed to lay out what look like commands:
I requested the commands file and was actually served the commands I could use.
This confirms I should be able to access or interact with the following directories:
/commands
/upload
/download
I made various attempts at running these commands, trying to get a different output from the server, but wasn't having any success. I went back to Burp Suite to see if I could further manipulate my packet.
I found that each time I was served "You're not a live agent" I was actually being served a 401 Unauthorized. My aim was to stay within the status 200 bounds. What I hadn't tried yet was changing my type of request. If I want to tell the server what to do, I need to move beyond GET requests. I looked at an example of a POST request and edited mine appropriately inside Burp Suite's Repeater, or so I thought. I wasn't getting a response back from the server, so I canceled my request and looked into what else I could try. This is when I came across the JSON Content-Type. This seemed promising, since I could enter my own text into a field using brackets. As long as I can figure out the right URL path and/or content to send to the server, I should get a proper response.
After reading up on JSON a bit, I saw syntax examples such as {"name":"john"} and tried to see how I could play with this. Most of my attempts got status 400 responses:
I requested /api/agents/upload and wasn't having any luck. I tried using the UID I found earlier in my URL before upload, and referencing the command layout in the favicon file, I saw upload and file:
@/upload
@/api/agents/
@file
@ from C2 server
@[*] Ready to receive
Since I was already requesting the upload in my URL, I added file in my JSON syntax and tried requesting all of the files:
{"file":"*"}
This was making the server time out and give me a 500 error. Does this mean it worked? Did I overload the request? I tried a known Linux file, /etc/hosts, instead.
This worked! I noticed 172.20.0.7 c2-shrike-1 inside the hosts file. Not sure if I'll need this information, but I kept note of it. I used this opportunity to try and get as much information as I could before ultimately attempting to use the download and exec commands.
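What the server's handler for the "file" value should have done, as an added Python example. The room's C2 source is not shown in the writeup, so the handler shape here is an assumption rather than its code; the directory, file contents and symlink are constructed with `tempfile`. The naive version alongside shows why an absolute name such as /etc/hosts comes straight back, and the hardened version refuses anything that resolves outside the directory the agent is meant to read from.

```python
"""Client-supplied file name -> path inside the agent directory, safely."""
import os
import tempfile
from pathlib import Path


def unsafe_join(base_dir: str, requested: str) -> str:
    """What a naive handler does. os.path.join drops base_dir entirely when
    requested is absolute, so "/etc/hosts" is opened as-is, and "../" walks
    out of base_dir even for relative names."""
    return os.path.join(base_dir, requested)


def resolve_agent_file(base_dir: str, requested: str) -> Path:
    """Return the canonical path for requested, or raise ValueError if it
    would land outside base_dir (absolute names, '..', symlinks pointing
    out of the directory, embedded NUL bytes)."""
    if not requested or "\x00" in requested:
        raise ValueError("empty or malformed file name")
    if requested.startswith(("/", "\\")) or Path(requested).is_absolute():
        raise ValueError("absolute paths are not allowed")
    base = Path(base_dir).resolve()
    # resolve() follows symlinks, so a link inside base_dir that points at
    # /etc is caught here too, not just literal '..' components.
    candidate = (base / requested).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"{requested!r} escapes the agent directory")
    return candidate


def is_allowed(base_dir: str, requested: str) -> bool:
    try:
        resolve_agent_file(base_dir, requested)
        return True
    except ValueError:
        return False


def read_agent_file(base_dir: str, requested: str) -> bytes:
    path = resolve_agent_file(base_dir, requested)
    if not path.is_file():
        raise FileNotFoundError(requested)  # a clean 404, not a 500
    return path.read_bytes()


def demo() -> dict:
    """Build a throwaway agent directory (constructed) and exercise both versions."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "agent.log").write_bytes(b"beacon ok\n")
        symlink_rejected = None  # stays None if the platform refuses symlinks
        try:
            (Path(tmp) / "hosts-link").symlink_to("/etc/hosts")
            symlink_rejected = not is_allowed(tmp, "hosts-link")
        except OSError:
            pass
        return {
            "naive_absolute": unsafe_join(tmp, "/etc/hosts"),
            "safe_read": read_agent_file(tmp, "agent.log"),
            "absolute_rejected": not is_allowed(tmp, "/etc/hosts"),
            "dotdot_rejected": not is_allowed(tmp, "../../../etc/hosts"),
            "nested_dotdot_rejected": not is_allowed(tmp, "logs/../../etc/hosts"),
            "symlink_rejected": symlink_rejected,
            "glob_is_just_a_name": is_allowed(tmp, "*"),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Note that `*` is just an ordinary (non-existent) file name to this resolver, so a hardened handler answers it with a not-found error rather than hanging; and because the check compares resolved paths, it does not matter whether the traversal is spelled with `..`, an absolute name, or a symlink planted earlier.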
I wanted a shell to the machine, so I decided to try and use the exec command through the URL.
/api/agents/tupc-jfpa-jfqb-zlri/exec
(It is worth noting that each time this VM is rebooted, you are assigned a new UID and IP that you need to update in /etc/hosts and get from the /agents "file" in order to process your POST request properly.)
After many failed attempts, I eventually got in:
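The web-side sequence above (a non-browser user agent reaching the hidden /api tree, 401s from the live-agent check, then POSTs to the upload and exec commands) is what the mission's "identify indicators of compromise" step would have to spot in the server logs. The following is an added Python example, not code from the room or the writeup: it tags access-log lines by those indicators. The log lines are constructed in Apache/nginx combined format, the UID is the one the author reports, and the implant user-agent string is a placeholder because the real value appears only in the screenshots.

```python
"""Tag web access-log requests that match the agent traffic pattern."""
import re
from collections import Counter, defaultdict
from typing import Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
IMPLANT_UA = "ExampleAgent/1.0 (constructed placeholder)"
# /api/agents/<uid>/<command>; the command names come from the favicon sample
C2_CMD_RE = re.compile(r"^/api/agents/[^/]+/(upload|download|exec)$")


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    return d


def tag_request(req: dict) -> list[str]:
    """Return the indicator tags a single request trips."""
    tags = []
    if req["path"].startswith("/api/"):
        tags.append("hidden-api-path")  # ordinary site visitors never reach /api
    if req["ua"] == IMPLANT_UA:
        tags.append("implant-user-agent")
    if req["path"].startswith("/api/") and req["status"] == 401:
        tags.append("agent-check-failed")  # the "You're not a live agent" replies
    m = C2_CMD_RE.match(req["path"])
    if m and req["method"] == "POST":
        tags.append(f"c2-command:{m.group(1)}")
    return tags


def analyze(lines) -> list[dict]:
    """Parse each line and keep only requests that trip at least one tag."""
    alerts = []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        tags = tag_request(req)
        if tags:
            alerts.append({"ip": req["ip"], "method": req["method"],
                           "path": req["path"], "status": req["status"], "tags": tags})
    return alerts


def per_source(alerts) -> dict[str, Counter]:
    """Tag counts per client IP, to rank who to look at first."""
    counts = defaultdict(Counter)
    for a in alerts:
        counts[a["ip"]].update(a["tags"])
    return dict(counts)


# Constructed log excerpt: one normal visitor, then one client probing /api
# with a browser UA, switching to the implant UA, failing the live-agent check
# with GET, and finally POSTing the upload and exec commands.
SAMPLE_LOG = '''\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.9 - - [01/Jan/2024:10:02:10 +0000] "GET /api/agents/ HTTP/1.1" 404 153 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.9 - - [01/Jan/2024:10:03:22 +0000] "GET /api/agents/ HTTP/1.1" 200 88 "-" "ExampleAgent/1.0 (constructed placeholder)"
10.0.0.9 - - [01/Jan/2024:10:05:40 +0000] "GET /api/agents/tupc-jfpa-jfqb-zlri/upload HTTP/1.1" 401 24 "-" "ExampleAgent/1.0 (constructed placeholder)"
10.0.0.9 - - [01/Jan/2024:10:07:03 +0000] "POST /api/agents/tupc-jfpa-jfqb-zlri/upload HTTP/1.1" 200 312 "-" "ExampleAgent/1.0 (constructed placeholder)"
10.0.0.9 - - [01/Jan/2024:10:09:15 +0000] "POST /api/agents/tupc-jfpa-jfqb-zlri/exec HTTP/1.1" 200 0 "-" "ExampleAgent/1.0 (constructed placeholder)"
'''

if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h["ip"], h["method"], h["path"], h["status"], h["tags"])
    print(per_source(hits))
```

The user-agent match is the weakest rule on its own (the author changed theirs with a browser extension in seconds), which is why the path and method rules sit beside it: a POST to an agent command endpoint is suspicious regardless of the header, and a 401 on the /api tree is the server itself telling you someone without the expected agent identity knocked.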
With this server access, I was able to reach and read the first flag.
My user doesn't seem to have sudo privileges, so escalating privileges may be just as much of a challenge as it was getting into the C2 server as this low-level user.
I started off by running find / -perm -u=s -type f 2>/dev/null to see if there was any SUID privilege escalation I could attempt, but nothing was going to work without having sudo. I was not sure how I was going to get escalated privilege yet. I navigated through the file structure and could not find anything that I could use. I knew from the directory enumeration I had done previously that there was a Docker container running, but I was denied access to list the Docker containers. Could I list the regular processes running, though?
I ran ps aux and saw the name of the Docker container, but I also noticed an interesting folder in /usr/share/.
It took me a second to navigate into this folder:
svcgh0st is an ELF file, but I am not sure I can interact with it while stuck in this reverse shell. Since this odd file was currently running, I attempted to kill all of the processes associated with the diamorphine_secret folder but was stuck with one still running. This folder wasn't shown in the /usr/share/ folder, but I was able to navigate to it once I knew the name. This wasn't adding up, so I searched the name and came up with a GitHub page referencing this:
I was not used to sending signals with kill as opposed to killing processes, so what I was doing wasn't working at first. I briefly referenced this page here for some basic information and then another one here that says the signals go up to 64.
I referenced the GitHub page one more time and read the following:
"Diamorphine is a LKM rootkit for Linux Kernels 2.6.x/3.x/4.x/5.x and ARM64
When loaded, the module starts invisible;
Hide/unhide any process by sending a signal 31;
Sending a signal 63(to any pid) makes the module become (in)visible;
Sending a signal 64(to any pid) makes the given user become root;
Files or directories starting with the MAGIC_PREFIX become invisible;"
So I sent that signal, and I was root.
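The thing that "wasn't adding up" for the author (a directory that `ls /usr/share/` omits but that `cd` reaches by name) is the signature of a rootkit that filters directory listings while leaving direct lookups alone; Diamorphine does the same to processes hidden with signal 31. The following is an added Python check, not code from the writeup or the Diamorphine project, that exposes hidden PIDs by comparing what a listing of /proc reports against what a direct open of /proc/<pid>/status finds. It only counts thread-group leaders, since thread IDs are also reachable by direct lookup without ever being listed, and it takes a listing before and after the probe so processes that start or exit mid-scan are not reported.

```python
"""Find PIDs reachable by direct /proc lookup but missing from /proc listings."""
import os
from typing import Optional


def listed_pids(proc: str = "/proc") -> set[int]:
    """PIDs as a readdir() of /proc reports them (the view a rootkit can filter)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def probe_pid(pid: int, proc: str = "/proc") -> bool:
    """True if /proc/<pid>/status exists and pid is a thread-group leader."""
    try:
        with open(f"{proc}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        return False
    return False


def hidden_pids(listed_before: set[int], probed: set[int], listed_after: set[int]) -> list[int]:
    """PIDs found by direct lookup but absent from both listings. Listing
    before and after the probe filters out processes that merely started or
    exited while the scan was running."""
    return sorted(probed - listed_before - listed_after)


def find_hidden(proc: str = "/proc", pid_max: Optional[int] = None) -> list[int]:
    """Scan 1..pid_max (default: the kernel's pid_max) for hidden PIDs."""
    if pid_max is None:
        with open(f"{proc}/sys/kernel/pid_max") as fh:
            pid_max = int(fh.read())
    before = listed_pids(proc)
    probed = {pid for pid in range(1, pid_max + 1) if probe_pid(pid, proc)}
    after = listed_pids(proc)
    return hidden_pids(before, probed, after)


def self_check() -> Optional[dict]:
    """Sanity check on the running host; None where /proc is unavailable."""
    if not os.path.isdir("/proc/self"):
        return None
    me = os.getpid()
    return {
        "self_listed": me in listed_pids(),
        "self_probed": probe_pid(me),
        "bogus_probed": probe_pid(0),  # /proc/0 never exists
    }


if __name__ == "__main__":
    print("hidden PIDs:", find_hidden())
```

The default scan covers the whole pid_max range (over four million on a modern kernel) and is slow in Python; `find_hidden(pid_max=65536)` is enough for hosts that have not raised the limit. A non-empty result is worth checking against `lsmod`, bearing in mind the quoted README's point that the module can make itself invisible to that listing as well.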