
Deploy the machine

Connect to TryHackMe network and deploy the target machine.

Reconnaissance

nmap scan

Scan the target machine using nmap to find all the open ports and the service/version running on those ports:

nmap -sSCV -oN nmapScan <target_IP>

  • -sS $\implies$ TCP SYN scan
  • -sV $\implies$ Probe open ports to determine service/version info
  • -sC $\implies$ run the default NSE scripts (equivalent to --script=default)

img1

We see that 2 ports are open on the target machine: 22 (ssh) and 80 (http). Port 80 is running Apache httpd version 2.4.29.

gobuster

Since port 80 is open we can visit the website hosted on it:

img2

Next we use gobuster to perform directory and file enumeration, discovering hidden directories and files on the web server:

gobuster dir -u <target_url> -w <wordlist>

img3

We see 2 interesting directories, /uploads and /panel. Visiting both:

  • http://<target_IP>/panel $\rightarrow$ leads us to a page containing an upload form

img4

  • http://<target_IP>/uploads $\rightarrow$ the directory where uploaded files can potentially be viewed

img5

Getting a shell

Since the website contains an upload form, we can use the php-reverse-shell payload. The script opens an outbound TCP connection from the web server to a host and port of our choice, and a shell is bound to that TCP connection.

Download the php-reverse-shell.php file from GitHub and configure it to connect back to your machine.

This is done by changing the IP in the file to your attacking machine's IP. We can also choose a different port to listen on.

img6

After configuring the file, save and upload it:

img7

img8

This gives an error which roughly translates to 'uploading php files is not allowed'. One of the easiest ways to bypass this kind of file upload filter is to rename the file: the filter only checks for the .php extension, so we can rename the extension to an older PHP format such as

  • .phtml
  • .php3
  • .php4
  • .php5
  • .inc etc…
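Seen from the server side, the renamed file gets through because the form denylists a single extension. The following Python is an added example, not the room's code and not the vulnerable form itself: it shows a denylist check of that shape beside an allowlist-plus-content check that refuses every alternative PHP extension, double extensions, and files whose bytes do not match the declared image type. All filenames, extension sets and byte strings in it are constructed for the demonstration.

```python
"""Upload validation: denylist vs. allowlist (added example, not the room's code).

Filenames, extension sets and byte strings here are constructed for the demo.
"""
import os
import uuid

# Extensions that Apache PHP handler configurations commonly treat as PHP.
# A check that only refuses ".php" lets every other entry through.
EXECUTABLE_EXTS = {"php", "phtml", "php3", "php4", "php5", "php7", "phps", "phar", "inc"}

# What an image upload form should accept, and the leading bytes of each type.
ALLOWED_EXTS = {"png", "jpg", "jpeg", "gif"}
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def weak_check(filename: str) -> bool:
    """A denylist of the shape the room's form exhibits: only '.php' is refused."""
    return not filename.lower().endswith(".php")


def strict_check(filename: str, data: bytes) -> tuple:
    """Allowlist on extension plus a content check. Returns (accepted, reason)."""
    base = os.path.basename(filename)        # ignore any client-supplied path
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing name or extension"
    # Inspect every dotted segment so 'shell.php.png' fails like 'shell.phtml'.
    for seg in parts[1:]:
        if seg in EXECUTABLE_EXTS:
            return False, f"executable extension '{seg}'"
    ext = parts[-1]
    if ext not in ALLOWED_EXTS:
        return False, f"extension '{ext}' not in allowlist"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match declared type"
    return True, "ok"


def storage_name(filename: str) -> str:
    """Server-chosen name: random stem plus allowlisted extension, nothing from the client."""
    ext = filename.lower().rsplit(".", 1)[-1]
    if ext not in ALLOWED_EXTS:
        raise ValueError("call strict_check first")
    return f"{uuid.uuid4().hex}.{ext}"


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    for name, data in [("shell.phtml", b"<?php"), ("shell.php.png", png), ("photo.png", png)]:
        print(f"{name:16} weak={weak_check(name)!s:5} strict={strict_check(name, data)}")
```

The allowlist check is only half of the fix: the uploads directory should also be served from a location where the web server's PHP handler is disabled, so that a file which does slip through is returned as data rather than executed.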

img9

Uploading this renamed file:

img10

Success !!!

We can find our uploaded file in the /uploads directory:

img11

Before executing this, we need to open a netcat listener:

img12

Once the listener is running, execute the uploaded file and we will receive a connection in our terminal:

img13

We can upgrade the shell to a proper TTY using python's pty library:

python -c 'import pty; pty.spawn("/bin/bash")'

img14

Use find to locate the user.txt file:

img15

cat the file to obtain the flag:

img16

Privilege escalation

The first task under privilege escalation is a big hint: we need to search for a file with the SUID permission.

NOTE
SUID is a special permission bit in the Linux filesystem that can be set on executable files. It allows users who execute the file to temporarily assume the privileges of the file's owner $\implies$ a user without the necessary permissions can run these files with the owner's (often root's) rights.

We can use find to locate all files that have the SUID bit set:

img17
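The same find-based inventory is what a defender runs to catch a SUID interpreter before someone else does. The following Python is an added example, not the room's own code: it takes an inventory of (path, mode) pairs, flags SUID interpreters and editors as critical, and flags any other SUID file missing from an expected baseline. The baseline, the interpreter list and the sample inventory in the test are constructed for this example; a real baseline would be captured from a freshly installed golden image of the same distribution.

```python
"""SUID audit against a baseline (added example, not the room's own code).

BASELINE and INTERPRETERS are constructed for the demonstration.
"""
import os
import stat

# Constructed baseline of SUID files one expects on a Debian/Ubuntu host.
BASELINE = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/newgrp",
    "/usr/bin/gpasswd", "/usr/lib/openssh/ssh-keysign",
}

# Basenames that should never carry SUID: interpreters, editors and tools
# that can execute arbitrary commands as the file owner.
INTERPRETERS = {"python", "perl", "ruby", "php", "node", "bash", "sh",
                "vim", "vi", "nano", "find", "env"}


def is_suid(mode: int) -> bool:
    """True for a regular file whose SUID bit is set (find / -perm -4000 -type f)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def classify(path: str, mode: int):
    """Return (path, severity), or None when the file is not SUID or is expected."""
    if not is_suid(mode):
        return None
    name = os.path.basename(path)
    family = name.rstrip("0123456789.")      # python3.6 -> python, php7.4 -> php
    if name in INTERPRETERS or family in INTERPRETERS:
        return path, "critical"
    if path not in BASELINE:
        return path, "unexpected"
    return None


def audit(inventory):
    """inventory: iterable of (path, st_mode). Returns findings, critical first."""
    order = {"critical": 0, "unexpected": 1}
    findings = [f for f in (classify(p, m) for p, m in inventory) if f]
    return sorted(findings, key=lambda f: (order[f[1]], f[0]))


def walk_filesystem(root="/"):
    """Live inventory: yields (path, mode) for regular files under root."""
    skip = {"/proc", "/sys", "/dev", "/run"}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            yield p, st.st_mode


if __name__ == "__main__":
    for path, severity in audit(walk_filesystem("/")):
        print(f"{severity:10} {path}")
```

Run periodically (or from a file-integrity monitor) this turns the room's privilege escalation into a single line of output on the day the bit is set, rather than a finding after the fact.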

From the list of files, the python binary stands out; we can exploit it with the help of GTFOBins.

Search GTFOBins for how to exploit SUID permissions on python:

img18

img19

Use the command to escalate privileges to root:

img20

Find the root.txt file:

img21

cat the root.txt file to capture the last flag:

img22