July 31, 2021

THM Res room

This was a fun room and on the easier side, for me at least. It's nice to see the skills progress as I move through all the rooms in the THM and HTB services. I will give all of you a little tutorial on this room.

The first thing I want to do with any challenge is to scan the IP address using nmap to find out what ports are open. To do that I used the following command, nmap -sV -sC -p- -oA nmap/server IP_ADDRESS, which also saves the output to a file that I can reference later. I found 2 ports open on the machine: one was the HTTP service, which doesn't help with this, and the other was the database service.

After searching the internet I found a tutorial on how to get a shell onto the machine through this database. Once that simple shell was on the page I used it to upload Pentestmonkey's PHP reverse shell to the server so that I could run more than one command at a time.

Logged into the Redis database.

Once the reverse shell PHP file is on the server, don't forget to start netcat on your computer before you navigate to the website to trigger the reverse shell. The command that I used is nc -lvnp 8888 to catch the reverse shell. I made sure that the port for netcat matched what I entered into the shell.php file I uploaded. If they don't match, the connection will never come back to you.

The first thing I do once I am on the machine is get a stable shell. To do that, run python -c 'import pty; pty.spawn("/bin/bash")' and then export TERM=xterm to get tab completion. After I ran those commands I poked around a little bit to see if I could find anything. In vianka's home directory is the first flag (user.txt). Just use the cat command to get the contents of that file.

Once I submitted the flag it is on to trying to escalate privileges to get the next flag (root.txt). The www-data user doesn't have privileges to do anything, so the next step is to see if the SUID bit is set on any files that we can use. To search for that, use this command: find / -user root -perm /4000 2>/dev/null. The 2>/dev/null sends all the error messages (mostly "permission denied") to /dev/null so that I get cleaner output from the find command.

After running that command I found something that is useful. With that information I go to GTFOBins and see how the command can be used to escalate. Now it is time to see if we can figure out what to do. According to the information from GTFOBins I can use the command to view the contents of the /etc/shadow file. After looking at that I can see the hash for vianka.

Covered some of the hash so that you have to do a little work. ;)

I took the hash and saved it to a file on my machine so that I could use john to break the hash. Luckily john was quick in finding the password using the default word list.

Armed with the password for vianka I now can use su vianka to switch users and see what vianka can do on this server.

The first thing I do with this user is run sudo -l to see what this user can do with sudo, and I can see that this user can do anything they want to.

So, I have a feeling the file we are looking for is /root/root.txt and I am going to just use the cat command to see if I am correct.

Luckily I guessed right and I now have the final flag for this room. This was a fun room and I learned a little bit about Redis and that it can be used to create files on the server if it isn't secured. With the ability to create files on the server, an attacker can try to upload a shell to the machine to get easier remote code execution.
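To show the other side of that lesson, here is a small audit script I added for this write-up (it is not part of the room or the original post) that reads a redis.conf body and flags the settings that let an exposed Redis instance be abused to write files. The sample configs are constructed for illustration, and the list of "sensitive" dump directories is my own assumption, not a Redis default.

```python
# Added example: audit a redis.conf body for the settings that turn an
# exposed Redis instance into an arbitrary file writer. Sample configs are
# constructed; the sensitive-directory list is an assumption for the demo.

LOOPBACK = {"127.0.0.1", "::1", "-::1", "localhost"}
SENSITIVE_DIRS = ("/var/www", "/home", "/root")  # assumed, not a Redis default

# Constructed: roughly what an unprotected lab instance looks like.
WEAK_CONF = """
port 6379
bind 0.0.0.0
protected-mode no
dir /var/www/html
"""

# Constructed: the same instance after the usual hardening steps.
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
requirepass "placeholder-strong-password"
dir /var/lib/redis
rename-command CONFIG ""
"""


def parse_redis_conf(text):
    """Return (directive, value) pairs from a redis.conf body, skipping comments."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            pairs.append((key.lower(), value.strip()))
    return pairs


def audit_redis_conf(text):
    """List the weaknesses a defender should fix before this instance is reachable."""
    conf, renamed = {}, set()
    for key, value in parse_redis_conf(text):
        if key == "rename-command":
            renamed.add(value.split()[0].upper())  # e.g. rename-command CONFIG ""
        else:
            conf[key] = value.strip('"')
    findings = []
    if not conf.get("requirepass"):
        findings.append("requirepass unset: anyone reaching the port can run commands")
    bind = conf.get("bind", "0.0.0.0")  # no bind directive means every interface
    if not set(bind.split()) <= LOOPBACK:
        findings.append(f"bind {bind}: listening on a non-loopback address")
    if conf.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode no: unauthenticated remote clients are accepted")
    if "CONFIG" not in renamed:  # renaming CONFIG stops clients changing dir/dbfilename
        findings.append("CONFIG not renamed: clients can repoint the dump location")
    if conf.get("dir", "").startswith(SENSITIVE_DIRS):
        findings.append(f"dir {conf['dir']}: dump path is inside a web root or home dir")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or "no findings")
```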

As always, if you have questions or comments please send them to [email protected] and until next time have a great time.