I have tackled this room because it looked interesting. As usual I started the room by clicking on the start machine button and waiting for the machine to come online.

Once the machine was online I started to run nmap to give me a list of the ports that are open.

nmap -sV -sC -p- -oA nmap/server <IP ADDRESS>

The output that I got from the server is:

While that scan was running the next step is to run Gobuster and see what folders are available on the website. The command that I use for this is:

gobuster dir -u http://<IP ADDRESS> -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt | tee directory.txt

I like to tee the output to a file that I can reference at a later date.

I navigated to the /content folder and the only thing that was displayed was a page that said the site was down. The next thing that I want to do is to scan the /content folder.

Gobuster returned this to me:

The next thing that I want to do is to search using searchsploit to see if there are any vulnerabilities for SweetRice CMS now that I have a little bit of a lay of the land on this server.

I will start to look at the vulnerabilities that are the newest (1.5.1). The interesting ones are the backup disclosure and arbitrary file upload. The page for the backup disclosure shows me the path that the file is located at.

I will now navigate to the /content/inc/mysql_backup page and take a look at what is there.

I downloaded the SQL file and then opened it in Sublime Text to see the contents of it. After looking at the file I saw a chunk of text that went off the screen. I then turned on word wrap to save myself some scrolling and then I saw that there was some interesting information.

Now that I have the username and the password I can try to use the upload Python script that I saw in the searchsploit search. Looking at the Python script, it needs to have a username and password along with a file to upload. I now have a way to get a file onto the machine and I want to upload a reverse shell that I got from pentestmonkey.

I tried to upload just a PHP file but that file didn't execute when I went to the page. I changed the extension to .phtml to see if that worked and the file executed, so I now had a shell on the box using netcat:

nc -lvnp 8888

The next thing that I want to do is to stabilize my shell on the box. To do that I use the following command:

python -c 'import pty; pty.spawn("/bin/bash")'

To get the terminal to behave you want to run:

export TERM=xterm

Now you have a stable shell that you can explore the system with.

Now that I have a stable shell on the box I can start to explore the system. The first place I want to look is in the current user's home directory. Using the whoami command I get www-data and I then navigate to /home/itguy. When in the directory I run the ls command to get a directory listing and I see the following files in the directory.

I see the user.txt file and that looks really interesting. I then cat the file to see the contents of the file. That is the flag for the user on the TryHackMe page. Now that I have the user flag it is time to try and escalate to the root user on the box. The first command that I want to do is the sudo -l command to see if the current user can run anything as a sudoer.

I see that the user can run the backup.pl file as a root user. The next thing that I want to do is to see what that file's contents are.

I see that the perl file will run /etc/copy.sh file as a root user. Now it's time to go and find out what that /etc/copy.sh file contains. To modify that file I copied the contents and then modified the IP address and then echoed that back into the original file.

The whitespace in the photo is where my IP address would be located. On my machine I start up another netcat listener on port 5554 and then run the following command on the webserver:

sudo /usr/bin/perl /home/itguy/backup.pl

On the new netcat listener I should then have root on the machine.
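The escalation above works because a script that sudo runs as root calls a helper file that the unprivileged web user was able to overwrite. A defender can audit for that pattern with the check below, which is an added example and not part of the original write-up; the function names are hypothetical, and it assumes helper files are referenced by absolute path inside the sudo-allowed script, as /etc/copy.sh is in /home/itguy/backup.pl.

```shell
#!/bin/sh
# Added example (hypothetical helper names): flag files in a sudo-run
# script's call chain that a non-owner could modify.

# Print "WRITABLE <path>" when group or others have write permission.
# -L makes find test the target of a symlink rather than the link itself.
check_path() {
    p=$1
    [ -e "$p" ] || return 0
    if [ -n "$(find -L "$p" -prune \( -perm -0002 -o -perm -0020 \) -print 2>/dev/null)" ]; then
        echo "WRITABLE $p"
    fi
}

# audit_sudo_script SCRIPT
# Checks the script, the directory that holds it, and every absolute
# path mentioned in its source (for example a helper passed to system()).
audit_sudo_script() {
    script=$1
    {
        echo "$script"
        dirname "$script"
        grep -oE '/[A-Za-z0-9_./-]+' "$script"
    } | sort -u | while IFS= read -r path; do
        check_path "$path"
    done
}

# Stand-alone use: sh audit.sh /home/itguy/backup.pl
if [ "$#" -gt 0 ]; then
    audit_sudo_script "$1"
fi
```

Any path it reports should be owned by root and have group and other write permission removed before the sudoers entry is left in place.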

I now have access to the root.txt file. In order to get the flag I cat that file and then submit it and I have now completed the room. As always if you have questions or feedback please submit it to: feedback@markschindel.com.

TryHackMe's LazyAdmin Room