boot2root, hacking, web application security

@TryHackMe – Solving RootMe

Another day, another challenge.

In today’s post we’re going to solve the RootMe room in TryHackMe.

Let’s get started.

Going to the room let’s deploy the machine. This will give us the IP target IP address.

Note: Make sure you’re logged into TryHackMe’s network through OVPN.

After the deployment is complete, we see the following.

Note: Your IP will be different.

Let’s answer the questions

First question:

We can press the completed button as we have successfully deployed our machine.

Second question:

We need to see how many ports are open. Let’s use the application – nmap. Nmap or Network mapper is used to find open/active services on a server.

We’re going to use the -sV (all) command to get find the version numbers of the active services.

Let’s open a terminal and enter the below command.

The complete command is nmap -sV <IP address from deployment> in my case the command will be nmap -sV 10.10.239.135

A screenshot below shows:

2 ports are open. 22 and 80. Corresponding to SSH and HTTP.

So the answer is two.

Entering this into the text box and pressing Enter, we see that is the right answer.

Moving on to question 3.

Going back to our screenshot above of our nmap results we see the version is Apache 2.4.29. Entering 2.4.29 into the text box and pressing Submit we see that’s the correct answer.

Now to question 4.

Going back to our nmap scan we see that for port 22 the service is SSH (case matters!)

Entering this into the text box and pressing Submit we see that is the correct answer.

Question 5

We need to find directories on the web server using the GoBuster Tool.

First we need to figure out – what is the web server?

Going back to our nmap results, the web server is port 80 or HTTP. HTTP stands for Hyper Text Transport Protocol. You’re using the HTTP protocol right now by viewing this blog post. When accessing the internet, and typing in http is invoking the above protocol.

Now that we know that the web server is port 80 or HTTP. How do we access the GoBuster tool?

Well if you’re using the Parrot Security or Kali virtual machine (or attack box on TryHackMe) all you need to do is open a terminal and type gobuster

To access the different directories we’re going to enter the following command gobuster dir -u http://<ip address from deployment> -w /usr/share/wordlists/dirb/common.txt. In my case the command will be gobuster dir -u http://10.10.239.135 -w /usr/share/wordlists/dirb/common.txt.

Let’s break this command down

We enter gobuster to invoke the program

dir to specify we want to brute force or view all directories

-u http://<ip address from deployment> – specifies we want to view all directories from this website

-w /usr/share/wordlists/dirb/common.txt – specifies we want to use this file as our wordlist to find the hidden directories.

Entering the above command into a terminal and pressing enter we have the following:

Let’s explain the numbers next to the results

The numbers are HTTP codes and can tell you a lot of information

Let’s break give a brief breakdown of the different codes

HTTP Code 200 – OK – meaning the website rendered correctly

HTTP Code 301/302 – Redirection – meaning the website will redirect to another page. Pages with this number you should delve deeper into by visiting the actual page

HTTP Code 401 – Unauthorized – meaning you’re not authenticated (or logged in) to view the page

HTTP Code 403 – Forbidden – meaning you’re not authorized to view the page

From the screenshot above we see a few 301’s (redirects) that we should check out.

Question 5 is a gimme/free question as it says no answer is needed, so press Submit to collect the points.

Now, on to question 6

We need to find the hidden directory.

Looking at our gobuster results and what we know about HTTP codes, the 302 are the results we should focus on. Looking at the results and the number of characters the question is looking for – we can surmise the answer is panel.

Entering /panel/ into the text box and pressing Enter we see the assumption was correct.

We can also double check this by opening a web browser and entering the following http://<IP address from deployment>/panel

Doing this on my machine – I see the following

Again – just because we see a redirect doesn’t mean the page will not render. Always check 301 and 302 HTTP codes!

Now on to question 7.

First we’re in a new section of the challenge titled – getting a shell. This is where things get interesting…

What is a shell? Well there are two types of shells

Bind shell – need to have a listener running on the target machine. How bind shells work is the attacker connect to the listener on the target machine to gain a remote shell. This is a two step process. Also, the listener has to be on the target machine. If it’s not this type of shell will not work.

An visual example of a bind shell:

Netcat bind shell

Note: The -e /bin/sh specifies to send a Bourne shell to the attacker’s box

Reverse shell – listener is on the attacker machine, and the target connects to the listener on the attacker machine with a shell. This is the best option as it removes having a listener on the target machine. Also reverse shells allows to be done on popular ports such as HTTP

netcat-reverse-shell

In our case we’re going to use a reverse shell.

How are we going to do this?

We know that we have a secret directory named – panel. When we went to this page we also noticed that we can upload files.

Let’s try to upload a php file that has a reverse shell attached to it.

Going to this site, we see a file of PHP code.

Copy the code and open a text editor and paste the results.

Scrolling down we see a few lines that need to be changed.

I’m going to explain this below.

The two lines we need to change are our IP address and port.

The IP address is going to point to our IP from our TryHackMe account. You can find the address at the top of the page in green. My address is 10.13.2.231. This will be considered the Attacker’s box.

The port we can make anything we want. In this case let’s make it 1234

Save the file and exit the editor.

Now doing a listing (ls) we see the following

We need to change the permission to have the file execute. To do this we enter the command chmod +x test.php

Now let’s go to the panel directory.

Opening a browser and entering http://<IP address from deployment>/panel, we see the following. Let’s try to update our test.php file.

After pressing upload we see there’s an error. PHP files are not permitted.

How can we fix this? Well, let’s try changing the extension from PHP to PHP5.

Going back to the terminal let’s enter the command: cp test.php test.php5. This will create a new file named test.php5.

Doing a listing (ls -la) we see that the file is created.

Going back to the panel directory let’s browse and select test.php5

After pressing Upload we see that the file was uploaded successfully.

We see the file was uploaded, but how do we get to the file? Going back to to our gobuster results, we see there’s another 301 named uploads. Let’s try to navigate to this directory.

Opening another tab and entering http://<IP address from deployment>/uploads we see the following:

Our test file is here!

Now how do we connect to the target box?

First, we need to open a new terminal and enter nc -nvlp 1234

Let’s explain what’s happening:

nc – is a program named netcat. You can think of netcat as a swiss-army program that can do a lot of information. In our case, we’re going to use netcat to set up our listener on our machine.

nvlp – this is a series of parameters that do the following not resolve names, verbose printing, listen, on a specific port

1234 – is the port we’re going to listen on. **Make sure this matches the port inside your test.php5 file, otherwise the next steps will not work**

Going back to the tab with the uploads folder, click on the test.php5. You will notice the application is running and seems to hang. This is what we want.

Going back to our terminal where we set up the netcat listener, we have input! Our reverse shell worked successfully! We’re officially on the target machine!

We can prove this by entering the command whoami which will give us our current user. The current user is www-data which signifies the web user.

OK, we’re on the machine, but how do we find and open the user.txt file (we need this to answer the question). We need to find it on the file system.

Entering the command find / -name=user.txt 2>/dev/null

Let’s explain this command:

find – is the program we’re using

/ – specifies we want to start at the root

-name user.txt – specifies the file we want to find on the file system

2 >/dev/null – specifies if there are any errors – such as we access denied, send that output to /dev/null. In other words do not output it to the screen.

Entering this in the terminal we see the following:

The user.txt is at /var/www/user.txt

Navigating to the /var/www directory using the cd (change directory) command, we need to view the user.txt file. We’re going to do that with the cat (concatenate) command.

Doing this we see:

We found the answer!

Entering THM{y0u_g0t_a_sh3ll} into the text field we see it’s the correct answer.

Now on to question 8.

OK, we need to search SUID permissions to find a weird file.

First, we need to describe what is a SUID. SUID or a user sticky bit is a permission inside of Linux that allows an application to run as it’s root owner. This is good for system administrators when they want to run commands without switching users. However, there are times where these files are overly permissive or too open for anyone to run. With these files we can do something called privilege escalation which means we can upgrade our user from a regular user to an admin/super user.

How do we find files that have the sticky bit turned on in Linux?

Well we enter the command find / -perm -u=s -type f 2>/dev/null.

Let’s break this down

find – the program we’re using

/ – start at the root of the file system

-perm – specifies we’re looking at permissions

-u=s – specifies we’re looking for the SUID. u is user, and s specifies the sticky bit with execution turned on. If we didn’t want execution turned on we would use S (this wouldn’t help us as we need to execute the program)

2>/dev/null – specifies if there are any errors (such as permission denied) send it to /dev/null

Looking at the output, some of these files are standard. There is one file that looks suspect. The file is /usr/bin/python.

Entering this in the text box we see this is the correct answer.

On to question 9

We need to escalate our privileges to change from www-data to root.

From question 8, we see that /usr/bin/python is the weird file in question that shouldn’t have the SUID bit on. We’re going to use this file to escalate our privileges from www-data to root.

Going to this site and scrolling down we see a section to escalate our privileges using python. Let’s go back to the terminal and enter the command

Let’s break this down

/usr/bin/python – specifies we want to execute the python program

-c = execute the following command

‘import os; os.execl(“/bin/sh”, “sh”, “-p”)’ – specifies we want to import the os library. Then we’re going to execute another command execute command line (execl) with the following parameters:

/bin/sh – specifies we want ot use the Bourne shell

sh – we’re specifying the file or the shell

-p – specifies the command we want to use

This question is a gimme so we can click the completed button.

Now, on to the last question – question 10.

We need to find the root.txt file

After the above command and doing a whoami command we see that we’re root!

Now we need to read the root.txt file

Navigating to the /root folder and doing a listing (ls -la) we see the root.txt file!

Opening the root.txt file with the cat command, we see:

Entering the above THM{pr1v1l3g3_3sc4l4t1on} into the text box we see that’s the correct answer and we have solved all the challenges.

Like this content and want more? Well support me by Buying Me A Coffee. Link –> https://www.buymeacoffee.com/thefluffy007

boot2root, hacking, web application security

@Vulnhub – Solving #Cofveve

Another day, another challenge.

In this post we’re going to solve the Cofveve virtual machine.

Let’s get started

After downloading the virtual machine and starting it we see the following:

Using the netdiscover command we can find the IP that the virtual machine is using

Going back to our attacking machine (I’m using the parrot virtual machine).

Doing an nmap scan with the command – nmap -sV <IP address from netdiscover command>, we see the following

There are three ports that are open – ssh, and two http ports.

When http ports are opened the next step is to try to do a recursive brute force attacks to find hidden directories.

We’re going to use two programs – dirb and gobuster.

Doing the dirb of port 80, we get:

Using gobuster we see:

We see that both of the programs did not return anything.

Let’s try to the following programs with the 31337 port, let’s start

We see five files – a robots.txt, and four hidden files (start with .)

The robots.txt gives information about sites that should not be crawled by the internet. This is useful as it will give us files or directories (folders) to review to get more information.

Going to the robots.txt we see:

Hmm, there are three directories that are disallowed. Let’s try to go to them.

Let’s start with taxes. When navigating there we see:

We found the first flag!

Going to the second directory .bashrc we see

Hmm, it’s a file, let’s save it.

Going to the last directory of .profile we see

Another file to save.

Going back to either dirb or gobuster results we have one more directory, .ssh.

This is strange. The .ssh which is hidden should not be exposed on the internet. This folder has information about how to login into the system. Such information is a private key (which only the user should know) public key (which everyone knows), as well as other things.

Going to this folder we see:

We see three items, which look like additional files.

Let’s see if we can navigate to these files.

Navigating to the first item, id_rsa we see:

Another file, so let’s save it.

Let’s try the second file – authorized_keys. Going there we see:

Another file, let’s save it.

Finally, let’s go to the third item – id_rsa.pub

Now that we saved everything let’s go back to our virtual machine and open the files.

First, let’s open the id_rsa.pub file. This file is the public key that is part of a pair. The other pair is the private key. As the name suggests only the user should know their private key and not expose it to anyone else. The public key can be exposed to everyone.

Opening the file we see:

We see a ssh-rsa. RSA is a cryptographic algorithm. Looking at the end of the file we see a valid user – simon@covfefe. We need to save this user as we will need it later.

Opening the id_rsa file we see:

This file is the private key to log into the SSH server as Simon! This is bad, as I said before this file should NOT be exposed as Simon private key should only be known by him only.

Opening the authorized_keys file it has the same content as the id_pub

How can we use this information?

We know a user (simon@covfefe) and a private key.

Well we can log into the ssh server.

Let’s start.

We can use the command ssh -i id_rsa simon@covfefe

Let’s break this down.

We’re logging into the SSH server, specifying a file id_rsa (Simon’s private key) and the user of Simon

We get the following output:

Uh oh – we received an error:

The private key is too open. We need to change the make it less accessible. To do this we’re going to change the permissions from 644 to 600. What this will do is give access to the owner in this case parrot (which is us).

To do this we will use the command chmod 600 id_rsa

Trying to log in again we have the following:

We need a passphrase… which we don’t have. How do we get this?

Doing a good ol’ Google search of cracking passphrase for id_rsa we see the following link

We see there’s a command ssh2john which can be used to crack the passphrase. Let’s do it!

First, we located where the ssh2john command lives in the file system. Next, we’re going to create a hash using ssh2john. We’re going to use this for the next step.

Next, we’re going to send our hash to john which will be used to crack it. We’re going to use the wordlist rockyou.txt which is a common wordlist used to crack passwords. Doing so, we found our passphrase – starwars.

Running our SSH command again, we enter the passphrase of starwars and we’re in the system!

Doing a long listing and showing all of the files (ls -la) we see the files we found before when brute forcing the directories. Let’s look at the .bash_history. This file is good to review as it will let you know commands that were executed on the machine.

Opening this file we see a read_message and then exit. What is read_message? Is this a program?

Executing the read_message we get a prompt. Let’s enter the name Simon. We received a message stating this is is a private messaging system and the source code is in the root directory.

Navigating to the root directory and doing a long listing with all the files (ls -la) we see there’s a read_message.c file, and flag.txt!

Opening the flag.txt file we see a permission denied :-(. Looking at the long listing again this file (flag.txt) can only be accessed the owner, which in this case is root (column 4). I am the user Simon, so I can’t view the file.

Opening the read_message.c file, we see source code, and… the second flag!

And it’s giving us a hint – we need to review the source code.

Looking at the source code we have a buffer (buf) that is holding 20 characters and is executing another file program which is pointing to /usr/local/sbin/message. Whenever we see buf we need to think of buffer overflows.

Buffer overflows are a vulnerability where you overflow the input to access other parts of the computer system. In this case, since we have a holding space of 20 characters – we’re going to overload the buffer with characters OVER 20 characters. Also we’re going to try to change the shell to /bin/sh <— bourne shell. We’re going to change the shell to escalate the user. Changing from Simon to root. We need to be root to open the flag.txt file.

Let’s try it.

Running the commands id and whoami we see we’re root!

Now let’s open the flag.txt and see what’s in the file.

We solved the challenge!