Sustah TryHackMe walkthrough

Hello guys, back again with another walkthrough. This time I am going to be handling Sustah from TryHackMe; the room was released about 2 hours ago. What made me fall in love with this room was the initial foothold, since we had to bypass a failed guess count that the server keeps, and I learnt a new trick in the process. We'll go a step further and even create a Python brute forcer; I am sure you'll love the writeup. The writeup starts off with us having to guess a number, and if the number is correct we get a path which contains a CMS (Content Management System) website that is vulnerable to an authenticated remote code execution vulnerability through a file upload functionality. We upload a malicious PHP script and get code execution, which lands us a shell on the box. Looking around, we find a backup file containing valid credentials for a user and use those credentials to escalate our privileges to a different user on the box. Then, looking at the doas.conf file, we see that the user Kiran can run rsync as the root user without his password, and we exploit that misconfiguration to get root on the box. A really nice box, and thanks to the creator kiransau. A really fun box; without much more to say, let's jump in.

As always, we'll start off by running an nmap scan of the box; this enables us to find open ports on the box. It also identifies the different services that are running on the box, and if we are lucky we may find a service which is outdated and might have a vulnerability which we can easily exploit. Looking at the nmap results, you can see that 3 ports are open:

SSH, and two HTTP ports

The SSH service requires credentials, and we don't even have a valid username which we could use to perform a brute force attack, so we'll have to keep SSH in our back pocket for now. I started by enumerating HTTP (websites).

From the nmap results you can see that we have two HTTP ports open.

Opening the web service running on port 80, we get a standard web page.

Opening the HTTP service running on port 8085, we get an HTTP server that is also running gunicorn, meaning it's a Flask web application, and it appears to be a gaming site.

Going back to the description of the room, we see that the author of the room wrote:

The developers have added anti-cheat measures to their game. Are you  able to defeat the restrictions to gain access to their internal CMS?

And for this reason I decided to enumerate port 8085 first.

Taking a further look at the web application, you can see that we can guess a number, and if it's correct we will be provided a path.

This is where fuzzing comes in handy: since we don't really know the right number, we'll have to try different number combinations till we hit the right one. So I intercepted the request using Burp Suite and forwarded it to the Intruder tab.

Then I used the numbers payload from Burp Suite and started to fuzz, hoping that maybe it would hit the right number.

But after a while I got an error saying

rate limit execeeded

And the app then blocks our requests. After about 10 seconds we are allowed to guess a number again. But taking a closer look at the web application's response headers, we see some headers which are not standard:

X-RateLimit-Limit: 10
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1611357883
Retry-After: 22

The first thing I did was go online and search whether there was a way I could bypass those header restrictions, and I found some articles that provided ways to bypass that restriction using some headers.

I copied those headers to a file and decided to create a simple Python brute forcer which would include all those headers in the requests it made and determine if it could bypass the restrictions.

Below is a portion of the exploit script I created. If you are not using Burp Suite Pro the Intruder can be slow, and that's why I created the Python script.

I saved the script after I had finished coding and ran it.

We can see that some headers had already failed to bypass the restriction that the web application has, but I let the program run for some time while I did other enumeration. I decided to run Gobuster on port 80 since we had not done it before. Gobuster is a tool used to brute-force URIs, including directories and files, as well as DNS subdomains.

Going back to the script, it had found the right number and given us a path.
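Why a request header can reset the failed-guess counter at all, shown from the server side as an added example (not code from the room or from the original script): a limiter that charges requests to a client-written header beside one that only trusts its own proxy. The writeup does not say which header worked, so X-Forwarded-For stands in here, and the 60-second window and proxy range are assumptions.

```python
import ipaddress
from collections import defaultdict

LIMIT, WINDOW = 10, 60  # 10 matches X-RateLimit-Limit above; the 60 s window is an assumption
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]  # constructed: our own reverse proxy

class Limiter:
    """Sliding-window counter; key_func decides who a request is charged to."""
    def __init__(self, key_func):
        self.key_func = key_func
        self.hits = defaultdict(list)

    def allow(self, peer_ip, headers, now):
        key = self.key_func(peer_ip, headers)
        recent = [t for t in self.hits[key] if now - t < WINDOW]
        allowed = len(recent) < LIMIT
        if allowed:
            recent.append(now)
        self.hits[key] = recent
        return allowed

def naive_key(peer_ip, headers):
    # Weak: the client writes this header, so every new value gets a fresh counter.
    return headers.get("X-Forwarded-For", peer_ip)

def hardened_key(peer_ip, headers):
    # Honour the header only when the TCP peer is our proxy, and take the hop it appended.
    if any(ipaddress.ip_address(peer_ip) in net for net in TRUSTED_PROXIES):
        last_hop = headers.get("X-Forwarded-For", "").split(",")[-1].strip()
        try:
            return str(ipaddress.ip_address(last_hop))
        except ValueError:
            pass  # missing or malformed header: fall back to the peer address
    return peer_ip

def count_allowed(key_func, requests):
    limiter = Limiter(key_func)
    return sum(limiter.allow(peer, hdrs, now=i * 0.1) for i, (peer, hdrs) in enumerate(requests))

# Constructed traffic: one client, 40 guesses, a different header value on each request
SAMPLE = [("203.0.113.7", {"X-Forwarded-For": f"198.51.100.{i}"}) for i in range(40)]

if __name__ == "__main__":
    print("naive:", count_allowed(naive_key, SAMPLE))
    print("hardened:", count_allowed(hardened_key, SAMPLE))
```

With the naive key every guess is accepted; with the hardened key the same client is cut off after the tenth.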

On port 80 I decided to navigate to that path and voila, I got a CMS (Content Management System) instance called Mara CMS.

The first thing I did was check if it had any vulnerability by searching for it using exploitdb.

Looking at the results returned by searchsploit, we get one exploit, which is a remote code execution, but it's authenticated, meaning we need to have valid credentials to access any admin-protected content. Searching around, I found the login URL of the CMS to be

http://ipaddress/YouGotTh3P@th/index.php?login=

I tried the default credentials for the web application, which are

admin:changeme

And by luck I got in.

The web application is vulnerable to an insecure file upload, which in turn leads to code execution.

Using the URL

http://ipaddress/YouGotTh3P@th/codebase/dir.php?type=filenew

I was presented with an upload functionality. On my box I created a simple PHP payload which, when uploaded to the server, would give me code execution.

Then I uploaded the file to the server.

After I had clicked the Start Upload button, I got a message saying that the upload was successful and was also given the exact path where the file was stored.

I navigated to that path using Mozilla and found that the file existed,

since we didn't get a 404 NOT FOUND, as seen in the screenshot above. On adding the parameter which I had specified in the PHP payload, I got code execution.

Sweet. Next I intercepted the request using Burp Suite and sent it to the Repeater tab. My goal was now to get a shell on the box. First I set up a netcat listener on port 9001.

Then I added a bash reverse shell payload to the parameter in Burp Suite and forwarded the request.

Going back to my netcat listener, I had a shell on the box.

Next I decided to look at the CMS config file, because if I got a password or hash we could use it to escalate our privileges. I got some hashes, but they turned out to be a dead end.

But on doing further enumeration in

/var/backups/

there was a backup file which had credentials.

And we have read access on the file, sweet. Taking a look at the file, we find credentials for the user kiran.

I tried to use those credentials to escalate my privileges to the kiran user and it worked.

I had a shell as kiran.

From here I downloaded linpeas to the box and specified that it should perform all checks.

After linpeas had finished running, I found out that kiran could run rsync as the root user without providing root's password. This was a misconfiguration on its own.

Looking at GTFOBins, there is a way we could get a shell using rsync.

So I tried executing the command as the kiran user.

The command was

doas -u root rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null

Looking at the screenshot above, I was root on the box. Sweet.
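To catch this kind of rule before someone else does, the following added example (not from the original writeup, and not the doas.conf from the box) audits doas.conf text for permit rules that give root through an unrestricted or shell-capable command. The sample rules and the SHELL_CAPABLE shortlist are constructed assumptions; only the kiran/rsync/no-password combination comes from the walkthrough.

```python
import os
import shlex

# Assumed shortlist of binaries that can spawn a shell; rsync is the one from this walkthrough.
SHELL_CAPABLE = {"rsync", "vi", "vim", "find", "tar", "less", "awk", "env", "sh", "bash"}
FLAG_OPTIONS = {"nopass", "nolog", "persist", "keepenv"}  # setenv { } is not parsed here

def parse_rule(line):
    """Parse one rule: permit|deny [options] identity [as target] [cmd command [args ...]]."""
    tokens = shlex.split(line, comments=True)
    if not tokens or tokens[0] not in ("permit", "deny"):
        return None
    rule = {"action": tokens[0], "options": set(), "identity": None,
            "target": None, "cmd": None, "args_pinned": False}
    rest = tokens[1:]
    while rest and rest[0] in FLAG_OPTIONS:
        rule["options"].add(rest.pop(0))
    if rest:
        rule["identity"] = rest.pop(0)
    if len(rest) >= 2 and rest[0] == "as":
        rule["target"], rest = rest[1], rest[2:]
    if len(rest) >= 2 and rest[0] == "cmd":
        rule["cmd"] = rest[1]
        rule["args_pinned"] = "args" in rest[2:]
    return rule

def audit(conf_text):
    """Return (line_no, identity, cmd, reason) for permit rules that hand out root too freely."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None or rule["action"] != "permit":
            continue
        if rule["target"] not in (None, "root"):  # no "as" clause means any target, root included
            continue
        pw = "without a password" if "nopass" in rule["options"] else "with a password"
        if rule["cmd"] is None:
            findings.append((line_no, rule["identity"], None, f"any command as root {pw}"))
        elif os.path.basename(rule["cmd"]) in SHELL_CAPABLE and not rule["args_pinned"]:
            findings.append((line_no, rule["identity"], rule["cmd"],
                             f"shell-capable command as root {pw}, arguments not pinned"))
    return findings

# Constructed doas.conf rules, not the file from the box
SAMPLE = """permit persist admin as root
permit nopass kiran as root cmd rsync
permit nopass backup as root cmd /usr/bin/rsync args -a /srv/ /mnt/backup/
deny kiran cmd /bin/sh
"""
```

The third rule is not reported because an `args` clause pins the exact argument list, so no extra options such as `-e` can be passed.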

Going to kiran's home directory, we had the user flag.

Going to root's folder, we also had the root flag.

You can submit the box flags and earn the points on TryHackMe, but the box is done!! I hope you enjoyed the walkthrough; if so, clap for me down below and follow me so that you won't miss any upcoming article. The Python script will be available on my GitHub page once this writeup goes live.

Penetration Tester/Analytical Chemist who Loves Cybersecurity. GitHub(https://github.com/musyoka101), ExploitDB(https://www.exploit-db.com/?author=10517)