Cybersecurity, File Inclusion, Misconfigured Permissions, Hacking

TryHackMe — Expose Walkthrough

A walkthrough with my tactics, techniques, and procedures.

xocybersec
5 min read · Jan 8, 2024

Reconnaissance/Scanning:

I started off by scanning the machine to see which ports were open and which services were running on them.

$ nmap -A -O -sC -sV -p- <machine_IP>
[Image: Nmap scan results]

Next, I ran gobuster on the webpage on port 1337.

[Image: Initial results from gobuster]

Then I ran gobuster on the /admin directory.

[Image: Results from /admin directory scan]

And on the /admin_101 directory.

[Image: Results from /admin_101 directory scan]

Vulnerability assessment:

I found something worth noting in the script.js file located in the /assets directory, which must be what the chat.php page uses.

[Image: script.js snippet]

There was also a login field on the /phpMyAdmin directory. I tried logging in with basic credentials and got an error message.

[Image: phpMyAdmin login error]

I used Burp Suite to capture a login request and fed it to sqlmap to see if I could get any information, but had no luck with that page.

I visited /admin to see:

[Image: /admin page]

That was the same on /admin_101.

However, when trying to log in to both pages, /admin_101 returned an alert error.

Exploit:

Since I got an error, I captured that request with Burp Suite, saved it to a text file, ran it through sqlmap and got a few hits!

[Image: Dumped database 1]

Now I know there's a user whose name starts with the letter "Z".

[Image: Dumped database 2]

Visiting /file1010111/index.php:

[Image: /file1010111/index.php]

Entering the cracked password then shows this:

[Image: Result after entering the password]

Time for some parameter fuzzing, then.

I used gobuster once more to see whether I could find a parameter on that page that would include the /etc/passwd file.

# using the FUZZ keyword to substitute each word from the wordlist as the parameter name, looking for local file inclusion
$ gobuster fuzz -u "http://<machine_IP>:1337/file1010111/index.php?FUZZ=/etc/passwd" -w /path/to/wordlist
[Image: Found parameter to exploit]

Now I have the username that starts with "Z" and a local file inclusion vulnerability!

[Image: /etc/passwd via LFI]

Visiting /upload-cv00101011/index.php:

[Image: Upload form on /upload-cv00101011/index.php]
[Image: Source code from page]

After uploading a PHP reverse shell I got this message:

NOTE: I did have to change the extension to .png to upload it.

[Image: Upload success message]

I didn't see anything in the source code, so I uploaded another image, captured the request with Burp Suite and found the path the uploads are sent to.

[Image: Location where uploads are sent]

Now to access the shell, I had to visit hxxp[:]//<machine_IP>:1337/file1010111/index.php?file=../upload-cv00101011/upload_thm_1001/shell.php.png

NOTE: Since /file1010111/index.php had the LFI vulnerability, its file parameter is the injection point for reaching the uploaded reverse shell file.
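As an added illustration (not code from the original post or from the room itself), here is a Python sketch of the two checks this chain abuses: a containment check for the file parameter that the LFI page lacks, and an upload check that rejects double extensions and content that does not match the declared type. Function names and the sample paths are my own assumptions.

```python
import os
from typing import Optional

# Constructed sample inputs (not from the original page): a normal include
# request and the traversal value used above to reach the uploaded shell.
SAFE_REQUEST = "about.html"
TRAVERSAL_REQUEST = "../upload-cv00101011/upload_thm_1001/shell.php.png"

# Hypothetical allowlist of upload types mapped to their magic bytes.
ALLOWED_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}


def resolve_include(base_dir: str, requested: str) -> Optional[str]:
    """Return the absolute path for `requested` only if it stays under base_dir.

    The page's /file1010111/index.php includes whatever the file parameter
    names; resolving the path first and refusing anything outside base_dir
    blocks the ../ hop into the upload directory.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        return None  # escaped base_dir (e.g. via ../)
    return target


def upload_is_acceptable(filename: str, content: bytes) -> bool:
    """Accept an upload only with one allowed extension and matching magic bytes.

    Checking the extension alone is what let shell.php.png through; note that
    even a real PNG can carry PHP text, so this check is defence in depth and
    resolve_include() is what actually stops the include from executing it.
    """
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2 or not parts[0]:  # rejects "shell.php.png" and ".png"
        return False
    magic = ALLOWED_MAGIC.get("." + parts[1])
    return magic is not None and content.startswith(magic)


if __name__ == "__main__":
    base = "/var/www/html/file1010111"  # assumed web root for the include page
    print(resolve_include(base, SAFE_REQUEST))       # inside base: a path
    print(resolve_include(base, TRAVERSAL_REQUEST))  # escapes base: None
    print(upload_is_acceptable("shell.php.png", ALLOWED_MAGIC[".png"]))  # False
```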

I used the Python one-liner to upgrade my shell to an interactive TTY.

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
[Image: Proof of shell]

I checked the home directory for other users aside from the one I already knew of. Just “Z”.

Inside the user’s home directory were two files.

[Image: Contents of user Z's home directory]

I couldn't read the flag file, but, even better for me, I could view the ssh_creds text file.

[Image: Contents of ssh_creds file]

Privilege Escalation:

I got an SSH session going and I got the user flag!

[Image: Proof of flag.txt]

Checking for low-hanging fruit such as cron jobs, commands I could run as root, or anything in writable directories was a dead end.

However, when checking for binaries with the SUID bit set I had some luck.

$ find / -perm -u=s -type f 2>/dev/null
[Image: Results from command above]

There are a few ways to get the root flag: either escalate to a root shell, OR just read the file through the SUID binaries as the current user!

Escalating to root via find command:

$ /usr/bin/find . -exec /bin/sh -p \; -quit
[Image: Proof of root flag.txt with privilege escalation]

As current user:

Using SUID nano to read the root flag.txt file.

$ nano /root/flag.txt
[Image: Proof of root flag.txt as current user using nano]

You could also use the SUID find binary to execute a command.

# using find to cat the flag.txt file in the /root directory
$ /usr/bin/find /root -exec cat "/root/flag.txt" \;
[Image: Proof of root flag.txt as current user using find]

Reporting:

It is recommended to add input validation and use parameterised queries for the database to prevent the SQL injection, and to validate the file parameter against an allowlist to prevent the LFI vulnerability.

Also add validation checks to make sure only the expected file types are uploaded and that their contents are safe.

Add a salt/pepper to hashes and use a strong cryptographic hash function such as SHA256, or better still a dedicated password hashing function such as bcrypt or Argon2.

Turn off anonymous login for the FTP server.

Check that permissions on all files/binaries are set correctly, and remove the SUID bit from binaries such as find and nano that do not need it.
