TryHackMe Walkthrough | LOCKDOWN

Tanmay Deshpande
Published in CYSCOM VITCC
Oct 15, 2021

This is a CTF walkthrough of the THM machine Lockdown, a medium-difficulty challenge. Let's get started.

Link: https://tryhackme.com/room/lockdown

NMAP

First, we run a port scan with Nmap.

nmap -sV -sC 10.10.251.57

We can see that there are only two open ports on the machine: one for SSH and one for an HTTP web server.

PORT 80(HTTP)

Visiting the web page redirects us to http://contacttracer.thm, so we need to add that hostname to the /etc/hosts file.

After adding the domain name to the file, we see a login portal.

Trying a simple SQL injection for login bypass, I got through using ' or 1=1 -- -
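The bypass works because the login query is built by concatenating the submitted username straight into the SQL string, so the quote closes the literal and the comment discards the password check. The following Python script is an added example, not code from the Lockdown room or its contact tracer application: it stands up an in-memory SQLite table with one constructed account and runs the same payload against a string-built query and a parameterized one. The table layout, the column names and the sha256 password storage are assumptions made for the demo.

```python
"""Login-bypass demo: string-built SQL beside a parameterized query.

Added, constructed example; not the contact tracer application's code.
An in-memory SQLite table stands in for the app's MySQL users table.
"""
import hashlib
import sqlite3

# Payload from the walkthrough: closes the username literal, makes the
# WHERE clause always true, and comments out the password comparison.
BYPASS_PAYLOAD = "' or 1=1 -- -"


def _hash(password: str) -> str:
    """Constructed storage format for the demo: hex sha256 of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Create a throwaway users table holding one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        ("admin", _hash("constructed-admin-password")),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the query by string formatting: the username is parsed as SQL."""
    query = (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"AND password = '{_hash(password)}'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: the username is bound as data, never parsed as SQL."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, _hash(password)),
    ).fetchone()
    return row is not None


def demo() -> dict:
    """Run the payload against both versions and a normal login against the safe one."""
    conn = build_db()
    return {
        "vulnerable_bypassed": login_vulnerable(conn, BYPASS_PAYLOAD, "anything"),
        "safe_bypassed": login_safe(conn, BYPASS_PAYLOAD, "anything"),
        "safe_valid_login": login_safe(conn, "admin", "constructed-admin-password"),
    }


if __name__ == "__main__":
    print(demo())
```

The concatenated version accepts the payload with any password, while the bound-parameter version does not and still accepts the real credentials. In a PHP application the equivalent fix is a prepared statement with bound parameters (mysqli or PDO) instead of interpolating $_POST values into the query text.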

We can also run a directory scan against the web server on port 80.

dirb http://contacttracer.thm/

We found a few directories, but we were not authorized to access them.

On further enumeration I came across a profile page that allows us to upload our data, including a profile image:

I uploaded a PHP reverse shell instead of the image. Don't forget to start a netcat listener in the background first.

After that, log out and go to login.php. We find that the original image has been replaced, and viewing the image location takes us to the uploads directory, where the uploaded file is served.
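The upload handler accepts a .php file as a profile image and stores it under a web-served uploads directory, where the server executes it. The following Python code is an added example, not the application's code, showing the checks that would stop that: an extension allowlist, a magic-byte check that the content really is the declared image type, and a server-generated filename so the client-supplied name is never used on disk. The allowlist, the magic-byte table and the sample uploads are all constructed for the demo.

```python
"""Profile-image upload validation.

Added, constructed example; not the contact tracer application's code.
The checks shown are the ones whose absence lets a .php file land in a
web-served uploads directory.
"""
import os
import secrets
from typing import Tuple

# Leading bytes of the image formats we accept (constructed allowlist).
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def validate_image(filename: str, data: bytes) -> str:
    """Return the accepted extension for this upload or raise UploadRejected.

    Only the last extension counts, so 'shell.png.php' is a .php upload and is
    rejected, while 'shell.php.png' must still carry real PNG content.
    """
    base = os.path.basename(filename)            # strip any path components
    ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
    if ext not in MAGIC:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    if not data.startswith(MAGIC[ext]):
        raise UploadRejected(f"content is not a {ext} image")
    return ext


def server_filename(ext: str) -> str:
    """Random name with the validated extension; the client name is never reused."""
    return f"{secrets.token_hex(16)}.{ext}"


def handle_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, stored_name_or_rejection_reason)."""
    try:
        ext = validate_image(filename, data)
    except UploadRejected as exc:
        return False, str(exc)
    return True, server_filename(ext)


# Constructed sample uploads: a PNG header, a PHP stand-in, and three disguises.
PNG_BYTES = MAGIC["png"] + b"\x00" * 16
PHP_BYTES = b"<?php /* constructed stand-in for an uploaded script */ ?>"
SAMPLES = {
    "avatar.png": PNG_BYTES,
    "shell.php": PHP_BYTES,
    "shell.php.png": PHP_BYTES,       # image extension, script content
    "shell.png.php": PNG_BYTES,       # image content, script extension
    "../../avatar.png": PNG_BYTES,    # path traversal in the client name
}


def demo() -> dict:
    """Run every sample through the handler; True means it would be stored."""
    return {name: handle_upload(name, data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:20s} -> {handle_upload(name, data)}")
```

Only the two genuine PNG uploads are accepted, and the traversal attempt is stored under a random server-side name. Independently of validation, keep the uploads directory outside the document root or serve it with script execution disabled, so a validation miss cannot turn an upload into code execution.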

Checking our nc listener:

NICE! We got the SHELL

Stabilizing the shell

Shells obtained through a reverse connection are generally limited in functionality: commands like su don't work, there is no tab completion or arrow-key history, text editors such as vim don't work properly, and pressing Ctrl+C by mistake kills the process and drops the whole connection. Therefore we upgrade to a fully interactive shell using the following commands.

Now let's enumerate to get the user. In the config.php file we find a reference to classes/DBConnection.php.

Checking that file, we find the MySQL database credentials.

Using these credentials we get access to the database and, looking through the tables, find the admin password hash.

Using an online cracking website (crackstation.net) we get our password.

Password: sweetpandemonium

Checking the users on the box, we get in as user cyrus using the above password: it is reused for the system account.

We find user.txt and get the USER FLAG.

Privilege Escalation

Running sudo -l, we find that the cyrus user can run /opt/scan/scan.sh as root.

The script asks for the path of a file. If the file exists and is readable, it scans it for viruses with clamscan; if the file is flagged as infected, it moves it to /home/cyrus/quarantine and makes cyrus the owner of that file.

Run the script on the sample testvirus file provided in our home directory.

We can see that the file has been copied to /home/cyrus/quarantine.

I also tried running the script on /root/root.txt, but since the file isn't infected it was not copied to quarantine.

So we need a custom virus signature that makes clamscan flag root.txt as infected, so that the script copies it to the quarantine directory.

On further searching we found that ClamAV can load custom signatures written as YARA rules.

https://docs.clamav.net/manual/Signatures/YaraRules.html

We create a rule.yara file containing the following rule:

rule root
{
    strings:
        $abc = "THM"
    condition:
        $abc
}

Save the file above in /var/lib/clamav, then run the scan script with sudo /opt/scan/scan.sh and pass /root/root.txt as the target.

We can see that the number of viruses has increased to 2, and root.txt is copied to the quarantine directory.
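The escalation works for two reasons: the root-run script reads and moves any file whose path the caller supplies, and the caller can write into ClamAV's database directory (/var/lib/clamav), so any file can be declared infected. The following Python model is an added example, not the room's /opt/scan/scan.sh: it canonicalises the user-supplied path (symlinks and '..' included), refuses anything that resolves outside the caller's home directory, and quarantines without changing ownership. The detection step is injected as a callable standing in for clamscan, and the directories and files exercised by demo() are constructed in a temporary directory.

```python
"""Path-confined quarantine for a root-run scan helper.

Added, constructed example; not the Lockdown room's /opt/scan/scan.sh.
The invoking user's home directory is the only tree the helper acts on,
and quarantined files keep their original owner.
"""
import shutil
import tempfile
from pathlib import Path
from typing import Callable


def resolve_target(user_input: str, home: Path) -> Path:
    """Canonicalise user_input and require that it lies inside home.

    Relative inputs are taken relative to home. Symlinks and '..' are resolved
    before the containment check, so a link inside home that points outside it
    is rejected just like an absolute path outside home.
    """
    home_real = home.resolve()
    candidate = Path(user_input)
    if not candidate.is_absolute():
        candidate = home_real / candidate
    target = candidate.resolve()
    try:
        target.relative_to(home_real)
    except ValueError:
        raise PermissionError(
            f"refusing {user_input!r}: resolves to {target}, outside {home_real}"
        ) from None
    if not target.is_file():
        raise FileNotFoundError(f"{target} is not a regular file")
    return target


def scan_and_quarantine(user_input: str, home: Path, quarantine_dir: Path,
                        is_infected: Callable[[Path], bool]) -> str:
    """Scan one file under home and move it into quarantine_dir if flagged.

    is_infected stands in for the clamscan call. No chown is performed, so
    quarantining never grants the caller access they did not already have.
    """
    target = resolve_target(user_input, home)
    if not is_infected(target):
        return "clean"
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    shutil.move(str(target), str(quarantine_dir / target.name))
    return "quarantined"


def demo() -> dict:
    """Exercise the helper on a constructed layout inside a temporary directory."""
    tmp = Path(tempfile.mkdtemp())
    home, outside = tmp / "home", tmp / "outside"
    home.mkdir()
    outside.mkdir()
    (home / "testvirus").write_text("constructed marker file\n")
    (outside / "secret.txt").write_text("constructed root-only file\n")
    (home / "link").symlink_to(outside / "secret.txt")   # escape attempt via symlink
    quarantine = home / "quarantine"

    def detector(path: Path) -> bool:
        # Constructed detector: flags only the sample file, like the room's testvirus.
        return path.name == "testvirus"

    results = {}
    results["sample"] = scan_and_quarantine("testvirus", home, quarantine, detector)
    results["sample_moved"] = (quarantine / "testvirus").is_file()
    escapes = (
        ("symlink_out", "link"),
        ("absolute_out", str(outside / "secret.txt")),
        ("dotdot_out", "../outside/secret.txt"),
        ("root_txt", "/root/root.txt"),
    )
    for label, path in escapes:
        try:
            # A detector that flags everything: containment alone must stop these.
            scan_and_quarantine(path, home, quarantine, lambda _p: True)
            results[label] = "allowed"
        except PermissionError:
            results[label] = "refused"
    shutil.rmtree(tmp)
    return results


if __name__ == "__main__":
    print(demo())
```

With the containment check in place, the sample file is quarantined as before, while the symlink, '..', absolute-path and /root/root.txt attempts are refused before any scan runs. Whether or not the helper checks paths this way, the signature directory itself should be owned by root and not writable by the sudo-enabled user; otherwise the detection step is under that user's control.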

We got the ROOT FLAG

It was a simple machine overall: basic SQL injection, a reverse shell, and pulling a hash from the database. The only thing that took time was understanding the clamscan and YARA documentation; I really had to google a lot to find a way through.

CHEERS!

Connect with me on LinkedIn
