The end of the VulnNet series.
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 bb:2e:e6:cc:79:f4:7d:68:2c:11:bc:4b:63:19:08:af (RSA)
|   256 80:61:bf:8c:aa:d1:4d:44:68:15:45:33:ed:eb:82:a7 (ECDSA)
|_  256 87:86:04:e9:e0:c0:60:2a:ab:87:8e:9b:c7:05:35:1c (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Not a lot open. We start gobuster and poke at the web app; it turns out we need to add vulnnet.thm to /etc/hosts.
Gobuster doesn’t find much initially, but ffuf finds a few subdomains, so we keep digging.
We discover that blog.vulnnet.thm is running Typo3 CMS.
There appear to be SQL injection vulnerabilities in Typo3, so we pop that into SQLmap and see if it comes up with anything…
It appears to be vulnerable and we see three databases to dump. Let’s have a look at blog and vn_admin.
Eventually we find a table (fe_users) that contains a username and hashed password.
Apparently Hashcat doesn’t handle these Argon2 hashes, so we have to use JTR. Cracking the hash takes an eternity with rockyou, but we did manage to pull a big password list out of the blog database; there has to be a reason for 600 passwords sitting in that table.
Phew, that did it. We now have a login for the CMS. Before we can upload a PHP reverse shell we have to change the deny filters.
We’ll remove everything from here and upload our reverse shell.
We can navigate to our shell; the directory is hidden, but we know it’s there.
And like that, we pop a shell as www-data.
After enumerating for quite a while we find that the user system has Firefox installed, which is always worth investigating.
From one of the profiles we extract Chris_W’s tryhackme.com login details.
For a moment it looks like it’s the same as their Typo3 password, but it’s different, so I’ll try it for the SSH login.
Whew, it worked. So we’ve got access now as system. We’re not allowed to run anything with sudo, so the route to root must be elsewhere.
We find an OpenSSL binary with the SUID bit set in our home directory; per GTFOBins, we can use that for arbitrary file read/write.
We can read /etc/shadow, dump it to a file and copy system’s password hash onto the root entry, then hopefully write it back and su to root.
cat /tmp/shadow.txt | ./openssl enc -out /etc/shadow
With the above command we overwrite /etc/shadow with our modified version, in which root’s password is the same as system’s.
It worked; we’re now root. Gobble up the flags and the box is done.
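A defender-side check for exactly the edit made above, added here as an example and not part of the original write-up: it parses shadow-format lines and flags accounts whose password field is empty or whose hash is byte-identical to another account’s (crypt hashes carry a random salt, so two identical hash strings only arise when one was copied). The shadow content below is constructed for the demo.

```python
# Added example (not from the write-up): audit shadow-format entries for
# copied hashes and empty password fields. SAMPLE_SHADOW is constructed data.
from collections import defaultdict

SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhashvalueAAAA:19000:0:99999:7:::
daemon:*:18000:0:99999:7:::
system:$6$constructedsalt$constructedhashvalueAAAA:19000:0:99999:7:::
guest::19000:0:99999:7:::
www-data:!:18000:0:99999:7:::
"""


def parse_shadow(text):
    """Return {username: password_field} for every well-formed shadow line."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line, skip rather than guess
        entries[fields[0]] = fields[1]
    return entries


def audit_shadow(text):
    """Return a list of (severity, message) findings for the given shadow text."""
    entries = parse_shadow(text)
    findings = []
    by_hash = defaultdict(list)
    for user, field in entries.items():
        if field == "":
            # Empty field means login with no password at all.
            findings.append(("high", f"{user}: empty password field"))
        elif field[0] not in "*!":
            # Skip locked/disabled accounts; group real hashes for comparison.
            by_hash[field].append(user)
    for users in by_hash.values():
        if len(users) > 1:
            # Salted hashes never collide by chance: one entry was copied.
            names = ", ".join(sorted(users))
            findings.append(("high", f"identical hash shared by: {names}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_shadow(SAMPLE_SHADOW):
        print(f"[{severity}] {message}")
```

Run against the real file (`sudo python3 audit.py < /etc/shadow` after swapping the constant for `sys.stdin.read()`) as part of a periodic integrity check alongside a hash of the file itself.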