En-pass Tryhackme Writeup
By Shamsher Khan. This is a writeup of the TryHackMe room "En-pass".
Room link: https://tryhackme.com/room/enpass
Note: This room is free
Nmap Scan
We have only two ports open: SSH on port 80 and an HTTP server on port 8001, and the banner tells us this is an Ubuntu box. Since there is not much to look into on the SSH service, let us start the enumeration with the HTTP service on port 8001.
HTTP service on Port 8001
Gobuster
gobuster dir -u http://10.10.200.74:8001/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html
Gobuster on /web
gobuster dir -u http://10.10.200.74:8001/web -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html
Gobuster on /web/resources
gobuster dir -u http://10.10.200.74:8001/web/resources -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html
Gobuster on /web/resources/infoseek
gobuster dir -u http://10.10.200.74:8001/web/resources/infoseek -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html
Gobuster on /web/resources/infoseek/configure
gobuster dir -u http://10.10.200.74:8001/web/resources/infoseek/configure -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html
Visiting /web/resources/infoseek/configure/key
We get an encrypted private key.
I tried to crack the key's passphrase with ssh2john and john, but john did not crack it because the password is not in rockyou.txt.
curl http://10.10.200.74:8001/web/resources/infoseek/configure/key > hash
Visiting /zip
We get a listing of about 100 zip files. As we can see in the picture, all of the zip files have the same modification date and size, except the file a.zip.
Downloading a.zip first
Extracting the content
As I manually extracted the zip files, every one of them contained a file called a, and the content of that file was sadman.
Downloading and extracting remaining zip files
for i in `seq 1 100`; do wget -q http://10.10.200.74:8001/zip/a$i.zip && unzip a$i.zip && cat a && rm a && rm a$i.zip; done
This went on and all I got was sadman.
This was a dead end, so let's continue with our enumeration.
Visiting /reg.php
If we input something, e.g. 1234, the response from the server contains the following PHP code:
So we need to bypass the filter in the code to move forward. Reading the code, the following conditions must be met for the input to pass the filters:
- Lowercase/uppercase letters and digits are not allowed.
- The input is split into chunks with ',' as the delimiter, and the individual chunks must have certain lengths as specified in the code. A sum variable is computed from the matching conditions and compared with the value 9; if it matches, we get the result, which is the way forward.
I used an online PHP compiler to debug the code and finally figured out the input that gives us the result. The input can contain symbols, so I used '$' and made the individual chunks the required lengths.
Checking the source
There is a PHP code with some checks implemented. And the code says we will get what we need if we pass the checks being implemented.
Final PHP Code
<?php
$title = "$$,$$,$$,$$$,$$,$$,$$,$$,$$$";
if (!preg_match('/[a-zA-Z0-9]/i', $title)) {
    $val = explode(",", $title);
    $sum = 0;
    for ($i = 0; $i < 9; $i++) {
        if ((strlen($val[0]) == 2) and (strlen($val[8]) == 3)) {
            if ($val[5] != $val[8] and $val[3] != $val[7])
                $sum = $sum + (bool)$val[$i]."<br>";
        }
    }
    if (($sum) == 9) {
        echo $result; // do not worry you'll get what you need.
        echo " Congo You Got It !! Nice ";
    }
    else {
        echo " Try Try!!";
    }
}
else {
    echo " Try Again!! ";
}
The condition is that our POST variable title must not contain any alphanumeric characters. After that, explode() with ',' breaks our title variable into an array. Looking at the for loop, we have to pass the title variable such that there are 9 elements in the array, so we have to use 8 commas (,) in our title variable; a few simple checks are applied afterwards.
Submitting the payload
$$,$$,$$,$$$,$$,$$,$$,$$,$$$
And we get the password. Now we can try if this is the password for that key.
Trying to decrypt the key with the obtained password
Edit rockyou.txt, paste the password into it and run john again to check
Yes the password is correct
OR you can check by this method
And we successfully decrypt the key. Since SSH is open, we can try to log in with this private key, but the problem is that we do not have a username yet.
I have spent a fair amount of time here.
Checking /403.php
Looking at the page, it seemed we had to bypass this 403 Forbidden response to get what we were looking for, i.e. the username. The hint provided by the creator also suggested this was the right path.
So I manually tried a bunch of custom headers and similar tricks but was not able to bypass the check. Then I searched for and downloaded a few GitHub tools that try multiple payloads to bypass a 403 error. One of those tools got what I wanted, and the check was bypassed.
Fuzzing with 403fuzzer
Cloning the repo
It is nice that it has an option for a proxy, so we can analyse the whole traffic in Burp Suite.
Running the exploit
While the tool was running, I observed the responses in Burp Suite, and one request got a different response length with status code 200.
Do not turn Intercept on.
Yes, we got the user imsau.
Another Method
curl "http://10.10.40.95:8001/403.php/..;/"
Again we got the user imsau.
Get into shell
Privilege Escalation
I ran linpeas first and did not get much information from it. As I was manually looking through different directories, I found a scripts directory in /opt.
It loads the content of the file /tmp/file.yml and passes it to the yaml.load() function.
Checking if /tmp/file exists
And there is no /tmp/file.yml.
This means that we can create a file called /tmp/file.yml with arbitrary content, and this content will be passed to the yaml.load() function. I checked online and found that this can be used to execute code on the box: it is deserialization of untrusted user input.
Even though this code is vulnerable, we still need some way to get this script executed as root.
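As an added illustration of how to spot the pattern the author found in /opt/scripts/file.py (this is not code from the room or the writeup), the following Python check walks a script's syntax tree and flags yaml.load() calls that do not pin a safe Loader. The two sample sources are constructed here; only SafeLoader, CSafeLoader and BaseLoader are treated as safe for untrusted input.

```python
import ast

# Constructed sample: the shape of script the writeup describes, reading
# /tmp/file.yml and handing it to yaml.load() with no Loader argument.
UNSAFE_SRC = '''
import yaml
with open("/tmp/file.yml") as f:
    data = yaml.load(f)
'''

# Constructed sample: the same script after remediation.
SAFE_SRC = '''
import yaml
with open("/tmp/file.yml") as f:
    data = yaml.safe_load(f)
other = yaml.load(open("/tmp/file.yml"), Loader=yaml.SafeLoader)
'''

# Loaders that refuse python/object tags and so cannot build arbitrary objects.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader"}


def _name_of(node):
    """Return the trailing identifier of yaml.SafeLoader or SafeLoader."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def _is_yaml_load(call):
    func = call.func
    return (isinstance(func, ast.Attribute) and func.attr == "load"
            and isinstance(func.value, ast.Name) and func.value.id == "yaml")


def _loader_is_safe(call):
    for kw in call.keywords:
        if kw.arg == "Loader":
            return _name_of(kw.value) in SAFE_LOADERS
    if len(call.args) >= 2:          # positional Loader argument
        return _name_of(call.args[1]) in SAFE_LOADERS
    return False                      # no Loader given: defaults to the full Loader


def find_unsafe_yaml_loads(source):
    """Return line numbers of yaml.load() calls without a safe Loader."""
    return [node.lineno for node in ast.walk(ast.parse(source))
            if isinstance(node, ast.Call) and _is_yaml_load(node)
            and not _loader_is_safe(node)]
```

Running find_unsafe_yaml_loads over UNSAFE_SRC reports line 4, while SAFE_SRC produces no findings.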
Upload pspy into box
Run pspy on box
We can notice a few things in this image. There is a cron job executed by root every minute. It executes the script /opt/scripts/file.py, removes the file /tmp/file.yml, changes the owner of /tmp/file.yml, and then executes and deletes it again. It's kind of strange, to be honest. But what we can do is create a file with our malicious payload and run an infinite loop that copies this payload to /tmp/file.yml.
Content of shell.yml
We just set the SUID bit on the /bin/bash binary.
Executing infinite loop and watching the binary using watch
press Ctrl+c
And after a minute or so, the bash binary has SUID bit set on it.
Getting a root shell
You can find me on:
LinkedIn:- https://www.linkedin.com/in/shamsher-khan-651a35162/
Twitter:- https://twitter.com/shamsherkhannn
Tryhackme:- https://tryhackme.com/p/Shamsher
For more walkthroughs stay tuned…