battery — TryHackMe — Writeup

TonyRahmos
6 min readJan 21, 2021

--

Hello. I’m Rahmos. Here is my battery — TryHackMe — Writeup. Check it out!

1/ Enumeration

First, deploy the machine and nmap for opened ports.

nmap -A -T4 -p- -v <ip>

nmap
nmap

There’re 2 ports opened: 22(SSH), and 80(HTTP). As port 80 is opened, let’s access the website.

website

Page source(Ctrl+U):

page source

Well the page source does not help me much. Let’s find some hidden dirs using dirbuster:

After running dirbuster, I’ve found these hidden dirs:

dirbuster
dirbuster

After enumerate these folders(and files), I can only access /admin.php, /report.php and /scripts. All other folders need to be admin to access.

/forms.php
/acc.php

Ok so first let’s access /admin.php:

/admin.php

Well, looks like I can login here. But I haven’t got the credential yet! let’s register an account:

register
register

Ok so now login using the account I’ve just registered:

login

After login, I’ve been redirected to dashboard.php. In dashboard, I can access many hidden dirs above (/with.php(Withdraw Money), /depo.php(Deposit Money), /tra.php(Transfer Money)).

However, the most interesting folder is ‘Command’, which is /forms.php, can only be accessed by admin.

That’s everything I’ve got so far. Let’s access /report to see what’s in there:

report

It’s a binary file. Download it and use ghidra to decompile:

main function
main function
options function
update function
users function

So here’s the explanation of the code:

First, I need to login. If I login as guest:guest, I will have 2 options to choose:

1/ List available username

2/ Change password. In order to change password, I need to enter email as:
admin@bank.a”. So I think that this is the username for the admin account.
I cannot “Add users” and “Delete users”, as they’re not available for guest account.

Now let’s register an account as “admin@bank.a”:

Well I cannot. So the php code has checked the username string, if it’s ‘admin@bank.a’, then it will reject and show this notification.

I need to bypass this by adding null byte to the string. It’s commonly seen vulnerability in PHP website. It’s called null byte injection. You can learn more about this vuln here.

null byte injection

Here, I add “%00”, which is a null byte in url to the end of uname string. It will bypass the uname check, but still keep my username as ‘admin@bank.a’ And the response:

Now let’s login as admin@bank.a

Login

Navigate to ‘command’:

command (/forms.php)

Click ‘Send Message’ and use Burpsuite to catch the request:

You may notice that, this website use XML Entity to represent data.

XML Entities

So, it may be vulnerable to XXE (XML external entity) injection. You may learn more about it here.

I will modify the request like this to add read /etc/passwd file:

request

And here’s the response:

response

So I’ve got the /etc/passwd file! Looking at this, I know that there’re 3 users I can login: root, cyber, and yash

Keep using this vuln, I can read the source code of acc.php

Request:

request

Response:

response

Decode the string as base64, I’ve got cyber’s ssh credential:

cyber’s credential

Now SSH as cyber!

2/ Base flag

ssh

Get the Base flag:

flag1.txt

3/ User flag

Now I need to escalate to yash in order to see files inside his home:

Transfer LinEnum.sh to the machine using wget:

Then move it to /tmp, chmod 777 and run:

sudo permission

Well, cyber can run this python script as root without password needed! Let’s run this script as sudo:

run script

Well it does not help much. And I can’t view or edit this file, due to permission.

file’s permission

So let’s find another way. This time, find Kernel’s version:

Kernel’s version

This’s a very old kernel version. Search for exploit and I found this exploit on exploit-db. So, download the exploit code, compile and transfer to the target machine. Then ‘chmod +x’ and run the file:

get root

Now I’m root! Get the 2 remained flags.

user flag
root flag

The end.

HAPPY HACKING

--

--