battery — TryHackMe — Writeup

Hello. I’m Rahmos. Here is my battery — TryHackMe — Writeup. Check it out!

1/ Enumeration

First, deploy the machine and nmap for opened ports.

nmap -A -T4 -p- -v <ip>

There’re 2 ports opened: 22(SSH), and 80(HTTP). As port 80 is opened, let’s access the website.

Page source(Ctrl+U):

Well the page source does not help me much. Let’s find some hidden dirs using dirbuster:

After running dirbuster, I’ve found these hidden dirs:

After enumerate these folders(and files), I can only access /admin.php, /report.php and /scripts. All other folders need to be admin to access.

Ok so first let’s access /admin.php:

Well, looks like I can login here. But I haven’t got the credential yet! let’s register an account:

Ok so now login using the account I’ve just registered:

After login, I’ve been redirected to dashboard.php. In dashboard, I can access many hidden dirs above (/with.php(Withdraw Money), /depo.php(Deposit Money), /tra.php(Transfer Money)).

However, the most interesting folder is ‘Command’, which is /forms.php, can only be accessed by admin.

That’s everything I’ve got so far. Let’s access /report to see what’s in there:

It’s a binary file. Download it and use ghidra to decompile:

So here’s the explanation of the code:

First, I need to login. If I login as guest:guest, I will have 2 options to choose:

1/ List available username

2/ Change password. In order to change password, I need to enter email as:
admin@bank.a”. So I think that this is the username for the admin account.
I cannot “Add users” and “Delete users”, as they’re not available for guest account.

Now let’s register an account as “admin@bank.a”:

Well I cannot. So the php code has checked the username string, if it’s ‘admin@bank.a’, then it will reject and show this notification.

I need to bypass this by adding null byte to the string. It’s commonly seen vulnerability in PHP website. It’s called null byte injection. You can learn more about this vuln here.

Here, I add “%00”, which is a null byte in url to the end of uname string. It will bypass the uname check, but still keep my username as ‘admin@bank.a’ And the response:

Now let’s login as admin@bank.a

Navigate to ‘command’:

Click ‘Send Message’ and use Burpsuite to catch the request:

You may notice that, this website use XML Entity to represent data.

So, it may be vulnerable to XXE (XML external entity) injection. You may learn more about it here.

I will modify the request like this to add read /etc/passwd file:

And here’s the response:

So I’ve got the /etc/passwd file! Looking at this, I know that there’re 3 users I can login: root, cyber, and yash

Keep using this vuln, I can read the source code of acc.php

Request:

Response:

Decode the string as base64, I’ve got cyber’s ssh credential:

Now SSH as cyber!

2/ Base flag

Get the Base flag:

3/ User flag

Now I need to escalate to yash in order to see files inside his home:

Transfer LinEnum.sh to the machine using wget:

Then move it to /tmp, chmod 777 and run:

Well, cyber can run this python script as root without password needed! Let’s run this script as sudo:

Well it does not help much. And I can’t view or edit this file, due to permission.

So let’s find another way. This time, find Kernel’s version:

This’s a very old kernel version. Search for exploit and I found this exploit on exploit-db. So, download the exploit code, compile and transfer to the target machine. Then ‘chmod +x’ and run the file:

Now I’m root! Get the 2 remained flags.

The end.

HAPPY HACKING

I’m Groot