┌──(zero㉿zero)-[~]
└─$ rustscan 10.10.11.8
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
Faster Nmap scanning with Rust.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
😵 https://admin.tryhackme.com
[~] The config file is expected to be at "/home/zero/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.11.8:22
Open 10.10.11.8:5000
[~] Starting Nmap
[>] The Nmap command to be run is nmap -vvv -p 22,5000 10.10.11.8
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-10 16:25 PDT
Initiating Ping Scan at 16:25
Scanning 10.10.11.8 [2 ports]
Completed Ping Scan at 16:25, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:25
Completed Parallel DNS resolution of 1 host. at 16:25, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 16:25
Scanning 10.10.11.8 [2 ports]
Discovered open port 22/tcp on 10.10.11.8
Discovered open port 5000/tcp on 10.10.11.8
Completed Connect Scan at 16:25, 0.18s elapsed (2 total ports)
Nmap scan report for 10.10.11.8
Host is up, received conn-refused (0.098s latency).
Scanned at 2024-04-10 16:25:06 PDT for 0s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
5000/tcp open upnp syn-ack
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
There are 2 open ports here, 22/ssh and 5000/upnp. A upnp is a universal plug and play protocol which is used for port forwarding.
I also ran an nmap scan to see if I could find a URL. The following result gave me something quite interesting:
I will come back to that, but first I need to check the website itself. Since I couldn’t find an actual website address I tried navigating to the upnp port. Once there I found this webpage, it seems like this might be the landing page for a future website.
Press enter or click to view image in full size
Clicking the button “For questions” led to me this page:
Press enter or click to view image in full size
The next thing to do is to find any additional URLs that might be hiding, so I ran a Fuzzscan:
Okay so there seems to be a dashboard that I sadly can’t access when I navigate to it.
Next I searched for current vulnerabilities for the platforms that were running. Wekzeug(2.2.2) and Python(3.11.2). Wekzeug had some pretty interesting vulnerabilities, one VERY recent one for RCE (remote code execution) and a couple more that could trigger a DDoS attack. These didn’t seem to be useful for my needs so I moved on.
Python(3.11.2) had a URL Parse vulnerability that uses blank chars to get around blocklists set up by the host. I am not sure this is what I am after either, since there is no block list to get around her say (CVE-2023–24329).
There were 2 other exploits that I found that could potentially give me a foothold onto the system: CVE-2023–40217 and CVE-2023–27043. None of which resulted in anything of value.
Next I tried just using the support page to send a message to get shell access. Using this:
Above is what I got back as a response. Whoops! So it looks like the comment box can actually take commands. So with this information plus the odd cookie value that I had gotten before, I needed to do some research.
The answer and potential vulnerability was with XSS to steal a cookie. After researching a fair bit this was the piece of code that would hopefully result in me getting stealing an admin cookie:
The above code tries to create an image, with its source (src) being ‘x’. This would throw an error, since x isn’t an image format. Thus triggering the onerror portion of the code. This would then try and fetch something from my machine, but also send a cookie back to my machine as part of the fetch request.
This is the above response I got when intercepting the submit button request on the website. I did have to find a place to plant my payload in Burp Suite, I messed around with a few options before landing a successful entry in the User-Agent field. You can see this broken image in the below screenshot.
With this new cookie, I should now be able to log in to the websites back end as the admin.
Press enter or click to view image in full size
Permission elevation
I am learning a lot about Burpe Suite from this box. While digging a little more on how I could possibly get any further, I discovered that I could slam some commands in an intercepted packet to probe further.
Using this information I tried to get a reverse shell. However, this didn’t work. So I tried just some basic commands to see what I could find out.
I modified the date output. Putting a ; to end the line of code then adding whoami to see if I could get a response.
Seems like that worked! I am dvir!
Next I just needed to search for something I could use to get a foothold. I used sudo -l to see what perms I had and got this result:
My next step was to try and get root access or at least access to a shell on the server. I did this by uploading a shell file to the server using the above method of executing commands.
I used the above command to send and execute a shell in bash which granted me access to the system via my listener!
After a little poking around I managed to find the user flag! I also found an interesting line of code in one of the files called app.py.
I checked the permissions next to see what dvir could possibly run. It looks like it can run /usr/bin/syscheck. After looking into that file it seems it interacts with a file called initdb.sh.
After the creation of the file was done, I would need to make /bin/bash executable and then have it accessable by myself. So I used the code below to do that, then ran syscheck using the perms I already had.
Then after executing /bin/bash I had root permissions.
Press enter or click to view image in full size
After some more digging I found the root flag!
Conclusion
I learned a ton from this box. First and foremost was learning how to better use Burp Suite, being able to execute commands after intercepting a packet if the server on the other side allows. This was a large stepping stone in this box that taught me a lot. XSS cookie stealing was something that I had not come across before either, so learning how to do that was very interesting and I have taken many notes from doing so. I think one thing I struggle with a little is WHAT to look for and these easy boxes are teaching me that!
