https://tryhackme.com/room/valleype
We will start with some standard Nmap and GoBuster enumeration (`-oN` takes the output filename as a separate argument):

```
nmap -A -T5 -sV -O -p1-65535 -oN output.txt <THM_IP>
gobuster dir -u http://<THM_IP> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
```
There are three ports open on this machine: SSH, HTTP, and FTP (on the non-standard port 37370). Nmap did not report anonymous FTP login as enabled.
Pivoting to "/static" shows an empty directory for our Apache server. Let's perform some fuzzing against this directory to be thorough.
Upon enumeration of the "static" directory we find the following results.

```
gobuster dir -u http://<THM_IP>/static/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
```
These numbers are all image files except for "/00". Here we find notes from "valleyDev".
We see a reference to another directory as well as a reminder to check for SIEM alerts. Interesting. Let's navigate to this directory.
We arrive at a login page. I quickly tried several common credentials with no success. After that I viewed the page source, where we can see two JavaScript files loaded by this site. Let's take a look at "dev.js".
This script checks the submitted login against credentials stored in the code in clear text. After using these credentials we are redirected once again.
Two things stand out to me: these are notes about the FTP server, and they are reusing credentials. Let's use these credentials to try to log on to the FTP server.

```
ftp siemDev@<THM_IP> -p 37370
```

We do not have many permissions as this user, but we can download the three .pcapng files to our attacking machine with the `get` command to view them locally.
Opening the first file (siemFTP.pcapng) with Wireshark we can see that an individual with the IP address "192.168.111.136" logged on as "anonymous". This is probably why anonymous login is now disabled!
I spent some time looking through the next file (siemHTTP1.pcapng) but I did not find anything useful.
After spending quite some time looking through the third file (siemHTTP2.pcapng) I found this TCP stream (line 2332), which carries a set of credentials:
Let's try these credentials with SSH.
Success! We have our initial foothold on the system. Let's explore the file system to see if we can find any means of privilege escalation.
We've found the first flag in our user's home directory!
Moving up a directory, there is a binary called "valleyAuthenticator". Let's pull this down to our attacking machine to examine it.
The first thing I do when examining a binary in any CTF challenge is to run strings against it for easy hits. Let's write the strings output to a text file and search it for "username" or "password".
Line 6441 of that output looks like a hash to me. Let's give CrackStation a go.
Given that this binary is called "valleyAuthenticator" and there is a directory called "/home/valley", let's attempt "su valley" with this password to switch accounts to "valley".
Now that we're logged in as valley, let's perform further enumeration in an attempt to escalate our privileges.
Searching valley's home directory didn't yield any results.
I uploaded linpeas.sh to the "/tmp" directory to automate the enumeration process.
There is a cron job that runs "photosEncrypt.py" every minute as root.
We do not have write permissions for this file; however, we can read its contents.
This script takes the .jpg files in the /photos directory and encodes them with base64, then saves them as .enc files in the /photos/photoVault directory.
Notice that this script imports the base64 library. Python resolves an import by searching its module path in order, so if we have write permissions to "/usr/lib/python3.8/base64" we can inject code that will be executed as root every time this script is run by cron.
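The condition this cron job depends on (a module file on root's Python path that a low-privileged user can write) is easy to audit. The script below is an added defender-side check, not part of the original write-up: it walks a list of search directories, the way `sys.path` would be searched, and reports any module file or package directory that is group- or world-writable, and resolves where a given module name would actually be loaded from.

```python
import importlib.util
import stat
import sys
from pathlib import Path


def writable_by_others(path: Path) -> bool:
    """True if the group or world write bit is set (POSIX mode bits only, ACLs ignored)."""
    mode = path.lstat().st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_writable_modules(search_paths):
    """Return a sorted list of writable entries found on the given search path.

    Each directory is checked itself (a writable directory lets anyone drop a
    shadowing base64.py into it), then every .py file and package directory
    directly inside it. Missing directories are skipped, as Python's import
    machinery skips them too.
    """
    findings = set()
    for entry in search_paths:
        root = Path(entry or ".")  # '' on sys.path means the current directory
        if not root.is_dir():
            continue
        if writable_by_others(root):
            findings.add(str(root))
        for child in root.iterdir():
            if (child.suffix == ".py" or child.is_dir()) and writable_by_others(child):
                findings.add(str(child))
    return sorted(findings)


def module_origin(name):
    """Path the interpreter would load `name` from, or None if it cannot be found."""
    spec = importlib.util.find_spec(name)
    return None if spec is None else spec.origin


if __name__ == "__main__":
    # Run this as the account the cron job uses (root) so the path matches the job.
    print("base64 would load from:", module_origin("base64"))
    for hit in find_writable_modules(sys.path):
        print("WRITABLE:", hit)
```

Run it with the same interpreter and from the same working directory the cron job uses, since the script's own directory is searched before the system library path.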
We only need to add two lines to that module to elevate our privileges:

```python
import os
os.system("chmod u+s /bin/bash")  # runs as root when cron executes photosEncrypt.py
```

Doing this sets the "setuid" permission on the "/bin/bash" binary. This allows a user who runs that file to temporarily gain the privileges of the file's owner (root) in a Bash shell.
Now, simply wait one minute and check the permissions for "/bin/bash".
Notice the "s" in the permissions. The "setuid" permission has been set.
Now we can run bash with the "-p" option (privileged mode), which stops bash from dropping the setuid effective UID back to our own.
With that, we have rooted the machine!
This room required compromising many different services and used lots of steps. I really enjoy learning about different ways to exploit Python scripts and this was a very interesting and easy way to do so.
