[Tut] Road Walkthrough TryHackMe – A Black Box Pentesting Challenge - Sick Gaming (https://www.sickgaming.net), Forum: Programming (https://www.sickgaming.net/forum-76.html) › Python (https://www.sickgaming.net/forum-83.html), Thread: /thread-100723.html
[Tut] Road Walkthrough TryHackMe – A Black Box Pentesting Challenge - xSicKxBot - 02-09-2023 Road Walkthrough TryHackMe – A Black Box Pentesting Challenge <div> <figure class="wp-block-embed-youtube wp-block-embed is-type-video is-provider-youtube"><a href="https://blog.finxter.com/road-walkthrough-a-black-box-pentesting-challenge/"><img src="https://blog.finxter.com/wp-content/plugins/wp-youtube-lyte/lyteCache.php?origThumbUrl=https%3A%2F%2Fi.ytimg.com%2Fvi%2FThXCCPY0jPQ%2Fhqdefault.jpg" alt="YouTube Video"></a><figcaption></figcaption></figure> <h2>CHALLENGE OVERVIEW</h2> <ul> <li><strong>Link</strong>: <a href="https://tryhackme.com/room/road" target="_blank" rel="noreferrer noopener">https://tryhackme.com/room/road</a></li> <li><strong>Difficulty</strong>: Medium</li> <li><strong>Target</strong>: user/root flags</li> <li><strong>Highlights</strong>: taking over the admin account through an unprotected password-reset request, retrieving a plaintext user password from <a href="https://blog.finxter.com/mongodb-developer-income-and-opportunity/" data-type="post" data-id="169746" target="_blank" rel="noreferrer noopener">MongoDB</a>, privilege escalation through polkit’s <code>pkexec</code> binary</li> <li><strong>Tools used</strong>: <code>nmap</code>, <code>dirb</code>, Burp Suite, <code>netcat</code>, LinPEAS</li> <li><strong>Tags</strong>: <em>pentesting, security, MongoDB, SSH</em></li> </ul> <h2>BACKGROUND</h2> <p class="has-global-color-8-background-color has-background"><strong>What is <em>black box</em> pentesting?</strong></p> <div class="wp-block-image"> <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="746" height="499" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-139.png" alt="" class="wp-image-1119093" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-139.png 746w, https://blog.finxter.com/wp-content/uploads/2023/02/image-139-300x201.png 300w" sizes="(max-width: 746px) 100vw, 746px" /></figure> </div> <p>In a <em><strong>black box</strong></em> engagement the tester starts with nothing but the target machine’s IP address. Nothing about the host, its services or its users is disclosed, so everything has to be discovered during the enumeration stage. </p> <p>At the other end of the spectrum is <em><strong>white box</strong></em> pentesting, where information about the internal workings of the server (such as source code or configuration) is shared with the pentester up front. 
</p> <h2>ENUMERATION/RECON</h2> <div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="607" height="908" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-140.png" alt="" class="wp-image-1119094" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-140.png 607w, https://blog.finxter.com/wp-content/uploads/2023/02/image-140-201x300.png 201w" sizes="(max-width: 607px) 100vw, 607px" /></figure> </div> <p>Let’s kick things off with standard <code>nmap</code> and <code>dirb</code> scans. The <code>nmap</code> run below scans all TCP ports with version detection, OS detection and default scripts (<code>-A</code> already enables OS detection, so a separate <code>-O</code> is redundant) and saves normal-format output with <code>-oN</code>; a bare <code>-o</code> is not an <code>nmap</code> option.</p> <pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">sudo nmap -p- -A $targetIP -oN /home/kalisurfer/THM/road-walkthrough/nmap.txt</pre> <div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="809" height="193" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-136.png" alt="" class="wp-image-1119051" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-136.png 809w, https://blog.finxter.com/wp-content/uploads/2023/02/image-136-300x72.png 300w, https://blog.finxter.com/wp-content/uploads/2023/02/image-136-768x183.png 768w" sizes="(max-width: 809px) 100vw, 809px" /></figure> </div> <p>The host is running an SSH service and an HTTP server. 
No surprises here!</p> <pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">dirb http://$targetIP</pre> <div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="584" height="504" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-135.png" alt="" class="wp-image-1119046" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-135.png 584w, https://blog.finxter.com/wp-content/uploads/2023/02/image-135-300x259.png 300w" sizes="(max-width: 584px) 100vw, 584px" /></figure> </div> <div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="566" height="473" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-134.png" alt="" class="wp-image-1119045" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-134.png 566w, https://blog.finxter.com/wp-content/uploads/2023/02/image-134-300x251.png 300w" sizes="(max-width: 566px) 100vw, 566px" /></figure> </div> <div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="570" height="503" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-133.png" alt="" class="wp-image-1119044" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-133.png 570w, https://blog.finxter.com/wp-content/uploads/2023/02/image-133-300x265.png 300w" sizes="(max-width: 570px) 100vw, 570px" /></figure> </div> <p>The <code>dirb</code> scan turned up a few interesting paths: <code>/assets</code>, <code>/phpMyAdmin/ChangeLog</code> and <code>/v2</code>. 
We’ll look into each of these in more detail.</p> <h2>INVESTIGATING /phpMyAdmin</h2> <p>We discover a login portal at <code>/phpMyAdmin/index.php</code>.</p> <div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="492" height="414" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-132.png" alt="" class="wp-image-1119043" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-132.png 492w, https://blog.finxter.com/wp-content/uploads/2023/02/image-132-300x252.png 300w" sizes="(max-width: 492px) 100vw, 492px" /></figure> </div> <h3>INVESTIGATING /assets</h3> <p>Browsing the changelogs lets us pin down the <strong>phpMyAdmin</strong> version: 5.1.0. </p> <p>We also find a link to a Git repo with changelogs going all the way back to the year 2000! </p> <p>This is a potential treasure trove of information. Checking <code>exploit-db</code> for known phpMyAdmin vulnerabilities turns up plenty, but nothing for 5.1.0. A version string read from a changelog only tells us what was shipped, not what has been patched since, so any candidate exploit would still have to be confirmed against the live install. </p> <p>For now, let’s move on. 
</p> <div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="823" height="241" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-131.png" alt="" class="wp-image-1119042" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-131.png 823w, https://blog.finxter.com/wp-content/uploads/2023/02/image-131-300x88.png 300w, https://blog.finxter.com/wp-content/uploads/2023/02/image-131-768x225.png 768w" sizes="(max-width: 823px) 100vw, 823px" /></figure> </div> <div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="443" height="297" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-130.png" alt="" class="wp-image-1119041" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-130.png 443w, https://blog.finxter.com/wp-content/uploads/2023/02/image-130-300x201.png 300w" sizes="(max-width: 443px) 100vw, 443px" /></figure> </div> <h3>INVESTIGATING /v2</h3> <p>We discover another login portal at <code>/v2/admin/login.html</code>. 
This one has a register option, so we can create a new user and see what a standard account is allowed to reach.</p> <div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="468" height="743" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-129.png" alt="" class="wp-image-1119040" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-129.png 468w, https://blog.finxter.com/wp-content/uploads/2023/02/image-129-189x300.png 189w" sizes="(max-width: 468px) 100vw, 468px" /></figure> </div> <h2>INITIAL FOOTHOLD</h2> <div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="607" height="882" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-141.png" alt="" class="wp-image-1119095" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-141.png 607w, https://blog.finxter.com/wp-content/uploads/2023/02/image-141-206x300.png 206w" sizes="(max-width: 607px) 100vw, 607px" /></figure> </div> <p>We pivoted from our new user to the admin account by intercepting the HTTP request that changes the password in Burp Suite and replacing the email parameter with the admin’s address before forwarding it. The server updates whichever account the request body names without checking that it belongs to the logged-in user: a textbook insecure direct object reference.</p> <p>Once the reset goes through, the admin’s password is the one we chose, so we can log in as admin and upload a reverse shell through the profile-picture upload option.</p> <figure class="wp-block-image size-large"><img decoding="async" loading="lazy" width="1024" height="387" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-128-1024x387.png" alt="" class="wp-image-1119039" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-128-1024x387.png 1024w, https://blog.finxter.com/wp-content/uploads/2023/02/image-128-300x113.png 300w, https://blog.finxter.com/wp-content/uploads/2023/02/image-128-768x290.png 768w, https://blog.finxter.com/wp-content/uploads/2023/02/image-128-1536x580.png 1536w, https://blog.finxter.com/wp-content/uploads/2023/02/image-128.png 1600w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure> <p>From the admin dashboard, upload a PHP reverse shell (the pentestmonkey <code>php-reverse-shell</code> with our IP and port filled in, saved as <code>revshell.php</code>), start a <code>netcat</code> listener on that port, and trigger it by loading the following address in the browser:</p> <pre class="wp-block-preformatted"><code>http://10.10.154.107/v2/profileimages/revshell.php</code></pre> <p>The upload handler keeps the client-supplied file name and stores it in a directory the web server executes PHP from, which is why a plain GET runs our shell. We catch the reverse shell and have our initial foothold!</p> <h2>EXTRACTING USER CREDENTIALS FROM MONGO DB</h2> <div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="670" height="488" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-127.png" alt="" class="wp-image-1119038" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-127.png 670w, https://blog.finxter.com/wp-content/uploads/2023/02/image-127-300x219.png 300w" sizes="(max-width: 670px) 100vw, 670px" /></figure> </div> <div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="450" height="172" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-126.png" alt="" class="wp-image-1119037" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-126.png 450w, https://blog.finxter.com/wp-content/uploads/2023/02/image-126-300x115.png 300w" sizes="(max-width: 450px) 100vw, 450px" /></figure> </div> <div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="680" height="300" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-125.png" alt="" class="wp-image-1119036" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-125.png 680w, https://blog.finxter.com/wp-content/uploads/2023/02/image-125-300x132.png 300w" sizes="(max-width: 680px) 100vw, 680px" /></figure> </div> <p>The local MongoDB instance stores user <code>webdeveloper</code>’s password in plaintext. With <code>su webdeveloper</code> and that password we switch to the account. </p> <h2>LOCAL RECON</h2> <div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="611" height="917" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-142.png" alt="" class="wp-image-1119096" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-142.png 611w, https://blog.finxter.com/wp-content/uploads/2023/02/image-142-200x300.png 200w" sizes="(max-width: 611px) 100vw, 611px" /></figure> </div> <p>The first flag, <code>user.txt</code>, sits in the <code>/home/webdeveloper</code> directory.</p> <pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">63—-omitted—---45</pre> <p>After uploading LinPEAS to the target machine through a <a href="https://blog.finxter.com/python-one-liner-webserver/" data-type="post" data-id="8635" target="_blank" rel="noreferrer noopener">python3 simple HTTP server</a>, let’s run it and analyze the results.</p> <div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="687" height="209" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-124.png" alt="" class="wp-image-1119035" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-124.png 687w, https://blog.finxter.com/wp-content/uploads/2023/02/image-124-300x91.png 300w" sizes="(max-width: 687px) 100vw, 687px" /></figure> </div> <p>LinPEAS flags CVE-2021-4034 (PwnKit, the polkit <code>pkexec</code> vulnerability) first, and that is the route we will take for privilege escalation. 
Rather than the three-file exploit that <code>exploit-db</code> lists for it, we’ll do it manually with two terminals, both logged in as <code>webdeveloper</code>.</p> <div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="730" height="795" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-123.png" alt="" class="wp-image-1119034" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-123.png 730w, https://blog.finxter.com/wp-content/uploads/2023/02/image-123-275x300.png 275w" sizes="(max-width: 730px) 100vw, 730px" /></figure> </div> <p>Let’s also check sudo privileges.</p> <div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="805" height="153" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-122.png" alt="" class="wp-image-1119033" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-122.png 805w, https://blog.finxter.com/wp-content/uploads/2023/02/image-122-300x57.png 300w, https://blog.finxter.com/wp-content/uploads/2023/02/image-122-768x146.png 768w" sizes="(max-width: 805px) 100vw, 805px" /></figure> </div> <p>The sudo output gives two more interesting findings: <code>LD_PRELOAD</code> being kept in the environment across sudo, and the <code>sky_backup_utility</code> binary we are allowed to run with it. 
We’ll save these for later in case we hit a dead end with CVE-2021-4034.</p> <h2>PRIV-ESC</h2> <div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="752" height="417" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-143.png" alt="" class="wp-image-1119098" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-143.png 752w, https://blog.finxter.com/wp-content/uploads/2023/02/image-143-300x166.png 300w" sizes="(max-width: 752px) 100vw, 752px" /></figure> </div> <p>We’ll escalate privileges through polkit’s <code>pkexec</code> binary (policykit vulnerability <a href="https://nvd.nist.gov/vuln/detail/cve-2021-4034" target="_blank" rel="noreferrer noopener">CVE-2021-4034</a>). Open a second shell as <code>webdeveloper</code>. </p> <p>Issue the following commands one by one in the corresponding terminals.</p> <figure class="wp-block-table is-style-stripes"> <table> <tbody> <tr> <td><strong>Terminal 1</strong></td> <td><strong>Terminal 2</strong></td> </tr> <tr> <td><code>echo $$</code></td> <td></td> </tr> <tr> <td></td> <td><code>pkttyagent --process &lt;PID printed by echo $$&gt;</code></td> </tr> <tr> <td><code>pkexec "/bin/bash"</code></td> <td></td> </tr> <tr> <td></td> <td><em>enter the password for <code>webdeveloper</code></em></td> </tr> <tr> <td><em>(receive the root shell in terminal 1)</em></td> <td></td> </tr> </tbody> </table> </figure> <p>A note on what this sequence actually does. <code>pkexec</code> needs a polkit authentication agent to prompt for credentials, and a headless box has none, so <code>pkttyagent --process &lt;pid&gt;</code> in terminal 2 registers a text-mode agent on behalf of terminal 1’s shell. When terminal 1 runs <code>pkexec /bin/bash</code>, the prompt appears in terminal 2 and polkit checks the supplied password against the users it treats as administrators; the root shell means <code>webdeveloper</code> passed that check. That is polkit’s ordinary authentication path rather than CVE-2021-4034 itself: PwnKit abuses <code>pkexec</code>’s argument handling and never asks for a password. If the agent route does not work, the exploit-db PoC (or the LD_PRELOAD and <code>sky_backup_utility</code> findings above) is the fallback.</p> <h2>POST-EXPLOITATION</h2> <p>Let’s grab the root flag:</p> <div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="409" height="216" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-137.png" alt="" class="wp-image-1119082" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-137.png 409w, https://blog.finxter.com/wp-content/uploads/2023/02/image-137-300x158.png 300w" sizes="(max-width: 409px) 100vw, 409px" /></figure> </div> <h2>FINAL THOUGHTS</h2> <div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="753" height="496" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-144.png" alt="" class="wp-image-1119099" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-144.png 753w, https://blog.finxter.com/wp-content/uploads/2023/02/image-144-300x198.png 300w" sizes="(max-width: 753px) 100vw, 753px" /></figure> </div> <p>This box was fairly challenging and really pushed me to take careful notes about my findings during enumeration, and to plan my strategy for gaining the initial foothold and for the priv-esc stage thoughtfully. </p> <p>These more advanced boxes are forcing me to chain together longer sequences of the techniques that the easier boxes used in isolation. </p> </div> Source: https://www.sickgaming.net/blog/2023/02/08/road-walkthrough-tryhackme-a-black-box-pentesting-challenge/