“The only true wisdom is in knowing you know nothing.” - Socrates

Lockdown – Medium

Let’s cover another awesome machine, Lockdown by ‘hangrymoose‘, on TryHackMe.   

Room: https://tryhackme.com/room/lockdown

Summary

  • Port 22 and 80 open
  • Add ‘contacttracer.thm’ to /etc/hosts
  • Web Application – Coronavirus Contact Tracer
  • SQLi on the admin login
  • Reverse shell upload using Profile Avatar or System Image
  • SQL Database Dump using SQLMAP (report page)
  • DB password re-use for the ‘cyrus’ user
  • ‘cyrus’ can run ‘/opt/scan/scan.sh’ as root
  • Add a custom YARA rule to identify /root/root.txt and /etc/shadow as ‘infected’
  • Use the ‘scan.sh’ script to grab the hash for ‘maxine’ from /etc/shadow and crack it
  • Login as maxine and then ‘sudo su’
  • All done 🙂

Enumeration

The nmap results showed only two open ports: 22 (SSH) and 80 (HTTP).

Browsing to the application on port 80 redirects to “http://contacttracer.thm/login.php”.

Once “contacttracer.thm” has been added to the /etc/hosts file, the “Coronavirus Contact Tracer” application can be accessed.

Exploitation

We tried multiple common credential pairs on the login form of the “admin panel” with no luck. The username field, however, turned out to be vulnerable to SQL injection: supplying the payload below as the username (any password will do) makes the WHERE clause of the login query always true and comments out the rest of it, which let us straight into the “admin” console.

Payload: ' or '1'='1'-- -
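To make the bypass concrete, here is an added example (not the application's code and not the room's database) that reproduces the pattern in Python against an in-memory SQLite table with constructed sample users. The login query built by string concatenation accepts the payload above, while the parameterised version of the same query treats it as an ordinary (non-existent) username. The table, the usernames and the passwords are constructed for the example; the real application compares against a hash rather than a plaintext password, but the injection works the same way because the problem is how the query is built, not what it compares.

```python
import sqlite3

# Constructed sample accounts for this example; not the room's data.
SAMPLE_USERS = [("admin", "not-the-real-password"), ("cyrus", "another-secret")]

# The payload used in the writeup to bypass the admin login.
BYPASS_PAYLOAD = "' or '1'='1'-- -"


def make_db():
    """In-memory SQLite table standing in for the application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def build_vulnerable_query(username, password):
    """The injectable pattern: user input pasted straight into the SQL text."""
    return (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )


def login_vulnerable(conn, username, password):
    """Returns the matched username, or None. With the payload as username the
    text becomes ... WHERE username = '' or '1'='1'-- -' AND password = '...'
    so the OR clause is always true and the password check is commented out;
    the first row (admin) comes back."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same query with bound parameters: the payload is compared as a literal
    username string and never becomes SQL syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query(BYPASS_PAYLOAD, "x"))
    print("vulnerable login ->", login_vulnerable(db, BYPASS_PAYLOAD, "x"))  # admin
    print("parameterised login ->", login_safe(db, BYPASS_PAYLOAD, "x"))  # None
```

The fix is the bound-parameter form: the database driver sends the query text and the values separately, so a quote or a comment marker in the username can never change the structure of the statement.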

Once logged in, we browsed the application and found an upload field (the profile avatar and the system image are both candidates, as noted in the summary).

We uploaded a PHP reverse shell through that field without any trouble.

The real problem was then to find where the file had been stored and whether the server would execute it.

To find the uploaded file, we ran GoBuster against the /uploads directory, but it did not turn up the file.
Since the admin account had been reached through SQL injection, we went back to that vector for more information.
Basic manual testing showed that the ‘date’ parameter (on the report page) also looked injectable, so we ran sqlmap against it to dump the database.


Command: sqlmap -r req --dump -p date   (req is the saved HTTP request containing the date parameter)

The dump disclosed where our uploaded reverse shell had been stored, along with the admin user’s password hash, which we then cracked. Browsing to the disclosed location executed the shell and gave us a shell as www-data.

Browsing the system as www-data turned up nothing obviously useful for escalation, so we tried the cracked admin password against the local users in case it had been re-used. It worked for the ‘cyrus’ user.

Here we found the user.txt.

Privilege Escalation

Looking further for an escalation path, sudo -l showed that the ‘cyrus’ user can run /opt/scan/scan.sh as root.

In short, the script prompts for a target path, runs a ClamAV scan of it against the installed rule set, and when a file is flagged as infected it moves that file to /home/cyrus/quarantine and makes cyrus its owner. In other words, a root-run tool will hand us any file on the box, provided we can make the scanner consider it infected. So the question became how to control the rules it matches against.

Researching ClamAV showed that its signature databases live in /var/lib/clamav, and that ClamAV also loads YARA rule files placed in that directory. Since we could write there, we can add our own YARA rules.

Ref: https://yara.readthedocs.io/en/stable/writingrules.html#private-strings
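The scanner has two weak points: the rule directory is writable by the user who may invoke it, and the script will scan, move and chown whatever path the caller names. The following added example (not the room's scan.sh, which is not reproduced on this page) shows the containment check such a script would need before touching a target: it resolves ‘..’ and symlinks with realpath and accepts only paths under the invoking user's own directory, which rules out /etc/shadow, /root/root.txt, a ‘..’ escape and a symlink planted inside the allowed tree. The allowed root /home/cyrus, the sample paths and the temporary files are assumptions made for the demonstration.

```python
import os
import tempfile

# Hypothetical policy for this example: the scanner may only touch files
# under the invoking user's own home. /home/cyrus is assumed here.
ALLOWED_ROOT = "/home/cyrus"


def is_allowed_target(target, allowed_root=ALLOWED_ROOT):
    """True only if target, after resolving '..' and symlinks, lies inside
    allowed_root. commonpath (rather than startswith) stops a sibling such
    as /home/cyrus2 from passing as /home/cyrus."""
    real_root = os.path.realpath(allowed_root)
    real_target = os.path.realpath(target)
    return os.path.commonpath([real_root, real_target]) == real_root


def classify(targets, allowed_root=ALLOWED_ROOT):
    """Map each requested path to 'scan' or 'refuse'."""
    return {
        t: ("scan" if is_allowed_target(t, allowed_root) else "refuse")
        for t in targets
    }


def symlink_escape_is_rejected():
    """Constructed layout: <root>/evil -> <outside>/secret. The link's path
    string starts with <root>, but realpath follows it outside, so it must
    be refused; otherwise a root-run 'move to quarantine' would hand the
    caller the outside file. A genuine file inside <root> is still allowed."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as outside:
        secret = os.path.join(outside, "secret")
        with open(secret, "w") as fh:
            fh.write("constructed sample standing in for /etc/shadow\n")
        link = os.path.join(root, "evil")
        os.symlink(secret, link)
        inside = os.path.join(root, "ok.txt")
        with open(inside, "w") as fh:
            fh.write("a file the user genuinely owns\n")
        return (not is_allowed_target(link, root)) and is_allowed_target(inside, root)


if __name__ == "__main__":
    # Constructed sample targets: the first is legitimate, the rest are
    # the kinds of paths the writeup feeds to the unguarded script.
    for path, verdict in classify(
        ["/home/cyrus/Downloads/x.bin", "/etc/shadow", "/root/root.txt",
         "/home/cyrus/../../etc/shadow", "/home/cyrus2/x"]
    ).items():
        print(f"{verdict:7} {path}")
    print("symlink escape rejected:", symlink_escape_is_rejected())
```

This only closes the arbitrary-target hole. The other flaw, a signature directory the scanning user can write to, has to be fixed separately by keeping /var/lib/clamav owned by root and not writable by that user, since any writable rule source lets the caller decide what counts as infected.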

There are multiple ways in which we can get the root flag.

  • Option 1 – Read the root flag only
  • Option 2 – Gain access as root and then read the root flag

Option 1:
We can create a rule.yara file containing the following rule, which flags any file holding the string “thm” (case-insensitive), so the THM-prefixed flag in root.txt matches:

    rule root
    {
        strings:
            $s = "thm" nocase
        condition:
            $s
    }

After saving the file in /var/lib/clamav, we run the scan script with sudo /opt/scan/scan.sh and give /root/root.txt as the target. The file is flagged as infected, moved to /home/cyrus/quarantine and chowned to cyrus, so we can read the flag from there.

Option 2:
We can create a rule.yara file containing the following rule instead, which flags any file holding the string “cyrus”; /etc/shadow matches because it contains the cyrus user’s entry:

    rule root
    {
        strings:
            $s = "cyrus" nocase
        condition:
            $s
    }

After saving the file in /var/lib/clamav, we run the scan script with sudo /opt/scan/scan.sh and give /etc/shadow as the target. The file ends up in /home/cyrus/quarantine owned by cyrus, so we can read every password hash on the box. Be aware that the script moves rather than copies: after this step /etc/shadow is no longer at its original path, and local password authentication depends on that file.

The hash for maxine found in the quarantined shadow file was cracked with john and the rockyou wordlist.

Once cracked, we logged in as maxine and found that this user can run any command with sudo.

Then we ran sudo su and got a root shell 😀

Hope you enjoyed reading this writeup.
Happy Hunting!

Posted by: infinity
