https://tryhackme.com/room/superspamr
Defeat the evil Super-Spam, and save the day!!
1) Enumeration
# Nmap 7.91 scan initiated Sat Aug 7 19:25:30 2021 as: nmap -p- -A -Pn -oN resultsNmap -vv 10.10.110.84
Nmap scan report for 10.10.110.84
Host is up, received user-set (0.17s latency).
Scanned at 2021-08-07 19:25:31 IST for 360s
Not shown: 65530 closed ports
Reason: 65530 resets
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 60 Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: concrete5 - 8.5.2
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: "Home :: Super-Spam "
4012/tcp open ssh syn-ack ttl 60 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 86:60:04:c0:a5:36:46:67:f5:c7:24:0f:df:d0:03:14 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCjPfdefRhbpiW/oi5uUVtVRW/pYZcnADODOU4e80iSnuqWfRB5DAXTpzKZNw5JBQGy+4Amwz0DyX/TlYBgXRxPXwFimpBXnc02jpMknSaDzdRnInU8wFcsBQc+GraYz1mMH
vRcco2FfIrKurDbyEsBCzwJuk/RKdSq2rcFLhq8QAPoxc9FQcNeUIZrBt53/7+fD7B7NvjjU22+hXZhjt6PLC3LDWcaMvpYCxMYGwKoC9xTs+FtzEFrt6yWzKrXV1iNuKdNyt8vu22bcPl2GrQ9ai9I89DEY4wB3dADP6AfNikb
i0QWjdNbW2fhblG9PvKRu9s3IbpVueX2qBfInuAF
| 256 ce:d2:f6:ab:69:7f:aa:31:f5:49:70:e5:8f:62:b0:b7 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIs/ZpOvCaKtCEwW4YraPciYLZnrRXDR6voHu0PipWaQpcdnsc8Vg1WMpkX0xgjXc9eD3NuZmBtTcIDTJXi7v4U=
| 256 73:a0:a1:97:c4:33:fb:f4:4a:5c:77:f6:ac:95:76:ac (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHHX1bbkvh6bRHE0hWipYWoYyh+Q+uy3E0yCBOoyY888
4019/tcp open ftp syn-ack ttl 60 vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x 2 ftp ftp 4096 Feb 20 14:42 IDS_logs
|_-rw-r--r-- 1 ftp ftp 526 Feb 20 13:53 note.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.17.9.26
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
5901/tcp open vnc syn-ack ttl 60 VNC (protocol 3.8)
| vnc-info:
| Protocol version: 3.8
| Security types:
| VNC Authentication (2)
| Tight (16)
| Tight auth subtypes:
|_ STDV VNCAUTH_ (2)
6001/tcp open X11 syn-ack ttl 60 (access denied)
Observations from nmap scan.
Port 80 - Apache 2.4.29 - Webserver
Running a website that makes use of Concrete5 CMS 8.5.2 ( looking at page source, and also using Wappalyzer )
Possible XSS Exploit - Concrete5 8.5.4 - 'name' Stored XSS, https://raw.githubusercontent.com/Quadron-Research-Lab/CVE/main/CVE-2021-3111.pdf
Another possible RCE Exploit -> https://hackerone.com/reports/768322, https://github.com/concrete5/concrete5/issues/8319Port 4012 - SSH - OpenSSH 7.6p1
-
Port 4019 - FTP - vsftpd 3.0.3
Anonymous login allowed. Let's take a look inside.
ftp> ls -la 227 Entering Passive Mode (10,10,140,162,190,141). 150 Here comes the directory listing. drwxr-xr-x 4 ftp ftp 4096 May 30 19:26 . drwxr-xr-x 4 ftp ftp 4096 May 30 19:26 .. drwxr-xr-x 2 ftp ftp 4096 May 30 19:26 .cap drwxr-xr-x 2 ftp ftp 4096 Feb 20 14:42 IDS_logs -rw-r--r-- 1 ftp ftp 526 Feb 20 13:53 note.txt ftp> ls 227 Entering Passive Mode (10,10,140,162,182,217). 150 Here comes the directory listing. -rwxr--r-- 1 ftp ftp 370488 Feb 20 14:46 SamsNetwork.cap 226 Directory send OK. ftp> ls -la 227 Entering Passive Mode (10,10,140,162,193,19). 150 Here comes the directory listing. drwxr-xr-x 2 ftp ftp 4096 May 30 19:26 . drwxr-xr-x 4 ftp ftp 4096 May 30 19:26 .. -rw-r--r-- 1 ftp ftp 249 Feb 20 13:36 .quicknote.txt -rwxr--r-- 1 ftp ftp 370488 Feb 20 14:46 SamsNetwork.capVERY IMPORTANT - Usually we don't look for hidden files in FTP servers, which in this case would have caused me to miss the
.capdirectory. I'll admit I did not see them in my first attempt at the machine. Came back to the machine, and executels -ain an act of desperation, which thankfuly turned out to be true.Contents of
note.txt
┌──(kali㉿kali)-[~/Documents/thm_superspam] └─$ cat note.txt 12th January: Note to self. Our IDS seems to be experiencing high volumes of unusual activity. We need to contact our security consultants as soon as possible. I fear something bad is going to happen. -adam 13th January: We've included the wireshark files to log all of the unusual activity. It keeps occuring during midnight. I am not sure why.. This is very odd... -adam 15th January: I could swear I created a new blog just yesterday. For some reason it is gone... -adam 24th January: Of course it is... - super-spam :)It seems we have to look into the
.pcapfiles aka network capture files to get more info. Apparently whatever unusual stuff happened, it happened around midnight.The hacker probably compromised the CMS and deleted the blog post left by this
adam(possible username to keep in mind). And looks like the hacker is such a show-off that they left a message innote.txt.After going into the
IDS_logsfolder, we see so many files. Most of the files in this dir are zero-byte files. But there were four .pcap files that I downloaded, which were the only ones that had any bytes in them.
Now, to the contents of the
.capdirectory.
Contents of.quicknote.txt
└─$ cat .quicknote.txt It worked... My evil plan is going smoothly. I will place this .cap file here as a souvenir to remind me of how I got in... Soon! Very soon! My Evil plan of a linux-free galaxy will be complete. Long live Windows, the superior operating system!The other file in this directory is
SamsNetwork.cap. So according tosuper-spam, this capture file contains the means for us to "get in", whatever that means.
2) Foothold
PHP File Upload Attempt
For this, my first attempt was to get a reverse shell using a PHP file upload.
While going through the blog, I noticed that the blog posts allowed comments to be made, along with attachments.
Although image attachments were allowed in the comments, PHP attachments were not. This was due to a client-side filter(jQuery file upload handling code).
This filter can easily be avoided by modifying the page response using a proxy(Burp Intercept/ZAP Breakpoint).
But even after this, there seemed to be server-side filters preventing a file upload.
Cracking NTLM hashes found in "IDS_logs" packet captures
Now, let's take a step back and take a look at the packet captures. From note.txt earlier, the "unusual" activity was close to midnight.
The 12th April 2021 pcap involves activity that occurs around 1 AM. Its mostly the SAMR protocol(https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/4df07fab-1bbc-452f-8e92-7853a3c7e380).
The pcap files for 13th and 16th are regarding HTTP requests to a Chinese domain, which we will ignore for now.
The pcap file for the 14th April 2021 is interesting, since it contains SMBv2 protocol captures that include NTLM authentication attempts. Let's see if we can get some useful data from this.
Note: Ultimately these credentials turned out to be useless, but it was a nice rabbit hole to follow :D You can skip the NTLM hash cracking section and scroll down to the next one
Took the help of this article to crack the NTLM hash, because I'm a noob at this => https://research.801labs.org/cracking-an-ntlmv2-hash/
Domain Name: 3B
User Name: lgreen
Host name: 02694W-WIN10
NTProofStr: 73aeb418ae0e8a9ec167c4d0880cfe22
NTLMv2 Response:
010100000000000049143c43a261d6012ce41adf31a1363c00000000020004003300420001001e003000310035003600360053002d00570049004e00310036002d004900520004001e0074006800720065006500620065006500730063006f002e0063006f006d0003003e003000310035003600360073002d00770069006e00310036002d00690072002e0074006800720065006500620065006500730063006f002e0063006f006d0005001e0074006800720065006500620065006500730063006f002e0063006f006d000700080049143c43a261d60106000400020000000800300030000000000000000100000000200000fc849ef6b042cb4e368a3cbbd2362b5ccc39324c75df3415b6166d7489ad1d2b0a001000000000000000000000000000000000000900220063006900660073002f003100370032002e00310036002e00360036002e0033003600000000000000000000000000
NTLM Server Challenge: a2cce5d65c5fc02f
According to the article, final crackme format is
username::domain:ServerChallenge:NTProofstring:modifiedntlmv2response
which in our case would be
lgreen::3B:a2cce5d65c5fc02f:73aeb418ae0e8a9ec167c4d0880cfe22:010100000000000049143c43a261d6012ce41adf31a1363c00000000020004003300420001001e003000310035003600360053002d00570049004e00310036002d004900520004001e0074006800720065006500620065006500730063006f002e0063006f006d0003003e003000310035003600360073002d00770069006e00310036002d00690072002e0074006800720065006500620065006500730063006f002e0063006f006d0005001e0074006800720065006500620065006500730063006f002e0063006f006d000700080049143c43a261d60106000400020000000800300030000000000000000100000000200000fc849ef6b042cb4e368a3cbbd2362b5ccc39324c75df3415b6166d7489ad1d2b0a001000000000000000000000000000000000000900220063006900660073002f003100370032002e00310036002e00360036002e0033003600000000000000000000000000
Saving above to a file called crackme.txt and running hashcat on my host machine, with rockyou.txt as a password list.
❯ hashcat -m 5600 crackme.txt rockyou.txt
hashcat (v6.1.1) starting...
LGREEN::3B:a2cce5d65c5fc02f:73aeb418ae0e8a9ec167c4d0880cfe22:010100000000000049143c43a261d6012ce41adf31a1363c00000000020004003300420001001e003000310035003600360053002d00570049004e00310036002d004900520004001e0074006800720065006500620065006500730063006f002e0063006f006d0003003e003000310035003600360073002d00770069006e00310036002d00690072002e0074006800720065006500620065006500730063006f002e0063006f006d0005001e0074006800720065006500620065006500730063006f002e0063006f006d000700080049143c43a261d60106000400020000000800300030000000000000000100000000200000fc849ef6b042cb4e368a3cbbd2362b5ccc39324c75df3415b6166d7489ad1d2b0a001000000000000000000000000000000000000900220063006900660073002f003100370032002e00310036002e00360036002e0033003600000000000000000000000000:CENSORED
SUCCESS!! Our password is CENSORED, for the user lgreen
- Trying this password for the VNC service at port 5901. Nope not working.
- Let's try the
lgreen:CENSOREDcombo for the SSH Service at port 4012. Nope not working. - Maybe trying at the login portal in Concrete5 CMS will work? Tried. Nope not working. Tried with
adminandrootusernames as well. In case you are wondering where the "Login" portal can be found.
Ok, time to move on
Cracking WiFi password from SamNetwork.cap file
Since we have gathered as much as possible(I think) from the IDS logs, let's see what we can infer from the SamsNetwork.cap packet capture, which apparently is how super-spam "got in".
Looks like a Network capture from a WiFi network. Looks like we'll have to use aircrack-ng to guess the password for the network. Let's use rockyou.txt as our wordlist.
Disclaimer: Not an expert on Wifi cracking :D Just used this command after reading some articles on how to crack Wifi passwords.
aircrack-ng -w /usr/share/wordlists/rockyou.txt SamsNetwork.cap
Password found is CENSORED. Let's try this in the login portal for the Blog. But what usernames do we use? Good question. Let's simply try using the usernames that are available in the blog posts themselves.
- Go to https://10.10.142.204/concrete5/index.php/blog
- Click on each of the Individual blog posts and extract the usernames found. We get a total of four users.
The usernames we find are:
- adam_admin
- benjamin_blogger
- lucy_loser
- donald_dump
Let's try the password we just found for all of these usernames in the Blog Login portal.
Success! The password works for the user donald_dump.
Uploading a PHP Reverse Shell.
When you log in, you will see what looks like a debugging stack trace. But the URL will be set to http://IP/concrete5/index.php/dashboard/welcome.
Just change the URL to "http://IP/concrete5/index.php", and we will be at the home page in "dashboard" mode for the CMS.
Now that we logged in to the CMS, let's try to upload a PHP reverse shell to get a foothold in the machine. Click on Settings(top-right corner button), go to File Manager. Here there is an "Upload Files" button. Let's try that.
We get an Invalid File Extension(hover cursor over the uploaded file box).
At this point, we must remember that we found an RCE exploit for Concrete5 CMS 8.5.2(scroll up to the beginning of the Foothold section).
According to the HackerOne report, we need to go to Settings -> "System & Settings" -> Allowed File Types(under Files), and add PHP. Apparently, this will allow us to configure the File Manager to allow PHP file uploads. The report also says we need an "Admin" role. Looking at the Donald_Dump user in Dashboard -> Members -> Donald_Dump we see
With that taken care of, let's try to add PHP to the list of allowed extensions.
And now let's go back to File Manager and see if we can upload our reverse shell file.
It works! Note down the "URL to File". Since the CMS seems to be using random number folder names to store uploaded files, we will need the exact path to access this, to get our reverse shell.
The URL was like this for me => http://10.10.140.162/concrete5/application/files/7516/2852/3656/revshell.php
BTW this is the Pentest Monkey PHP Reverse Shell file.
Start netcat listener, and then visit to the Reverse Shell URL in the browser.
And we have shell! Foothold secured!
Looking for user.txt
Let's navigate around to look for the user flag in the home directory
www-data@super-spam:/home$ ls -lR
.:
total 20
drwxr-xr-x 2 benjamin_blogger benjamin_blogger 4096 Apr 9 15:22 benjamin_blogger
drw-rw---- 6 donalddump donalddump 4096 Apr 9 15:23 donalddump
drwxr-xr-x 7 lucy_loser lucy_loser 4096 Apr 9 15:23 lucy_loser
drwxr-xr-x 5 root root 4096 May 30 20:08 personal
drwxr-xr-x 4 super-spam super-spam 4096 Apr 9 15:24 super-spam
./benjamin_blogger:
total 0
ls: cannot open directory './donalddump': Permission denied
./lucy_loser:
total 12
-rw-r--r-- 1 root root 28 Feb 24 17:27 calcs.txt
drwxr-xr-x 2 root root 4096 Feb 24 17:27 prices
drwxr-xr-x 2 root root 4096 Feb 24 17:27 work
./lucy_loser/prices:
total 0
./lucy_loser/work:
total 0
./personal:
total 12
drwxr-xr-x 2 root root 4096 May 30 20:07 Dates
drwxr-xr-x 2 root root 4096 May 30 20:07 Work
drwxr-xr-x 2 root root 4096 May 30 20:08 Workload
./personal/Dates:
total 0
./personal/Work:
total 4
-rw-r--r-- 1 root root 47 May 30 19:56 flag.txt
./personal/Workload:
total 4
-rw-r--r-- 1 root root 215 Feb 20 17:04 nextEvilPlan.txt
./super-spam:
total 4
-rw-r--r-- 1 root root 251 Feb 24 17:25 flagOfWindows
And we have found our flag.txt in /home/personal/Work/flag.txt
Also, the names of all the users who have folders in the /home/ folder
- benjamin_blogger
- donalddump
- lucy_loser
- super-spam
Let's have a look at the other folders and see if we can get something useful.
Found something in lucy_loser's directory
Well well. Looks like Lucy's a traitor :D And they are using XOR encryption to communicate. The folder also a file xored.py that allows you to XOR two images and output a result image.
Finding the answers for the "encryption" questions
The folder has ten files of the type cX.png, where X ranges from 1-10. And then a d.png.
My guess is we can use the xored.py script to remove the overlay(which was added as part of encryption probably), to make the underlying text more clearer.
The encryption process is not intuitive, since we don't know what the "key" file is.
As for how XOR Encryption works, read the "Example" section of this Wikipedia page => https://en.wikipedia.org/wiki/XOR_cipher
So, technically speaking. "Original Message" XOR "Encryption Key" => "Encrypted Message"
Also, "Encrypted Message" XOR "Encryption Key" => "Original Message"
The machine has Python3. So starting a web-server to download all the files so that we can do the work on our own machine. I was able to start the server on port 8080 and download the files.
Looking at the files on my own system.
d.png is the clearest image of all the four. It has some underlying text, over which some Lorem Ipsum text has been super-imposed, which I am guessing is the result of a XOR operation.
The cX.png files are not legible. The d.png is as follows.
I did not run the XOR Encryption. Just opened the file in an Image Viewer, and zoomed in as much as possible, and then typed out the message, which is
Senior Favaeull, I am sending you this encrypted message so that you can maintain your persistence on the machine. Please be assured that I have encypted this message using Xor. I have told that clumsy assistant of mine to use different random keys for each message sent. I hope this finds you well. The new password will grant you access, it is the following: CENSORED. stay safe and well.
-Super Spam
To be absolutely sure about the password(especially the first half), I tried running xored.py for the cX.png files against each other. I got a good result for c8.png XOR c4.png.
In the TryHackMe room, the password we obtain in this step is the answer for
Q: What key information was embedded in one of super-spam's encrypted messages?
Now, who the hell is Favaeull? The "clumsy assistant" mentioned here is clearly Lucy.
Tried this password all users on the SSH port 4012.
Success! It works for donalddump. Now we have a proper shell.
3) Privilege Escalation
We can finally look into the /home/donalddump/ dir. We cannot change into the home dir initially. This is due to lack of execute permissions. Just execute chmod u+x donalddump and get in.
Now there is a strange passwd file here. It has some bytes. Try reading it in vim, and this is what you see.
Now I did not know what to make of this. Probably encoding/encryption of some kind.
I kept this aside, and ran the linPEAS.sh script to find PrivEsc vectors.
That's when I came across this strange entry in the process list in the linPEAS results
You might wonder why this caught my eye. If you scroll up to the beginning, and look at the nmap enumeration, you will see we have a VNC service running at port 5901, which we haven't used for anything yet.
Also another entry that caught my eye, that will be useful later on.
Those lines are from the machine's /etc/ssh/sshd_config file => https://github.com/carlospolop/PEASS-ng/blob/master/linPEAS/linpeas.sh#L2314
So root login via SSH is allowed. Good thing to keep in mind.
Finding a way to connect to the VNC service
So now, I am guessing this is a password file for the VNC service. Let's try to find some details.
So Startpage search for "vnc passwd file" => https://www.tightvnc.com/vncpasswd.1.php
So I am thinking, since we can't get the original password, why not try to change the password. The vncpasswd command is available on the machine. But when we try to run it, it asks for a password.
donalddump@super-spam:~$ vncpasswd
Using password file /home/donalddump/.vnc/passwd
VNC directory /home/donalddump/.vnc does not exist, creating.
Password:
Password too short
Since this is my first time dealing with TightVNC, I assume maybe I can try to set a new password. So I do a search for "change vnc password", and I come across this article => https://linuxconfig.org/how-to-change-vnc-password-on-linux
After reading this article, it dawns on me that this is an encrypted password, which is the output of the vncpasswd command. Ok. Now search for "decrypt vnc password".
And I find https://github.com/jeroennijhof/vncpwd. A very convenient utility to help you decrypt the password.
And we have the VNC Service password! Let's try connecting to it.
Aaaand we have root shell! But there is no root flag in the home dir.
Finding the root.txt file
This VNC session is very inconvenient to navigate around. If you remember from earlier, this machine allows root login via SSH. So let's generate some SSH keys to enable private key login.
Run below commands on remote machine
-
ssh-keygento generate keys cd /root/.ssh/ && cat id_rsa.pub > authorized_keys- Run Python3 webserver and download private key file
id_rsaonto your machine
On your local machine(assuming Kali)
sudo chown kali:kali id_rsa-
sudo chmod 600 id_rsa
Now use this key file to login to the machine using the SSH Service at port 4012.
Executing an ls -laR in the root home dir yields the following.
So the root flag is in /root/.nothing/r00t.txt. Note the zeroes in the file name.
The contents are as follows:
We will have to decode it to get the answer. This was obviously not Base64. I initially tried https://rot13.com/ but that did not yield anything.
This is where @tan on the THM Discord server gave me a hint about trying to use GCHQ CyberChef magic formula to try and guess what kind of encoding this was.
Aaand done!! Whew what a ride that was. Thanks for reading!
Seriously recommend trying the machine yourself => https://tryhackme.com/room/superspamr
Top comments (0)