TryHackMe-Lockdown

Hello everyone, in this post I will be sharing my writeup for the THM Lockdown room, a medium-difficulty machine with two services running: SSH and HTTP. The web server had a login page that we bypassed with SQL injection to reach the dashboard. There we found that we could change the picture (icon) shown on the login page, which let us upload a PHP reverse shell and get a foothold. On the box we found database credentials; the users table held a hash which, once cracked, turned out to be the password of the cyrus user. Privilege escalation involved writing a YARA rule so that /etc/shadow would be flagged as a malicious file and copied somewhere we could read it, after which we cracked maxine's hash to get root.

NMAP

22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 27:1d:c5:8a:0b:bc:02:c0:f0:f1:f5:5a:d1:ff:a4:63 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDA1Xdw3dCrCjetmQieza7pYcBp1ceBvVB6g1A/OU+bqoRSEfnKTHP0k5P2U1BbeciJTqflslP3IHh+py4jkWTkzbU80Mxokn2Kr5Qa5GKgrme4Q6GfQsQeeFpbLlIHs+eEBnCLY/J03iddkt6eukd3VwZuRXHnEHl7G6Y1f0IEEzProg15iAtUTbS8OwPx+ZwdvXfJTWujUS+OzLLjQw5wPewCEK+TJHVM02H+5sO+dYBMC9rgiEnPe5ayP+nupAXMNYB9/p/gO3nj5h33SokY3RkXMFsijUJpoBnsDHNgo2Q41j9AB4txabzUQVFql30WO8l8azO4y/fWYYtU8YCn
| 256 ce:f7:60:29:52:4f:65:b1:20:02:0a:2d:07:40:fd:bf (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGjTYytQsU83icaN6V9H1Kotl0nKVpR35o6PtyrWy9WjljhWaNr3cnGDUnd7RSIUOiZco3UL5+YC31sBdVy6b6o=
| 256 a5:b5:5a:40:13:b0:0f:b6:5a:5f:21:60:71:6f:45:2e (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOHVz0M8zYIXcw2caiAlNCr01ycEatz/QPx1PpgMZqZN
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Supported Methods: POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT 80 (HTTP)

When we visit the web server it redirects us to the domain name contacttracer.thm, so let's add this to the /etc/hosts file.

After adding the domain name to the file, we can see a login portal.

Let's try some default credentials for admin. I tried admin:admin, admin:password and admin:admin123, but they didn't work, so I ran gobuster to fuzz for files and directories.

Most of the directories were forbidden. On the admin panel I tried a simple SQL injection to log in, admin' or 1=1 --, and I got access to the dashboard.

Foothold

To get a shell there are two ways. In the settings we can change the login page's image to a PHP reverse shell file.

Alternatively, we can also dump the database through the login page, which would reveal the name given to whatever file we upload. I didn't dump the whole database, though, because it was a time-based SQL injection and was taking too long, so I stopped.

Anyway, continuing with stabilizing the shell.

Let's do some basic enumeration. First I checked sudo -l.

We don't have a password, so let's move on. Next I checked the crontabs, but those were empty as well.

I checked whether there were any SUID binaries we could abuse, but there weren't any.

Privilege Escalation (Cyrus)

We can see there are two users, cyrus and maxine. Also, if we remember, we saw config.php in gobuster's results, so let's visit that file. This is also what the uploaded files look like.

On reading the config.php file we get a username and a password hash.

I tried cracking this hash but was not successful, so I read the DBConnection.php file and found some database credentials.

There wasn't anything of interest to us in the database except the admin hash; on cracking it we get the password sweetpandemonium.

Privilege Escalation (root)

On running sudo -l, we see that this user can run a script as root.

#!/bin/bash
read -p "Enter path: " TARGET

# Only proceed if the path exists and is readable. Because the script is run
# through sudo, both tests are evaluated as root, so they pass for any file.
if [[ -e "$TARGET" && -r "$TARGET" ]]
then
    # Scan the file; anything clamscan flags is copied into the quarantine directory
    /usr/bin/clamscan "$TARGET" --copy=/home/cyrus/quarantine
    /bin/chown -R cyrus:cyrus /home/cyrus/quarantine
else
    echo "Invalid or inaccessible path."
fi

This is the bash script. It reads a path, then checks in the if condition with -e that the file exists and with -r that it is readable, and then runs clamscan, which is an AV tool. If a virus is found, the file is copied to /home/cyrus/quarantine. So let's run this tool with the sample provided in cyrus's home directory.

It copied that file into the quarantine directory.
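The weakness of this script, from a defender's point of view, is that it trusts any path the user types: run through sudo, the -e and -r tests are evaluated as root, so every file on the system passes them and ends up readable by cyrus once clamscan copies it. As an added example (not the room's script), here is a hardened variant that canonicalizes the input and only scans regular files under a fixed directory, with the validation split into its own function so the policy can be checked without running clamscan. The ALLOWED_ROOT and QUARANTINE locations are assumptions for this example.

```shell
#!/bin/bash
# Added example, not the room's own script: a hardened quarantine helper.
# Assumed directories: only files under ALLOWED_ROOT may be scanned, and
# detections are copied into QUARANTINE.
ALLOWED_ROOT="${ALLOWED_ROOT:-/home/cyrus/samples}"
QUARANTINE="${QUARANTINE:-/home/cyrus/quarantine}"

# validate_target PATH
# Prints the canonical path and returns 0 only when PATH resolves to a regular,
# readable file under ALLOWED_ROOT. Symlinks are resolved before the prefix
# check, so a link placed inside the allowed tree that points at a system file
# is refused rather than scanned with root's privileges.
validate_target() {
    local target="$1" resolved
    [ -n "$target" ] || return 1
    resolved=$(readlink -f -- "$target") || return 1
    case "$resolved" in
        "$ALLOWED_ROOT"/*) ;;   # inside the allowed tree: continue
        *) return 1 ;;          # anything else, e.g. /etc/shadow: refuse
    esac
    [ -f "$resolved" ] && [ -r "$resolved" ] || return 1
    printf '%s\n' "$resolved"
}

# scan_target PATH
# Runs clamscan only on a path that passed validate_target. The --copy target
# and the chown are kept from the original, but now only apply to allowed files.
scan_target() {
    local resolved
    if ! resolved=$(validate_target "$1"); then
        echo "Invalid or inaccessible path." >&2
        return 1
    fi
    /usr/bin/clamscan --copy="$QUARANTINE" "$resolved"
    /bin/chown -R cyrus:cyrus "$QUARANTINE"
}

# Interactive entry point, used only when the script is run directly from a terminal.
if [ -t 0 ] && [ "${BASH_SOURCE[0]}" = "$0" ]; then
    read -r -p "Enter path: " TARGET
    scan_target "$TARGET"
fi
```

The important change is the order of operations: resolve the path first, then compare it against an allow-list prefix, and only then test for a readable regular file. A check like the original's -r, performed as root, never says no; the prefix check does.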

I looked at clamscan's documentation and found that we can write our own rules (YARA rules) to identify files that may contain a virus.

https://docs.clamav.net/manual/Signatures/YaraRules.html

We need to find where clamscan loads its rules from, so I used the find command to search for clamscan* and found the directory holding the rule that decides whether a file is flagged as a virus or not.

This is the rule file

But this is a hash-based signature file (.hdb), and we can't use that approach since we are not able to read root.txt to compute its hash. Instead we can write a YARA rule for the /etc/shadow file: we can flag it as malicious by creating a rule that looks for the string root, and if that string exists the file is flagged as malicious and copied to the quarantine folder.

rule root
{
    strings:
        $string = "root"
    condition:
        $string
}

This is a simple YARA rule: it stores the value "root" in the string variable $string, and the condition section checks for that variable, so any file containing it that is passed to clamscan is flagged as malicious.

In the shadow file we don't see a hash for root, but we do have hashes for the two users.

We already have the password for cyrus, so let's crack the hash for the maxine user.

BS CS undergraduate | CTF Player