Lockdown - Write Up

Table of Contents
| Link | Level | Creator |
|---|---|---|
| Here | Medium | hangrymoose |
Recon
Hey! Welcome back!
Once again we are running nmap against this machine to see what services are running!
Simple machine for now: 2 open ports, 22 running ssh and 80 running a web server.
Let’s go to the web!
If you try to go directly to the IP of the machine, you will probably see this:
That is because we have to add the following line to our /etc/hosts file:
{MACHINE_IP} contacttracer.thm
Replace {MACHINE_IP} with the IP of the machine.
After that, we can reach the page.
We can see a normal page, a Contact Tracer for the Coronavirus, very useful in this pandemic situation…
We have an admin login! Maybe we can exploit an SQLi like this…
And we succeed!
We can see a normal page, but the interesting thing is at the lower right:
We have the version of this platform, and we can now search for a public exploit!
We found it here. I also tweaked this exploit a little to get a better shell; you can find it here.
So let’s run the exploit!
We are in!
Foothold - User
We are in, but we can’t read the user’s flag.
So, searching for interesting files, I found the credentials of a mysql connection!
We can use them to log in to the mysql server!
And we have now a hashed password!
We have many ways to de-hash it!
I’m gonna use STH (Search That Hash). But you can use crackstation or even john.
We have now the plain text password!
Let’s see if any user reused this password…
Luckily for us, the user cyrus
reused the password and we now have the user’s flag!
Root
To get the root’s flag, we have to follow an interesting path…
First, we can run a script with sudo.
Reading this script, it will trigger a scan on the path that we give to it…
Looking around, we can see that to check for “viruses” in a file, the script will check a DB.
And here we have the databases…
So, to check for viruses, it is using YARA rules… You can read more about this in this link.
But basically we can create our own YARA rule to read the root’s flag, like this:
This rule will match any file containing the strings THM or root.
Now let’s copy this rule to the folder where the script is looking for the DBs and Rules…
Great, let’s now run the script with sudo, and let’s use the path to the root’s flag!
The exploit worked as expected! We now have a file in “quarantine”, and this file is the root’s flag! So let’s read it!!!
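The weak spot that makes this path work is a sudo-run scanner loading rules and DBs from a directory that an unprivileged user can write to. As an added example (not part of the original write-up), the audit below walks such a directory and reports anything a non-trusted user could tamper with before the scanner reads it; the rule directory, file names and the `build_demo_dir` fixture are constructed assumptions, not paths from the machine.

```python
import os
import stat
import tempfile
from pathlib import Path

def unsafe_rule_files(rules_dir, trusted_uid=0):
    """Audit a YARA rule/DB directory that a sudo-run scanner loads from.

    Returns a sorted list of (path, reason) pairs for the directory itself and
    everything under it that a user other than `trusted_uid` could tamper with:
    wrong owner, group- or world-writable, or a symlink (its target is not checked).
    """
    root = Path(rules_dir)
    if not root.is_dir():
        return [(str(root), "rules directory does not exist")]
    problems = []
    for p in [root, *root.rglob("*")]:
        st = p.lstat()  # lstat: never follow links, report the link itself
        if stat.S_ISLNK(st.st_mode):
            problems.append((str(p), "symlink; target may lie outside the rule directory"))
            continue
        if st.st_uid != trusted_uid:
            problems.append((str(p), f"owned by uid {st.st_uid}, expected {trusted_uid}"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append((str(p), "group- or world-writable"))
    return sorted(problems)

def build_demo_dir():
    """Constructed fixture (hypothetical, not from the machine): one sane rule file,
    one writable rule file and one symlink, in a fresh temporary directory."""
    d = tempfile.mkdtemp()
    os.chmod(d, 0o755)
    good = os.path.join(d, "good.yar")
    bad = os.path.join(d, "bad.yar")
    link = os.path.join(d, "link.yar")
    for f in (good, bad):
        Path(f).write_text("rule placeholder { condition: false }\n")
    os.chmod(good, 0o644)  # owner-only write: fine
    os.chmod(bad, 0o666)   # anyone can rewrite this rule: flagged
    os.symlink("/etc/hostname", link)
    return {"dir": d, "good": good, "bad": bad, "link": link, "uid": os.getuid()}

if __name__ == "__main__":
    fx = build_demo_dir()
    for path, reason in unsafe_rule_files(fx["dir"], trusted_uid=fx["uid"]):
        print(f"UNSAFE {path}: {reason}")
```

In a real deployment `trusted_uid` stays at its default of 0, so every rule the privileged scanner loads must be root-owned and not writable by the group or others.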
And we rooted the machine!
That’s all from my side, hope you find this helpful!