narancs's blog

TryHackMe – Lockdown walkthrough

TryHackMe Lockdown room logo

Introduction

This is a walkthrough of the Lockdown CTF room on TryHackMe. In this room we need to gain initial access to the target through a web application, Coronavirus Contact Tracer. Used tools / techniques: nmap, Burp Suite, php reverse shell, sqlmap, mysql, privilege escalation.

Enumeration

Nmap scan results:

2 ports are open: SSH is running on port 22, and HTTP on port 80.

I did not have possible usernames and/or passwords for SSH, so I started enumerating the webserver. When I opened the page in my browser it redirected to http://contacttracer.thm/login.php. To be able to visit the page I added the domain to /etc/hosts.
    10.10.151.8    contacttracer.thm

On the login page there was a link ‘Go to Admin Panel’ that pointed to /admin/login.php.

I tried a couple of default credentials, but none of them worked. However, I was able to log in with a basic SQL injection. In the username field I entered:

    ' OR 1=1 -- -

I clicked login and I found myself logged in to the dashboard as Administrator.
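Why that single username value is enough to reach the dashboard, and what closes the hole, as an added example that is not code from the room or from the Coronavirus Contact Tracer application. The users table, the password-hashing scheme (SHA-256 here) and both login functions are constructed for this illustration; the only thing taken from the page is the username value.

```python
import hashlib
import sqlite3

# Constructed stand-in for the application's users table. The hashing scheme
# is an assumption made for this example, not the app's real one.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (1, 'admin', ?)",
        (hashlib.sha256(b"correct-horse").hexdigest(),),
    )
    return conn

# The username value entered on the admin login form in the walkthrough.
BYPASS = "' OR 1=1 -- -"

def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, so the username is parsed as SQL.
    With BYPASS the WHERE clause becomes
        username = '' OR 1=1 -- -' AND password = '...'
    and everything after the -- is a comment, so the row for id 1 is returned."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = (
        "SELECT id, username FROM users "
        f"WHERE username = '{username}' AND password = '{pw_hash}'"
    )
    return conn.execute(sql).fetchone()

def login_safe(conn, username, password):
    """Same query with bound parameters: the driver sends the username as data,
    so quote characters and comment markers in it carry no SQL meaning."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, pw_hash)).fetchone()

if __name__ == "__main__":
    db = make_db()
    print("concatenated query:", login_vulnerable(db, BYPASS, "anything"))  # (1, 'admin')
    print("parameterised query:", login_safe(db, BYPASS, "anything"))       # None
```

The same bound-parameter form is available in PHP through PDO prepared statements or mysqli's bind_param; the point is that the fix is in how the query is built, not in filtering the quote character.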

When I checked the different features of the web app, I found a few ways to upload files:

  • Upload avatar on the user page (http://contacttracer.thm/admin/?page=user)
  • Upload image while editing an entry on the People page (http://contacttracer.thm/admin/?page=people)
  • Upload image while editing an entry on the Establishment page (http://contacttracer.thm/admin/?page=establishment)

I was able to upload a PHP reverse shell, but I did not know where the file had been uploaded.
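The three upload forms accept a .php file where an image is expected, and the stored path is predictable once the table is dumped. The following upload handler is an added example of how such a form can be hardened; it is not the application's code, and the accepted image types (PNG and JPEG only), the random naming scheme and the file mode are assumptions made for the example.

```python
import os
import secrets

# Magic bytes of the image types the form is meant to accept (assumption for
# this example: avatars and entry images are PNG or JPEG).
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
}

def sniff_image_ext(data: bytes):
    """Return the extension implied by the file's own header, or None."""
    for magic, ext in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return ext
    return None

def store_upload(data: bytes, client_filename: str, upload_dir: str) -> str:
    """Validate by content rather than by the client-supplied name, and store
    under a random name whose extension the web server will never route to PHP.
    Returns the stored file name (what the app would record in its table)."""
    ext = sniff_image_ext(data)
    if ext is None:
        raise ValueError(f"rejected {client_filename!r}: content is not a PNG or JPEG")
    # A valid image with PHP appended still passes the sniffer, so also refuse
    # anything that carries a PHP open tag.
    if b"<?php" in data or b"<?=" in data:
        raise ValueError(f"rejected {client_filename!r}: embedded PHP open tag")
    stored_name = secrets.token_hex(16) + ext
    path = os.path.join(upload_dir, stored_name)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o640)  # owner rw, group r, not executable
    return stored_name
```

The random name removes the "where did it land" problem only for the attacker; the real control is that the uploads directory has the PHP handler disabled (or sits outside the document root), so nothing stored there is ever executed.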

Later I checked the login form further with sqlmap. I intercepted a login request via Burp Suite and saved it in a file named login_request.txt.

Then I used that saved request as input for sqlmap. First I tried to find the name of the database:

    sqlmap -r login_request.txt --current-db

The username parameter was vulnerable to time-based blind SQL injection. sqlmap successfully enumerated the name of the database: cts_db

Then I ran the following command to get the list of tables:

    sqlmap -r login_request.txt -D cts_db --tables

Tables found: barangay_list, city_list, establishment, people, state_list, system_info, tracks, users.

I dumped the users table first. It contained the password hash for the admin user of the web application. But it was useless, because I was already logged in as Administrator. Also, password login was not allowed for SSH, so I was not able to brute-force login credentials.

I uploaded my reverse shell as an image while editing an establishment, so I dumped that table next.

    sqlmap -r login_request.txt -D cts_db -T establishment --dump

The table contained the path of the uploaded file. With that information, I was able to trigger a reverse shell. That is what I needed to get initial access to the target.
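Time-based blind enumeration like the sqlmap run above leaves a distinctive footprint even though the payload travels in a POST body that the access log never records: one client sends many requests to the login form, and a large share of them take several seconds because the database was made to sleep. The detector below is an added example, not tooling from the room; it assumes an Apache "combined" log with the request duration in microseconds (%D) appended, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Apache "combined" format with %D (request time in microseconds) appended;
# the log format is an assumption for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<usec>\d+)$'
)

def find_time_based_probes(lines, slow_usec=4_000_000, min_slow=3):
    """Return {ip: stats} for clients whose requests to a login form were
    repeatedly slow (the database sleeping for a true injected condition),
    or that announce a scanner in the User-Agent. Thresholds are tunable."""
    per_ip = defaultdict(lambda: {"requests": 0, "slow": 0, "scanner_ua": False})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].split("?", 1)[0].endswith("login.php"):
            continue
        rec = per_ip[m["ip"]]
        rec["requests"] += 1
        if int(m["usec"]) >= slow_usec:
            rec["slow"] += 1
        if "sqlmap" in m["ua"].lower():
            rec["scanner_ua"] = True
    return {ip: r for ip, r in per_ip.items()
            if r["slow"] >= min_slow or r["scanner_ua"]}

# Constructed sample: 10.0.0.5 hits /admin/login.php with ~5 s responses and a
# browser-looking User-Agent (sqlmap can randomise it); 10.0.0.9 is one normal login.
SAMPLE_LOG = [
    '10.0.0.9 - - [19/Dec/2021:17:30:01 +0000] "POST /admin/login.php HTTP/1.1" 302 0 "http://contacttracer.thm/admin/login.php" "Mozilla/5.0" 41233',
    '10.0.0.5 - - [19/Dec/2021:17:31:10 +0000] "POST /admin/login.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0" 5012345',
    '10.0.0.5 - - [19/Dec/2021:17:31:16 +0000] "POST /admin/login.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0" 5009871',
    '10.0.0.5 - - [19/Dec/2021:17:31:21 +0000] "POST /admin/login.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0" 38112',
    '10.0.0.5 - - [19/Dec/2021:17:31:27 +0000] "POST /admin/login.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0" 5020004',
    '10.0.0.5 - - [19/Dec/2021:17:31:33 +0000] "POST /admin/login.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0" 5000532',
]

if __name__ == "__main__":
    for ip, stats in find_time_based_probes(SAMPLE_LOG).items():
        print(ip, stats)
```

The timing signal is the robust one: the User-Agent check catches only a default sqlmap configuration, while the sleep pattern survives any client-side disguise because the delay is produced by the server itself.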

User flag

I started a netcat listener to catch the reverse shell. Then I sent a request to http://contacttracer.thm/uploads/1639932780_shell.php.

Now I had a shell as the www-data user on the target. I checked for other users and found home directories for cyrus and maxine, but www-data had no permissions on them.

Then I checked for configuration files in the root directory of the web server. I found credentials in /var/www/html/config.php:

    $dev_data = array('id'=>'-1','firstname'=>'Developer','lastname'=>'','username'=>'dev_oretnom','password'=>'5da283a2d990e8d8512cf967df5bc0d0','last_login'=>'','date_updated'=>'','date_added'=>'');

I was not able to crack the password hash. These credentials are probably useless for this room.

Then I also found the database credentials in /var/www/html/classes/DBConnection.php.

This password did not work for any of the Linux users either. Then I connected to the database and checked all the tables.

There was another password hash in the users table (I also dumped this table earlier with sqlmap).

I was able to crack the password using https://crackstation.net/. This password worked for cyrus user. The user flag was in /home/cyrus/user.txt file.

Root flag

The cyrus user had sudo rights to run /opt/scan/scan.sh as root.

The scan.sh script:

    #!/bin/bash
    read -p "Enter path: " TARGET
    if [[ -e "$TARGET" && -r "$TARGET" ]]
      then
        /usr/bin/clamscan "$TARGET" --copy=/home/cyrus/quarantine
        /bin/chown -R cyrus:cyrus /home/cyrus/quarantine
      else
        echo "Invalid or inaccessible path."
    fi

The script reads a file path from user input. If the file exists and is readable:

  • clamscan will scan the file. If it is flagged as infected, the file will be copied to /home/cyrus/quarantine
  • The owner of the /home/cyrus/quarantine directory and everything in it will be changed to cyrus

So, if we could ‘trick’ clamscan to flag every file as infected, we could copy any file to /home/cyrus/quarantine and read it.

I checked the documentation of ClamAV and found the following at https://docs.clamav.net/manual/Signatures.html

In order to detect malware and other file-based threats, ClamAV relies on signatures to differentiate clean and malicious/unwanted files. ClamAV signatures are primarily text-based and conform to one of the ClamAV-specific signature formats associated with a given method of detection. These formats are explained in the Signature formats section below. In addition, ClamAV 0.99 and above support signatures written in the YARA format. More information on this can be found in the Using YARA rules in ClamAV section.

Also:

The CVD and CLD database archives may be supplemented with custom database files in the formats described to gain additional detection functionality. This is done simply by adding files of the following formats to the database directory, typically /usr/local/share/clamav or "C:\Program Files\ClamAV\database". Alternatively, clamd and clamscan can be instructed to load the database from an alternative database file or database directory manually using the clamd DatabaseDirectory config option or the clamscan -d command line option.

So YARA rules can be added to the database directory. By adding rules, we can influence which files clamscan flags as infected. I found the location of the database directory in the config file.

    cyrus@lockdown:~$ grep DatabaseDirectory /etc/clamav/freshclam.conf
    DatabaseDirectory /var/lib/clamav
    cyrus@lockdown:~$

To create a YARA rule I checked this page in the documentation: https://docs.clamav.net/manual/Signatures/YaraRules.html

I created /var/lib/clamav/myrule.yara file with the following rule in it:

    rule CheckFileSize
    {
      strings:
        $abc = "abc"
      condition:
        ($abc or not $abc) and filesize > 0
    }

This rule will flag any file as infected. So this way I was able to read the root flag from /root/root.txt.
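The root cause here is not ClamAV but the fact that an unprivileged user could drop a custom rule into the signature directory that a root-run clamscan trusts. The audit script below is an added example, not part of the room or of ClamAV: it walks a database directory and reports entries owned by an untrusted uid or writable by group/other, symlinks, and any custom signature or YARA file present so an administrator can review what the scanner will load. The list of custom-database extensions and the trusted-uid default are assumptions for the example.

```python
import os
import stat

# Extensions of the text-format custom databases and YARA rules that clamscan
# loads from the database directory alongside the signed .cvd/.cld archives
# (list assumed for this example).
CUSTOM_DB_EXT = {".yara", ".yar", ".ndb", ".hdb", ".hsb", ".ldb",
                 ".mdb", ".cdb", ".ign2", ".ftm"}

def audit_clamav_db(db_dir, trusted_uids=(0,)):
    """Return (kind, path, detail) findings for a ClamAV database directory.

    kinds: dir-owner / file-owner   entry owned by a uid outside trusted_uids
           dir-writable / file-writable   group- or other-writable (mode & 022)
           symlink                        entry is a symlink (target in detail)
           custom-signature               non-archive signature file to review
    """
    findings = []

    def check_perms(path, st, kind):
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid not in trusted_uids:
            findings.append((f"{kind}-owner", path, st.st_uid))
        if mode & 0o022:
            findings.append((f"{kind}-writable", path, oct(mode)))

    check_perms(db_dir, os.stat(db_dir), "dir")
    for name in sorted(os.listdir(db_dir)):
        path = os.path.join(db_dir, name)
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            findings.append(("symlink", path, os.readlink(path)))
            continue
        check_perms(path, st, "file")
        if os.path.splitext(name)[1].lower() in CUSTOM_DB_EXT:
            findings.append(("custom-signature", path, name))
    return findings

if __name__ == "__main__":
    # /var/lib/clamav is the directory named in the room's freshclam.conf.
    for finding in audit_clamav_db("/var/lib/clamav"):
        print(*finding)
```

A clean result is an empty list apart from custom-signature entries you recognise; on a host where freshclam runs as its own service user, pass that uid in trusted_uids alongside root. The same check belongs in the review of any sudo rule that lets a user run a scanner as root, together with the question of where --copy and the subsequent chown put the scanned file.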

[Extra] Gaining root shell

After getting the root flag I also tried to gain a root shell on the target. For that I used scan.sh again, this time to copy the shadow file into the quarantine directory.

I put the password hash of maxine into a file and cracked the password using hashcat.

I switched to maxine user with the cracked password. Maxine had capabilities to run any command as root via sudo.

Summary

I enjoyed playing the Lockdown room on TryHackMe. It required several tools and techniques to root the machine. There might be other ways to root it as well; e.g. I did not use the SSH service at all.

The target VM was running a web application called Coronavirus Contact Tracer. The admin login page of the app was vulnerable to SQL injection. I used this vulnerability to log in as the Administrator user, and also to dump data from the database. Logged in as Administrator, I found 3 places where I was able to upload files. I uploaded a PHP reverse shell and gained initial access to the target.

Then, I checked the files in the webserver’s root directory. I found the database configuration file that contained the database credentials. From the DB I retrieved the password hash of the admin user and cracked the password on crackstation.net. With the discovered password I was able to switch to cyrus user and get the user flag. This user had privilege to run a shell script as root. Exploiting this script I could read the root flag as well.

Using the same exploit, I could also read the shadow file and retrieve the password hash of the other user, maxine. I cracked the password using hashcat and switched to maxine user. This user could run any command as root with sudo, so I gained root access on the target.
