TryHackMe — Year of the Fox

https://tryhackme.com/room/yotf

Summary

Landing page on default nmap enumerated HTTP port revels a password protected web directory. Using username located by enum4linux or smbclient brute force the website with hydra. A base64 encoded payload passed with burp grants foothold shell. Use socat to port forward ssh to a port that can be bruted. Using bruted credentials login and copy PATH to tmp rename it as SUID. Execute it to gain root shell. This works because the binary does not have an absolute path set.

Action

Nmap Scan

# Nmap 7.91 scan initiated Tue May 11 15:26:02 2021 as: nmap -sC -sV -p- -vvv -oN initialnmap.txt 10.10.25.225
Nmap scan report for 10.10.25.225
Host is up, received echo-reply ttl 61 (0.20s latency).
Scanned at 2021–05–11 15:26:02 EDT for 765s
Not shown: 65532 closed ports
Reason: 65532 resets
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.29
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=You want in? Gotta guess the password!
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 401 Unauthorized
139/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 3.X — 4.X (workgroup: YEAROFTHEFOX)
445/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 4.7.6-Ubuntu (workgroup: YEAROFTHEFOX)
Service Info: Hosts: year-of-the-fox.lan, YEAR-OF-THE-FOX

Host script results:
|_clock-skew: mean: -19m33s, deviation: 34m37s, median: 25s
| nbstat: NetBIOS name: YEAR-OF-THE-FOX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| YEAR-OF-THE-FOX<00> Flags: <unique><active>
| YEAR-OF-THE-FOX<03> Flags: <unique><active>
| YEAR-OF-THE-FOX<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| YEAROFTHEFOX<00> Flags: <group><active>
| YEAROFTHEFOX<1d> Flags: <unique><active>
| YEAROFTHEFOX<1e> Flags: <group><active>
| Statistics:
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_ 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker:
| Checking for Conficker.C or higher…
| Check 1 (port 14796/tcp): CLEAN (Couldn’t connect)
| Check 2 (port 46194/tcp): CLEAN (Couldn’t connect)
| Check 3 (port 28614/udp): CLEAN (Failed to receive data)
| Check 4 (port 55680/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: year-of-the-fox
| NetBIOS computer name: YEAR-OF-THE-FOX\x00
| Domain name: lan
| FQDN: year-of-the-fox.lan
|_ System time: 2021–05–11T20:39:07+01:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021–05–11T19:39:07
|_ start_date: N/A

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 11 15:38:47 2021–1 IP address (1 host up) scanned in 765.08 seconds

SMB Map

Enum4Linux

Web server is directory protected

Brute users found previously with Hydra

Login to website

Input is filtered. Can not use any special characters

Base64 encode a python reverse shell to bypass filter
Catch with netcat, obtain user flag

Upload enumeration scripts
Linpeas revealed ssh running on local host
User XXX is only allowed user

Upload socat binary, to remote machine and use it to port forward SSH to something we can brute

Use hydra to brute password

Now, we can relax. We have SSH credentials!

SSH to machine as XXX
Make sure to use port 8888

shutdown is NOT using absolute path. Copy bash shell, rename it to shutdown. Run the binary and be rewarded with a root shell.

Note: Copied initial shell correctly, this is a screen shot after initial root for display.

Root Flag is not in normal place!!

Thanks for reading! :)

Computer science, Cyber/InfoSec enthusiast. Wanna-be hacker.