TryHackMe — Year of the Jellyfish

troy10101
5 min read · Jun 29, 2021
https://tryhackme.com/room/yearofthejellyfish

Introduction

This is a stumble-through showing my thought process, success and failures attempting this machine.

This room has a public facing IP. Throttle down scans to a non-intrusive level or your ISP may block your attacks. This happened to me a few times. I had to terminate and re-deploy quite a bit until it dawned on me.

On release this room offered a contest to win an OSCP voucher.

Knowing when to stop attempting a certain vector is one of the biggest parts of the pentesting/red team game. Having the ability to drop one vector or thought process and immediately/fluently pick another is proving extremely valuable. A wide range of skills is absolutely necessary for any-color team. I can feel these skills developing, over time, as I progress. Hacking is getting easier!

Summary

Year of the Jellyfish on TryHackMe is heavy on the web side. Surprisingly, I didn't have to use Burp. Initial enumeration reveals 21, 22, 53, 80, 443, 8096 and 22222 open. Add the subdomains from the SSL certificate, which grants access to the monitorr "framework". Use browser navigation to reset the monitorr database and register a new user. Use the new user to upload a reverse shell and gain a foothold. Find the machine vulnerable to CVE-2019-7304 (dirty_sock). Deploy the exploit and obtain the root flag.

Action

Nmap Results

Pico CMS version 2.1

Apache 2.4.29

Headed to port 80 on the IP to start and was met with the host name robyns-petshop.thm

Add robyns-petshop.thm to /etc/hosts and reload webpage

Possible user name:
Robyn

Gobuster it! (you might want to keep the throttle at the default; -t 40 resulted in an ISP block)

Jellyfin media platform
I spent a good deal of time attempting to brute-force Jellyfin.. incorrect.

Considered attempting a reverse proxy to allow password reset..

Navigating to port 8000 looks promising. Spent a good deal of time fuzzing ID_HERE. incorrect.

Another time sink attempting DNSMASQ exploit.. incorrect

Remembering SSL I decided to check the certificate. This is where everything fell into place.
Add sub-domains to /etc/hosts from certificate
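The certificate step above is where the room opens up, so here is a small helper for it. This is an added example, not code from the writeup or from TryHackMe: it parses the Subject Alternative Name block of an OpenSSL text dump and turns the DNS entries into a single /etc/hosts line. The sample certificate text is constructed; only robyns-petshop.thm and monitorr.robyns-petshop.thm come from the writeup, the wildcard and "other-placeholder" entries are there to exercise the parser, and the IP is a placeholder.

```python
import re

# Constructed sample of the relevant slice of an OpenSSL text dump, as produced by
#   openssl s_client -connect <target-ip>:443 -servername robyns-petshop.thm </dev/null \
#     | openssl x509 -noout -text
# The two robyns-petshop.thm names come from the writeup; the wildcard and the
# "other-placeholder" entry are constructed to exercise the parser.
SAMPLE_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:robyns-petshop.thm, DNS:monitorr.robyns-petshop.thm, DNS:*.robyns-petshop.thm, DNS:other-placeholder.robyns-petshop.thm
            X509v3 Basic Constraints: 
                CA:FALSE
"""

# The SAN entries sit on the line directly after the extension header.
SAN_RE = re.compile(r"Subject Alternative Name:[^\n]*\n[ \t]*([^\n]+)")


def extract_san_dns_names(cert_text: str) -> list[str]:
    """Return the DNS: entries of the SAN extension, in order, without duplicates.
    Wildcard names are dropped because /etc/hosts cannot express them."""
    m = SAN_RE.search(cert_text)
    if not m:
        return []
    names: list[str] = []
    for entry in m.group(1).split(","):
        entry = entry.strip()
        if not entry.startswith("DNS:"):
            continue  # IP:, email: and URI: entries are not hostnames
        name = entry[len("DNS:"):].strip().lower()
        if name.startswith("*.") or name in names:
            continue
        names.append(name)
    return names


def hosts_line(ip: str, names: list[str]) -> str:
    """One /etc/hosts line mapping every discovered name to the target IP."""
    return f"{ip} {' '.join(names)}"


if __name__ == "__main__":
    found = extract_san_dns_names(SAMPLE_CERT_TEXT)
    print(hosts_line("10.10.10.10", found))  # 10.10.10.10 is a placeholder IP
```

Append the printed line to /etc/hosts and every name in the certificate resolves to the box; the same parser works on any `openssl x509 -text` output, not just this room's certificate.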

Note: If I knew then what I know now I would have used dig on initial scan. Considering it has a public facing IP.. should have clued me in to this.. ignorance is bliss.. anyway…

Navigate to monitorr.robyns-petshop.thm

Attempted this RCE exploit.. incorrect.

After some research (being modest.. this took awhile too) I came across this blog which I loosely followed.. SUCCESSFULLY.

https://lyhinslab.org/index.php/2020/09/12/how-the-white-box-hacking-works-authorization-bypass-and-remote-code-execution-in-monitorr-1-7-6/

Basically we have to reload the database from the installation directory as if we were loading the application for the first time.

Download the databases (datausers.db, users.db (this isn’t needed but good practice))

View database

At this point I thought I was in. Let john run for about an hour and took a break..

Through further manual enumeration I found the install files to reload the database and data directory

In the assets/config/_installation/ folder there is a php file to reload the database and install the data directory.

Output after navigating to ./mkbdajax.php. We have reset the database!
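The reason this works is that the installer under assets/config/_installation/ is still reachable after the application has gone live. From the defender's side the fix is to remove or deny that directory once setup is done, and the signal to watch for is any successful request to it afterwards. The following is an added example, not part of the writeup or of Monitorr: it parses Apache combined-format access log lines and reports hits on the installer path. The log lines are constructed, the _installation path is the one named above, and the placement of mkbdajax.php inside it is an assumption.

```python
import re

# Apache combined log format: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Paths that should never be served once installation is complete.
# The _installation directory is from the writeup; the file placement is assumed.
INSTALLER_PATTERNS = [
    re.compile(r"/assets/config/_installation/", re.IGNORECASE),
    re.compile(r"/mkbdajax\.php", re.IGNORECASE),
]

# Constructed sample log lines (IPs, timestamps and sizes are made up).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [29/Jun/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [29/Jun/2021:10:01:09 +0000] "GET /assets/config/_installation/ HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [29/Jun/2021:10:01:15 +0000] "GET /assets/config/_installation/mkbdajax.php HTTP/1.1" 200 214 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [29/Jun/2021:10:01:40 +0000] "GET /assets/config/_installation/ HTTP/1.1" 403 199 "-" "curl/7.68.0"',
    '10.0.0.9 - - [29/Jun/2021:10:02:00 +0000] "GET /assets/css/style.css HTTP/1.1" 200 4211 "-" "Mozilla/5.0"',
]


def find_installer_hits(log_lines, only_successful: bool = True):
    """Return (ip, path, status) for every request that touched an installer path.

    With only_successful=True, responses of 400 and above are skipped: a 403 or 404
    means the directory is already denied or removed, which is the desired state."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; ignore rather than crash
        status = int(m["status"])
        if only_successful and status >= 400:
            continue
        if any(p.search(m["path"]) for p in INSTALLER_PATTERNS):
            hits.append((m["ip"], m["path"], status))
    return hits


if __name__ == "__main__":
    for ip, path, status in find_installer_hits(SAMPLE_ACCESS_LOG):
        print(f"installer path served: {status} {path} to {ip}")
```

A 200 on the installer path after go-live is the alert; if every such request returns 403 or 404, the post-install hardening is doing its job.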

Head to the login page

Register a new admin account

List of /php

Use Upload.php to upload an image reverse shell payload. Filtering prevents a normal php shell.. you have to be creative. I was stuck here for a while.. testing payloads. Eventually got one to work!

If you are human, make sure to set the cookie parameter correctly in your requests. Use 443 in the payload, since you are navigating over SSL.

Upload and navigate to shell to get reverse connection
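The upload step works because the filter only looks at part of what matters. The following is an added example, not code from the writeup or from Monitorr, and the "naive" check is an assumption about the shape of a weak extension-only filter rather than a description of Monitorr's code. It places that weak check beside a defence-in-depth validator that requires a single plain extension from an allowlist, checks the file header against that extension, rejects script markers inside the body, and stores the file under a server-chosen random name. The sample file bodies are constructed.

```python
import os
import re
import secrets

IMAGE_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# Leading bytes a file of each allowed type must start with.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Script markers that have no business inside an image body.
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<script", re.IGNORECASE)

# A stem of plain characters only: no dots, slashes or spaces.
STEM_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def naive_is_allowed(filename: str) -> bool:
    """Assumed weak filter: only the final extension is inspected, the body never is."""
    return filename.rsplit(".", 1)[-1].lower() in IMAGE_EXTENSIONS


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Defence-in-depth check. Returns (accepted, reason_or_storage_name).

    Accepted files get a random server-chosen name, so the client never controls
    the name or extension under which the bytes are stored."""
    base = os.path.basename(filename)  # drop any path components
    parts = base.split(".")
    if len(parts) != 2 or not STEM_RE.fullmatch(parts[0]):
        return False, "reject: name must be <stem>.<ext> with a plain stem"
    ext = parts[1].lower()
    if ext not in MAGIC:
        return False, "reject: extension not in allowlist"
    if not data.startswith(MAGIC[ext]):
        return False, "reject: file header does not match extension"
    if SCRIPT_MARKERS.search(data):
        return False, "reject: script markers inside image body"
    # Store under this name outside the web root and serve it through a handler
    # that sets Content-Type from the validated type, never from the request.
    return True, f"{secrets.token_hex(16)}.{ext}"


# Constructed inputs: a PNG header followed by filler, and the same header with a marker.
PNG_HEADER = MAGIC["png"]
PLAIN_IMAGE = PNG_HEADER + b"\x00" * 32
IMAGE_WITH_CODE = PNG_HEADER + b"<?php echo 'x'; ?>"

if __name__ == "__main__":
    for name, body in [("cat.png", PLAIN_IMAGE), ("cat.php.png", PLAIN_IMAGE), ("cat.png", IMAGE_WITH_CODE)]:
        print(name, naive_is_allowed(name), validate_upload(name, body))
```

The header and marker checks are defence in depth, not the whole answer: a real fix also keeps the upload directory out of any path the web server will execute, which is what makes a disguised script harmless even when the validator misses it.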

Cat /etc/passwd for machine users (this isn't needed for the room but it's something I always do)

Claim first flag

Copy linpeas and linux exploit suggester to client machine
LinPEAS (not sure, but this is probably the password for /business on port 80)

LES suggests CVE-2021-3056 sudoedit (it fails (should have verified first..))
Also suggests CVE-2019-7304 dirty_sock. This works and gets us the root flag!
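The "should have verified first" lesson applies to dirty_sock as well: it is a snapd bug, fixed in snapd 2.37.1, so a version check tells you whether the finding is real before anything is run. The following is an added example, not from the writeup or from Linux Exploit Suggester: it parses `snap version` output and compares the snapd version against the patched release. The sample output is constructed and its version number is a placeholder, not a claim about the room's machine.

```python
import re
import subprocess

# snapd 2.37.1 shipped the fix for CVE-2019-7304 (dirty_sock).
PATCHED_SNAPD = (2, 37, 1)

# Constructed sample of `snap version` output; the version shown is a placeholder.
SAMPLE_SNAP_VERSION = """\
snap    2.34.2
snapd   2.34.2
series  16
ubuntu  18.04
kernel  4.15.0-XX-generic
"""

# Only the "snapd" line matters; the "snap" client line is skipped by the trailing 'd'.
VERSION_RE = re.compile(r"^snapd\s+(\d+)\.(\d+)(?:\.(\d+))?")


def parse_snapd_version(output: str):
    """Return the snapd version as an int tuple, or None if no snapd line is present."""
    for line in output.splitlines():
        m = VERSION_RE.match(line)
        if m:
            major, minor, patch = m.groups()
            return (int(major), int(minor), int(patch or 0))
    return None


def is_dirty_sock_vulnerable(version) -> bool:
    """True when snapd is older than the first patched release."""
    return version is not None and version < PATCHED_SNAPD


def check_local_snapd() -> str:
    """Run `snap version` on this host and report; no `snap` binary means nothing to fix."""
    try:
        out = subprocess.run(["snap", "version"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return "snapd not installed"
    v = parse_snapd_version(out)
    if v is None:
        return "could not parse snapd version"
    state = "VULNERABLE (upgrade snapd)" if is_dirty_sock_vulnerable(v) else "patched"
    return f"snapd {'.'.join(map(str, v))}: {state}"


if __name__ == "__main__":
    print(check_local_snapd())
```

On a box you own, the remediation is simply updating the snapd package; on an engagement, a "patched" result here saves the time the sudoedit attempt cost above.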

Navigate to /tmp and download the exploit to client machine

Run the exploit (use v2.. v1 did not work for this machine)

Switch to newly created dirty_sock user and claim root flag!

Thanks to MuirlandOracle for his time and expertise.

Thanks for reading!


Computer science, Cyber/InfoSec enthusiast. Wanna-be hacker.