TryHackMe : HiJack[Account Takeover]

#$ubh@nk@r
5 min read · Oct 22, 2023


Intro: Hello all Hackers! Welcome to my new article on the TryHackMe CTF Hijack. It is a really interesting machine involving hijacking the admin panel, command injection and Linux privilege escalation with environment variables. So let's jump into it.

Nmap Scan:

As usual we start with a normal Nmap scan. It shows 4 open ports: 22 (SSH), 80 (HTTP), 21 (FTP), 111 (rpcbind).

NFS Share:

So from this result it is clear that we have no FTP anonymous access. But on port 111 we can see an NFS share is available, so we can mount a folder from the victim's machine on our VM.

So it is /mnt/share. We mounted it on our /tmp/share folder. But when we try to access it: Permission Denied. :)

The reason is that the UID and GID are different: 1003.

So we have to create a new user with that ID to access it.

Now we can easily access that folder. There is a text file which reveals the FTP username and password.

So I use those and access the FTP service. Here I downloaded all the important files to my VM.

Here I find a password list and also a text file from the admin saying: Prevention of Brute Forcing Attack.

Web Exploitation:

So I visit the web page. Though there is a login page, we cannot brute-force the admin account because of the brute-force prevention.

So I make a regular account with test:password and log in with those creds.

I also intercept the request in Burp Repeater, where I found the real hack.

I saw that the PHPSESSID is Base64 encoded. I decode it.

It is my username and my password in MD5 hash format.
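That decoded cookie is the real weakness of the app: the session ID is just base64("user:md5(password)"), so it can be computed from the credentials instead of being issued by the server. As an added example (not the author's script or the challenge's code), here is that weak construction beside a random, server-side session token, plus a small audit helper that flags cookies with this forgeable shape:

```python
import base64
import hashlib
import secrets
import string

HEX = set(string.hexdigits)

# Weak scheme found in the challenge: PHPSESSID = base64("user:md5(password)").
# The cookie is derived entirely from the credentials, so anyone who knows the
# username and can guess the password offline can compute a valid cookie
# without ever touching the (rate-limited) login form.
def weak_session_id(username: str, password: str) -> str:
    digest = hashlib.md5(password.encode()).hexdigest()
    return base64.b64encode(f"{username}:{digest}".encode()).decode()

# Hardened scheme: the cookie is a random token and the token->user mapping
# lives only on the server, so the cookie carries no information about the
# account and cannot be computed from anything an attacker can guess.
class SessionStore:
    def __init__(self) -> None:
        self._sessions: dict[str, str] = {}

    def create(self, username: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[token] = username
        return token

    def lookup(self, token: str):
        return self._sessions.get(token)    # None for unknown or revoked tokens

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)

# Audit helper: if a cookie decodes to "<user>:<32 hex chars>", return the
# parts; otherwise None. Run it over captured session cookies to spot the
# weakness above without needing the application source.
def parse_forgeable_session(cookie: str):
    try:
        raw = base64.b64decode(cookie, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, digest = raw.partition(":")
    if user and sep and len(digest) == 32 and set(digest) <= HEX:
        return user, digest
    return None
```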

So what we can try: admin:<convert_given_pass_into_md5>, encode the whole thing in Base64, and try them one by one for admin panel access (Intruder attack). I made a script to do this with the help of ChatGPT.

import hashlib
import base64

def md5_hash_password(password):
    # Return the hex MD5 digest of the given password string
    md5 = hashlib.md5()
    md5.update(password.encode('utf-8'))
    return md5.hexdigest()

# Replace 'passwords.txt' with the path to your own Password File
password_file = 'passwords.txt'

# Open the file and read passwords line by line
with open(password_file, 'r') as file:
    passwords = [line.strip() for line in file]

# Create a list to store the formatted entries (admin:<md5>)
output_list = []

for password in passwords:
    hashed_password = md5_hash_password(password)
    formatted_entry = f'admin:{hashed_password}'
    output_list.append(formatted_entry)

# Save the base64-encoded output to 'output.txt', one entry per line
with open('output.txt', 'w') as output_file:
    for entry in output_list:
        # Encode the entry in base64
        encoded_entry = base64.b64encode(entry.encode('utf-8')).decode('utf-8')
        output_file.write(encoded_entry + '\n')

At last I got all the possibilities.

Then I start an Intruder attack to find the admin's session ID.

And after some time I got it and gained access to the admin panel.

It looks like this in the web page.

So here I can execute some commands, but normal commands like id, whoami don't work. So I use $(id) and it gives me this output.

ID is www-data. Now I put in a reverse shell payload and get a reverse shell.

User as Rick:

Then in my Netcat listener I get shell access.

Here in config.php I got the user:pass combination.

I use these creds and get user access over SSH as the user Rick, and also the user flag.

Privilege Escalation:

So it's time for some PrivEsc. First I type sudo -l and I get something like this.

I search it on Google and found this post.

According to that post I have to make a C file.

And then we have to compile it.

Tip: gcc -o /tmp/libcrypto.so.1 -shared -fPIC /tmp/<name.c>

Then we just have to run the following command, and we will get root access.

Tip: sudo LD_LIBRARY_PATH=/tmp /usr/sbin/apache2 -f /etc/apache2/apache2.conf -d /etc/apache2

So in this way we pwned the machine. Yup!!!!

THANKS FOR READING!

If you like it, don't forget to follow me for more articles.

Happy Hacking~


Written by #$ubh@nk@r

CyberSecurity Learner, CTF Player, Noob Bug Hunter https://starlox0.github.io/
