TryHackMe Red : Attack and Defense
Intro : It is a new room on TryHackMe that was released a few weeks ago. I solved it today and it is a little bit tricky: you attack the VM, but there is a defense mechanism on the box that will try to stop your attack. It covers basic LFI exploitation, enumeration and a Linux PrivEsc technique.
Nmap Scan :
As usual we start with a basic Nmap scan, and I find 2 ports open: 80 (http) and 22 (ssh).
Web Enumeration and LFI :
So I visit the web server on port 80. It looks like below.
It is a normal web template, but I notice the URL, which suggests that some type of LFI may be possible.
Note : http://<ip>/index.php?page=
If you don't know about LFI, check this Here.
Then I intercept the request in BurpSuite and start recon.
First I try normal path traversal, but it fails :)
Then I use the php://filter base64 wrapper and easily get the /etc/passwd file. Yup!!!!
Tip : http://<ip>/index.php?page=php://filter/convert.base64-encode/resource=<file_path>
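To see why the wrapper works and how the include should have been written, here is an added example (not the room's source code, which I never saw): a hypothetical index.php with the vulnerable pattern next to an allowlisted version. The template names and paths are made up.

```php
<?php
// Added example, not the room's code. Assumed layout: templates/ next to index.php.

// VULNERABLE: the page parameter reaches include() unchanged. Both
// ../../etc/passwd and php://filter/convert.base64-encode/resource=... work,
// and php://filter is available even with allow_url_include=Off.
function render_vulnerable(string $page): void
{
    include($page);
}

// HARDENED: map the page parameter to a fixed set of template files.
// Wrappers, traversal and absolute paths never match a key, so they are rejected.
const PAGES = [
    'home'    => 'templates/home.php',
    'about'   => 'templates/about.php',
    'contact' => 'templates/contact.php',
];

function render_hardened(string $page): void
{
    if (!array_key_exists($page, PAGES)) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    // Defence in depth: confirm the resolved file still sits inside templates/.
    $base = realpath(__DIR__ . '/templates');
    $path = realpath(__DIR__ . '/' . PAGES[$page]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(500);
        return;
    }
    include $path;
}

render_hardened($_GET['page'] ?? 'home');
```

With the hardened version, a request like ?page=php://filter/convert.base64-encode/resource=/etc/passwd simply gets a 404, and a log search for "php://" or "../" in the page parameter is an easy way to spot attempts.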
Here I find 2 users: blue and red.
Then I fuzz the home folders and find a .bash_history file in blue's home folder.
It contains something like a Hashcat password rule command to generate a password list. I try it, but it needs a .reminder file and I don't know what is in that file.
So I use the LFI to read it. It looks like below.
Then I create that .reminder file on my VM and run the Hashcat command, which gives me a password list.
Then I use Hydra to brute force blue's SSH password with that list.
User as Blue :
Then I use this password to log in to his shell.
Tip : blue : !dr0w**********
Here I get flag1.
User as Red :
Then I use pspy to watch for any interesting running process.
After some time I see a reverse shell command being run.
Here I find a domain name: redrules.thm.
So I check the hosts file immediately.
I find that domain, but it is not in our network. So I think that if we add this domain with our tun0 IP to the hosts file, then when that reverse shell command runs I will get a new shell, maybe as the red user.
Then I run the shell command I found in the pspy output.
Note : Set your Netcat Listener Before.
And in my Netcat listener I get a shell as red.
And I get flag2.
Privilege Escalation :
So now it is time for some PrivEsc. :)
I search for interesting SUID binaries and get this.
Tip : find / -perm -u=s -type f 2>/dev/null
The first binary seems interesting: /home/red/.git/pkexec.
I visit that folder and check the version of that binary.
I search Google for an exploit and get this.
You will get it Here. It is about the PwnKit vulnerability. I download it to my VM and change a path in the Python file to the SUID path above.
Then I send it to the victim machine.
Finally I run that Python file and get root access directly.
And also get flag3.
And I pwned the VM. It is a really interesting one. Thanks to the machine creator.
If you like it, don't forget to follow me for more hacking articles.
THANKS FOR READING.
Happy Hacking~