TryHackMe — Cold VVars writeup

prv
4 min readJul 17, 2021

--

TryHackMe — Cold VVars

This is my TryHackMe — Cold VVars machine writeup.

You can also find the same writeup on my personal website here:

Scanning victim’s IP using nmap tool to see open ports the result is:

Browsing on port 8082 we can see that there is a website then I decided to scan it using “dirb”. So I found “login” section:

Browsing in it:

After a few tries I found that the username field is injectable. If I put:

' or 1=1

the result is:

Username or Password Wrong

But if I put:

" or 1=1

the result is:

Internal Error

So I found the right command injection:

" or "=" or "

Putting it and clicking “login”, credentials appear:

Trying one of the credentials found against port 445 (smb), using “smbclient” command, “SECURED” share exists:

So I can connect to SECURED share:

smbclient \\\\10.10.45.254\\SECURED -U <REDACTED>
and insert Password

Here is a file, note.txt. Download and read it:

It says “Secure File Upload and Testing Functionality”. I thought that it could mean that SECURED share is directly connected to the website. But I don’t find any path under port 8082 that made me see the note.txt file. So I decided to try with port 8080. Using “dirb” I found “dev” folder and trying to browse http://10.10.45.254:8080/dev/note.txt I could see file note.txt content:

http://10.10.45.254:8080/dev/ is the path in wich (via smb SECURED share) I can put a reverse shell or a webshell to try to get access to victim.

I found php reverse shell file here. Then I activate my netcat listener on my kali:

nc -lnvp 9999

Set my IP and port 9999 in reverse shell php file, upload it in /dev folder (via smb SECURED share using “put” command) and browsing http://10.10.45.254:8080/dev/reverse.php I got reverse shell.

Upgrade shell with this command:

/bin/bash -i

or with:

python -c 'import pty; pty.spawn("/bin/bash")'

Now I am “www-data” user but I can read user.txt file.

Privilege escalation

Once shell upgrading (see above) I can run “su” command and I’m able to login as “Arth******an” user using password find above.

Doing enumeration I found that with “env” (or “printenv”) command there is a variable maybe useful:

So I tried to see if port 4545 is open:

netstat -tulpn

But port 4545 is not open.

Then I tried to open port 4545 with netcat on victim machine:

nc -l 4545

Appears some options. I tried all of these but the useful one is number 4. It go to “vi” editor and as said here I was able to get a shell running this within “vi”:

:!bash

Hitting “enter” I got “m****on” user shell.

Spawning shell with:

python -c 'import pty; pty.spawn("/bin/bash")'

Path to root

To get root I found that I could have take advantage from “tmux”, attaching active terminal. First listing active terminal with “tmux ls” command. Steps are the following:

$ TERM=xterm
$ export TERM

Then:

$ tmux ls
(you can see that the active terminal is number 0)

Finally attach to terminal 0.

$ tmux attach -t 0

Now you have to switch between tmux panel until the root shell appears. You can do it using <CTRL>b + n combination, then press “enter”.

When root shell appears for go to it use <CTRL>B + up arrow combination and press “enter”.

So I got root flag.

I like this room because in my opinion it is similar to reality and I like it a lot especially in the tmux part.

--

--