TryHackMe — Cold VVars
This is my TryHackMe — Cold VVars machine writeup.
You can also find the same writeup on my personal website here:
Scanning victim’s IP using nmap tool to see open ports the result is:
Browsing on port 8082 we can see that there is a website then I decided to scan it using “dirb”. So I found “login” section:
Browsing in it:
After a few tries I found that the username field is injectable. If I put:
' or 1=1
the result is:
Username or Password Wrong
But if I put:
" or 1=1
the result is:
Internal Error
So I found the right command injection:
" or "=" or "
Putting it and clicking “login”, credentials appear:
Trying one of the credentials found against port 445 (smb), using “smbclient” command, “SECURED” share exists:
So I can connect to SECURED share:
smbclient \\\\10.10.45.254\\SECURED -U <REDACTED>
and insert Password
Here is a file, note.txt. Download and read it:
It says “Secure File Upload and Testing Functionality”. I thought that it could mean that SECURED share is directly connected to the website. But I don’t find any path under port 8082 that made me see the note.txt file. So I decided to try with port 8080. Using “dirb” I found “dev” folder and trying to browse http://10.10.45.254:8080/dev/note.txt I could see file note.txt content:
http://10.10.45.254:8080/dev/ is the path in wich (via smb SECURED share) I can put a reverse shell or a webshell to try to get access to victim.
I found php reverse shell file here. Then I activate my netcat listener on my kali:
nc -lnvp 9999
Set my IP and port 9999 in reverse shell php file, upload it in /dev folder (via smb SECURED share using “put” command) and browsing http://10.10.45.254:8080/dev/reverse.php I got reverse shell.
Upgrade shell with this command:
/bin/bash -i
or with:
python -c 'import pty; pty.spawn("/bin/bash")'
Now I am “www-data” user but I can read user.txt file.
Privilege escalation
Once shell upgrading (see above) I can run “su” command and I’m able to login as “Arth******an” user using password find above.
Doing enumeration I found that with “env” (or “printenv”) command there is a variable maybe useful:
So I tried to see if port 4545 is open:
netstat -tulpn
But port 4545 is not open.
Then I tried to open port 4545 with netcat on victim machine:
nc -l 4545
Appears some options. I tried all of these but the useful one is number 4. It go to “vi” editor and as said here I was able to get a shell running this within “vi”:
:!bash
Hitting “enter” I got “m****on” user shell.
Spawning shell with:
python -c 'import pty; pty.spawn("/bin/bash")'
Path to root
To get root I found that I could have take advantage from “tmux”, attaching active terminal. First listing active terminal with “tmux ls” command. Steps are the following:
$ TERM=xterm
$ export TERM
Then:
$ tmux ls
(you can see that the active terminal is number 0)
Finally attach to terminal 0.
$ tmux attach -t 0
Now you have to switch between tmux panel until the root shell appears. You can do it using <CTRL>b + n combination, then press “enter”.
When root shell appears for go to it use <CTRL>B + up arrow combination and press “enter”.
So I got root flag.
I like this room because in my opinion it is similar to reality and I like it a lot especially in the tmux part.