
Road

Inspired by a real-world pentesting engagement


Last updated 1 year ago

Lab Setup

mkdir ~/Documents/tryhackme/road
cd ~/Documents/tryhackme/road
mkdir recon notes enumeration
touch notes/{README.md,vulns,creds}

export IP=10.10.169.117
export domain=skycouriers.thm

Enumeration

First I scan the machine with nmap and rustscan for open ports. I use rustscan because it is faster than nmap, but I still run nmap as well to make sure I have found every open port.

# just ports 
nmap -p- $IP -oN recon/ports
# services (nmap scan)
nmap -sC -sV -v $IP -oN recon/services
# services (rustscan)
rustscan -a $IP --ulimit 5000 -- -sC -sV -A -T4 

I found two open ports: 22, the default for SSH, and 80, the default for HTTP. When I begin enumerating port 80 I start with simple tools that report versions, emails, domains, allowed HTTP methods and whether a WAF is in front.

# nikto
nikto -h http://$IP -C all -o enumeration/nikto.txt
# whatweb
whatweb -a 4 http://$IP

This turned up a domain, so I add it to /etc/hosts pointing at $IP. The first thing I do when I find a domain is fuzz for subdomains (here as virtual hosts, through the Host header), but nothing turned up.

# vhost fuzzing through the Host header; --hl 7 hides responses with 7 lines (the baseline length)
wfuzz -c -f enumeration/subdomains.txt -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt --hl 7 -t 200 -u "http://$IP" -H "Host: FUZZ.$domain"

Next I enumerate the website manually to see what looks interesting. At the same time I check for files and directories with feroxbuster.

feroxbuster -t 10 -u http://$domain -k -w /usr/share/seclists/Discovery/Web-Content/common.txt -o enumeration/feroxbuster

I got a lot of output, but one hit stood out: /v2. It redirects to /v2/admin/login.html.

I registered an account and logged in to see what is in there. After spending some time in the web application I figured out how to get access to this machine. The profile page offers an image upload, but only the admin, admin@sky.thm, is allowed to use it.

Exploitation

It took a while, but I managed to figure it out. I triggered a password reset for my own account and examined the request and response in Burp Suite. After that, it became much easier.

The reset request carries the target email address in the request body, and the server does not check that it belongs to the logged-in user. All I had to do was swap in the email address I discovered, admin@sky.thm, and set a new password. With that done, I logged in as the admin. Next, I went to the profile section and uploaded a reverse-shell payload as the profile image. However, I hit a roadblock: I could not find where the uploaded file was stored in order to trigger it. So I examined the source of /v2/profile.php, and the upload directory was there.
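The reset flaw modelled in code, as an added example that is not the room's PHP and uses a constructed in-memory user store (field names such as email, password and current_password are assumptions): the vulnerable handler reads the account to update from the request body, the fixed one binds it to the server-side session.

```python
"""Password reset that trusts the client-supplied email, next to the fixed
handler.  Added example with a constructed in-memory user store; it is not
the room's PHP code, and the form field names are assumptions."""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class User:
    email: str
    pw_hash: str
    is_admin: bool = False


def hash_pw(password: str) -> str:
    # Demo-only hash; a real application uses bcrypt/argon2 with a per-user salt.
    return hashlib.sha256(password.encode()).hexdigest()


def make_store() -> dict[str, User]:
    # Constructed accounts: the admin seen on the profile page and the
    # low-privilege account the attacker registered.
    return {
        "admin@sky.thm": User("admin@sky.thm", hash_pw(secrets.token_hex(16)), True),
        "attacker@sky.thm": User("attacker@sky.thm", hash_pw("Password1")),
    }


def login(store: dict[str, User], email: str, password: str) -> User | None:
    user = store.get(email)
    if user and secrets.compare_digest(user.pw_hash, hash_pw(password)):
        return user
    return None


def reset_vulnerable(store: dict[str, User], session_email: str, form: dict) -> bool:
    """The bug: the account to update is read from the request body ('email'),
    so any authenticated user can point the reset at any account."""
    target = store.get(form["email"])
    if target is None:
        return False
    target.pw_hash = hash_pw(form["password"])
    return True


def reset_fixed(store: dict[str, User], session_email: str, form: dict) -> bool:
    """Bind the target to the server-side session and ignore any email the
    client sends; also require the current password for the change."""
    target = store.get(session_email)
    if target is None or not secrets.compare_digest(
        target.pw_hash, hash_pw(form.get("current_password", ""))
    ):
        return False
    target.pw_hash = hash_pw(form["password"])
    return True


# The tampered request: logged in as the attacker, email swapped for the admin's.
TAMPERED = {"email": "admin@sky.thm", "password": "pwned", "current_password": "Password1"}


def takeover_via_vulnerable() -> bool:
    """Admin login works with the attacker-chosen password: account takeover."""
    store = make_store()
    reset_vulnerable(store, "attacker@sky.thm", TAMPERED)
    admin = login(store, "admin@sky.thm", "pwned")
    return admin is not None and admin.is_admin


def takeover_via_fixed() -> bool:
    """Same request against the fixed handler: only the attacker's own
    password changes and the admin account is untouched."""
    store = make_store()
    reset_fixed(store, "attacker@sky.thm", TAMPERED)
    return login(store, "admin@sky.thm", "pwned") is not None


if __name__ == "__main__":
    print("vulnerable handler: admin taken over =", takeover_via_vulnerable())
    print("fixed handler:      admin taken over =", takeover_via_fixed())
```

Note that this models an authenticated change-password flow, which is what the profile page exposes. An unauthenticated "forgot password" flow has to bind the reset to a single-use, expiring token delivered to the account's mailbox; there too the client-supplied email must never select the account that gets updated.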

Now that I have a shell on the machine, I check the home directory of the webdeveloper user and retrieve the user.txt flag.

Privilege Escalation

For privilege escalation the box turns out to be vulnerable to CVE-2021-4034 (PwnKit), a local privilege escalation in polkit's pkexec. I used the proof of concept from the mebeim/CVE-2021-4034 GitHub repository: transfer its files to the target, run the included bash script, and you get a root shell. Before running it, confirm that pkexec exists on the target and is SUID root; the exploit fails against a patched build.

https://github.com/mebeim/CVE-2021-4034