Jan 30, 2023 / By Securium Solutions
This is a Tryhackme easy Linux machine walkthrough
Enumeration
- First we scan the ip :
The scan reveals two interesting ports & services are running. 22/tcp which is an SSH port running OpenSSH 7.2p2 and 80/tcp which is an HTTP port running Apache/2.4.18.
At first, We can try login in with default ssh and finding some known vulnerabilities but could not come up with something. After that, I switch my scope to port 80
- Started directory fuzzing on http://<Machine_IP>\
- We got a directory name “/content” and visited http://<Machine_IP>/
We got a webpage of CMS SweetRice is used to manage content, allowing multiple contributors to create, edit and publish. Going through google we found that sweetrice is vulnerable.
- So we again run directory fuzzing on http://<Machine_IP>/content
- We got a directory name “/inc” and visited http://<Machine_IP>/content/inc/
- We are able to download the file that might contain some useful information so we checked the MySQL backup database.
The downloaded file revealed the username and password but the password was in the hash so using an online hash decoder we decoded and got the password.
Our second directory fuzzing also revealed a second directory which is useful
- Visiting the URL http://<Machine_IP>/content/as/we got a login page of SweetRice. We can now log in using the credentials.
Successfully logging in we got an endpoint named media where we can upload a file so here we upload our PHP reverse shell and receive it with our netcat listener.
- Click on the file that we upload and check the NC we got our first shell
- We successfully got a shell. Now we can read the “user.txt” flag and also upgrade this shell.
Privilege Escalation
- Now we check what permissions we have using the “sudo -l” command.
- We can see there is a file we can execute with the sudo name “backup. pl”. So we “cat backup. pl”
- Which tells us that it runs a sh script so we “cat /etc/copy.sh”
We checked the permissions and know that we have written permission. So we changed the content without reverse shell and then executed the backup.pl file while keeping our new netcat listener on
After that, we can just cat the root flag.
