# Olympus

## Nmap

```
sudo nmap 10.10.46.71 -p- -sS -sV

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

### Web Server

**Note:** Add olympus.thm to `/etc/hosts`.

Browsing to the web server on port 80 after amending the hosts file, we are presented with the page shown below.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FPsptY58Iby6VbkH4ht1D%2Fimage.png?alt=media\&token=077848fd-23a4-43d4-a2e6-7be4929e2101)

Using `feroxbuster` to force browse the directories on the target system we get a valid hit for `/~webmaster`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FPiAITdseWiFKDIguQ2my%2Fimage.png?alt=media\&token=95a95ea6-955c-4c3e-afc3-91e285fe0077)

### Victor CMS - SQLi

From here we are taken to a new page that appears to be running Victor CMS.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FyC9h120Z4iYfZ3vt5U2A%2Fimage.png?alt=media\&token=dc501348-81c4-4698-a18b-a946d17f01f5)

A simple search with `searchsploit` shows multiple known issues. After going through some of the vulnerabilities I opted for the `cat_id` option as this does not require any authentication.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FxpX1sW008uza1jXdnEg1%2Fimage.png?alt=media\&token=4a4d331d-e741-49ef-bf62-824a652239bd)

**Attack vector:** <https://www.exploit-db.com/exploits/48485>

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FbAywemM5pZRckaTVKmCu%2Fimage.png?alt=media\&token=1c14f112-8b09-41fd-9b9f-f4cfc0bff3e7)

Using the PoC linked above, we perform the request and capture it with `Burp Suite`, saving the raw request in the process.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FBi3XlYaBLPApMIRGRvYU%2Fimage.png?alt=media\&token=6040a3fb-17f3-4b08-a5d9-a6a20ed0d0b5)

### SQLmap

We then feed the saved request to `sqlmap`. Running it with the `--batch` option, we discover the `olympus` database and its `chats` table.

With this information we then dump the table.

```
sqlmap -r ~/Desktop/request.raw --batch -D olympus -T chats --dump
```

This yields three password hashes, for the accounts:

* prometheus
* zeus
* root

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FDdpaxmTDo8cLQSmKO0uk%2Fimage.png?alt=media\&token=00ea6331-7fdc-4a55-bce9-3ac3b2faa8fb)

### Flag #1

Dumping all tables in the olympus database also reveals the first flag under the "flag" table.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FDEHgpnEOKsPPwPnHNHwC%2Fimage.png?alt=media\&token=74d787ab-3acf-40f4-9b80-bf72716f5dec)

### Hash cracking

Running `john` against the captured hashes, we soon get a single hit: the first hash, belonging to prometheus.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FDcToQ9DWnFvKl9NbyCrm%2Fimage.png?alt=media\&token=7ed452b2-9ae2-4c01-bd5f-3cea76715057)

### Chat.Olympus.thm

From the remaining information dumped from the olympus database we also discover the virtual host `chat.olympus.thm`. Browsing to it we find the following login page.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FtSRj56Ljcbv4lobXVTwT%2Fimage.png?alt=media\&token=219f5141-cef3-467b-9f61-89561facef76)

Using the prometheus credentials cracked earlier, we are able to authenticate. The existing message log shows that we have the ability to upload files, but also that uploaded file names are randomized.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F8D2pVyYWHbJWoJebCLQk%2Fimage.png?alt=media\&token=2b1e6e30-bff8-4dc0-9a39-48038b9f7662)

First, we upload a PHP reverse shell.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F4iM1ty9t30OvbyYJzEBY%2Fimage.png?alt=media\&token=b4dbf9c4-008e-40ad-9f6c-64841335f217)

Looking back at the sqlmap output, we find that the database stores the file name after it has been randomized, so the randomization does not hide it from anyone who can read the database.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FJ55RDYmUEYiogb1gh4dU%2Fimage.png?alt=media\&token=a9ebcb31-9b79-4bd1-88f9-59c2d9b561d3)

### Shell as www-data

The chat application mentions an `uploads` folder. Combining this with the randomized name of the shell we uploaded, we can browse to it and trigger our shell.

Browse to: <http://chat.olympus.thm/uploads/b8b91888be70b2a182bffb24fd12441a.php>

This gives us a shell as *www-data*.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FEcvgw0sn1X5mwWYLFBPV%2Fimage.png?alt=media\&token=16636da9-f829-4943-9c19-9683c3f11f88)
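Seen from the defender's side, the two web steps above (the `cat_id` injection probed with sqlmap, and the uploaded PHP file fetched from `/uploads/`) both leave a signature in the Apache access log. The following is an added example, not part of the original writeup: a small Python detector run over constructed combined-format log lines; the `category.php` path carrying `cat_id` is an assumption, and the log lines themselves are made up.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" log format; the vhost is not logged, so it is not checked.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Coarse SQL-injection signatures for a numeric id parameter such as cat_id.
SQLI_RE = re.compile(r"(?i)\bunion\b.*\bselect\b|\bsleep\s*\(|\b(and|or)\b\s+\d+\s*=\s*\d+|--\s*-?$")

# Constructed sample lines (not real traffic); the category.php path is assumed.
SAMPLE_LOG = """\
10.9.1.5 - - [10/May/2022:10:01:12 +0000] "GET /~webmaster/category.php?cat_id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.9.1.5 - - [10/May/2022:10:02:40 +0000] "GET /~webmaster/category.php?cat_id=1%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 200 5300 "-" "sqlmap/1.6#stable (https://sqlmap.org)"
10.9.1.5 - - [10/May/2022:10:15:03 +0000] "GET /uploads/b8b91888be70b2a182bffb24fd12441a.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.9.1.5 - - [10/May/2022:10:15:09 +0000] "GET /uploads/cat.png HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Return the alert tags that apply to one parsed entry (empty list = benign)."""
    tags = []
    url = urlsplit(entry["path"])
    path = unquote(url.path)
    if "sqlmap" in entry["ua"].lower():
        tags.append("sqlmap-user-agent")
    # parse_qs percent-decodes the values, so the signature sees the decoded payload.
    values = [v for vs in parse_qs(url.query, keep_blank_values=True).values() for v in vs]
    if any(SQLI_RE.search(v) for v in values):
        tags.append("sqli-pattern")
    # A .php file under the uploads directory answering 200 is the upload-to-shell
    # step: the random file name hid nothing once the file was executable.
    if path.startswith("/uploads/") and path.lower().endswith(".php") and entry["status"] == "200":
        tags.append("php-in-uploads")
    return tags

def scan(log_text):
    """Return (ip, decoded path, tags) for every line that raised at least one tag."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and (tags := classify(entry)):
            hits.append((entry["ip"], unquote(entry["path"]), tags))
    return hits
```

Calling `scan(SAMPLE_LOG)` flags the sqlmap request and the fetch of the uploaded `.php` file, while the ordinary category view and the image download pass clean.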

### Flag #2

The next flag can be found in `/home/zeus/user.flag`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fx6KvqQcxFrT0384tnpDF%2Fimage.png?alt=media\&token=aef32ebd-f81c-4ceb-af05-00e43f23c535)

### Privilege Escalation #1

For privilege escalation, `linpeas.sh` was run against the target system. It identified the binary `/usr/bin/cputils`, which has the SUID bit set and is owned by the user *zeus*.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F6gPhSc0Av7duvhHtxYlH%2Fimage.png?alt=media\&token=9a6e0ccf-6e29-49e4-8253-347b852dd475)

Running `strings` against the binary shows its purpose.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FFWNRzgd6xiCEMtzfs1zq%2Fimage.png?alt=media\&token=de583c5c-0350-4977-b9a2-6ea848908f51)

Running the binary itself, it executes in the context of the user *zeus*. Knowing this, we use it to copy the `/home/zeus/.ssh/id_rsa` key to the `/tmp/` directory.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FigIM3om55vilVyEcxxpc%2Fimage.png?alt=media\&token=94ab6542-464a-42b6-8cc9-cd41111362c3)

The `id_rsa` key is then copied to the attacking system. When attempting to use the key file we are prompted for a passphrase.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FtdTeDiO6PQbhWHF086Qv%2Fimage.png?alt=media\&token=3449e3f2-369a-4dec-8c5a-ca24077a1168)

`ssh2john` converts the `id_rsa` file into a hash format that `john` can then crack to reveal the passphrase.

```
/usr/bin/ssh2john ~/Desktop/id_rsa >> ~/Desktop/id_rsa.hash
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fim6qPRAb0PEN6616F6xg%2Fimage.png?alt=media\&token=bf9c97d4-d7eb-49ed-9231-3efeb910f27b)

### SSH as zeus

After cracking the hash and obtaining the passphrase, we are able to log in as *zeus*.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fu5URagwghXWNu4t3WVKF%2Fimage.png?alt=media\&token=78146cf5-5f5a-42a8-a040-95a4569dc539)

Manual enumeration of the web directories reveals a directory with a randomized name and, within it, a PHP file that also has a randomized name.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FXtfT9JSmMgkcI73qpoKT%2Fimage.png?alt=media\&token=6d7f9cd9-eebe-4316-a196-72d67b05ba33)

Viewing the contents of `VIGQFQNYOST.php`:

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fa21CpXW39RJKsmhjDuUK%2Fimage.png?alt=media\&token=f9ca18a5-bfad-4f55-8060-5daaebb3e142)

We can also browse to the same location and file:

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FZSvLvjeJxgXQ8FR6Lh9S%2Fimage.png?alt=media\&token=e42037ce-9058-4d24-b11c-a01c4b885ebf)

However, I was unable to proceed using the root shell shown in the image below:

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fcwlw3T0CbQ3B7kWkxskJ%2Fimage.png?alt=media\&token=9e042d38-8db3-425c-8c4a-830da84ae9be)

### Privilege Escalation #2

A further look through the PHP code shows that we can call a binary file to spawn a root shell.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F41uwXiT22LZsOTyc9AS8%2Fimage.png?alt=media\&token=40a7e3a1-9ab4-4ff1-9ebd-8d4be60c65d7)

```
uname -a; w; /lib/defended/libc.so.99
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F3oVTRaFjqhaVGPyvYQRF%2Fimage.png?alt=media\&token=9e24e6d8-79ae-47c8-9a5e-ea3bb00c1add)

### Flag #3

After spawning the root shell we can grab the third flag.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FSFuPoDxkDznN9JYonKHM%2Fimage.png?alt=media\&token=4e53b28a-cf37-4a33-b906-e65187ad5411)

### Flag #4

For the fourth flag, the room creator advises searching for it from the root shell. We can use `grep` with the known format of the previous flags to find it.

```
grep -irl flag{ /etc/
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FdKDtWN52cJONiR5qhG9P%2Fimage.png?alt=media\&token=62dfbcaa-1836-4c07-8057-ea04ebf0eac2)
