Olympus
https://tryhackme.com/room/olympusroom
Last updated
https://tryhackme.com/room/olympusroom
Last updated
Note: Add olympus.thm to /etc/hosts.
Browsing to the web server on port 80 after amending the hosts file, we are presented with the page shown below.
Using feroxbuster to force browse the directories on the target system we get a valid hit for /~webmaster.
From here we are taken to a new page that appears to be running Victor CMS.
A simple search with searchsploit shows multiple known issues. After going through some of the vulnerabilities I oped for the "cat_id" option as this does not require any authentication.
Attack vector: https://www.exploit-db.com/exploits/48485
Using the PoC linked above we perform the request and capture with Burpsuite. Saving the raw request in the process.
With the saved request we utilize it with sqlmap. Using the --batch option we discover the olympus database and the "chats" table.
Together with this information we then dump the table.
Where we retrieve three password hashes for the accounts:
prometheus
zeus
root
Dumping all tables in the olympus database also reveals the first flag under the "flag" table.
Running john against the captures hashes we soon get a single hit on the first hash for the prometheus.
From the remaining information dumped from the olympus database we also discver the virtual host "chat.olympus.thm". Browsing to this we find the following login page.
Where using prometheus' credentials cracked earlier we are able to authenticate. Looking at the existing message log we see we have the ability to upload files, however we see that uploaded file names are randomized.
Firstly, we upload a PHP reverse shell.
Then looking back at sqlmap we find the database stores the name of the file after it has been randomized.
In the chat application we see mention of an "uploads" folder. Using this information combined with the name of the shell we have uploaded, we can browse and trigger our shell.
Browse to:http://chat.olympus.thm/uploads/b8b91888be70b2a182bffb24fd12441a.php
Where we obtain a shell as www-data.
The next flag can be found in /home/zeus/user.flag.
For privilege escalation linpeas.sh was run against the target system, linpeas identified where the binary /usr/bin/cputils has the SUID bit set for the user zeus.
Running the strings command against the binary we see what the purpose of the binary is.
Running the binary itself, we can run within the context of the user zeus. Knowing this we copy the /home/zeus/.ssh/id_rsa key to the /tmp/ directory.
The id_rsa key is then copied to the attacking system. When attempting to use the key file we are prompted for a password.
ssh2john can be utilized to hash the id_rsa file and then cracked to reveal the password.
After cracking the hash and obtaining the password we are then able to login as zeus.
Manual enumeration of the web directories reveals a directory with a randomized name and within, a PHP file with a randomized name.
Viewing the contents of VIGQFQNYOST.php.
Where we can also browse to the same location and file:
However, I was unable to proceed using the root shell shown in the image below:
A further look through at the PHP code and we can see we can call a binary file to spawn a root shell.
After spawning the root shell we can then grab the 3rd flag.
For the 4th flag we are advised by the room creator to search for it within the root shell. We can utilize grep with the known syntax of the previous flags to find it.
