TryHackMe — Archangel WalkThrough
This is a practical walkthrough of room “Archangel” from TryHackMe. Although this room is marked as easy level, but for me it was kind a medium level. This room is aimed at Boot2root, Web exploitation, Privilege escalation, LFI.
This walkthrough will be explanatory, because I learned couple new things from this room. So, don’t mind my blabbering.
Room Link: https://tryhackme.com/room/archangel
Passwords, hashes and Flags will be redacted to encourage you to solve those challenges on your own.
First Things First
Deploy the target machine (this machine might take upto 3–5 minutes to load and accessible)
There are two ways to access the deployed target machine.
1) Use attacker box — Provided by TryHackMe, it consist of all the required tools available for attacking.
2) Use OpenVpn configuration file to connect your machine (kali linux) to their network.
For the sake of demonstration I am using OpenVPN connection on my Kali Linux machine.We won’t be using Metasploit for this challenge
All of my further commands will be executed as normal user not as root. So, if you’re also not executing all the commands as root then make sure to use sudo, as it can give you permission to run elevated programs.
There are two generic flags, 2 user flags and 1 root flag to collect to complete this room.
Enumeration
We kick off this room with enumerating the IP address allocated to us with Nmap
From the result of Nmap, two ports are open which can help us to advance further. We will start with HTTP service enumeration. Before we fire up the tools, let’s visit the web page and try to find any crucial information.
Upon visiting the web page, the first thing I saw was email address. From this email address, we got domain name. Let’s edit our hosts file and point target IP address to this host/domain name. You can directly append the IP and host/Domain name or you can use any of your favorite text editor to add.
Now we have pointed the host/domain to target IP address, let’s visit the domain and find what it has.
Alright, got our first generic flag by just visiting the domain. The page says, it’s “under development”, that means bugs, vulns, misconfigurations, etc. Whatever it is, we can find it here. While doing CTFs, I usually try manual stuff like, reading HTML source, email address, virtual hosts, robots.txt and couple other. Upon visiting the robots.txt, I found a page.
As you can see, upon visiting that page, we got a button with a heading “not to be deployed”. This means, we are advancing towards right path. Let’s click that button and find out what’s up with that.
We gotta message “control is an illusion” (from Mr. Robot series) and it redirected to different url. The part of url ?view= hints us that there’s a possibility of LFI (Local File Inclusion) attack.
LFI — TL;DR
You trick the server into sharing its private files. Think of the configuration, log and source code files of the website. Sometimes it can even lead to Remote Code Execution. LFI attacks are therefore considered to be high impact.Read More on LFI Here To Understand
I tried couple LFI strings to get the passwd and hosts file, but unfortunately I failed. The reason might me, it’s not vulnerable or some kind of protection is in place to stop these basic LFI attacks. I googled “lfi cheat sheet” in hope to find any bypass techniques. The first link was HighOnCoffee and Second link was HackTricks. The first link was all about how to get a reverse shell from LFI and second link explained about basic LFI bypass techniques. I tried some of them to read passwd file, to my surprise one of them worked.
As you can see, the content of passwd file is displayed on our browser. Initially I tired LFI attack on ?view=without the path and it didn't work, and I tried with the path ?view=/var/www/html/development_testing and it worked. What we can assume at the moment is, it’s restricting to run without path.
From above LFI attack, we got passwd content, and there’s a user called “Archangel”. We got the username, now we can try SSH brute force, unfortunately I got nothing. At this moment I didn't know what else to do, so I looked at the hint “Best way to exploit lfi is to look at the code”. So, it says to exploit LFI we must look at code and find some interesting configuration which can help us to bypass the restrictions.
TBH, I never getting a shell by exploiting LFI vulnerability. Before I dive into the research, I wanted to try something else, if there’s a user called “archangel”, then is it possible to access the users home folder? Why I got this question is, even if I try to get a reverse shell then I’d get the same user (www-data) level access which I am trying now to exploit. So, I just tried to access home folder of “Archangel” user with flag.txt and I failed fantastically, at this point I was laughing so hard and wondering who’d be this naive to try to access flags. After couple tries, I landed on it. I used user.txt.
Jackpot, we got the user flag before second generic flag. This is just pure luck.
Moving to the hint we got from THM, it says to exploit the LFI vulnerability, we need to view the source code of the PHP file. As we already know it’s not possible to view PHP source code unless we are admin or some serious misconfiguration on server side.
So I googled how to view php source code by exploiting LFI vulnerability. After couple minutes, I found something concrete information. There are some builtin Wrappers available in PHP, which are responsible for handling protocol related tasks like downloading data from a web or ftp server and exposing it in a way that it can be handled with PHP’s stream related functions.
One of the blog discussed about how to use one of the wrapper to read the code of PHP using LFI.
PHP:// is a wrapper for Accessing various I/O streams. We will use php://filter — it is a kind of meta-wrapper designed to permit the application of filters to a stream at the time of opening. There are multiple parameters to this wrapper, we will use convert.base64-encode/resource= — This will convert the given file into base64 encoding and print it on screen. But we have to provide the resource what we want to read like a file name index.php.
As we already know there’s a file in /var/www/html/development_testing/ that is mrrobot.php, let’s try this wrapper on it.
I ran the following with target domain: ?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/mrrobot.php
As you can see, we got the result in encoded format. Let’s decode it and find out what code looks like.
As you can see the PHP code, it’s just echoing the text. That php code is of mrrobot.php file, we want to read actual PHP code which is vulnerable. To do that, we need to just switch mrrobot.php to the one which we got from robots.txt file.
As you can see we got the PHP code, this is quite long. Let me show you from HTML source.
Let’s decode this and find out the mystery of LFI exploitation.
Alright, we got the second generic flag and php code. So, the code says (as I understood) the first condition is, the parameter which we are passing must not have “../../” string and another condition is the parameter must have “/var/www/html/developing_testing” string. Because of that first condition we used “..//..//..//” technique to bypass earlier. So, when these two conditions are met we can exploit the LFI and get a reverse shell.
I looked at the hint section it says “poison”. I just searched LFI Poison on google and found out about “Log Poisoning” technique. There are multiple ways to get reverse shell via log poisoning. But, for this room we’d stick with “Apache Log Poisoning”.
TL;DR — Apache Log Poisoning — Source
The idea behind log poisoning is to put some php code (payload) into the logs, and then load them where php will be executed. If we look at the access log, we see that on each visit to the site, there’s an entry written with the url visited and the user-agent string of the browser visiting.
The simplest case would be to change our user-agent string in a such a way that it includes php code, and then include that log file with our LFI.
So, basically we need to send our PHP payload as user-agent string, it get logged on the server and we need to load the log to run the PHP payload. I guess I got it right.
The PHP Payload we are going to use is, <?php system($_GET[‘cmd’]);?>
This execute an external program and display the output. It is a built-in function of PHP system() this function accepts the command as a parameter and it outputs the result. There are couple other, read more here.
We are going to use Burp Suite to capture the request, modify the user-agent string, send it back to server. Once it get logged, we can run native commands and get a reverse shell.
This below is our Burp request.
As you can see first line, I am requesting a specific page. Hint: robots.txt. And on fifth line, we have default user-agent string. Now we need to add our PHP Payload and pass it to server.
As you can see, I have modified the string and added a marker (0xAniket:) so that as the log file grows, we can easily locate our output, either with ctrl-f, or using curl and grep. Send this request to server from Burp.
I have sent that PHP payload to server, it must have logged in access.log. Now we need to stop the Intercepter of Burp Suite and move to browser. From browser, I need pass the linux commands to check whether its working or not.
As you can see, from my browser I am passing linux cmd “whoami” and the result is below.
We can try any commands, like “ls”. We’d get the list of current folder.
Now it’s time to get a reverse shell by running php one-liner. You can get it from here. Before we run the one-liner, we need to start a netcat listner on our kali linux machine to receive our reverse connection on target machine.
Now, we need to copy our one-liner from given link and encode it to url format.
Note: Make sure to change IP address and Port Address accordingly.
Paste it and run it in your browser to get a reverse shell.
We got the reverse shell on our machine. Now we need to stabilize this unstable shell, there are many ways but most people like Python and by-default it’s available on Linux based OS.
If we roam around user folder, we get couple files. As we already collected the user flag we don’t need it. But, there’s two other folders present in the user directory.
We can’t access “secret directory” because we don’t have permission, as you can see only user “archangel” got access. Myfiles is just Rick Roll.
Now we need to escalate privileges to existing user. We start our hunt with finding SUID binaries.
I don’t see any odd binaries present in the list. So, we need a tool which can find any PrivEsc path. I tried with LinPeas, found only one thing which caught my eye and that is a cron job.
As you can see there’s one cron job allocated to user “Archangel” and the location is /opt which runs every minute, but more importantly it’s an shell file, we can execute it to gain user privileges. Let’s find the user permission of this file and read it then.
As you can see, our current user (www-data) can read/write this file. As a matter of fact, any user do it. Also there’s another directory named “backupfiles”, but we (www-data) don’t have permission to access.
It’s a hint to add one-liners to this file and up execution we get a reverse shell with Archangel user privileges. Before we add this, we need to setup a new netcat listener on Kali Linux.
You can get you bash one-liner from here, and append it.
Give it a minute to connect back to your shell.
Let’s access secret directory and check it’s content for flag.
Alright, only one flag is remaining to complete this room. Let’s find SUID binaries again.
We got something odd binary in our list. The last one named as “backup”. If we run “file” command then we can able to determine file type.
It’s an ELF (executable and linking format) file, this file contains the single instructions as machine code that are understood by the CPU, and are executed as soon the compiled program is run. Let’s try to run this binary and find out.
Upon execution it’s giving an error related to missing either file/directory. We can use Ghidra to find what’s happening in this file and find out why this missing error I am getting. But, let’s try the simple “strings” command, it prints the strings of printable characters in files.
Upon scrolling up, I got this path where its source and destination of copy command is being executed.
In the hint they have also mentioned about “certain paths are dangerous”. This is all coming together, cp command is being executed without absolute path (/bin/cp), that means when this binary get executed, our shell search for “cp” in each directory in the path list to look fo the executable file by that name. Then shell will then run the first matching program it finds.
We can take advantage of this misconfiguration in SUID binary (backup). This is our default path.
As you can see, when “backup” gets executed, it searches for different directories for “cp” executable. We can modify and update the path to look for “cp” executable and we create our own binary and add it to the path.
We created the “cp” binary, now we need to update our path.
Now path is updated and upon execution of backup binary we’d get root. Let’s run the binary.
Now we got all the flags to complete this room.
Thank you for reading this blog. While attempting this challenge I learned so many things. This was unique target with unique vulnerability.
Reference
https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/
https://0xdf.gitlab.io/2018/09/08/htb-poison.html#web-shell-via-log-poisoning
https://medium.com/better-programming/becoming-root-via-a-misconfigured-path-720a52981c93
https://www.netsparker.com/blog/web-security/php-stream-wrappers/
https://book.hacktricks.xyz/pentesting-web/file-inclusion#basic-lfi-and-bypasses
https://github.com/swisskyrepo/PayloadsAllTheThings
https://www.php.net/manual/en/wrappers.php.php
