TryHackMe — En-Pass
This is a practical walkthrough of room “En-Pass” from TryHackMe. Although this room is marked as easy level, but for me it was kind of difficult level. This room is aimed at tricky web application Exploits and PrivEsc.
This walkthrough will be explanatory, because I learned couple new things from this room. So, don’t mind my blabbering.
Room Link: https://tryhackme.com/room/enpass
Passwords, hashes and Flags will be redacted to encourage you to solve those challenges on your own.
First Things First
Deploy the target machine (this machine might take upto 3–5 minutes to load and accessible)
There are two ways to access the deployed target machine.
1) Use attacker box — Provided by TryHackMe, it consist of all the required tools available for attacking.
2) Use OpenVpn configuration file to connect your machine (kali linux) to their network.
For the sake of demonstration I am using OpenVPN connection on my Kali Linux machine.We won’t be using Metasploit for this challenge
All of my further commands will be executed as normal user not as root. So, if you’re also not executing all the commands as root then make sure to use sudo, as it can give you permission to run elevated programs.
There are two flags to collect and one name path to complete this room
Enumeration
We will kick off this room with enumerating target using Nmap.
We got two open ports on target, HTTP and SSH service with respective version information. As you can see HTTP is not running on default port (80) and SSH version is vulnerable for username enumeration (Check on Exploit-DB).
If we visit HTTP service then we’d see three images with messages on them. Two messages are in cipher text (Caesar Cipher) and one is in clear text. If we convert from cipher to clear text then we’d get “best of luck” and “A sad Man”, something like that. There’s no robot.txt file too, even if we check the page source, there’s nothing.
So, we have to go with directory enumeration on HTTP service to find any pages or directories on target. Let’s pull up GoBuster and find.
We got couple pages and directories on target. Let’s find reg.php is.
We have here an input field. If we input any text, it returns “try again”. If we check the page source, then we’d see a php code.
So, there’s a filter which we need to bypass. There are some conditions to be met in order to bypass the above filter. The input shouldn't have any Alphabets (lower or caps), nor any numbers, it means we have to try with only special characters. There’s an explode parameter which separates input strings using “,”. If all the conditions match and our values of array (input) match to the $sum ==9 then it will show the result.
I performed trial and error on a online php compiler to get that echo as result.
So, if we input $$,!!,&,^^,@,^^,$$,*,))) then we’d get the result. Let’s try it on target web page.
Nice, we got result and it’s a password. We could try with SSH but we still don’t have any username. Let’s Keep enumerating further using different approach.
Let’s fire up DirSearch and directories.
Before trying DirSearch, I tried with GoBuster and it didn’t have recursive function to find directories, so I had to do manually. The best thing about DirSearch is recursive with level of depths to brute force.
Initially we’d get these two forbidden directories on target machine.
As you can see the HTTP status code is 301, that means it’s not accessible to us. DirSearch adds the directory to the queue once it finds any. We need keep searching until unless we get HTTP status code 200.
As you can see after many attempts, we found a directory/file with h HTTP status code 200. Let’s visit that and ind out what it is.
Aight, we got encrypted private key from that DirSearch result. We can use this for SSH authentication, but we don’t have username yet, without username it’s not possible to authenticate.
After trying couple hours, I couldn't able to enumerate the username, even after using different wordlists. So, what I conclude is that, they must have a custom username which is not part of any wordlist.
There’s another php page names 403.php. Upon visiting that page, it shows us custom error message.
At the moment I didn’t know whether there’s any trick to this or just regular forbidden message. So, I tired a lot of things before finding out about 403 bypass techniques and also there’s a hint from THM.
Using 403fuzzer python application, This tool will check the endpoint with a couple of headers such as X-Forwarded-ForIt will also apply different payloads typically used in dir traversals, path normalization etc. to each endpoint on the path.
I am excluding some of the response code from seeing in the result. It tries with many payloads to bypass the 403 page and you might see a lot of 200 response code, but you have to filter based on length result.
We got the payload, now we need to execute directly in browser to get the result.
Whoop, whoop, we got the username. We have a private key and username to access SSH now. Let’s try it.
So, we have to save the private key, change the permissions and run the SSH on target. The private which we fetched from target, is encrypted, SSH will ask you to provide the password for that. We have also got it from encase input, provide it and *hacker voice* you are in.
We got our first user flag, now we need to escalate our privileges by find any misconfigurations.
I started with finding any binary which has SUID bit enabled and moved to LinPeas and LinEnum, but unfortunately I couldn't find any misconfigurations. Then I ran Pspy application.
pspy is a command line tool designed to snoop on processes without need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute.
While combing through all the data which I got from pspy, I got this.
This is being executed by root user, every minute. If we check the /opt directory, then we’d find the script.
We can read and execute this file, but can’t edit it. But, fortunately this file is owned by root. Upon execution of this py file, it gives us below error.
It’s looking for a yml file in /tmp directory and that file is not available to load. Even if we check the /tmp directory, there’s nothing named file.yml.
I googled ‘python yaml.load’ and to my surprise it’s deprecated since 2006 because it is unsafe as it is possible to call system commands. Source
Example:
Now we need to create a file in /tmp directory with name file.yml with python system call to our exploit.
Chmod 4777 (chmod a+rwx,ug+s,+t,g-s,-t) sets permissions so that, (U)ser / owner can read, can write and can execute. (G)roup can read, can write and can execute. (O)thers can read, can write and can execute.
We are copying bash binary /tmp directory and changing the permission with chmod 4777 of that binary.
As you can see from above two images, after a minute of creating file.yml, we got our bash binary in /tmp directory. Now we need to execute this binary to get root shell.
We got all the flags required to complete this rooms.
Thank you for reading this blog. While attempting this challenge I learned so many things. This was unique target with unique vulnerability.
Reference
https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
https://www.geeksforgeeks.org/php-explode-function/
