0Day TryHackMe Walkthrough

Shivam Taneja
6 min read · Oct 21, 2022

TryHackMe | 0day Writeup

Introduction

0day is a medium level room on tryhackme, with one user flag and one root flag. The room will require solid enumeration of the target, and the exploitation of two published CVE’s. This post will detail the steps I took to complete the room as well as my thought process throughout the completion of the room. Follow along and enjoy!

0day on TryHackMe: https://tryhackme.com/room/0day

Initial Scans and Enumeration

Starting off, we run rustscan against the target ip with this command: rustscan -a <machine-ip> -r 1-65535 -b 3500 -- -A

The command above tells rustscan to scan the machine ip through the entire range of 65535 ports, with a batch size of 3500. Batch size is the number of ports that rustscan will scan simultaneously. Everything after the "--" (here, -A) is passed through to nmap for the service and version scan of whatever ports are found open. You can read more about rustscan here: https://github.com/RustScan/RustScan

Rustscan output

Looking through the rustscan results, we see that there are only two ports open: 22 (SSH) and 80 (http). Let's do some more enumeration on port 80. I put the ip address of the machine into my browser and get this webpage presented to me.

This page basically just contains links to the machine creator's different social media sites, github, etc, so nothing immediately sticks out, but we still have to continue enumerating. Viewing the source code of the webpage doesn't reveal anything to exploit.

At this point, it’s a good idea to run a directory enumeration tool like dirsearch, as well as a web vulnerability scanner like nikto.

Dirsearch output

While we let nikto continue to run, we can check out some of these directories found by dirsearch. Navigating to the admin subdirectory, we get a blank page with nothing at all in the source code. Odd. The secret subdirectory gives us a little hint with a picture of a turtle.

“secret” subdirectory

Hmm… ok. When we started the machine on tryhackme, the description said "Exploit Ubuntu, like a Turtle in a Hurricane". So this is obviously trying to lead us somewhere. Let's keep note of that and look at what nikto got for us. I actually had to go back and re-run the nikto scan on the machine because my screenshot disappeared somehow. Oh well.

Nikto output

This nikto output clearly tells us to look into the shellshock vulnerability. It also references the cgi-bin subdirectory that we saw from dirsearch earlier. Now, before taking on this room, I had heard of the shellshock vulnerability but I was not totally familiar with it. After doing some research, I found that the cgi-bin subdirectory is essentially a place where the web server stores scripts that it needs. In short, the shellshock vulnerability allows an attacker to manipulate environment variables in ways that allow for remote command execution. You can read much more about shellshock here: https://securityintelligence.com/articles/shellshock-vulnerability-in-depth/
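From the blue-team side, the useful thing to take away from the nikto hit is what a shellshock probe against cgi-bin looks like in the web server's own logs. The script below is an added example (not part of this writeup and not from TryHackMe or nikto): it parses Apache combined-format access log lines, flags any request whose logged Referer or User-Agent carries the bash function-export prefix "() {" that the bug mishandled when CGI copied headers into the environment, and tallies hits per source ip. The log lines, the helper names and the regexes are all constructed for this example.

```python
import re
from typing import Dict, List, Optional

# The bash function-definition prefix at the start of an environment-variable
# value is what the shellshock family of bugs mishandled. CGI handlers copy
# request headers into the environment, so seeing it in a header is the signal.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Apache "combined" format: the last two quoted fields are Referer and User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [21/Oct/2022:10:00:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "-" "() { :; }; /bin/true"
10.0.0.7 - - [21/Oct/2022:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [21/Oct/2022:10:00:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [21/Oct/2022:10:00:04 +0000] "GET /secret/ HTTP/1.1" 200 300 "() { x; }; echo" "curl/7.68"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_shellshock_probe(fields: Dict[str, str]) -> bool:
    """True if either logged header field carries the function-export prefix."""
    return any(SHELLSHOCK_RE.search(fields[k]) for k in ("referer", "ua"))


def find_shellshock_hits(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed fields of every line that looks like a shellshock probe."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields and is_shellshock_probe(fields):
            hits.append(fields)
    return hits


def hits_by_source(log_text: str) -> Dict[str, int]:
    """Count flagged requests per source ip, for alerting or blocking decisions."""
    counts: Dict[str, int] = {}
    for hit in find_shellshock_hits(log_text):
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts


def scan_headers(headers: Dict[str, str]) -> List[str]:
    """Live-request variant: name every header whose value carries the prefix.

    Unlike the access log, which only records Referer and User-Agent, a CGI
    environment gets every request header, so check all of them.
    """
    return [name for name, value in headers.items() if SHELLSHOCK_RE.search(value)]


if __name__ == "__main__":
    for hit in find_shellshock_hits(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["req"]} referer={hit["referer"]!r} ua={hit["ua"]!r}')
    print(hits_by_source(SAMPLE_LOG))
```

Two of the four constructed lines are flagged, both from the same source. The live-request variant matters because the access log only preserves two headers, while the CGI environment receives all of them; in practice the fix is patching bash, with header filtering at the proxy as a stopgap.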

Exploitation

Knowing what we now know, we can search to see if there is a shellshock module we can use on metasploit. I think it's a good idea to search for modules on metasploit when exploiting well known vulnerabilities, as it can help save some time. However, when doing CTFs for learning purposes, it's also a good idea to sometimes explore the more manual methods of exploitation. For this particular CTF though, I went to metasploit. We can open metasploit with the command "msfconsole", then use "search shellshock" to find a shellshock module.

Searching for shellshock modules on metasploit

The second module, “exploit/multi/http/apache_mod_cgi_bash_env_exec” looks promising. Let’s select it with the command “use 1” and then list the module options with the command “options”. Ok, that gives a lot of options, but we’re about to walk through it together.

Metasploit shellshock module options

Ok, let's walk through setting the options for this module. The first option to set is "RHOSTS". This will be set to the ip address of the target machine with the command "set rhosts <machine ip>". Then you can move all the way down to the targeturi option. This option requires a path to an existing cgi file. Luckily, there is already a test.cgi file in the cgi-bin subdirectory. Set the targeturi option with the command "set targeturi /cgi-bin/test.cgi". Now moving down to the lhost option, set it with the command "set lhost <youripaddress>", and that's it! Now type "run" and wait for about 20 seconds or so, and you should now have a meterpreter shell. Type "shell", and you are on your way.

Retrieving the user flag

Once you have the shell up and running, it is fairly straightforward to retrieve the user flag. You'll have to navigate back out of a few subdirectories using the "cd .." command. Once you have reached the root directory, navigate to the home subdirectory with "cd home", use the "ls" command to list the contents of the subdirectory, cd to ryan, then use "cat user.txt" to get the user flag!

Privilege Escalation

To find out which kernel the target is running, we can use the “uname -a” command, which reveals Linux ubuntu 3.13.0. With that information, we can use google to find information on kernel exploits that we could use to escalate our privileges. From our search, we find a local privilege escalation vulnerability. https://www.exploit-db.com/exploits/37292
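The kernel version is the pivot point of this whole section, so it is worth parsing it properly rather than eyeballing it. The snippet below is an added example (not from the writeup, the room, or exploit-db): it pulls the release triple out of a "uname -a" line and compares it numerically against a minimum the caller supplies. The sample line is constructed around the "Linux ubuntu 3.13.0" the room reveals (the rest of the line is made up), and the minimum version passed in the usage call is a placeholder, not the real fix version for any CVE. The point it makes is that plain string comparison gets kernel versions wrong, which matters whether you are auditing a fleet or checking a target.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# "uname -a" starts with the kernel name, hostname, then the release string,
# e.g. "3.13.0-32-generic". We take the dotted numeric part and keep the
# rest (distro ABI number and flavour) separately.
UNAME_RE = re.compile(r"^Linux\s+\S+\s+(?P<release>\d+\.\d+\.\d+)(?P<extra>\S*)")

# Constructed sample line for the example; only "Linux ubuntu 3.13.0" comes
# from the room, the rest is made up to look like real uname output.
SAMPLE_UNAME = "Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 GNU/Linux"


def parse_kernel_release(uname_a: str) -> Optional[Version]:
    """Return the (major, minor, patch) triple, or None if the line is not Linux uname output."""
    m = UNAME_RE.match(uname_a.strip())
    if not m:
        return None
    major, minor, patch = (int(p) for p in m.group("release").split("."))
    return (major, minor, patch)


def kernel_extra(uname_a: str) -> str:
    """Return the distro-specific suffix after the triple (e.g. '-32-generic'), or ''."""
    m = UNAME_RE.match(uname_a.strip())
    return m.group("extra") if m else ""


def is_older_than(uname_a: str, minimum: Version) -> bool:
    """Numeric comparison of the parsed release against a caller-supplied minimum."""
    release = parse_kernel_release(uname_a)
    if release is None:
        raise ValueError("not a Linux uname -a line")
    return release < minimum


def naive_string_compare_is_wrong() -> bool:
    """Shows why you must not compare release strings lexicographically: '3.13.0' sorts before '3.9.0'."""
    return "3.13.0" < "3.9.0"


if __name__ == "__main__":
    # Placeholder minimum for illustration only, not a real patched version.
    placeholder_minimum: Version = (4, 0, 0)
    print(parse_kernel_release(SAMPLE_UNAME), kernel_extra(SAMPLE_UNAME))
    print("older than placeholder minimum:", is_older_than(SAMPLE_UNAME, placeholder_minimum))
    print("string compare says 3.13.0 < 3.9.0:", naive_string_compare_is_wrong())
```

When you turn this into a real check, take the minimum versions from the distribution's own security tracker for the specific CVE, and remember that distro kernels backport fixes, so the ABI suffix (the "-32" here) often matters more than the upstream triple.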

The vulnerability takes advantage of weaknesses in overlayfs. Overlayfs is a mechanism by which linux systems can stack multiple directories (mount points) on top of each other and present them as a single merged view of those directories and subdirectories. You can read more about overlayfs here: https://www.educative.io/edpresso/what-is-overlayfs

We can again use metasploit, this time to search for an overlayfs privilege escalation module. First though, go back to the shell, type “exit” and then type “background” in the meterpreter line. This will allow you to search metasploit for other modules while keeping your shell alive and allowing you to come back to it later. Now search “overlayfs”.

Select the module and let's start setting the options for the exploit. First, type "show targets" to list the specific target vulnerabilities that the module is able to use, and set it to option 0, CVE-2015-1328. This is the specific CVE pertaining to the linux kernel of the target machine, Linux ubuntu 3.13.0. Set the lhost option to your ip address. Now type "sessions" to confirm the id of the meterpreter shell session you have in the background, then set the session option to that session id number. Ex: set session 1. Now run the module. You should be presented with a new shell, with root access. Use "cd .." again to move back in subdirectories until you reach the root directory, cd into the root subdirectory, then retrieve the root flag!

Retrieving the root flag

Conclusion and Takeaways

Overall, this was an enjoyable machine to exploit. I learned some new things about the shellshock vulnerability as well as the overlayfs privilege escalation vulnerabilities that are present on some linux kernels. This reinforces the need to fully enumerate the target not only before gaining initial access, but also upon gaining that initial access. The enumeration you do upon initial access should include finding what kernel the target is running, searching for SUID and SGID binaries, etc. Gather a lot of information about the target system before you try firing away some privilege escalation exploit.


Written by Shivam Taneja

IT Security Consultant, Researcher, Penetration Tester & Hacker.
