THM: All In One

Introduction

This box’s intention is to help you practice several ways in exploiting a system. There is few intended paths to exploit it and few unintended paths to get root.
Try to discover and exploit them all. Do not just exploit it using intended paths, hack like a pro and enjoy the box !

This is All in One from Try Hack Me. Advent of Cyber has finally finished so I went back to poke around THM for a bit. This one is ranked as easy.

Ports

We have three open ports:

1. 21/tcp open ftp
2. 22/tcp open ssh
3. 80/tcp open http

FTP

Anonymous login is allowed:

21/tcp open  ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)

But, the directory is empty (no hidden files either). I don’t seem to be able to create a directory or upload (put) a file, so this is presumably a rabbit hole.

HTTP

Running a basic gobuster turns up a single page: /wordpress. So let’s run wpscan:

root@kali:/opt/tryhackme/allinone# wpscan -e --url http://10.10.225.241/wordpress

With this, we find one user: elyana. We also have a couple of plugins:

mail-masta version 1.0, and
reflex-gallery version 3.1.7

Reflex-gallery had an arbitrary file upload vulnerability in a previous version (3.1.3) but this may have been patched. Searchsploit reveals mail-masta has both an LFI vulnerability and an SQLi injection.

I kick off a password attack but it’s proceeding slowly; at the same time let’s check our other avenues.

LFI

LFI here:

view-source:http://10.10.225.241/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

With this we can see we’ve only got one user with console apart from root; that’s elyana again. I can’t find any SSH files, and I can’t read the apache logs or auth.log. So possibly no log poisoning.

SQLi

I run sqlmap through Burp Suite per the instructions from searchsploit; it’s against:

http://10.10.225.241:80/wordpress/wp-content/plugins/mail-masta/inc/lists/csvexport.php?list_id=0+OR+1%3D1&pl=/var/www/html/wordpress/wp-load.php

With this I can dump the table wp_users:

-u 'http://10.10.225.241:80/wordpress/wp-content/plugins/mail-masta/inc/lists/csvexport.php?list_id=0+OR+1%3D1&pl=/var/www/html/wordpress/wp-load.php' --dump -T wp_users --cookie='wordpress_test_cookie=WP+Cookie+check'

And we can get the hash for elyana; she’s the only user here too:

$P$BhwVLVLk5fGRPyoEfmBfVs82bY7fSq1

hashes.org doesn’t recognise it; hashcat won’t crack it with rockyou and the best64 rule; I assume that means we’re not supposed to be cracking the hash!

I cancel the password attack on wordpress.

Other stuff

Checking /etc/hosts with the LFI we have a host called elyana; I add this to /etc/hosts and try again but nothing changes. I run a subdomain search with WFUZZ; nothing.

root@kali:/opt/tryhackme/allinone# wfuzz -c -f sub-fighter -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u "http://elyana" -H "Host: FUZZ.elyana" -t 42 --hw 964

Using the LFI to look at the FTP config:

GET /wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/vsftpd.conf HTTP/1.1

It appears that we possibly should have write access for FTP. It’s not working for me though. Hopefully that’s not the intended foothold vector.

More gobusting

With a larger wordlist (directory-list-2.3-small.txt) we find:

http://elyana/hackathons

This contains this mysterious message:

Damn how much I hate the smell of Vinegar :/ !!!

And some hidden message:

Dvc W@iyur@123
KeepGoing

So … apparently ‘vinegar’ is a hint about Vignere cipher; ‘dvc’ I guess could be ‘decode vignere cipher’ and the KeepGoing is the key? Which gets you: M@eufl@123, which isn’t actually useful for anything. So yes, that’s a waste of time.

Edit: shortly after I uploaded this I thought about it a bit more. KeepGoing is not the key, but pgoing does give the right result (see below). So it’s Kee and then the actual key. Gedit, do ya? Yeah. I face palmed.

More LFI

Alright so I went for a hint. I’d previously tried to read wp-config.php with the LFI:

GET /wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/www/html/wordpress/wp-config.php HTTP/1.1

This does not work. However using the PHP filter function

GET /wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=php://filter/convert.base64-encode/resource=/var/www/html/wordpress/wp-config.php HTTP/1.1

it does work.

So with this we can get the database credentials for Wordpress, and elyana’s password for that is the same as her Wordpress password: H@ckme@123

Shell, and everything else

Once I log in to Wordpress, I upload a plugin for a shell as I’ve done previously for other boxes; easy. Once on I run linpeas and this box has a bunch of ways to get root including several SUID binaries and a cronjob amongst others; I’d seen the cron earlier with the LFI reading /etc/crontab. Elyana is also in the LXD group and I gather that works, her password can be found in a not particularly deeply hidden file. Anyway I just use bash per GTFOBins to get the root flag and finish it up. So yes that was very easy.

Once I was done I went and checked the published write-ups (6 of them) for the box to see if I’d missed anything - one thing I noticed was that they all used the 404.php theme editing for the shell. I’ve used that before and I could have this time too but it wasn’t the only method that worked and I find it a little coincidental that everyone used the identical method here. Sometimes I wonder if there is some cut-and-paste going on. If so; what’s the point?