THM: Team
Team
Beginner friendly boot2root machine
It is aimed at beginners as I often see boxes that are “easy” but are often a bit harder!
Whilst not difficult by any means, I still think this one will trip a few noobs up. This is Team from THM.
Ports
FTP, SSH and HTTP; the triumvirate.
FTP
No anon access; moving on. Actually let’s stay here for a bit. This box had a whole series of breadcrumbs I guess the creator thought you would follow; I circumvented quite a bit at the start and that includes the part involving FTP. But we can discuss it anyway - I do need to skip around a bit though.
If we go to the IP for the page in a browser, we get the Apache default page and in the page source we get:
If you see this add ‘team.thm’ to your hosts!
So if we do that we get an extra page. If you go gobusting or whatever, you can find this page: http://team.thm/scripts/script.txt, and it contains (amongst other things) this line:
Note to self had to change the extension of the old “script” in this folder, as it has creds in
So if we go to http://team.thm/scripts/script.old we can get the old version which contains credentials, which we can use to login to FTP. If we do that, we can get a file with these contents:
Dale I have started coding a new website in PHP for the team to use, this is currently under development. It can be found at “.dev” within our domain.
Also as per the team policy please make a copy of your “id_rsa” and place this in the relevent config file.
Gyles
Right, so we’ve got two users (Dale and Gyles), a dev subdomain and a copy of an SSH key. Well, I missed all of this.
HTTP
There is a hint on the THM room page:
As the “dev” site is under contruction maybe it has some flaws? “url?=” + “This rooms picture”
So we know there is a dev subdomain. Or we can find it easily by fuzzing:
wfuzz -c -f sub-fighter -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u "http://team.thm" -H "Host: FUZZ.team.thm" -t 42 --hh 11366
000000019: 200 9 L 20 W 187 Ch “dev”
We add this to /etc/hosts and have a look; we’ve got an easily exploited LFI; e.g.
http://dev.team.thm/script.php?page=/home/ftpuser/.profile
Now bear in mind that I had skipped the FTP part so I didn’t know I was specifically looking for an ssh key in a config file, although I certainly tried looking in /home/dale/.ssh and /home/gyles/.ssh; there are no keys there. I was expecting possibly log poisoning at this point, so I tried reading the logs for apache, vsftpd, auth etc. Nothing. No /proc/self/environ, no mail, nada.
Eventually I user Burp Turbo Intruder on a big list of linux files and found the target - http://dev.team.thm/script.php?page=/etc/ssh/sshd_config
For some reason, this file contains a copy of the SSH private key for dale; who knows why that would be the case. Anyway; onwards.
On the box
We SSH in as dale, no problem. What can he do?
And what is that?
Alright. This took me a bit to figure out but on:
read -p “Enter ‘date’ to timestamp the file: “ error
Whatever is entered is executed as a command. To exploit:
Root
I run linpeas as gyles and it screams at me about /usr/local/bin. Here we have a writeable script running as a root cron. Nice.
And with a listener:
Done. It never ceases to amaze how every single time a new challenge is released someone is asking for hints on the discord almost immediately, even though every new challenge has a 3 day embargo on hints. If this applies to you, have a good hard look at yourself.