{"id":796,"date":"2023-09-03T19:36:38","date_gmt":"2023-09-03T17:36:38","guid":{"rendered":"https:\/\/babdcatha.net\/?p=796"},"modified":"2024-01-30T20:05:56","modified_gmt":"2024-01-30T19:05:56","slug":"tryhackme-expose","status":"publish","type":"post","link":"https:\/\/babdcatha.net\/index.php\/2023\/09\/03\/tryhackme-expose\/","title":{"rendered":"TryHackMe : Expose"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Hi, today, we&#8217;ll be taking a look at the <a href=\"https:\/\/tryhackme.com\/room\/expose\">Expose<\/a> room on TryHackMe. From the description, it looks like the machine will have a few exposed services that maybe should not be so visible.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Here is a summary, since this box is quite long :<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"#initial_recon\" data-type=\"internal\" data-id=\"#initial_recon\">Initial recon<\/a><\/li>\n\n\n\n<li><a href=\"#SQLi\">SQL injection<\/a><\/li>\n\n\n\n<li><a href=\"#Puzzle\">Puzzle<\/a><\/li>\n\n\n\n<li><a href=\"#upload_bypass\">Upload bypass<\/a><\/li>\n\n\n\n<li><a href=\"#Privilege_escalation\">Privilege escalation<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"initial_recon\">Initial recon<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">As usual, let&#8217;s start with an Nmap scan :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-1\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"471\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/nmap.png\" alt=\"\" class=\"wp-image-801\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/nmap.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/nmap-300x147.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/nmap-768x377.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">We can see an FTP server, an SSH server, a DNS server, a web server on port 1337 and a Mosquitto MQTT broker on port 1883.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let&#8217;s start with the FTP :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-2\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"471\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/ftp_anon.png\" alt=\"\" class=\"wp-image-804\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/ftp_anon.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/ftp_anon-300x147.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/ftp_anon-768x377.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">While anonymous access is enabled, we can&#8217;t seem to see any file there. Let&#8217;s put it aside for now, and see the webpage :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-3\"><img loading=\"lazy\" decoding=\"async\" width=\"962\" height=\"473\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/webpage_http.png\" alt=\"\" class=\"wp-image-806\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/webpage_http.png 962w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/webpage_http-300x148.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/webpage_http-768x378.png 768w\" sizes=\"auto, (max-width: 962px) 100vw, 962px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">This is what we get when accessing it over HTTP; over HTTPS, we get an error. 
Let&#8217;s scan the website for hidden directories :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-4\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"471\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/gobuster.png\" alt=\"\" class=\"wp-image-810\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/gobuster.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/gobuster-300x147.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/gobuster-768x377.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">On <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">\/admin<\/mark>, we get a login page that doesn&#8217;t appear to do anything :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-5\"><img loading=\"lazy\" decoding=\"async\" width=\"962\" height=\"944\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/admin_1.png\" alt=\"\" class=\"wp-image-808\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/admin_1.png 962w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/admin_1-300x294.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/admin_1-768x754.png 768w\" sizes=\"auto, (max-width: 962px) 100vw, 962px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Let&#8217;s check the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">\/phpmyadmin<\/mark> page :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-6\"><img loading=\"lazy\" decoding=\"async\" width=\"962\" height=\"612\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/phpmyadmin_1.png\" alt=\"\" class=\"wp-image-812\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/phpmyadmin_1.png 962w, 
https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/phpmyadmin_1-300x191.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/phpmyadmin_1-768x489.png 768w\" sizes=\"auto, (max-width: 962px) 100vw, 962px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">It is the basic phpmyadmin page. The default credentials don&#8217;t work, and the documentation at <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">\/phpmyadmin\/doc\/html\/index.html<\/mark> indicates that version 4.9.5 is running, but I couldn&#8217;t find any useful exploit for it.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Subscribing to the MQTT broker on port 1883 does not reveal anything: I could not receive any broadcast, and the DNS did not provide much more information either. We need to go back a step.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let&#8217;s enumerate the website with a different wordlist :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-7\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"513\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/gobuster_2.png\" alt=\"\" class=\"wp-image-817\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/gobuster_2.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/gobuster_2-300x160.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/gobuster_2-768x410.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">We find a new admin portal, at <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">\/admin_101<\/mark>, let&#8217;s take a look at it :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-8\"><img loading=\"lazy\" decoding=\"async\" width=\"962\" height=\"944\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/admin_101.png\" alt=\"\" class=\"wp-image-819\" 
srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/admin_101.png 962w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/admin_101-300x294.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/admin_101-768x754.png 768w\" sizes=\"auto, (max-width: 962px) 100vw, 962px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">This time, we get an email address and a domain name, and the &#8220;Continue&#8221; button actually does something: we get an error message. Looking at the response, this is what we see :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-9\"><img loading=\"lazy\" decoding=\"async\" width=\"962\" height=\"944\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/admin_101_2.png\" alt=\"\" class=\"wp-image-821\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/admin_101_2.png 962w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/admin_101_2-300x294.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/admin_101_2-768x754.png 768w\" sizes=\"auto, (max-width: 962px) 100vw, 962px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Trying to toy with it a bit, we get this :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-10\"><img loading=\"lazy\" decoding=\"async\" width=\"962\" height=\"944\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/admin_101_SQLi.png\" alt=\"\" class=\"wp-image-822\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/admin_101_SQLi.png 962w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/admin_101_SQLi-300x294.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/admin_101_SQLi-768x754.png 768w\" sizes=\"auto, (max-width: 962px) 100vw, 962px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">It could be vulnerable to an SQL injection !<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"SQLi\">SQL injection<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Let&#8217;s 
fire SQLMap and try to find one. We first save a request to a text file using burp :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"yaml\" class=\"language-yaml\">POST \/admin_101\/includes\/user_login.php HTTP\/1.1\nHost: root.thm:1337\nContent-Length: 37\nAccept: *\/*\nX-Requested-With: XMLHttpRequest\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/110.0.5481.78 Safari\/537.36\nContent-Type: application\/x-www-form-urlencoded; charset=UTF-8\nOrigin: http:\/\/root.thm:1337\nReferer: http:\/\/root.thm:1337\/admin_101\/\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9\nCookie: PHPSESSID=cr2atocos004dgm54rrn9uofsa\nConnection: close\n\nemail=hacker%40root.thm&amp;password=test\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">And we find something :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">sqlmap -r Desktop\/request.txt -p email<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-11\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"942\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/sqlmap.png\" alt=\"\" class=\"wp-image-829\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/sqlmap.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/sqlmap-300x294.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/sqlmap-768x754.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">We find the following databases :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">[*] expose\n[*] information_schema\n[*] mysql\n[*] performance_schema\n[*] phpmyadmin\n[*] sys<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">In the expose DB, we find two tables :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">[2 tables]\n+--------+\n| user   |\n| config |\n+--------+<\/code><\/pre>\n\n\n\n<p 
class=\"wp-block-paragraph\">Dumping it, we find a few passwords, and a URL to a potentially interesting file :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-12\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"942\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/sqlmap_dump_blur.png\" alt=\"\" class=\"wp-image-832\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/sqlmap_dump_blur.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/sqlmap_dump_blur-300x294.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/sqlmap_dump_blur-768x754.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Let&#8217;s take a look at the first file :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-13\"><img loading=\"lazy\" decoding=\"async\" width=\"962\" height=\"944\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/file1010101010.png\" alt=\"\" class=\"wp-image-833\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/file1010101010.png 962w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/file1010101010-300x294.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/file1010101010-768x754.png 768w\" sizes=\"auto, (max-width: 962px) 100vw, 962px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Using the password we cracked alongside it :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-14\"><img loading=\"lazy\" decoding=\"async\" width=\"962\" height=\"473\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/Tourism_in.png\" alt=\"\" class=\"wp-image-834\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/Tourism_in.png 962w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/Tourism_in-300x148.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/Tourism_in-768x378.png 768w\" sizes=\"auto, 
(max-width: 962px) 100vw, 962px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">This looks a bit like a riddle, let&#8217;s investigate.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"Puzzle\">Puzzle<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Hmmm, interesting. When we look at the code of the page, we see this :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"markup\" class=\"language-markup\">&lt;span style=\"display: none;\"&gt;Hint: Try file or view as GET parameters?&lt;\/span&gt;<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Okay, well, when we add a <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">file<\/mark> parameter to our request, we get an empty page :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-15\"><img loading=\"lazy\" decoding=\"async\" width=\"962\" height=\"473\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/empty.png\" alt=\"\" class=\"wp-image-836\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/empty.png 962w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/empty-300x148.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/empty-768x378.png 768w\" sizes=\"auto, (max-width: 962px) 100vw, 962px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">And, when we set this parameter to <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">\/etc\/passwd<\/mark> :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-16\"><img loading=\"lazy\" decoding=\"async\" width=\"962\" height=\"790\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/passwd_blur.png\" alt=\"\" class=\"wp-image-837\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/passwd_blur.png 962w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/passwd_blur-300x246.png 300w, 
https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/passwd_blur-768x631.png 768w\" sizes=\"auto, (max-width: 962px) 100vw, 962px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">We get a list of the users on the machine, and one starts with &#8220;Z&#8221;. If we remember, there was another path supposedly only accessible to the user that started with &#8220;Z&#8221;. Let&#8217;s take a look at it now that we have that info.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"upload_bypass\">Upload bypass<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">This is what we see :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-17\"><img loading=\"lazy\" decoding=\"async\" width=\"962\" height=\"944\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/upload.png\" alt=\"\" class=\"wp-image-839\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/upload.png 962w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/upload-300x294.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/upload-768x754.png 768w\" sizes=\"auto, (max-width: 962px) 100vw, 962px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Let&#8217;s try to upload a php reverse shell, shall we ? It looks like we can only upload jpg or png images, so we&#8217;ll need to find a way to bypass this security measure. We can do that using Burp again. We send a valid png, intercept the file, and change it as it is being transferred to the server. 
This is the original request :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-18\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"942\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/burp_1.png\" alt=\"\" class=\"wp-image-840\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/burp_1.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/burp_1-300x294.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/burp_1-768x754.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">And, we change it to this :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-19\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"942\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/burp_2.png\" alt=\"\" class=\"wp-image-841\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/burp_2.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/burp_2-300x294.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/burp_2-768x754.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">And, as we can see in the response, our payload was uploaded. We can then start a netcat listener and open our payload, which gives us a reverse shell :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">nc -lvnp 4444<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Once we have our shell, we can try to get into the user&#8217;s folder. 
There, we find two files :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-20\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"942\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/nc_blur.png\" alt=\"\" class=\"wp-image-842\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/nc_blur.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/nc_blur-300x294.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/nc_blur-768x754.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">We can&#8217;t get to the flag yet, but we get some SSH credentials. Using them, we can connect to the target and get the user flag !<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-21\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"471\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/flag_user_blur-1.png\" alt=\"\" class=\"wp-image-846\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/flag_user_blur-1.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/flag_user_blur-1-300x147.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/flag_user_blur-1-768x377.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Time to root this target !<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"Privilege_escalation\">Privilege escalation<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Now, onto privilege escalation ! 
We cannot use sudo, but there are quite a few SUID binaries that we can find using this command :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">find \/ -perm -u=s -type f 2&gt;\/dev\/null<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">One interesting one is <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">\/usr\/bin\/nano<\/mark>. It is a text editor, so if we can run it as root, we can access root&#8217;s files, and the flag is most probably under <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">\/root\/flag.txt<\/mark>. Doing this indeed works. We can simply launch nano, open <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">\/root\/flag.txt<\/mark>, and the root flag is here ! For fun, and to have something interesting to show here, I also escalated my privileges using find, and a method found on GTFOBins :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-22\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"471\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/root_flag_blur.png\" alt=\"\" class=\"wp-image-845\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/root_flag_blur.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/root_flag_blur-300x147.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/09\/root_flag_blur-768x377.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">And this concludes this box ! It was quite long, with many basic things covered, from port scanning, website enumeration, SQL injection, upload validation bypass&#8230; and quite a few traps and dead ends. 
But we got through in the end !<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">I hope you enjoyed this room \ud83d\ude42<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[4],"tags":[72,40,69,70,14,8,71],"class_list":["post-796","post","type-post","status-publish","format-standard","hentry","category-writeups","tag-burp","tag-php","tag-sql","tag-sqlmap","tag-suid","tag-tryhackme","tag-upload-validation"],"featured_image_src":null,"author_info":{"display_name":"BabdCatha","author_link":"https:\/\/babdcatha.net\/index.php\/author\/admin4804\/"}}