
TryHackMe | Opacity Writeup

Hello friend!
In this writeup we're going to explore another CTF from TryHackMe called Opacity.
Machine Link: https://tryhackme.com/room/opacity
Difficulty: Easy

Info-gathering and enumeration

After a basic Nmap scan, we got these open ports:

22/tcp  open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http        Apache httpd 2.4.41 ((Ubuntu))
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2


Let's run directory enumeration on it. With that, we got access to functionality that was login protected.


I tried several PHP reverse-shell uploads, but the form only accepted .jpg files, so I just needed to bypass that filter by renaming the PHP reverse shell, after which it uploaded fine.
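The bypass works because the upload filter only looks at the file name. As an added defensive example (not code from the room or from this writeup), here is a name-only check of the kind that is easy to satisfy next to a stricter validator that requires a single allow-listed extension and checks that the file content actually starts with that image format's magic bytes. The function names, the allow-list and the sample inputs are my assumptions for this illustration.

```python
import os
import re

# Extensions the upload form is meant to accept (assumed allow-list).
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}

# Leading bytes ("magic") of the allowed image formats.
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Base name must be a plain word: no dots, slashes, '#', spaces, etc.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def weak_check(filename):
    """Name-only filter, assumed here to stand in for the kind of check the
    writeup bypasses: it accepts any name that mentions .jpg anywhere."""
    return ".jpg" in filename.lower()


def sniff_type(data):
    """Return the image type implied by the leading bytes, or None."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None


def strict_check(filename, data):
    """Accept only <word>.<ext> with exactly one allow-listed extension
    whose content really starts with that format's magic bytes.
    Returns (accepted, reason)."""
    base = os.path.basename(filename)
    if base != filename:
        return False, "path separators in name"
    parts = base.split(".")
    if len(parts) != 2 or not SAFE_NAME.match(parts[0]):
        return False, "name must be <word>.<ext> with one extension"
    ext = parts[1].lower()
    if ext not in ALLOWED_EXT:
        return False, f"extension .{ext} not allowed"
    kind = sniff_type(data)
    if kind is None:
        return False, "content is not a recognised image"
    if ext == "jpeg":
        ext = "jpg"
    if kind != ext:
        return False, f"content is {kind} but name says .{ext}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample uploads: a renamed PHP file and a real-looking JPEG.
    php_payload = b"<?php echo 1; ?>"
    jpeg_bytes = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    for name, data in [("shell.php.jpg", php_payload), ("photo.jpg", jpeg_bytes)]:
        print(name, "weak:", weak_check(name), "strict:", strict_check(name, data))
```

The magic-byte check is a filter, not a guarantee (a valid JPEG can still carry PHP in its trailing bytes), so the decisive control is that the upload directory is configured never to execute scripts and that the server, not the client, chooses the on-disk file name.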


Initial Shell Access

After uploading our reverse shell, we start a netcat listener on our local machine and just need to visit the link.

And boom!!!, we got shell access.

Privilege Escalation

User Access

First, we are now the www-data user, with no real permissions other than being able to navigate the file system.
While exploring the files, I found an interesting file in the /opt directory.
Unfortunately we have no permission to open it there, but I managed to copy the file to my local machine.

I found that this is a KeePass database file. KDBX is the file format used by KeePass, a free and open-source password manager; it is essentially a container that stores sensitive information such as passwords, login credentials and other confidential data. Access to it was password protected, but after some research I found that John the Ripper is able to crack its master password.
So let's crack it.

After John cracks the password, we can open the database with the keepassxc command.

In the database, we got login credentials for the user sysadmin.

Root Access

For root access we could try several methods, but the user's home directory gives us a hint: there is a scripts folder in it, which is owned by the root user.
After exploring this folder, I found script.php, which is run by the root user every minute.

So we have no permission to edit any of this folder's files, but here is the flaw: this root-owned folder sits inside sysadmin's home directory, so we can rename it, create our own scripts folder and have our PHP script run as root. So I renamed the old folder, created a new one with the same name, put a script.php with the pentestmonkey reverse-shell payload inside it, started a netcat listener on my local machine, and after one minute, boom! We got a root shell!
That's all guys. I know there are more ways to root this machine, so share yours with me if you have a different one.
Signing Out ~ 0xBug

This post is licensed under CC BY 4.0 by the author.