TryHackMe | Road WriteUp
Hello friend! In this writeup we walk through the TryHackMe CTF room called Road.
TryHackMe Room Link: https://tryhackme.com/room/road
Difficulty: Medium
Information Gathering and Enumeration
Nmap Scan
Nmap scan report for 10.10.141.52
Host is up (0.14s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e6:dc:88:69:de:a1:73:8e:84:5b:a1:3e:27:9f:07:24 (RSA)
| 256 6b:ea:18:5d:8d:c7:9e:9a:01:2c:dd:50:c5:f8:c8:05 (ECDSA)
|_ 256 ef:06:d7:e4:b1:65:15:6e:94:62:cc:dd:f0:8a:1a:24 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Sky Couriers
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Directory Enumeration
dirsearch.py -u http://10.10.141.52/
301 313B http://10.10.141.52/assets -> REDIRECTS TO: http://10.10.141.52/assets/
301 317B http://10.10.141.52/phpMyAdmin -> REDIRECTS TO: http://10.10.141.52/phpMyAdmin/
301 309B http://10.10.141.52/v2 -> REDIRECTS TO: http://10.10.141.52/v2/
Here we can register ourselves, so let's do a quick registration.
Admin Account Takeover
In the profile section there is an option to upload a file, but it is only available to the admin@sky.thm user.
So let's take over the admin account first.
Now let's log in as the admin@sky.thm user.
Initial Shell Access
Now that we have access to the file upload, let's upload the PHP reverse shell from pentestmonkey.
To find out where the payload is uploaded, we intercept the response to the upload request, which reveals this location.
Let's visit this URI.
http://<machine-ip>/v2/profileimages/
Let's send this request to Burp Repeater and proceed as follows.
Start a Netcat listener.
nc -lvnp 1337
Append the name of the file we uploaded to the URI, and send the request.
We can retrieve the first flag here.
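The foothold above worked because the profile-image upload stored a .php file, under its original name, in the web-served /v2/profileimages/ directory. The check below is an added example (not code from the writeup or from the Sky Couriers site, which is PHP) of the validation a defender would want on that upload: allowlist the extension, require matching magic bytes, refuse script tags, and let the server choose the stored name.

```python
# Added example: hardened profile-image upload validation, written in Python to
# mirror the weak PHP upload observed in the writeup (any name, any content kept).
import os
import secrets

# Extension -> leading magic bytes the file content must carry.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",          # covers both GIF87a and GIF89a
}


def validate_profile_image(filename, data):
    """Return (ok, reason, stored_name).

    stored_name is server-generated, so an uploader can never pick a name
    like php-reverse-shell.php and later request it by that name.
    """
    ext = os.path.splitext(filename.lower())[1]
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed", None
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match extension", None
    # Defence in depth: a valid image header can still wrap a PHP payload
    # (polyglot), so refuse anything carrying a PHP open tag. On the server
    # side, script execution should also be disabled for the upload directory.
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded script tag", None
    stored_name = secrets.token_hex(16) + ext
    return True, "ok", stored_name


if __name__ == "__main__":
    # Constructed samples: the kind of upload the writeup used versus a real image.
    print(validate_profile_image("php-reverse-shell.php", b"<?php echo 'x'; ?>"))
    print(validate_profile_image("avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
```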
Privilege Escalation
Let's list all users using:
$ getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
webdeveloper:x:1000:1000:webdeveloper:/home/webdeveloper:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:113:118:MySQL Server,,,:/nonexistent:/bin/false
mongodb:x:114:65534::/home/mongodb:/usr/sbin/nologin
root:x:0:0:root:/root:/bin/sh
nobody:x:65534:65534:nobody:/:/usr/sbin/nologin
Let's list all sudo users.
$ getent group | grep sudo
sudo:x:27:webdeveloper
So first we need to get a shell as the webdeveloper user.
Looking closer at the users listed above, we can see that database systems are present, namely mongodb and mysql, so let's enumerate them.
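The triage just done by eye on the getent output (which accounts can actually log in, and which of those can reach root through sudo) is automated below. This is an added example, not part of the writeup; the sample input is constructed from the passwd and group lines shown above, including the duplicated root entry with two different shells.

```python
# Added example: pick out interactive accounts and sudo-capable ones from
# getent passwd / getent group output. Input constructed from the writeup's listing.

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
webdeveloper:x:1000:1000:webdeveloper:/home/webdeveloper:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
mongodb:x:114:65534::/home/mongodb:/usr/sbin/nologin
root:x:0:0:root:/root:/bin/sh
"""

GROUP_SAMPLE = """\
sudo:x:27:webdeveloper
"""


def parse_passwd(text):
    """Map user name -> {'uid', 'shells'}; a name may repeat (root does above)."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
        entry = users.setdefault(name, {"uid": int(uid), "shells": set()})
        entry["shells"].add(shell)
    return users


def parse_groups(text):
    """Map group name -> set of supplementary members named on the group line."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def interactive_users(users):
    """Accounts with at least one shell that grants a real login."""
    return sorted(n for n, u in users.items() if u["shells"] - NOLOGIN_SHELLS)


def sudo_capable(users, groups):
    """Interactive accounts that are uid 0 or members of the sudo group."""
    sudoers = groups.get("sudo", set())
    return sorted(n for n in interactive_users(users)
                  if users[n]["uid"] == 0 or n in sudoers)
```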
$ ss -tunlp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 10.10.160.54%eth0:68 0.0.0.0:*
tcp LISTEN 0 70 127.0.0.1:33060 0.0.0.0:*
tcp LISTEN 0 511 127.0.0.1:9000 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:27017 0.0.0.0:*
tcp LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 511 *:80 *:*
tcp LISTEN 0 128 [::]:22 [::]:*
We can see both ports, 27017 for MongoDB and 3306 for MySQL, bound to 127.0.0.1.
Let's go with mongo first.
Visit this link for basic commands.
$ mongo
MongoDB shell version v4.4.6
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("c5990cf8-8b4d-4e36-ab73-8d74c780dde1") }
MongoDB server version: 4.4.6
List all databases.
> show dbs
admin 0.000GB
backup 0.000GB
config 0.000GB
local 0.000GB
After enumerating all of them, backup seems the most interesting, so let's dig into it.
> use backup
switched to db backup
List all collections.
> show collections
collection
user