OLYMPUS — Tryhackme
Well… Happy hacking ^^
Performed an Nmap scan on the target IP and found that port 22 (SSH) and port 80 (HTTP) are open. Since the IP address does not load in the browser, we need to add the IP to the hosts file with the DNS record as olympus.thm.
Website port 80
olympus.thm
There is a message on the website indicating that the previous CMS version is still accessible, so a Dirbuster scan was performed on the target.
Navigate to the directory that was found. The only important things we see are the search function and the login page.
So, use the search function and add the payload [1'] in the search field. You'll see that there is a SQL syntax error. The next well-known step is to use SQLMap. You can refer to this blog about SQL injection using SQLMap.
Capture the request and run SQLMap against it (--tables takes no argument; the database is selected with -D):
sqlmap -r req.txt --batch -D Olympus --tables
Database dump
So, the cat_id parameter is vulnerable to SQL injection and can be used to read data from the backend database. With SQLMap, it is possible to enumerate databases, tables, and columns using the following options:
- Use --dbs to list the database names. Once you have identified the desired database, you can specify it on the command line with the -D <DB NAME> option.
- Use --tables to list the table names. Specify the table on the command line with -T <TABLE NAME>.
- Use --columns to list the column names within a table. Specify the columns with -C <COLUMN NAME>.
- You can dump the entire table using --dump.
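The syntax error seen in the search field is the tell-tale sign of a query that splices cat_id straight into SQL text. As an added illustration (not code from the room or from this write-up), the following builds an in-memory SQLite table with constructed rows and runs the same 1' input through a string-concatenated query and a parameterised one; only the first breaks, and the second treats the quote as ordinary data.

```python
import sqlite3

# Constructed sample data: a tiny categories table, not the room's real schema.
SAMPLE_ROWS = [(1, "thunder"), (2, "fire"), (3, "sea")]


def make_db():
    """Build an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (cat_id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO categories VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn, cat_id):
    """String-concatenated query: the cat_id value becomes part of the SQL text.
    A value such as 1' unbalances the quoting, so the database rejects the
    statement with a syntax error, which is what the search field showed."""
    query = f"SELECT name FROM categories WHERE cat_id = '{cat_id}'"
    return [row[0] for row in conn.execute(query)]


def search_safe(conn, cat_id):
    """Parameterised query: cat_id is bound as data and never parsed as SQL.
    The same 1' input simply matches no row instead of raising an error."""
    query = "SELECT name FROM categories WHERE cat_id = ?"
    return [row[0] for row in conn.execute(query, (cat_id,))]


def probe(conn, cat_id):
    """Return (vulnerable_result, safe_result); a result is the list of matching
    names, or the string 'SQL ERROR' when the database rejected the query."""
    try:
        vuln = search_vulnerable(conn, cat_id)
    except sqlite3.OperationalError:
        vuln = "SQL ERROR"
    return vuln, search_safe(conn, cat_id)


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1'"):
        print(repr(value), "->", probe(db, value))
```

A practical detection point for defenders: a spike of database syntax errors in the web application's error log, tied to a single parameter, is the server-side view of exactly this probe.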
cat_id parameter is vulnerable to SQL injection
Found the first flag.
There is a table named ‘users’. Dump the table and look for important details.
Dump the data from the users table.
There are usernames and passwords for three users. Copy the hashes and use John to crack the passwords. John was only able to crack Prometheus’s password.
Now log in with the credentials that were found.
Dump the users file again.
There is another subdomain called ‘chat.olympus.thm’. Add it to the hosts file and start hacking.
After accessing the website, we see a login page.
There is an upload option on the chat page.
Upload php_reverse_shell.php
After wondering where the uploaded files go, I scanned with Dirbuster and found the /uploads directory.
After seeing a blank page, I remembered the table from the Olympus database related to chat. Let’s try SQLi again and extract the data.
Here, you can see that all file names are encoded in a certain way and changed to something else. For our uploaded file, the name was changed from reverseshell.php.
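Renaming an upload does not protect the server when the stored file is still a .php file inside a web-served /uploads directory. As an added example (not the chat application's code, nor anything from the room), here is an upload handler that refuses anything outside an extension allowlist, discards the user-controlled name entirely, and records the file under a hypothetical directory outside the web root; the allowlist and directory are assumptions for the example.

```python
import os
import secrets
from pathlib import PurePosixPath

# Extensions the chat is expected to carry; a constructed allowlist for this example.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "txt"}

# Hypothetical storage directory outside the web root, so stored files are never
# reachable (or executable) by requesting /uploads/<name> from the web server.
UPLOAD_DIR = "/var/app/chat-uploads"


def safe_upload_name(original_name):
    """Validate a client-supplied filename and return a fresh, random name for storage.

    Raises ValueError for anything not on the extension allowlist, for names with
    more than one dot (shell.php.png), and for names with an empty base (.htaccess).
    The client's name contributes nothing to the stored name except the checked extension.
    """
    # Keep only the final path component; clients may send directory components.
    name = PurePosixPath(original_name).name
    parts = name.split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        raise ValueError(f"rejected filename {original_name!r}")
    ext = parts[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension .{ext} is not permitted")
    return f"{secrets.token_hex(16)}.{ext}"


def accepts(original_name):
    """True when safe_upload_name would accept the filename."""
    try:
        safe_upload_name(original_name)
    except ValueError:
        return False
    return True


def stored_path(original_name):
    """Absolute path the file would be written to (no I/O is performed here)."""
    return os.path.join(UPLOAD_DIR, safe_upload_name(original_name))


if __name__ == "__main__":
    for candidate in ("avatar.png", "php_reverse_shell.php", "shell.php.png", "../../avatar.png"):
        if accepts(candidate):
            print(f"{candidate!r}: accepted as {stored_path(candidate)}")
        else:
            print(f"{candidate!r}: rejected")
```

The random name here serves a different purpose than the renaming the walkthrough observed: it only prevents guessing and collisions, while the allowlist and the out-of-webroot directory are what stop a stored file from ever being executed by the web server.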
Now try to access the uploaded file in /uploads while starting Netcat at the same time.
At this stage, we have a reverse shell from the website with the www-data user. To access the zeus directory, we need to escalate our privileges or log in as zeus. Using the command find / -perm -u=s -type f 2>/dev/null, we found an interesting file called cputils.
cputils
That file is interesting because it can be executed as zeus, and its function is to copy files.
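The find command above is the attacker's view; the same enumeration, run regularly and compared against a known baseline, is the defender's. As an added example (not part of the room or this write-up), the following parses lines in the shape GNU find produces with -printf '%m %u %p\n', flags SUID files that are not on a baseline, and separately flags any binary that is setuid to a non-root user, since such a file hands that user's identity to everyone who can run it. The sample lines, the cputils path and the baseline are constructed for the example; scan_filesystem collects the same records from a live host.

```python
import os
import pwd
import stat

# Constructed sample output in the shape GNU find prints for
#   find / -perm -u=s -type f -printf '%m %u %p\n' 2>/dev/null
# (octal mode, owning user, path). The cputils line mirrors the walkthrough's
# finding; the other paths are illustrative, not taken from the room.
SAMPLE_FIND_OUTPUT = """\
4755 root /usr/bin/passwd
4755 root /usr/bin/sudo
4755 root /usr/bin/mount
4755 zeus /usr/bin/cputils
4755 root /usr/local/bin/backup-helper
"""

# Hypothetical baseline: the SUID binaries this host is expected to have.
BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/mount"}


def parse_find_output(text):
    """Turn '<octal mode> <owner> <path>' lines into (mode, owner, path) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        mode, owner, path = line.split(" ", 2)
        records.append((int(mode, 8), owner, path))
    return records


def scan_filesystem(root="/"):
    """Live equivalent of the find command: walk the tree and collect SUID regular
    files. Symlinks are skipped and unreadable entries ignored, like 2>/dev/null."""
    records = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                try:
                    owner = pwd.getpwuid(st.st_uid).pw_name
                except KeyError:
                    owner = str(st.st_uid)
                records.append((stat.S_IMODE(st.st_mode), owner, path))
    return records


def audit_suid(records, baseline=BASELINE):
    """Flag SUID files worth a second look. Returns a list of (path, reason) pairs."""
    findings = []
    for mode, owner, path in records:
        if not mode & stat.S_ISUID:
            continue
        reasons = []
        if path not in baseline:
            reasons.append("not in baseline")
        if owner != "root":
            # Setuid to an ordinary user: anyone who can run the binary acts as
            # that user, which is how cputils exposed zeus's files here.
            reasons.append(f"setuid to non-root user {owner}")
        if reasons:
            findings.append((path, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for path, reason in audit_suid(parse_find_output(SAMPLE_FIND_OUTPUT)):
        print(f"{path}: {reason}")
```

On the constructed input the audit reports cputils on both counts and the unknown backup helper on the baseline check alone; a real deployment would feed scan_filesystem's records in and alert on any new finding.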
Immediately copy Zeus’s private SSH key so that you can log in as Zeus.
Found the second flag in the zeus folder, and we obtained the id_rsa by running the cputils file.
Read the id_rsa file.
Downloaded the private key, but when trying to log in, it asks for a passphrase since it is password-protected. So, use ssh2john to generate a hash and crack it.
SSH into the system as zeus.
Run the command find / -type f -group zeus 2>/dev/null.
I tried searching for files to use for privilege escalation and found /var/www/html/0aB*************/VIGQFQMYOST.php. So, I tried reading and analyzing the file. It simply does something straightforward (runs a binary) to gain root access.
Run the same code in the terminal as zeus, since it grants us root access.
Go to /root, find flag3, and read it.