Try Hack Me: Tartarus

The skills tested and needed to solve this room are: nmap, gobuster, hydra, Burp Suite, privilege escalation, cron jobs, and nc (netcat). This room has three privilege escalations: two are horizontal (lateral movement) and the last one is obviously vertical.

This room was released on 8/13/2020, and I wanted to see if I could crack it. This room is rated easy in terms of difficulty, but I thought it was more challenging than easy, mainly because I hadn’t used vim and it was the only editor available. Yeah….yeah….you can laugh at me for being a nano user. lol

I also chose to mask part of the answers so you will have to do the steps I took and see how things work. I don’t want to take away this learning experience from you.

Shoutout to the room creator, @csenox. You can access the room at https://tryhackme.com/room/tartarus

I was assigned a victim IP address of 10.10.215.66 to attack. You will be assigned a different IP address, so double check your entries when following this walk-through.

We only need to retrieve the user flag and the root flag to complete the room:

  • User flag:
    • 0******************************f
  • Root flag:
    • 7******************************d

Steps:

1. Deploy the machine to get a victim IP address:

2. Scan the machine for open ports and services by using nmap. Use the command: nmap -sC -sV -oG nmap/tartarus 10.10.215.66

  • -sC – to scan using the default nmap scripts
  • -sV – to pull version information of open ports found during the scan
  • -oG nmap/tartarus – to save the results of the scan in grepable format to a file named “tartarus” inside the nmap directory

Ports open are 21, 22 and 80

3. The nmap scan result is showing anonymous FTP login allowed. Login to FTP by typing ftp 10.10.215.66, for the username type anonymous, and leave the password blank:

FTP login successful

4. Search for any interesting files by typing ls -la:

Directories and files available
  • The above screenshot was trying to trick us. There was nothing helpful inside the test.txt file, and the tricky part is the ellipsis (). Normally there are only two hidden folders that use dots, the root directory and the current user’s home directory. See the screenshot below, taken from my personal machine:

5. Search the interestingly named () directory:

There is another () named directory

6. Search the () directory inside the () directory:

Oh, and we got commended for having good eyes. This is for noticing the () directory

7. Download the yougotgoodeyes.txt file to our attack machine (kali) by typing get yougotgoodeyes.txt

Download completed

8. Open the file to see what is in it by typing cat yougotgoodeyes.txt

That looks like a directory to me

9. Open a browser to check what is running on port 80:

Nothing here, just the normal Apache default page

10. I checked the page source code and found no hidden message. Let’s use gobuster to search for hidden directories and files by typing gobuster dir -u http://10.10.215.66 -w /usr/share/wordlists/dirb/common.txt

  • dir – to use directory/file brute-forcing mode
  • -u – is the flag to tell gobuster that we are scanning a URL
  • -w /usr/share/wordlists/dirb/common.txt – is the flag to set the wordlist of possible directory and file names

Only /robots.txt looks interesting

11. Check the content of the /robots.txt file by going to your web browser and type 10.10.215.66/robots.txt in the URL bar:

Looks like another directory and a possible username

12. Go and check the /admin-dir that we found in the robots.txt file by typing 10.10.215.66/admin-dir in your browser’s URL bar:

credentials.txt and userid files do sound juicy to me 😉
Contents of the userid file
Contents of the credentials.txt file

13. Download both files to your attack machine by typing wget http://10.10.215.66/admin-dir/userid and wget http://10.10.215.66/admin-dir/credentials.txt on your kali terminal:

userid file downloaded to our local machine
credentials.txt file downloaded to our local machine
  • We still don’t know where to use the credentials that we found. We could try to brute-force SSH using those credentials, but first, I want to enumerate /admin-dir to see whether there are any more helpful files and directories, by using gobuster again. This time type gobuster dir -u http://10.10.215.66/admin-dir -w /usr/share/wordlists/dirb/common.txt
There is nothing to be found here

14. Now, let’s go check the /sUp3r-s3cr3t directory we found in the FTP server:

Login portal!
  • I tried default credentials like admin:admin, admin:password, root:root and they don’t work. We will have to use Hydra to brute-force this login form.

15. Use Burp Suite to easily retrieve parameters that we need to use with Hydra:

POST request
POST response

16. Now we are going to use Hydra to brute-force the web login form. Type hydra -L userid -P credentials.txt 10.10.215.66 http-post-form "/sUp3r-s3cr3t/authenticate.php:username=^USER^&password=^PASS^:Incorrect Username"

  • -L userid – to instruct hydra that we are using the userid file that contains a list of possible usernames
  • -P credentials.txt – to instruct hydra that we are using the credentials.txt file that contains a list of possible passwords
  • http-post-form "/sUp3r-s3cr3t/authenticate.php – tells hydra that the login page authenticate.php uses an HTTP POST form
  • username=^USER^ – the “^” signs tell hydra where to insert usernames
  • password=^PASS^ – the “^” signs tell hydra where to insert passwords
  • Incorrect Username – is the “failure string”. This is important so hydra knows that a login attempt failed and can move on to the next username and password combination that might work

16 possible username and password combinations that might work
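From the defender’s side, the failure-string trick hydra relies on shows up in the web server log as a burst of POSTs to authenticate.php from one client. The script below is my own added example, not code from the room or its author: it parses constructed Apache combined-format log lines (the client IPs, timestamps and sizes are made up) and flags any client that posts to the login path at least a threshold number of times inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Return (ip, timestamp, method, path) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path")

def find_login_bruteforce(lines, login_path, threshold=10, window_seconds=60):
    """Return {ip: peak_count} for clients that POST to login_path at least
    `threshold` times within any sliding window of `window_seconds`."""
    attempts = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == "POST" and parsed[3] == login_path:
            attempts[parsed[0]].append(parsed[1])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            # Slide the left edge until the window spans <= window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def _line(ip, second, method="POST", path="/sUp3r-s3cr3t/authenticate.php"):
    return (f'{ip} - - [13/Aug/2020:10:00:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')

# Constructed sample log: 12 POSTs in 33 seconds from 10.0.0.5 (a wordlist
# run like the hydra step above) and ordinary browsing from 10.0.0.9.
SAMPLE_LOG = [_line("10.0.0.5", s) for s in range(0, 36, 3)] + [
    _line("10.0.0.9", 5), _line("10.0.0.9", 50),
    _line("10.0.0.9", 51, "GET", "/sUp3r-s3cr3t/"),
]
```

Running find_login_bruteforce(SAMPLE_LOG, "/sUp3r-s3cr3t/authenticate.php") reports only 10.0.0.5; the threshold and window are the knobs to tune against your own login form’s normal traffic.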

17. Login to the http://10.10.215.66/sUp3r-s3cr3t page:

Upload page
  • Now, the screenshot above shows us that there might be other directories and pages inside the /sUp3r-s3cr3t directory. Let’s try to enumerate it using gobuster by typing gobuster dir -u http://10.10.215.66/sUp3r-s3cr3t -w /usr/share/wordlists/dirb/common.txt
Found another directory /images

18. Check the /images directory inside the /sUp3r-s3cr3t:

Looks like this is where the files get uploaded

19. Test the upload page and see if the uploaded file can be opened inside the /sUp3r-s3cr3t/images/uploads folder. I created a file called test.txt:

My test.txt file uploaded successfully

20. Check /sUp3r-s3cr3t/images/uploads to see if test.txt is there and whether we can open it.

Test file is in

21. Now that we know that we can upload files, the next step that we have to do is to upload a PHP reverse-shell so we can access the web server. I just googled “pentestmonkey PHP reverse shell” and got the result here. Go ahead and download the file:

22. We need to extract the file php-reverse-shell-1.0.tar.gz by typing tar -xzvf php-reverse-shell-1.0.tar.gz

Files extracted

23. Look for the file php-reverse-shell.php and edit the information to point to your IP address and port number to obtain a reverse-shell. Type sudo nano php-reverse-shell.php

You can leave the $port unchanged, but make sure to set $ip to your kali’s tun0 network adapter IP address

24. Change the permissions of the php-reverse-shell.php file by typing sudo chmod +x php-reverse-shell.php

Make the file executable
Reverse-shell is now executable

25. Upload our payload:

Payload was uploaded successfully

26. Before we execute the payload, we have to set up a listener on our attack machine by typing nc -nlvp 9999. Be sure that the port number you choose for your listener matches the one that you entered in the php-reverse-shell.php payload:

Listener is up and waiting for a connection

27. Go to the /sUp3r-s3cr3t/images/uploads through your browser and run the payload:

Click on the payload and go back to the listener you set up on your attack machine
  • Our listener connected successfully, we now have a reverse-shell:
Reverse-shell session

28. Let’s upgrade this to a more stable shell. First check whether python is installed on the victim machine by typing which python

Python is installed

29. Now, the conversion to a more stable shell by typing python -c 'import pty;pty.spawn("/bin/bash")'

Stable shell

30. We are in, so let’s try to locate the user flag by typing find / -name user.txt 2>/dev/null. I like adding 2>/dev/null so it discards any permission-denied errors and we don’t have to scroll through them to find the file we have access to:

Location of the user flag with 2>/dev/null added
Results from find command without adding the 2>/dev/null

31. Open the user.txt file by typing cat /home/d4rckh/user.txt

Got the user flag!
  • Besides the user.txt file there was another file called cleanup.py.

32. Let’s check whether our current user, www-data, has any sudo privileges by typing sudo -l

Looks like we have to escalate to a user thirtytwo using gdb
  • Let’s check GTFOBins for how to exploit gdb:

33. We have to use -u with sudo so we can change to user thirtytwo. If you remember from Step 32, user thirtytwo was the user specified. Type sudo -u thirtytwo /var/www/gdb -nx -ex '!sh' -ex quit

Now, we see that we are user thirtytwo

34. Again, spawn a more stable shell with python -c 'import pty;pty.spawn("/bin/bash")' and check whether there is any interesting file in user thirtytwo’s home directory:

Only one file in note.txt is found

35. Open note.txt by typing cat note.txt

Looks like a message from user d4rckh about git access

36. Type sudo -l to check what other sudo privileges user thirtytwo has

Looks like another lateral privilege escalation to user d4rckh

37. Check GTFOBins again for how to exploit git

Here’s how to exploit git

38. Type sudo -u d4rckh /usr/bin/git -p help config and then type !/bin/sh

We are now user d4rckh
  • Still, we cannot find anything except for the cleanup.py file, and upon running sudo -l we have nothing. Looking at the file cleanup.py, it looks like a script that removes whatever is inside the /home/cleanup/ directory. Let’s check /etc/crontab to see whether this script runs on a schedule. You can do this by typing cat /etc/crontab
Looks like this script runs every 2 minutes
  • We can edit the file cleanup.py to give us a reverse-shell as root.
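The root cause here is a root cron job whose script sits where another user can modify it; note that renaming cleanup.py and creating a new one only works because the directory itself is writable, not just the file. As an added example of how a defender would catch this (my own code, not the room’s), the Python below parses system-crontab text and, for every root job, reports any absolute path in the command whose file or parent directory is not root-owned or is group/world writable. The crontab lines and the temporary stand-in cleanup.py it checks are constructed for the demo, since the page does not show the room’s actual crontab line.

```python
import stat
import tempfile
from pathlib import Path

WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH  # group- or world-writable

def weak_reason(path):
    """Explain why a non-root user could change `path`, or return None."""
    st = Path(path).stat()
    if st.st_uid != 0:
        return f"owned by uid {st.st_uid}, not root"
    if st.st_mode & WRITE_BITS:
        return f"mode {stat.filemode(st.st_mode)} is group/world writable"
    return None

def audit_crontab(text):
    """Parse /etc/crontab-style text (schedule, user, command) and, for jobs
    run as root, return (schedule, command, path, reason) for each absolute
    path whose file or parent directory a non-root user could modify."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        fields = line.split(None, 6)
        if len(fields) < 7 or fields[5] != "root":
            continue  # malformed line, or a job that does not run as root
        schedule, command = " ".join(fields[:5]), fields[6]
        for token in command.split():
            p = Path(token)
            if not (p.is_absolute() and p.exists()):
                continue
            # A writable parent dir also counts: the file can be renamed and replaced.
            for target in (p, p.parent):
                reason = weak_reason(target)
                if reason:
                    findings.append((schedule, command, str(target), reason))
    return findings

def demo():
    """Audit a constructed stand-in cleanup.py (mode 666) and crontab; return (path, findings)."""
    script = Path(tempfile.mkdtemp()) / "cleanup.py"
    script.write_text("import os\n# constructed stand-in for cleanup.py\n")
    script.chmod(0o666)  # the dangerous setting: any local user can edit it
    crontab = f"""SHELL=/bin/sh
*/2 * * * * root /usr/bin/python3 {script}
*/5 * * * * d4rckh {script}
"""
    return str(script), audit_crontab(crontab)
```

Only the root job is reported; the d4rckh job references the same writable file but does not run as root, so it is not a privilege boundary.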

39. Nano doesn’t work for editing the file cleanup.py; the only editor that works is vim, and I struggle with vim. So what I did next was to create a completely new file and still keep the name cleanup.py, because that is the file referenced in crontab. First, we have to rename the current cleanup.py by typing mv cleanup.py cleanup.py.old

cleanup.py is now cleanup.py.old

40. Let’s create a new cleanup.py file with a reverse-shell payload by typing vim cleanup.py. And let’s check PentestMonkey for a python reverse-shell that we can use:

Here’s the code that we have to use and enter as the new file cleanup.py
  • New cleanup.py file

41. Set up the listener on your kali machine by typing nc -nlvp 8888 and wait for 2 minutes for the new cleanup.py to be run and we get our reverse-shell:

Now, we get our reverse-shell

42. Check who we are by typing whoami

We are now ROOT!

43. Finally, open root.txt by typing cat root.txt

root flag!

Hope you enjoyed it and learned something too!

Don’t forget to subscribe to my blog!

Published by lightkunyagami

https://tryhackme.com/badge/18276
