ajread@aj-ubuntu:~/TryHackMe$ nmap -A [Remote IP]
Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-05 19:32 EDT
Nmap scan report for [Remote IP]
Host is up (0.11s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
445/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 83.43 seconds
A full port scan with nmap confirmed the services on the target.

ajread@aj-ubuntu:~$ nmap -p- [Remote IP]
Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-05 19:31 EDT
Nmap scan report for [Remote IP]
Host is up (0.10s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 708.46 seconds

Enumeration

Initial Access

After doing some research online, it appeared that the Traffic Offense Management System (TMS) is susceptible to SQL injection or RCE (https://www.exploit-db.com/exploits/50221). Checking SQL injection first, I attempted to log in with test:test and found that the server's response contained SQL queries.

I found an exploit online that was listed as RCE and used the username:password combination from it to log in to the TMS. Reading through the same exploit, I learned that anything could be uploaded as the user avatar on the admin/?page=user page, which is used to create a new user. So I created a PHP reverse shell from Pentest Monkey to upload in the avatar section.

Before uploading, I set up a listener on my local machine.

Finally, I uploaded the PHP reverse shell at http://[Remote IP]:445/management/admin/?page=user on the TMS, and it called back!

I made sure to upgrade my shell.

In order to read user.txt, I had to become the plot_admin user. Looking at the cron jobs, it appeared that a backup shell script (backup.sh) ran periodically as plot_admin. I needed a way to have that same mechanism execute my own shell script as plot_admin. I found that I had write access to the /var/www/scripts directory, where the script sat. I was lost for a while, so I used infinity's write-up (https://wiki.thehacker.nz/docs/thm-writeups/plotted-tms-easy/) to figure out how to link a shell script that executes /bin/bash to backup.sh.

As a result, I escalated to user plot_admin.

And got the user flag.

Privilege Escalation

I added my public SSH key as an authorized key on the target machine so that I could SSH into it.

Looking around for possible privilege escalation techniques, it appeared that plot_admin could run openssl as root without a password:

plot_admin@plotted:~/tms_backup$ cat /etc/doas.conf
permit nopass plot_admin as root cmd openssl

I checked the GTFOBins page for openssl (https://gtfobins.github.io/gtfobins/openssl/) to see whether it could be used for privilege escalation. It looked like I could read files with:

LFILE=file_to_read
openssl enc -in "$LFILE"

Combining the information I found, I tried to read the flag in the root home directory. And it worked!

plot_admin@plotted:~/tms_backup$ doas openssl enc -in "/root/root.txt"
Congratulations on completing this room!
[REDACTED]
Hope you enjoyed the journey!
Do let me know if you have any ideas/suggestions for future rooms.
-sa.infinity8888

Assistance

Done with help from: https://wiki.thehacker.nz/docs/thm-writeups/plotted-tms-easy/
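The escalation to plot_admin above relied on a cron-executed script sitting in a directory the web user could write to. The following shell script is an added example (not from the original writeup or the room) of the check an administrator would run to catch that misconfiguration: it reads a system crontab, pulls the first absolute path out of each command, and flags paths, or their parent directories, that are group- or world-writable. It assumes GNU stat and the /etc/crontab layout (five time fields, a user, then the command).

```shell
#!/usr/bin/env bash
# Added audit example: flag cron-scheduled scripts that a lower-privileged
# user could overwrite or replace. Assumes GNU stat (-c '%a') and the
# /etc/crontab layout: min hour dom mon dow user command...
# Output: one "WRITABLE <path> <mode>" line per weak path (or "MISSING <path>").

audit_cron_scripts() {
    local crontab_file="$1"
    local line cmd target parent p mode
    while IFS= read -r line; do
        # skip blank lines and comments
        case "$line" in ''|\#*) continue ;; esac
        # skip environment assignments such as SHELL=/bin/sh or PATH=...
        if printf '%s\n' "$line" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*='; then
            continue
        fi
        # drop the five time fields and the user; keep the command
        cmd=$(printf '%s\n' "$line" | awk '{ $1=$2=$3=$4=$5=$6=""; print }')
        # the first absolute path in the command is what cron will execute
        target=$(printf '%s\n' "$cmd" | grep -o '/[^[:space:]]*' | head -n 1 || true)
        [ -n "$target" ] || continue
        if [ ! -e "$target" ]; then
            echo "MISSING $target"
            continue
        fi
        parent=$(dirname "$target")
        # a writable parent directory is as bad as a writable file: the script
        # can be deleted and replaced, which is the backup.sh situation above
        for p in "$target" "$parent"; do
            mode=$(stat -c '%a' "$p")
            # test the group (020) and other (002) write bits of the octal mode
            if [ $(( 0$mode & 022 )) -ne 0 ]; then
                echo "WRITABLE $p $mode"
            fi
        done
    done < "$crontab_file"
}

# Usage on a real host: audit_cron_scripts /etc/crontab
```

Running it against a crontab that schedules a script in a 775 directory reports the directory even when the script file itself is 744, since that is all an attacker needs to swap the script out.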