TryHackMe – Tempus Fugit Durius Walkthrough

TryHackMe – Tempus Fugit Durius Walkthrough

Hello everyone, this is Anıl Çelik. In this write-up, I would like to share the walkthrough of the room named “Tempus Fugit Durius”, which was recently released on TryHackme. https://tryhackme.com/room/tempusfugitdurius The machine is rated as intermediate/hard and a real life box.

Before starting, thanks to 4ndr34z for creating this room, I have learned so much from it!!


Let’s start with our nmap scan first:

  • As we can see from our output, we have 4 ports open: 22, 80, 111 and lastly 51947. Let’s start to enumerate the HTTP service:
  • Allright, it’s a.. Page. Let’s try to execute gobuster on it to see hidden directories:
  • Well, at this point it didn’t work because the server returned status code for non existing urls.  This means we can’t perform a gobuster scan on this host. Let’s try to manually enumerate this page.  The “Upload” link on the top of the page looks interesting. Let’s navigate on that one:
  • As we can see, an “Upload” module popped up. Now I know that, not even in an easy box, we would not be able to upload a reverse shell directly. So as a sneaky move, (SNEAK 100) i will try to upload an image onto the system, if I can do it, then can inject a malicious shellcode inside it later on.
  • When we forward our request, we can see that we are not allowed to upload something other than “.txt or .rtf”:
  • Then I checked if I really can upload a “.txt” file:
  • Ok, so basically what I just did in here is, I have created a “.txt” file named “a.txt” and I echoed “123” inside it. When I upload the file, I can see its content on the page such as shown in above.
  • Now, at this point, I first tried to intercept and change the extension of the file which is being uploaded but that didn’t work. Later, I literally searched for injecting a shellcode inside a “.txt or an .rtf” file but that method didn’t work either. Later, after a little bit of research, I found that I can get a reverse shell by manipulating the file name by intercepting it on BurpSuite. First, I tried to get the shell by giving my tun0 IP address directly but that didn’t work:
  • When I gave my tun0 IP address as below, I get the following error:
  • No sh*t, the file name was waaaay too long. After a little bit of research, I figured out that if I give my IP address as HEX-encoded, the page can parse it and so my request can be sent. So, the HEX-encoded  version of my IP address is:
  • Let’s try the same process again and bypass the filter:
  • Now, I get the shell:
  • Ok, so we get our first shell in the machine as “www-data”. Since we are on a netcat shell, we know that this shell is really unstable. What I mean is, when we do something wrong and try to cancel it by hitting “CTRL+C”, the shell drops and we need to do the same procedure again. To prevent this, we can upgrade our shell into a meterpreter shell. By doing this, even though our shell drops, we can gain back our shell instantly from the meterpreter. So, let’s upgrade our shell:
  • In order to upgrade my nc shell to a meterpreter shell, firstly I have created a payload with msfvenom named “shell.elf” (as can be seen in above pic), then I uploaded it on the box. Then, when I set up my multi handler module properly, I got my meterpreter shell
  • Now, we can go further. Let’s enumerate this box:
  • When we navigate to the “/” directory, we can see there are bunch of files located in here. I will first try to see the content of the file named “start.sh”:
  • Hmm, this looks interesting. It says “If there’s a prestart.sh script in the /app directory, run it before starting PRE_START_PATH=/app/prestart.sh”. Let’s navigate to “/app” directory:
  • Alright, so “main.py” got my attention, I am going for it:
  • Surprise!!! We found some FTP creds. After writing these down, let’s try to connect to FTP service to see what we have on FTP directory:
  • Well, the FTP service is not installed on here, and we are not able to install it. So, after a little bit of research, I found that I got the Python installed on box and if I write a Python script, I can access the FTP service:
  • First, let’s try to connect to FTP service. Later, we’ll try to get the files in the FTP directory.
  • So, it worked! What we can see here is that there are 2 files on FTP share named “a.txt (which we have uploaded on the system while we were trying to get a reverse shell) and “creds.txt”. Let’s add another couple of lines to our script in order to get “creds.txt” from the share to our computer:
  • After completing our script, let’s try to execute it again and get our “creds.txt” file:
  • Yes, this one went successfully. Now what I understand from here is, I get possible admin panel login credentials. On this point, we need to enumerate the box more. Since we are in a Docker container, let’s first check the IP configuration:
  • What we can see here is, there is another host up located in Interface 9 with IP address “192.168.150.10”. At this point, we need to escape from this container and access to the host located on Interface 9. In order to do that, we need to do port forwarding:
  • With above command, we created our Local TCP relay by forwarding Port 80 on Remote Host to our Port 8888. When we do this and browse “localhost:8888”, we can see the same page we got initially from Port 80 on remote host, which is useless for us to find the admin panel we need. At this point, we need to discover other hosts on “192.168.150.0/24” subnet. I tried to run nmap on the box but nmap wasn’t installed either and I was not able to install it. To perform an nmap scan outside of the box, we can use proxychains with nmap. To do this, we first need to run autoroute to specify our path:
  • Then, we need to set up socks4a proxy:
  • After getting each prerequisite done, let’s run nmap with proxychains:
  • As we can see from the output, the host with IP address “192.168.150.1” is also up. Let’s try to do our port forwarding on that host:
  • Then, let’s navigate to forwarded port on our browser:
  • We got a new page on our hands. Before going further, let’s see if we have any DNS records for our box. The reason why we are doing this is to see whether there is a canonical name which can lead us directly to the administration subdomain:
  • As we can see, my scepticism was right and we found a record with the canonical name “newcms.mofo.pwn”. First add this record to our hosts file and try to navigate on it:
  • Looks like we are on the right track. Now I guess we can do some gobuster in here:
  • Yes, the admin panel we wanted to get. Let’s navigate:
  • Login with the creds we found previously.
  • So in here, let’s a little bit fast-forward all the things. In the panel, we navigate to Themes section. In Edit menu, first I tried to insert my shellcode into page’s source code (by considering a real-life scenario, if we change the page completely, its possible to be get busted lol)
  • Yet, this didn’t work. Even I didn’t wanted to change the whole page, I had to do it:
  • After putting my reverse-shell code on the page and when I execute it, I get my shell:
  • Finally I escaped the container and got a shell from the real machine. Let’s try to navigate to “/home” directory:
  • Well, apparently, there are two users named “benclower and me”, but we are not privileged to access those. We can check “/etc/passwd” file also.  So, the first thing I did after upgrading my shell again to a meterpreter shell was going to “/tmp” directory and copy “linPEAS” from my computer:
  • On linPEAS output, I saw there are some database files located in the “/var/www/html/inc/data/” directory. Let’s navigate to there:
  • Download these files by using meterpreter’s download module:
  • Inspect them:
  • What we see here is we got the password hash of the user named “Ben Clower”. After performing a brute-force either with hashcat or john by using rockyou.txt, we get the password. So, what I did was switching to benclower and executing linPEAS again to find a possible privilege escalation vector. After getting the user flag on benclower, I kept enumerating the box and found that there might be some useful information placed in the “auth.log” file, but I was not able to access it:
  • After a really frustrating privilege escalation step, I found that I could use “/usr/bin/ispell” SGID privileges to read the “auth.log” file. 
  • Before going any further, let’s see what this “/usr/bin/ispell” is really about:
  • We see that “ispell” is simply a spell checker module. When we go down in the man page, we see something interesting:
  • Seems like we can use “!” character to execute a shell command. Let’s try to use this option after opening a file we are privileged to read with ispell:
  • After we try to open “flag1.txt” file with ispell, we will try to spawn a shell by using “!” command:
  • That worked, now let’s try to read the contents of “auth.log” file:
  • Seems like we got a possible password for root. Let’s try to switch users!!!!
  • Successfully elevated to root and got the root flag!!!!!! That was all I wanted to share with you guys about this box. Also, thanks to 4ndr34z for creating this cool box and for giving me useful nudges through my journey on this box. Hope you guys enjoyed it, see you on my next write-ups!!

Resources:

  • https://www.offensive-security.com/metasploit-unleashed/portfwd/
  • https://www.offensive-security.com/metasploit-unleashed/pivoting/
  • https://null-byte.wonderhowto.com/how-to/elevate-netcat-shell-meterpreter-session-for-more-power-control-0193211/
  • https://nullsweep.com/pivot-cheatsheet-for-pentesters/
  • https://www.1337pwn.com/using-nmap-with-proxychains-in-kali-linux/
  • https://www.browserling.com/tools/ip-to-hex

Related Posts

Facebook Comments