Tryhackme “Archangel” Report
- An exposed hostname, mafialive.thm, was added to /etc/hosts, which made the virtual host's web application accessible.
- An LFI (local file inclusion) vulnerability, combined with log poisoning, results in RCE (remote code execution).
- A scheduled cron job can be leveraged for horizontal privilege escalation to the Archangel user.
- A custom binary on the system was exploited for privilege escalation to the root user.
- SSH, port 22, open
- no usernames or password list available for a dictionary attack
- HTTP, port 80, open
- This web application has no obvious exploitable vulnerabilities, just a rickroll
The main home page contains an email address in the top banner, email@example.com.
Once the hostname is added to /etc/hosts, the virtual domain can be visited, and the first flag is displayed.
Directory busting this virtual domain reveals a /test.php page, which is also listed in /robots.txt.
When the button is clicked, text appears.
The test.php file includes another file, so it could be susceptible to an LFI vulnerability.
A list of LFI payloads from GitHub is used to brute-force this inclusion with Burp Intruder: https://github.com/xmendez/wfuzz/blob/master/wordlist/vulns/dirTraversal-nix.txt
Here, /etc/passwd is read. The user.txt file in /home/archangel/ can be read as well.
To turn this LFI vulnerability into RCE, a log file can be poisoned with malicious PHP; including that log file through the vulnerable parameter then executes the PHP.
Burp Suite can speed up the process of identifying valid log file paths.
To poison access.log, visit any valid page with malicious PHP code in the User-Agent header field.
Now that access.log is poisoned, including it via the LFI executes the reverse-shell one-liner, which connects back to the netcat listener.
Flag 2 can be found in the source code of test.php.
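From the defender's side, both steps above leave a trace in the web server's own log: the traversal payloads sent to test.php, and the PHP tags planted in the User-Agent header. The following script is an added example (not part of this write-up or the room) that parses Apache combined-format lines and tags each of those indicators. The log lines are constructed, and the `file=` parameter name is a placeholder, not the room's real parameter.

```python
"""Detection for the two web-layer signals in this room, run over Apache
"combined" access-log lines: directory-traversal / LFI probes in the request
target, and PHP tags planted in the User-Agent or Referer header (the log
poisoning step). Added example; the log lines are constructed, and the
`file=` parameter name is a placeholder, not the room's real one."""
import re
from urllib.parse import unquote

# Apache combined format; the User-Agent group tolerates escaped quotes (\")
# because injected PHP often contains them.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)
TRAVERSAL = re.compile(r"\.\./|\.\.\\|/etc/passwd|/proc/self|/var/log/", re.I)
PHP_TAG = re.compile(r"<\?")  # opens <?php, <?=, and the short <? tag

def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return the indicator tags that apply to one parsed entry."""
    tags = []
    # Decode twice so double-encoded traversal (..%252f) is caught as well.
    target = unquote(unquote(entry["target"]))
    if TRAVERSAL.search(target):
        tags.append("lfi-probe")
    if PHP_TAG.search(entry["ua"]) or PHP_TAG.search(entry["referer"]):
        tags.append("log-poisoning")
    return tags

def scan(lines):
    """Return (tag, source ip, request target) for every indicator in the log."""
    findings = []
    for line in lines:
        entry = parse_line(line.rstrip("\n"))
        if entry is None:
            findings.append(("unparsed", "-", line[:80]))
            continue
        for tag in classify(entry):
            findings.append((tag, entry["ip"], entry["target"]))
    return findings

# Constructed sample: one normal request, two traversal probes (plain and
# double-encoded), one poisoning attempt, and the follow-up read of the log.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /test.php?file=../../../../etc/passwd HTTP/1.1" 200 2891 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /test.php?file=..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 200 2891 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:14 +0000] "GET /robots.txt HTTP/1.1" 200 57 "-" "<?php echo \'poisoned\'; ?>"',
    '203.0.113.7 - - [01/Jan/2024:10:00:20 +0000] "GET /test.php?file=../../../../var/log/apache2/access.log HTTP/1.1" 200 77312 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

The `<?` check is deliberately broad; it will also fire on a User-Agent containing `<?xml`, which is rare enough in real traffic that the false positive is worth the coverage of the short tag. The more robust mitigation is to restrict test.php to an allowlist of filenames so that a log file can never be included in the first place.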
As the www-data user, /home/archangel/secret is inaccessible, and the only thing in /myfiles is a passwordbackup file that contains a link to get rick-rolled.
linpeas.sh showed a cron job that executes /opt/helloworld.sh every minute. Initially I tried to copy /bin/bash to /tmp/bash, then set the SUID bit and execute /tmp/bash as archangel, but the binary never copied over. Adding a reverse-shell one-liner spawned a reverse shell connection as the `archangel` user.
The archangel user can read the /home/archangel/secret folder and obtain the second user key.
Here there is also a `backup` file. When run, it outputs an error saying /home/users/archangel/myfiles/* doesn't exist. True: there is no /home/users directory, and /home is not writable by archangel.
This must be a hardcoded command in the file. The printable strings in the file can be listed with the `strings <filename>` command.
The command backs up files to /opt/backupfiles, the same directory the cron job script /opt/helloworld.sh wrote to.
But /opt/backupfiles/ doesn't contain anything useful, just another rickroll link.
Going back to the strings of /home/archangel/secret/backup, notice that the cp command doesn't use the full path.
A new directory can be added to the $PATH variable, and a new file named `cp` placed in that directory for `backup` to execute.
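Both privilege-escalation steps in this write-up, the writable cron script and the bare `cp` inside `backup`, are the kind of misconfiguration an audit script can catch before an attacker does. The following is an added example (not from the room or the write-up) that checks a script for write access by other users and for commands invoked without an absolute path while PATH is not pinned. The two script bodies are constructed stand-ins for /opt/helloworld.sh and the cp command described above; the real helloworld.sh content is not given on the page.

```python
"""Audit a script that runs from cron (or from a privileged helper program)
for the two weaknesses this room chains together: the script file being
writable by low-privilege users, and commands invoked by bare name, which
the shell resolves through PATH. Added example, not part of the original
write-up; the two scripts below are constructed stand-ins for
/opt/helloworld.sh and the cp command inside `backup`."""
import os
import re
import shlex
import stat
import tempfile

# Builtins and keywords are not looked up through PATH, so a bare name is safe.
SHELL_BUILTINS = {
    "echo", "cd", "export", "set", "unset", "exit", "return", "shift", "read",
    "source", ".", "test", "[", "[[", "true", "false", "local", "if", "then",
    "else", "elif", "fi", "for", "in", "do", "done", "while", "until", "case",
    "esac", "!",
}
CONTROL_PREFIX = {"if", "then", "else", "elif", "do", "while", "until", "!"}
SEPARATORS = re.compile(r"\s*(?:&&|\|\||[;|])\s*")
ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")

def find_relative_commands(script_text):
    """Return command names the script invokes without an absolute path."""
    found = []
    for raw in script_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for segment in SEPARATORS.split(line):
            try:
                tokens = shlex.split(segment)
            except ValueError:
                continue  # unbalanced quotes; skip rather than guess
            # Drop leading VAR=value assignments and control keywords ("do cp ...").
            while tokens and (ASSIGNMENT.match(tokens[0]) or tokens[0] in CONTROL_PREFIX):
                tokens.pop(0)
            if not tokens or tokens[0] in SHELL_BUILTINS or tokens[0].startswith("/"):
                continue
            found.append(tokens[0])
    return found

def sets_path(script_text):
    """True if the script pins PATH itself before running anything."""
    return re.search(r"^\s*(?:export\s+)?PATH=", script_text, re.M) is not None

def writable_by_others(mode):
    """Permission-bit findings for a file that a privileged job executes."""
    issues = []
    if mode & stat.S_IWGRP:
        issues.append("group-writable")
    if mode & stat.S_IWOTH:
        issues.append("world-writable")
    return issues

def audit_script(path):
    """Combine permission and PATH findings for one script file."""
    findings = [f"{path}: {w}" for w in writable_by_others(os.stat(path).st_mode)]
    with open(path) as fh:
        text = fh.read()
    if not sets_path(text):
        for cmd in find_relative_commands(text):
            findings.append(f"{path}: '{cmd}' resolved via PATH and PATH is not pinned")
    return findings

# Constructed: a cron script that also runs the bare `cp` the page describes ...
WEAK_SCRIPT = """#!/bin/bash
echo "hello world" >> /opt/backupfiles/helloworld.txt
cp /home/users/archangel/myfiles/* /opt/backupfiles/
"""
# ... and the same job with PATH pinned and cp given by full path.
HARDENED_SCRIPT = """#!/bin/bash
export PATH=/usr/bin:/bin
echo "hello world" >> /opt/backupfiles/helloworld.txt
/bin/cp /home/users/archangel/myfiles/* /opt/backupfiles/
"""

def demo():
    """Write both scripts to a temp dir with realistic modes and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        weak = os.path.join(tmp, "helloworld.sh")
        hard = os.path.join(tmp, "helloworld-hardened.sh")
        for path, text, mode in ((weak, WEAK_SCRIPT, 0o777), (hard, HARDENED_SCRIPT, 0o755)):
            with open(path, "w") as fh:
                fh.write(text)
            os.chmod(path, mode)
        return audit_script(weak), audit_script(hard)

if __name__ == "__main__":
    weak_findings, hard_findings = demo()
    print("\n".join(weak_findings) or "no findings")
    print("hardened:", hard_findings or "no findings")
```

Pointing the audit at /etc/cron.d, the crontabs, and any script a SUID or sudo-permitted program executes covers the two escalation paths in this room: the weak copy reports the writable file and the unqualified `cp`, the hardened copy reports nothing. Pinning PATH at the top of the script is the cheap fix; using absolute paths for every external command is the belt-and-braces one.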