TryHackMe “Archangel” Report

  • An exposed hostname, mafialive.thm, was added to /etc/hosts, making the virtual host's web application accessible.
  • An LFI (local file inclusion) vulnerability, combined with log poisoning, results in RCE (remote code execution).
  • A scheduled cron job can be leveraged for horizontal privilege escalation to the archangel user.
  • A custom binary on the system was exploited for privilege escalation to the root user.

  • SSH, port 22, open
    • no usernames or password list for a dictionary attack
  • HTTP, port 80, open
    • This web app has no obvious exploitable vulnerabilities, just a rickroll

The main home page shows an email address in the top banner, support@mafialive.thm.
Once the hostname is added to /etc/hosts, the virtual domain can be visited and the first flag is displayed.

Directory busting this virtual domain reveals a /test.php page, which is also listed in /robots.txt.

When the button is clicked, text appears.

The test.php file includes another file, which could make it susceptible to an LFI vulnerability.
A list of LFI payloads from GitHub is used to brute force this vulnerability with Burp Intruder: https://github.com/xmendez/wfuzz/blob/master/wordlist/vulns/dirTraversal-nix.txt

Here, /etc/passwd is read. The user.txt file in /home/archangel/ can be read as well.

To turn this LFI vulnerability into RCE, we can try to poison a log file with PHP code; including that log file through the LFI will then execute the PHP.

Burp Suite can speed up the process of identifying valid log file paths:

To poison access.log, just visit a valid page with PHP code in the User-Agent header field.

Now that access.log is poisoned, including access.log through the LFI will execute the reverse shell one-liner and connect back to the netcat listener.
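As an added detection-side example (not part of the original writeup), the following Python script scans Apache combined-format access log lines for the two behaviours described above: traversal or /etc/passwd requests against test.php, and PHP open tags placed in the User-Agent header. The log lines and the `file` parameter name are constructed for this example.

```python
import re
from urllib.parse import unquote

# Apache combined log format; the constructed sample lines below follow this layout
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Indicators: traversal / wrapper / sensitive-file patterns in the request (LFI probing)
# and PHP open tags in the User-Agent or request (log-poisoning attempt)
LFI_RE = re.compile(r'(\.\./|php://|/etc/passwd|access\.log)', re.IGNORECASE)
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.IGNORECASE)

def analyse_line(line):
    """Return the list of alert labels for one access-log line (empty if clean)."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return ["unparsed"]
    alerts = []
    # Decode twice so URL-encoded and double-encoded traversal (%2e%2e%2f, %252e) is caught
    req = unquote(unquote(m.group("req")))
    if LFI_RE.search(req):
        alerts.append("lfi-probe")
    if PHP_TAG_RE.search(m.group("ua")) or PHP_TAG_RE.search(req):
        alerts.append("log-poisoning")
    return alerts

def scan(lines):
    """Map each source IP with suspicious requests to the set of alert labels seen."""
    findings = {}
    for line in lines:
        labels = analyse_line(line)
        if labels:
            m = LOG_RE.match(line.rstrip("\n"))
            ip = m.group("ip") if m else "unparsed"
            findings.setdefault(ip, set()).update(labels)
    return findings

# Constructed sample log (not taken from the room): the first two lines are benign,
# the third probes test.php with an encoded traversal (hypothetical 'file' parameter),
# the fourth carries a PHP tag in the User-Agent, as a log-poisoning attempt would
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 40 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /test.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1500 "-" "curl/7.68.0"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /test.php HTTP/1.1" 200 300 "-" "<?php echo 'poisoned'; ?>"
"""

if __name__ == "__main__":
    for ip, labels in scan(SAMPLE_LOG.splitlines()).items():
        print(ip, sorted(labels))
```

On a real host, feed the script the contents of the web server's access log; any IP flagged with both labels has attempted exactly the LFI-to-RCE chain described above.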

Flag 2 can be found in the source code of test.php.

As the www-data user, /home/archangel/secret is inaccessible, and the only thing in /myfiles is a passwordbackup file that contains a link to get rickrolled.

linpeas.sh showed a cron job that executes /opt/helloworld.sh every minute. Initially I tried to copy /bin/bash to /tmp/bash, then set the SUID bit and execute /tmp/bash as archangel, but the binary never copied over. Adding a reverse shell one-liner spawned a reverse shell connection as the `archangel` user.

The archangel user can read the /home/archangel/secret folder and obtain the second user key.

The secret folder also contains a `backup` binary. When run, it prints an error saying /home/users/archangel/myfiles/* doesn’t exist. Indeed, there is no /home/users directory, and /home is not writable by archangel.

This must be a hardcoded command in the binary. The printable strings in the file can be listed with the `strings <filename>` command.

The command backs up files to /opt/backupfiles, the same directory that the cron job script /opt/helloworld.sh wrote to.
However, /opt/backupfiles/ contains nothing useful, just another rickroll link.

Looking again at the strings of /home/archangel/secret/backup, notice that the cp command is not called by its full path.
A new directory can be added to the $PATH variable with a file named `cp` in it, which `backup` will then execute in place of the real cp.
