TryHackMe: HA Joker CTF

OK, so this is a guided walkthrough box from TryHackMe and it looks quite interesting from the tags and involves an LDX container for privesc.

Anyway, as always let’s start with an nmap scan to identify open ports and service on the box.

So we have ssh open on port 22, an Apache web server on port 80 and another Apache web server on port 8080.

There is little we can do with the ssh server at this time, so we will concentrate on the Apache web server on port 80.

Port 80 — Apache web server:

So not a lot here, looking at the source code there are lot’s of comments which appear to be quotes from Joker:-), but there is nothing I can see which will help with further enumeration. Time to fire up OWASP DirBuster, I also added a few file extensions to search for php and txt and set it to brute force recursively both directories and files:

After a while we see an very interesting file called secrets.txt. Examining this file we see a conversation between Joker and Batman.

As a best guess it is possible that batman and Joker are possibly users on this system or at least one of them is. Let’s check out Port 8080:

Port 8080 — Apache Web Server:

OK, so was have a basic web authorisation screen asking us to enter a username and password. Let’s see if we can brute force this using our suspected usernames and xHydra. To brute force basic http authentication we need to set the Protocol to ‘http-get’ and I used the rockyou.txt wordlist.

We get a hit and brute force the http authentication. I will also try doing the same with batman as the user, but nothing comes up, so lets move forward with the credentials we have found.

Now we have credentials to bypass the http authentication, let’s run a Nikto scan

So we are logged into a Joomla CMS website. Checking the Firefox Wappalyzer, we are running on Apache 2.4.29 on an Ubuntu operating system.

When enumerating a website, I find it always useful to run a Nikto scan. In this case as we have http authentication we need to run Nikto with the:

nikto -host http://10.10.207.22:8080/ -id joker:hannah

We see an interesting file /backup.zip which should be investigated to see whether we can find any credentials. We can download this file by navigating to the file on the website.

We can use zip2john to extract the hash from the zip file and convert it to a format that John can read, we can then use John to hopefully crack the hash.

zip2john backup.zip > hash.txt

It looks like Joker is sloppy with his passwords and used the same one to protect the zip file. Let’s unzip the backup.zip using the ‘unzip’ command with the passphrase:

OK, we extract a backup which appears to be a backup of the Joomla site. Moving to the directory we can see two further directories, /db and /site. In the /db directory we can see a file called joomladb.sql. Let’s take a look at this file and pipe to grep and search for any reference to ‘admin’

cat joomladb.sql | grep admin

So we have found credentials for Super Duper User with the username ‘admin’ hash :$2y$10$b43UqoH5UpXokj2y9e/8U.LD8T3jEQCuxG2oHzALoJaj9M5unOcbG

Again, let’s use John to see whether we can brute force the hash, but first we need to copy the hash to a file:

echo '$2y$10$b43UqoH5UpXokj2y9e/8U.LD8T3jEQCuxG2oHzALoJaj9M5unOcbG' > joomla.hashjohn joomla.hash --wordlist=/usr/share/wordlists/rockyou.txt

OK, so we have cracked the hash identifying the password, we can now try and login to the Joomla CMS using the credentials discovered as an admin.

From our earlier Nikto scan, we know the admin login panel can be found at /administrator, so let navigate to this page on the website:

We are in, all we need to do now is upload a reverse php shell. Just like the Wordpress CMS, the easiest way to get a shell is by overwriting the code on either a template file or a plugin. Templates are a good place to start and I will usually try the 404 redirect file first.

Fist we need to see what template Joomla is using, so under ‘Configuration’ click on ‘Templates’

So navigate from the top menu /Extensions/Templates/Templates and select ‘Prostar Details & Files’ and select the ‘error.php’ file.

My favourite php reverse shell I like to try first is from Pentest Monkeys, which by default is already available on Kali and can be found in the /usr/share/webshells/php directory.

Delete the code in the current error.php file and replace with the reverse shell code and change the IP and Port to suit.

We can now ‘Save& Close` and logout of Jooomla and back to the main site. Let’s setup our listener to catch the remote shell. For this I will be using Pwncat which has a lot of built-in features compared to Netcat (nc).

To start to reverse shell all we need to do is navigate to a page that does not exist to trigger the 404 error.php page and we have our reverse shell.

So we have a low level user shell (www-date) and we can see that it is a member of the lxd group. Basically lxd is a docker technology and hints that we may have to exploit this to privesc further to a higher privileged user. Anyway, let’s have a look around and then run a enumeration script to look for potential attack vectors.

It looks like the main objective of this box is to exploit lxd, this will be the same method as used in the other TryHackMe box Game Server, so let’s start.

There is a very good explanation of this exploit at the link below:

To start with we need to download the lxd-alpine image builder to our local machine:

git clone https://github.com/saghul/lxd-alpine-builder.git

cd into the “lxd-alpine-builder” directory and run the “build-alpine” with the following command.

sudo ./build-alpine -a i686

Once complete there will be a .tar.gz file which we need to upload to the remote machine. I will setup a simple http server on my remote machine in the directory containing the alpine image.

python3 -m http.server

Using wget I will upload the alpine image to the remote machine:

We can then import the alpine image into lxc:

lxc image import alpine-v3.12-i686-20201010_1904.tar.gz.1 --alias alpine

Using the command ‘lxc image list’ we can see that our image has been added.

We now need to create a machine from the image, this can be done by running the following command:

lxc init alpine privesc -c security.privileged=true

If we use command ‘lxc list’, we can see that our new user privesc has been created; however the machine is not running.

Next we need to add a hard drive to the machine, the privesc technique in this case looks to have the whole host mounted in the /mnt/root and thus you have root access. We can achieve this with the following command:

xc config device add privesc host-root disk source=/ path=/mnt/root recursive=true

We now need to start the machine, we can use command lxc list, to mack sure it is running:

lxc start privesc

To exploit the machine, we run the following command:

lxc exec privesc /bin/sh

We can now navigate to our directory on our mounted hard drive /mnt/root:

Here we see the /root directory of the remote machine, we can navigate to /root and grab the flag:

Again, I really enjoyed this machine, well done to the writer. Having done a few machines using the lxc exploit, I feel that I am now familiar with this.

Love podcasts or audiobooks? Learn on the go with our new app.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Yebberdog

Yebberdog

More from Medium