zeno TryHackMe Writeup

Scanning

We run nmap on all ports with scripts and software versions.

Enumeration

We access the high web port and find an inactive resource.

Launch “dirsearch” and list the directory “rms”.

Accessing the directory, we find a website with “Restaurant Management System” displayed.

Control panel

We listed the control panel, but it is out of service.

We create a user and see that it is vulnerable to SQL Injection (Time-Based).

We use the “sqlmap” tool, we manage to enumerate the databases and obtain some credentials, but it does not help us to connect via SSH.

Databases name

Members table

Columns name

Users

Exploitation

We reviewed exploits and found this one for Remote Code Execution (RCE).

Exploit: https://www.exploit-db.com/exploits/47520

The exploit has some faulty lines, we fix the exploit, run it and we have a command shell via PHP.

PoC

We put a Netcat listening and run a reverse shell and gain access to the system.

Reverse shell

We read the “config.php” file of the CMS, but the password is not valid for the user “edward”.

We do a quick reconnaissance with the “lse” script, we find two interesting things:

We use the password on the user “edward” and read the user flag.

Privilege Escalation

We check if we can run any script or binary with SUDO, we see that we can restart the system.

We remember that previously we found a service file that we can modify, we have already done this procedure in other machines, so we modify the file and restart the machine, so we will force the new loading of the service file.

We create a service file with the following content:

[Unit]
Description=root

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'echo "edward ALL= (root) NOPASSWD: /usr/bin/sudo " >>/etc/sudoers'

[Install]
WantedBy=multi-user.target

When the machine restarts, it will grant us to use sudo as root, so we can run a bash, become root and read the flag.