Archangel — TryHackMe

Writeup

Bat_09
4 min read · May 7, 2021

This machine focuses mainly on privilege escalation and a local file inclusion (LFI) vulnerability. To understand the basics of LFI, you can practice in a TryHackMe room first.

Let’s start by enumerating the machine; we can use nmap to see the open ports and services.

sudo nmap -A <target_ip>

The scan shows two open ports, but nothing interesting to look into further. Let’s look for hidden directories using gobuster.

sudo gobuster dir -u http://<target_ip>/ -w /usr/share/wordlists/dirb/common.txt -x php,html

The gobuster scan also didn’t show any hidden directories that we could enumerate further. The task mentions finding a different hostname. Trying enum4linux and nmap didn’t produce any results. Looking at the webpage, we can see a support email address; its domain is the other hostname. Before we can enumerate this hostname, we have to add it to our /etc/hosts file.

Now, accessing the website at that hostname, we are presented with flag1.

Flag1 area

We can enumerate further to find hidden directories under this hostname. We have access to the robots.txt file!

It lists a PHP file that we can use to get a shell. Clicking the button leads to the mrrobot.php file, which may contain an LFI vulnerability. Googling turned up this guide, which was helpful for the next steps.

Let’s use a simple base64 filter that allows us to read the source of the test.php file instead of having the server execute it. We can edit the URL to view the contents of the file as shown below.

http://mafialive.thm/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/mrrobots.php

Now we have base64 output. Save it in a .html file and decode it using a base64 converter.

The output shows us flag2 and some code that prevents us from accessing files like /etc/passwd.

The snapshot of the payload above shows that the filter rejects ../.. after the development_testing directory, but it doesn’t filter out ..//..//.. . Let’s try to access the /etc/passwd file using that form. We got access!!
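To make the weakness concrete, here is an added example (not code from the original room or this writeup) that contrasts the kind of substring blocklist described above with a containment check. It assumes the page is meant to serve files from a base directory, here taken to be /var/www/html/development_testing; the request strings are constructed for illustration.

```python
import posixpath

# Assumed for this example: the directory the vulnerable page should serve from.
BASE_DIR = "/var/www/html/development_testing"


def blocklist_allows(view):
    """The style of check the writeup describes: a substring blocklist that
    rejects '../..' and nothing else. True means the request would be served.
    '..//..' does not contain the literal '../..', so it slips through."""
    return "../.." not in view


def contained_allows(view):
    """Hardened replacement: refuse stream wrappers (php://, data://, ...),
    resolve the request against BASE_DIR, and only serve it if the normalised
    path still sits inside BASE_DIR. normpath collapses repeated slashes and
    '..' segments, so slash-doubling no longer matters."""
    if "://" in view:
        return False
    resolved = posixpath.normpath(posixpath.join(BASE_DIR, view))
    return resolved == BASE_DIR or resolved.startswith(BASE_DIR + "/")


def compare(view):
    """Return both verdicts for one request so the gap between them is visible."""
    return {"blocklist": blocklist_allows(view), "contained": contained_allows(view)}


if __name__ == "__main__":
    # Constructed requests: a legitimate file, the blocked form, the bypass form,
    # and the php://filter source-disclosure trick used earlier in the writeup.
    for v in (
        "mrrobots.php",
        BASE_DIR + "/../../../../etc/passwd",
        BASE_DIR + "/..//..//..//..//etc/passwd",
        "php://filter/convert.base64-encode/resource=" + BASE_DIR + "/mrrobots.php",
    ):
        print(f"{v}\n  -> {compare(v)}")
```

In a real PHP handler the equivalent of the containment check is realpath() on the joined path, which additionally follows symlinks; an allowlist of the few file names the page actually needs is simpler and safer still.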

As the page is PHP, we can try log poisoning. You can refer to this article to understand how it works. Now we need to access the access.log file located in the apache2 log directory.

Intercept the request using Burp Suite.

To get a shell we need to modify the User-Agent header of the request to <?php system($_GET['cmd']); ?> and append &cmd= to the GET request. After sending the request we can see that we get command execution. Now send a reverse shell via cmd= ; we can go with pentestmonkey’s cheat sheet. We can’t just paste the reverse shell as it is, though: we need to URL-encode it. The Burp Suite decoder can be used for this, or any online encoder.

Now place the encoded payload in the request and send it, but first start a netcat listener in your terminal.
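From the defender’s side, the log poisoning above leaves two traces in the same access.log that the attacker includes: traversal sequences (including the slash-doubled form) in the request line, and PHP code written verbatim into the User-Agent field. The following added example, which is not part of the original writeup, scans constructed Apache combined-format log lines for both; the sample lines and the IP address in them are made up for illustration.

```python
import re
from urllib.parse import unquote

# Apache "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# PHP opening tags or dangerous calls inside a header the server logs verbatim.
PHP_CODE_RE = re.compile(
    r'<\?(php|=)|\b(system|exec|passthru|shell_exec|eval|assert)\s*\(',
    re.IGNORECASE,
)
# Traversal (../ and ..// alike), stream wrappers and log/proc paths in a request.
LFI_REQ_RE = re.compile(r'\.\.[/\\]+|php://|/var/log/|/proc/self/', re.IGNORECASE)


def inspect_entry(m):
    """Return the list of reasons one parsed entry looks like LFI or log poisoning."""
    reasons = []
    # Apache logs the request line as sent, so decode %2F etc. before matching.
    if LFI_REQ_RE.search(unquote(m["req"])):
        reasons.append("traversal/wrapper in request")
    for field in ("ua", "ref"):
        if PHP_CODE_RE.search(m[field]):
            reasons.append(f"php code in {field}")
    return reasons


def scan_access_log(lines):
    """Scan an iterable of log lines; return findings with line number, client IP and reasons."""
    findings = []
    for n, line in enumerate(lines, start=1):
        m = COMBINED_RE.match(line.rstrip("\n"))
        if not m:
            findings.append({"line": n, "ip": None, "reasons": ["unparseable line"]})
            continue
        reasons = inspect_entry(m)
        if reasons:
            findings.append({"line": n, "ip": m["ip"], "reasons": reasons})
    return findings


# Constructed sample log: one benign request, one slash-doubled traversal, one
# poisoned User-Agent, and one URL-encoded traversal that includes the log itself.
SAMPLE_LOG = [
    '10.10.14.5 - - [07/May/2021:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.10.14.5 - - [07/May/2021:10:00:09 +0000] "GET /test.php?view=/var/www/html/development_testing/..//..//..//..//etc/passwd HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.10.14.5 - - [07/May/2021:10:00:15 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "<?php system($_GET[\'cmd\']); ?>"',
    '10.10.14.5 - - [07/May/2021:10:00:21 +0000] "GET /test.php?view=..%2F%2F..%2F%2Fvar/log/apache2/access.log&cmd=id HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']} from {f['ip']}: {', '.join(f['reasons'])}")
```

Run against a real access.log the same function works line by line; the poisoned User-Agent entry is the one to look for first, because it stays in the log (and stays executable through the inclusion) long after the request that planted it.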

We got a shell!! The user flag is present here. Next we need to get a shell as the second user, archangel. Looking for SUID binaries came up with nothing useful. Further enumeration using linpeas shows there is a scheduled crontab entry for the user archangel.

The helloworld.sh script is executed on a regular basis as that user. We need to inject our reverse shell into it; use pentestmonkey’s cheat sheet. After injecting it, wait a couple of seconds and you will get the shell!!

Now we have a shell as the user archangel; head to the secret folder and you can access the user2 flag. Our next task is to escalate our privileges to root!!

In the secret folder we can see a backup binary that can be executed by any user. The backup binary calls the cp command by name rather than by absolute path, so the command is resolved through the user’s PATH. That can be misused to run another binary instead, such as /bin/bash, by modifying the user’s PATH variable.
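Both privilege escalations above come down to two auditable conditions: a scheduled script that someone other than its owner can modify (helloworld.sh), and a privileged program that invokes a command by bare name so the caller’s PATH decides what runs (the backup binary’s cp). The following added example, which is not from the original room or writeup, checks both on two constructed shell scripts (a loose one and a hardened one) written to a temporary directory; the file names, paths and contents are made up for illustration, and the bare-name check is applied to shell script text as a stand-in for the compiled backup binary.

```python
import os
import re
import stat
import tempfile

# Shell keywords and builtins, which are not looked up through PATH.
SHELL_WORDS = {"if", "then", "else", "elif", "fi", "for", "do", "done", "while",
               "case", "esac", "export", "cd", "echo", "exit", "set", "unset",
               "return", "local", "true", "false", "shift", "read", "test", "["}
PATH_ASSIGN_RE = re.compile(r'^(export\s+)?PATH=')


def writable_by_others(path, owner_uid):
    """True when a file that cron or a privileged program will execute can be
    modified by someone other than root or its intended owner: group- or
    world-writable mode bits, or an unexpected owning uid."""
    st = os.stat(path)
    loose_mode = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    wrong_owner = st.st_uid not in (0, owner_uid)
    return loose_mode or wrong_owner


def path_dependent_commands(script_text):
    """Return commands invoked by bare name before the script pins PATH.
    Crude tokeniser: strips comments, splits on | ; && ||, takes each
    segment's first word, ignores builtins, assignments and absolute paths."""
    found, path_pinned = [], False
    for raw in script_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # also drops the #! line
        if not line:
            continue
        for segment in re.split(r'\|\||&&|[|;]', line):
            segment = segment.strip()
            tokens = segment.split()
            if not tokens:
                continue
            if PATH_ASSIGN_RE.match(segment):
                path_pinned = True          # e.g. export PATH=/usr/bin:/bin
                continue
            cmd = tokens[0]
            if "=" in cmd or cmd in SHELL_WORDS or cmd.startswith(("/", "./", "$")):
                continue
            if not path_pinned:
                found.append(cmd)
    return found


# Constructed scripts: the loose one mirrors the weaknesses in the writeup,
# the hardened one pins PATH and uses an absolute path for cp.
LOOSE_SCRIPT = (
    "#!/bin/bash\n"
    "cd /home/user/backup\n"
    "cp -r /home/user/myfiles/* . && echo done\n"
)
PINNED_SCRIPT = (
    "#!/bin/bash\n"
    "export PATH=/usr/bin:/bin\n"
    "cd /home/user/backup\n"
    "/bin/cp -r /home/user/myfiles/* . && echo done\n"
)


def audit_demo():
    """Write both scripts with different modes and audit them; returns a dict."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, text, mode in (("loose.sh", LOOSE_SCRIPT, 0o777),
                                 ("pinned.sh", PINNED_SCRIPT, 0o755)):
            p = os.path.join(d, name)
            with open(p, "w") as fh:
                fh.write(text)
            os.chmod(p, mode)
            results[name] = {
                "writable_by_others": writable_by_others(p, os.getuid()),
                "path_dependent": path_dependent_commands(text),
            }
    return results


if __name__ == "__main__":
    for name, r in audit_demo().items():
        print(name, r)
```

The two fixes are the mirror image of the two findings: make anything cron runs owned by root (or the user) and mode 755 or tighter, and have privileged programs either call helpers by absolute path or set PATH themselves before doing so.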

Finally we escalated to root privileges; now access the root directory to get the flag!!

Thank you!!

Happy Hacking!🦇
