I started with an nmap scan and found both SSH and a web server:
I went to the web server in my browser and found a default Apache landing page:
I scanned for some common directories using gobuster and got the following hits:
At /content I got this message:
I’ve never heard of SweetRice before, so I tried to read up a little about it, HERE.
I expanded the search from /content, and found a few more directories:
At /as, I got this:
At /inc I found a bunch of files:
I think I found the version number here:
The other interesting file here was the “mysql_backup” file, which seemed to show some users named admin and manager. It looks like manager has a password hash:
I quickly threw it into an online password cracker and hilariously, the password is “Password123”, which is funny because I tried that exact same password for the admin user at the login page earlier.
And we’re in:
I switched the website on to see what would happen and this was all it was:
Well now that I have the version number I can look for some exploits. I initially searched Metasploit for vulnerabilities, but they didn’t have anything:
But I was able to find a bunch online and in searchsploit:
Looks like there are quite a few for version 1.5.1 in searchsploit. I chose the XSRF and PHP Execution one and downloaded it for more info.
So according to this, I need to go to the Adding Ads section and upload this, which will allow me to add PHP code to the server.
I used the script provided but made some changes, highlighted here:
The URL will be specific to you; it’s the IP you got assigned from TryHackMe.
Then you can replace the PHP code to add in a reverse shell. I opted for the tried and true reverse shell from Pentest Monkey, found HERE.
You will replace the highlighted parts here:
I changed the PHP script, adding in my attackbox IP and a port for listening.
Then I set up a listener.
After you press DONE, you should see it here:
Then head to this directory to execute:
After you click on the exploit, head back to your listener where you should now see a shell has spawned:
Remember that you can create a better shell by using the following:
Right now it seems I’m logged in as www-data. Time to look around.
I finally found the first flag by navigating to the “itguy” user:
mysql_login.txt gives a username (rice) and password (randompass). Not sure if that will be useful yet.
Right now my goal is to escalate privileges. Currently, I have the following permissions:
This says that I can manipulate backup.pl with no password required.
After checking that file, I see that it’s running something called “/etc/copy.sh”.
I went to check /etc/copy.sh and saw this, which looks like another reverse shell.
I then checked if I was able to write to it, in order to change it for my own devious purposes. And I could.
So essentially I’m going to try to change it to give me a shell. I’m going to keep it very simple and overwrite everything inside with /bin/bash.
And since I know I can run this with sudo and no password because of what I saw earlier, I should be able to get root privileges after I run it.
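From the defender's side, the root cause of this escalation is a script that root runs via a NOPASSWD sudo rule and that in turn calls a helper file any user can edit. The audit below is an added example, not code from this writeup or from the room: it parses a sudoers-style NOPASSWD rule, follows the absolute paths named inside the permitted script one level deep, and reports any file in that chain that group or world can write. The sudoers line, file names and temp-directory layout are constructed for the demo, and the regexes are a coarse heuristic rather than a full sudoers or Perl parser.

```python
import os
import re
import stat
import tempfile

# Absolute paths written literally inside a script (coarse token match; assumes
# the script names the helpers it runs rather than building paths at runtime).
PATH_RE = re.compile(r"(?<![\w.])/[\w./-]+")

# sudoers rule shape: user HOST=(RUNAS) [NOPASSWD:] cmd1, cmd2 ...
SUDO_RE = re.compile(r"^\s*(\S+)\s+\S+=\((.*?)\)\s*(NOPASSWD:)?\s*(.+?)\s*$")


def nopasswd_commands(sudoers_line):
    """Return the command specs a rule lets the user run without a password."""
    m = SUDO_RE.match(sudoers_line)
    if not m or not m.group(3):
        return []
    return [c.strip() for c in m.group(4).split(",") if c.strip()]


def writable_by_others(path):
    """True if the group or world write bit is set, so a non-owner can change the file."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def is_text_file(path):
    """Skip binaries (e.g. the interpreter named in the rule); they are not parsed."""
    with open(path, "rb") as fh:
        return b"\0" not in fh.read(2048)


def referenced_paths(script_path):
    """Absolute paths mentioned in a text script (static read only, nothing is executed)."""
    if not is_text_file(script_path):
        return []
    with open(script_path, encoding="utf-8", errors="replace") as fh:
        return sorted(set(PATH_RE.findall(fh.read())))


def audit_rule(sudoers_line):
    """List every file in the rule's script chain that a non-owner could modify.

    Any writable file in that chain means a low-privileged user can run code as root.
    """
    findings = []
    for cmd in nopasswd_commands(sudoers_line):
        scripts = [tok for tok in cmd.split() if os.path.isfile(tok)]
        for script in scripts:
            for path in [script] + referenced_paths(script):
                if os.path.isfile(path) and writable_by_others(path) and path not in findings:
                    findings.append(path)
    return findings


def build_demo():
    """Constructed layout mirroring the writeup: a root-run backup.pl that calls a
    copy.sh which anyone can overwrite. Returns (rule, copy_sh_path, backup_pl_path)."""
    root = tempfile.mkdtemp(prefix="sudoaudit_")
    copy_sh = os.path.join(root, "copy.sh")
    backup_pl = os.path.join(root, "backup.pl")
    with open(copy_sh, "w") as fh:
        fh.write("#!/bin/bash\n# placeholder body; its contents do not matter to the audit\n")
    os.chmod(copy_sh, 0o777)      # the misconfiguration: world-writable helper
    with open(backup_pl, "w") as fh:
        fh.write('system("%s");\n' % copy_sh)
    os.chmod(backup_pl, 0o755)    # the wrapper itself is correctly protected
    rule = "www-data ALL=(ALL) NOPASSWD: /usr/bin/perl %s" % backup_pl
    return rule, copy_sh, backup_pl


if __name__ == "__main__":
    rule, copy_sh, backup_pl = build_demo()
    for hit in audit_rule(rule):
        print("reachable via sudo and writable by non-owner:", hit)
```

Run against a real host you administer, feed `audit_rule` each line of `sudo -l` or `/etc/sudoers` output; the fix for any hit is to make the helper root-owned and mode 0755 (or drop the NOPASSWD rule), since a correctly permissioned wrapper does nothing to protect a writable file it calls.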
Looks like it worked! And after this it was easy to navigate to the root flag:
I never did anything with those mysql logins I found. If anyone figured out what those were for, let me know.