[THM] : Hacker Vs Hacker Walkthrough

Suvam Adhikari
4 min read · Jan 31, 2023

Initial Recon

# Nmap 7.92 scan initiated Tue Jan 31 19:54:16 2023 as: nmap -sV -sC -v -T4 -oN nmap.txt 10.10.235.249
Nmap scan report for 10.10.235.249
Host is up (0.21s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 9f:a6:01:53:92:3a:1d:ba:d7:18:18:5c:0d:8e:92:2c (RSA)
| 256 4b:60:dc:fb:92:a8:6f:fc:74:53:64:c1:8c:bd:de:7c (ECDSA)
|_ 256 83:d4:9c:d0:90:36:ce:83:f7:c7:53:30:28:df:c3:d5 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: RecruitSec: Industry Leading Infosec Recruitment
|_http-favicon: Unknown favicon MD5: DD1493059959BA895A46C026C39C36EF
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan 31 19:54:54 2023 -- 1 IP address (1 host up) scanned in 38.02 seconds

In this box we walk through a machine that has already been hacked. The application running on port 80 has a CV upload field, but when I tried uploading any file I got the following error.

It seems the attacker had uploaded a shell through this endpoint. Content discovery turned up the following directories and files.

.htaccess [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 350ms]
.htpasswd.php [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 3615ms]
.htpasswd [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 4622ms]
.htaccess.php [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 4623ms]
css [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 252ms]
cvs [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 250ms]
dist [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 251ms]
images [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 195ms]
server-status [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 179ms]
upload.php [Status: 200, Size: 552, Words: 67, Lines: 19, Duration: 178ms]
:: Progress: [40938/40938] :: Job [1/1] :: 222 req/sec :: Duration: [0:03:45] :: Errors: 0 ::

I ran content discovery again on the cvs/ directory with the .pdf.php extension and found shell.pdf.php: the attacker had used a common extension-filter bypass, a double extension whose last segment is still handled as PHP.
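The name shell.pdf.php gets past any filter that only checks whether ".pdf" appears somewhere in the filename. The following is an added example, not the room's upload.php: an assumed weak substring check beside a stricter one that validates only a plain base name, requires the last extension to be allow-listed, and rejects any dot-separated segment a handler might execute (Apache's mod_mime evaluates every extension segment, so with AddHandler a name like x.php.pdf can still be run as PHP). It also sniffs the content and replaces the client's name with a server-chosen one under an assumed directory outside the web root.

```python
"""Upload name validation: a weak substring check beside a hardened check.

Added example for this walkthrough; it is not the room's upload.php. The weak
check is an assumed illustration of a common filter, included to show why a
name such as shell.pdf.php gets through it; the strict check, the content
sniff and the server-chosen storage name are the defensive counterpart.
"""
import re
import secrets

ALLOWED_EXTENSIONS = {"pdf"}              # what the CV upload is meant to accept

# Extension segments that typical Apache/PHP configurations can hand to an
# interpreter or treat specially wherever they appear in a name (assumed list;
# match it to the handlers actually configured on the server).
DANGEROUS_SEGMENTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
                      "phps", "htaccess", "htpasswd", "cgi", "pl", "py", "sh"}

# Assumed storage location outside the web root, so nothing stored is servable as code.
UPLOAD_DIR = "/var/lib/recruitsec/cvs"

def weak_is_allowed(filename):
    """Assumed weak filter: passes if '.pdf' appears anywhere in the name."""
    return ".pdf" in filename.lower()

def strict_is_allowed(filename):
    """Accept only a plain base name whose LAST extension is allow-listed and
    none of whose dot-separated segments is something a handler might run."""
    if not filename or len(filename) > 255:
        return False
    if re.search(r"[\x00-\x1f/\\]", filename):      # path separators, NUL, control chars
        return False
    segments = filename.lower().split(".")
    if len(segments) < 2 or segments[0] == "" or segments[-1] == "":
        return False                                # no extension, dotfile, trailing dot
    if segments[-1] not in ALLOWED_EXTENSIONS:
        return False
    return not any(seg in DANGEROUS_SEGMENTS for seg in segments)

def looks_like_pdf(data):
    """Content check independent of the name: PDF files start with '%PDF-'."""
    return data[:5] == b"%PDF-"

def server_side_name(filename):
    """Discard the client's name entirely; keep only the validated extension."""
    if not strict_is_allowed(filename):
        raise ValueError("rejected filename")
    ext = filename.lower().rsplit(".", 1)[1]
    return f"{secrets.token_hex(16)}.{ext}"

def accept_upload(filename, data):
    """Return the path a validated upload would be stored at, or None if rejected."""
    if not strict_is_allowed(filename) or not looks_like_pdf(data):
        return None
    return f"{UPLOAD_DIR}/{server_side_name(filename)}"

if __name__ == "__main__":
    # Constructed inputs: the name found in cvs/ during the walkthrough and benign names.
    for name in ("shell.pdf.php", "shell.php.pdf", "john.doe.pdf", ".htaccess"):
        print(f"{name:15} weak={weak_is_allowed(name)!s:5} strict={strict_is_allowed(name)}")
```

The allow-list on the last extension alone would already reject shell.pdf.php; the extra any-segment rule is what also catches the reversed form, and the content sniff plus random storage name mean that even a name that passes cannot carry an attacker-chosen path or be requested back as code.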

I downloaded a reverse shell onto the remote box using wget and obtained a shell as www-data.

After looking through the files on the remote server, I found a .bash_history file in lachlan's home directory that contained the SSH credential.

I tried logging in as lachlan, but something kept disconnecting the session.

The attacker had edited /etc/cron.d/persistence. We can see there is a cron job that writes to every /dev/pts session and kills it. Every binary is invoked by absolute path except the pkill command.

$ cat /etc/cron.d/persistence
PATH=/home/lachlan/bin:/bin:/usr/bin
# * * * * * root backup.sh
* * * * * root /bin/sleep 1 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 11 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 21 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 31 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 41 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 51 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done

So I bypassed the cron job by running /bin/bash directly as the SSH command: a command passed to ssh runs without a pty, so no /dev/pts entry is allocated for the job to kill.

ssh lachlan@10.10.134.249 /bin/bash

As we can see, the PATH variable in /etc/cron.d/persistence starts with /home/lachlan/bin, so a file named pkill placed in that directory is what the root cron job executes, letting us run any command as root.
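From the defender's side, this persistence file combines two tells: a cron PATH that starts with a user-writable directory, and a job that calls one command by bare name so it resolves through that PATH as root. The following is an added example, not code from the room or the post: a small audit that parses /etc/cron.d-style files, flags non-standard PATH entries against an assumed allow-list, and lists every command a job invokes without an absolute path. SAMPLE_CRON reproduces the file shown above; CLEAN_CRON is a constructed comparison; audit_directory() can be pointed at a real /etc/cron.d.

```python
"""Audit cron.d files for the PATH-hijack pattern seen in /etc/cron.d/persistence.

Added example for this walkthrough; it is not code from the room or the post.
It flags PATH entries outside an assumed allow-list and every command a job
invokes by bare name, since such a name is resolved through that PATH when
cron runs the job as root.
"""
import os
import re

# Directories a root cron PATH may legitimately contain (assumed allow-list;
# extend it for the distribution you audit).
TRUSTED_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin",
                "/usr/local/bin", "/usr/local/sbin"}

# Two of the six job lines from the file shown above are enough to demonstrate.
SAMPLE_CRON = """\
PATH=/home/lachlan/bin:/bin:/usr/bin
# * * * * * root backup.sh
* * * * * root /bin/sleep 1 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 11 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
"""

# Constructed comparison: absolute pkill and a standard PATH.
CLEAN_CRON = """\
PATH=/bin:/usr/bin
0 3 * * * root /usr/bin/pkill -9 -t pts/0
"""

def parse_cron_d(text):
    """Return (path_dirs, jobs); jobs is a list of (user, command) tuples."""
    path_dirs, jobs = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("PATH="):
            path_dirs = [d for d in line[5:].split(":") if d]
            continue
        # /etc/cron.d format: five time fields, a user name, then the command.
        fields = line.split(None, 6)
        if len(fields) == 7:
            jobs.append((fields[5], fields[6]))
    return path_dirs, jobs

_OPERATORS = {"&&", "||", ";", "|"}
_KEYWORDS = {"do", "then", "else", "done", "fi"}
_REDIRECTS = {">", ">>", "<", "2>"}

def bare_commands(command):
    """Names in command position that lack a leading '/'.

    A shell-aware walk rather than a full parser: it understands &&, ||, ;, |,
    backtick substitutions, for/do/done and simple redirections, which covers
    cron one-liners like the ones above ($(...) is not handled).
    """
    found = []

    def check_subst(m):
        found.extend(bare_commands(m.group(1)))   # backtick body is its own command list
        return "__SUBST__"

    outer = re.sub(r"`([^`]*)`", check_subst, command)
    tokens = re.findall(r"&&|\|\||[;|]|[^\s;|&]+", outer)
    expect_cmd, skip_next, in_for_list = True, False, False
    for tok in tokens:
        if skip_next:                 # the word after a redirection is a file
            skip_next = False
        elif tok in _OPERATORS:
            expect_cmd, in_for_list = True, False
        elif tok in _REDIRECTS:
            skip_next = True
        elif tok in _KEYWORDS:
            expect_cmd = True
        elif in_for_list:             # words of 'for f in a b c' are data
            pass
        elif tok == "for":
            in_for_list = True
        elif expect_cmd:
            if not tok.startswith("/") and "=" not in tok:   # skip VAR=value prefixes
                found.append(tok)
            expect_cmd = False
    return found

def audit(text):
    """Return human-readable findings for one cron.d file (empty if clean)."""
    path_dirs, jobs = parse_cron_d(text)
    untrusted = [d for d in path_dirs if d not in TRUSTED_DIRS]
    findings = [f"PATH contains non-standard directory {d}" for d in untrusted]
    for user, cmd in jobs:
        for name in bare_commands(cmd):
            hint = f" (resolved through {untrusted[0]} first)" if untrusted else ""
            findings.append(f"job for {user} runs '{name}' by bare name{hint}")
    return findings

def audit_directory(directory="/etc/cron.d"):
    """Audit every regular file in a real cron.d directory; returns {path: findings}."""
    results = {}
    if os.path.isdir(directory):
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            if os.path.isfile(path):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    results[path] = audit(fh.read())
    return results

if __name__ == "__main__":
    for finding in audit(SAMPLE_CRON):
        print("SAMPLE:", finding)
    for path, findings in audit_directory().items():
        for finding in findings:
            print(f"{path}: {finding}")
```

On a real host the PATH finding should be paired with a permission check on the flagged directory (ownership and write bits); the sample here is audited offline, so that step is left to audit_directory's caller.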

Then I checked the /root directory, which was readable by everyone. This gave the root flag for the challenge.
