THM writeup: d3bugger

OSCP-like machine for beginners

Earlier this week, I developed another machine at Try Hack Me. The machine is very OSCP-like and beginner friendly. You can find it here:

https://tryhackme.com/jr/d3bugger

Getting a shell

A simple Nmap scan shows that there are a few ports open. However, all webserver ports except 8081 is 403 forbidden. According to the scan, port 8081 has an Atutor installation.

The Atutor version is 2.2.1. However, the application is not yet installed, as the requirements are not met. Attempting to install the installation will not work. There are, however, several entries for ATutor in the Exploit Database. Maybe there is another way to get a shell?

Gobuster reveals a /debug directory. As the machine’s name is d3bugger, this might give a hint that there is something else worth looking at.

The /debug dirctory shows a Utility Belt installation where it is possible to run PHP code. There is also a Metasploit module for this specific application listed here: https://www.exploit-db.com/exploits/39554. However, entering the payload manually is straight-forward, as shown in the image above. This will execute a reverse shell and connect back to the attacker machine at port 80.

Open a netcat listener before running the PHP code. The connection was received on port 80 and the attacker spawned a new TTY.

The first flag can be found in the /home/billy directory as flag_1.txt.

Privilege escalation

Wget is listed as a SUID binary. This will allow any user on the system to execute wget with root privileges. There are numerous ways to misuse this. However, a common method is overwrite the existing /etc/passwd file with a new user, which has root privleges.

Create the new user’s password by using openssl. Create the new passwd entry string, as shown above. This can be inserted into the new /etc/passwd file before overwriting the existing file.

Copy the /etc/passwd file on the targeted system. Use any text editor and insert the contents locally on your system. VIM is preferred 😉 Insert the new passwd entry that you just created. Save the file.

Now that wget is running as root, the attacker can overwrite the existing passwd file with the new file that was just created. This will allow the user toxic to log on as root with the password password123. Host the file locally on your attacking machine using Python’s http server.

Use wget to transfer the new passwd file. Overwrite it to /etc/passwd using the -O flag, as shown in the image above. The attacker can now successfully log on as toxic and get a root shell.