TryHackMe: Olympus

We begin with SQL injection, then find another domain and gain a reverse shell from a webshell. After that, we look for SUID binaries for privilege escalation and find an interesting file belonging to Zeus's group.

Reconnaissance

The Nmap scan shows 2 open ports.

  • 22/SSH
  • 80/HTTP

Look at the message from http-title. By default http-title requests /, but it is redirected to http://olympus.thm, so we need to add this domain to our hosts file first.

Then let's take a look at the web.

We got a message. It basically says that the current website is under development, but an old version of the website is still accessible on this domain. So let's try to enumerate the directories.

Enumerating with feroxbuster and the common.txt wordlist from SecLists, I discovered a route named "~webmaster". Let's check it.

Victor's CMS? I then searched Google for any vulnerability in this CMS and found this on Exploit-DB.

SQL Injection

The PoC basically says there is SQL injection in the search feature, so let's intercept the request and run sqlmap.

Send it to Repeater and save the request to a file.

Then run sqlmap with the request file.

Notice that flag table? Let's check it first; I think it might contain our first flag.
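
An added example, not code from the original write-up or from the CMS: a search handler that concatenates user input, beside its parameterized form, modelled in Python with an in-memory SQLite database. The table names, columns and flag value are constructed for illustration.

```python
import sqlite3

def build_db():
    """Constructed stand-in for the CMS database (table and column names are assumptions)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE posts (title TEXT, body TEXT);
        CREATE TABLE flag  (flag TEXT);
        INSERT INTO posts VALUES ('Welcome', 'Site under development');
        INSERT INTO posts VALUES ('Changelog', 'Old version still online');
        INSERT INTO flag  VALUES ('flag{constructed-example}');
    """)
    return db

def search_vulnerable(db, term):
    # User input is concatenated into the statement, so a quote in `term`
    # changes the structure of the query instead of being treated as data.
    sql = "SELECT title, body FROM posts WHERE title LIKE '%" + term + "%'"
    return db.execute(sql).fetchall()

def search_parameterized(db, term):
    # The driver binds `term` as a value; it can never become SQL syntax.
    sql = "SELECT title, body FROM posts WHERE title LIKE ?"
    return db.execute(sql, ("%" + term + "%",)).fetchall()

# Constructed input of the kind an automated scanner submits to a search box.
INJECTED = "zzz' UNION SELECT flag, 'x' FROM flag -- "

if __name__ == "__main__":
    db = build_db()
    print("vulnerable   :", search_vulnerable(db, INJECTED))     # leaks the flag table
    print("parameterized:", search_parameterized(db, INJECTED))  # no rows match
    print("normal search:", search_parameterized(db, "Wel"))     # still works
```

With the bound parameter the injected string is only ever compared against post titles, so the other tables in the database stay out of reach of the search feature.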

Since root is the user with the Admin role, I tried to crack his password first, but it took too long, so I gave up and tried Zeus's password, with the same result as root: it took too long. Then I tried Prometheus and got the password.

Using the credentials to log in, I got in.

Arbitrary File Upload

Then I searched for another vulnerability, to see whether there was one for the admin dashboard, and found this on Exploit-DB.

It basically says we can create a user and upload a webshell here.

But after I submitted it and accessed the image route as specified in the Exploit-DB PoC, I got a forbidden route error.

Then I looked at View All User and found an interesting email.

I think it's another domain, so let's add it to our hosts file first. Accessing the web page, we find a new login page, and we can log in as Prometheus with the same credentials as before.

This is a chat app, showing a chat between Prometheus and Zeus. They are chatting about the upload feature. From this we get a hint that there is an uploads folder, and that the files we upload are renamed, so we must discover our file's name before we can access it. But how?

After that I got stuck for some time, then remembered that we found a table named chats in the olympus database. Let's upload our webshell first and check for it in the database.

Copy the file name and access it on the /uploads route. It works!

Shell as WWW-Data

We can gain a reverse shell from here. First set up your netcat listener and put the payload below in the URL.

Our second flag is in Zeus's home directory.

After that I searched for SUID files and found an unusual binary.

We have Zeus's privileges when running this binary. I tried running the cputils command and discovered that it copies files, and because we have Zeus's privileges, we can try to read Zeus's SSH private key.
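
From the defender's side, the cputils finding is what a set-id audit should surface. This added example (not part of the original write-up) flags SUID/SGID files missing from a baseline and SUID files owned by a non-root user; the baseline, the sample records and the cputils path are constructed placeholders.

```python
import os
import stat

# Assumed baseline: set-id files the administrator expects (example paths).
BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su"}

def classify(path, mode, uid, baseline=BASELINE):
    """Return a finding string for a risky file, or None if nothing stands out."""
    if not stat.S_ISREG(mode):
        return None
    if not mode & (stat.S_ISUID | stat.S_ISGID):
        return None
    if path in baseline:
        return None
    if mode & stat.S_ISUID and uid != 0:
        # Runs with a regular user's identity: anyone allowed to execute it
        # acts on files as that user (the cputils situation).
        return f"SUID owned by non-root uid {uid}: {path}"
    return f"set-id file not in baseline: {path}"

def scan(root, baseline=BASELINE):
    """Walk `root` without following symlinks and collect findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or is unreadable; skip it
            finding = classify(path, st.st_mode, st.st_uid, baseline)
            if finding:
                findings.append(finding)
    return sorted(findings)

# Constructed records: (path, mode, owner uid). The cputils path is a placeholder.
SAMPLE = [
    ("/usr/bin/passwd", 0o104755, 0),
    ("/placeholder/bin/cputils", 0o104755, 1000),
    ("/usr/local/bin/helper", 0o104755, 0),
    ("/usr/bin/ls", 0o100755, 0),
]

def audit_sample():
    return [f for f in (classify(p, m, u) for p, m, u in SAMPLE) if f]

if __name__ == "__main__":
    print("\n".join(audit_sample()))
    # scan("/") applies the same check to a live host.
```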

Grab it to our local machine and try to use it to log in over SSH as Zeus.

Shell as Zeus

It needs a passphrase, so we need to crack it using john first.

After logging in, I tried to find files belonging to Zeus's group and found this interesting file.

When I tried to access the route in the browser I got a not found error; I think it's only accessible on the local network.

Then I tried to curl it from the target shell and it works! It looks like a form post.

Port Forwarding

Let's forward it to our local machine; we can use SSH here.

Let's visit the route from before.

We need a password. Since I can access the PHP file, I tried reading it first and found a hard-coded password there.

Use the password to log in.

Shell as Root

I think we can gain a reverse shell from here, and I think we just need to put our IP and listening port in the URL.

Got it. The root flag is in the /root directory and the bonus flag is in the /etc directory.