TryHackMe: VulnNet: Endgame

Begin with the given static web, enumerate subdomains and find more of them, gain the admin CMS credentials using sqlmap, upload a reverse shell to the CMS to gain a shell, then decrypt the .mozilla folder to gain another user's shell.

Reconnaissance

The Nmap scan returned 2 open ports:

  • 22/SSH
  • 80/HTTP

Accessing the web on port 80 shows a domain name, so let's add this domain to our hosts file.

Accessing the web again, there is no useful information on it.

Since the challenge description mentions that enumeration is the key, I enumerated the web directories and found nothing; then I enumerated subdomains and found several.

Let's add those subdomains to our hosts file as well.

On shop.vulnnet.thm there is no useful information. I tried every available link on the site and found nothing, and I tried to enumerate the directories and still found nothing useful.

Checking api.vulnnet.thm just throws a message that the API is up; it might be useful later.

Next is blog.vulnnet.thm, which renders blog posts.

While looking at the network requests made when a post is rendered, I noticed something interesting: it fetches the post from an API on api.vulnnet.thm. I tried to access that API endpoint directly and it works.

After spending some time on this, I tried changing the ID to "1 --" and the response still reflected the post, so I think it's SQL Injection.

SQL Injection

I tried to put a sleep() function in the ID and it works: the response was delayed by the sleep.
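The root cause behind the "1 --" behaviour, shown as an added example (not code from the post or from the VulnNet box): the post-by-ID lookup with the ID spliced into the SQL text beside a hardened version that validates and binds it. The table is a constructed SQLite stand-in; the real target used MySQL, which is why sleep() worked there, but the "1 --" payload behaves the same way here.

```python
import sqlite3

# Constructed stand-in for the blog API's post table.
POSTS = [(1, "Welcome", "first post"), (2, "Roadmap", "second post")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", POSTS)
    return conn


def get_post_vulnerable(conn: sqlite3.Connection, post_id: str) -> list:
    # The id parameter is spliced straight into the SQL text, so "1 --" turns
    # the rest of the statement into a comment and the query still succeeds:
    # that is the "reflected" behaviour the writeup used to spot the injection.
    return conn.execute(f"SELECT id, title FROM posts WHERE id = {post_id}").fetchall()


def get_post_hardened(conn: sqlite3.Connection, post_id: str) -> list:
    # Validate the type first, then bind the value as a parameter so user
    # input can never change the shape of the statement.
    if not post_id.isdigit():
        raise ValueError(f"post id must be numeric, got {post_id!r}")
    return conn.execute(
        "SELECT id, title FROM posts WHERE id = ?", (int(post_id),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(get_post_vulnerable(db, "1 --"))  # injection succeeds, post 1 comes back
    try:
        get_post_hardened(db, "1 --")
    except ValueError as exc:
        print("rejected:", exc)
```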

Then I grabbed the URL and ran sqlmap against it.

There are 3 databases available; let's check vn_admin first.

be_users is the interesting table; let's check its columns.

Let's dump it.

Then grab the hash and run john to crack it. While waiting for john to complete, I checked another domain, admin1.vulnnet.thm. It tells us that the management panel is up, so I enumerated its directories and found a CMS login page.

I guess we need chris_w's credentials to log in to it. But john had been running for some time and still had not found the password, so I gave up on that and enumerated another database instead.

It's a long list. I don't think these are actual credentials, but it might contain chris's password, so let's dump it to a CSV file.

Got it. I then used the credentials to log in to the TYPO3 CMS and got in.

On the file list I tried to upload a PHP script to gain a reverse shell, but files with the PHP extension are not allowed.

But we can change the CMS configuration to allow the PHP extension.

Then go back to the file list, upload it again, and it works!

Shell as www-data

Access the file at "http://admin1.vulnnet.thm/fileadmin/user_upload/pentest_monkey.php", and don't forget to set up a netcat listener first.

Moving to the home folder, there is a home directory named system.

Inside it is our user flag. The .mozilla directory is interesting, because on CTFs we can usually recover credentials from it.

Let's zip it and grab it to our local machine.

Then I extracted it and found 3 user profile directories, but in profiles.ini there was no entry for the "2fjnrwth.default-release" profile, so I added one.
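The profiles.ini check from the step above, as an added example that is not from the post: list the profiles Firefox knows about, spot a profile directory that profiles.ini does not reference (the situation the writeup ran into), and append the missing [ProfileN] stanza. The ini text and directory listing are constructed; "2fjnrwth.default-release" is the name from the writeup, the other two directory names are made up.

```python
import configparser
import re

# Constructed profiles.ini in the shape Firefox writes it.
PROFILES_INI = """[Profile1]
Name=default
IsRelative=1
Path=k3x9abcd.default

[Profile0]
Name=default-release
IsRelative=1
Path=q7w2efgh.default-release
Default=1

[General]
StartWithLastProfile=1
Version=2
"""
# Constructed listing of the .mozilla/firefox directory.
DIRS_ON_DISK = ["k3x9abcd.default", "q7w2efgh.default-release", "2fjnrwth.default-release"]


def load_profiles(ini_text: str) -> dict:
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep key case exactly as Firefox writes it
    cp.read_string(ini_text)
    return {s: dict(cp[s]) for s in cp.sections() if re.fullmatch(r"Profile\d+", s)}


def unregistered_profile_dirs(ini_text: str, dirs: list) -> list:
    # A profile directory that profiles.ini does not reference is invisible to
    # Firefox and to decryptor scripts that walk profiles.ini to find logins.
    registered = {p.get("Path") for p in load_profiles(ini_text).values()}
    return sorted(d for d in dirs if "." in d and d not in registered)


def register_profile(ini_text: str, path: str) -> str:
    # Append a new [ProfileN] stanza using the next free index.
    used = [int(s[len("Profile"):]) for s in load_profiles(ini_text)]
    n = max(used, default=-1) + 1
    name = path.split(".", 1)[1]  # "2fjnrwth.default-release" -> "default-release"
    stanza = f"\n[Profile{n}]\nName={name}\nIsRelative=1\nPath={path}\n"
    return ini_text.rstrip("\n") + "\n" + stanza
```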

Then download a Firefox password decryptor, cd into it, run the script against the profile, and we get the password.

Shell as system

Use the password from Firefox to log in with SSH as system.

I ran linpeas and found nothing useful, then searched for SUID binaries manually using find and found nothing, then I searched for file capabilities and found something interesting.

After playing around with it, I found that we can read and write any file.
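The capability hunt above from the administrator's side, as an added example that is not from the post: parse the output of getcap -r / (both the older "path = caps" and the newer "path caps" line formats) and flag binaries whose effective or permitted set contains a capability that bypasses file permissions or changes identity. The sample lines are constructed and /opt/example/tool is a placeholder path; the writeup does not name the binary or capability it found.

```python
import re

# Capabilities that let a binary bypass DAC or change identity; any of these on
# a binary a low-privileged user can run is a privilege escalation path.
DANGEROUS = {
    "cap_dac_override",      # bypass file read/write/execute permission checks
    "cap_dac_read_search",   # bypass file read permission checks
    "cap_chown", "cap_fowner",   # take over / modify ownership of any file
    "cap_setuid", "cap_setgid",  # switch to any uid/gid
    "cap_sys_admin", "cap_sys_module", "cap_sys_ptrace",
}

CLAUSE = re.compile(r"^([\w,]+)([+=])([eip]*)$")


def parse_getcap_line(line: str):
    # Older libcap prints "/path = cap_x+ep", newer libcap "/path cap_x=ep".
    line = line.strip()
    if " = " in line:
        path, text = line.split(" = ", 1)
    else:
        path, _, text = line.partition(" ")
    caps = {}
    for clause in text.split():
        m = CLAUSE.match(clause)
        if m:
            names, _, flags = m.groups()
            for name in names.split(","):
                caps[name] = set(flags)
    return path, caps


def audit_capabilities(lines):
    # (path, [dangerous caps]) for every file whose dangerous caps are
    # effective or permitted; inheritable-only caps are not reported.
    findings = []
    for line in lines:
        if not line.strip():
            continue
        path, caps = parse_getcap_line(line)
        bad = sorted(c for c, f in caps.items() if c in DANGEROUS and f & {"e", "p"})
        if bad:
            findings.append((path, bad))
    return findings


# Constructed sample in both output formats; only the last two should be flagged.
SAMPLE = """/usr/bin/ping cap_net_raw=ep
/usr/bin/python3.8 = cap_setuid+ep
/opt/example/tool cap_dac_override,cap_chown=ep
"""
```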

Shell as root

So we can escalate privileges by making root's password the same as system's password: read /etc/shadow, then overwrite root's hash with system's hash.

Save that to a file (in my case I named it shadow) and don't forget to overwrite the root hash with the system hash. Then overwrite /etc/shadow with our file.

Then change user to root using system's password.
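How a defender would spot exactly this tampering, as an added example that is not from the post: compare a baseline copy of /etc/shadow with the current one and report two signs of a raw file overwrite, two accounts sharing an identical salted hash (passwd always generates a fresh salt, so a byte-identical hash means a copy) and a hash that changed while the "last changed" day field stayed the same (passwd updates that field, a file write does not). Both shadow snippets are constructed with placeholder hashes.

```python
from dataclasses import dataclass


@dataclass
class ShadowEntry:
    user: str
    hash: str
    lastchg: str  # days since 1970-01-01 of the last password change


def parse_shadow(text: str) -> dict:
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or line.startswith("#"):
            continue
        entries[fields[0]] = ShadowEntry(fields[0], fields[1], fields[2])
    return entries


def audit_shadow(baseline: str, current: str) -> list:
    old, new = parse_shadow(baseline), parse_shadow(current)
    findings = []
    # 1. Identical non-empty hash on two accounts (locked "*"/"!" entries skipped).
    by_hash = {}
    for e in new.values():
        if e.hash and e.hash[0] not in "*!":
            by_hash.setdefault(e.hash, []).append(e.user)
    for users in by_hash.values():
        if len(users) > 1:
            findings.append(f"identical hash shared by {','.join(sorted(users))}")
    # 2. Hash changed but the last-change day did not: not done through passwd.
    for name, e in new.items():
        o = old.get(name)
        if o and o.hash != e.hash and o.lastchg == e.lastchg:
            findings.append(f"{name}: hash changed without lastchg update")
    return findings


# Constructed snapshots: root's hash has been replaced by system's hash.
BASELINE = """root:$6$saltroot$ROOTHASH:19000:0:99999:7:::
daemon:*:18000:0:99999:7:::
system:$6$saltsys$SYSHASH:19100:0:99999:7:::
"""
CURRENT = """root:$6$saltsys$SYSHASH:19000:0:99999:7:::
daemon:*:18000:0:99999:7:::
system:$6$saltsys$SYSHASH:19100:0:99999:7:::
"""
```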
