Bookstore Write-Up (TryHackMe)
A beginner-level box with basic web enumeration and REST API fuzzing. This room was created by sidchn.
I started my enumeration phase with Nmap to learn more about the host and the services running on its ports.
- -sC: equivalent to --script=default
- -sV: probe open ports to determine service/version info
- -p-: scan all 65535 ports
SSH is on port 22, and there are two web servers, on ports 80 and 5000.
- The web server on port 80 runs Apache 2.4.29.
- The web server on port 5000 runs Werkzeug 0.14.1 with Python 3.6.
- On the Werkzeug web server, there are /robots.txt and /api.
As I didn't know much about Werkzeug 0.14.1, I did a few searches and found that there is an RCE which can (maybe) be exploited: https://www.rapid7.com/db/modules/exploit/multi/http/werkzeug_debug_rce/
After that, I tried to access the website on port 80 with my browser.
Then, I found a login page.
I displayed the source code and found something a little interesting…
Still Working on this page will add the backend support soon, also the debugger pin is inside sid’s bash history file
So, apparently, we have a user (sid) and the PIN is inside .bash_history.
Maybe we'll be able to read this file via an LFI.
The debugger? That reminds me of the exploit I found earlier.
The next thing for me was to access the web server on port 5000 with my browser.
Let’s enumerate the web servers with gobuster.
Port 80:
- dir: directory enumeration mode
- -u: the URL to enumerate
- -w: the wordlist to use
- -x: the file extensions you want to find
I tried all these directories and found nothing except a cipher in the page source of /books. To decode it: base32 -> hex -> plaintext. Just a rabbit hole.
Port 5000:
Console locked. WE NEED THE PIN!
Local File Inclusion
The API exposes a lot of parameters, which made me think there was a Local File Inclusion vulnerability. Maybe we can use this vulnerability to read the bash history file and find the PIN.
So, I tried with the id parameter.
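As an added illustration (not code from the room or from this write-up), here is the shape such an LFI bug usually takes in a Python API handler, next to a hardened version that requires the resolved path to stay under its base directory, plus a small check a defender can run over request parameters; the base directory and function names are assumptions.

```python
from pathlib import Path
from typing import Optional

# Constructed example, not the room's code: the base directory is assumed.
BASE_DIR = Path("/srv/app/books")


def unsafe_file_path(param: str, base: Path = BASE_DIR) -> str:
    """Vulnerable: the request parameter is joined straight into a path.

    Nothing stops a value such as "../../home/sid/.bash_history" (or an
    absolute path) from leaving the base directory.
    """
    return str((base / param).resolve())


def safe_file_path(param: str, base: Path = BASE_DIR) -> Optional[str]:
    """Hardened: resolve the candidate, then require it to stay under base.

    Returns None for any traversal or absolute-path attempt; a real handler
    should answer 404 and log the rejected value so the probe is detectable.
    """
    root = base.resolve()
    candidate = (root / param).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return str(candidate)


def is_traversal_attempt(param: str) -> bool:
    """Detection helper: flag the patterns an LFI probe usually carries."""
    lowered = param.lower()
    return (
        ".." in lowered
        or lowered.startswith("/")
        or "%2e%2e" in lowered
        or "%2f" in lowered
    )


if __name__ == "__main__":
    for value in ("book1.txt", "../../home/sid/.bash_history", "/etc/passwd"):
        print(f"{value!r}: unsafe={unsafe_file_path(value)} "
              f"safe={safe_file_path(value)} probe={is_traversal_attempt(value)}")
```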
I tried a lot of different payloads without success.
Remember the introduction text of the room?
A Beginner level box with basic web enumeration and REST API Fuzzing.
So, I had the idea to replace v1 with v2 (because v1 may be unpatched) and fuzz the parameter name.
- -u: the URL to fuzz
- -w: the wordlist to use
- --hc: hide responses with the specified status code
Yeah! We found the parameter!
I went to /console and entered the PIN.
I immediately tried to get a reverse shell. Reverse Shell Cheat Sheet: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
Initial foothold done: we are sid and we have user.txt.
There was a SUID binary here called try-harder.
I started a Python HTTP server on the target to download the binary to my attacking machine, then analyzed it with r2 and found this source code.
- The code checks the user's input against some value.
- We can see that on line 14 there is an XOR operation. We need to know the right value for user_input, so I tried this in a Python interpreter:
I got this result: 1573743953
Thank you for reading this write-up, I hope it helped you.