TryHackMe — Lockdown Write-Up
Lockdown is a CTF Room on TryHackMe with medium difficulty. It has the following description: “Stay at 127.0.0.1. Wear a 255.255.255.0.”
The web application has a SQL Injection flaw, which allowed us to dump the database. By cracking the admin hash it was possible to login into the web app. The administrator interface has an arbitrary file upload vulnerability. We have used this flaw to upload a PHP reverse shell and to gain a shell. We could escalate the privileges to cyrus by reusing the credentials of the admin user of the web app. The cyrus user has permissions to run a script with root privileges, which call ClamAV and copies all malicious files into a folder, which cyrus has access to. Cyrus also has permissions to write into a directory that contains the signatures for ClamAV. With that flaw we could get the /etc/shadow file. We could crack the password of the maxine user, who has permissions to start a interactive root shell.
Starting an Nmap scan will show us that there is SSH running on port 22 and an HTTP Server on port 80:
On port 80 there is a web app running. Opening the root of the web page will redirect us to http://contacttracer.thm/login.php
Change your /etc/hosts file, so you can navigate to that page
After that you will see the following landing page:
If we type in any value for the establishment code, the web app will hit the following endpoint:
It seems like we could test the code parameter for injection attacks. First let’s test for SQL Injections. We can use the tool sqlmap:
sqlmap -u "http://contacttracer.thm/classes/Login.php?f=elogin" --data="code=123"
Sqlmap will identify that the backend database is MySQL and the code parameter is vulnerable to time-based blind SQL injection:
Next we can start enumerating the databases. Please note that this might take a while.
sqlmap -u "http://contacttracer.thm/classes/Login.php?f=elogin" --data="code=123" --dbs
Sqlmap will enumerate 2 databases. One of them is “cts_db”, which does not seem to be a standard one. Next we can start enumerating that database. First let’s try to get the tables:
sqlmap -u "http://contacttracer.thm/classes/Login.php?f=elogin" --data="code=123" -D cts_db --tables
Sqlmap was able to get table names of 8 tables. The most interesting one here is the users table. We can now try to the columns of the table. So later when we dumb the whole table we will only dumb certain columns of interest. This will save us time, because this is a time-based SQL injection.
sqlmap -u "http://contacttracer.thm/classes/Login.php?f=elogin" --data="code=123" -D cts_db -T users --columns
Next we will dump the table users. But only the column username and password.
sqlmap -u "http://contacttracer.thm/classes/Login.php?f=elogin" --data="code=123" -D cts_db -T users -C "username,password" --dump
Sqlmap will be able to retrieve the admin hash and will be able to crack it. I have used the rockyou.txt wordlist. This wordlist can be found at /usr/share/wordlists/rockyou.txt on Kali Linux.
Finally we can log into the web app
We can upload an arbitrary file by setting the web app’s system logo. I have used the PHP Reverse Shell by Pentestmonkey. You will have to change the IP address to your tun0 IP. Then you can upload it in the following settings page:
Next navigate to the landing page and you will receive a reverse shell:
It seems like the user cyrus reuses the admins password: sweetpandemonium
This will give us the user flag:
The user cyrus may run the following script as root:
It uses clamscan to scan a directory for malicious files. If it found one, then it i will copy the file to /home/cyrus/quarantine and give us permission over the file. ClamAV uses signatures to determine if a file is malicious. These signatures are yara rules that are stored somewhere. To find the directory that stores the rules, we can run the following command:
find / -name *clam* 2>/dev/null
One of the interesting directories is /var/lib/clamav.
It contains a signature for the EICAR file inside the cyrus user’s home directory:
I have created the following Yara file:
It will flag all files as malicious, thus copying everything in the directory to the quarantine directory:
Now we can read the flag:
We can also get the files inside the /etc directory. It contains the shadow file, which contains the password hashes of the users:
Now we can crack maxine’s hash with john the ripper:
He has much more privileges and we can get a root shell with these privileges:
All parameters of the web app should be hardened against injection attacks. For that the input must be sanitized. Furthermore the users should have more complex passwords. Also passwords should not be reused. Additionally the user cyrus should not have write privileges for the directory /etc/lib/clamav.