TCM Security: Dev Box Writeup

Abdullah Hamza
8 min read · Mar 4, 2024


Our current task involves gaining root access to a machine named Dev, which is sourced from TCM Security. Despite extensive searches, it appears this machine is exclusive to their offerings and not widely discussed or available elsewhere. It serves as an excellent primer for those new to the field of penetration testing.

Network Integration

Use the ip addr command on the vulnerable machine to find its IP address.

Vulnerable Dev box IP

Ping the target IP from your host machine. In my case the ping is successful, so both machines are on the same network.

Checking Connection

Scanning

Let’s start with an nmap scan. Use the following command to scan the target IP address.

nmap -A -T4 -p- 192.168.102.236

This performs an aggressive and detailed scan on all 65535 TCP ports of the target IP address 192.168.102.236, gathering information on open ports, service versions, operating system details, and running scripts for additional enumeration.

  • nmap initiates the scan.
  • -A enables OS detection, version detection, script scanning, and traceroute; it's an aggressive scan that combines several advanced features.
  • -T4 sets the timing template to 4, which is more aggressive and faster than the default.
  • -p- tells Nmap to scan all 65535 TCP ports on the target host, which is useful for discovering open ports across the entire range.
  • 192.168.102.236 is the target IP address for the scan.

Nmap scan results

NFS

We also found an NFS service running on our target machine. Let’s enumerate the NFS service to see which shares are exported, using the following command:

showmount -e 192.168.102.236

The above command will send a query to the NFS server at the specified target IP address, requesting information about the NFS exports available.

Checking available NFS exports

This output indicates that the /srv/nfs directory is exported by the NFS server at 192.168.102.236 and is accessible to all clients. Let’s create a directory named dev under /mnt with sudo mkdir /mnt/dev.
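As an added defender-side check (not part of the original writeup): a small Python audit that parses showmount -e output like the one above and flags exports that any host may mount, then does the same for /etc/exports lines, also catching no_root_squash. The sample outputs and the /etc/exports lines are constructed for the example.

```python
import re

# Constructed `showmount -e` output modelled on this box's finding (not a real capture)
SHOWMOUNT_OPEN = """Export list for 192.168.102.236:
/srv/nfs *
"""
# Constructed /etc/exports sample: the weak form beside a restricted form
EXPORTS_FILE = """# /etc/exports (constructed sample)
/srv/nfs      *(rw,sync,no_subtree_check,no_root_squash)
/srv/backup   192.168.102.0/24(ro,sync,root_squash)
"""
ANY_HOST = {"*", "(everyone)"}           # client specs that mean "every host"
CLIENT_RE = re.compile(r"(?P<host>\S+?)\((?P<opts>[^)]*)\)")


def parse_showmount(text):
    """Map each export path to its list of client specs from `showmount -e` output."""
    exports = {}
    for line in text.splitlines()[1:]:   # first line is "Export list for ..."
        parts = line.split()
        if len(parts) >= 2:
            exports[parts[0]] = parts[1].split(",")
    return exports


def world_mountable(text):
    """Export paths that any client may mount, per `showmount -e` output."""
    return [path for path, clients in parse_showmount(text).items()
            if ANY_HOST & set(clients)]


def audit_exports_file(text):
    """Return (path, host, [issues]) for each /etc/exports client spec with a weakness."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = CLIENT_RE.fullmatch(spec)
            host = m.group("host") if m else spec     # bare host: NFS defaults (ro, root_squash)
            opts = set(m.group("opts").split(",")) if m else set()
            issues = []
            if host in ANY_HOST:
                issues.append("mountable by any host")
            if "no_root_squash" in opts:
                issues.append("remote root keeps uid 0 on the share")
            if issues:
                findings.append((path, host, issues))
    return findings
```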

Creating dev directory in /mnt

Now, let’s mount the /srv/nfs export with the following command:

sudo mount -t nfs 192.168.102.236:/srv/nfs /mnt/dev

Mounting /srv/nfs

Let’s check what we have got in there. We can do this by changing directory to /mnt/dev and listing files there.

listing files in /mnt/dev

We have a zip file named save.zip. Let’s unzip it with sudo unzip save.zip.

Extracting zip file

Dictionary attack using fcrackzip

The file is password protected. Let’s use fcrackzip to crack it with the following command.

fcrackzip -v -u -D -p /home/ubuntu/Downloads/rockyou.txt save.zip

The above command attempts to crack the password of a zip file named save.zip using a dictionary attack with the rockyou.txt wordlist.

  • fcrackzip is the command to run the fcrackzip tool.
  • -v enables verbose mode, which will provide more detailed output during the execution.
  • -u tells fcrackzip to try unzipping the file once it finds a potential password match.
  • -D specifies that a dictionary attack will be used. This means the tool will attempt to use each line of the provided wordlist as a password.
  • -p /home/ubuntu/Downloads/rockyou.txt sets the path to the dictionary (wordlist) file that will be used for the attack.
  • save.zip is the target zip file whose password fcrackzip will attempt to crack.

Dictionary attack using fcrackzip

We have successfully cracked the password by using fcrackzip dictionary attack. Let’s unzip it again using the cracked password.

Zip file extracted

Upon extracting save.zip we get two files, id_rsa and todo.txt. We can read the text file with cat todo.txt.

Contents of todo.txt file

Let’s restrict the permissions on id_rsa with chmod 600 id_rsa (SSH refuses to use a private key that other users can read).

The text file ends with jp. That could be the username, so let’s try to SSH into the target with jp as the username: ssh -i id_rsa jp@192.168.102.236

Trying ssh with jp as a username

It says permission denied... :/

Examining HTTP services

The scan results show that both port 80 and port 8080 are hosting HTTP services. Let’s open both ports in a web browser and check the content and functionality of the web pages running there.

webpage on port 80
Directory busting on port 8080

The webpage on port 80 shows a Bolt installation error, and the webpage on port 8080 shows information about a PHP server.

Directory Busting

Let’s start directory busting on both URLs to check whether we find something useful, using the following commands.

On port 80:

ffuf -w /home/ubuntu/Downloads/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://192.168.102.236/FUZZ

  • ffuf invokes the ffuf tool.
  • -w /home/ubuntu/Downloads/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ specifies the wordlist to use for fuzzing. The path points to the wordlist file, and :FUZZ tells ffuf where to inject each line from the wordlist into the request.
  • -u http://192.168.102.236/FUZZ specifies the URL to be fuzzed. FUZZ is a placeholder that ffuf replaces with each entry from the wordlist.

Directory busting on port 80

The directory busting results show a directory named app. Let’s check what we have there.

192.168.102.236:80/app

It took us to the index page where the config directory seems useful. Let’s check what we have in there.

192.168.102.236:80/app/config

The config directory contains a couple of files, including config.yml. Interesting... Let’s open config.yml and check it.

config.yml file

The config.yml file contains a username and password that may be useful to us.

On port 8080:

ffuf -w /home/ubuntu/Downloads/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://192.168.102.236:8080/FUZZ

  • ffuf invokes the ffuf tool.
  • -w /home/ubuntu/Downloads/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ specifies the wordlist to use for fuzzing. The path points to the wordlist file, and :FUZZ tells ffuf where to inject each line from the wordlist into the request.
  • -u http://192.168.102.236:8080/FUZZ specifies the URL to be fuzzed. FUZZ is a placeholder that ffuf replaces with each entry from the wordlist.

Directory busting on port 8080

The directory busting results on port 8080 show only two directories, server-status and dev. Let’s visit dev to check what we have there.

Boltwire application on port 8080

We discovered a BoltWire application running on port 8080. There is a register option on the webpage, so let’s register ourselves on the app and log in.

Registering ourself on boltwire
Logged in as test

So, we are logged in as the test user. Let’s search Google for a BoltWire exploit to check whether one is available.

Searching exploit for boltwire

We find an exploit for BoltWire 6.03 on Exploit DB. Let’s open the link and read the description.

The BoltWire app is vulnerable to Local File Inclusion (LFI), which allows an attacker to include files from the server through the web browser. This vulnerability occurs when a web application does not properly sanitize user-supplied input, allowing server-side files to be included in the output delivered to the browser.

Exploit description on exploit DB

Let’s copy the payload from Exploit DB and paste it in our browser.

Payload added in URL

Reading the disclosed information, we can see a home directory for jeanpaul. I think that’s the same jp we saw earlier in todo.txt.

home directory of jp found

Let’s try connecting over SSH with jeanpaul as the username and the password we saw in config.yml.

Attempting SSH with jeanpaul’s username

Booooom!!! We are in. 🙌🏽🙌🏽🙌🏽🙌🏽

Let’s check which commands jeanpaul ran before we broke in. We can do this with the history command.

History of commands

Waooo!! Smart approach!!... jean tried to clear the history before leaving.

Privilege Escalation

Now, let’s check which commands jean is allowed to run with sudo, which shows the sudoers configuration specific to this user. We can do this with the sudo -l command.

results of sudo -l command

The results of sudo -l reveal that the user can execute /usr/bin/zip with elevated privileges. Cool!! Let’s go to GTFOBins and search for privilege escalation with the zip command, as shown in the image below.

Search for zip command as sudo on gtfobins

Type zip in the search bar and click on sudo.

payload for privilege escalation

We have our exploit from GTFOBins. Let’s copy it and try it on our target. Once we get the shell, we can verify it by typing the id command.

The id command in Linux is a utility used to display the user and group information for the current user or a specified user. It shows the user ID (UID), group ID (GID), and the groups to which the user belongs.

Accessed system as root

Boom!!! We have successfully escalated privileges. 🎆🎆
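As an added defender-side check (not part of the original writeup): a Python audit that parses sudo -l output like the one above and flags rules that grant a binary GTFOBins documents as able to spawn a shell under sudo, which is exactly how zip led to root here. The sudo -l text and the watchlist subset are constructed for the example; the names jeanpaul and dev are assumed.

```python
import os
import re

# Constructed `sudo -l` output modelled on this box (not the real capture)
SUDO_L_OUTPUT = """Matching Defaults entries for jeanpaul on dev:
    env_reset, mail_badpass

User jeanpaul may run the following commands on dev:
    (ALL) NOPASSWD: /usr/bin/zip
    (root) /usr/bin/id
"""

# Hand-picked subset of binaries that GTFOBins lists with a sudo shell escape
# (zip is the one this box exposes; extend from the GTFOBins "sudo" category).
SHELL_ESCAPE_BINARIES = {"zip", "vim", "vi", "find", "less", "awk", "tar", "python3", "perl"}

# "(runas) TAG: cmd, cmd" lines; tags such as NOPASSWD: are optional
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>\S.*?)\s*$")


def parse_sudo_l(text):
    """Return one dict per command in the 'may run the following commands' block."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True          # Defaults lines above this marker are skipped
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        tags = set(m.group("tags").replace(":", "").split())
        for cmd in m.group("cmds").split(", "):
            rules.append({"runas": m.group("runas"),
                          "nopasswd": "NOPASSWD" in tags, "command": cmd})
    return rules


def risky_sudo_rules(text):
    """Rules whose binary (or ALL) can hand the user a shell as the run-as user."""
    risky = []
    for r in parse_sudo_l(text):
        name = os.path.basename(r["command"].split()[0])   # binary without path/args
        if r["command"] == "ALL" or name in SHELL_ESCAPE_BINARIES:
            risky.append(r)
    return risky
```

The fix on the box side is to drop the rule or replace it with a wrapper script that runs zip with fixed arguments; any rule flagged here is equivalent to granting a root shell.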

Let’s check /root directory by listing files there.

flag.txt found

We’ve found our desired flag.txt file. Now, to capture the flag, we’ll simply use the cat command.

flag captured

There we go!!! We have our flag... 🎉🎉🎉

CONGRATULATIONS!!!

I would like to express my gratitude to #TCMSecurity for providing such an amazing CTF challenge as part of their Practical Ethical Hacking curriculum.

This walkthrough finishes here. Stay tuned for the next adventure! 🚀😊
