Bypass

Use your defence evasion skills to take control of a secure network. - by 1337rce


Recon

We start with an Nmap scan and discover three open ports: SSH on 22 and an Apache/2.4.41 web server on 80 and 443, each serving a web page. A version and default-script scan adds little: port 80 answers 403 Forbidden, and on 443 we additionally get the certificate details.

Requesting the index page on port 80 only gives a 403 Forbidden, as does every other resource we try there. On port 443 the index page shows a login prompt that expects a password.

If we look at the source, we discover an interesting comment that refers to the endpoint /mail.

On this endpoint, we find a directory listing with the file dump.txt.

The file contains instructions for recovering the password of the login on the index page. The password is split into five flags, one per id, served by /fpassword.php?id=N. Each flag is only handed out after a specially crafted request has been sent to the machine; only then does requesting the resource reveal it. We go through the individual requirements below.

First Login

As already stated, we have to restore parts of the password.

After receiving all the flags, you can visit the MACHINE IP that will ask you for the password. 
The first password will be concatenated values of all five flags you have received above.

cctv.thm/fpassword.php?id=1

Make a UDP request to the machine with source port number 5000. 
Once done, you can fetch the flag through /fpassword.php?id=1

To send a UDP datagram we use nc with -u to select UDP. With -p we set the source port to 5000; the destination port is 5000 as well, and we pipe in some data so that a datagram is actually sent. The Nmap scan above was a TCP scan, so it says nothing about UDP port 5000, and whether the port is open does not matter here: the check only needs to see a datagram arrive with source port 5000. The -w1 makes nc give up after a second instead of waiting for a reply.

echo -n "Crafted packet for password recovery" | nc -u -w1 -p 5000 cctv.thm 5000

After submitting the command, we are able to retrieve the first flag at https://cctv.thm/fpassword.php?id=1.

cctv.thm/fpassword.php?id=2

Make a TCP request to fpassword.php?id=2 with user-agent set as "I am Steve Friend". 
Once done, you can fetch the flag through /fpassword.php?id=2

Here we have to make a TCP request with a special user agent. Since HTTP runs over TCP, a plain HTTP request made with cURL satisfies this; the custom user agent is set with -A. Note that the request goes to fpassword.php, the same resource the flag is read from afterwards.

curl -A "I am Steve Friend" http://cctv.thm/fpassword.php?id=2

After submitting the command, we are able to retrieve the second flag at https://cctv.thm/fpassword.php?id=2.

cctv.thm/fpassword.php?id=3

Send a ping packet to the machine appearing as Mozilla browser 
(Hint: packet content with user agent set as Mozilla). 
Once done, you can fetch the flag through /fpassword.php?id=3

Next, for the third flag, we need to send data inside an ICMP echo request. For this we use the ping command with the -p option, which specifies the pattern used to fill the payload of the echo request packets: -p ff, for example, fills the packet with 0xff bytes.

Linux ping accepts at most 16 pad bytes for -p, given as hex digits. "Mozilla" is seven bytes, so it fits; its hex encoding (CyberChef's To Hex operation produces it) is 4d6f7a696c6c61. A single packet is enough, so we add -c 1.

ping -c 1 -p 4d6f7a696c6c61 cctv.thm

After submitting the command, we are able to retrieve the third flag at https://cctv.thm/fpassword.php?id=3.

cctv.thm/fpassword.php?id=4

Attempt to login to the FTP server with content containing the word "user" in it. 
Once done, you can fetch the flag from /fpassword.php?id=4

Now we need a login attempt against the FTP server whose content contains the word user. The FTP client's first command after connecting is USER <name>, so simply starting the client and entering any username at the prompt puts the word on the wire.

ftp cctv.thm

After submitting the command, we are able to retrieve the fourth flag at https://cctv.thm/fpassword.php?id=4.

cctv.thm/fpassword.php?id=5

Send TCP request to flagger.cgi endpoint with a host header containing more than 50 characters. 
Once done, you can fetch the flag from /fpassword.php?id=5

Lastly, we need to make a TCP request to the endpoint flagger.cgi with a Host header longer than 50 characters. As for the second flag, a cURL request is sufficient; this time we override the Host header with -H. Make sure the value really exceeds 50 characters: the command below generates 60 A's rather than relying on counting them by hand. The request targets flagger.cgi, while the flag is afterwards read from fpassword.php.

curl -H "Host: $(printf 'A%.0s' $(seq 60))" http://cctv.thm/flagger.cgi

After submitting the command, we are able to retrieve the fifth flag at https://cctv.thm/fpassword.php?id=5.
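The five triggers above are one procedure, so here is the whole thing as a single script. This is an added example, not part of the original writeup: it assumes the target resolves as cctv.thm and that the page on 443 uses a certificate curl would otherwise reject (hence -k); both are assumptions. The FTP step sends the USER command by hand over nc instead of using the interactive ftp client, which makes visible what the client would send anyway.

```shell
#!/bin/sh
# Added example (not from the original writeup): drive all five triggers
# from one script and fetch each flag afterwards. Assumptions: the target
# resolves as cctv.thm, and 443 presents a certificate curl rejects (-k).
TARGET="${TARGET:-cctv.thm}"
BASE="https://$TARGET"

# Hex-encode a string for ping -p (Linux ping takes hex pad bytes, max 16).
to_hex() {
    printf '%s' "$1" | od -An -tx1 | tr -d ' \n'
}

# Build a Host header value of exactly N characters (the check wants > 50).
long_host() {
    n="$1"; h=""
    while [ "${#h}" -lt "$n" ]; do h="${h}A"; done
    printf '%s' "$h"
}

# Fetch flag N; the server only returns it once the trigger was seen.
get_flag() {
    curl -sk "$BASE/fpassword.php?id=$1"
}

run_all() {
    # 1: UDP datagram from source port 5000 (nc -p sets the source port).
    printf 'Crafted packet for password recovery' | nc -u -w1 -p 5000 "$TARGET" 5000
    get_flag 1

    # 2: HTTP (hence TCP) request carrying the expected User-Agent.
    curl -sk -A "I am Steve Friend" "$BASE/fpassword.php?id=2" >/dev/null
    get_flag 2

    # 3: one ICMP echo request whose pad bytes spell "Mozilla".
    ping -c 1 -p "$(to_hex Mozilla)" "$TARGET" >/dev/null
    get_flag 3

    # 4: FTP login attempt; the first command a client sends is USER <name>,
    # so any name puts the word "user" in the connection.
    printf 'USER anonymous\r\nQUIT\r\n' | nc -w2 "$TARGET" 21 >/dev/null
    get_flag 4

    # 5: Host header longer than 50 characters on flagger.cgi.
    curl -sk -H "Host: $(long_host 60)" "$BASE/flagger.cgi" >/dev/null
    get_flag 5
}

# Only touch the network when asked explicitly:  sh bypass.sh run
if [ "${1:-}" = "run" ]; then
    run_all
fi
```

Each get_flag prints the response body as-is; if a flag is missing, the matching trigger was not seen, which usually means the packet went out on the wrong interface (VPN) or, for step 1, that another nc build interprets -p differently.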

Logging in

Now that we have all five parts, we concatenate them to form the password. Note that the password is made of the five flags in full, exactly as retrieved, so do not strip any part of them.

After submitting the password, we log in and find another login field, requiring username and password. Furthermore, we see a timestamp, which looks like a dropdown with a single entry.

Second Login

For the second login we only need the username, since the password is the one we already have. The username is the machine's hostname. The developer rules out any possibility of command injection in his application; that will probably turn out not to be the case.

For the second layer of security, I have enabled a wholly sandboxed login environment with no connection to the database and no possibility of command execution. The username is the computer's hostname, and the password is the same as the previous password. I will SMS you the details as well.

Looking at the page source, we see that the drop-down is part of a form. It is very suspicious that what can be selected here looks like a command. The value of each option element is presumably the command that gets executed on the server.

The JavaScript on the page listens for the DOMContentLoaded event and attaches a change listener to the drop-down. Whenever the selection changes, it submits the form named myform. So all we have to do is extend the drop-down with the commands we want to execute; nothing on the server checks that the submitted value was one of the original options.

What is the username for the CCTV web panel?

So let's get the username, that is, the hostname of the machine.

 The username is the computer's hostname, [...]

This is what the added element could look like:

<option value="hostname">Get Hostname</option>

We can add this with the developer tools of Firefox or Chrome: duplicate the existing option node and change its value attribute to hostname. With the drop-down prepared, we trigger the submission by selecting the new second entry.

What is the lsb_release -r -s command output from the attached machine?

We repeat the process to get the LSB release number.

<option value="lsb_release -r -s">Get Release Number</option>

What is the flag value after logging into the CCTV web panel?

After logging in with the hostname as username and the recovered password, we have access to the CCTV feeds and the final flag.

Bonus: Initial Foothold + Privilege Escalation

Being curious, we try to get on the machine using a reverse shell.

After setting up a listener and triggering the selection, we are able to catch a reverse shell using busybox.

The machine runs kernel 5.15.0-1041. Maybe we can get root with a kernel exploit.

The public PoC for CVE-2024-1086, a use-after-free in the kernel's nf_tables (netfilter) subsystem, is a promising candidate for this kernel version. We compile it on our attack box and transfer the binary to the machine. Two caveats: the exploit relies on unprivileged user namespaces being enabled, and a failed attempt can crash the kernel, so on anything other than a lab box it is not a safe first choice.

After executing the exploit we get root privileges.
