Empline

https://tryhackme.com/room/empline

User flag

Let's start with an nmap scan.

There are three open ports (22, 80, 3306). Let's see what's on port 80.

It looks like a simple website. We can use goscript to see if there are any hidden directories.

Let's check the directories and see if there's anything interesting.

We found nothing interesting. After looking around the website for a while, we found a subdomain.

Let's add job.empline.thm to "/etc/hosts".

Let's head to the added subdomain.

It looks like a website listing job offers. Select "Show all jobs".

There's a mobile dev position; let's check it.

Click on "Apply to Position".

We can upload files. Maybe we can upload a reverse shell or something like that. Let's look up "OpenCATS" on Google and see if there's a known vulnerability we can use to our advantage.

We found an article about an XXE in version 0.9.4. Let's follow the steps.

We have to create a docx file. We used a Python script for it.

Let's unzip it.

Now open the "document.xml" file in the "word" folder and edit it with the following XXE payload.

Now we just have to zip it again and upload it to the platform.

It worked. We discovered a new user: George.

If we keep reading the article, we can repeat the process using "php://filter/convert.base64-encode/resource=config.php" instead of /etc/passwd, so we can read the plain-text passwords stored in the configuration file.

Let's decode the base64 text.
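The write-up shows why the upload handler is the weak point: OpenCATS parses the XML inside the uploaded .docx, and the DTD in word/document.xml is where the external entity is declared. The following is an added example (not code from the write-up or from OpenCATS) of the pre-parse gate a defender would put in front of any document-upload feature: open the .docx as a zip, scan every XML part for a DOCTYPE or ENTITY declaration, and reject the file if one is present, since a word processor never emits a DTD. The minimal two-part .docx builder and both sample documents are constructed here for the demonstration; the size cap MAX_PART_BYTES is an assumed value. This gate is defense in depth; the definitive fix is configuring the application's XML parser not to load DTDs or external entities at all.

```python
import io
import re
import zipfile

# Any DTD (DOCTYPE) or entity declaration inside an OOXML part is treated as
# hostile: a .docx written by a word processor never carries one, and the DTD is
# exactly where an XXE payload declares the entity the server-side parser resolves.
_DTD_PATTERN = re.compile(rb"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)

# Cap on the uncompressed size of any single part, so a crafted archive cannot
# exhaust memory while the parts are read (assumed limit, tune to your deployment).
MAX_PART_BYTES = 10 * 1024 * 1024


def find_dtd_parts(docx_bytes):
    """Return the names of XML parts that declare a DOCTYPE or ENTITY.

    Raises ValueError if a part exceeds MAX_PART_BYTES and zipfile.BadZipFile
    if the upload is not a zip archive at all.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            # Every part an XML parser will touch: document.xml, styles.xml,
            # [Content_Types].xml and the .rels relationship files.
            if not name.endswith((".xml", ".rels")):
                continue
            if info.file_size > MAX_PART_BYTES:
                raise ValueError("part %s too large (%d bytes)" % (info.filename, info.file_size))
            if _DTD_PATTERN.search(zf.read(info)):
                flagged.append(info.filename)
    return flagged


def is_safe_docx(docx_bytes):
    """True only for a real zip whose XML parts carry no DTD; everything else is rejected."""
    try:
        return not find_dtd_parts(docx_bytes)
    except (zipfile.BadZipFile, ValueError):
        return False


def build_docx(document_xml):
    """Build a minimal two-part .docx (constructed sample, enough for the check)."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/></Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed samples. The second declares only an internal entity; the gate still
# rejects it, because "no DTD at all" is the only safe posture for user uploads.
BENIGN_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body><w:p><w:r><w:t>hello</w:t></w:r></w:p></w:body></w:document>'
)
DTD_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<!DOCTYPE w:document [<!ENTITY marker "x">]>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body><w:p><w:r><w:t>&marker;</w:t></w:r></w:p></w:body></w:document>'
)

if __name__ == "__main__":
    for label, xml in (("benign", BENIGN_XML), ("dtd", DTD_XML)):
        blob = build_docx(xml)
        verdict = "accepted" if is_safe_docx(blob) else "rejected"
        print(label, verdict, find_dtd_parts(blob))
```

Run the file directly to see the benign document accepted and the DTD-carrying one rejected with word/document.xml named as the offending part. The byte-level regex runs before any XML parser sees the data, so it cannot itself be tripped by entity expansion, and scanning every .xml and .rels part matters because the server may parse more than document.xml.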

We found a database user. We can use it to try to log in to the platform.

We can also use the found user to log into the database and retrieve information.

We found a few user passwords. Let's try to crack george's password.

We cracked it. Now we can use it to try to log into the machine over SSH.

We're inside. Let's get the user flag.

Root Flag

For the root flag we tried listing SUID files, but we didn't find anything interesting.

The next step is listing the capabilities.

The ruby capabilities seem interesting. Let's check GTFOBins.

We can't use the GTFOBins method because it relies on the CAP_SETUID capability, whereas here ruby has CAP_CHOWN.

CAP_CHOWN gives us the power to change the owner of a file, so we can write a little ruby script to change the owner of /etc/passwd.

Run the script using the command:

ruby priv.rb

Now we can edit /etc/passwd and add a new password for the root user.

su into the root account and get the flag.
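The escalation path above exists because a file capability that should never sit on an interpreter (CAP_CHOWN on ruby) was granted, and because /etc/passwd becomes editable the moment its owner changes. The following is an added audit script (not code from the write-up) that a defender would run periodically: it parses the output of `getcap -r /` in both the older "path = caps+ep" and newer "path caps=ep" formats, flags any binary carrying a capability that is equivalent to root, and checks that /etc/passwd is still root-owned and not group/world writable. The list DANGEROUS_CAPS and the sample getcap output (including the ruby path) are constructed for this example.

```python
import os
import re
import stat
import subprocess

# File capabilities that, on a binary any local user can execute (an interpreter
# such as ruby especially), are equivalent to root: they allow changing file
# ownership, switching uid/gid, or bypassing permission checks outright.
# Constructed list; extend it to match your own policy.
DANGEROUS_CAPS = {
    "cap_chown", "cap_setuid", "cap_setgid", "cap_fowner",
    "cap_dac_override", "cap_dac_read_search",
    "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module",
}


def parse_getcap_line(line):
    """Parse one line of `getcap -r` output into (path, set of capability names).

    Handles both output styles libcap has used:
      older:  /usr/bin/ping = cap_net_raw+ep
      newer:  /usr/bin/ping cap_net_raw=ep
    Returns None for blank or unparseable lines. Paths containing spaces are not handled.
    """
    line = line.strip()
    if not line:
        return None
    parts = line.split(None, 1)
    if len(parts) != 2:
        return None
    path, rest = parts
    rest = rest.lstrip("= ").strip()
    if not rest.startswith("cap_"):
        return None
    # "cap_a,cap_b+ep" or "cap_a,cap_b=ep": the names come before the flag separator.
    cap_names = re.split(r"[+=]", rest, maxsplit=1)[0]
    caps = {c.strip().lower() for c in cap_names.split(",") if c.strip()}
    return path, caps


def audit_capabilities(getcap_output):
    """Return [(path, sorted dangerous caps)] for every binary carrying one."""
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        hit = sorted(caps & DANGEROUS_CAPS)
        if hit:
            findings.append((path, hit))
    return findings


def classify_passwd_stat(st_uid, st_mode, expected_uid=0):
    """Issues with /etc/passwd metadata: it must be root-owned and not group/world
    writable. Any other owner can edit it and set a password hash for root, which
    is exactly what the CAP_CHOWN escalation achieves."""
    issues = []
    if st_uid != expected_uid:
        issues.append("owner uid is %d, expected %d" % (st_uid, expected_uid))
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append("group/world writable (mode %o)" % stat.S_IMODE(st_mode))
    return issues


def run_audit():
    """Audit the live host. Needs libcap's getcap on PATH; returns None if absent."""
    try:
        result = subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    st = os.stat("/etc/passwd")
    return audit_capabilities(result.stdout), classify_passwd_stat(st.st_uid, st.st_mode)


# Constructed sample modelled on the write-up's situation: ruby carrying cap_chown.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/local/bin/ruby = cap_chown+ep
/usr/bin/mtr-packet cap_net_raw=ep
"""

if __name__ == "__main__":
    for path, caps in audit_capabilities(SAMPLE_GETCAP):
        print("DANGEROUS (sample):", path, ",".join(caps))
    live = run_audit()
    if live is not None:
        findings, passwd_issues = live
        for path, caps in findings:
            print("DANGEROUS:", path, ",".join(caps))
        for issue in passwd_issues:
            print("/etc/passwd:", issue)
```

On the sample input only the ruby line is reported. The fix for a finding is `setcap -r` on the binary (or granting the narrow capability the service actually needs, never CAP_CHOWN or CAP_SETUID on a general-purpose interpreter), and the /etc/passwd check catches the aftermath of the write-up's script if the capability was abused before the audit ran.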
