Lockdown
https://tryhackme.com/room/lockdown
User Flag
As usual, let's start with a port scan.

A more detailed scan:

If we head to port 80 we get a "Server Not Found" error. If we check the link we see that it redirects us to http://contacttracer.thm

Let's add the IP to /etc/hosts and try again.

We see a simple website for a coronavirus contact tracer. We can also see a "Go to Admin Panel" link; let's click on that and try to get in using common credentials.

It didn't work. Let's use dirsearch to see if there's something interesting.


We found a README.md file. Let's read it.

We can see the app is an open-source app named "Covid 19 contact tracing system". Let's google it and see if we find any CVEs.
Luckily we found an RCE exploit. Let's take a look at it and try it.

If we read the script, we find that it uploads a file to the webapp and then triggers it.
Let's try to run the exploit.

We have to edit the path.

Let's try again.

We started a nc listener, but we weren't able to get a shell using this method, so we had to keep looking. We found another interesting SQLi CVE affecting the login page.
Let's try to exploit that CVE.

We got in.

Now we can do two things. We can try to manually upload the reverse shell, or we can try to use sqlmap to dump the database and see if we get anything interesting.
Let's head to the system info and upload a PHP reverse shell.


To trigger the reverse shell you have to visit http://contacttracer.thm/login.php (logged out). Don't forget to start a nc listener.

We're inside the machine.

Looking around the webapp we can find an interesting file in /var/www/html/classes (DBConnection.php)

We found credentials for the database. Let's connect to it.
mysql -u cts -p

Dump the users info.

There's a hashed password. We can crack it using hashcat or any other tool and try to use it against the two users (cyrus and maxine).
It works with cyrus. Once logged in we can read the flag.

Root Flag
Let's check our sudo rights.

We can run scan.sh as root. Let's see what the script does.

It looks like it scans files for potential viruses and copies them into the quarantine folder in cyrus's home. Let's try it.

Nothing happened. If we take a look at the ClamAV documentation we see it accepts YARA rules.
YARA rules are stored in the /var/lib/clamav directory. Since the script runs as root, anything a rule matches gets copied into the quarantine folder, so we can write a YARA rule that copies the root flag.
We know the flag will contain the string "thm{".
rule test
{
    strings:
        $s = "thm{" nocase
    condition:
        $s
}

Run the script.

Another method we can try is copying the shadow file to get user hashes and try to crack them.
rule test
{
    strings:
        $s = "root" nocase
    condition:
        $s
}

Run the script.
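The root cause of this escalation is a root-run scan that trusts inputs (the signature directory and the script itself) a non-root user can modify. The following is an added audit check, not part of the room or of ClamAV, that reports every such path a given uid/gid set could write to; the temporary fixture, the placeholder rule and script, and uid 65534 as an "unrelated user" are all constructed for the demo.

```python
import os
import stat
import tempfile
from pathlib import Path

def writable_by(st: os.stat_result, uid: int, gids: set) -> bool:
    """POSIX write check for a principal: owner class wins, then group, then other."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_scan_inputs(db_dir: Path, script: Path, uid: int, gids: set) -> list:
    """List every path a root-run scan trusts that the sudo user could modify.
    A writable signature directory lets the user drop a new rule file; a
    writable rule or script lets them edit an existing one in place."""
    findings = []
    if writable_by(script.lstat(), uid, gids):
        findings.append(f"script writable: {script}")
    if writable_by(db_dir.lstat(), uid, gids):
        findings.append(f"signature dir writable (new rules can be added): {db_dir}")
    for p in sorted(db_dir.rglob("*")):
        if writable_by(p.lstat(), uid, gids):
            findings.append(f"signature file writable: {p}")
    return findings

def run_demo() -> dict:
    """Constructed fixture (not the room's files): a temporary signature dir
    holding one world-writable rule, plus a placeholder scan script."""
    root = Path(tempfile.mkdtemp())
    db = root / "clamav"
    db.mkdir(mode=0o755)
    rule = db / "local.yar"
    rule.write_text("rule placeholder { condition: false }\n")
    rule.chmod(0o666)          # the weak setting: any local user can edit the rule
    script = root / "scan.sh"
    script.write_text("#!/bin/sh\n# placeholder for the root-run scan script\n")
    script.chmod(0o755)
    # 65534 is assumed to be an unrelated uid/gid (the 'nobody' convention)
    return {
        "other_user": audit_scan_inputs(db, script, 65534, {65534}),
        "owner": audit_scan_inputs(db, script, os.getuid(), {os.getgid()}),
    }

if __name__ == "__main__":
    for who, found in run_demo().items():
        print(who, found or "nothing writable")
```

Against a real host, point `audit_scan_inputs` at /var/lib/clamav and the sudo-permitted script with the uid and groups of the user named in the sudoers rule; an empty list means that user cannot influence what the root-run scan matches or does.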


Root didn't have a hashed password but fortunately maxine did. Copy the contents of the shadow file and the passwd file and send them to the attacker machine.
We can use unshadow to get a hash and crack it using john.
unshadow PASSWD-file SHADOW-file > hash.txt

john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

We got a password. Log in as maxine.

Let's check our privileges as maxine.

We can basically do whatever we want. Become root and get the root flag.
