TryHackMe’s Toc2 by PoloMints — Writeup

This room will teach you several topics such as: RCE, PrivEsc Race Conditions and how to exploit them. There’s a very nifty video that I will link later on in the walkthrough in order to follow on for the Priv Esc part and how to exploit that included binary…

I really enjoyed this room, wasn’t too bad difficulty wise. Although the room is a ‘medium’ room, it is very borderline medium/easy — but that’s just my own opinion :).

<pump_own_tires> May I add this is the first room that I’ve completed without finding another walkthrough on the web (at the time of this writing) — and for that I’m proud! :-) </pump_own_tires>

Enumeration

Deploy the machine.

Nmap scan reveals 2x ports open 22 ssh and 80 http.

sudo nmap $ip -A -p-

Visiting the web page on port 80 leads us to a page that is ‘Under construction.’

at least we have some creds in there !

A gobuster scan reveals a robots.txt file.

gobuster dir -u $ip -w /usr/share/dirb/wordlists/common.txt

We see there is the name of the database.

Excellent. We have a username, password and database name.

In the base cmsms directory there’s a readme and install.php file.

Remote Cote Execution (RCE) … to the races!

I found an exploit on exploit-db: https://www.exploit-db.com/exploits/44192 that tells us to setup the database and tamper with the timezone setting on step 4.

We are modifying Step 4 in Burpsuite with the indicated string in order to be able to run commands from the URI by using RCE.

Set up the CMS using the creds given and the db name in the robots.txt file until we hit step 4.

Start up Burp and modify step 4’s request like stated in exploit-db.

We’ll test this exploit out — and see that it works.

Let’s try this again, but cat the /etc/passwd file.

We see that frank is a user on the system, let’s try to use a dictionary attack on his pass with hydra.

Not an obvious password… at all.

We can ssh as frank with the newly found password.

We find the first flag user.txt in frank’s home directory. cat it for the flag.

Privilege Escalation

Navigate to the root_access directory in frank’s home dir to find a few interesting files. One is called readcreds. Executing it will tell us we must pass a file as an argument. Trying root_password_backup gives us a permission error.

For the next step — WATCH this video if you are not familiar with race conditions … I certainly wasn’t. He boils it down so simple, and will enable you to root this machine.

VIDEO explaining race conditions - ‘like I’m 5' version.
https://www.youtube.com/watch?v=5g137gsB9Wk

Download rename.c given from the hint link (from THM). Upload it to the host machine using wget. For some reason wget and git clone were not working on the host machine, so that was my workaround.

You’ll need to compile this C file first.

To compile this: ‘gcc -o rename rename.c’

If you watched the video, basically you will take this rename executable and pass it two arguments. One will be a file that you have permissions to, and the other higher permissions that you want to read… such as the root_password_backup file in our case. The video explains what is going on so I won’t go into detail here again.

Create a blank file to use as one of these two arguments. I just ‘touched’ asd. *keyboard smash!*

…and execute it with root_password_backup as an argument “ ./rename root_password_backup asd”. You will see the terminal hang… this is normal.

Perfect, now, on a separate terminal (because we want to keep this binary running — you can ssh as frank again, or just background the process altogether) let’s try to run the readcreds binary with our file we want to read. At first we may not be able to open, but keep pounding up and enter until eventually we hit our permissions and cat the file.

Switch user and BAM! cat /root/root.txt.

or cd to the directory first like I did ;)

If you have any questions or require further clarification, you can always message me on Twitter! I’d be glad to help you!

Happy hacking!

-swehtpantz