Bandit
INTRO
Hello everyone!
Today, we'll be tackling the network-room prepared by l4m3r8 on the website https://tryhackme.com/
Recon
Registration
The first thing you need to do according to the instructions in the challenge is to connect via SSH to the subnet of a Windows host with the ending .250. In my case, the IP address is shown below, but yours will most likely be different. Log in using the password register:register.
After logging in, we receive instructions regarding our objective. Now, we will add its IP address to the etc/hosts file under the name bandit.escape.
Nmap
We'll start the recon with an nmap scan:
As usual, I'll perform two nmap scans: the first to detect open ports, while the second will focus only on the discovered ports and conduct a deeper enumeration. This way, we'll save time and avoid bombarding the network with excessive traffic. We'll execute the second scan with the following command:
Our scans detected 4 open ports:
Port 22: SSH (not much we can do at this stage)
Port 80: Apache web server
Port 631: CUPS (Common Unix Printing System)
Port 8002: Another web server
Web server - 80
We'll start with the first web server.
NOTE: During your enumeration, you may encounter such a message when trying to access the first web server.
It means that you are attempting to access it via IP address; it's important to have bandit.escape in the address bar.
Gobuster
We'll run Gobuster in the background and focus on manually enumerating the website.
Reflected XSS
We'll start by manually browsing the site. It appears there isn't much here except for a search field and a message suggesting that some sort of filter is applied.
I checked if the website is vulnerable to XSS using a simple script visible on the screen, but no results were obtained.
I decided to look for some information regarding this filter. Interestingly, we can observe its operation in the page's code (F12).
After a short moment of playing with the filter, I found a solution. The phrase
"><script>alert('1');</script>triggers an alert on the page, confirming that it's vulnerable to XSS.
Since we have the ability to log in on the website, it opens up further possibilities. I attempted some SQL injection but unfortunately without success.
Apache 7.1.1 - HTTP Smuggling
After searching for the version of our Apache server, I came across a post on a certain blog link where:
This version is vulnerable to HTTP Smuggling.
The blog also contains a Step-by-Step PoC that could be utilized on our website.
You can also find resources on burpsuite site:
What is HTTP request smuggling? Tutorial & Examples | Web Security Academy
So I've already crafted the appropriate payload which sends two HTTP requests, one of them being completely normal, while the other one smuggles an XSS payload. Below is the code to copy:
Next, we'll loop our payload so that the server keeps receiving packets with the XSS payload continuously. To do this in Burp Suite, we need to go to Send to Intruder or press Ctrl + I, then select Payloads and set Payload type = null payloads. Additionally, we check the option Continue indefinitely, and we're done.
Now, upon refreshing the page, we'll see our XSS in action even though we're not interacting with the page.
XSS + HTTP Smuggling = Cookie Graber
So, our next task will be to combine two vulnerabilities found earlier in the cookie grabber.
After a brief research, I found an interesting project prepared by TheWation here: https://github.com/TheWation/PhpCookieStealer
It actually has all the instructions we need as well as the payload itself, which requires only minor modifications.
The plan is as follows:
Host a server that acts as a cookie grabber.
Then deploy an XSS payload redirecting to our server.
The server reads the cookie.
We replace the cookies.
Great Success
So let's begin.
We'll start by setting up a server, and I can't be bothered to set up any fancy stuff, so we'll just create a simple netcat listener. Then we'll move on to crafting the payload. Finally, I've come up with this:
And indeed, we receive response B).
NOTE:Remember to url-encode the payload!
Returning to Burp Suite, it's enough to send our new payload once, and we're done.
We got cookie :)
Do you remember our Gobuster? If you still remember it, that's great because now is the moment when it will prove handy. During enumeration, it found several interesting hits, such as uploads (a dokΕadniej plik upload.php)
Let's try substituting the cookie and see if we can get in there.
Worked :)
Upload Panel
So now we need to work a bit on the upload panel and most likely bypass some filters related to the uploaded file.
After a brief search, I discovered that simply bypassing the file extension filter isn't difficult; you just need to ensure that the content-type in Burp is set to image/png (or another image extension). The filter doesn't even check the file extension. However, a problem arises with the size of the uploaded file. Below is my attempt to upload the PHP reverse shell for downloading from here:
https://github.com/pentestmonkey/php-reverse-shell
. As you can see, it's not a small file, and in the server's response, we see the "limit exceeded" message
In contrast to attempting to upload a small PHP file, here I'm sending a really simple script that outputs "test". As you can see, it goes through without any issues.
However, that's not the biggest problem at the moment, although it doesn't mean we should forget about it (we'll probably need to address it in the future). The biggest issue is finding out where these files are saved and how I can access them.
Finding files
Returning to our original website, we can notice that files appear in the gallery as we upload our images.
During the attempt to open the file, something like this appears. The name is our file name only hashed in MD5
But if we try to change extension from jpg to php⦠Bam we got response now we need reverse shell
We still need to remember what we discovered earlier - the files cannot be too large, so the reverse shell from pentestmonkey is not an option.
To find something really short, in response to my problem, I came across an article on the website.
The tiniest PHP system shell ever? | Pen Test Partners
Where they presented a tiny script.And it works B)
Obtaining Reverse Shell
We'll start by finding our file named shell.php, which we uploaded to the server in the previous part. We know we're dealing with MD5 hashing, so I inputted the name of our file into CyberChef.
Thanks to that, I found the name of the file and managed to execute the ls command(as value of variable 1 ) on the server.
Now it's time for fireworks! We'll use a simple reverse shell command to get a shell.
Remember to URL-encode it.
Disgusting - we are in docker
In addition to that, I started searching our box and decided to go through the configuration files of the application. And of course, I found what I was looking for in the auth.php file.
And with this creds we can ssh to bandit.escape machine
SSH Connection
So, we have SSH access to the first machine. Phew, finally, we can celebrate finding one flag! Now it's time for the next one. The first thing that catches the eye is the hostresolver.py file, which is a convenient alternative to manually adding an entry to /etc/hosts.
Now we can ping by domain name. :)
Additionally, it's worth noting that in this system, we have root access; simply use sudo su.
In addition to our user, there's also another one named "ubuntu."
And theoretically, there should be a file with the PowerShell history containing the data needed for further progress. Unfortunately, there's a good chance that the file won't be generated (this happens when you receive a "lost connection" message during registration). I also encountered this problem and after a long search and falling into various rabbit holes, I eventually just used a writeup.
Below is a screenshot of the contents of that file.
To use PowerShell, you need to use the command pwsh and then paste the entire content of the absent (or present with enough luck) file.
And there we have a connection to the Windows machine.
NOTE: I changed the colors to make the text more visible.
Escaping the powershell matrix
So, we've landed on the Windows machine, but something seems off here...
As you can see in the screenshot below, many basic commands aren't working. Most likely, this is a deliberately created restricted environment. We need to figure out what to do next.
I decided to check the available commands using the "Get-Command" command.
There doesn't seem to be anything special here. After some time, I discovered that our starting point could be the "Get-ServicesApplication" command.
Why? Well, with each command, I checked what could be done with it. Sort of a separate manual for each command can be displayed using the command Get-Command -ShowCommandInfo Get-ServicesApplication, which allowed me to learn that this command supports the filter flag, which, as the name suggests, is used for filtering. You can place a command in it that will execute to help us filter. By using this dependency, we can force the system to output the result of the command. Of course, an error will also pop up with the result. Below is an example of "smuggling" the whoami command.
Let's set up a reverse shell to bypass these silly restrictions then.
We'll start by downloading netcat onto our Windows system. To do that, we'll download the netcat static binary from here:
https://github.com/int0x33/nc.exe/
, and we can download it using the command:
Remember to set up an HTTP server on the AttackBox.
NOTE: I had issues when not using nc64.exe, so I recommend choosing that version instead.
Next, we'll set up a listener on the AttackBox and invoke netcat using the command.
It's important to repeat the command several times because sometimes it just doesn't work.
Once done, on the administrator's desktop, we'll find the flag
Conclusion
What a fantastic room, using several interesting techniques. My favorite moment was the use of HTTP smuggling, which I must admit I hadn't used before, so it was a new challenge for me. As always, I had a great time and learned a lot. Thank you for reading, and see you soon!
Last updated