BadByte - mattit4o/TryHackMeWriteUps GitHub Wiki
Badbyte is a free walkthrough room by electronforce and Raccoonijna on Tryhackme.com
You have to infiltrate BadByte and help us to take over root; each task teaches you a little more. Some really good and hard tasks to get you thinking.
Standard deployment - also time to start your attack box.
Nmap of the machine.
Most of us will use our standard nmap options - I normally use `-sC` and `-sV`. This is a little reminder that there are lots of options and you have to use a couple to progress.
Running `nmap -p- -vv <machine ip>` scans all the ports and gives verbose output, so you can keep an eye on the output and spot the open ports as they appear.
Once you have the ports you can then use `nmap -A -p port1,port2,port3 <machine ip>` (no spaces in the port list) to get more information about the services that are running.
Connect to the 2nd service you found via the normal method using `anonymous`, and you can download the id_rsa file you need for the next part.
There is also a note from the user which provides the username.
Use ssh2john to extract the private key hash, then crack the RSA private key passphrase with rockyou.txt.
Now you have the private key you can connect via ssh.
Don't forget to set the permissions on the file: `chmod 600 id_rsa`
`ssh -i id_rsa <user>@<machine ip>`
When you connect you will see there is not much you can do as the user has a restricted set of commands they can run.
The task information advises there are some locally hosted websites which you can access.
Setting up proxychains:
To be able to scan a device through the pivot using nmap you need to use dynamic chains. Start a SOCKS proxy over the ssh connection:
`ssh -i id_rsa -D 1337 <user>@<machine ip>`
You also need to edit `/etc/proxychains.conf` (for example with `nano /etc/proxychains.conf`), comment out the `socks4` entry and add the socks5 proxy:
`socks5 127.0.0.1 1337`
Then use `proxychains nmap -sT 127.0.0.1` to scan the remote machine.
This will show two ports are open.
Stop the current ssh session using ctrl+c.
Then set up a single-port local forward:
`ssh -i id_rsa -L 8080:127.0.0.1:<remote port> <user>@<machine ip>`
You can then view the page using a browser by visiting http://127.0.0.1:8080
Run an nmap `--script` scan or another scan to find the CMS and any vulnerable plugins:
`nmap -p 8080 --script http-wordpress* 127.0.0.1 -vv`
The hint (`search-limit=1500`) did not help.
This seemed to take a while so I ran `wpscan -u http://127.0.0.1:8080` instead.
I checked Exploit-DB and found nothing initially. After a bit of googling to check CVE numbers for the plugins, I downloaded the rb files and updated Metasploit to test the proof of concept.
First CVE: adding this to Metasploit was a bit of a mission - my attack machine was unable to load the file from the `.msf4/modules/auxiliary` folder, so I ended up copying it to `/opt/metasploit-framework-5101/modules/auxiliary` and then had errors similar to:
`must be lowercase alphanumeric snake case (Msf::ModuleLoadError)`
After a bit of googling, I discovered there was a `-` where there should have been a `_`. I also found that you have to create the folders under modules.
2nd CVE: this was a shell script but for some reason did not work; the server was vulnerable but could not be uploaded to, probably due to proxychains.
Instead I used Metasploit and CVE.
With a bit more time spent saving to the correct Metasploit module folder - `/opt/metasploit-framework-5101/modules/exploit/remote/http` - I was able to get the connection.
Once connected using Metasploit, locate files via basic Linux enumeration.
OK, basic rule for Linux enumeration - check the files you can see!
```
-rw-r--r-- 1 cth cth 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 cth cth 3771 Apr 4 2018 .bashrc
drwx------ 2 cth cth 4096 Dec 29 10:47 .cache
drwx------ 3 cth cth 4096 Dec 29 10:47 .gnupg
-rw-r--r-- 1 cth cth 807 Apr 4 2018 .profile
-rw-r--r-- 1 cth cth 0 Dec 4 11:38 .sudo_as_admin_successful
-rw-rw-r-- 1 cth cth 38 Dec 28 16:53 user.txt
-rw------- 1 cth cth 2414 Jan 18 13:53 .viminfo
```
I missed one file and then went off looking for the website and CMS configuration files.
I found /etc/wordpress/ had a few interesting configuration files, but they were a bit of a red herring:
```
config-127.0.0.1.php  config-localhost.php  htaccess
cth@badbyte:/etc/wordpress$ cat config-localhost.php
<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wordpress');
define('DB_PASSWORD', '@n0therp@ssw0rd');
define('DB_HOST', 'localhost');
define('DB_COLLATE', 'utf8_general_ci');
define('WP_CONTENT_DIR', '/usr/share/wordpress/wp-content');
?>
```
I went back to the home folder and checked the hidden files again.
The .viminfo provided:
```
# File marks:
'0 31 0 /var/log/bash.log
|4,48,31,0,1610977989,"/var/log/bash.log"
# Jumplist (newest first):
-' 31 0 /var/log/bash.log
|4,39,31,0,1610977989,"/var/log/bash.log"
-' 1 0 /var/log/bash.log
|4,39,1,0,1610977905,"/var/log/bash.log"
# History of marks within files (newest to oldest):
> /var/log/bash.log
	* 1610977988 0
	" 31 0
	. 31 0
	+ 37 0
	+ 31 0
	+ 37 0
	+ 31 0
```
Checking the log it pointed at provided the results I was looking for:
```
cth@badbyte:~$ sdou su
Command 'sdou' not found, did you mean:
command 'sdoc' from deb ruby-sdoc
command 'sdop' from deb sdop
Try: sudo apt install <deb name>
cth@badbyte:~$ #################
G00dP@: command not found
cth@badbyte:~$ ^C
cth@badbyte:~$ passwd
Changing password for cth.
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
cth@badbyte:~$ ls -l
total 4
-rw-rw-r-- 1 cth cth 38 Dec 28 16:53 user.txt
cth@badbyte:~$ id
uid=1000(cth) gid=1000(cth) groups=1000(cth),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
cth@badbyte:~$ echo "Hello World"
Hello World
cth@badbyte:~$ locate script
```
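The bash.log excerpt shows how the password leaked: a mistyped `sdou su` was followed by the password itself being typed at the prompt, which bash recorded as `<password>: command not found`. As an added example (not part of the room or this writeup), the following Python scans a shell log for that pattern so a defender can find such lines, scrub the log and rotate the credential; the sample log and the password in it are constructed, and the su/sudo typo check only catches transposed letters.

```python
import re
from typing import List, Tuple
# Ways bash and Ubuntu's command-not-found handler report an unknown word.
NOT_FOUND = (
    re.compile(r"^(?:bash: )?(?P<word>\S+): command not found$"),
    re.compile(r"^Command '(?P<word>[^']+)' not found"),
)
# Constructed sample log modelled on the BadByte bash.log; the password is made up.
SAMPLE_LOG = """\
cth@badbyte:~$ sdou su
Command 'sdou' not found, did you mean:
Try: sudo apt install <deb name>
cth@badbyte:~$ #################
Wint3r!Pass: command not found
cth@badbyte:~$ ls -l
total 4
cth@badbyte:~$ grpe foo
grpe: command not found
"""

def is_priv_word(tok: str) -> bool:
    """su, sudo, or a transposition typo of sudo such as 'sdou'."""
    return tok in ("su", "sudo") or sorted(tok) == sorted("sudo")

def privilege_attempt(line: str) -> bool:
    """True if the command on this prompt line involves su/sudo (typos included)."""
    parts = re.split(r"[$#]\s+", line, maxsplit=1)  # "user@host:~$ command ..."
    return len(parts) == 2 and any(is_priv_word(t) for t in parts[1].split())

def looks_like_secret(tok: str) -> bool:
    """Commands are lowercase words; mixing 2+ of upper/digit/punctuation suggests a credential."""
    classes = (any(c.isupper() for c in tok), any(c.isdigit() for c in tok),
               any(not c.isalnum() for c in tok))
    return sum(classes) >= 2

def find_leaked_credentials(log: str, window: int = 5) -> List[Tuple[int, str, str]]:
    """Return (line number, token, reason) for every suspected leaked credential."""
    lines, findings = log.splitlines(), []
    for i, raw in enumerate(lines):
        m = next(filter(None, (p.match(raw.strip()) for p in NOT_FOUND)), None)
        if not m or is_priv_word(m.group("word")):  # the typo itself is not a secret
            continue
        tok = m.group("word")
        after_priv = any(privilege_attempt(l) for l in lines[max(0, i - window):i])
        if looks_like_secret(tok):
            why = "credential-shaped token" + (" following a su/sudo attempt" if after_priv else "")
            findings.append((i + 1, tok, why))
        elif after_priv:
            findings.append((i + 1, tok, "unknown word right after a su/sudo attempt"))
    return findings
```

Run it over `/var/log/bash.log` or a shell history to get the line numbers to scrub; a plain typo like `grpe` is not reported unless it directly follows a su/sudo attempt.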
Guessing what the user had changed their password to was hinted at in the original task information: for example they may have changed it from "Goodpassword2019" to "Goodpassword2020" or from "Autmun20!" to "Spring20!".
I guessed correctly and was able to ssh into the machine as the user.
From here I could see the user could su to root.
Once you have that, the flag is yours.