TryHackMe

Writeups for the rooms available in TryHackMe

https://tryhackme.com/room/gitandcrumpets


Enumeration:

Starting with a quick Rustscan, I found a handful of open ports:

sudo rustscan -a 10.10.213.70 -- -sC -sV -vv -oN git_nmap

The scan revealed the following open ports:

PORT      STATE    SERVICE REASON                  VERSION 
22/tcp    open     ssh     syn-ack ttl 61          OpenSSH 8.0 (protocol 2.0)
80/tcp    open     http    syn-ack ttl 61          nginx
26164/tcp filtered unknown admin-prohibited ttl 61
52263/tcp filtered unknown admin-prohibited ttl 61

Based on the port scan, my focus shifted to port 80, which hosts an HTTP web server. Visiting it in a browser, the server redirected me to a YouTube video. To look closer, I fetched the page with curl and found a note embedded in the source code:

Subsequently, I added the domain “git.git-and-crumpets.thm” to my host configuration file, allowing me to navigate through it and unveil a Git instance:

Attempts to log in with default credentials failed, so I registered a new user instead:


Git:

After creating a new account with the username ‘nimda’, I discovered two repositories on the Git platform:

Inspecting the history of the ‘scones’ repository, I found a deleted commit containing a Password file, accompanied by a comment stating, "I kept the password in my avatar to be more secure."

To follow this lead, I downloaded the avatar of ‘scones’ using wget:

wget http://git.git-and-crumpets.thm/avatars/3fc2cde6ac97e8c8a0c8b202e527d56d

Examining the avatar metadata with exiftool revealed the password in the comments:

Leveraging this password, I successfully gained access to the “scones” account:


Initial access:

Logged in as “scones”, I found that the account could add and edit the repository's Git hooks. Git hooks are scripts that Git runs at fixed points in its workflow, such as before a push is accepted, which is how they customize Git behavior:

Taking advantage of this capability, I modified the pre-receive hook, injecting a Bash reverse shell:

However, the hook only fires when a commit is pushed. Unfortunately, the first attempt, using port 1337, never connected back: 😕

Undeterred, I switched to a different port and got a connection to my netcat listener: 🙂

Navigating to the home directory, I retrieved the user flag, encoded in base64. (pwn3d!🙂)

With remote access secured, I generated an SSH key pair and added my public key to the authorized keys of the git user, which gave me a stable SSH session on the host:


Privilege Escalation:

As the password for the “scones” account was still elusive, I started manual enumeration. The key find was in the /var/lib/gitea/data directory, which holds the gitea.db database file:

Opening the database file with sqlite3, I found some valuable information:

sqlite3 gitea.db

sqlite> .tables
sqlite> SELECT * FROM user;

sqlite> SELECT * FROM repository;

Exploring the repository table, I identified a hidden root repository that was not visible in the Git web interface:

SELECT sql FROM sqlite_master WHERE type='table' AND tbl_name='repository';

Next, I flipped the is_private flag on the root repository so that it would become visible:

UPDATE repository SET is_private=0 WHERE id=2;  -- the root repository has id 2

With this modification, the root repository became accessible in Git:
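As an added, defender-side example (not part of this writeup), here is a Python audit that covers both abuse paths used above: server-side Git hooks that reach out to the network, and repositories whose is_private flag in gitea.db no longer matches what the owner intended. The hook directory layout, the indicator list, and the repository columns other than id and is_private are assumptions, and the sample data is constructed inline.

```python
import os
import re
import sqlite3
import tempfile

# Hypothetical indicator list: substrings that rarely belong in a legitimate server-side hook.
SUSPICIOUS_HOOK_PATTERNS = [r"/dev/tcp/", r"\bnc\b", r"bash -i", r"\bcurl\b", r"\bwget\b"]


def audit_hooks(repo_root):
    """Return (hook_path, pattern) for every file under a hooks/ directory that matches an indicator."""
    findings = []
    for dirpath, _, files in os.walk(repo_root):
        if os.sep + "hooks" not in dirpath:
            continue
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, errors="replace") as fh:
                body = fh.read()
            findings.extend((path, pat) for pat in SUSPICIOUS_HOOK_PATTERNS if re.search(pat, body))
    return findings


def audit_private_flags(db_path, expected_private):
    """Return (id, name) for repositories whose is_private flag in gitea.db disagrees
    with the set of repository names the owner says should be private."""
    con = sqlite3.connect(db_path)
    rows = con.execute("SELECT id, name, is_private FROM repository ORDER BY id").fetchall()
    con.close()
    return [(rid, name) for rid, name, priv in rows if (name in expected_private) != bool(priv)]


def build_fixture():
    """Constructed sample data (not from the room): one repo tree with a hook that
    phones home, and a minimal gitea.db where the root repo has been made public."""
    root = tempfile.mkdtemp()
    hook_dir = os.path.join(root, "root.git", "hooks", "pre-receive.d")  # assumed layout
    os.makedirs(hook_dir)
    with open(os.path.join(hook_dir, "custom"), "w") as fh:
        fh.write("#!/bin/sh\ncurl http://example.invalid/beacon\n")
    db_path = os.path.join(root, "gitea.db")
    con = sqlite3.connect(db_path)
    con.execute("CREATE TABLE repository (id INTEGER PRIMARY KEY, name TEXT, is_private INTEGER)")
    con.executemany("INSERT INTO repository VALUES (?, ?, ?)", [(1, "scones", 0), (2, "root", 0)])
    con.commit()
    con.close()
    return root, db_path


if __name__ == "__main__":
    root, db = build_fixture()
    print(audit_hooks(root))                  # the hook that calls curl
    print(audit_private_flags(db, {"root"}))  # root should be private but is not
```

Run against a real instance, point audit_hooks at Gitea's repository root and pass audit_private_flags the list of repositories that are supposed to be private; anything it returns is worth a closer look.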

Inspecting the “dotfiles” commit in the root repository’s history, I found the SSH private key for the root user:

Using this private key with the passphrase “Sup3rS3cur3”, I logged in as root over SSH:

Finally, I retrieved the root flag, completing the privilege escalation. (pwn3d!🙂)