TryHackMe: Ollie Writeup
Level: Medium
OS: Linux
Link: Ollie
Highlight: Using a SQLi vulnerability in the phpIPAM address management software to gain initial access. Privilege escalation using a bash script running as root, which we can find using pspy.
Enumeration
nmap scan reveals that ports 22, 80 and 1337 are open.
Port 1337: Here we get a hint we can use during the exploitation of port 80. Connecting using netcat and answering the questions gives us the username and password we can use to log in to the IPAM system.
Port 80:
Using the credentials found previously, login to the IPAM system.
At the bottom of the screen, we can see that phpIPAM version 1.4.5 is running.
Exploiting SQLi
Searching for exploits on Exploit-DB, I came across the following: https://www.exploit-db.com/exploits/50963
However, even though using this exploit says we have a shell, it really does not work. After tampering around a bit, I remembered the “backward compatibility” mentioned in the box’s introduction. With this, I tried the exploit for version 1.4.4: https://www.exploit-db.com/exploits/50684
Hence, I set up a Burp proxy to capture the request and then use sqlmap.
Setting up burp proxy:
Under “Proxy Listeners”, add a new listener, choose a port, and redirect it to our target machine.
Now run the exploit to capture the POST request.
Even though the exploit doesn’t do anything, I copied the POST request to a text file and modified the ‘subnet=’ value to add a *, so it can be used readily with sqlmap.
Running sqlmap shows us that the application is vulnerable to SQLi.
Reverse Shell
Getting a reverse shell is easy using sqlmap. I uploaded the PHP reverse shell script to the /var/www/html/ location and started a netcat listener to catch the reverse shell.
sqlmap -r req.txt --dbs --file-dest=/var/www/html/reverse.php --file-write=./reverse.php
Opening this file in the browser (http://<target_ip>/reverse.php) should give us the reverse shell on the netcat listener.
After stabilizing the shell, we can elevate ourselves to the “ollie” user using the same password we found before.
From here, getting user.txt is a straightforward task.
Privilege escalation to root
After running linpeas and digging around, the best way to elevate privileges to root is the “feedme” script, which runs as root and which the ‘ollie’ user has the rights to edit.
This can be found using pspy. I downloaded the pspy64 binary and uploaded it to the machine.
Next, I find where this file is and check its permissions. As said above, we can edit this file.
I use vim to edit the file and add a bash reverse shell to it, then start a netcat listener to get the root shell. It takes about a minute, and if everything is right, we will have the root shell.
After we get the root shell, I get the flag in the root directory :)
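The root cause of this privilege escalation is a script that root executes on a schedule but that a non-root user is allowed to modify. As an added example that is not part of the original writeup (the crontab lines, file paths and permission bits below are constructed), here is a small Python audit that parses system-crontab entries, resolves the script each root job actually runs, and flags any that a non-root user could edit:

```python
import re
import shlex
import stat

# System crontab format: five schedule fields, the user to run as, then the command.
CRON_RE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")
INTERPRETERS = {"bash", "sh", "dash", "python", "python3", "perl", "php"}

def script_path_from_command(cmd):
    """Return the script a cron command really executes, skipping an interpreter and its flags."""
    for tok in shlex.split(cmd):
        if not tok.startswith("-") and tok.rsplit("/", 1)[-1] not in INTERPRETERS:
            return tok
    return ""

def is_writable_by_non_root(mode, uid, gid):
    """True if someone other than root could edit the file before root executes it."""
    if uid != 0 or mode & stat.S_IWOTH:            # non-root owner, or world-writable
        return True
    return bool(mode & stat.S_IWGRP) and gid != 0  # group-writable by a non-root group

def find_risky_root_jobs(crontab_text, lookup):
    """lookup(path) -> (st_mode, st_uid, st_gid) or None. Returns [(path, octal perms), ...]."""
    findings = []
    for line in crontab_text.splitlines():
        m = CRON_RE.match(line)
        if not m or line.lstrip().startswith("#") or m.group("user") != "root":
            continue
        path = script_path_from_command(m.group("cmd"))
        info = lookup(path) if path else None
        if info and is_writable_by_non_root(*info):
            findings.append((path, oct(info[0] & 0o777)))
    return findings

# Constructed sample: one root cron job runs a script that any user can modify.
SAMPLE_CRONTAB = """\
* * * * * root /bin/bash /opt/example/feedme.sh >/dev/null 2>&1
0 3 * * * root /usr/bin/apt-get update
*/5 * * * * www-data /usr/bin/php /var/www/html/cleanup.php
"""
SAMPLE_FS = {  # path -> (st_mode, st_uid, st_gid), constructed stand-in for os.stat()
    "/opt/example/feedme.sh": (0o100777, 0, 0),  # rwxrwxrwx, root-owned
    "/usr/bin/apt-get": (0o100755, 0, 0),
    "/var/www/html/cleanup.php": (0o100666, 33, 33),
}

if __name__ == "__main__":
    for path, perms in find_risky_root_jobs(SAMPLE_CRONTAB, SAMPLE_FS.get):
        print(f"root cron job executes {path} (mode {perms}): writable by a non-root user")
```

On a real host, feed it the contents of /etc/crontab and /etc/cron.d/* with a lookup built on os.stat (returning st_mode, st_uid and st_gid) in place of SAMPLE_FS.get; the same permission check applies to scripts launched by systemd timers.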