Git and Crumpets
No brute-forcing is done in this room. If you try it you may get blocked by the site (by the machine itself, not by TryHackMe). The room description also mentions that the dev team has taken some countermeasures, and that is the hint telling us not to brute-force.
SO LET'S BE VERY CLEAR THAT I WILL NOT BE MENTIONING ALL THE STEPS IN THIS WRITE-UP.
THANKS TO @furikake_jin FOR THE HELP
SO LET'S GET STARTED WITH THE NMAP SCAN
So after the nmap scan we found that there are three services running: one on port 80, one on port 22 and one on port 9090.

So I visited the site on port 80 and it was redirecting me to a YouTube video, so I was wondering what to do next. I asked @furikake_jin for help and he told me to use curl, so I ran the curl command: curl {IP_ADDRESS_of_the_machine}

So here I found some really interesting info and quickly added git.git-and-crumpets.thm to my /etc/hosts file. You can do this by typing sudo nano /etc/hosts and then adding a line with the target machine's IP followed by git.git-and-crumpets.thm.


After that I visited the site and created a new account.

After that I poked around a bit and found a repo which has a deleted password.md file.

And after some time I found the deleted file, which states that the password is in his avatar.

So here it says that the user scones has saved his password in his avatar. So I quickly went over to his profile and downloaded his avatar, used exiftool to pull the metadata out of the image, and boom, I got his login password.
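Since the password was sitting in the avatar's metadata, here is the kind of check a dev team could run over uploaded images before they go anywhere public. This is an added example I wrote for this writeup, not something from the room or from exiftool: it walks the JPEG marker segments, pulls out the COM and APPn blocks (where comments, EXIF and XMP live) and flags anything that looks like a credential. The sample JPEG bytes are constructed inline, and the keyword pattern is my own assumption of what to look for.

```python
import re

# Constructed sample: a minimal JPEG (SOI, one COM segment, EOI) whose comment
# carries a credential, the way the avatar in the room leaked one via metadata.
def build_sample_jpeg(comment: bytes) -> bytes:
    com_segment = b"\xff\xfe" + (len(comment) + 2).to_bytes(2, "big") + comment
    return b"\xff\xd8" + com_segment + b"\xff\xd9"

SAMPLE_JPEG = build_sample_jpeg(b"Password: S3cretP@ss")


def jpeg_metadata_segments(data: bytes):
    """Walk JPEG marker segments and return (marker, payload) for COM (0xFE)
    and APPn (0xE0-0xEF) segments. Stops at SOS (start of compressed image
    data) or EOI, so the pixel data is never scanned."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    segments = []
    i = 2
    while i + 2 <= len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected marker at offset {i}")
        marker = data[i + 1]
        if marker == 0xFF:                              # fill byte, skip it
            i += 1
            continue
        if marker == 0xD9:                              # EOI
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:    # standalone markers, no length field
            i += 2
            continue
        if i + 4 > len(data):
            raise ValueError("truncated segment header")
        length = int.from_bytes(data[i + 2:i + 4], "big")   # includes the 2 length bytes
        payload = data[i + 4:i + 2 + length]
        if marker == 0xFE or 0xE0 <= marker <= 0xEF:
            segments.append((marker, payload))
        if marker == 0xDA:                              # SOS: entropy-coded data follows
            break
        i += 2 + length
    return segments


# Assumed pattern for "looks like a credential"; tune it to your own naming.
CREDENTIAL_HINTS = re.compile(
    rb"(?i)(pass(word|wd|phrase)?|secret|api[_-]?key|token)\s*[:=]\s*\S+"
)


def find_credential_hints(data: bytes):
    """Return (marker, matched text) pairs from metadata segments that look like credentials."""
    hits = []
    for marker, payload in jpeg_metadata_segments(data):
        for m in CREDENTIAL_HINTS.finditer(payload):
            hits.append((f"0x{marker:02X}", m.group(0).decode("latin-1")))
    return hits


if __name__ == "__main__":
    for marker, text in find_credential_hints(SAMPLE_JPEG):
        print(f"segment {marker}: {text}")
```

Run it over every avatar or image checked into a repo; a non-empty result means the file should be stripped of metadata (or rejected) before it is published.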

So with that username and password I logged into his account.

After some research I came across a vuln which leads to Remote Code Execution (RCE for short): CVE-2020-14144. You can read more about it over here. So I did some more research and tried to figure out how to exploit it, which I will be showing here very soon.
Exploiting:
For exploiting we need to go to the settings section of the cant-touch-this repo.

After that, we need to visit the Git Hooks section and then the pre-receive hook, and add the code we want executed to get a reverse shell.

So we open the pre-receive section and add our code.

Then we have to click on Update Hook. And don't forget to set up a netcat listener. So we are almost set; we just need to commit a change, which will give us a shell.

Boom, now we have got the shell.

Now you need to change your directory to home and then to git, and you will get your first flag.
So now it's time to get the root flag.
So I poked around a bit and found this: /var/lib/gitea/data/gitea.db
We can open it with the command sqlite3 /var/lib/gitea/data/gitea.db
After that I used the command select * from user; which shows all the info about all the users on that platform.

After that I changed the permission of our user to admin:
UPDATE user SET is_admin=1 WHERE id=3;
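Two things from the hook and database steps above are worth checking on your own Gitea server: whether custom git hooks are enabled at all (the DISABLE_GIT_HOOKS setting in the [security] section of app.ini controls this, and hook access is exactly what the RCE above needed), and whether anyone has been granted is_admin directly in the database rather than through the UI. This Python script is an added example I wrote for this writeup, not code from the room or from Gitea. The app.ini text and the in-memory user table are constructed samples (only the id, name and is_admin columns), not the real gitea.db, and the expected-admin list is whatever you know your legitimate admins to be.

```python
import configparser
import sqlite3

# Constructed sample of an app.ini; Gitea allows top-level keys before any section.
SAMPLE_APP_INI = """\
APP_NAME = Gitea: Git with a cup of tea
RUN_MODE = prod

[security]
INSTALL_LOCK = true
DISABLE_GIT_HOOKS = false
"""


def git_hooks_enabled(app_ini_text: str) -> bool:
    """True when custom git hooks can be created (DISABLE_GIT_HOOKS is false).
    Gitea 1.13+ defaults this to true (hooks off), so a missing key counts as disabled."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str                      # keep Gitea's upper-case key names
    cp.read_string("[__root__]\n" + app_ini_text)   # tolerate keys before the first section
    value = cp.get("security", "DISABLE_GIT_HOOKS", fallback="true")
    return value.strip().lower() in ("false", "0", "off", "no")


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for gitea.db's user table (three columns only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "user" (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)')
    conn.executemany('INSERT INTO "user" VALUES (?, ?, ?)', [
        (1, "gitea_admin", 1),
        (2, "scones", 0),
        (3, "crumpet_fan", 1),   # escalated by a direct UPDATE, the way the writeup does it
    ])
    conn.commit()
    return conn


def admin_accounts(conn: sqlite3.Connection) -> list:
    """Names of every account with is_admin = 1, ordered by id."""
    rows = conn.execute('SELECT id, name FROM "user" WHERE is_admin = 1 ORDER BY id').fetchall()
    return [name for _, name in rows]


def unexpected_admins(conn: sqlite3.Connection, expected: list) -> list:
    """Admins present in the database that are not on your known-good list."""
    return sorted(set(admin_accounts(conn)) - set(expected))


if __name__ == "__main__":
    print("custom git hooks enabled:", git_hooks_enabled(SAMPLE_APP_INI))
    db = build_sample_db()
    print("admins:", admin_accounts(db))
    print("unexpected admins:", unexpected_admins(db, ["gitea_admin"]))
```

On a real server, point sqlite3.connect at a read-only copy of gitea.db and load app.ini from disk; run it from cron and alert on any unexpected admin or on hooks being enabled when you did not turn them on.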
Then I went back to our target website and found the backup repo.

So you need to poke around a bit and you will find a hidden file named .ssh/Sup3rS3cur3 which has a private SSH key. So I grabbed the key and tried to SSH into the machine. But don't forget to give the key proper permissions: chmod 600 file_name. Then I tried logging in, but sadly it asked for a passphrase. So after a while I went back to the page where I found the key. The passphrase is the name of that file.

Now you just need to copy the key to your machine and give it proper permissions. And yeah, the passphrase is the name of the file.
Now you have to SSH in with the username root and you are done.

Now you can get the root flag. Hope you liked this writeup. This was my 3rd writeup, so if you find something that could be added, or if you know how it can be improved, you can contact me over Twitter @Hac78040354. And again, thank you @furikake_jin for the help.
Room: Git and Crumpets, by TryHackMe. "Our devs have been clamoring for some centralized version control, so the admin came through. Rumour has it that they included a few countermeasures…"