TryHackMe | Brains
The city forgot to close its gate.
First of all, after starting the machine, I go ahead and do the usual Nmap scan (service/version detection on all TCP ports). For the scan I used the following command, with IP being the target address:
nmap -sV -A -sT -p- IP
# Nmap 7.94SVN scan initiated Sat Oct 5 11:55:30 2024 as: nmap -sV -A -sT -p- -o brain_nmap.txt 10.10.92.239
Nmap scan report for 10.10.92.239
Host is up (0.064s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 fd:c6:18:a9:45:6f:2d:b3:8f:c1:96:9c:b1:a7:2c:40 (RSA)
| 256 b9:dc:89:a7:8d:b1:73:30:42:57:cb:b3:c2:06:1e:8d (ECDSA)
|_ 256 2b:2c:d9:d7:7e:81:d2:2b:d2:2f:a3:21:24:04:4c:af (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Maintenance
|_http-server-header: Apache/2.4.41 (Ubuntu)
50000/tcp open ibm-db2?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 401
| TeamCity-Node-Id: MAIN_SERVER
| WWW-Authenticate: Basic realm="TeamCity"
| WWW-Authenticate: Bearer realm="TeamCity"
| Cache-Control: no-store
| Content-Type: text/plain;charset=UTF-8
| Date: Sat, 05 Oct 2024 15:56:54 GMT
| Connection: close
| Authentication required
| login manually go to "/login.html" page
| drda, ibm-db2, ibm-db2-das:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 435
| Date: Sat, 05 Oct 2024 15:56:54 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title>HTTP Status 400
| Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400
|_ Request</h1></body></html>
The scan shows three open ports: 22 (SSH), 80 (HTTP) and 50000. On port 80 we only get a maintenance page.
Port 50000 is more interesting. Nmap labels it ibm-db2? purely from the port number, but the fingerprint-strings above give it away: the service answers HTTP 401 with a TeamCity-Node-Id header and WWW-Authenticate: Basic realm="TeamCity", and points at /login.html. Opening it in a browser gives the login form of TeamCity (JetBrains' CI/CD server).
Below the login form there is a line of text with the version of the app. One easy thing to do right now is to search for a CVE associated with that version. A quick search turns up CVE-2024-27198, an authentication bypass in TeamCity On-Premises (fixed in 2023.11.4) that lets an unauthenticated attacker reach the administrative REST API, which is enough to create an administrator account.
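Both checks above can be scripted. What follows is an added example (my code, not the post's and not from any of the exploit repositories linked below): it recognises TeamCity from the raw 401 response on port 50000 and compares the version string from the login page against the release that closed CVE-2024-27198. The response text is constructed from the shape of the nmap fingerprint above, the footer wording "Version X (build N)" is an assumption, and the fixed version, 2023.11.4, is the one JetBrains published with the advisory.

```python
import re

# Constructed raw HTTP response in the shape nmap's fingerprint-strings showed
# on port 50000 (not a capture from the room; values trimmed).
SAMPLE_RESPONSE = (
    "HTTP/1.1 401\r\n"
    "TeamCity-Node-Id: MAIN_SERVER\r\n"
    'WWW-Authenticate: Basic realm="TeamCity"\r\n'
    'WWW-Authenticate: Bearer realm="TeamCity"\r\n'
    "Cache-Control: no-store\r\n"
    "Content-Type: text/plain;charset=UTF-8\r\n"
    "Connection: close\r\n"
    "\r\n"
    "Authentication required\n"
    'login manually go to "/login.html" page\n'
)

# First TeamCity On-Premises release that fixed CVE-2024-27198.
FIXED_VERSION = (2023, 11, 4)


def parse_headers(raw):
    """Split a raw HTTP/1.x response into (status_code, headers). Headers map
    lowercase name -> list of values so repeated headers survive, which matters
    here: TeamCity sends two WWW-Authenticate lines."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, *lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def is_teamcity(raw):
    """True when the response carries TeamCity's own markers instead of the
    ibm-db2 service nmap guessed from the port number."""
    _status, h = parse_headers(raw)
    if "teamcity-node-id" in h:
        return True
    return any('realm="TeamCity"' in v for v in h.get("www-authenticate", []))


def parse_version(text):
    """Pull 'YYYY.MM[.N]' out of a login-page footer such as
    'Version 2023.11.3 (build 12345)' (footer wording assumed).
    A missing patch number counts as 0 so tuples compare cleanly."""
    m = re.search(r"(\d{4})\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(x) if x else 0 for x in m.groups())


def vulnerable_to_cve_2024_27198(text):
    """Version check only: every release before 2023.11.4 is in the affected
    range. A False here says nothing about other weaknesses."""
    v = parse_version(text)
    return v is not None and v < FIXED_VERSION


if __name__ == "__main__":
    print("TeamCity on this port:", is_teamcity(SAMPLE_RESPONSE))
    for footer in ("Version 2023.11.3 (build 12345)", "Version 2023.11.4 (build 12346)"):
        print(footer, "->", "vulnerable" if vulnerable_to_cve_2024_27198(footer) else "patched")
```

The version comparison is the only real check here; it tells you whether the banner falls inside the published range, nothing more, and the actual bypass is what the repositories below exercise.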
I thought about what can happen now: can we get past this login screen, achieve RCE, or both? On GitHub I found a couple of repositories with exploits for this vulnerability. I'll leave it to you to figure out how to use them; it's very easy, and it gets you past the login screen.
https://github.com/yoryio/CVE-2024-27198.git
https://github.com/Stuub/RCity-CVE-2024-27198
After getting in, I figured this isn't much progress if I can't get a shell. Since I didn't know TeamCity's functionality at all, I just looked around a bit, then realised Metasploit would be the better option: it has a module that chains the authentication bypass with RCE (exploit/multi/http/jetbrains_teamcity_rce_cve_2024_27198). So I spun up Metasploit.
At first it didn't work at all, which I attributed to having fooled around with the GitHub exploits before trying Metasploit.
After setting everything up again with the correct options (RHOSTS, RPORT 50000 and LHOST for the reverse handler), I got a shell.
In the meterpreter session, we can use cd to change directories until we reach the flag, or let meterpreter's search -f flag.txt locate it for us. After that, a simple cat flag.txt does the job.
With that, the first part of the machine, the exploitation (red team) part, was done. Now let's move on to the blue team part: investigating the breach.
We spin up another machine and, per the task description, get access to Splunk, which holds the logs from the breach. This was the first time I had to deal with Splunk, so Google searches and ChatGPT were my tools for this task.
1. What is the name of the backdoor user which was created on the server after exploitation?
First, I found the search bar where queries go and discovered this command, which lists all the indexes available:
| metasearch index=* | stats count by index
Now, to find the backdoor user, I looked for the Linux commands related to adding users and ran this query:
index="auth_logs" useradd OR adduser OR passwd OR usermod
The bare keywords match anywhere in the raw event, so this also returns sudo entries that merely invoke those tools; with so few events that is fine. You should be able to spot the user yourself; it's pretty obvious.
2. What is the name of the malicious-looking package installed on the server?
This part gave me a bit of a headache, as I was not familiar at all with how Splunk works, but after enough research I found a solution:
- In summary, I had to get all the package logs, extract the package name with a field extraction and present all the names in a table
Finally, after narrowing the time range to around the time of the incident (the creation time of the backdoor user from task 1 is a good anchor), we get an interesting result that finishes this task.
3. What is the name of the plugin installed on the server after successful exploitation?
This last task is pretty easy. There were three indexes, auth_logs, main and weblogs, and only one we haven't inspected yet: weblogs. An index=weblogs query should show all the information needed to finish this task. Just look at the logs, and keep the same date range as in the previous tasks.
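The three hunts above can be mirrored outside Splunk, which is a handy way to sanity-check what a query should return before trusting it on the real data. The following is an added example (mine, not the post's and not the room's Splunk data): the auth_logs hunt from task 1, the package table from task 2 narrowed to an incident window, and the weblogs plugin search from task 3, all run over constructed log lines. The user, package and plugin names are placeholders, the dpkg.log and Apache combined formats are assumed, and the plugin-upload URL is invented for the example rather than TeamCity's real endpoint.

```python
import re
from datetime import datetime

# Constructed sample events in the shape of the room's three indexes
# (auth_logs, main for package logs, weblogs). NOT the room's Splunk data;
# the user, package and plugin names are placeholders.
AUTH_LOGS = [
    "Jul  4 21:10:02 brains sshd[1031]: Accepted password for ubuntu from 10.10.1.5 port 50122 ssh2",
    "Jul  4 21:15:43 brains useradd[2210]: new user: name=svc_deploy, UID=1003, GID=1003, home=/home/svc_deploy, shell=/bin/bash",
    "Jul  4 21:15:44 brains passwd[2215]: pam_unix(passwd:chauthtok): password changed for svc_deploy",
    "Jul  4 21:16:01 brains usermod[2220]: add 'svc_deploy' to group 'sudo'",
    "Jul  4 21:30:12 brains CRON[2301]: pam_unix(cron:session): session opened for user root by (uid=0)",
]
# dpkg.log format (assumed): "<date> <time> install <package>:<arch> <old> <new>"
PACKAGE_LOGS = [
    "2024-07-04 09:02:11 install libssl3:amd64 1.0-1 1.0-2",
    "2024-07-04 21:18:30 install python3-pip:amd64 <none> 22.0-1",
    "2024-07-04 21:19:05 install sysmon-helper:amd64 <none> 0.1-1",
    "2024-07-05 03:00:00 install linux-firmware:all 1.0-1 1.0-2",
]
# Apache combined log format; the upload path is invented for the example
# and is not TeamCity's real plugin endpoint.
WEB_LOGS = [
    '10.10.1.5 - - [04/Jul/2024:21:14:10 +0000] "GET /login.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.10.1.5 - - [04/Jul/2024:21:17:22 +0000] "POST /admin/plugins.html?action=upload&file=remote-exec-plugin.zip HTTP/1.1" 302 0 "-" "python-requests/2.31"',
    '10.10.1.5 - - [04/Jul/2024:21:17:25 +0000] "GET /app/rest/server HTTP/1.1" 200 840 "-" "python-requests/2.31"',
]

# Incident window for task 2, anchored on the useradd event from task 1.
INCIDENT_WINDOW = (datetime(2024, 7, 4, 21, 0, 0), datetime(2024, 7, 4, 22, 0, 0))

ACCOUNT_TOOLS = ("useradd", "adduser", "passwd", "usermod")
AUTH_PAT = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (" + "|".join(ACCOUNT_TOOLS) + r")(?:\[\d+\])?: (.*)$"
)
WEB_PAT = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')


def account_changes(lines):
    """Task 1 hunt: every auth event written by useradd/adduser/passwd/usermod,
    as (timestamp, tool, message). Anchoring on the program field avoids the
    sudo and cron noise a bare keyword search would also return."""
    return [m.groups() for m in map(AUTH_PAT.match, lines) if m]


def new_users(lines):
    """Account names created in the log: the name= field on useradd's 'new user:' line."""
    names = []
    for _ts, _tool, msg in account_changes(lines):
        m = re.search(r"new user: name=([^,\s]+)", msg)
        if m:
            names.append(m.group(1))
    return names


def packages_installed_between(lines, start, end):
    """Task 2 table: dpkg 'install' events inside [start, end] as (time, package)."""
    rows = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "install":
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        if start <= ts <= end:
            rows.append((ts, parts[3].split(":")[0]))
    return rows


def plugin_uploads(lines):
    """Task 3 hunt: requests whose path mentions a plugin, with the archive
    name pulled out of the URL when there is one: (client, time, method, name)."""
    hits = []
    for line in lines:
        m = WEB_PAT.match(line)
        if not m:
            continue
        client, ts, method, path, _status = m.groups()
        if "plugin" in path.lower():
            archive = re.search(r"([\w.-]+\.zip)", path)
            hits.append((client, ts, method, archive.group(1) if archive else path))
    return hits


if __name__ == "__main__":
    for row in account_changes(AUTH_LOGS):
        print("auth:", row)
    print("new users:", new_users(AUTH_LOGS))
    for ts, pkg in packages_installed_between(PACKAGE_LOGS, *INCIDENT_WINDOW):
        print("package:", ts, pkg)
    print("plugin uploads:", plugin_uploads(WEB_LOGS))
```

In Splunk the same three steps are the keyword search on index=auth_logs, a rex extraction of the package name piped into table for task 2, and a search in index=weblogs for requests whose path mentions plugin. Anchoring on the program name, as account_changes does, is the difference between a clean list of account changes and the extra sudo lines that mention passwd or usermod; the time window does the same job for the package table that narrowing the Splunk time picker does.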
Finally, we finished the room. This challenge was very interesting, giving you the opportunity to see two different sides of cybersecurity: exploitation and investigation. The first part was a good opportunity to reuse the usual pentest tools, Nmap and Metasploit. The second part was a challenge, because I had never used Splunk, but hey, this is what it's all about: adapting, solving the challenge and, in the process, picking up new concepts and information.
Thanks for reading!
This post is licensed under CC BY 4.0 by the author.